"best practice" for network design given these components? - TechRepublic
Question
June 5, 2013 at 03:10 AM
r_o_l_a_n_d

“best practice” for network design given these components?

by r_o_l_a_n_d. Updated 13 years ago

I have an office whose network I'm designing.
It has the following existing hardware:
Cisco ASA firewall
1 core Cisco switch
4 edge Cisco layer 3 switches (all Gb)
10 Apple AirPort Express

NATted services:
– CCTV/DVR
– Open Directory/DNS/file server

– 4 distinct types of end users/departments.

I’m considering the following:

Internet -> ASA -> DMZ (Open Directory + DVR) | internal gateway (iptables or TMG) providing caching and traffic shaping -> core switch -> edge switches (VLANs mentioned)

These are the questions I'm thinking about at the moment:
1. Who handles DHCP? The core switch or the gateway (Windows/Linux)?
2. I need per-user logging; how can I enable that with VLANs? In other words, I want to go into my gateway and see that user X from VLAN Y has traffic to destination Z. Is that possible, or am I bound to just see the subnet source for each VLAN? (This part is related to where DHCP is set.)
3. Should I put CCTV/DVR and Open Directory in two separate VLANs inside the DMZ?
4. What's the best practice for access points: to use them as a bridge, or should they serve their own DHCP?
5. I need to add VPN access. Should I rely on the ASA, or is it better to use a separate appliance?
6. In case I acquire a VPN appliance for users to connect to, what's the best location for it? In the DMZ or outside the firewall?
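One way to get the per-host view asked about in question 2, as an added example that is not part of the original post: if the DHCP server runs on the same Linux gateway that does the iptables logging (one of the options in question 1), the kernel LOG lines can be joined to the dhcpd lease table so that "SRC=10.0.20.7 on eth1.20" becomes "bob-pc on the engineering VLAN". Everything below is constructed for the example: the subinterface naming (eth1.<vlan>), the VLAN-to-department map, the subnets, hostnames, log lines and lease file. A host whose address was not issued by this gateway (static, or leased by a DHCP server on the core switch that the gateway cannot see) comes out as unknown, which is the practical trade-off behind question 1.

```python
"""Correlate iptables LOG output with ISC dhcpd leases to attribute
per-VLAN traffic seen at a Linux gateway to a specific host.

Added example, not code from the original post. Interface names,
subnets, VLAN IDs, hostnames, log lines and lease entries are
constructed for illustration; the log format is the standard kernel
LOG target line and the lease format is ISC dhcpd's dhcpd.leases.
"""
import re

# Constructed iptables LOG lines, as written by a rule such as
#   iptables -A FORWARD -j LOG --log-prefix "FW-FWD: "
# on a gateway whose inside interface carries 802.1Q subinterfaces
# named eth1.<vlan> (assumption: the VLAN ID is the suffix).
SAMPLE_LOG = """\
Jun  5 03:10:01 gw kernel: FW-FWD: IN=eth1.10 OUT=eth0 SRC=10.0.10.23 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=51234 DPT=443
Jun  5 03:10:02 gw kernel: FW-FWD: IN=eth1.20 OUT=eth0 SRC=10.0.20.7 DST=198.51.100.5 LEN=52 PROTO=UDP SPT=40000 DPT=53
Jun  5 03:10:03 gw kernel: FW-FWD: IN=eth1.20 OUT=eth0 SRC=10.0.20.99 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51235 DPT=22
"""

# Constructed dhcpd.leases excerpt. Only hosts that got their address
# from this gateway's DHCP server appear here; 10.0.20.99 does not.
SAMPLE_LEASES = """\
lease 10.0.10.23 {
  starts 3 2013/06/05 02:58:12;
  ends 3 2013/06/05 10:58:12;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice-mbp";
}
lease 10.0.20.7 {
  starts 3 2013/06/05 02:40:00;
  ends 3 2013/06/05 10:40:00;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "bob-pc";
}
"""

# Assumed mapping of 802.1Q VLAN ID to department.
VLAN_NAMES = {10: "sales", 20: "engineering"}

LEASE_RE = re.compile(r'lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}', re.S)
LOG_RE = re.compile(
    r'IN=(?P<iface>\S+)\s+OUT=\S+\s+SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)'
    r'.*?PROTO=(?P<proto>\w+)(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?')


def parse_leases(text):
    """Return {ip: {'mac': ..., 'hostname': ...}} from dhcpd.leases text.
    dhcpd appends a fresh block on every renewal, so the last block for
    an address wins, which is also what the daemon itself does."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        body = m.group('body')
        mac = re.search(r'hardware ethernet ([0-9a-f:]+);', body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        leases[m.group('ip')] = {
            'mac': mac.group(1) if mac else None,
            'hostname': host.group(1) if host else None,
        }
    return leases


def vlan_of(iface):
    """VLAN ID from a subinterface name such as eth1.20 (None if untagged)."""
    _base, _sep, tag = iface.partition('.')
    return int(tag) if tag.isdigit() else None


def attribute(log_text, leases, vlan_names=VLAN_NAMES):
    """Join each LOG line to its DHCP lease; hosts with no lease are flagged."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall LOG line, skip it
        vlan = vlan_of(m.group('iface'))
        lease = leases.get(m.group('src'))
        records.append({
            'vlan': vlan,
            'department': vlan_names.get(vlan, 'unknown'),
            'src': m.group('src'),
            'host': lease['hostname'] if lease else 'UNKNOWN (no lease)',
            'mac': lease['mac'] if lease else None,
            'dst': m.group('dst'),
            'proto': m.group('proto'),
            'dport': int(m.group('dpt')) if m.group('dpt') else None,
        })
    return records


if __name__ == '__main__':
    for r in attribute(SAMPLE_LOG, parse_leases(SAMPLE_LEASES)):
        print(f"vlan {r['vlan']} ({r['department']}): {r['host']} [{r['src']}]"
              f" -> {r['dst']}:{r['dport']}/{r['proto']}")
```

This yields per-host attribution, not per-user: a lease ties an address to a MAC and hostname, and turning that into "user X" needs an identity source (directory login records, or RADIUS accounting from 802.1X on the switches) that is not shown here. The same join works with a DHCP server elsewhere only if its lease or audit log is exported to wherever the firewall logs are collected.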

This discussion is locked
