Quick question on local vlans and end-to-end vlans

So as I have been reading through documentation on these I have had a question constantly popping into my head.

What about some sort of hybrid design. Not necessarily keeping one or three vlans on a switch, but keeping these vlans segregated at the distribution layer.


vlan 2 - Admin

vlan 3 - IT

vlan 4 - Finance

vlan 5 - Voice

Then keeping these segregated at the distribution block.  Mapping these using dynamic vlan assignment controlled in a radius server.

Then in another distribution block (say you have two distribution blocks)

vlan 6 - Admin

vlan 7 - IT

vlan 8 - Finance

vlan 9 - Voice

From there doing the same thing on these and segregating these at the distribution block. Having a separate policy for the radius servers based on which switches are authenticating the users. Would this be a bad design or would this be something advisable? So you would have four vlans on each of the switches potentially, but each building would have its own vlans and you wouldn't have broadcasts and other layer two traffic going over the trunks between switches. Then the only traffic going across the trunks would be to servers and voice between users.

I know that it is best to keep layer two traffic from crossing layer three devices (i.e. merging vlan 5 and vlan 9 because they are both voice). But what are some of the reasons for not doing this? Is it advisable to hybridize this further? I know the 80/20 has been switching to 20/80 with VDI and cloud computing. Devices are going outside of their LAN for more and more information. I am trying to think of a way to keep things segregated and allow for security policies in the distribution layer. Are IP and layer four ACLs falling out of favor for security policies? I just keep on trying to put those into context and I am thinking about how you would lock down access to say a finance server. If you didn't map someone to a vlan/subnet from finance the ACLs would just get gigantic. Would this just be something that you would rely on LDAP for instead? Are ACLs becoming something for QoS, routing updates, and PBR only?
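One way to put the design in the post into configuration, as an added example that is not from the original post or from Cisco documentation: Cisco IOS fragments for an access switch in the first building, where the RADIUS server returns VLAN 2-5 based on which switch sent the request, and for a distribution-layer ACL in front of a finance server. Every address, the VLAN-to-subnet mapping (10.1.4.0/24 for VLAN 4 in building A, 10.2.8.0/24 for VLAN 8 in building B), the server address 10.10.100.20, the RADIUS server 10.0.0.5 and the shared secret are assumed values chosen for the example.

```cisco
! --- Access switch, building A (all addressing in this example is assumed) ---
! RADIUS-assigned VLAN needs both dot1x authentication and network authorization.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server RAD1
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
!
! Each user port authenticates and is placed in the data VLAN the RADIUS server
! returns (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802,
! Tunnel-Private-Group-Id=<vlan>, as in RFC 3580). The server chooses 2-5 or 6-9
! from the NAS-IP-Address of the switch, which is the "separate policy per set of
! switches" from the post. The voice VLAN stays static per building (5 here, 9 in
! building B) since phones are usually identified by CDP/LLDP rather than dot1x.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport voice vlan 5
 authentication port-control auto
 dot1x pae authenticator
!
! --- Distribution switch that hosts the finance server VLAN (VLAN 100) ---
! Because each building's finance users land in their own subnet, the server
! ACL needs one line per building, not one line per user or per MAC address.
ip access-list extended FINANCE-SERVER-IN
 remark allow only building A finance (VLAN 4) and building B finance (VLAN 8)
 permit ip 10.1.4.0 0.0.0.255 host 10.10.100.20
 permit ip 10.2.8.0 0.0.0.255 host 10.10.100.20
 deny   ip any host 10.10.100.20 log
 permit ip any any
!
! Applied outbound on the server SVI, so it filters everything routed into
! VLAN 100 toward the server no matter which distribution block it came from.
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
 ip access-group FINANCE-SERVER-IN out
```

The trailing `permit ip any any` keeps other hosts in VLAN 100 reachable; if the VLAN holds only the finance server, drop that line so the implicit deny applies. The `log` keyword on the deny is useful for seeing who is being blocked while the design is new, but logged ACL hits are punted to the CPU, so rate-limit or remove it once the policy is settled. The size of this ACL depends only on the number of buildings, which is the practical reason the per-building VLAN scheme keeps server-side ACLs small even as the user count grows.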
