HP Switches 2530 vs 1950 vs 1920

Dashrender

Good to know, thanks.

Dashrender

@scottalanmiller said:

What I would recommend considering is this:

1. Get a new switch designed around migrating to OBFN (stackable.)
2. Slowly move IPs over time to the new IP range as you can do so easily.
3. Every time you replace a switch, get another stack member and move things over.
4. Profit

Would you start with a whole new IP range for the new network?
For example I currently use
172.168.30.x main network
172.168.40.x remote location 1
172.168.50.x remote location 2
172.168.60.x remote location 3
172.168.70.x remote location 4
172.168.80.x VOIP
172.168.90.x Wireless
172.168.100.x VPN

For my migration should I create something like 192.168.192/22?
We are closing 2 of the remote locations, so I'll still need two of those smaller networks for them.

scottalanmiller

Well it depends BUT from looking at yours I would use 172.168.30.0/22 and put all new devices above 172.168.31.0 so that there is no overlap.

scottalanmiller

For security reasons, keeping VLANs or physically separate networks for VPN, DMZ and WiFi might make sense.

Dashrender

OK, Let's talk about those.

The VPN currently has to allow access to both the servers and the PC's because we have some people who RDS into their PC at work, and others who just connect to the servers. Unless I do more segregation, there isn't much gained by splitting out VPN from the main network.

DMZ - yeah well that's always good to split, assuming you have one. Which currently I don't. Which begs, for a company my size is it worth the efforts of maintaining a DMZ? I currently host email in house and will for at least the next two years.. after that we might be ready to move to O365.

The WiFi is currently limited only to staff, and even the staff are not allowed to join their personal devices to the network.
I've talked to the board about offering free WiFi to patients, which of course the staff would take full advantage of for their personal stuff too, but so far they've said no. IF I did that, it would definitely be on its own VLAN for that SSID and only allowed out to the internet, and u-turns allowed at the firewall if found to be required.

Additionally - is it worth the effort to have servers be in there own VLAN separate from workstations?

scottalanmiller

@Dashrender said:

DMZ - yeah well that's always good to split, assuming you have one. Which currently I don't. Which begs, for a company my size is it worth the efforts of maintaining a DMZ? I currently host email in house and will for at least the next two years.. after that we might be ready to move to O365.

DMZ is necessitated by use, not by size. But often you don't need one, but if you do, obviously you gotta do something to secure it well.

For email as the only thing being hosted, normally I would not bother.

scottalanmiller

Especially if only for two years. How long before you would have it implemented? At least six months, I'm sure. Then the time frame gets less and less.

A Former User

@Dashrender said:

The WiFi is currently limited only to staff, and even the staff are not allowed to join their personal devices to the network.
I've talked to the board about offering free WiFi to patients, which of course the staff would take full advantage of for their personal stuff too, but so far they've said no. IF I did that, it would definitely be on its own VLAN for that SSID and only allowed out to the internet, and u-turns allowed at the firewall if found to be required.

Keep in mind not all firewalls/routers allow hairpining.

Anyway I would not ask to put in a Guest network if you didn't have one. We have one here that is separate and we'd love to get rid of it but people think they need it. We block streaming, P2P and most media type things on it though.

Dashrender

As part of patient satisfaction I think we should have one. If we put it on it's own internet pipe the cost would be less than $100 a month, but we are moving soon to a new 100/20 pipe from a 10/10 pipe... so we'll have plenty of bandwidth, and with the limitations that creative mentions kinda makes it a non issue.

A Former User

@Dashrender said:

As part of patient satisfaction I think we should have one. If we put it on it's own internet pipe the cost would be less than $100 a month, but we are moving soon to a new 100/20 pipe from a 10/10 pipe... so we'll have plenty of bandwidth, and with the limitations that creative mentions kinda makes it a non issue.

we have 100/100mb pipes. But if you give a mouse a cookie... that bandwidth can be used up in no time if you let it be.