network design to segregate public and staff

Posted by barb on Server Fault See other posts from Server Fault or by barb
Published on 2010-12-24T00:29:02Z Indexed on 2010/12/24 0:56 UTC
Read the original article Hit count: 665

Filed under:

My current setup has:

  • a pfsense firewall with 4 NICs and potential for a 5th
  • 1 48 port 3com switch, 1 24 port HP switch, willing to purchase more
  • subnet 1) edge (Windows Server 2003 for vpn through routing and remote access) and
  • subnet 2) LAN with one WS2003 domain controller/dns/wins etc., one WS2008 file server, one WS2003 running Vipre anti-virus and Time Limit Manager which controls client computer use, and about 50 pcs

I am looking for a network design for separating clients and staff. I could do two totally isolated subnets, but I'm wondering if there is anything in between so that staff and clients could share some resources such as printers and anti-virus servers, staff could access client resources, but not vice versa. I guess what I'm asking is can you configure subnets and/or vlans like this:

  • 1)edge for vpn
  • 2)services available to all other internal networks
  • 3)staff which can access services and clients
  • 4)clients which can access services but not staff

By access/non-access, I mean stronger separation than domain usernames and passwords.

© Server Fault or respective owner

Related posts about networking