Dell 3548 Switch: Vlan + DHCP

[Deep23]

I am currently in training in a company (a software)

To validate my internship I have to submit a placement report which revolves around a project in a company, the project is as follows.

At the moment the company has several offices and open spaces all the world is on the same subnet as 10.0.0.0/22. The problem is that network performance is weak and internal security is compromised, so my project is to divide the open-spaces and offices in vlan with an explicit nomenclature ie 1D140 appointed office on the first floor. So the name would be 1D140 vlan and IP addressing 10.14.140.X. I subsequently need to create a specific Vlan VoIP with QoS, but this is not the immediate problem (well I think).

My problem is that as you understand I need a DHCP address pool for each vlan and thus the idea would be not having to put a DHCP by vlan but to a kind of inter-vlan routing or something along these lines Checkpoint>> Other Servers>> DHCP>> ipcop>> Switch Dell 3548>> VLANs

I thought of the function Ip helper-address, but unfortunately it does not exist on the Dell.

Apart from that I have no idea how to do this, I have done much research, I found very little interest on the dell switch, I have some ideas on cisco on mode trunk ( 802.1q) who looks complicated to put in place on the dell.

[Big Fish]

What I remember, at this stage of your presentation of the situation, is that you intend to make the assignment to a VLAN of the network. And to see how this is possible, you have measured all the implications of this choice? In other words, a user will not be on the same subnet network depending on where it connects. For me it's a very strange (and bad) idea in terms of security. I much prefer a user is always in the same Vlan and that according to its identification.

What do you think?

[Deep23]

With regard to the assignment to VLANs is a good question, I have not yet settled on how I was going to do that, however I have noted in your message that it is possible to assign people to VLANs authentication this can be a very interesting option. However, I do not understand what my solution may pose security problems (can you enlighten me).

In the current context of things a person works in his office and has no need to move. Did I misunderstood?

So to summarize, Yes, I want to make Vlan port.

[Big Fish]

With regard to the assignment to VLANs is a good question, I have not yet settled on how I was going to do that, however I have noted in your message that it is possible to assign people to VLANs authentication this can be a very interesting option. However, I do not understand what my solution may pose security problems (can you enlighten me).

In the current context of things

This poses a problem of security. Available network resources (information, various features) are based on the person. It is understandable why a CEO, a salesperson, an assistant, and have different access levels of confidence different. We understand that this is not a history of networks made but the level of confidence. The deduction is needed, if the VLAN is designed as a security elements (and this is a good idea) is that a person must be in the proper Vlan when it connects to the machine. But since we do security, it will not change voluntarily, accidentally or otherwise, and that this device must accept work habits current (I take my laptop in a meeting but I want to stay connected ).

The mistake is to think that only kind of users.

a person works in his office and has no need to move.

It has a very good reason to want to change: access to information that should not normally be accessible. Here you are missing. And as you become a professional, experience aside, you are accused of negligence. Security can not believe that the pirate meets your rules of the game. The development of laptops, wifi and other highly mobile terminals are only making the problem more acute.

Moreover when you talk about vlan per port is partly just because it is assumed that the port is connected to a cable that resulted in him taking in any given area. Nothing prevents a person (not necessarily the company!) Using an outlet or another.

For the user to assign a vlan per port is not physically secure, it is not flexible (how you do in meeting rooms with people of a different level of confidence?) And it is very cumbersome.

In my opinion if you want to contribute VLANs security you should use a solution based on 802.1x.