
LAN Users on different VLAN than Servers

julito4589
Level 1

I'm in the process of planning the restructuring on a portion of our network. Currently LAN users and servers are on the same subnet and on the same vlan. I'm planning to create a new subnet on a new vlan and move all LAN users to it. Thus LAN users and servers will be on different subnets and vlans.

Some info on the network:

- Cisco C3825 router acts as the gateway for both servers and LAN users (there's a C3925 in front of this router acting as the edge router and participating in BGP)

- Cisco 3560X switch is immediately behind the C3825 and acts as the core switch where all servers connect to and lower level switches for LAN users uplink to.

My plan is to configure the LAN users or server vlan on each of the corresponding interfaces on the switch. For those interfaces where a server that LAN users have to have access to, I'm going to need to configure a trunk and allow both the LAN users and server vlans.

Unfortunately the C3560X is not configured as a Layer 3 switch yet, so the traffic between vlans will have to traverse to the C3825. Other than this, is there anything in this design that would cause security or performance issues?


Jon Marshall
Hall of Fame

For those interfaces where a server that LAN users have to have access to, I'm going to need to configure a trunk and allow both the LAN users and server vlans.

No you don't, that is what routing is for.

The server does not need to be in every vlan, it can just be in its own vlan and clients are routed to the server vlan.

Whether you do the routing on the L3 switch or the router is up to you but either way you do not need all servers connected with trunks.

Jon

Jon, but if I have any switches connected to the 3560 that support clients in the two vlans, the interfaces that those switches connect to in the 3560 will need to be set up as trunks and set to allow the respective vlans. Correct?

For switch connections yes you would need trunks if you have the same vlans on those switches.

Jon
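Added example, not part of the original posts: a Cisco IOS sketch of the layout discussed above, with servers on access ports in their own VLAN, a trunk only on the uplink to another switch, and inter-VLAN routing on the 3560X SVIs. The VLAN IDs, names, interface numbers and addresses are assumptions chosen for illustration.

```cisco
! Assumed values: VLAN 10 = servers, VLAN 20 = LAN users,
! 10.0.10.0/24 and 10.0.20.0/24, ports Gi0/1 and Gi0/24.
!
! Route between VLANs on the switch itself
ip routing
!
vlan 10
 name SERVERS
vlan 20
 name LAN-USERS
!
! One SVI per VLAN; hosts use these addresses as their default gateway
interface Vlan10
 description Gateway for server VLAN
 ip address 10.0.10.1 255.255.255.0
 no shutdown
!
interface Vlan20
 description Gateway for LAN user VLAN
 ip address 10.0.20.1 255.255.255.0
 no shutdown
!
! Server port: access port in the server VLAN only, no trunk.
! LAN users reach the server through routing, not through a shared VLAN.
interface GigabitEthernet0/1
 description Server
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Uplink to a downstream switch that has ports in both VLANs:
! trunk, limited to the VLANs that switch actually needs.
interface GigabitEthernet0/24
 description Uplink to access switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

Keeping servers on single-VLAN access ports means all user-to-server traffic crosses a routed interface, which is the one place where filtering between the two VLANs can later be applied.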

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

... is there anything in this design that would cause security or performance issues?

Yes, the 3845 doesn't have the performance capacity to support typical (gig) interVLAN routing.

If your 3560X has an IPBase, or better, feature license, you really want to do interVLAN routing on it.

Joseph, could you elaborate a little more on your comment about the 3825 not having the "performance capacity to support typical interVLAN routing"?

I'm planning to move about 6 VLANs to the 3560 and configure the interVLAN routing there. There'll be 2 VLANs that will need to stay in the 3825 for a bit while I make other changes in the network that will allow me to also transfer them to the 3560.

I'm assuming that this device will be able to handle this (it's currently dealing with 5 VLANs) at least for some time.

Oops, I wrote a 3845, but lack of performance is even more true for a 3825.

A 3825 is rated at 350 Kpps.  Wirespeed Ethernet, for gig (minimum size packets), needs 1.488 Mpps, twice that for duplex.  ISRs also need their CPU for "control plane stuff".

Cisco's 2911, rated at 353 Kpps, Cisco recommends for up to 35 Mbps WAN (i.e. duplex) bandwidth.

Assuming your LAN might have more traffic between your subnets/VLANs (number of VLANs doesn't matter much, expected traffic volume is the key value), your 3825 may become a performance bottleneck.

BTW, for comparison, your 3650-X offers (for the 48 port models) 101.2 Mpps.
