Case: Separating the call-center/support team from the production and management networks

The customer has one large flat network with all users in the same segment and wants to improve security.

Problem description: All employees reside in one large network segment and have some level of access to every corporate server. The production and support teams are spread across the entire building, so the segmentation has to be done per switch port rather than per floor or per switch.

Proposed solution: Split the network into four segments: servers, support, production and management. Restrict access to the corporate servers with a Fortigate firewall that sits between the segments, and restrict access to corporate resources with security groups in AD. The two controls are complementary: the firewall limits which hosts can reach a server at all, the AD groups limit what an authenticated user can do once there.

Initial schematic (fragment of the network).

Schematic of the implemented solution (fragment).

Note: LACP port-channels and spanning-tree are used on the inter-switch links for redundancy. All inter-switch and firewall-facing links are 802.1Q trunks; the switches do no routing, so the Fortigate is the only point where traffic can cross between the four segments. The trunks as shown carry every VLAN; pruning each trunk to the VLANs it actually needs is the usual follow-up.

Configuration fragments.

DC switch:

interface Ethernet0/1
 description Connection to Fortigate FW
 switchport trunk encapsulation dot1q
 switchport mode trunk

Fortigate FW:

Create 802.1Q VLAN sub-interfaces on the Fortigate for the trunk to the DC switch (server segment) and for the trunk to Distr switch 1 (support, management and production segments, VLANs 100, 200 and 300 below). The Fortigate is the default gateway of every segment.

Create firewall policies that allow traffic from the end-user segments to the servers behind the DC switch and to the public network (internet). Anything not explicitly allowed, including traffic between the three user segments, is dropped by the Fortigate's implicit deny.
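The two Fortigate steps above as a worked FortiOS CLI example. This is an added illustration, not configuration taken from the original case: the VLAN IDs 100/200/300 come from the switch configuration below, while the server VLAN ID 10, all subnets, the physical port names port1/port2/wan1, the interface and address object names and the permitted service list are assumptions.

```fortios
# Assumed: port1 is the trunk to the DC switch, port2 the trunk to Distr switch 1,
# wan1 the internet uplink. One VLAN sub-interface per segment; the Fortigate
# is the gateway (.1) of each.
config system interface
    edit "vlan10_servers"
        set vdom "root"
        set ip 10.0.10.1 255.255.255.0
        set allowaccess ping
        set interface "port1"
        set vlanid 10
    next
    edit "vlan100_support"
        set vdom "root"
        set ip 10.0.100.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 100
    next
    edit "vlan200_mgmt"
        set vdom "root"
        set ip 10.0.200.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 200
    next
    edit "vlan300_prod"
        set vdom "root"
        set ip 10.0.30.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 300
    next
end

# Address objects (assumed subnets) so policies never use "all" as a destination.
config firewall address
    edit "net_servers"
        set subnet 10.0.10.0 255.255.255.0
    next
    edit "net_support"
        set subnet 10.0.100.0 255.255.255.0
    next
    edit "net_mgmt"
        set subnet 10.0.200.0 255.255.255.0
    next
    edit "net_prod"
        set subnet 10.0.30.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "grp_user_segments"
        set member "net_support" "net_mgmt" "net_prod"
    next
end

# Policies are matched top-down; everything unmatched hits the implicit deny.
config firewall policy
    edit 10
        set name "users_to_servers"
        set srcintf "vlan100_support" "vlan200_mgmt" "vlan300_prod"
        set dstintf "vlan10_servers"
        set srcaddr "grp_user_segments"
        set dstaddr "net_servers"
        set action accept
        set schedule "always"
        set service "HTTPS" "DNS" "LDAP"
        set logtraffic all
    next
    edit 20
        set name "users_to_internet"
        set srcintf "vlan100_support" "vlan200_mgmt" "vlan300_prod"
        set dstintf "wan1"
        set srcaddr "grp_user_segments"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
    # Explicit, logged deny between user segments: the implicit deny would drop
    # this anyway, but a named policy makes lateral-movement attempts visible.
    edit 30
        set name "deny_user_to_user"
        set srcintf "vlan100_support" "vlan200_mgmt" "vlan300_prod"
        set dstintf "vlan100_support" "vlan200_mgmt" "vlan300_prod"
        set srcaddr "grp_user_segments"
        set dstaddr "grp_user_segments"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The service lists are placeholders and should be replaced with what the servers actually expose; a single "users_to_servers" policy with service ALL would reproduce the old flat network one hop further away. Splitting policy 10 per segment (for example only the management segment may reach RDP on the servers) is the natural next refinement once the per-team requirements are known.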

Distr switch 1:

! One LACP port-channel per downstream access switch
interface Port-channel34
 description Port-Channel to Acc switch 1
interface Port-channel56
 description Port-Channel to Acc switch 2

! Uplink to the Fortigate: trunk carrying VLANs 100, 200 and 300
interface Ethernet0/1
 description Connection to Fortigate FW
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Ethernet0/3
 description Connection to Acc switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 34 mode active
interface Ethernet0/4
 description Connection to Acc switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 34 mode active

interface Ethernet0/5
 description Connection to Acc switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 56 mode active
interface Ethernet0/6
 description Connection to Acc switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 56 mode active

Acc switch 1:

interface Port-channel12
 description Port-Channel to Distr switch 1
interface Port-channel48
 description Port-Channel to Acc switch 2

interface Ethernet0/1
 description Connection to Distr switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 12 mode active
interface Ethernet0/2
 description Connection to Distr switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 12 mode active

! End-user ports: one access VLAN per team, configured with IOS range syntax.
! A port is either an access port in exactly one team VLAN or a trunk, never both.
interface range Ethernet0/3 - 10
 description To support team
 switchport mode access
 switchport access vlan 100
 no shutdown
interface range Ethernet0/11 - 20
 description To management team
 switchport mode access
 switchport access vlan 200
 no shutdown
interface range Ethernet0/21 - 46
 description To production team
 switchport mode access
 switchport access vlan 300
 no shutdown

interface Ethernet0/47
 description Connection to Acc switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 48 mode active
interface Ethernet0/48
 description Connection to Acc switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 48 mode active

Acc switch 2:

interface Port-channel12
 description Port-Channel to Distr switch 1
interface Port-channel48
 description Port-Channel to Acc switch 1

interface Ethernet0/1
 description Connection to Distr switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 12 mode active
interface Ethernet0/2
 description Connection to Distr switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 12 mode active

! No management team on this switch. The production range ends at 0/46:
! Ethernet0/47-48 are reserved for the port-channel to Acc switch 1 below.
interface range Ethernet0/3 - 10
 description To support team
 switchport mode access
 switchport access vlan 100
 no shutdown
interface range Ethernet0/11 - 46
 description To production team
 switchport mode access
 switchport access vlan 300
 no shutdown

interface Ethernet0/47
 description Connection to Acc switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 48 mode active
interface Ethernet0/48
 description Connection to Acc switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 48 mode active