To Vlan or not Vlan?
We have a DHCP change coming up, going to a /20 from /4.
The school is currently flat networked, two domains, one DHCP range for:
12 servers (admin, CC3, exch, file servers)
650+ CC3 desktops (another 100 this summer)
150+ CC3 laptops
300+ linux mini-books (another 400 this summer)
200+ Admin laptops
LEA is gateway, the first address on our range and we can't use the first 20 IPs.
While planning out the IP range, I've been segmenting servers, switches etc to reserve them (previously one big DHCP - yuk) which then brought me to VLANS.... I like the idea of separating computers onto separate networks, especially the teacher laptops.
We have a 5308XL core, 5304 secondary switch + wireless module, then a mix of 2620, 2650, 2524, 2626 main switches.
The equipment seems like it's here but is it worth doing?
Have those that have setup VLANS noticed performance benefits?
Any issues with CC3?
If you are bothering with subnetting then you should definitely use VLANS. They will restrict broadcast traffic to the individual subnets and should give you a quicker network due to better use of your bandwidth. CC3 is just a Windows overlay and should not be affected by VLANS as they are transparent to the individual computers.
Edit: All name resolution traffic uses broadcasts and the more stations that you get the more broadcasts will flood to every port on your network eating up CPU cycles on each machine and burning bandwidth. Additionally if you have a busted network card or loop back in your network that floods the network with rubbish this will limit the slow down/halt to the VLAN segment that the offending station is on. (as is said by localzuk below)
I would say a definite yes to VLANing your network. I wouldn't give the reason of speed as the main point though. I would give the main reason as being preventing broadcast storms/worms spreading throughout the entire network. Instead just a single VLAN would be affected.
But then, I'd have to find out more about CC3 as I've never used it.
Keep It Simple. Always been my motto.
They will with the core switch he has. By default, broadcast traffic cannot traverse VLANs with that switch, and as such most worms that have spread via broadcast traffic (which is most of them!) would only be able to get to machines on that VLAN.
Originally Posted by mattx
Introduce even tougher ACLs on the core switch and you can be even more secure.
And in this case, simple is not best. Having over a thousand machines on a single network is bad practice. VLANs are the way to go.
Why would you want a /4 subnet mask? Am I understanding that right or was it a typo? :eek:
Definitely use Vlans if you have switches capable of it and you have a L3 device to route traffic across them - I have about 750 nodes on our network; subnetted it down and created around 20 vlans; With Vlans you have less wasted bandwidth making your network more efficient plus you get enhanced security by only allowing certain vlans access to specific resources.
I suggest you get a copy of Ethereal or Wireshark - capture a minute's worth of packets from a machine on the flat network / all in the native vlan. Now put the machine into its own vlan and see the difference.
400 to 500 is the absolute max you should have on the same segment and that's asking for trouble - imagine if you get a faulty NIC creating a broadcast storm with the amount of machines you have at the moment!
@ssiruuk2: We're on 1024 IPs... One large DHCP. Changing to 4096 and adding 500 IPs to the existing circa 1000.
Thanks for the opinions.
I had been thinking although the network I've inherited is technically simple, having so many machines on one large network is no longer simple because of the data and traffic flows. I got the impression Vlanning would help because (although it appears complicated) it will simplify the data flow.
Looks like I have a lot to work out!
If Vlan was used I planned to split: Servers (tagged?), switches (tagged?), wireless modules (tagged?), admin desktops, admin (teacher) laptops, then CC3 user areas by buildings, CC3 wireless by department + minibooks wireless. Or is this over the top? My priority is separating the teacher laptops, as they are our biggest risk (but that's for another time).
Yes I agree this is a good candidate for vlans as there are simply too many devices on one flat network.
With vlans on CC3 there were some build issues but these are sorted with a few changes to the hosts file on the build server i.e. any of your CC3 DCs. I would say the broadcast of traffic is one of the plus sides of it, but its security and ability to match your physical layouts of where devices are to your logical network is another.
As others have said, you can use ACLs at your core switch to restrict traffic to and from one vlan to another. Ideally you will have a default route on your L3 switch to point all internet bound traffic to your internal proxy server or router.
We are a CC3 site that uses vlan on an all cisco network infrastructure and it works very well.
Few things to remember:
= don't rush the implementation
= design the subnets so they are capable of meeting the needs in a few years' time i.e. allow for more ip addresses per subnet
= document everything and create a standard procedure for changing ports from one vlan to another (I know this is for later on but well worth it)
= Test, test and test especially if you are going to be dynamically assigning vlans to each device using a VMPS or Radius and doing 802.1x authentication.
Go for it!
What's the port that exposes full traffic if the switch thinks there is another switch on that port [ Vlan or not ] that that port is open ? [ Seriously thinking of VLANing our wireless network.....] Anyone ?
Originally Posted by mattx
Agree with all of these! Especially the testing and taking your time planning.
Originally Posted by ashok
My move from a flat network to a subnetted/vlanned network took about a month of planning and testing, to make sure I had every aspect covered. Also, ensure to factor in any changes needed to things like your edge router(s) if they are controlled by an external body (ours are, so we had to apply to get the subnet mask changed on it).
Err, not quite!
Originally Posted by SYNACK
If your machine is configured properly then name resolution will use DNS or WINS and only fall back to broadcast if they fail. Having got the IP address for the name there is then a broadcast ARP request (if the MAC address is not already in the cache).
You can watch this process with Wireshark which is really helpful to see what is using your network and how.
If it is set up properly it will do this once it has acquired the appropriate MAC address for the IP address by broadcasting. It will initially broadcast to find the MAC of its default gateway unless it already has it cached. It will also broadcast to find the MAC equivalent of any IP addresses that are within its local segment that it needs to talk to directly.
Originally Posted by srochford
DNS and WINS handle IP addresses and host names only, and an ARP request is still required to locate the MAC address of any system with an IP that is in the same network segment.
This is exactly the kind of traffic that a properly routed and segmented network will avoid as then all of the traffic for IP addresses outside the local segment is directed at the MAC of the default gateway rather than spewing ARPs everywhere.
It will also help if you have any misguided printers anywhere broadcasting Appletalk and IPX rubbish if no one has remembered to disable those protocols.
Blacksheep - I'm sorry but I just don't get it. Are you sure you are currently on a 240.0.0.0 mask (/4)?
You mentioned 1024 available hosts (/22) at the moment and moving to 4096 (/20)? From your earlier post I thought your subnet mask was going from /4 to /20 so available hosts per subnet should be going down not up? That doesn't add up to me!
Randomly a /4 mask gives you a whopping 268,435,456 available hosts on that network!! :confused: :D Whoever thought that was a good idea before you took this on?! :doh: :doh:
I think you might want to look at segmenting your network up further to be honest looking at the size of it if you are going to vlan it properly. Why not create more and much smaller subnets/vlans for various departments / buildings or one for each IT suite etc? I got mine down to 32 or 64 hosts per vlan (/26 and /27 mask) in the end as we have a lot of roaming users so didn't want any of the dhcp scopes to fill up and run out of available addresses.
When you have a proper grasp of creating the vlans on your equipment and the associated trunk links (we are Cisco here, none of this HP "tagged" speak!), dhcp scopes and default gateways that actually get all this working.. it's easy to get granular on your network for each function or department. i.e. we have one for each wireless SSID, one for printers, one for admin staff and offices, one for each IT room, another for each floor of classrooms etc etc.
If you want any help then pm me as I'm glad to help if you get stuck.
Are you going to use static vlans created manually on each switch or use VTP (Vlan Trunking Protocol) or whatever the HP equivalent is? This will save you time if you have lots of switches - With VTP you create your vlans on your VTP switch that is controlling the show so to speak and it will propagate the vlan IDs down to all other switches on your network in the same VTP "domain". You just have to then assign your ports on each switch into the correct vlan. I went for VTP here (with authentication) - It's a doddle, took me a couple of days to do our system here a few summers back. 25 + switches and about 750 - 800 outlets in all including printers, wireless etc.
Good luck with it :)
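A subnet planner for the split discussed in this thread (the 4096-address /20 from the first post, the "room for growth" advice, and the smaller per-VLAN DHCP scopes suggested just above), added here as an example; it is not code from the thread or from any poster. The 10.10.0.0/20 block, the 1.25 growth factor and the grouping of devices into VLANs are assumptions; the device counts are the ones posted plus the announced summer growth.

```python
import ipaddress
from math import ceil, log2

# Constructed example (not from the thread): carve the 4096-address /20
# the original poster is moving to into per-VLAN subnets, each sized to
# keep room for growth. 10.10.0.0/20 is a placeholder, not the school's.
SUPERNET = ipaddress.ip_network("10.10.0.0/20")
RESERVED_LOW = 20   # gateway + first 20 addresses kept off DHCP, as posted
HEADROOM = 1.25     # growth factor: "meet the needs in a few years' time"

# (VLAN name, devices today plus the growth announced for the summer)
REQUIREMENTS = [("cc3-desktops", 750), ("minibooks", 700),
                ("admin-laptops", 200), ("cc3-laptops", 150), ("servers", 12)]

def broadcast_domain(prefixlen: int) -> int:
    """Addresses sharing one broadcast domain under a given mask length."""
    return 2 ** (32 - prefixlen)

def prefix_for(hosts: int) -> int:
    """Smallest prefix whose pool (minus net/bcast/reserved) covers hosts*HEADROOM."""
    need = ceil(hosts * HEADROOM) + 2 + RESERVED_LOW
    return 32 - ceil(log2(need))

def dhcp_scope(net: ipaddress.IPv4Network):
    """(first, last, size) of the DHCP pool once the reserved block is skipped."""
    pool = list(net.hosts())[RESERVED_LOW:]
    return pool[0], pool[-1], len(pool)

def plan(supernet=SUPERNET, reqs=REQUIREMENTS):
    """Largest VLAN first, tightest free block first, so alignment wastes nothing."""
    free, out = [supernet], {}
    for name, hosts in sorted(reqs, key=lambda r: -r[1]):
        plen = prefix_for(hosts)
        free.sort(key=lambda n: n.prefixlen, reverse=True)
        block = next((n for n in free if n.prefixlen <= plen), None)
        if block is None:
            raise ValueError(f"{name} needs a /{plen}; {supernet} is full")
        free.remove(block)
        allocated = next(block.subnets(new_prefix=plen))
        free.extend(block.address_exclude(allocated))  # hand back the rest
        out[name] = allocated
    return out

if __name__ == "__main__":
    for name, net in plan().items():
        first, last, size = dhcp_scope(net)
        print(f"{name:14} {str(net):18} DHCP {first}-{last} ({size} leases), "
              f"broadcast domain {broadcast_domain(net.prefixlen)}")
```

Compare the per-VLAN broadcast domains it prints with the flat /22 (1024 addresses) and the /4 queried above (2^28 addresses) to see how much broadcast and ARP traffic each station stops having to process.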
Yes I agree a subnet with 256 or 512 possible ip addresses would be better, rather than a really big subnet.
Originally Posted by ssiruuk2
I sometimes get confused with HP's terminology as well with the tagged and untagged etc, with cisco it's a trunk port which carries traffic from all vlans and a native vlan which carries untagged traffic if you like.