a flat vlan!

atimpanaro
Level 1

Hi, a customer of mine asked to segment his LAN using VLANs.

I want to create 4 VLANs distributed across the building floors. So, for example, at floor 1 VLANs 1 and 2 are present, at floor 2 VLANs 2 and 3 are present, and at the ground floor VLAN 4 is present (where I have the servers).

Each PC must talk ONLY with other PCs within the same VLAN and with the servers on VLAN 4. No communication between VLANs 1-2, 1-3, 2-3.

Another requirement is that I cannot change the PCs' IP addresses. So I cannot create a different IP subnet for each VLAN; all the VLANs must share the 10.1.0.0/16 network.

I'm using some Cat 3500XL at the wiring closets and a Cat 4006 at the core level. The uplinks are Gigabit f.o. (fiber optic).

Any idea on how to realize this job?

Thanks to all.

Andrea.

29 Replies

Gilles Dufour
Cisco Employee

If your customer doesn't want to re-address the PCs, then there is no way of doing this.

The reason is that a VLAN is by definition a Virtual LAN that is one IP segment.

You also need a L3 device to route between the VLANs.

If you don't segment your IP block, then you can't route between the VLANs and therefore you need bridging, which is the equivalent of not configuring VLANs.

gdufour,

If PCs of VLAN 1, 2 and 3 did not need to connect to servers in VLAN 4, I think we could segment the network by using trunking, is that true?

Then suppose we put each server in all of VLANs 1, 2 and 3; I think it would be OK too. But I'm afraid a server cannot belong to many VLANs if we use trunking.

Is this true for all Cisco switches?

PCs in VLANs 1, 2, 3 need to connect to the server in VLAN 4.

No, a single port can belong to a single VLAN.

You can bridge between VLANs. But as I said before, if you do this, you get back to a flat topology which is just more difficult to manage.

The reason to go to a VLAN design is to separate the broadcast domains. Therefore, you need re-addressing.

Your customer might be afraid of downtime due to this task. But if you can find a nice way to re-address all devices, it might be better than trying to find a solution with no re-addressing.

Hello,

thanks for your messages.

No, the customer isn't afraid about downtime to change the IP addressing. The problem is that he has a COBOL application that works with MAC address references.

What about private VLANs?

Do you think they can help me?

Many thanks

Hi,

First I just want to tell you that on a Catalyst 2900XL/3500XL you can assign a port to several VLANs. This allows you to have the same IP subnet for all your VLANs, and there would be a Layer 2 separation between the different VLANs, preventing communication between hosts even though they belong to the same subnet.

The overlapping-VLAN port (not a trunk port) can be connected to the server (or common resource) and communication can take place since the IP network is the same.

On the other hand, the private VLAN could also be an option. The users that you need to communicate with each other can be connected to community ports; they will be able to communicate with ports within the same community and with the promiscuous port (where your server should be connected).

You can create several community VLANs within the same primary VLAN and a single isolated VLAN where your server(s) will be positioned.

Hope I could be of any help.

Regards.
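The private VLAN layout described above, written out as an added configuration example that is not from the original post. It assumes a Catalyst running IOS with private VLAN support (the 3500XL in this thread does not), and the VLAN numbers and interface names are made up; the three user groups become community VLANs and the servers sit on a promiscuous port, all inside the one 10.1.0.0/16 subnet.

```cisco
! Added example (not from the thread). Assumptions: Catalyst IOS with
! private VLAN support; VLAN IDs 100-103 and port numbers are invented.
! Private VLANs are configured with VTP in transparent mode.
vtp mode transparent
!
! One primary VLAN carries the shared 10.1.0.0/16 subnet.
vlan 100
 private-vlan primary
 private-vlan association 101,102,103
!
! One community VLAN per user group. Hosts in a community reach each
! other and promiscuous ports only, never hosts in another community.
vlan 101
 private-vlan community
vlan 102
 private-vlan community
vlan 103
 private-vlan community
!
! Floor 1 user ports, first group: community 101
interface range FastEthernet0/1 - 12
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Floor 1 user ports, second group: community 102
interface range FastEthernet0/13 - 24
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Server port: promiscuous, so every community can reach the servers
! while the communities stay separated from each other at Layer 2.
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102,103
!
! Checks: confirm the primary/secondary pairing and each port's role.
! show vlan private-vlan
! show interfaces switchport
```

Because VTP transparent mode is used, the same primary and community VLAN definitions must be repeated on every switch in the path, and the trunking caveat raised later in the thread still applies to the platform in use.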

Wassim, thanks for your post.

OK, the Cat 2900XL/3500XL support multi/overlapping VLANs, but my servers (or common resources) are connected to the Cat 4006 at the data center, which doesn't support multi/overlapping VLANs.

About PVLANs: if I'm not wrong, I believe that the Cat 2900XL/3500XL don't support community ports. My end users are connected on the 3500XL switches.

So the problem persists.

Many Thanks

Andrea.

I think Wassim had a good point with the PVLAN.

BTW, how many devices are we talking about ?

How many PC and how many servers ?

I'm new at this, but have you thought about dynamic VLANs with VTP pruning?

Hi,

If you go along with the PVLAN suggestion, remember that VTP and PVLANs can't be configured together on the same switch. You also can't trunk PVLANs. At least this is the last I knew but maybe things have changed in newer code releases.

Hugginsa,

Yes, I have thought about it. OK for dynamic VLANs (but I can also assign VLANs based on port; it's not a problem because there isn't very frequent user mobility).

VTP pruning is another thing. It prevents sending out VLAN traffic over a trunk if that VLAN doesn't exist on the spoke switch (for example).

Bye and thanks for your thinking!

I'm talking about 400 PCs and 20 servers.

And I suppose the PCs have a fixed IP address. No DHCP?

I still think you should re-address and use DHCP (except for the servers).

You could do this by keeping the server addresses.

Then, you take a new range of addresses in 10.x.0.0/16 and you start migrating one floor at a time. And I would go with DHCP so that next time your customer wants to change something, it's easier to manage.

Once a floor is migrated, it will be using a new VLAN and a new range of addresses.

A Layer 3 switch will route between the VLANs.

The floors that are not yet migrated will still be in the same VLAN as the servers.

At the end, all floors are migrated and only the servers are left in the initial VLAN.

You should not have much downtime by doing this.

My problem is not downtime related to the changeover of IP address. Please see posts (1.1.2.1) and (1.1.2.1.2).

Bye
