Firewall Wizards mailing list archives

Re: need opinion of security experts on network design


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Wed, 25 Jun 2008 18:49:17 +0200

Hello,

> 1-each floor is a separate VLAN

If you can guarantee that each floor will stay a separate collision
domain, then I would use separate LANs, i.e. Layer 2 switches for
the floors.

> 2-all switches in the floors are layer 3 switches (no layer 2 switches at all)

Why? Nothing in your architecture requires this.

> 3-no VLAN spans multiple switches,

Especially because of 1 and 3.

> 4-each of the floors' switches are connected via point-to-point
> interconnecting VLAN to a core switch

Now, for the core switch I would use a pair of layer 3 switches, statically
assign a VLAN for each floor to an _access_ port on each of them,
and connect each floor switch via two uplink ports to each of the core
switches.

The core switches can do the routing statically, since you only
ever configure layer 3 information on two devices. They can
provide redundancy to the access/distribution layer (floor switches
and hosts) via HSRP (in a Cisco world) or some similar means for
layer 3 and spanning tree for the layer 2 connections.

> 5-No spanning tree at all in the network as each switch is a different
> unique VLAN

No spanning tree => no redundancy on layer 2 unless I missed something.

> 6-All VLAN routing is done via the OSPF protocol
> So I have about 50 VLANs with about 50 interconnecting VLANs
>
> Can anyone give me his opinion from a security point of view on that design?

Security = C * 1 / Complexity

Your design looks overly complex for the architecture requirements
sketched in 1 - 4.

Kind regards,

Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de       http://www.punkt.de
Gf: Jürgen Egeling      AG Mannheim 108285
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

