tmcd35 (3rd December 2009)
Following on from another thread (VLAN for wireless? Do we need it?), and temporarily ignoring my own advice ('if it ain't broke don't fix it'): what would you guys suggest is best practice?
I have a flat network getting close to its limit on DHCP leases. We have around 375 PCs and lappies. Our wireless network is unmanaged and all our switches support VLANs (I think).
Would it be best to explore the possibilities of segregating the network? If so, how should I look at VLANing? APs, classroom PCs, printers, servers?
What about routing 1x Linux VM with a virtual NIC on each VLAN?
Other than infinite IPs, what other benefits would I get from doing this?
You *really* want to do any routing on a layer 3 switch as it will be considerably faster. Certainly a VM would be unsuitable for routing due to the I/O requirements.
Benefits (depending on switches) can be:
Smaller broadcast domain, reducing broadcast traffic.
ACLs to control traffic flow between vlans
Unauthorised/Guest VLAN
Dynamic vlan assignment (if you have 802.1x).
Default gateway to send all external traffic via a firewall/switch.
Non routed vlans (eg for Printers) so traffic has to go via a machine with access to the vlan (eg Print server).
tmcd35 (3rd December 2009)
VLANs have massively improved our network.
So you have printers on one VLAN that only the print server can access. I assume all the servers are on another and server requests are routed to that VLAN. I'm guessing we could run separate VLANs for admin, student and APs to improve security.
Would you have a separate VLAN for each ICT suite, or just a student PCs VLAN?
I'm guessing the Layer 3 routing is done on the root switch (I'll have to check if my HP 4108's do Layer 3). All other switches need to support VLANs to correctly send data back to the root switch for routing?
On a similar note, what do people think about user storage areas?
Next summer I'm planning to get a NAS box (or maybe a SAN) as a central store for VM images running across three (possibly four) Hyper-V servers. The NAS (or SAN) will be connected to the servers on their own separate Layer 3 switch.
Should I plumb this NAS switch into our main network and move data shares on to the NAS. Or should I run the data shares from within Virtual Machines (basically what I'm doing now)?
Currently we've got a Sun 7110 serving as the VM image store and our user data store. The 7110 connects through to a Windows VM that then serves files out to the rest of the network. It's got multiple network connections - some are on a separate network that only the VM servers and it sit on. The rest of its network interfaces sit on the standard network.
We will be moving to using CIFS directly on the 7110, removing an unnecessary layer of abstraction at some point in the next few months. Unfortunately when we started to use it for everything we couldn't get it to join AD, but in the latest releases this isn't a problem!
tmcd35 (3rd December 2009)
4108GLs do basic routing, as that's what we are using.
tmcd35 (3rd December 2009)
I'd like to hear more people's views on best practice for VLANs and NAS usage, however I have stumbled upon a problem.
Rather than repost the problem here I'll throw in a shameless link to my blog (www.tmcd35.net). Now that's sorted, advice please...
Anyone know a good way of tracing connections between switches and ultimately between switches and wall sockets without having to unplug cables and then waiting to see who complains?
Looks like I may spend next half term wandering the halls with a cable tester!
Last edited by tmcd35; 5th December 2009 at 01:20 PM.
Hi tmcd35
If your switches are managed, one way to trace which port is serving what, and without pulling the network apart, would be to find the MAC address of the device, then check the MAC address table of each switch to see where that MAC address was seen. A little long-winded, I know, but using this method you should see exactly which path the device in question takes throughout your network topology.
Also worth mentioning: make sure the client is active to stop the address ageing out of the switch MAC tables.
As for VLANs, in the past I have used VLANs to segregate the LAN between Curriculum and Admin networks; it frees up IP addresses (by creating a new subnet) and offers another level of security, and other benefits like scalability and better performance (more control over broadcast domains etc).
Typically, a decent level 3 core switch is best (IP lite is ok, but usually the hardware is not as good performance-wise as a true layer 3 switch) that is designed to switch at layer 3 for best performance.
The key to managing a VLAN network is good documentation; knowing exactly how your network is bolted together is paramount, especially if you are using "port-based" VLANs.
I wouldn't go VLAN mad though. Ask yourself why you want/need to VLAN (ie, running out of addresses, security or performance issues) and, in the good ole tradition of (if it ain't broke...), do I need to VLAN?
As for NAS, well that's out of my comfort zone.
Jaco
Last edited by Jaco45er; 6th December 2009 at 09:17 PM. Reason: Spelling mistakes due to hangover
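One way to automate the MAC-table lookup Jaco describes, as an added example that is not code from the thread: it parses constructed, simplified MAC tables from two hypothetical switches (switch names, port names and the table format are all assumptions) and ranks the sightings so that the access port, where the MAC shares its port with the fewest other addresses, comes first; inter-switch uplinks carry many MACs and sort last.

```python
import re

# Constructed sample tables (not output from any real device). Each line is
# "port  mac  vlan"; the first line is a header. Assumed topology: the core
# sees the whole ICT suite behind uplink A1, and a server on its own port B3.
MAC_TABLES = {
    "core-4108": """\
Port  MAC Address        VLAN
A1    001122-334455      1
A1    00aabb-ccddee      1
A1    001122-aabbcc      1
B3    000102-030405      1
""",
    "edge-ict1": """\
Port  MAC Address        VLAN
24    001122-334455      1
24    00aabb-ccddee      1
24    000102-030405      1
7     001122-aabbcc      1
""",
}


def normalise(mac):
    """Reduce any MAC spelling (00:11:22..., 001122-..., 0011.22..) to 12 hex chars."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_mac_table(text):
    """Return {normalised_mac: port} from a simple port/MAC/VLAN table."""
    entries = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 2:
            entries[normalise(parts[1])] = parts[0]
    return entries


def trace_mac(mac, tables):
    """List (switch, port, other_macs_on_port) for every switch that learned
    the MAC, sorted so the likely wall-socket port is first. The client must
    be active, or the entry will have aged out and no switch reports it."""
    mac = normalise(mac)
    sightings = []
    for switch, text in tables.items():
        entries = parse_mac_table(text)
        if mac in entries:
            port = entries[mac]
            shared = sum(1 for p in entries.values() if p == port) - 1
            sightings.append((switch, port, shared))
    return sorted(sightings, key=lambda s: s[2])
```

The full sorted list is the path through the topology: the last entries are the uplink ports on the switches between the core and the device.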
tmcd35 (6th December 2009)
If you were going to do this, I would really recommend you first map out your network visually showing what connects to what and where and then you can sort out vlans easily.
So something like dia or visio would be handy. Cisco Packet Tracer would be excellent for this if you can get a copy (eg trial or if you're part of their academy program).
The VLAN idea was one I was, still am in a way, exploring to tidy up my network, add security and give me some new IPs. I've got to add at least 1 VLAN next summer when I bring the data network online - but that's really a separate issue. The issue with that is more 'how do I present it to the rest of the network', through file server VMs or provide some direct access to the NAS (probably faster?).
Considering the current state of the network documentation I think my priority is going to be remapping the entire network (oh joy of joys!). Any tools or tips I can find to make this job easier would be much welcome, but I've already resigned myself to the fact I'm going to have to visit each and every network point with a cable tester.
I've got dia - I love it. Very useful for visualising how the network looks and what changes you want to make.
If you have managed switches (you might need to enable the interfaces) they can generally create reports on what is connected to where, which of course isn't perfect but it will give you some idea.
tmcd35 (6th December 2009)

For those using RBC / LA assigned IP ranges I would also suggest you ask your local bods whether introducing a new range via VLANs / NAT is going to cause an issue accessing services they provide. If you need a larger range they may be able to provide you with one, or at least an additional range that you can then work with too ... and since this requires a move to a Layer 3 network then you might also finally have justification to upgrade your network hardware. I know one of your schools that has done it this way.
Very good point (a fellow Kettriner I see).
I know a couple of senior schools who only use their assigned network for the connection between the router's Ethernet interface and the external Ethernet of their firewall, only using 2 addresses on a 255.255.252.0 network, then internally they do what they like.

@Jaco45er - You have PM

Terry, extra IP addresses or a complete new scope is free. You just need to raise a request with the help desk.
tmcd35 (6th December 2009)