Segmentation and DHCP Server Config Question

Started by slash8, March 19, 2024, 09:31:02 PM


slash8

Hi. Pardon this noob question. My network is currently flat (single VLAN) with around 100 desktops/laptops and I want to implement basic segmentation. We have a Fortinet Firewall that is also the DHCP Server and recently acquired an L3 switch that I will be using as the core/distribution (see the attached diagram). So my question is where should I create the VLANs, VLAN routing, ACL, and DHCP server? Which of these should be configured in the firewall and which should be in the L3 switch? Thank you so much!

deanwebb

Segmentation is done for two reasons - network traffic distribution and security.

Having separate offices in their own VLANs provides a level of organization in knowing which location is where based on IP address. IPv4 is easier to read than IPv6, but both can be managed to make human-readable address ranges. However...

... different device types have different security considerations. Printers and IoT devices are not as well-managed as PCs, typically, and present a two-way security risk. They can host malware that one does not have tools to remove other than a complete factory reset - or in some cases, replacement - and are also vulnerable to malware coming at them from more resilient PCs. One can also argue that such devices should have zero or limited Internet connectivity to complete their functions. In such cases, having those devices on their own VLAN means that the security of those VLANs can be managed.

Combining the two means separate VLANs for different devices at all locations, which may be impractical for smaller locations. In such a case, a microsegmentation solution that works with the firewall would be appropriate for handling different device types. That means getting a visibility solution into the picture and a lot more complexity than the first questions you ask. :)

So let's answer those questions from a routing and switching perspective and set aside the security. The L3 router is where I would have the VLANs created and live. For DHCP, I would get it off of the firewall and stand up a separate group of servers to provide resilience and better flexibility for DHCP service. DO NOT RUN DHCP ON PRODUCTION CISCO GEAR. Even Cisco advises against doing so.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

slash8

Hello, thank you so much for the reply and inputs! Sorry for the late reply, I am swamped at work at the moment lol. I also would like to give separate VLANs for each office; however, it might be a challenge to manage since there are lots of offices (about 17) with unequal numbers of devices (e.g. one office has as many as 12 while another has only 4). If, at the moment, I at least divide it into two, say VLAN 10 for operations and VLAN 20 for admin/finance, they will have the same ACL access to the internal servers. Does that make a difference in terms of security if, say, VLAN 10 is hit with ransomware/malware?

As much as I want to separate the printers as well, I can't do it at the moment since the switches in each office are unmanaged ones lol. And thanks for sharing microsegmentation. Is that something applicable in our setup? I'd have to read more into that first.

Lastly, for the R&S side, I will leave the VLAN creation and routing to the L3 switch as you suggested. However, we don't have another DHCP server at the moment, so I take it that it is better to have the Fortinet Firewall do it for now rather than the L3? Although I may have to test and simulate it first in GNS3, since I am not sure how to configure those. Thank you so much!

deanwebb

Give all the offices a /24 like 10.0.1.X, 10.0.2.X,... 10.0.17.X.

Internal servers should also be divided. Then only the admin/finance have access to admin/finance server resources in the ACL. Instead of an ACL, another method is to use identity-based security with a tool like CyberArk, Okta, or something similar. Make sure you have multi-factor authentication in place, as username/password is barely any security at all.

Yes, better the Fortinet than the Cisco for DHCP.
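The layout deanwebb describes across both replies (VLANs and routing on the L3 switch, DHCP left on the Fortinet, servers split so the ACL can deny operations hosts the admin/finance resources) looks roughly like the following. This is an added example, not configuration from either poster. It assumes a Cisco IOS-style L3 switch (the thread only implies one), FortiOS syntax on the firewall, a FortiGate inside interface named port2 on a /30 transit VLAN, the VLAN numbers and 10.0.x.0/24 ranges shown, and that the FortiGate will answer relayed DHCP requests from a scope configured on the interface that receives them. Lines beginning with `!` (IOS) or `#` (FortiOS) are annotations.

```text
! ===== L3 core switch (Cisco IOS syntax assumed) =====
ip routing
!
! Interim split from the thread: two user VLANs, servers divided in two.
! Per-office VLANs later follow the same pattern, e.g. office N -> 10.0.N.0/24.
vlan 10
 name OPERATIONS
vlan 20
 name ADMIN-FINANCE
vlan 30
 name SERVERS-GENERAL
vlan 40
 name SERVERS-FINANCE
vlan 254
 name TRANSIT-TO-FW
!
! Each user VLAN is routed here and relays DHCP to the FortiGate
! (ip helper-address turns the client broadcast into a unicast with
! giaddr = this SVI address, which the FortiGate uses to pick the scope).
interface Vlan10
 description Operations users (10.0.10.0/24)
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.254.2
 ip access-group OPS-IN in
!
interface Vlan20
 description Admin/finance users (10.0.20.0/24)
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.254.2
!
interface Vlan30
 description General internal servers (10.0.30.0/24)
 ip address 10.0.30.1 255.255.255.0
!
interface Vlan40
 description Admin/finance servers (10.0.40.0/24)
 ip address 10.0.40.1 255.255.255.0
!
interface Vlan254
 description /30 to FortiGate inside interface (assumed port2)
 ip address 10.0.254.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.0.254.2
!
! Operations hosts may reach the general servers and the Internet
! (still policed by the FortiGate) but never the finance servers or the
! admin/finance user VLAN. The bootpc/bootps permit must come first,
! otherwise the inbound ACL drops the clients' DHCP DISCOVER broadcasts.
ip access-list extended OPS-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 10.0.10.0 0.0.0.255 10.0.40.0 0.0.0.255
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 10.0.10.0 0.0.0.255 any
 deny   ip any any

# ===== FortiGate (FortiOS CLI syntax assumed) =====
# Route the whole internal block back to the switch so return traffic
# and relayed DHCP replies reach the SVIs.
config router static
    edit 10
        set dst 10.0.0.0 255.255.0.0
        set gateway 10.0.254.1
        set device "port2"
    next
end
# One scope per relayed VLAN; the scope lives on the interface that
# receives the relayed request, not on a VLAN the FortiGate is attached to.
config system dhcp server
    edit 10
        set interface "port2"
        set default-gateway 10.0.10.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.0.10.50
                set end-ip 10.0.10.250
            next
        end
    next
end
```

To check it, plug a client into VLAN 10, then run `execute dhcp lease-list` on the FortiGate to confirm the lease came from the 10.0.10.x scope, and `show ip access-lists OPS-IN` on the switch after the client tries to reach a 10.0.40.x address: the deny line's hit counter should increase while the general-server line stays clean. Note that with routing on the switch, VLAN-to-VLAN traffic never crosses the FortiGate, so the switch ACL is the only control between operations hosts and the finance servers; the firewall only sees what leaves toward the Internet.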