I am thinking about changing my current vlan setup.
As the network grows I would like to further reduce broadcast traffic and any unnecessary security issues.
I just wanted to know how you guys did it, as every school I speak to does it differently.
I know this has been covered but it was some time ago.
For e.g. do you have them for printers, phones, wireless etc.?
Or do you do them by departments or blocks?
What scopes have you got configured?
Ours is done by blocks.
Servers on vlan2
Downstairs on vlan3
Upstairs on vlan4
IT suites on vlan 5
Outside blocks on vlan 6
Wireless on vlan 8
That's great thanks.
Originally Posted by newpersn
How many clients have you got?
What mask you using?
What core switch have you got installed?
This is our vlan topology
@CyberNerd: Aren't /23 subnets a little excessive? Never mind the /16 for your servers!
The 16 is historic - before we vlanned, everything was 16 so rather than change the scope, we added other vlans and slowly migrated everything off the 16 subnet.
Originally Posted by Ric_
The 23's are too big at 500 devices per vlan, but I don't think that matters because it's all RFC1918; it'll never get to that many devices. I could have chosen a smaller subnet, but I don't see any issue other than it looking quite big.
Broken up by logical elements
ILO (and other management interfaces)
Client (more than 1)
With redundant routing at the CORE(s)
Interesting VLAN number for your blade centre management ;). I also tend to use /23's for most of our "fixed building switch stack" VLANs, with wireless pools normally being a /22 or /21 (dependent on wireless usage). We've also got a /20 that our servers sit on due to a historic setup that was decided before I started and was easier to just continue with while we migrated away from a flat network :)
Originally Posted by CyberNerd
Forgot to say that we currently have around 15 VLANs for various things. Mostly our VLANs are centered around separate comms room/floor location (similar to @CyberNerd), along with separate VLANs for each wireless SSID, servers/printers, DMZ, VPN connections and VoIP phones.
Design and implement once, sit back and feel relaxed when you are ready for pretty much anything. Here is what we have in place:
Network Devices Management
Clients Area 1
Clients Area 2
Clients Area 3
Clients Area 4
Wireless Students 1
Wireless Students 2
Wireless Staff 1
Wireless Staff 2
Building Control Systems
Access Control Systems
Everything works better if you can restrict the number of simultaneous devices per subnet to <256. For wireless this is pretty much essential. Our core switch/router has ACL rules to restrict packets between some of the subnets. Not all of the subnets are used (for example only one of the 'Areas' subnets is in use due to the physical topology of the site and low client count, the BCS VLAN is awaiting the existence of a BCS which may never happen, and many of the 'second' VLANs are there ready for when our relevant device count makes them necessary to employ).
If you want to get fancy, you can have two MSTP groups and load balance your vlan traffic across links that would otherwise be redundant. <- I've never done this. I have seen it done. It adds to complexity, which may not be a good thing depending on the skill available when adding additional network devices.
Also my subnets for each VLAN are HUGE. This is because for simplicity they are all the same size (I only ever have to remember the subnet mask and the IP of the first host...). The BYOD/Guest subnet needs to be large because the churn rate of devices through it, when considered from the point of DHCP leases, means that smaller ones are at risk of IP exhaustion when we have ramped up to our expected device levels. I could have set shorter lease times for those subnets, but why make more work and differing configurations when the standard one will do?
Core is an HP A5500 Stack (Comware). A Cisco engineer can get it to do pretty much anything I need it to after spending 15 minutes with the documentation.
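The subnet-sizing debate above (/23s at 500 devices, the historic /16 and /20 server networks, and the "fewer than 256 simultaneous devices per subnet" rule of thumb) is easy to check mechanically. The following is an added example, not code from any poster in this thread; the VLAN plan in it is constructed to resemble the layouts posted and is not anyone's real addressing. It reports usable hosts per VLAN, flags subnets over the limit, finds overlapping ranges (which break routing and DHCP scope selection), and works out the smallest prefix that fits an expected device count.

```python
"""Check a VLAN/subnet plan against the rules of thumb in the thread:
fewer than 256 hosts per broadcast domain, RFC 1918 space only, and
no overlapping subnets.

Added example, not from the thread. The plan below is constructed to
resemble the posted layouts; none of it is anyone's real addressing.
"""
import ipaddress
from itertools import combinations

# Constructed plan: VLAN id -> (purpose, subnet)
VLAN_PLAN = {
    2: ("Servers (historic flat network)", "10.0.0.0/16"),
    3: ("Downstairs clients", "10.1.0.0/23"),
    4: ("Upstairs clients", "10.1.2.0/23"),
    8: ("Wireless BYOD/guest", "10.1.8.0/21"),
    99: ("Switch/iLO management", "10.9.99.0/24"),
}

HOST_LIMIT = 256  # "restrict the number of simultaneous devices per subnet to <256"


def usable_hosts(cidr: str) -> int:
    """Addresses assignable to hosts: everything except network and broadcast."""
    return max(ipaddress.ip_network(cidr, strict=True).num_addresses - 2, 0)


def smallest_prefix_for(hosts: int) -> int:
    """Shortest IPv4 prefix length that still leaves `hosts` usable addresses."""
    for prefix in range(30, 7, -1):  # try /30 (2 hosts) down to /8
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts will not fit in a single IPv4 subnet down to /8")


def oversized_vlans(plan=VLAN_PLAN, limit=HOST_LIMIT):
    """VLAN ids whose subnet can hold `limit` or more hosts (one broadcast domain too big)."""
    return sorted(v for v, (_, cidr) in plan.items() if usable_hosts(cidr) >= limit)


def overlapping_vlans(plan=VLAN_PLAN):
    """Pairs of VLAN ids whose subnets overlap; a router cannot tell them apart."""
    nets = {v: ipaddress.ip_network(cidr) for v, (_, cidr) in plan.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def non_private_vlans(plan=VLAN_PLAN):
    """VLAN ids whose subnet is not RFC 1918 space (usually a typo in the plan)."""
    return sorted(v for v, (_, cidr) in plan.items()
                  if not ipaddress.ip_network(cidr).is_private)


def report(plan=VLAN_PLAN) -> list:
    """Findings as text lines; returned rather than printed so they can be checked."""
    lines = [f"VLAN {v:>3} {cidr:<16} {usable_hosts(cidr):>6} usable hosts  {desc}"
             for v, (desc, cidr) in sorted(plan.items())]
    for v in oversized_vlans(plan):
        lines.append(f"WARN VLAN {v}: {HOST_LIMIT} or more hosts in one broadcast domain")
    for a, b in overlapping_vlans(plan):
        lines.append(f"ERROR VLAN {a} and VLAN {b} overlap")
    for v in non_private_vlans(plan):
        lines.append(f"ERROR VLAN {v} is not RFC 1918 space")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against the constructed plan it flags the /16, both /23s and the wireless /21 as oversized, which is exactly the trade-off the posters describe: the big ranges are harmless while the device count stays low and the space is RFC 1918, but they are larger broadcast domains than the rule of thumb wants.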
That's the core I have..
Could I see your documentation for this please?
So I'm assuming you have dhcp scopes for each?
Do any of you use WDS? Does the IP helper work in the same way?
If you're using VLANs and want imaging, and DHCP is on another server, just use the next-server option; it'll work and your clients (even on a different IP range) should get an address providing your firewalling is set up correctly.
I have VLANS setup as below.
VLAN 50 - Servers
VLAN 80 - Clients
VLAN 99 - Guests
VLAN 101 - Phones / VOIP
VLAN 102 - WIFI
VLAN 166 - LAB Network
VLAN 77 - Environmental
My imaging servers (Fog, ZEN, WDS) are all on the servers VLAN, but in my pfsense router I have the next-server option set to the IP of my imaging server, all of my clients when I reboot and boot to Network get the correct range and start imaging, I can even boot into Linux or GParted if need be using PXE.
All of our network security is on the servers VLAN also, Firewalling, Proxying, AV etc and everything on the other VLANS goes through fine.
So IP Helper shouldn't make a difference in this case.
I can't seem to get my clients vlans to obtain an ip from dhcp. I have configured dhcp with a new scope and created a new interface with the same mask but it just won't get an address.
I just need to add the route!!! Silly me
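The IP helper question, the next-server answer and the "clients on the new VLAN won't get an address until I add the route" fix are three views of one mechanism: the relay agent forwards the client's broadcast to the DHCP server with giaddr set to the client VLAN's gateway, the server picks the scope that contains giaddr (and hands out next-server only if that scope has one), and the unicast OFFER then has to be routed back to giaddr. The following is an added example, not code from any poster here; every VLAN id, subnet, server address and routing-table entry in it is constructed to resemble the posted layout (servers on VLAN 50, clients on 80, Wi-Fi on 102).

```python
"""DHCP relay across VLANs: how "ip helper" lets one DHCP server serve every
VLAN, why the scope is chosen from giaddr, and why the reply still needs a
route back.

Added example, not from the thread. All VLAN ids, subnets, server addresses
and the routing table below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ip = ipaddress.ip_address
net = ipaddress.ip_network
IPv4 = ipaddress.IPv4Address


@dataclass
class Scope:
    vlan: int
    network: ipaddress.IPv4Network
    router: IPv4                          # default gateway handed out in the OFFER
    next_server: Optional[IPv4] = None    # PXE boot server ("next-server" in pfSense/ISC dhcpd)


# Constructed layout: servers (DHCP, imaging) on VLAN 50, clients on 80, Wi-Fi on 102.
DHCP_SERVER = ip("10.50.0.10")
IMAGING_SERVER = ip("10.50.0.20")
SCOPES = [
    Scope(50, net("10.50.0.0/24"), ip("10.50.0.1"), IMAGING_SERVER),
    Scope(80, net("10.80.0.0/23"), ip("10.80.0.1"), IMAGING_SERVER),
    Scope(102, net("10.102.0.0/22"), ip("10.102.0.1")),  # no PXE on Wi-Fi
]

# Constructed routing table on the server VLAN's router (destination -> next hop).
# The missing 10.80.0.0/23 entry is the "I just need to add the route" situation.
ROUTES = {
    net("10.50.0.0/24"): "connected",
    net("10.102.0.0/22"): ip("10.0.0.2"),
}


def relay(client_vlan_gateway: IPv4) -> dict:
    """Relay agent (the client VLAN's SVI with an IP helper configured): the
    client's broadcast DISCOVER is re-sent as unicast to the DHCP server with
    giaddr set to the relaying interface's address."""
    return {"giaddr": client_vlan_gateway, "dst": DHCP_SERVER}


def select_scope(giaddr: IPv4, scopes=SCOPES) -> Optional[Scope]:
    """Server side: giaddr identifies the client's subnet. 0.0.0.0 means the
    DISCOVER arrived un-relayed, i.e. the client is on the server's own VLAN."""
    key = DHCP_SERVER if giaddr == ip("0.0.0.0") else giaddr
    return next((s for s in scopes if key in s.network), None)


def build_offer(giaddr: IPv4, scopes=SCOPES) -> Optional[dict]:
    """The parts of an OFFER that matter here. The offered address is the
    100th host of the scope (constructed; a real server picks a free lease)."""
    scope = select_scope(giaddr, scopes)
    if scope is None:
        return None  # no scope covers this relay: the client gets nothing
    offer = {
        "vlan": scope.vlan,
        "yiaddr": scope.network[100],
        "subnet_mask": scope.network.netmask,
        "router": scope.router,
    }
    if scope.next_server is not None:
        offer["next_server"] = scope.next_server  # where the PXE client fetches its boot file
    return offer


def has_return_route(giaddr: IPv4, routes=ROUTES) -> bool:
    """The unicast OFFER is sent to giaddr. With no route to that subnet it is
    dropped, which looks exactly like 'clients on the new VLAN never get an IP'."""
    return any(giaddr in dst for dst in routes)


def relayed_exchange(client_vlan_gateway: IPv4, scopes=SCOPES, routes=ROUTES) -> Optional[dict]:
    """End to end: relay, scope selection, and the return-path check."""
    request = relay(client_vlan_gateway)
    offer = build_offer(request["giaddr"], scopes)
    if offer is None or not has_return_route(request["giaddr"], routes):
        return None
    return offer


if __name__ == "__main__":
    for gw in (ip("10.80.0.1"), ip("10.102.0.1")):
        print(f"relay from {gw}: {relayed_exchange(gw)}")
```

With the routing table as constructed, the Wi-Fi VLAN completes the exchange while the client VLAN does not, even though its scope exists and is selected correctly; adding the 10.80.0.0/23 route is all that changes between the two. The same scope lookup is also why next-server works per VLAN: it rides along with whichever scope giaddr selects, so an imaging server on the server VLAN can serve clients in any range without the helper behaving differently for PXE.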