To Vlan or not Vlan? (Wireless Networks forum, Technical; page 1 of 3, posts 1 to 15 of 34)
  #1 Theblacksheep

    To Vlan or not Vlan?

    Hi,

    We have a DHCP change coming up, going to a /20 from /4.

    The school is currently flat networked, two domains, one DHCP range for:
    12 servers (admin, CC3, exch, file servers)
    650+ CC3 desktops (another 100 this summer)
    150+ CC3 laptops
    300+ linux mini-books (another 400 this summer)
    200+ Admin laptops

    LEA is gateway, the first address on our range, and we can't use the first 20 IPs.

    While planning out the IP range, I've been segmenting servers, switches etc. to reserve them (previously one big DHCP - yuk), which then brought me to VLANs.... I like the idea of separating computers onto separate networks, especially the teacher laptops.

    We have a 5308XL core, 5304 secondary switch + wireless module, then a mix of 2620, 2650, 2524, 2626 main switches.

    The equipment seems like it's here, but is it worth doing?
    Have those that have set up VLANs noticed performance benefits?
    Any issues with CC3?

  #2 SYNACK
    If you are bothering with subnetting then you should definitely use VLANs. They will restrict broadcast traffic to the individual subnets and should give you a quicker network due to better use of your bandwidth. CC3 is just a Windows overlay and should not be affected by VLANs, as they are transparent to the individual computers.

    Edit: All name resolution traffic uses broadcasts, and the more stations you get, the more broadcasts will flood to every port on your network, eating up CPU cycles on each machine and burning bandwidth. Additionally, if you have a busted network card or a loop in your network that floods the network with rubbish, this will limit the slowdown/halt to the VLAN segment that the offending station is on (as is said by localzuk below).
    Last edited by SYNACK; 16th July 2008 at 04:20 PM.

  #3 localzuk
    I would say a definite yes to VLANing your network. I wouldn't give speed as the main reason though. I would give the main reason as preventing broadcast storms/worms spreading throughout the entire network; instead just a single VLAN would be affected.

    But then, I'd have to find out more about CC3 as I've never used it.

  #4 mattx
    Keep It Simple. Always been my motto.
    Last edited by mattx; 16th July 2008 at 04:19 PM.

  #5 localzuk
    Quote Originally Posted by mattx:
        Keep It Simple. Always been my motto. Worms won't stop spreading just because you have VLANs btw
    They will with the core switch he has. By default, broadcast traffic cannot traverse VLANs with that switch, and as such most worms that have spread via broadcast traffic (which is most of them!) would only be able to get to machines on that VLAN.

    Introduce even tougher ACLs on the core switch and you can be even more secure.

    And in this case, simple is not best. Having over a thousand machines on a single network is bad practice. VLANs are the way to go.

  #6 ssiruuk2
    Why would you want a /4 subnet mask? Am I understanding that right, or was it a typo?

    Definitely use VLANs if you have switches capable of it and you have an L3 device to route traffic across them. I have about 750 nodes on our network; I subnetted it down and created around 20 VLANs. With VLANs you have less wasted bandwidth, making your network more efficient, plus you get enhanced security by only allowing certain VLANs access to specific resources.

    I suggest you get a copy of Ethereal or Wireshark. Capture a minute's worth of packets from a machine on the flat network / all in the native VLAN. Now put the machine into its own VLAN and see the difference.

    400 to 500 is the absolute max you should have on the same segment, and that's asking for trouble. Imagine if you get a faulty NIC creating a broadcast storm with the amount of machines you have at the moment!
    Last edited by ssiruuk2; 16th July 2008 at 04:56 PM.

  #7 Theblacksheep
    @ssiruuk2: We're on 1024 IPs... one large DHCP. Changing to 4096 and adding 500 IPs to the existing circa 1000.

    Thanks for the opinions.

    I had been thinking that although the network I've inherited is technically simple, having so many machines on one large network is no longer simple because of the data and traffic flows. I got the impression VLANning would help because (although it appears complicated) it will simplify the data flow.

    Looks like I have a lot to work out!

    If VLANs were used I planned to split: servers (tagged?), switches (tagged?), wireless modules (tagged?), admin desktops, admin (teacher) laptops, then CC3 user areas by building, CC3 wireless by department + minibooks wireless. Or is this over the top? My priority is separating the teacher laptops, as they are our biggest risk (but that's for another time).
    Last edited by Theblacksheep; 17th July 2008 at 12:14 AM.

  #8 ashok

    VLANs

    Hi,

    Yes, I agree this is a good candidate for VLANs, as there are simply too many devices on one flat network.

    With VLANs on CC3 there were some build issues, but these are sorted with a few changes to the hosts file on the build server, i.e. any of your CC3 DCs. I would say the broadcast traffic is one of the plus sides of it, but security and the ability to match your physical layouts of where devices are to your logical network is another.

    As others have said, you can use ACLs on your core switch to restrict traffic to and from one VLAN to another. Ideally you will have a default route on your L3 switch to point all internet-bound traffic to your internal proxy server or router.

    We are a CC3 site that uses VLANs on an all-Cisco network infrastructure and it works very well.

    A few things to remember:

    = don't rush the implementation
    = design the subnets so they are capable of meeting the needs in a few years' time, i.e. allow for more IP addresses per subnet
    = document everything and create a standard procedure for changing ports from one VLAN to another (I know this is for later on, but well worth it)

    = test, test and test, especially if you are going to be dynamically assigning VLANs to each device using a VMPS or RADIUS and doing 802.1X authentication.

    Go for it!

    Ash.

  #9 mattx
    What's the port that exposes full traffic if the switch thinks there is another switch on that port [VLAN or not], so that port is open? [Seriously thinking of VLANing our wireless network.....] Anyone?

  #10 ashok
    Quote Originally Posted by mattx:
        What's the port that exposes full traffic if the switch thinks there is another switch on that port [VLAN or not], so that port is open? [Seriously thinking of VLANing our wireless network.....] Anyone?
    Trunk port?
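What the tagged/untagged split asked about in #7 and the "port that sees everything" question in #9/#10 look like on the kind of kit the OP has, together with the inter-VLAN ACL that #5 and #8 mention. This is an added example, not configuration posted by anyone in the thread: the VLAN numbers, port names and 10.0.0.0/20 addresses are assumptions, the LEA next hop is a placeholder, and the syntax is the ProCurve 5300xl/2600-series style as I know it, so check each line against the manual for your own firmware before pasting.

```text
; Core 5308XL: VLANs routed on the core, uplinks B1-B2 carry them tagged.
; Addresses are from an assumed 10.0.0.0/20; <LEA-gateway> is a placeholder.
ip routing
; nothing joins a VLAN unless you put it there
no gvrp

vlan 10
   name "Servers"
   ; servers plug straight into the core: one VLAN, untagged
   untagged A1-A4
   tagged B1-B2
   ip address 10.0.10.65 255.255.255.224
   exit
vlan 20
   name "Switch-Mgmt"
   tagged B1-B2
   ip address 10.0.10.1 255.255.255.192
   exit
vlan 30
   name "Teacher-Laptops"
   tagged B1-B2
   ip address 10.0.8.1 255.255.255.0
   exit
vlan 40
   name "CC3-Desktops-BlockA"
   tagged B1-B2
   ip address 10.0.0.1 255.255.252.0
   exit

; Teacher laptops may not reach switch management (10.0.10.0/26) or the
; admin desktop subnet (assumed 10.0.12.0/24, VLAN not shown); everything
; else (servers, proxy, internet) is allowed. ACLs end in an implicit deny,
; so the final permit is what lets the rest through.
ip access-list extended "TEACHERS-IN"
   deny   ip 10.0.8.0 0.0.0.255 10.0.10.0 0.0.0.63
   deny   ip 10.0.8.0 0.0.0.255 10.0.12.0 0.0.0.255
   permit ip 10.0.8.0 0.0.0.255 any
   exit
vlan 30 ip access-group "TEACHERS-IN" in

; internet-bound traffic goes to the LEA router / proxy
ip route 0.0.0.0 0.0.0.0 <LEA-gateway>

; Edge 2650 in a teaching block: classroom ports untagged in the CC3 VLAN,
; staffroom ports untagged in the teacher VLAN, and the uplink to the core
; (port 49) tagged in every VLAN the block needs and nothing else.
vlan 30
   name "Teacher-Laptops"
   untagged 41-48
   tagged 49
   exit
vlan 40
   name "CC3-Desktops-BlockA"
   untagged 1-40
   tagged 49
   exit
```

On ProCurve there is no port that turns into a "see everything" port by itself: a port forwards a VLAN only if it is listed as tagged or untagged in that VLAN (HP uses "trunk" for link aggregation), so the exposure behind #9 is a port left tagged in VLANs it does not need, or GVRP letting a client request membership, which is why it is off above. On Cisco gear the same exposure is DTP negotiating a trunk with whatever is plugged in; `switchport mode access` plus `switchport nonegotiate` on every edge and access-point port closes it. Wireless follows the same rule: an AP port is untagged in the wireless VLAN only, or tagged in exactly the per-SSID VLANs the AP maps.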

  #11 localzuk
    Quote Originally Posted by ashok:
        = don't rush the implementation
        = design the subnets so they are capable of meeting the needs in a few years' time, i.e. allow for more IP addresses per subnet
        = document everything and create a standard procedure for changing ports from one VLAN to another (I know this is for later on, but well worth it)

        = test, test and test, especially if you are going to be dynamically assigning VLANs to each device using a VMPS or RADIUS and doing 802.1X authentication.
    Agree with all of these! Especially the testing and taking your time planning.

    My move from a flat network to a subnetted/VLANned network took about a month of planning and testing, to make sure I had every aspect covered. Also, ensure you factor in any changes needed to things like your edge router(s) if they are controlled by an external body (ours are, so we had to apply to get the subnet mask changed on it).

  #12 srochford
    Quote Originally Posted by SYNACK:
        Edit: All name resolution traffic uses broadcasts, and the more stations you get, the more broadcasts will flood to every port on your network, eating up CPU cycles on each machine and burning bandwidth.
    Err, not quite!

    If your machine is configured properly then name resolution will use DNS or WINS and only fall back to broadcast if they fail. Having got the IP address for the name, there is then a broadcast ARP request (if the MAC address is not already in the cache).

    You can watch this process with Wireshark which is really helpful to see what is using your network and how.

  #13 SYNACK
    Quote Originally Posted by srochford:
        Err, not quite!

        If your machine is configured properly then name resolution will use DNS or WINS and only fall back to broadcast if they fail. Having got the IP address for the name, there is then a broadcast ARP request (if the MAC address is not already in the cache).

        You can watch this process with Wireshark, which is really helpful to see what is using your network and how.
    If it is set up properly it will do this once it has acquired the appropriate MAC address for the IP address by broadcasting. It will initially broadcast to find the MAC of its default gateway unless it already has it cached. It will also broadcast to find the MAC equivalent of any IP addresses that are within its local segment that it needs to talk to directly.

    DNS and WINS handle IP addresses and host names only, and an ARP request is still required to locate the MAC address of any system with an IP that is in the same network segment.

    This is exactly the kind of traffic that a properly routed and segmented network will avoid, as then all of the traffic for IP addresses outside the local segment is directed at the MAC of the default gateway rather than spewing ARPs everywhere.

    It will also help if you have any misguided printers anywhere broadcasting AppleTalk and IPX rubbish if no one has remembered to disable those protocols.
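The "capture a minute on the flat network, then a minute in the new VLAN" comparison that #6 suggests, and the ARP/NBNS/IPX breakdown that #12 and #13 argue about, as an added example that is not from the thread. It reads the tab-separated export of tshark (the capture command and interface name are assumptions about your setup), counts broadcasts per protocol and per source, and flags any single host that dominates the broadcast domain, which is the faulty-NIC case ssiruuk2 warns about. The sample data is constructed (made-up MACs and counts) so the script runs offline.

```python
"""Summarise one minute of broadcast frames from a tshark field export.

Capture with (assumed command; pick your own interface):
    tshark -i eth0 -a duration:60 -Y "eth.dst == ff:ff:ff:ff:ff:ff" \
           -T fields -e eth.src -e _ws.col.Protocol > broadcasts.tsv
Each exported line is "<source MAC>\t<protocol>".
"""
from collections import Counter

# Constructed sample: (source MAC, protocol, frames seen in the minute).
# aa:00:05 plays the faulty NIC; aa:00:04 is a printer still chattering IPX.
SAMPLE_SPEC = [
    ("00:1b:21:aa:00:01", "ARP", 12),
    ("00:1b:21:aa:00:02", "NBNS", 8),
    ("00:1b:21:aa:00:02", "ARP", 10),
    ("00:1b:21:aa:00:03", "DHCP", 2),
    ("00:1b:21:aa:00:04", "IPX", 6),
    ("00:1b:21:aa:00:05", "ARP", 1400),
    ("00:1b:21:aa:00:06", "ARP", 9),
    ("00:1b:21:aa:00:06", "NBNS", 3),
]
SAMPLE_CAPTURE = "".join(
    f"{mac}\t{proto}\n" for mac, proto, n in SAMPLE_SPEC for _ in range(n)
)


def parse_capture(text):
    """Turn the tshark export into a list of (source MAC, protocol) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, proto = line.split("\t", 1)
        rows.append((src.strip().lower(), proto.strip()))
    return rows


def summarise(rows, seconds=60):
    """Frame total, rate, and per-protocol / per-source breakdowns."""
    return {
        "frames": len(rows),
        "seconds": seconds,
        "per_second": len(rows) / seconds,
        "by_proto": Counter(proto for _, proto in rows),
        "by_src": Counter(src for src, _ in rows),
    }


def noisy_sources(summary, share=0.20, min_frames=50):
    """Sources sending at least `share` of all broadcasts and `min_frames`.

    One host dominating the broadcast domain is the signature of a faulty
    NIC, a looped port or a scanning worm; every other host on the segment
    pays for it in CPU time and bandwidth, which is the cost VLANs contain.
    """
    total = summary["frames"]
    if total == 0:
        return []
    return [
        (src, n)
        for src, n in summary["by_src"].most_common()
        if n >= min_frames and n / total >= share
    ]


def background_rate(summary, noisy):
    """Broadcast frames per second once the flagged sources are excluded."""
    excluded = sum(n for _, n in noisy)
    return (summary["frames"] - excluded) / summary["seconds"]


def report(summary):
    """Human-readable summary, for comparing the flat and VLAN captures."""
    lines = [f"{summary['frames']} broadcast frames in {summary['seconds']}s "
             f"({summary['per_second']:.1f}/s)"]
    lines += [f"  {proto:<6} {n:>6}"
              for proto, n in summary["by_proto"].most_common()]
    noisy = noisy_sources(summary)
    for src, n in noisy:
        lines.append(f"  NOISY {src} sent {n} frames "
                     f"({100 * n / summary['frames']:.0f}% of all broadcasts)")
    lines.append(f"  background rate without noisy hosts: "
                 f"{background_rate(summary, noisy):.2f}/s")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print(report(summarise(parse_capture(text))))
```

Run it against the flat-network capture and the VLAN capture in turn: the background rate is the number that should fall once the segment is smaller, and any NOISY line is a host to go and find regardless of how the network is carved up.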

  #14 ssiruuk2
    Blacksheep - I'm sorry but I just don't get it. Are you sure you are currently on a 240.0.0.0 mask (/4)?

    You mentioned 1024 available hosts (/22) at the moment and moving to 4096 (/20)? From your earlier post I thought your subnet mask was going from /4 to /20, so available hosts per subnet should be going down, not up? That doesn't add up to me!

    Randomly, a /4 mask gives you a whopping 268,435,456 available hosts on that network!! Whoever thought that was a good idea before you took this on?!

    I think you might want to look at segmenting your network up further, to be honest, looking at the size of it, if you are going to VLAN it properly. Why not create more and much smaller subnets/VLANs for various departments / buildings, or one for each IT suite etc.? I got mine down to 32 or 64 hosts per VLAN (/26 and /27 mask) in the end, as we have a lot of roaming users so didn't want any of the DHCP scopes to fill up and run out of available addresses.

    When you have a proper grasp of creating the VLANs on your equipment and the associated trunk links (we are Cisco here, none of this HP "tagged" speak!), DHCP scopes and default gateways that actually get all this working, it's easy to get granular on your network for each function or department, i.e. we have one for each wireless SSID, one for printers, one for admin staff and offices, one for each IT room, another for each floor of classrooms etc.

    If you want any help then PM me, as I'm glad to help if you get stuck.

    Are you going to use static VLANs created manually on each switch, or use VTP (VLAN Trunking Protocol) or whatever the HP equivalent is? This will save you time if you have lots of switches. With VTP you create your VLANs on the VTP switch that is controlling the show, so to speak, and it will propagate the VLAN IDs down to all other switches on your network in the same VTP "domain". You just have to then assign your ports on each switch into the correct VLAN. I went for VTP here (with authentication). It's a doddle; it took me a couple of days to do our system here a few summers back. 25+ switches and about 750-800 outlets in all, including printers, wireless etc.

    Good luck with it
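The sizing argument running through #6, #8 and #14 (how many hosts per segment, how much headroom, and what a /4 versus /20 versus /22 actually holds), as an added example that is not from the thread. It carves one block into per-VLAN subnets, largest first so every subnet lands on its natural boundary, reserves the first addresses of each (gateway first, then statics, mirroring the 20 unusable addresses in the first post) and prints the DHCP scope for each. The 10.0.0.0/20 block, VLAN numbers and names are assumptions standing in for the LEA-allocated range; the host counts are the rough figures from the first post.

```python
"""Carve an address block into per-VLAN subnets with DHCP scopes."""
import ipaddress
import math

# Assumed VLAN list: (name, VLAN id, devices today). Counts follow post #1.
SCHOOL = [
    ("servers", 10, 12),
    ("switches-mgmt", 20, 30),
    ("teacher-laptops", 30, 200),
    ("cc3-desktops", 40, 750),
    ("cc3-laptops-wifi", 50, 150),
    ("minibooks-wifi", 60, 700),
]


def address_count(prefix):
    """Total addresses in an IPv4 /prefix (a /4 really is 268,435,456)."""
    return 2 ** (32 - prefix)


def usable_hosts(prefix):
    """Addresses minus network and broadcast, with the /31 and /32 edge cases."""
    if prefix >= 31:
        return 2 if prefix == 31 else 1
    return address_count(prefix) - 2


def prefix_for(hosts_needed, headroom=1.25):
    """Longest prefix whose usable hosts cover hosts_needed * headroom."""
    target = math.ceil(hosts_needed * headroom)
    for prefix in range(30, 0, -1):
        if usable_hosts(prefix) >= target:
            return prefix
    raise ValueError(f"no IPv4 subnet holds {target} hosts")


def plan_vlans(block, requests, static_reserve=20, headroom=1.25):
    """Allocate one subnet per (name, vlan_id, hosts) request from `block`.

    Subnets are handed out largest first from the bottom of the block, which
    keeps each one aligned without a free list. The first `static_reserve`
    usable addresses of every subnet (gateway first) are kept out of DHCP.
    Raises ValueError when the block cannot hold all the requests.
    """
    block = ipaddress.ip_network(block)
    cursor = int(block.network_address)
    limit = int(block.broadcast_address)
    vlans = []
    ordered = sorted(requests, key=lambda r: prefix_for(r[2], headroom))
    for name, vid, hosts in ordered:
        prefix = prefix_for(hosts, headroom)
        net = ipaddress.ip_network((cursor, prefix))
        if int(net.broadcast_address) > limit:
            raise ValueError(f"{block} exhausted before VLAN {vid} ({name})")
        leases = usable_hosts(prefix) - static_reserve
        if leases <= 0:
            raise ValueError(f"VLAN {vid} ({name}): nothing left for DHCP")
        gateway = net.network_address + 1
        vlans.append({
            "vlan": vid,
            "name": name,
            "network": str(net),
            "gateway": str(gateway),
            "dhcp_start": str(gateway + static_reserve),
            "dhcp_end": str(net.broadcast_address - 1),
            "usable": usable_hosts(prefix),
            "leases": leases,
        })
        cursor = int(net.broadcast_address) + 1
    return {"vlans": vlans, "free_addresses": limit + 1 - cursor}


if __name__ == "__main__":
    plan = plan_vlans("10.0.0.0/20", SCHOOL)
    print(f"{'VLAN':>4} {'name':<18} {'network':<16} {'gateway':<12} "
          f"{'DHCP scope':<30} leases")
    for v in plan["vlans"]:
        print(f"{v['vlan']:>4} {v['name']:<18} {v['network']:<16} "
              f"{v['gateway']:<12} {v['dhcp_start'] + ' - ' + v['dhcp_end']:<30} "
              f"{v['leases']}")
    print(f"{plan['free_addresses']} addresses left unallocated")
```

With these counts the /20 still has 1440 addresses spare after every VLAN gets 25% headroom; raise the headroom or add the summer intake of 500 and the planner refuses rather than silently overlapping, which is the failure #8's "design for a few years' time" is warning about.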

  #15 ashok
    Quote Originally Posted by ssiruuk2:
        Blacksheep - I'm sorry but I just don't get it. Are you sure you are currently on a 240.0.0.0 mask (/4)?

        You mentioned 1024 available hosts (/22) at the moment and moving to 4096 (/20)? From your earlier post I thought your subnet mask was going from /4 to /20, so available hosts per subnet should be going down, not up? That doesn't add up to me!

        Randomly, a /4 mask gives you a whopping 268,435,456 available hosts on that network!! Whoever thought that was a good idea before you took this on?!

        I think you might want to look at segmenting your network up further, to be honest, looking at the size of it, if you are going to VLAN it properly. Why not create more and much smaller subnets/VLANs for various departments / buildings, or one for each IT suite etc.? I got mine down to 32 or 64 hosts per VLAN (/26 and /27 mask) in the end, as we have a lot of roaming users so didn't want any of the DHCP scopes to fill up and run out of available addresses.

        When you have a proper grasp of creating the VLANs on your equipment and the associated trunk links (we are Cisco here, none of this HP "tagged" speak!), DHCP scopes and default gateways that actually get all this working, it's easy to get granular on your network for each function or department, i.e. we have one for each wireless SSID, one for printers, one for admin staff and offices, one for each IT room, another for each floor of classrooms etc.

        If you want any help then PM me, as I'm glad to help if you get stuck.

        Are you going to use static VLANs created manually on each switch, or use VTP (VLAN Trunking Protocol) or whatever the HP equivalent is? This will save you time if you have lots of switches. With VTP you create your VLANs on the VTP switch that is controlling the show, so to speak, and it will propagate the VLAN IDs down to all other switches on your network in the same VTP "domain". You just have to then assign your ports on each switch into the correct VLAN. I went for VTP here (with authentication). It's a doddle; it took me a couple of days to do our system here a few summers back. 25+ switches and about 750-800 outlets in all, including printers, wireless etc.

        Good luck with it
    Yes, I agree a subnet with 256 or 512 possible IP addresses would be better, rather than a really big subnet.

    I sometimes get confused with HP's terminology as well, with the tagged and untagged etc. With Cisco it's a trunk port, which carries traffic from all VLANs, and the native VLAN, which carries untagged traffic, if you like.

    Ash.
