Hello,
I was wondering if someone could give me an opinion on the scenarios I've come up with to segment a LAN.
Background: We have several office/plant locations. We want to segregate all workstations in all plants from the office computers in all plants, mainly to segregate broadcast traffic to prevent viruses, etc., as the plant computers run manufacturing equipment, but also for security to prevent unauthorized access from office employees. Each branch/plant currently has a Cisco 2600 that connects it via an MPLS WAN to our main facility, which has a Cisco 3600 router. This is the only access these branches have (no direct internet). Most branches have a Cisco Cat 2950 as switch.
Our IT dept needs access to the plant computers, as do engineers in Germany. The plant computers themselves need access to the internet for software and OS updates.
Option 1 - Create a VLAN for all plant computers and trunk them all together. My thinking is to either only allow routes for certain IPs to access inside the plant VLAN, or to have a VPN server on this plant segment that can handle office connectivity as well as the German engineer connectivity. Allow all plant computers to route outbound to the internet.
Option 2 - Place a Cisco 1700 or 2600 in between the two networks and also use ACLs to limit access. Use the same VPN configuration as Option 1 for access. Allow all plant computers to route outbound to the internet.
Option 3 - This one seems a little unconventional, but realistically is it any different from Option 1? Simply change all the IP addresses on the plant computers to a different network, create the appropriate routing statements in the 2600 routers, and then use the same VPN setup as Options 1 and 2? Wouldn't this method still prevent broadcasts? The only issue would be if someone physically changes their IP to the same network address as the plant computers. This could allow a compromise.
Thanks for any suggestions you might have.
Max
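Options 1 and 2 both come down to a plant VLAN plus an ACL on whatever box routes between the VLANs; the Cat 2950 is Layer 2 only, so on the hardware already in place that is the branch 2600. The following IOS configuration is an added, constructed illustration of that (not from Max's post or from any vendor document); the VLAN numbers, port ranges, the 10.1.x.x branch subnets and the assumed IT management subnet and VPN address pool are all assumptions:

```cisco
! --- Catalyst 2950 (assumed layout: Fa0/1-12 office, Fa0/13-23 plant, Fa0/24 uplink to the 2600)
vlan 10
 name OFFICE
vlan 20
 name PLANT
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
interface range FastEthernet0/13 - 23
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/24
 switchport mode trunk
!
! --- Cisco 2600: one sub-interface per VLAN ("router on a stick"); addresses are constructed
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.1.20.1 255.255.255.0
 ip access-group PLANT-IN in
 ip access-group PLANT-OUT out
!
! Traffic leaving the plant VLAN: anything except the local office subnet
ip access-list extended PLANT-IN
 deny   ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 log
 permit ip 10.1.20.0 0.0.0.255 any
!
! Traffic entering the plant VLAN: only IT, the engineers' VPN pool, and replies
ip access-list extended PLANT-OUT
 remark TCP replies to sessions the plant hosts opened (software/OS update downloads)
 permit tcp any 10.1.20.0 0.0.0.255 established
 remark DNS replies; the "established" keyword matches TCP only
 permit udp any eq 53 10.1.20.0 0.0.0.255
 remark IT department management subnet at the main facility (assumed 10.0.50.0/24)
 permit ip 10.0.50.0 0.0.0.255 10.1.20.0 0.0.0.255
 remark address pool the VPN server hands to the German engineers (assumed 10.0.60.0/24)
 permit ip 10.0.60.0 0.0.0.255 10.1.20.0 0.0.0.255
 remark everything else, including office VLAN 10, is dropped and logged
 deny   ip any any log
```

The `log` keyword on the deny entries makes office-to-plant connection attempts visible in the router's syslog, which is the cheapest detection available in this setup. Renumbering alone (Option 3) leaves plant hosts in the same broadcast domain, so ARP and other Layer 2 broadcasts still reach them; the VLAN is what actually removes that.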