Question about VLAN

Hello, in my workplace there is a network with several switches and routers, and we want to implement some VLANs. My colleague proposes to create one VLAN with all the switches and another VLAN with all the servers. Actually VLAN 50 for local servers, VLAN 51 for regional servers and VLAN 52 for national servers. I'm not sure it is a good idea to put all the switches into one VLAN. Which benefits can I get? Second, if I put all the servers in the same VLAN I think the traffic in this segment could be greater when several users are trying to access them. Can anyone tell me if I'm right or if the suggestion of my colleague can improve the performance of the network.

Thanks a lot for your help

Regards

Lp

10 Replies

smif101
Level 4

Well, in the situation of having a VLAN for the switches, I would recommend it. It provides a way to separate management traffic from everything else and it eases the access to the management VLAN. As far as separating the servers, it depends on how many servers there are all together and the amount of traffic that is produced by these servers. If there are only 20 servers I would just keep them on the same subnet. However, if there are 200 servers then I would think about segmenting them. But keep in mind that you really won't be saving anything if these servers are accessed via remote clients, because you are always going to be limited to your WAN connection.

Jason Smith

www.smif101.com
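A switch-side configuration for the dedicated management VLAN smif101 recommends, added here as an example; it is not taken from the thread or from any poster. The VLAN number 99, the 192.168.99.0/24 management subnet, the gateway 192.168.99.1, the admin workstation 192.168.0.50, the ACL name MGMT-ADMINS and the port numbers are all assumptions for illustration, and SSH on the vty lines requires a crypto-capable IOS image.

```cisco
! Added example: dedicated management VLAN on a Catalyst switch.
! VLAN number, names, addresses and port numbers are assumptions.
vlan 99
 name MANAGEMENT
!
! The switch's management address lives only in the management VLAN (SVI),
! not in VLAN 1 and not in any user or server VLAN.
interface Vlan99
 description Switch management
 ip address 192.168.99.10 255.255.255.0
 no shutdown
!
ip default-gateway 192.168.99.1
!
! Only the management subnet and one admin workstation may open
! sessions to the switch itself; every other source is refused.
ip access-list standard MGMT-ADMINS
 permit 192.168.99.0 0.0.0.255
 permit host 192.168.0.50
 deny   any
!
line vty 0 15
 access-class MGMT-ADMINS in
 transport input ssh
 login local
!
! Only the uplink carries the management VLAN (tagged); user ports never do.
interface FastEthernet0/24
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
```

The access-class filters sessions terminating on the switch's vty lines, not traffic passing through the switch. Because the management address exists only in VLAN 99 and the uplink is the only port carrying VLAN 99, a host on VLAN 10 has no Layer 2 path to the management plane at all; its only route is through the router, where the same source restriction can be applied a second time.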

VLANs are a great idea for your network.

You create a broadcast domain for each VLAN.

The traffic (origin) only goes to the specific network (destination).

You create a collision domain for each port in a switch.

Craig Norborg
Level 4

Another big deciding factor on whether to put the VLANs in or not is the amount of traffic going between the VLANs and how you're implementing them.

The management VLAN should carry a very small amount of traffic, so that doesn't matter at all. But if your "local" servers are sending a lot of data to the "regional" servers (i.e. many megabits/sec) or another VLAN, you would need to make sure you're using Layer 3 switching to route between the VLANs and not a router-on-a-stick approach.

If you use a router that is trunked into the switches for routing between VLANs and the traffic level is high, the router will get bogged down very quickly and become a bottleneck in the network. You would be better off leaving them on the same L2 network if this is the case.

VLANs and Layer 3 switching aren't interchangeable. Wouldn't you need to actually segment out your network to use Layer 3 switching (actually routing)? VLANs are still a Layer 2 technology ... right?

Hmm. Yes, in a way VLANs are a Layer 2 technology. Let's say you have a single 2950 switch. On it you put two VLANs, VLAN1 and VLAN2. You put a server on VLAN1, while putting a client on VLAN2. Since they are on separate Layer 2 "virtual" networks (i.e. VLANs) they cannot see each other, even if they are on the same logical subnet. Of course having 2 VLANs on the same logical subnet won't do much for you; they are separate networks. So you instead have them on different subnets.

They still won't be able to get to each other without some kind of router in between. That means you either put a router-on-a-stick on the switch (i.e. trunk the router to the switch and route between the VLANs) or a Layer 3 switch, which is really a basic router integrated into a switch.

So while VLANs themselves operate by making different Layer 2 broadcast domains, you need a router of some sort (i.e. a classic router or a Layer 3 switch) to get between them for them to be of any use other than isolating traffic.

Hope that answered it for you...

Craig:

I want to create a VLAN for students and one for administrative staff with no connection between them.

I have a 2610 currently connected to the switch.

Do I need another Ethernet interface?

If not, where do I find info on somehow configuring a single Ethernet to handle two different networks?

If this is part of the 'router on a stick' concept, a search of tech support as well as all of Cisco didn't find anything obvious to me.

Thanks

Well, the only reason you would need to put a router in there is if you do want connectivity between the two VLANs. If you simply create two separate VLANs on a switch, you will have two LANs with no connection between them.

By putting a router in the mix and giving it access to both LANs, there will be connectivity between them, so you would have to put ACLs in to deny access between the LANs. This would be useful if you wanted to give them both Internet access, but didn't want them to be able to access each other.

Setting up a router on a stick is very simple, but you do need a FastEthernet rather than an Ethernet. I wasn't able to get it to work on a simple Ethernet port reliably myself, but I could be wrong...

The setup is approximately this, on the switch, configure the port to the router using dot1q trunking. On a 2950 or other newer switches, you can leave out the "encapsulation" line:

interface FastEthernet0/X
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 100
 duplex full
!

On the router it's pretty easy too, just configure sub-interfaces and dot1q encapsulation. You need to be running an "IP Plus" image at least, simple "IP Only" images won't do this, here's an example:

! Physical interface carries no IP address; each VLAN gets a sub-interface
interface FastEthernet0/0
 speed 100
 duplex full
!
interface FastEthernet0/0.1
 description Management VLAN
 encapsulation dot1q 1 native
 ip address 192.168.0.1 255.255.255.0
!
! Sub-interface addresses must be host addresses in the VLAN's subnet
! (the router becomes the default gateway for that VLAN)
interface FastEthernet0/0.10
 description Student VLAN
 encapsulation dot1q 10
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.20
 description Administrative VLAN
 encapsulation dot1q 20
 ip address 192.168.2.1 255.255.255.0
!

That's the basics of the "router on a stick" concept. Note that the VLANs need to exist in the VLAN database on the switch; individual ports you want on each VLAN would get a "switchport access vlan X".

Hope this gets you started!!
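The ACLs the post above says are needed but does not show, as an added example that is not part of the original post. It uses the post's own addressing (students on VLAN 10 in 192.168.1.0/24, administrative on VLAN 20 in 192.168.2.0/24, management on VLAN 1 in 192.168.0.0/24) and assumes the Internet/frame-relay path leaves the router through a WAN interface that is not shown; the ACL names STUDENT-IN and ADMIN-IN are made up for the example.

```cisco
! Added example: block student <-> administrative traffic on the
! router-on-a-stick while leaving the path out to the WAN/Internet open.
! Addresses follow the post above; the ACL names are assumptions.
!
! Applied inbound on the student sub-interface: the only acceptable source
! is the student subnet itself (which also drops spoofed sources), the
! administrative and management subnets are unreachable, anything else
! (the Internet via the WAN) is routed normally.
ip access-list extended STUDENT-IN
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any
!
! Mirror image for the administrative VLAN: no path into the student VLAN,
! everything else (including management) allowed.
ip access-list extended ADMIN-IN
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
 deny   ip any any
!
interface FastEthernet0/0.10
 description Student VLAN
 encapsulation dot1q 10
 ip address 192.168.1.1 255.255.255.0
 ip access-group STUDENT-IN in
!
interface FastEthernet0/0.20
 description Administrative VLAN
 encapsulation dot1q 20
 ip address 192.168.2.1 255.255.255.0
 ip access-group ADMIN-IN in
```

These ACLs are stateless, which is fine here because each direction between the two VLANs is denied on its own sub-interface, so no "established" handling is needed. Internet sessions still work: a student's outbound packet is permitted by STUDENT-IN, and the reply arrives on the WAN interface, where no ACL is applied in this example. Check the hit counters with `show ip access-lists` after generating a ping from a student host to an administrative address; the deny line should count, and the ping should fail.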

ferro
Level 1

Hi,

Better to put the switches in a VLAN to restrict access to them to administrators only...

You can segment your LAN by application to avoid traffic problems, i.e. accounting users with their servers, developers with theirs, etc.

And finally use a separate VLAN (or more) for the mail server, web, etc. You can replicate to avoid high traffic between VLANs if more than one group uses the same service, and if this is applicable!

scottmac
Level 10

A frequently overlooked option is to use 802.1q (and 'P') NICs in the servers.

802.1q NICs provide a logical interface in the server for each VLAN defined ... as if you had a physical interface that serves only the clients in that VLAN.

Doing so will allow you to put the server interface directly in the VLAN and forgo some of the (otherwise) necessary routing hops.

You'd be creating a virtual "zero hop" environment for the clients, be able to restrict traffic based on function / department / security schema, and reduce the broadcast domains down to manageable levels. You can also restrict traffic to the servers that are necessary for that department to function. Any enterprise-level services (mail, web, Internet access, etc.) can still be reached through a router, as normal.

"KISS" is still one of the best design rules to strive for. Keeping the clients in the same broadcast domain with the servers is about as simple as it gets for medium-to-large networks.

FWIW

Scott
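The switch-side counterpart to the 802.1q server NIC scottmac describes, added here as an example and not taken from his post: the port facing the server is a trunk that carries only the VLANs that server is meant to serve, with DTP negotiation turned off and an otherwise unused native VLAN so that any untagged frame from the server cannot land in a production VLAN. The port number, the server VLANs 50 and 51 (from the original question) and VLAN 999 as the unused native VLAN are assumptions; on platforms that support more than one trunk encapsulation, a "switchport trunk encapsulation dot1q" line is needed before "switchport mode trunk", as noted earlier in the thread.

```cisco
! Added example: server-facing trunk port for a server with an 802.1q NIC.
! Port and VLAN numbers are assumptions for illustration.
vlan 999
 name UNUSED-NATIVE
!
interface FastEthernet0/12
 description Server with 802.1q NIC (serves VLAN 50 and 51 only)
 switchport mode trunk
 ! No DTP: the server must not be able to negotiate what the port does
 switchport nonegotiate
 ! Untagged frames go to a VLAN nobody else is in, never to a data VLAN
 switchport trunk native vlan 999
 ! Prune the trunk to exactly the VLANs this server is allowed to serve
 switchport trunk allowed vlan 50,51
 ! Host-facing port: skip listening/learning, drop the port if it ever
 ! sends a BPDU (a sign something other than a server was plugged in)
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
```

On the server, VLAN 50 and VLAN 51 each appear as their own tagged logical interface, and nothing on the server should transmit untagged; VLAN 999 therefore has no SVI and no other member ports. Pruning the allowed list also means that creating a new VLAN elsewhere on the switch does not silently expose it to this server; `show interfaces FastEthernet0/12 trunk` lists the VLANs actually active on the port.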

I work with JA1064 who posted a message in this conversation above regarding 2 VLANs.

Although we don't need the two VLANs to talk to each other locally, there is a router (2610) plugged into that switch that both VLAN members need to go out of. The router connects the site to the frame relay network which both the students and employees need to go out of to access the Internet via our Corporate site's Internet links.

So, it will be: student PC - through local switch (own VLAN), out router, over frame, to remote router(s), out firewall, to Internet. Same path for employees - but separate local VLAN.

Our goal is to segregate the student network from the employee network throughout the frame relay network, yet allow both to share the Corporate Internet connection which is across the frame network at Corporate.

We have read the basic steps for setting up a vlan - vtp domain config, define vlan, add port(s). Anything else need to be done for both VLANs to go out the router? Will the router recognize and forward packets from both local VLANs w/o any added configuration? Will this setup prevent the students at each site from seeing servers at other sites across the frame network? Additional VLANs will not be setup at all sites since some sites don't have students at them.

I know that was not explained very well, so let me know if you need further clarification.

Thanks!

April