VLAN Assignment and Configuration
VLANs (Virtual Local Area Networks) are essential for segmenting and isolating
network traffic within an organization. Each VLAN acts as a separate network,
reducing broadcast traffic and improving security. In this design, we have five
main blocks (departments), each assigned its own VLAN to maintain traffic
separation and enforce security policies.
1. VLAN Assignment Overview
Each VLAN will have its own subnet and range of IP addresses. This segregation is
key to maintaining a secure and efficient network, as it limits unnecessary
interaction between departments while still allowing flexibility for internal
communication.
2. Inter-VLAN Routing
Inter-VLAN Routing allows devices on different VLANs to communicate through a Layer
3 device, typically a router or Layer 3 switch.
In this network design:
• Admin Block, Operations Block, IT Support Block, and Development Block will have
inter-VLAN routing enabled to allow communication between these departments.
• Finance Block will be isolated to prevent access to its VLAN from any of the
other blocks, except authorized personnel or systems, as mentioned earlier.
This configuration allows:
• Employees from different departments to collaborate efficiently.
• Separation of sensitive resources (such as Finance) from the rest of the network
to prevent unauthorized access.
3. VLAN Configuration Details
Admin Block (VLAN 10)
• VLAN ID: 10
• Subnet: 172.16.0.0/19
• Use case: This VLAN hosts all the administrative staff and servers handling
internal management. This includes HR, executive management, and the organization's
primary file servers.
• Security policies:
• Inter-VLAN routing enabled for communication with other non-sensitive VLANs.
• Strict role-based access control (RBAC) and least-privilege policies enforced.
Operations Block (VLAN 20)
• VLAN ID: 20
• Subnet: 172.16.32.0/19
• Use case: This VLAN includes all departments focused on day-to-day operations and
service delivery, such as logistics and customer service.
• Security policies:
• Inter-VLAN routing enabled with the Admin, IT, and Development VLANs for seamless
operations.
• Monitored for sensitive data leaks or misconfigurations.
IT Support Block (VLAN 30)
• VLAN ID: 30
• Subnet: 172.16.64.0/19
• Use case: All IT support staff and network management activities are assigned to
this VLAN. It handles network configuration, user support, server maintenance, and
more.
• Security policies:
• Inter-VLAN routing enabled with the Admin, Operations, and Development blocks for
fast technical support.
• Elevated privileges required to access critical systems, with detailed logging.
Development Block (VLAN 40)
• VLAN ID: 40
• Subnet: 172.16.96.0/19
• Use case: This VLAN is dedicated to software developers, researchers, and
engineers. It includes development servers, testing environments, and research
databases.
• Security policies:
• Inter-VLAN routing enabled with IT Support and Admin blocks to allow
collaboration.
• Isolated access to testing servers and external systems to prevent cross-contamination of production environments.
Finance Block (VLAN 50)
• VLAN ID: 50
• Subnet: 172.16.128.0/19
• Use case: This VLAN handles all financial transactions, payroll, and budgeting.
It contains highly sensitive data and must be protected against unauthorized
access.
• Security policies:
• Inter-VLAN routing disabled, ensuring no access from any other VLAN.
• Strict access control lists (ACLs) implemented to block traffic from other VLANs.
• Only authorized personnel and finance systems have access, with mandatory multi-factor authentication (MFA).
• Traffic from this VLAN is logged and monitored to detect any suspicious
activities.
4. Access Control Lists (ACLs) for VLAN 50 (Finance Block)
To ensure that the Finance Block (VLAN 50) is completely isolated from the other
VLANs, we will apply ACLs on the core router. The following steps outline how the
ACLs will be applied:
• Deny Traffic from Other VLANs:
• Deny any traffic from VLANs 10, 20, 30, and 40 trying to communicate with VLAN
50.
• Example ACL configuration:
    deny ip 172.16.0.0 0.0.31.255 172.16.128.0 0.0.31.255
    deny ip 172.16.32.0 0.0.31.255 172.16.128.0 0.0.31.255
    deny ip 172.16.64.0 0.0.31.255 172.16.128.0 0.0.31.255
    deny ip 172.16.96.0 0.0.31.255 172.16.128.0 0.0.31.255
• Allow Internal Communication within Finance VLAN:
• Allow internal communication within VLAN 50 to enable devices within the Finance
department to talk to each other:
    permit ip 172.16.128.0 0.0.31.255 172.16.128.0 0.0.31.255
• Permit Necessary Services (e.g., for Internet Access):
• Permit certain traffic to external networks, such as internet access for Finance,
while keeping internal resources isolated:
    permit ip 172.16.128.0 0.0.31.255 any
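The following Python script is an added worked example, not part of this design document or of any vendor's tooling. It takes the five /19 subnets from section 3 and the six ACL entries from section 4 exactly as written, and evaluates sample packets against them the way an IOS extended ACL is evaluated: top to bottom, first match wins, and anything that matches no entry is dropped by the implicit deny. The function names (wildcard_match, parse_ace, acl_action, vlan_of, finance_reachable_from) and the .10 host addresses used as test packets are assumptions constructed for the example.

```python
import ipaddress

# VLAN plan from section 3: VLAN ID -> /19 subnet.
VLANS = {
    10: ipaddress.ip_network("172.16.0.0/19"),    # Admin
    20: ipaddress.ip_network("172.16.32.0/19"),   # Operations
    30: ipaddress.ip_network("172.16.64.0/19"),   # IT Support
    40: ipaddress.ip_network("172.16.96.0/19"),   # Development
    50: ipaddress.ip_network("172.16.128.0/19"),  # Finance
}

# The Finance ACL from section 4, entry for entry and in the same order.
# IOS evaluates an ACL top to bottom, stops at the first match, and drops
# anything that matches no entry (the implicit deny at the end).
FINANCE_ACL = """
deny   ip 172.16.0.0   0.0.31.255 172.16.128.0 0.0.31.255
deny   ip 172.16.32.0  0.0.31.255 172.16.128.0 0.0.31.255
deny   ip 172.16.64.0  0.0.31.255 172.16.128.0 0.0.31.255
deny   ip 172.16.96.0  0.0.31.255 172.16.128.0 0.0.31.255
permit ip 172.16.128.0 0.0.31.255 172.16.128.0 0.0.31.255
permit ip 172.16.128.0 0.0.31.255 any
"""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a ^ b) & care == 0


def _take_address(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse one 'permit|deny ip SRC DST' entry into (action, src, dst)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, rest = _take_address(rest)
    dst, _ = _take_address(rest)
    return action, src, dst


def acl_action(src_ip: str, dst_ip: str, acl: str = FINANCE_ACL) -> str:
    """Return 'permit' or 'deny' for a packet using first-match semantics."""
    for line in acl.strip().splitlines():
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def vlan_of(ip: str):
    """Map an address to the VLAN whose subnet contains it (None if unassigned)."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


def finance_reachable_from() -> dict:
    """For each VLAN, test one constructed host (.10) against a Finance host."""
    finance_host = str(VLANS[50].network_address + 10)
    return {vid: acl_action(str(net.network_address + 10), finance_host)
            for vid, net in VLANS.items()}


if __name__ == "__main__":
    for vid, verdict in finance_reachable_from().items():
        print(f"VLAN {vid} -> Finance: {verdict}")
    # The list is stateless: Finance -> Admin matches the final permit,
    # but the reply packet Admin -> Finance hits the first deny.
    print("Finance -> Admin:", acl_action("172.16.128.10", "172.16.0.10"))
    print("Admin -> Finance:", acl_action("172.16.0.10", "172.16.128.10"))
```

Running it confirms the intended result: a host in VLAN 10, 20, 30 or 40 is denied toward 172.16.128.0/19, Finance hosts can reach each other, and Finance can reach "any". It also makes two practical points visible. First, acl_action("172.16.128.10", "172.16.0.10") returns permit while the reverse direction returns deny: a plain IOS ACL is stateless, so a session that a Finance host initiates toward another VLAN would have its replies dropped unless return traffic is allowed separately (a reflexive ACL, or a stateful firewall in place of the ACL). Second, which entries ever match depends on the interface and direction the list is applied in: the deny entries only see packets heading into VLAN 50, while the last permit only sees packets leaving it, so on the core router the two halves belong on different interface directions rather than in one list applied once.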
5. Captive Portal Authentication on VLANs
A captive portal will be implemented for user authentication on all VLANs except
the Finance Block, where stricter access methods are used. Each time a user tries
to access the network, they will be redirected to a login page before being granted
access. This captive portal will:
• Authenticate employees using Active Directory or LDAP credentials.
• Allow guests to access the network using limited guest accounts with access time
restrictions.
6. Benefits of VLAN Segmentation
• Enhanced Security: By isolating traffic, VLANs prevent unauthorized access to
sensitive resources. In this case, the Finance Block's VLAN is completely isolated.
• Reduced Network Congestion: VLANs reduce broadcast traffic, making the network
more efficient.
• Improved Management: Easier to manage and troubleshoot specific blocks or
departments without affecting the entire network.
• Scalability: VLANs allow for future expansion without needing significant changes
to the overall network architecture.
By implementing this VLAN structure, we ensure a secure, scalable, and efficient
network that supports inter-departmental collaboration while safeguarding sensitive
financial data. The combination of VLAN segmentation, inter-VLAN routing, ACLs, and
captive portal authentication offers a robust solution for both security and
usability.