
Trying to segment network first time VLAN or PVLAN


yantra
IS-IT--Management
Feb 14, 2008
Hello guys,

I have a network design question here about my network.

My network has grown bigger in recent years and I am now thinking of segmenting it department-wise, i.e. HR, Sales, Accounting, IT, servers, printers, etc.

No computers from one department should be able to access other departments' computers, except the servers VLAN and printer VLANs. The IT VLAN should be able to access all VLANs, but no VLAN should be able to access PCs in the IT VLAN.

We have one DHCP server on a Win08 server, and it should be able to give leases to all the PCs in the company. We have two DNS servers and DCs at the same site, and they should be able to talk to all the PCs in the company (LDAP and DNS traffic).

Looking at this, what should be my best option? Is it VLANs, or PVLAN?

A couple of questions I have here:

I am more confused about how this PVLAN information will get replicated to the other switches on my network. I have about 8 switches scattered at different locations in the same building.

If you look at the attached picture, I have two switches; SW1 is a layer 3 switch.

I want all the segments in the picture to be able to talk to the servers and printers segment. I want the Eng segment, which is scattered across both switches, to be able to talk to its own members. I also want to create a separate segment for wireless networking, so that visitors accessing this segment do not interfere with the other members on the network, and possibly to restrict virus spread from visitors' laptops. All the members should be able to go to the internet through the router.

I know this is a kind of common config for SMBs; there will be many of you who have done it. I am looking for your tips.

Please help,

Thanks a lot
 
Your idea of segmenting everything by department is an idea that was made obsolete by Windows NT in the '90s.

Presumably rights and permissions are set on all your PCs and access is restricted accordingly.

Today, segmenting a network into VLANs is done geographically, merely to limit the size of broadcast segments and protect voice from data.
Trying to segment it based on function is messy and requires excessive maintenance which is unnecessary as you can do all that in AD.
 
What you want to do is possible. As stated, this was a best practice of Cisco, but today that has changed.

Is it possible to do what you want? Yes.

Without knowing what switches you have in your environment, it is hard to give the best way to do this.

You will use something called VTP. Create a domain and place all switches in the same domain. It is also good to create a VTP password, so any new switch added must also have this manually added. This will save you in the event you add more switches and will eliminate the possibility of being overwritten.
Create one switch as the VTP server and all the other switches as VTP clients.
Any VLAN configuration will be done on the server and pushed to the other clients in the same domain.

Then add the VLAN to each interface you want to segment.
Create trunks on the switches and allow all VLANs to span the trunk.
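As an added example (not from the poster or from any reply), here is one way to lay out the steps this reply describes on Cisco IOS, extended with the inter-VLAN access list that the original poster's policy calls for. VLAN numbers, subnets, interface names, the VTP password and the DHCP server address 10.0.50.10 are all assumed values.

```cisco
! --- Every switch: same VTP domain and password (assumed values; pick your own) ---
vtp domain CORP
vtp password Vtp-Secret-Changeme
! SW1 (the Layer 3 switch) is the VTP server; on SW2..SW8 use "vtp mode client"
vtp mode server
!
! --- VTP server only: these VLANs are pushed to every client in the domain ---
vlan 10
 name HR
vlan 40
 name IT
vlan 50
 name SERVERS
vlan 60
 name PRINTERS
!
! --- Any switch: put a user port into its department VLAN ---
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! --- Inter-switch link: 802.1Q trunk carrying all VLANs
! (the encapsulation line is needed on older L3 models, not on a 2960)
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan all
!
! --- SW1 only: route between VLANs, relay DHCP, enforce the poster's policy ---
ip routing
ip access-list extended HR-IN
 remark DHCP requests from clients that have no address yet
 permit udp any eq bootpc any eq bootps
 remark HR reaches servers (DHCP/DNS/AD) and printers, no other department
 permit ip 10.0.10.0 0.0.0.255 10.0.50.0 0.0.0.255
 permit ip 10.0.10.0 0.0.0.255 10.0.60.0 0.0.0.255
 remark TCP replies to sessions IT opened; the ACL is stateless, so any
 remark IT-initiated UDP/ICMP toward HR needs its own explicit permit
 permit tcp 10.0.10.0 0.0.0.255 10.0.40.0 0.0.0.255 established
 deny   ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.255.255
 remark everything else (internet) goes to the router
 permit ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.50.10
 ip access-group HR-IN in
```

The same pattern (one SVI, one `ip helper-address`, one inbound access list) is repeated for each department VLAN; the IT VLAN's SVI gets no inbound filter, since IT is allowed to reach everything.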
 
Segmenting by department should only be used if you need the security you mentioned. I'm not sure you actually need that security, so I would segment based on location instead.
 