07-14-2016 10:41 AM - edited 03-08-2019 06:38 AM
Hello All,
We are an SME: 250 users, two facilities connected through fiber, where the datacenter is in one facility.
We are on a flat network, VLAN 1. I am trying to see how to make the best use of VLANs.
We don't have a layer 3 switch in the other plant but will get one.
I have a couple of ideas, so I wanted some input.
1) Should I put everything in both facilities on separate VLANs?
So Facility A: voice VLAN, server and switches VLAN, camera VLAN, wireless VLAN, PCs VLAN, industrial equipment VLAN, and the same for Facility B.
OR
Should I keep 1 voice VLAN, 1 server and switches VLAN, 1 camera VLAN, 1 wireless VLAN, 1 PCs VLAN, and 1 industrial equipment VLAN for each side?
We don't have any restrictions on access to things, and each user has similar access to servers.
Everybody needs access to the servers and to communicate with each other, and a few people move around between buildings or need access to cameras and servers. So I'm looking for the best way to go about it.
I was also looking into the allowed VLAN part and am not sure if we should implement that and how it would help. I was thinking more of stuff like cameras and industrial equipment, to prevent their broadcasts from travelling across buildings. So I was thinking that if someone in the other facility wants to watch a camera on the other side, and if we restrict VLANs across, let's say, the fiber link between buildings, they may not be able to do so, even though there may not be any device in that VLAN on the other side.
I am assuming that we may have to subnet each VLAN for best practice. So as not to change each and every thing, I am thinking of using /24 subnets instead of the /16 we are using. Is that a good idea or a bad one?
This way a lot of the network hardware will stay in its IP range, and we will only have to change the subnet mask to /24 on most of the hardware.
We are using x.x.1.1-254, x.x.2.1-254, x.x.3.1-254, etc. just to provide different IP ranges.
Please let me know if I have misunderstood some concept, and please provide your input.
Thanks
L
07-15-2016 01:18 AM
Hi L,
In my opinion you are going down the correct path.
In order to reduce the effects of a flat network/broadcast domain,
a positive step is to break it down into smaller networks/VLANs.
How to carry this out, and by what method, really all depends on
what hardware you have to work with.
If you only have an L3 switch at site "A" you can still put this to
good use and let that L3 switch perform all the inter-VLAN routing.
Using /24 subnets for each VLAN is fine as long as you have the address space.
Get away from deploying anything on VLAN 1 if possible, as VLAN 1 inherits
many Cisco traits like default native for trunks, CDP neighbours etc. etc.
This is mentioned in many Cisco "Best Practice" docs.
Something like below would get you started.
SITE "A" (L3 switch with an SVI for each VLAN for routing)
  VLAN 20  - Switch Net Management
  VLAN 51  - DATA CENTRE 1ST VLAN
  VLAN 52  - DATA CENTRE 2ND VLAN
  VLAN 53  - DATA CENTRE 3RD VLAN
  VLAN 101 - DHCP/PCs
  VLAN 102 - VOICE
  VLAN 103 - WIRELESS
  VLAN 104 - CAMERAS
  VLAN 105 - INDUSTRIAL

------------ TRUNK between sites: ONLY ALLOW VLANS 20,201-205 ------------

SITE "B" (L2 switch)
  VLAN 20  - Switch Net Management
  VLAN 201 - DHCP/PCs
  VLAN 202 - VOICE
  VLAN 203 - WIRELESS
  VLAN 204 - CAMERAS
  VLAN 205 - INDUSTRIAL
Configuring allowed VLANs on a trunk is something like this (dependent on switch type):
!
interface GigabitEthernet0/24
 description *** TRUNK TO SITE B ***
 switchport
 ! the encapsulation line is only needed on platforms that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! prune everything except the VLANs that genuinely exist at both sites
 switchport trunk allowed vlan 20,201-205
 no shutdown
!
Regards
Alex
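As an added example (not code from Alex's post), the following script checks the allowed-VLAN idea above against the proposed two-site plan: it expands an IOS-style list such as `20,201-205`, reports which VLANs actually cross the fiber, which site A broadcast domains stay local, which site B VLANs would be cut off from the SVIs at site A if they were left off the list, and flags the VLAN 1 / native VLAN traps the answer warns about. The plan dictionaries, function names and the native-VLAN default of 1 are assumptions for illustration.

```python
"""Audit an 802.1Q trunk's allowed-VLAN list against a two-site VLAN plan.

Added example for this thread, not code from the original post. The VLAN
numbers are the ones proposed in the answer above; the plan dicts, the
function names and the native-VLAN default are assumptions for illustration.
"""

# Assumed plan, taken from the answer above: site A owns the L3 SVIs,
# site B is an L2-only switch whose VLANs must cross the trunk to be routed.
SITE_A_VLANS = {
    20: "Switch Net Management",
    51: "Data centre 1", 52: "Data centre 2", 53: "Data centre 3",
    101: "DHCP/PCs", 102: "Voice", 103: "Wireless",
    104: "Cameras", 105: "Industrial",
}
SITE_B_VLANS = {
    20: "Switch Net Management",
    201: "DHCP/PCs", 202: "Voice", 203: "Wireless",
    204: "Cameras", 205: "Industrial",
}


def expand_vlan_list(spec):
    """Expand an IOS-style list such as '20,201-205' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError("bad range %r" % part)
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    bad = sorted(v for v in vlans if not 1 <= v <= 4094)
    if bad:
        raise ValueError("VLAN IDs out of range: %s" % bad)
    return vlans


def audit_trunk(allowed_spec, site_a, site_b, native_vlan=1):
    """Report what the trunk carries, what it prunes and what looks unsafe.

    native_vlan defaults to 1 because that is the Cisco default until it is
    changed with 'switchport trunk native vlan'.
    """
    allowed = expand_vlan_list(allowed_spec)
    a, b = set(site_a), set(site_b)
    report = {
        # broadcast domains that really span both buildings
        "carried": sorted(allowed & (a | b)),
        # site A-only VLANs whose broadcasts stay inside building A
        "pruned_from_a": sorted(a - allowed),
        # allowed on the trunk but defined at neither site: tighten the list
        "allowed_but_unused": sorted(allowed - a - b),
        # site B VLANs with no way to reach the SVIs at site A
        "b_without_path": sorted(b - allowed),
        "warnings": [],
    }
    if native_vlan in allowed:
        report["warnings"].append(
            "native VLAN %d is in the allowed list: untagged frames are "
            "bridged between sites" % native_vlan)
    if native_vlan == 1:
        report["warnings"].append(
            "native VLAN is still 1 (Cisco default); move it to an unused "
            "VLAN and keep it out of the allowed list")
    if 1 in a or 1 in b:
        report["warnings"].append("end devices are still defined in VLAN 1")
    return report


if __name__ == "__main__":
    for key, value in audit_trunk("20,201-205", SITE_A_VLANS, SITE_B_VLANS).items():
        print("%-20s %s" % (key, value))
```

Compare the `carried` list with the "VLANs allowed and active in management domain" column of `show interfaces trunk` on both ends after the change. One caveat the script cannot check: Cisco control protocols such as CDP, VTP and DTP keep using VLAN 1 on a trunk even when VLAN 1 is removed from the allowed list, so pruning VLAN 1 stops user traffic, not those protocols.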
07-15-2016 09:23 AM
Hi L,
1) I only mentioned "as long as you have address space for a /24 mask"
as I was not sure whether you were using private addressing like network 10.
or an assigned public range.
2) I suggested assigning more than 1 VLAN to your data centre elements
as they usually have the subnet you access your apps on in one subnet/VLAN
and backups and inter-server chat on other subnets - that's all - just a suggestion.
It all helps in keeping broadcast traffic down.
3) If you are definitely using L3 switches at both ends of the site A to site B link,
then I would suggest that you form this link as L3 and not an L2 trunk.
You would need to assign some IP addresses for the link and configure some L3 routing.
Example (VLANs can be what you want - just suggestions):
Site "A" L3 switch with the link to site "B"
!
! static routing on a Catalyst L3 switch only works once 'ip routing' is enabled
ip routing
!
interface GigabitEthernet0/24
 description *** L3 LINK TO SITE B ***
 no switchport
 ip address 10.255.255.254 255.255.255.252
 no shutdown
!
! one static route per site B subnet, next hop = site B's end of the /30
ip route 10.6.201.0 255.255.255.0 10.255.255.253 name route_to_B-Vlan-201
ip route 10.6.202.0 255.255.255.0 10.255.255.253 name route_to_B-Vlan-202
ip route 10.6.203.0 255.255.255.0 10.255.255.253 name route_to_B-Vlan-203
ip route 10.6.204.0 255.255.255.0 10.255.255.253 name route_to_B-Vlan-204
ip route 10.6.205.0 255.255.255.0 10.255.255.253 name route_to_B-Vlan-205
ip route 10.6.206.0 255.255.255.0 10.255.255.253 name route_to_B-Vlan-206
!
Site "B" L3 switch with the link to site "A"
!
ip routing
!
interface GigabitEthernet0/24
 description *** L3 LINK TO SITE A ***
 no switchport
 ip address 10.255.255.253 255.255.255.252
 no shutdown
!
! everything not local to site B (site A subnets, Internet) goes to site A
ip route 0.0.0.0 0.0.0.0 10.255.255.254 name default_route_to_A
!
!
You will need to create SVIs at both ends, but this solution will stop layer 2 broadcasting
between sites totally, helping with security etc.
Hope this helps
Regards
Alex
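As an added example (not code from Alex's post), here is a small planner that builds the routed link above from the thread's own numbers and cross-checks it before anything is typed into a switch: both /30 addresses must be usable hosts on the link subnet, every static route's next hop must sit on that link, every site B prefix must fall inside the 10.6.0.0/16 range the original poster is carving up and must not overlap another prefix, and it renders site A's IOS lines so they can be diffed against the running config. The VLAN-to-subnet mapping (VLAN n to 10.6.n.0/24), the plan dictionary, the function names and the summary-route helper are assumptions for illustration.

```python
"""Cross-check the routed (L3) inter-site link and static routes proposed above.

Added example for this thread, not code from the original post. The /30 link
addresses and the 10.6.<vlan>.0/24 scheme are the ones used in the answer;
the plan dict, the function names and the CAMPUS summary are assumptions.
"""
import ipaddress

# Assumed: the same VLAN numbers as in the answer, one /24 each at site B.
SITE_B_VLANS = {201: "DHCP/PCs", 202: "Voice", 203: "Wireless",
                204: "Cameras", 205: "Industrial"}
LINK = ipaddress.ip_network("10.255.255.252/30")      # point-to-point link
SITE_A_LINK_IP = ipaddress.ip_address("10.255.255.254")
SITE_B_LINK_IP = ipaddress.ip_address("10.255.255.253")
CAMPUS = ipaddress.ip_network("10.6.0.0/16")           # the range being carved up


def vlan_subnet(vlan_id):
    """VLAN n -> 10.6.n.0/24, the mapping used in the thread (n must fit one octet)."""
    if not 0 <= vlan_id <= 255:
        raise ValueError("VLAN %d does not map into %s with this scheme" % (vlan_id, CAMPUS))
    return ipaddress.ip_network("10.6.%d.0/24" % vlan_id)


def site_a_routes(site_b_vlans):
    """Static routes site A needs: one per site B subnet, next hop = B's link address."""
    return {vlan_subnet(v): SITE_B_LINK_IP for v in site_b_vlans}


def check_link(routes):
    """Return a list of problems; an empty list means both ends are consistent."""
    problems = []
    usable = set(LINK.hosts())                         # .253 and .254 on a /30
    for ip in (SITE_A_LINK_IP, SITE_B_LINK_IP):
        if ip not in usable:
            problems.append("%s is not a usable host address on %s" % (ip, LINK))
    if SITE_A_LINK_IP == SITE_B_LINK_IP:
        problems.append("both ends of the link use the same address")
    prefixes = list(routes)
    for i, prefix in enumerate(prefixes):
        next_hop = routes[prefix]
        if next_hop not in LINK:
            problems.append("next hop %s for %s is not on the link %s" % (next_hop, prefix, LINK))
        if not prefix.subnet_of(CAMPUS):
            problems.append("%s lies outside %s" % (prefix, CAMPUS))
        if prefix.overlaps(LINK):
            problems.append("%s overlaps the link subnet" % prefix)
        for other in prefixes[i + 1:]:
            if prefix.overlaps(other):
                problems.append("%s overlaps %s" % (prefix, other))
    return problems


def smallest_supernet(prefixes):
    """One summary covering every site B prefix (fewer route lines, wider scope)."""
    summary = prefixes[0]
    while not all(p.subnet_of(summary) for p in prefixes):
        summary = summary.supernet()
    return summary


def render_site_a(routes):
    """IOS-style lines for site A's end of the link, mirroring the answer above."""
    lines = [
        "ip routing",
        "!",
        "interface GigabitEthernet0/24",
        " description *** L3 LINK TO SITE B ***",
        " no switchport",
        " ip address %s %s" % (SITE_A_LINK_IP, LINK.netmask),
        " no shutdown",
        "!",
    ]
    for prefix in sorted(routes):
        third_octet = prefix.network_address.packed[2]   # the VLAN number in this scheme
        lines.append("ip route %s %s %s name route_to_B-Vlan-%d"
                     % (prefix.network_address, prefix.netmask, routes[prefix], third_octet))
    return "\n".join(lines)


if __name__ == "__main__":
    routes = site_a_routes(SITE_B_VLANS)
    print(render_site_a(routes))
    print("! summary that could replace the per-VLAN routes:", smallest_supernet(list(routes)))
    print("! problems:", check_link(routes) or "none")
```

The summary helper shows the trade-off behind replacing five routes with one: 10.6.200.0/21 also covers 10.6.200.0 and 10.6.206.0-207.0, so anything later numbered into those ranges is routed toward site B whether intended or not, which is why per-VLAN routes are the safer default on a link this small.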
07-15-2016 08:47 AM
Hello Alex,
Thank you for your reply.
We have an L3 switch (4500X) which connects to Site B, and we plan to put an L3 switch in Site B to replace the L2 switch that connects to this 4500X, as there are other L2 switches hanging off the Site B L2 switch.
Why did you mention "as long as you have address space for a /24 mask"?
10.6.0.x
10.6.1.x
10.6.3.x and so on until 254.
So we should be able to get 254 subnets and 254 hosts per subnet, so we should be able to put everything in its own subnet.
Why would we need VLANs 51, 52, 53? Why not just 51? Is it because you are splitting servers, switches, and something else into their own VLANs?
Now for the configuration part.
In this case, on the Site B side, we would not really restrict any VLAN from getting on the trunk, since we want the traffic to leave the trunk towards Site A to access the Internet and servers. Is that correct?
Now, my confusion also is: since it is trunk mode, we will only stop broadcasts from Site A hopping onto the trunk to Site B, but broadcasts across VLANs 201-205 will propagate towards Site A from Site B and onto other trunk ports. Is that correct? So we really won't reduce broadcasts much towards Site A.
Another unrelated question is: how do we connect the management VLAN port on switches to the network? This ethernet port has to be plugged into some switch to be able to connect to them.
So if the main switch at Site B which connects to Site A has 4 switches hanging off it, then all those 4 switches' management VLAN ports have to be physically connected to this main switch at Site B. And if this main switch at Site B loses connectivity to Site A, then all those switches become inaccessible. Is that correct, or in real life do we connect them differently? Just trying to get a better grasp on the management VLAN port as well.
Thanks,
L
07-15-2016 10:39 AM
Hello Alex,
Thanks for your detailed reply. I will need to study layer 3 routing a little and re-read this stuff. If you could also clarify the management VLAN doubt, that would be great.
Thanks,
L