Question : Problem: VLANs placement on connected switches

In an effort to reduce network broadcasts, improve security and separate teachers workstations from public computers, i want to implement VLANS on my flat network. Also, i want to put ACL on my switches and routers to secure my folders from unauthorized access. All the users are connected to switches connected to catalysts 2948G-L3 which in turn connect (through fiber) to a core which Catalyst 5000.
Here's a segment:

catalyst 5000
______ _
      |__|------|_|---servers
       |
|Fiber
       |
_
|_|catalyst 2948G-L3
|
|100Mb/s cat5
|

|____|HP Procurve 2650
| |
| |
teacher student
My questions are:
1. To best maximize bandwidth, where is the best place to implement the VLANS? (From what i figured it would be very complicated to put them on the first which that a computer connects to since i'd have to create trunking ports all the way up to the core.)
2. How can i make all the VLANs be able to communicate with some of the services provided by the server (e.g e-mail) without being able to do anything else? With ACL on the CORE switch (catalyst 5000)?
3. Would it be a better idea to subnet the network (192.168.0.0/16) and not use VLANs?

Sorry for the long Qs.
Thanks for your imput,
Tiby

Answer : Problem: VLANs placement on connected switches

> 1. To best maximize bandwidth, where is the best place to implement the VLANS? (From what i figured it would be very
> complicated to put them on the first which that a computer connects to since i'd have to create trunking ports all the way
> up to the core.)

... and if you DON'T do that, you'll have missed the whole point. VLANS without trunking are not terribly useful.

> 2. How can i make all the VLANs be able to communicate with some of the services provided by the server (e.g e-mail)
> without being able to do anything else? With ACL on the CORE switch (catalyst 5000)?

You need a router to carry traffic between VLANs, and it can provide ACLs. Do you have an RSM in your 5000? If so, that's the place to do it.

> 3. Would it be a better idea to subnet the network (192.168.0.0/16) and not use VLANs?

No. If you subnet it without VLANs, you still have the same broadcast traffic issues and you still need a router. Note that you WILL need to provide a different subnet on each VLAN, but you need the VLAN separation at Layer 2 to get the benefit of the separated subnets.

Random Solutions

Problem: New system will not boot after CMOS reset (clear RTC RAM)

Problem: HP Lights Out Card Configuration

Problem: Simultaneous wireless n & g - 3Comm & Airport Extreme - multiple devices

Problem: Howz the Intel 865 GBF Motherboard with Intel P-4 2.6cGHz HT 800 MHz processor

Problem: iPhone 3G Daylight Savings Exchange Calendar Meeting Issue

Problem: WTF's up with my iSCSI network config ???

Problem: Users cant print to a HP 1022n, job hangs in queue and can't be deleted

Problem: HP Scan Jet 5590 Internal Error Problem when scanning to email

Problem: XP Drive Won't Boot Up After Working For Months

Problem: CPU Not recognized as correct speed in Inspiron 9300