We're looking to improve our outdated VLAN setup that's become overly complicated and messy. Currently, we have many empty VLANs and devices incorrectly placed, with no proper documentation. We're a production and assembly site with about 1,500 employees and minimal physical servers—most things run on VMware with external Fibre Channel storage. I've outlined a preliminary structure for our VLANs that includes segregated areas for operational technology (OT), management, backups, R&D, and more, but I'm seeking advice on best practices and effective strategies to keep things simple and efficient for the future.
4 Answers
There's no universal answer here, but in environments like yours, I recommend separating different devices and vendors into distinct VLANs. This enhances security, especially since many industrial devices can be insecure. If you're using Wi-Fi, make sure to put clients and IoT devices on their own VLANs too. Think about implementing a Network Access Control solution while you're at it; it could really simplify client authentication across your new VLANs!
Your VLAN strategy should align with your networking goals—VLANs help isolate broadcast traffic and improve controls like access control lists. Just keep in mind that routing between VLANs can impact performance, especially if they're managed at higher levels. Balancing between many VLANs and operational efficiency is key; start with a few, then expand as necessary.
For best practices, I suggest maintaining a star topology with a high-availability router to help manage those purpose-built VLANs. Just remember that if R&D needs unique requirements, factor those in as child VLANs. Also, I’ve found it helpful to number VLANs and keep a comprehensive documentation list for better management.
It's great that you're thinking about VLAN segmentation for security—keeping OT and backup networks separate is wise. Since you've got a manufacturing environment, consider using functional VLANs tied to departments. Simplification is definitely key; cleaning up your VLANs will streamline management and improve security. Good luck with the redesign!
That's a solid point about NAC! If they can streamline security while improving usability, it could save a lot of headaches down the line.