Wireless Networks forum (Technical) thread: To Vlan or not Vlan?
16th July 2008, 05:03 PM #1
To Vlan or not Vlan?
We have a DHCP change coming up, going to a /20 from /4.
The school is currently flat networked, two domains, one DHCP range for:
12 servers (admin, CC3, exch, file servers)
650+ CC3 desktops (another 100 this summer)
150+ CC3 laptops
300+ linux mini-books (another 400 this summer)
200+ Admin laptops
LEA is gateway, the first address on our range and we cant use the first 20 IPs.
While planning out the IP range, I've been segmenting servers, switches etc to reserve them (previously one big DHCP - yuk) which then brought me to VLANS.... I like the idea of separating computers onto separate networks, especially the teacher laptops.
We have a 5308XL core, 5304 secondary switch + wireless module, then a mix of 2620, 2650, 2524, 2626 main switches.
The equipment seems like its here but is it worth it doing?
Have those that have setup VLANS noticed performance benefits?
Any issues with CC3?
16th July 2008, 05:07 PM #2
If you are bothering with subnetting then you should definitely use VLANs. They will restrict broadcast traffic to the individual subnets and should give you a quicker network due to better use of your bandwidth. CC3 is just a Windows overlay and should not be affected by VLANs as they are transparent to the individual computers.
Edit: All name resolution traffic uses broadcasts and the more stations that you get the more broadcasts will flood to every port on your network eating up CPU cycles on each machine and burning bandwidth. Additionally if you have a busted network card or loop back in your network that floods the network with rubbish this will limit the slow down/halt to the VLAN segment that the offending station is on. (as is said by localzuk below)
Last edited by SYNACK; 16th July 2008 at 05:20 PM.
16th July 2008, 05:10 PM #3
I would say a definite yes to VLANing your network. I wouldn't give the reason of speed as the main point though. I would give the main reason as being preventing broadcast storms/worms spreading throughout the entire network. Instead just a single VLAN would be affected.
But then, I'd have to find out more about CC3 as I've never used it.
16th July 2008, 05:14 PM #4
Keep It Simple. Always been my motto.
Last edited by mattx; 16th July 2008 at 05:19 PM.
16th July 2008, 05:24 PM #5
They will with the core switch he has. By default, broadcast traffic cannot traverse VLANs with that switch, and as such most worms that have spread via broadcast traffic (which is most of them!) would only be able to get to machines on that VLAN.
Originally Posted by mattx
Introduce even tougher ACLs on the core switch and you can be even more secure.
And in this case, simple is not best. Having over a thousand machines on a single network is bad practice. VLANs are the way to go.
16th July 2008, 05:47 PM #6
Why would you want a /4 subnet mask? Am I understanding that right or was it a typo?
Definitely use VLANs if you have switches capable of it and you have a L3 device to route traffic across them - I have about 750 nodes on our network; subnetted it down and created around 20 VLANs. With VLANs you have less wasted bandwidth making your network more efficient, plus you get enhanced security by only allowing certain VLANs access to specific resources.
I suggest you get a copy of Ethereal or Wireshark - capture a minute's worth of packets from a machine on the flat network / all in the native VLAN. Now put the machine into its own VLAN and see the difference.
400 to 500 is the absolute max you should have on the same segment and that's asking for trouble - imagine if you get a faulty NIC creating a broadcast storm with the amount of machines you have at the moment!
Last edited by ssiruuk2; 16th July 2008 at 05:56 PM.
16th July 2008, 07:13 PM #7
@ssiruuk2: We're on 1024 IPs... One large DHCP. Changing to 4096 and adding 500 IPs to the existing circa 1000.
Thanks for the opinions.
I had been thinking although the network I've inherited is technically simple, having so many machines on one large network is no longer simple because of the data and traffic flows. I got the impression VLANning would help because (although it appears complicated) it will simplify the data flow.
Looks like I have a lot to work out!
If VLANs were used I planned to split: Servers (tagged?), switches (tagged?), wireless modules (tagged?), admin desktops, admin (teacher) laptops, then CC3 user areas by buildings, CC3 wireless by department + minibooks wireless. Or is this over the top? My priority is separating the teacher laptops, as they are our biggest risk (but that's for another time).
Last edited by Theblacksheep; 17th July 2008 at 01:14 AM.
16th July 2008, 07:21 PM #8
Yes, I agree this is a good candidate for VLANs as there are simply too many devices on one flat network.
With VLANs on CC3 there were some build issues, but these are sorted with a few changes to the hosts file on the build server, i.e. any of your CC3 DCs. I would say the broadcast of traffic is one of the plus sides of it, but its security and the ability to match your physical layouts of where devices are to your logical network is another.
As others have said, you can use ACLs at your core switch to restrict traffic to and from one VLAN to another. Ideally you will have a default route on your L3 switch to point all internet bound traffic to your internal proxy server or router.
We are a CC3 site that uses VLANs on an all Cisco network infrastructure and it works very well.
Few things to remember:
= don't rush the implementation
= design the subnets so they are capable of meeting the needs in a few years' time, i.e. allow for more IP addresses per subnet
= document everything and create a standard procedure for changing ports from one VLAN to another (I know this is for later on but well worth it)
= Test, test and test, especially if you are going to be dynamically assigning VLANs to each device using a VMPS or RADIUS and doing 802.1x authentication.
Go for it!
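A worked version of the subnet design step the previous post recommends (allow growth headroom per subnet, check the plan, document it), added here as an example; it is not code from the thread or from any of its posters. The device counts are loosely based on the figures in posts #1 and #7, but the three-building split of the CC3 desktops, the switch-management count, the 1.25x headroom and the 10.0.0.0/20 range are all assumptions for the example, not the school's real plan.

```python
import ipaddress
import math

# Constructed demand table: VLAN name -> devices it must hold today. The counts
# are loosely based on the thread's figures; the three-building split of the
# CC3 desktops and the switch-management count are assumptions for the example.
DEMAND = {
    "servers": 12,
    "switch-mgmt": 40,
    "admin-desktops": 100,
    "teacher-laptops": 200,
    "cc3-building-a": 250,
    "cc3-building-b": 250,
    "cc3-building-c": 250,
    "cc3-wireless": 150,
    "minibooks-wireless": 700,
}


def prefix_for(hosts, headroom):
    """Smallest prefix length whose subnet holds hosts * headroom devices.

    Two addresses per subnet go to the network and broadcast addresses, and a
    subnet is never made smaller than a /30.
    """
    needed = math.ceil(hosts * headroom) + 2
    bits = max(2, math.ceil(math.log2(needed)))
    return 32 - bits


def plan_vlans(supernet, demand, headroom=1.25):
    """Carve supernet into one subnet per VLAN.

    Subnets are handed out largest first, so a cursor that starts on the
    supernet boundary stays aligned for every smaller block that follows.
    Returns {name: IPv4Network}, or None when the demand does not fit.
    """
    net = ipaddress.ip_network(supernet)
    wanted = sorted((prefix_for(n, headroom), name) for name, n in demand.items())
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    plan = {}
    for prefix, name in wanted:
        size = 1 << (32 - prefix)
        if cursor + size > end:
            return None  # out of space: lower the headroom or split the VLAN further
        plan[name] = ipaddress.ip_network((cursor, prefix))
        cursor += size
    return plan


def overlaps(plan):
    """True if any two planned subnets overlap (a sanity check on the plan)."""
    nets = list(plan.values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def spare_addresses(supernet, plan):
    """Addresses of supernet left unallocated for VLANs added later."""
    used = sum(n.num_addresses for n in plan.values())
    return ipaddress.ip_network(supernet).num_addresses - used


if __name__ == "__main__":
    plan = plan_vlans("10.0.0.0/20", DEMAND)
    for name, net in plan.items():
        print(f"{name:20} {str(net):18} usable hosts: {net.num_addresses - 2}")
    print("overlaps:", overlaps(plan), " spare:", spare_addresses("10.0.0.0/20", plan))
    # The same demand at 2x headroom needs more than a /20, so the planner refuses it.
    print("fits at 2x headroom:", plan_vlans("10.0.0.0/20", DEMAND, headroom=2.0) is not None)
```

Running it prints one line per VLAN, which is the start of the documentation the post asks for; at 1.25x headroom the plan uses 3296 of the 4096 addresses, while the same demand at 2x headroom no longer fits in a /20 and the planner returns None rather than silently overlapping subnets.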
16th July 2008, 07:58 PM #9
What's the port that exposes full traffic if the switch thinks there is another switch on that port [VLAN or not], that that port is open? [Seriously thinking of VLANing our wireless network...] Anyone?
16th July 2008, 08:19 PM #10
Originally Posted by mattx
16th July 2008, 10:13 PM #11
Agree with all of these! Especially the testing and taking your time planning.
Originally Posted by ashok
My move from a flat network to a subnetted/vlanned network took about a month of planning and testing, to make sure I had every aspect covered. Also, ensure to factor in any changes needed to things like your edge router(s) if they are controlled by an external body (ours are, so we had to apply to get the subnet mask changed on it).
17th July 2008, 10:13 AM #12
Err, not quite!
Originally Posted by SYNACK
If your machine is configured properly then name resolution will use DNS or WINS and only fall back to broadcast if they fail. Having got the IP address for the name there is then a broadcast ARP request (if the MAC address is not already in the cache).
You can watch this process with Wireshark which is really helpful to see what is using your network and how.
17th July 2008, 12:46 PM #13
If it is set up properly it will do this once it has acquired the appropriate MAC address for the IP address by broadcasting. It will initially broadcast to find the MAC of its default gateway unless it already has it cached. It will also broadcast to find the MAC equivalent of any IP addresses that are within its local segment that it needs to talk to directly.
Originally Posted by srochford
DNS and WINS handle IP addresses and host names only, and an ARP request is still required to locate the MAC address of any system with an IP that is in the same network segment.
This is exactly the kind of traffic that a properly routed and segmented network will avoid, as then all of the traffic for IP addresses outside the local segment is directed at the MAC of the default gateway rather than spewing ARPs everywhere.
It will also help if you have any misguided printers anywhere broadcasting Appletalk and IPX rubbish if no one has remembered to disable those protocols.
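The two points made in posts #12 and #13 (a host ARPs for the destination only when it is on-link, otherwise for the default gateway) and the Wireshark comparison suggested in post #6 (capture a minute on the flat network, then again inside a VLAN) can be checked with a small script. The one below is an added example, not code from the thread or its posters: the capture summary is constructed to look like a one-line-per-frame Wireshark export, the segment table is an assumed VLAN plan, and none of the addresses are the school's.

```python
import ipaddress
import re
from collections import Counter

# Constructed capture summary in the style of a one-line-per-frame Wireshark
# export. These frames are made up for the example, not a real capture.
CAPTURE = """\
1 0.000000 10.0.4.17 -> Broadcast ARP Who has 10.0.4.1? Tell 10.0.4.17
2 0.000412 10.0.4.17 -> 10.0.12.200 TCP 49152 > 445 [SYN]
3 0.102000 10.0.6.40 -> Broadcast NBNS Name query NB PRINTER01<20>
4 0.250000 10.0.0.9 -> Broadcast NBNS Registration NB MINIBOOK07<00>
5 0.300000 10.0.4.17 -> Broadcast ARP Who has 10.0.4.99? Tell 10.0.4.17
6 0.301000 10.0.4.99 -> 10.0.4.17 ARP 10.0.4.99 is at aa:bb:cc:00:00:63
7 0.400000 10.0.11.5 -> Broadcast NBNS Name query NB FILESRV<20>
"""

# Assumed VLAN plan for the example: segment name -> subnet.
SEGMENTS = {
    "minibooks-wireless": ipaddress.ip_network("10.0.0.0/22"),
    "cc3-building-a": ipaddress.ip_network("10.0.4.0/23"),
    "cc3-building-b": ipaddress.ip_network("10.0.6.0/23"),
    "teacher-laptops": ipaddress.ip_network("10.0.11.0/24"),
}

# frame number, timestamp, source, "->", destination, protocol, free-text info
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_capture(text):
    """Turn the one-line-per-frame summary into dicts; skips lines it cannot parse."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        no, ts, src, dst, proto, info = m.groups()
        frames.append({"no": int(no), "time": float(ts), "src": src, "dst": dst,
                       "proto": proto, "info": info, "broadcast": dst == "Broadcast"})
    return frames


def arp_target(host_cidr, gateway, dst):
    """IP whose MAC a host must resolve to reach dst: dst itself when it is
    on-link, otherwise the default gateway (the rule post #13 describes)."""
    iface = ipaddress.ip_interface(host_cidr)
    dst = ipaddress.ip_address(dst)
    return dst if dst in iface.network else ipaddress.ip_address(gateway)


def segment_of(ip, segments):
    """Name of the segment whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if addr in net:
            return name
    return None


def broadcast_load(frames, segments):
    """Broadcast frames each segment's hosts must process.

    'flat' counts every broadcast, which is what each host sees when the whole
    site is one broadcast domain; the per-segment keys count what a host sees
    once its segment is a VLAN of its own, since broadcasts stop at the VLAN edge.
    """
    load = Counter()
    for f in frames:
        if not f["broadcast"]:
            continue
        load["flat"] += 1
        load[segment_of(f["src"], segments) or "unassigned"] += 1
    return load


def broadcast_protocols(frames):
    """Which protocols the broadcasts belong to (ARP vs. NetBIOS name service etc.)."""
    return Counter(f["proto"] for f in frames if f["broadcast"])


if __name__ == "__main__":
    frames = parse_capture(CAPTURE)
    print("broadcasts by protocol:", dict(broadcast_protocols(frames)))
    print("broadcasts seen per host:", dict(broadcast_load(frames, SEGMENTS)))
    # Frame 1 ARPs for the gateway, not for the server the SYN in frame 2 is sent to:
    print(arp_target("10.0.4.17/23", "10.0.4.1", "10.0.12.200"))  # 10.0.4.1
    print(arp_target("10.0.4.17/23", "10.0.4.1", "10.0.4.99"))    # 10.0.4.99
```

In the constructed capture, frame 1 shows the host in 10.0.4.0/23 resolving its gateway before the SYN to the server in another subnet, and frame 5 shows it resolving a peer on its own segment directly. Every host on a flat network processes all five broadcasts; with the segments as VLANs, a host in cc3-building-a processes two and a teacher laptop one. A real tshark or Wireshark export will need its column layout matched in FRAME_RE.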
18th July 2008, 07:22 PM #14
18th July 2008, 07:27 PM #15
Yes, I agree a subnet with 256 or 512 possible IP addresses would be better, rather than a really big subnet.
Originally Posted by ssiruuk2
I sometimes get confused with HP's terminology as well with the tagged and untagged etc.; with Cisco it's a trunk port which carries traffic from all VLANs, and the native VLAN which carries untagged traffic, if you like.