To VLAN or not to VLAN... that is the question!

[neilault]

We currently have two IP ranges provided by the SWGfL and due to the way they setup the routing through thier router it turns out that all traffic on the secondary range is capped at 30MB speeds and therefore has very slow network access at busy times!

SWGfL recommend that the routing is done at our network level via a layer 3 switch and to therefore VLAN the two ranges. Obviously this is a huge lot of work to configure each switch (we have over 50) and as I understand it each port will belong to a particular VLAN and would require planning.

The other option as I see it, is to request a complete new IP range big enough to accomodate all the IPs we need and setup everything on this new range and therefore not need any routing. I know we would have to run both IPs on our servers until the external domain records were updated.

To further complicate things we have BT installing a new VoIP system in the next couple of weeks and they have not suggested setting that up on a VLAN but woul dit be advisable to do?

What would you do? VLAN or new IP range?

Please help!

[nephilim]

If you had the option to accomodate a larger IP range, and can change the IP ranges in all of the machines then do that. Go with VLAN second.

[_Adam_]

Assuming you have a largish network (based on 50 switches x 24 ports avg), I would begin thinking about introducing VLANs. On a flat network you're pretty much running on a single VLAN so adding a couple will still have you working until you begin moving over.

Main reason would be to limit the impact of broadcasts. Depending on your network would could use VLANs to further segment it down to smaller areas.

[cpjitservices]

yeah segmentation would be good

[rbance]

Assuming you have a largish network (based on 50 switches x 24 ports avg), I would begin thinking about introducing VLANs. On a flat network you're pretty much running on a single VLAN so adding a couple will still have you working until you begin moving over.

Main reason would be to limit the impact of broadcasts. Depending on your network would could use VLANs to further segment it down to smaller areas.

Wouldn't think...would be doing at this size...

[bantonia]

VLAN's are good to segment your network. mitigating broadcasts. You can also dice and slice your network introducing a security layer into the network.

Ignoring the broadcast advantages, the alternative is to chuck in a single layer 3 switch and make your allocated IP address range, which you get 30Mb as a DMZ and choose your own address range and then use NAT. You can also throw in VLAN's on top. Using your own IP address range you can add transparent proxying if required.

We use around 7 or so VLAN's for different functions, one is to keep Admin away from Curriculum machines.

[IrritableTech]

Personally I would vlan. I'm guessing from the amount of switches, your network is fairly large? I like to vlan and reduce the broadcast domains on anything bigger than a /22 subnet.

I'd also go for a new subnet from SWGFL (we did) because our LEA does not like natting addresses. They like to know what machine a request comes from.

Speak to SWgfL they are there to help. They might also get you in touch with a neighbouring school who have had the same problem to fix.

[bantonia]

Personally I would vlan. I'm guessing from the amount of switches, your network is fairly large? I like to vlan and reduce the broadcast domains on anything bigger than a /22 subnet.

I'd also go for a new subnet from SWGFL (we did) because our LEA does not like natting addresses. They like to know what machine a request comes from.

I Agree, VLAN's the way to go but VLAN's tend to multiply and you end up NATing anyway. Whatever the LEA likes or dislikes, it is up to the School/College Leadership Team or the Network Manager to decide what goes. True the LEA might like to know where the traffic is originating so they can tie down security such as AVCO transfers but when the member of the admin team is absent and your finance person requires a transfer of documents then you are stuck to go to that one machine. By giving them the NAT address any one of your machines in those NATted address ranges can do the job if the software is installed.

There are advantages of doing VLAN's, DMZ and NAT.