VLANS so many vlans
So where I work we seem to have a lot of VLANs (around 50) in a single domain, the reason being to reduce broadcast traffic (so I'm told anyhow). All the switches are HP ProCurves and we use IP Helper to span VLANs to get DHCP addresses.
Now I'd love to get rid of as many of these as possible, but before I do I thought I'd see if anyone could see any potential issues and also if anyone could offer any advice on how they'd go about this?
50 seems a lot but obviously we don't know the situation fully :)
There are a few common approaches to VLANs - some separate networks by location, by cabinet, by room sometimes. Some, including myself, prefer to separate certain services; for instance servers, printers, wireless, guest wireless, clients, an isolated network for testing maybe, CCTV, VoIP systems if you have that, and have those few VLANs spanning your entire site. Printers are often the worst culprits for broadcast traffic I find - ours before we VLANned everything up were beyond diabolical!
Fifty does seem like rather a lot. As @synaesthesia says the general school of thought is either to group by location or by similar requirements.
Documentation is the key thing. Make sure you know why the VLANs are there and what they are doing before you unpick it.
A good segregated network is great... a bad one is a nightmare!
VLANs do cut down broadcast traffic, but that's not their only function.
Given that VLANs are also subnets you're going to have to re-IP anything you change, at least the mask and default gateway.
Why do you want to get rid of them?
This. A thousand times this.
Originally Posted by pantscat
I'm relatively happy with our layout. The district is comprised of seven buildings and most of the VLANs go building first, then service, but a couple span the entire district.
Each building has its own:
- management VLAN for switches
- wireless management VLAN for access points
- wireless VLAN for instructors
- wireless VLAN for students
- instructional VLAN for student and staff wired systems
- server VLAN
- security VLAN for IP cameras
District spanning VLANs are:
- one for HVAC controllers
- one for the phone switches
The phone switches and HVAC controllers didn't number enough to warrant separate VLANs for each building. Having them in their own VLANs enabled us to limit remote access to just those subnets as well for when contractors need to get in. Most of the subnets have 23-bit masks and the links between the buildings are all trunk links over private fiber. I purposely left all the classroom ports on one VLAN too. Room layouts change too often and I would be pulling my hair out trying to keep up with port assignments for staff/printer/student devices.
First and foremost though as already stated, you need to completely document what you have, understand it, and have a plan before you start changing things. Going into something like this blind would cause much hilarity to ensue.
Thanks for the replies guys, I think my first task will be to document what everything does and how it does it, then think about what to do next... I'll let you know how I get on!
Just to chip in that VLANs alone, whilst containing broadcast traffic within a given subnet, do not solve all networking issues.
You could have 50 VLANs on a single network and if one subnet/VLAN kicks off across all switches without the corresponding traffic controls your network can still grind to a halt.
Admittedly having 50 VLANs on a single domain means something is doing a lot of inter VLAN routing and if this isn't up to scratch you can end up with a lot of latency between subnets.
I have 8 VLANs at one site and I thought that was enough, but I'm about to pull the CCTV off of it completely now and isolate it over its own fibre uplinks and some dedicated switchgear, as the traffic from clients on the data network is routing through the core switch to view CCTV on the DVR LAN and this sits at up to 10 Mbps all day long on the shared uplinks.
VLANs are a great way to get the most out of your structured cabling but it doesn't mean you have to push everything across the same wire.
Removing a VLAN means you have to move all related traffic and IP management onto another, so a lot of basic stuff applies, like: is the DHCP scope large enough to service the influx of new clients?
Are the new co-habitants of the consolidated VLANs happy to work together?
You need to do a lot of visualisation as many of the potential impacts of merging previously separated traffic together may not be apparent until you do it, by which time it's too late and you have the world and his dog on your back!
Sounds like 50 is far too many but are the implications of collapsing them down more hassle than the gains to be had from simplified management?
Thanks m25man that was really interesting and hit home for me as there are definitely latency issues on the network.
Most of the VLANs seem to segregate departments which only contain normal workstations, so once I've documented the structure I'll look at slowly breaking down the VLANs.
As for the actual breakdown of the VLANs, could I potentially just remove the VLAN on the ports and add the workstations to the default untagged VLAN?
Yes, that's how it goes, or switch them to an alternative VLAN. Just be careful of DHCP exhaustion, and if you're running VoIP and IP phones be careful you don't break anything you can't fix.
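The two practical checks raised in this thread before collapsing VLANs, whether the merged DHCP scope is large enough for the influx of clients and whether the re-IP'd subnet will step on a VLAN you are not merging, can be scripted against the documentation everyone here says to write first. The following is an added example, not code from any poster; the VLAN inventory, lease counts and the 20% headroom figure are constructed for illustration.

```python
"""Capacity and address-space check for collapsing several VLANs onto one subnet.

Constructed example: the inventory, lease counts and headroom are made up.
Run this against your own documented VLAN list before touching port config.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass
class Vlan:
    vid: int
    name: str
    subnet: IPv4Network
    active_leases: int      # clients currently leasing from this VLAN's scope
    static_hosts: int = 0   # gateway, printers, anything addressed by hand


# Constructed inventory standing in for the documented VLAN list.
INVENTORY = [
    Vlan(10, "Sales",    ip_network("10.1.10.0/24"), active_leases=180, static_hosts=4),
    Vlan(11, "Finance",  ip_network("10.1.11.0/24"), active_leases=150, static_hosts=6),
    Vlan(12, "HR",       ip_network("10.1.12.0/24"), active_leases=90,  static_hosts=2),
    Vlan(13, "Printers", ip_network("10.1.13.0/24"), active_leases=0,   static_hosts=40),
    Vlan(30, "Servers",  ip_network("10.1.30.0/24"), active_leases=0,   static_hosts=60),
]


def usable_hosts(net: IPv4Network) -> int:
    """Host addresses in a subnet, excluding the network and broadcast addresses."""
    return max(net.num_addresses - 2, 0)


def covering_supernet(vlans):
    """Smallest single prefix that contains every subnet being merged.

    Widening the mask is what lets existing hosts keep their addresses and
    only change mask and gateway (the re-IP this thread warns about).
    """
    nets = sorted(v.subnet for v in vlans)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:
            return None
        candidate = candidate.supernet()
    return candidate


def merge_plan(all_vlans, merge_ids, headroom_percent=20):
    """Report whether the VLANs in merge_ids can share one scope safely.

    'fits' is the DHCP-exhaustion check: current demand plus headroom must
    not exceed the usable hosts of the widened prefix. 'collides_with' lists
    VLANs outside the merge whose address space the widened prefix would
    swallow, which would break routing for those hosts.
    """
    merging = [v for v in all_vlans if v.vid in merge_ids]
    others = [v for v in all_vlans if v.vid not in merge_ids]
    target = covering_supernet(merging)
    demand = sum(v.active_leases + v.static_hosts for v in merging)
    # Integer ceiling of demand * headroom_percent / 100, avoiding float rounding.
    needed = demand + (demand * headroom_percent + 99) // 100
    capacity = usable_hosts(target)
    collisions = [o.name for o in others if o.subnet.overlaps(target)]
    fits = needed <= capacity
    return {
        "target": str(target),
        "demand": demand,
        "needed": needed,
        "capacity": capacity,
        "fits": fits,
        "collides_with": collisions,
        "ok": fits and not collisions,
    }


if __name__ == "__main__":
    for ids in ({10, 11}, {10, 11, 12}):
        plan = merge_plan(INVENTORY, ids)
        print(sorted(ids), plan)
```

In the constructed data, merging Sales and Finance widens cleanly to a /23 with room to spare, while pulling HR in as well forces a /21 that would also absorb the Printers VLAN, so the script flags that merge as not OK even though the scope itself would be big enough. That second case is the "not apparent until you do it" problem described above, caught on paper instead of on the live network.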
I probably have close to 50 VLANs but I like it. The folks who designed it did it similar to @Duke5A's setup.
- Each data closet gets its own data VLAN
- Each building's wireless, HVAC, and IP cameras get their own VLANs
- Switch management in a VLAN
- Servers in a VLAN
- Several wireless VLANs based on guest, student, staff etc.
The idea behind this design in addition to separation of services is troubleshooting. I can look at an IP and find out what building and what data closet.
In hindsight there are a few changes I would make, but it's not worth the hassle now.
The HVAC is a /24 VLAN in each building with only 2 or 3 devices in it; that could have been spanned across the district.
Wireless management could have been spanned across the district (maybe?)
Some of the larger data closets have two /24s with no consistency of which port is on what VLAN. I have two computer labs where some PCs are on one VLAN and some on another. At some point I need to convert those to a /23.
Another benefit of multiple data VLANs is when the time comes I'll be able to set up filtering per building based on their IP.
As others have said someone set them up for a reason so find out what they are all for before you change anything.
@ADMaster raises a very valid point regarding multiple data LANs as grouping by IP is a very easy way to manage access especially as you get closer to the gateway.
I can see how this could appeal to sites where granular control at the IP layer is needed and indeed in a lot of commercial applications I can see how it could work well.
A good example is shared premises such as business and enterprise lettings like Regus office suites, where many tenants get access to shared Internet and comms rooms.
It's not unusual to get 30 or 40 businesses wanting their own networks but needing shared Internet access.
Managing a building like that will consume data VLANs quickly, but inter-VLAN routing is almost non-existent, maybe just the phone system, CCTV, and building management system, thus multiple VLAN routing latency wouldn't occur.
Latency has always been the biggest problem I have ever seen on multiple data VLANs; it's not that it doesn't work, just that sometimes, through no fault of the NM, a packet has to travel across far too many hops to get to its destination and back again via sometimes grossly underpowered switches with ARP tables overflowing with entries, and this can have devastating effects on application performance. You know the type of stuff, shared databases that use file locking instead of SQL and accounts packages dragging data across several VLANs every time a field is updated.
Having 50 VLANs on your backbone will not be an issue if it has sufficient trunks or LAGs (depending on which vendor's terminology you use), but if you're tagging a single uplink with 50 VLANs it's maybe not the most optimal method, though I have seen many exactly like this.