new network best practices

jcw009
Level 1

I have the opportunity to create a new network in a building, as well as reconfigure my current network this summer. I was wondering about doing the following:

1) Put the management interface of all my switches in one vlan

2) Put all the servers on another vlan

3) Put all the printers on another vlan

I would hope that this eases some of the headaches of managing my current network. I'm always guessing the ip address of switches or drilling through sh cdp neig[tab].

My current setup uses a 3550-12G as a collapsed backbone with fiber going to 2950-48 and 3500XL-48 edge switches, trunking between all switches on the fiber. Also, most of my vlans correspond with physical areas of buildings. (So much for "virtual")

Are there traffic implications I should take into consideration before recommending/implementing the above scenario?

Thanks

Jeff

7 Replies

Hello Jeff,

your setup sounds good, just make sure that you use VLAN 1 as the management VLAN for all your switches and not another VLAN. Traffic-wise you should be ok as well, considering that all your trunks are fiber.

Regards,

Georg

Hello,

I think you are on the right track, but I would put the management vlan on a different vlan than 1. Vlan1 should not have user traffic on it, not even SNMP traffic.

Regards,

Nadine.

jcw009
Level 1

Georg & Nadine,

What are the advantages of your two different suggestions?

1) use vlan1 as the management vlan

2) use non-vlan1 as the management vlan

I think it would be good to move away from vlan1 from a network-management perspective. I'd like to move all the hosts I can off of vlan1. There are a lot of clients on that vlan, and they shouldn't be there.

Georg: Is there any "danger" in using a vlan other than vlan1 for my management addresses?

Thank you both for responding!

Jeff

Hi,

There is no ip traffic on vlan1, only spanning tree traffic. This way there is better performance both for the management traffic and switch traffic. The other bonus is a little bit more security on the layer 2 network.

Nadine.

The main reasons for not using vlan 1 are spanning tree and security.

If you use vlan 1 and also put users in vlan 1, when you trunk to another switch the default native vlan is 1. Hence any changes to your switch layout result in an STP change, which results in an outage to the users. Also, management traffic is transmitted in the user vlan, which makes it easier for someone to get your management info.

It is becoming normal to shut down vlan 1. Assign a vlan for dead or holding users, i.e. ones that are not assigned a vlan. Make this the default vlan for all ports. Your ideas about different vlans for different functions make sense. On trunks between switches, trunk only the vlans that need to be trunked. Make the native vlan something else; it should be the same on both switches.

This way, if you make a change to the switch layout it will only affect the VLANs and STP for the switches you are changing or that run those vlans.

However, the final say is yours. You could be quite happy with using vlan 1 as your management vlan, as the management vlan will have to span your network anyway and you may not have many network changes that would result in an outage. Try to keep users out of it though.

Hope that helped :-)

I'm sorry, I don't quite understand the statement: "On trunks between switches trunk only the switches that need to be trunked. Make the native vlan something else, should be the same on both switches."

Should the ports connecting switches be assigned to the same management vlan? If this is the case, all gbic ports on my lan will be assigned to that vlan. Right now they are all trunked.

Is there some performance impact by trunking all my switches together, or by not trunking the switches?

Thanks!

Hello Jeff,

Just a bit of clarification:

When you trunk, you allow more than one vlan on the link. If you use Dot1Q encapsulation on the trunk, Vlan1 is used for STP.

In Dot1Q, one vlan will send packets without tagging them, and by default it is vlan1. You can choose another vlan as the native vlan, but both ends of the trunk must be configured with this new vlan.

Users can be assigned to any vlan, but to assure intervlan connection you need a router or a switch that supports routing.

To manage switches, I create a vlan other than vlan1 where I connect a monitor station with OpenView and CiscoWorks that I use to manage all network equipment.

HTH,

Nadine.
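As an added illustration of the advice in the two replies above (a dedicated management VLAN, VLAN 1 taken out of service, a holding VLAN as the default for access ports, a changed native VLAN, and trunks carrying only the VLANs they need), here is a constructed IOS configuration for one 2950-class edge switch. It is not configuration posted by anyone in this thread. The VLAN numbers (10, 20, 30 for users, 99 for management, 900 holding, 999 native), the 10.99.0.0/24 addresses and the interface names are assumptions; the 3500XL uses "vlan database" mode rather than the global vlan commands shown, and on the 3550 side of the uplink "switchport trunk encapsulation dot1q" is needed before "switchport mode trunk".

```cisco
! Constructed example, not from the thread. VLAN numbers, addresses and
! interface names are assumed; syntax is for a 2950/3550 running IOS.
!
! Management VLAN, a holding VLAN for unassigned ports, and an unused native VLAN
vlan 99
 name MGMT
vlan 900
 name HOLDING
vlan 999
 name NATIVE-UNUSED
!
! Take VLAN 1 out of service for IP: no address and the SVI shut down
interface Vlan1
 no ip address
 shutdown
!
! The switch's management address lives on the management VLAN instead
interface Vlan99
 description switch management
 ip address 10.99.0.11 255.255.255.0
 no shutdown
ip default-gateway 10.99.0.1
!
! Fiber uplink to the 3550 collapsed backbone: carry only the VLANs this
! switch actually uses, and move the native VLAN off VLAN 1. The 3550 side
! must use the same native VLAN, otherwise IOS logs a native VLAN mismatch.
interface GigabitEthernet0/1
 description uplink to core 3550
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
!
! Every access port defaults to the holding VLAN rather than VLAN 1;
! ports are moved to a user VLAN only when assigned
interface range FastEthernet0/1 - 48
 switchport mode access
 switchport access vlan 900
!
! Verification from exec mode:
!   show interfaces trunk        -> native VLAN 999, allowed VLANs 10,20,30,99
!   show spanning-tree vlan 99   -> STP still runs on the management VLAN
```

With this in place, a user VLAN added to or removed from one edge switch only changes the allowed list on that switch's uplink, so the STP change is confined to the VLANs involved, while the management VLAN 99 still spans every switch as the reply noted it must.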