All other Cisco networking related discussions.

Network Design and ACL

Thu Sep 14, 2017 12:02 pm

hey guys,

So I'm tasked with designing the schema for a new building with multiple floors (6 floors) and 400 - 1000 users. I was wondering how everyone is segmenting/designing their VLANs/subnets. Do you guys do it by wiring closet/floor or by department, from a security and networking aspect?

the topology is access switches with layer 2 uplinks to two core nexus 9k switches.

wiring closet/Floor

IDF/Floor 1 Data =
IDF/Floor 1 Voice = 10.0.65./24

IDF/Floor 2 Data =
IDF/Floor 2 Voice =

IDF/Floor 3 Data =
IDF/Floor 3 Voice =

Wireless =
Guest Wireless =

Example of Department

IT data =
HR data =
Finance data =

Voice =

Wireless =
Guest Wireless =

Also, do you guys ACL on the VLAN/subnet interface? My security guy wants to do it by department and ACL everything they need access to. This seems to be a very manual way of doing it and has lots of overhead.

IT data has access to everything
HR data has access to HR servers and internet.

All the network designs I have read did it by wiring closet/floor, where multiple departments use the same VLAN/subnet. But with this way, there isn't a good way to ACL that VLAN/subnet.

Thanks in advance


Re: Network Design and ACL

Thu Nov 30, 2017 7:52 pm

Your overall design seems fine. A couple of switches on each floor leading back to the main Nexus 9k's.

Option 1:

Now, if you want to allow access based on the department, you should put each department in its own VLAN. This allows you to easily segregate each employee into the correct department/VLAN. Now on the Nexus 9k's you can apply ACLs to limit their access. Although this can become somewhat manual, most of the solutions will be fairly manual. The time-consuming portion of this setup will be department/employee moves, because you will have to start changing access port VLAN assignments and potentially trunk port configurations.

Option 2:

The alternative would be to use a form of SSO (Single Sign-On) functionality which doesn't rely on the VLAN of the user but instead places the user in an SSO group, and based on the group they are in, specific access is permitted. Fortigate has a product using SSO to allow users access based on Windows AD groups. This would allow all of floor 1 to be on one subnet/VLAN, with rules applied based on their Windows AD groups. The benefit of this is that no matter where your users move to, there are no VLAN or port changes required; their access floats around the floors with them. This will require the purchase of a firewall if you don't already have one.

Let us know if you have any further questions
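To make Option 1 concrete, here is what the per-department VLAN plus SVI ACL looks like on one of the Nexus 9k cores. This is an added example, not a config from either poster: the VLAN numbers, the 10.0.110.0/24 HR subnet, the 10.0.200.0/24 HR server subnet, the DNS/DHCP server addresses and the assumption that all internal space sits inside 10.0.0.0/8 (plus the other RFC 1918 ranges) are mine. The ACL is a routed ACL applied inbound on the HR SVI, so the source is always an HR host and the policy reads as "HR servers and internet only", which is the HR line from the original post.

```cisco
! Added example for Option 1 (per-department VLAN, ACL on the SVI) on a Nexus 9000.
! Assumed values: VLAN 110 = HR data, VLAN 200 = servers, 10.0.200.10 = internal DNS,
! 10.0.200.20 = DHCP server, 10.0.110.1 = HSRP gateway shared by the two cores.
feature interface-vlan
feature hsrp
feature dhcp

vlan 110
  name HR-DATA
vlan 200
  name SERVERS

ip access-list HR-DATA-IN
  statistics per-entry
  10 remark Gateway, DHCP relay and internal DNS must stay reachable
  20 permit ip 10.0.110.0/24 10.0.110.1/32
  30 permit udp any eq 68 any eq 67
  40 permit udp 10.0.110.0/24 10.0.200.10/32 eq 53
  50 permit tcp 10.0.110.0/24 10.0.200.10/32 eq 53
  60 remark HR servers (assumed to live in VLAN 200)
  70 permit ip 10.0.110.0/24 10.0.200.0/24
  80 remark Block every other internal subnet before opening the internet
  90 deny ip 10.0.110.0/24 10.0.0.0/8
  100 deny ip 10.0.110.0/24 172.16.0.0/12
  110 deny ip 10.0.110.0/24 192.168.0.0/16
  120 remark Whatever is left is the internet
  130 permit ip 10.0.110.0/24 any
  140 remark Anything not sourced from the HR subnet is spoofed; log it
  150 deny ip any any log

interface Vlan110
  description HR-DATA gateway (core-1)
  no shutdown
  ip address 10.0.110.2/24
  ip access-group HR-DATA-IN in
  ip dhcp relay address 10.0.200.20
  hsrp 110
    ip 10.0.110.1
```

Two details worth noting. The DHCP entry uses `any` as the source on purpose: a host that has no lease yet sends DISCOVER from 0.0.0.0, so an entry restricted to 10.0.110.0/24 would never match it and the floor would stop getting addresses. The internal `deny` entries sit above the final `permit`, so "internet" means only what is not RFC 1918 space; if the WAN or DMZ uses other private ranges, they need their own entries. With `statistics per-entry` enabled, `show ip access-lists HR-DATA-IN` shows hit counts per line, which is the quickest way to confirm the policy is doing what the security team expects before the same pattern is copied to the Finance and IT SVIs.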
