Going from non-resilient to resilient network topology

burhanloqueman
Level 1

Hi. We currently have four main buildings with a Cisco 3550 on the ground floor of each, linked in a ring by fibre at 1Gb.

Links to floors go to each 3500 at 100Mbps.

We have maybe only one or two links to a floor - so often switches are daisy-chained at the floor level to a main switch that is linked to the ground-floor core switch.

My upgrade scenario is quite simple:

Put in an additional Cisco 3550 in each building and create another ring (we have spare fibre pairs)

Put in two Cisco 2970s on each ground floor. Plug each one into each Cisco 3550 to create a resilient core and distribution network, using fibre optic cables at 1Gbps.

Run a cable up to EACH SWITCH on each floor from BOTH of the Cisco 2970s, using existing CAT5 runs at 100Mbps or possibly 1Gbps. This should give us a theoretical max of 24x20 ports per building.

Ensure that the IOS on all switches is up to date (including the 2950 and 2900XLs/2924 on the floors).

TURN ON spanning tree on all uplink ports for all switches.

Is this a sound design? I think it gives resilience in terms of the failure of a core 3550, the failure of a distribution 2970, gigabit links for the core-to-distribution network, leaving the only single point of failure as being each edge switch.

To round off, we use dual-homed servers, with Broadcom/Intel 1 gigabit NICs linked to both of two Cisco 2970s in the server room, also plugged into both 3550s - by using link aggregation (perhaps 802.3ad?) on the server we also have resilience in the case of the failure of the 2970s.

Does this make sense to you gurus out there?

5 Replies

mvalentine
Level 1

Is this all going to be on one VLAN or multiple VLANs? If multiple VLANs, where are you routing? Any more info regarding VLANs and/or routing would help.

At the moment we have only two VLANs - the 'main one', which is the default VLAN, which encompasses the entire network.

And a second VLAN, which is port based, not dynamic, and allows specific ports on the 3550s in two of the buildings to connect to dedicated edge switches in two suites. Thus, the trunk ports between those two buildings/switches are members of both VLANs.

This allows us to segregate the computing and IT department, and allows them to have their own secure connection to the internet - as there is a link from one of the 3550s to a DMZ network.

So I think quite a simple VLAN setup - definitely nothing that requires dynamic VLANs or packet tagging.

thanks.

Physically your design is good, but logically your layer 2 design is bad. You should never have 1 VLAN span so many switches. You should really segment the network into separate VLANs, generally speaking one VLAN (subnet) per access switch if possible. I've attached a Visio with a little more detail.

Thanks for the reply. Once I have figured out how to download the attachment I'll take a look - I actually prepared my own Visio chart to depict the solution I am looking at - but did not know I could have posted it up.

Anyway, my limited understanding of using VLANs (other than to segregate an area of the network) suggests that the primary reason why VLANs are important is to control broadcast traffic on the network, by not allowing broadcast traffic across the VLANs.

I also understand that the ports that the servers are plugged into would need to be members of ALL the VLANs, to allow all clients to 'see' them.

However, I did think that a lot of the NetBIOS services on a typical network still used broadcast packets for various purposes that are necessary - even though having DNS/WINS gets rid of the need for a lot of this type of traffic.

Therefore, would I actually be complicating my setup by trying to make each building/floor/access switch its own VLAN/subnet? What security/performance risks are we running by having just a single VLAN?

A pointer to some Cisco/MS whitepapers would suffice - but I am fairly sure we chose not to implement VLANs a while back because of the additional complexities that they impose.

You are correct in stating that you use VLANs to segment a network into separate broadcast domains. But another reason you use VLANs is to constrain the size of your spanning-tree domains. In your design you would have 20 (more if you have multiple access switches per building) switches belonging to one VLAN. A general rule of thumb is no more than 7. This isn't good for two reasons: if a link went down it might take a few minutes for STP to converge, and if for any reason you got an STP loop your network would completely melt down (I've seen this happen many times).

Your servers would NOT be members of all VLANs, just one. Clients would be routed to the servers over the network; all your clients need is a default gateway set to the local router's interface IP address.

Generally speaking the only protocols you can't route are LAT and NetBEUI. You can use helper addresses for NetBIOS, thereby eliminating the need for a flat network.

Security is a completely different topic that would take up another thread. If you want you can post your email and we can take this off the forum.

I've included some links on STP; there are some references to broadcast storms and other STP-related issues as well.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml

http://www.cisco.com/en/US/tech/tk389/tk390/technologies_tech_note09186a00800a7af3.shtml

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080136673.shtml

FYI, just click on the icon on the right side of the Visio to download it.
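The following configuration is an added example, not something posted in this thread or taken from the attached Visio. It shows what the advice above (one VLAN/subnet per access switch, routed on the 3550, helper addresses for NetBIOS/DHCP broadcasts, a bounded spanning-tree domain) looks like for the topology in the original post: a core 3550, and a floor access switch dual-homed to the two distribution 2970s. Hostnames, VLAN numbers, interface numbers and the 10.1.x.0/24 addresses are constructed for illustration; `spanning-tree mode rapid-pvst` assumes an IOS release that supports it, and on older images the per-VLAN priority lines below apply equally to the default PVST+.

```cisco
! ===== Core 3550 (EMI image) in one building: constructed example =====
hostname BLDG-A-CORE1
!
! Route between VLANs on the 3550 so each access switch gets its own
! subnet and broadcast domain instead of one flat VLAN across 20 switches.
ip routing
!
! Rapid PVST+ reconverges in seconds rather than the 30-50 s of classic
! 802.1D, which matters once a fibre ring link fails.
spanning-tree mode rapid-pvst
!
! Pin the root bridge deterministically: this 3550 is root for the
! building's VLANs; the second core 3550 would carry priority 8192 so it
! takes over only if this one fails.
spanning-tree vlan 10,20,30 priority 4096
!
vlan 10
 name FLOOR1-ACCESS
vlan 20
 name FLOOR2-ACCESS
vlan 30
 name SERVERS
!
! One SVI per VLAN; the SVI address is the clients' default gateway.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ! Relay DHCP and NetBIOS name/datagram (UDP 137/138) broadcasts to the
 ! server subnet; ip helper-address forwards these UDP ports by default.
 ip helper-address 10.1.30.10
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.30.10
!
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
!
! Gigabit fibre trunk down to a distribution 2970: carry only the VLANs
! this building uses so the spanning-tree domain per VLAN stays small.
interface GigabitEthernet0/1
 description Trunk to BLDG-A-DIST1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! ===== Floor access switch (2950-class), dual-homed to both 2970s =====
hostname BLDG-A-FL1-SW1
!
! Two uplinks; STP blocks one of them until the other fails.
interface FastEthernet0/1
 description Uplink to BLDG-A-DIST1
 switchport mode trunk
 switchport trunk allowed vlan 10
!
interface FastEthernet0/2
 description Uplink to BLDG-A-DIST2
 switchport mode trunk
 switchport trunk allowed vlan 10
!
! User ports: PortFast skips listening/learning for end hosts, and BPDU
! Guard err-disables the port if another switch is ever plugged into it,
! which is the usual source of an accidental floor-level loop.
interface range FastEthernet0/3 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Each access switch in this model lives in exactly one VLAN, so an STP loop or broadcast storm on a floor is contained to that floor's subnet rather than melting the whole campus, and the servers sit in VLAN 30 alone, reached through the SVIs rather than by trunking every VLAN to the server ports.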