Re: [fw-wiz] need opinion of security experts on network design


1-each floor is a separate VLAN

If you can guarantee that each floor will stay a separate collision
domain, then I would use separate LANs, i.e. Layer 2 switches for
the floors.

2-all switches in the floors are layer 3 switches (no layer 2 switches at all)

Why? Nothing in your architecture requires this.

3-no VLAN spans multiple swtiches,

Especially because of 1 and 3.

4-each of the floors' switches are connected via point-to-point
interconnecting VLAN to a core switch

Now, for the core switch I would use a pair of layer 3 switches, statically
assign a VLAN for each floor to an _access_ port on each of them,
and connect each floor switch via two uplink ports to each of the core

The core switches can do the routing statically, since you only
ever configure layer 3 information on two devices. They can
provide redundancy to the access/distribution layer (floor switches
and hosts) via HSRP (in a Cisco world) or some similar means for
layer 3 and spanning tree for the layer 2 connections.

5-No spanning tree at all in the network as each switch is a different
unique VLAN

No spanning tree => no redundancy on layer 2 unless I missed something.

6-All VLANs routing are done via OSPF protocol
so i have about 50 VLANs with about 50 interconecting VLANs

can any one gives me his opinion from security point of view on that design?

Security = C * 1 / Complexity

Your design looks overly complex for the architecture requirements
sketched in 1 - 4.

Kind regards,

Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
Gf: Jürgen Egeling AG Mannheim 108285
firewall-wizards mailing list