  1. #1

    ProCurve VLAN performance question: tag ALL VLANs to ALL ports on ALL switches

    Hi,

    Ignoring issues with the security of the IP subnets assigned to my different VLANs, does tagging all ports on every switch have a bad effect on performance?

    We have an L3 ProCurve 2600 (J9264a) as our core switch, which handles the inter-VLAN routing; most of our other switches are L2 2510Gs.

    We have 30 or so Wi-Fi access points, which assign VLANs dynamically depending on who is logged on. At the moment I have tagged ALL VLANs on just the ports that the access points are connected to on the various switches around the buildings.

    For an easier life after some patch-panel rewiring jobs I am about to perform, I was thinking about just tagging all VLANs on all ports on every switch. I know this will work, but I wasn't sure whether, and how much of, a performance hit we would take on the network.

    I'd be most grateful if anyone has a definitive answer.

    Cheers,
    Dan.

  2. #2
    foofighterjim
    If all VLANs are tagged on all ports and switches wouldn't that defy the topological reasons for VLANing in the first place?

  3. #3

    localzuk
    Quote Originally Posted by foofighterjim
    If all VLANs are tagged on all ports and switches wouldn't that defy the topological reasons for VLANing in the first place?
    Not necessarily, as each port would have its "default" VLAN untagged, meaning the VLANs still exist to segregate things. I'm not 100% sure here. The main disadvantage is security: any device can connect to anything, and can therefore broadcast on any VLAN. You can also end up causing odd loopbacks if two are bridged, etc.

  4. #4

    SYNACK
    802.1X and MAC-address-based VLAN assignment? May as well do it right if your switches support it.

  5. #5

    Quote Originally Posted by localzuk
    Not necessarily, as each port would have its "default" VLAN untagged, meaning the VLANs still exist to segregate things. I'm not 100% sure here. The main disadvantage is security: any device can connect to anything, and can therefore broadcast on any VLAN. You can also end up causing odd loopbacks if two are bridged, etc.
    Each port is untagged on the default VLAN, so for a device to connect to a particular VLAN/subnet they would have to enable the VLAN settings on the NIC of a particular device. This would mean physically connecting to a network socket, and this is a security risk I feel OK with; rogue devices in our school would almost exclusively be wireless devices such as mobiles/tablets, etc.

    The reason for my different VLANs was to cut down the broadcast traffic (we were previously a flat network on a /21 subnet!); it also allows a different route to the internet, with particular ease, based on AD groups. If there is no performance hit then tagging all ports on all switches gives me an easy life, as I can make changes without having to worry about ports.

    Thanks for the responses so far.

  6. #6

    localzuk
    You're just moving the config work there, though. Rather than configuring the switch ports, you're configuring the device. Normal networking principles call for end devices not to need special configuration.

    You'll eventually find items that don't support tagging, and then you'll end up with exceptions all over the place.

    Also, you won't be able to tell at a glance which VLAN a port is using at any one time, so diagnostics will be more difficult.

  7. #7

    Fair enough. But as we are set up right now, it is only the Wi-Fi access points that use the tagged VLANs, and they do this dynamically according to rules on the controller. The untagged VLAN is what ALL our wired devices are running on, so no extra config.

  8. #8

    SYNACK
    It will hit the speed, as every frame from every port will need to be checked before it can be switched; whether this cripples your network or not depends on the switches and how many hosts. You could console in and check the CPU usage, memory usage and queue depth before the change, then again afterwards, both at busy times of day, to see the effect.

    Again, this is not the right way to configure the switches, and automated VLAN assignment based on MAC address would be much better, but it may still work if there is enough spare CPU horsepower and memory on all of your switches to accommodate the checking of every single frame at least once before it gets anywhere.

  9. #9

    What's to stop a student looping a cable between two wall ports and bringing all your VLANs down?

    Unless of course you set up multiple-VLAN spanning tree protocol on your edge switches.

    And don't say they won't do it because I have seen it before.

  10. #10

    localzuk
    Indeed. We run 802.1X and MAC-based auth on our network (MAC-based for wired, 802.1X for wireless). The only ports that are tagged with "all" VLANs are the uplinks on each switch. The WAPs are tagged only on the wireless VLANs, and untagged on the management VLAN.

    We rarely have to change any port config unless we completely move things around in the school, or if a specific piece of hardware doesn't work properly with the delay caused by the MAC based auth (printers are the main culprits for this).
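
    The design debated above (post #5: every VLAN tagged on every port, versus post #10: only uplinks carry all VLANs, AP ports carry only the wireless VLANs, everything else untagged) is easy to check mechanically from a ProCurve running-config. The following Python audit is an added example and is not code from the thread or from HP. It parses the `vlan N` / `untagged <ports>` / `tagged <ports>` stanzas of a ProCurve-style config, builds per-port VLAN membership, and flags any non-uplink port that carries tagged VLANs it has no documented reason to carry. Both config excerpts are constructed for the example; the port numbers, VLAN IDs, and the choice of ports 23-24 as uplinks and 21 as an AP port are assumptions.

```python
"""Audit HP ProCurve VLAN port membership from a running-config excerpt."""
import re
from collections import defaultdict

# Constructed ProCurve-style excerpt (assumption, not from the thread):
# every VLAN tagged on every port, the design the original poster proposed.
ALL_TAGGED_CONFIG = """
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   exit
vlan 10
   name "Staff"
   tagged 1-24
   exit
vlan 20
   name "Students"
   tagged 1-24
   exit
vlan 99
   name "Management"
   tagged 1-24
   exit
"""

# Constructed excerpt of the post #10 design: ports 23-24 are uplinks and
# carry every VLAN, port 21 is an AP (wireless VLANs tagged, management
# untagged), all other ports are untagged on VLAN 1 only.
UPLINKS_ONLY_CONFIG = """
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-20,22
   exit
vlan 10
   name "Staff"
   tagged 21,23-24
   exit
vlan 20
   name "Students"
   tagged 21,23-24
   exit
vlan 99
   name "Management"
   untagged 21
   tagged 23-24
   exit
"""

VLAN_RE = re.compile(r"^\s*vlan\s+(\d+)\s*$")
PORTLIST_RE = re.compile(r"^\s*(untagged|tagged)\s+(\S+)\s*$")


def expand_ports(spec):
    """Expand a ProCurve port list such as '1-4,7,Trk1' into port names."""
    ports = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)-(\d+)", item)
        if m:
            ports.extend(str(p) for p in range(int(m.group(1)), int(m.group(2)) + 1))
        else:
            ports.append(item)
    return ports


def parse_vlan_membership(config):
    """Return {port: {'untagged': vlan_id or None, 'tagged': set of vlan ids}}."""
    membership = defaultdict(lambda: {"untagged": None, "tagged": set()})
    current = None
    for line in config.splitlines():
        m = VLAN_RE.match(line)
        if m:
            current = int(m.group(1))
            continue
        if line.strip() == "exit":
            current = None
            continue
        m = PORTLIST_RE.match(line)
        if m and current is not None:
            mode, spec = m.groups()
            for port in expand_ports(spec):
                if mode == "untagged":
                    membership[port]["untagged"] = current
                else:
                    membership[port]["tagged"].add(current)
    return dict(membership)


def audit(config, uplinks, ap_ports, wireless_vlans):
    """Flag non-uplink ports carrying tagged VLANs outside their allowed set.

    uplinks may carry anything; ap_ports may carry only wireless_vlans tagged;
    every other port is expected to be untagged-only. Returns a sorted list of
    (port, sorted list of unexpected tagged VLAN ids).
    """
    findings = []
    for port, m in parse_vlan_membership(config).items():
        if port in uplinks:
            continue
        allowed = set(wireless_vlans) if port in ap_ports else set()
        extra = m["tagged"] - allowed
        if extra:
            findings.append((port, sorted(extra)))
    return sorted(findings, key=lambda f: int(f[0]) if f[0].isdigit() else 10**6)


if __name__ == "__main__":
    for label, cfg in (("all tagged", ALL_TAGGED_CONFIG), ("uplinks only", UPLINKS_ONLY_CONFIG)):
        hits = audit(cfg, uplinks={"23", "24"}, ap_ports={"21"}, wireless_vlans={10, 20})
        print(f"{label}: {len(hits)} port(s) carrying unexpected tagged VLANs")
        for port, vlans in hits:
            print(f"  port {port}: tagged on {vlans}")
```

    Run against the "all tagged" excerpt the audit reports 22 ports, every edge port tagged on VLANs 10, 20 and 99 and the AP port tagged on the management VLAN 99 it should only have untagged; run against the "uplinks only" excerpt it reports nothing. Feeding it the output of `show running-config` from each switch gives the at-a-glance view of which ports carry which VLANs that post #6 says the all-tagged design would lose.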

  11. #11
    AButters
    Quote Originally Posted by foofighterjim
    If all VLANs are tagged on all ports and switches wouldn't that defy the topological reasons for VLANing in the first place?
    Yes. I fail to see the need for all of the broadcast traffic on each VLAN to be forcibly broadcast to every port on the network. That does seem to kind of defy the "performance improvement" part of VLANs in the first place?

    I only tag what needs to be tagged. I have whole switches that do not have VLANs set up on them, as they are only ever going to be curriculum switches. Of course it can all be changed with a mouse click if needed.


