How do I Vlan, Switch and Vlan a larger test environment?
Tags: vlan, switch
I am new to vlans and have a very old CCNA but have little experience.

We currently need two vlans, 500 systems (call it vlan 500) and 200 systems (call it vlan 200). All the supporting servers (DNS etc.) are on vlan 500.

I need to understand how to do the vlans across the layer 2 and layer 3 switches (by the way, we have new Dell switches).

Vlan 200 is an isolated vlan and we do not want viruses or other problems to be able to pass to the vlan 500.  We only want requests for DNS, DHCP, RDP, PXE, ICMP and Ghost to pass from vlan 200 to 500.   We only want the replies for these services to go from Vlan 500 to Vlan 200.

Originally the plan was to implement the vlans in one layer 3 switch and the layer 2 switches and we hoped the layer 2 switches should be able to communicate with the one layer 3 switch.

After some discussion, a switch engineer at Dell asked us to consider implementing the vlans on the layer 2 switches and also on the layer 3 switch. He started talking about IP addressing and I do not know exactly what kind of IP scheme would make this work.

I selected ip address ranges
10.10.10.10  255.255.0.0  vlan 200
10.20.10.10  255.255.0.0  vlan 500

I need suggestions on a good layout of this network / vlan.  We also need to understand more about access lists and the IP scheme to make it all work.

Thank you in advance

D
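The question asks for access lists that let only requests for the listed services leave vlan 200 and only their replies leave vlan 500, and no answer in the thread supplies them. What follows is an added example, not code from the thread or from Dell: it models that policy as two first-match, stateless ACLs in Python and runs constructed flows through them. It assumes the 10.10.0.0/16 (vlan 200) and 10.20.0.0/16 (vlan 500) subnets that appear later in the thread; the Ghost ports are assumptions to be confirmed against your Ghost version, and the host addresses and flows are constructed.

```python
"""Stateless inter-VLAN ACL model for the policy in the question above.

Added example, not from the thread. Two ACLs on the L3 switch are modelled:
  ACL_200: traffic arriving from vlan 200 (10.10.0.0/16) bound for vlan 500
  ACL_500: traffic arriving from vlan 500 (10.20.0.0/16) bound for vlan 200
Subnets follow the thread; service ports for Ghost and all flows are assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

VLAN200 = ip_network("10.10.0.0/16")
VLAN500 = ip_network("10.20.0.0/16")
ANYNET = ip_network("0.0.0.0/0")
ANYPORT = range(0, 65536)
EPHEMERAL = range(1024, 65536)
DHCP_PORTS = range(67, 69)          # 67 (server/relay) and 68 (client)

# (name, proto, server port, client-side ports). Ghost ports are an ASSUMPTION
# (GhostCast defaults differ by version); check your vendor documentation.
SERVICES = [
    ("dns",   "udp", 53,   EPHEMERAL),
    ("dns",   "tcp", 53,   EPHEMERAL),
    ("dhcp",  "udp", 67,   DHCP_PORTS),   # client broadcasts stay in vlan 200;
                                          # only a relayed copy crosses the SVI
    ("tftp",  "udp", 69,   EPHEMERAL),    # PXE image download, see caveat below
    ("rdp",   "tcp", 3389, EPHEMERAL),
    ("ghost", "udp", 6666, EPHEMERAL),    # assumed default
    ("ghost", "tcp", 7777, EPHEMERAL),    # assumed default
]

@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK bit, all a stateless "established" looks at
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str            # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    sports: range = ANYPORT
    dports: range = ANYPORT
    established: bool = False
    icmp_types: frozenset = frozenset()   # empty = any ICMP type

    def matches(self, f: Flow) -> bool:
        if self.proto not in ("ip", f.proto):
            return False
        if ip_address(f.src) not in self.src or ip_address(f.dst) not in self.dst:
            return False
        if f.proto in ("tcp", "udp") and (f.sport not in self.sports or f.dport not in self.dports):
            return False
        if f.proto == "icmp" and self.icmp_types and f.icmp_type not in self.icmp_types:
            return False
        # "established" only checks the ACK bit: there is no connection table
        return not self.established or (f.proto == "tcp" and f.ack)

def build_acls():
    """Return (ACL_200, ACL_500): first match wins, explicit deny at the end."""
    acl_200 = [Rule("permit", "icmp", VLAN200, VLAN500, icmp_types=frozenset({8}))]
    acl_500 = [Rule("permit", "icmp", VLAN500, VLAN200, icmp_types=frozenset({0}))]
    for _name, proto, port, client_ports in SERVICES:
        server = range(port, port + 1)
        acl_200.append(Rule("permit", proto, VLAN200, VLAN500, client_ports, server))
        # Reply direction: the server port is now the SOURCE; TCP must carry ACK.
        acl_500.append(Rule("permit", proto, VLAN500, VLAN200, server, client_ports,
                            established=(proto == "tcp")))
    acl_200.append(Rule("deny", "ip", ANYNET, ANYNET))
    acl_500.append(Rule("deny", "ip", ANYNET, ANYNET))
    return acl_200, acl_500

def evaluate(acl, flow: Flow) -> str:
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"   # implicit deny, as on real switch ACLs

def demo() -> dict:
    """Constructed flows; the last two show where a stateless ACL falls short."""
    acl_200, acl_500 = build_acls()
    cases = {
        "dns query 200->500":   (acl_200, Flow("udp", "10.10.10.10", "10.20.0.5", 53211, 53)),
        "dns reply 500->200":   (acl_500, Flow("udp", "10.20.0.5", "10.10.10.10", 53, 53211)),
        "smb 200->500":         (acl_200, Flow("tcp", "10.10.10.10", "10.20.0.5", 40000, 445)),
        "rdp initiated by 500": (acl_500, Flow("tcp", "10.20.0.9", "10.10.10.10", 41000, 3389)),
        "rdp reply 500->200":   (acl_500, Flow("tcp", "10.20.0.5", "10.10.10.10", 3389, 50000, ack=True)),
        "ping 200->500":        (acl_200, Flow("icmp", "10.10.10.10", "10.20.0.5", icmp_type=8)),
        "ping from 500":        (acl_500, Flow("icmp", "10.20.0.9", "10.10.10.10", icmp_type=8)),
        # Caveat 1: a vlan 500 host can send bare ACKs from port 3389 (ACK scan).
        "forged ack from 500":  (acl_500, Flow("tcp", "10.20.0.9", "10.10.10.10", 3389, 50001, ack=True)),
        # Caveat 2: TFTP data comes back from a fresh server port, so PXE breaks.
        "tftp data 500->200":   (acl_500, Flow("udp", "10.20.0.5", "10.10.10.10", 49152, 40001)),
    }
    return {name: evaluate(acl, flow) for name, (acl, flow) in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Two of the results matter for the design. A stateless "established" rule only checks the ACK bit, so a host in vlan 500 can still push bare ACK packets into vlan 200 (an ACK scan gets through even though no connection can be built), and TFTP's data transfer comes back from a new server port, so PXE will not work under a strict reply-only ACL unless that rule is widened or the boundary is enforced by a stateful firewall instead. DHCP discovers are broadcasts that never leave vlan 200 by themselves; they reach a server in vlan 500 only if the L3 switch relays them.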
Question Stats
Zone: Networking
Question Asked By: itguy411
Solution Provided By: tvman_od
Participating Experts: 2
Solution Grade: A
Views: 59
09.27.2007 at 06:09AM PDT, ID: 19970788
There is no difference in ethernet operations between L2 and L3 switches. L3 is just capable of doing basic routing between virtual interfaces. Think about VLAN IP interfaces as ports connected somewhere inside the switch. It will have its own MAC address and all other attributes of an ethernet interface. Logically it's a separate entity, so you can assign IP addresses, apply ACLs, etc.

In your case it would be a good idea to avoid connecting servers from different VLANs which will communicate with each other to the same L2 switch, because traffic will cross the uplink to reach the L3 router and cross it again on the way to its destination at the L2 switch. Everything else is trivial. In some cases you can try to use separate uplinks for both VLANs.
 
09.27.2007 at 03:10PM PDT, ID: 19975150
For simplicity, configure the same VLANs on all the switches. Connect each switch together with trunk ports, using 802.1q and crossover cables.

All the layer 2 switches HAVE to connect to the layer 3 switch IF you want traffic from one VLAN to get to the other.

For security though, you should configure an entire switch to only be on one VLAN. As before, to get traffic to another VLAN (in this case, another switch) you have to connect it to the layer 3 switch, but you will not need trunk ports.

One of your layer 3 switches should be your default gateway, and all systems should have a path back to it. This is the only way to allow communication between VLANs.
 
09.27.2007 at 03:18PM PDT, ID: 19975180
the layer 3 switch should have each VLAN configured on it, and an IP address assigned to it as the default gateway.  like this:

interface vlan 200
name 200
ip address 10.10.0.1 255.255.0.0

interface vlan 500
name 500
ip address 10.20.0.1 255.255.0.0

that is, 10.10.0.1 is the default gateway for vlan 200.
Assisted Solution
 
09.27.2007 at 05:36PM PDT, ID: 19975773
ngravatt, I would not agree about security improvements if you configure a single VLAN in the switch. There is no way to break boundaries between VLANs unless you have access to the management interface.
Besides that, part of the config is a little bit incorrect: you cannot configure the name of the VLAN under the interface config section.
 
09.27.2007 at 09:16PM PDT, ID: 19976497
that is exactly what my Dell switch config file looks like. I copied and pasted it.

also, there is something known as VLAN hopping. Never actually heard of the vulnerability being exploited, but I have read about how it works.
 
09.28.2007 at 05:00AM PDT, ID: 19977914
ok, agreed on the first. VLAN hopping is possible if you allow auto-negotiation on the access ports and don't filter VLANs on trunk ports, or connect non-trusted devices to ports in trunk mode. So I consider it a poor design issue and not a problem of VLAN technology by itself.
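The thread names VLAN hopping but not which variant. The following is an added example, not from the thread, that simulates 802.1Q double tagging in Python: an attacker whose access VLAN is also the trunk's native VLAN sends a frame carrying two tags, the trunk strips the outer (native) tag on egress, and the neighbouring switch reads the inner tag and delivers the frame into the target VLAN. VLAN numbers follow the thread (200 on the attacker's side, 500 as the target); the MAC addresses and payload are made up, and the model assumes the first switch accepts a frame tagged with the port's own VLAN on an access port, which many switches do. Nothing is sent on a network; the frames only exist in memory.

```python
"""802.1Q double tagging, simulated in memory (nothing is sent on a network).

Added example, not from the thread. VLAN 200 = attacker's access VLAN,
VLAN 500 = target VLAN, both taken from the thread; MACs and payload are made up.
"""
import struct

ETH_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETH_IPV4 = 0x0800

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def tag(vid: int, pcp: int = 0) -> bytes:
    """One 4-byte 802.1Q tag: TPID, then PCP(3 bits) / DEI(1) / VID(12)."""
    return struct.pack("!HH", ETH_8021Q, (pcp << 13) | (vid & 0x0FFF))

def build_frame(dst: str, src: str, vids, payload: bytes,
                ethertype: int = ETH_IPV4) -> bytes:
    """Ethernet II frame with zero or more stacked 802.1Q tags (outer first)."""
    return (mac(dst) + mac(src) + b"".join(tag(v) for v in vids)
            + struct.pack("!H", ethertype) + payload)

def parse_tags(frame: bytes):
    """Return (VIDs outer to inner, inner ethertype, payload offset)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], off + 2

def trunk_egress(frame: bytes, native_vid: int, tag_native: bool) -> bytes:
    """Model of a trunk port sending a frame to the neighbouring switch.

    Default 802.1Q behaviour: a frame that belongs to the trunk's native VLAN
    leaves untagged, so its (outer) tag is removed. If the switch is told to
    tag the native VLAN as well (tag_native=True), the tag stays on.
    """
    vids, _, _ = parse_tags(frame)
    if not vids or vids[0] != native_vid or tag_native:
        return frame
    return frame[:12] + frame[16:]   # strip the 4-byte outer tag

def ingress_vlan(frame: bytes, trunk_native_vid: int) -> int:
    """VLAN the receiving switch assigns: outer tag if present, else native."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else trunk_native_vid

def double_tag_attack(attacker_vid: int, native_vid: int, tag_native: bool,
                      target_vid: int = 500) -> int:
    """Which VLAN the attacker's frame ends up in on the far switch."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:02:00",   # made-up MACs
                        [attacker_vid, target_vid], b"constructed payload")
    on_wire = trunk_egress(frame, native_vid, tag_native)
    return ingress_vlan(on_wire, native_vid)

if __name__ == "__main__":
    print("native = attacker VLAN, native untagged:", double_tag_attack(200, 200, False))  # 500
    print("native VLAN tagged on the trunk:        ", double_tag_attack(200, 200, True))   # 200
    print("native VLAN moved to unused 999:        ", double_tag_attack(200, 999, False))  # 200
```

The hop is one-way (nothing in vlan 500 can answer into vlan 200 by this route), which is exactly why it matters for a lab that relies on "nothing but requests leaves vlan 200": one crafted frame is enough to reach a server. Restricting the allowed VLAN list on trunks and disabling trunk auto-negotiation on access ports, as the post above says, closes the switch-spoofing variant; tagging the native VLAN on trunks or moving it to an unused ID, the two cases at the end of the block, closes this one.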
 
09.29.2007 at 06:46AM PDT, ID: 19983904
I asked the question

They are looking for one large vlan and two smaller ones. Every test environment I have seen that uses layer 2 switches limits the vlan to the size of the switch and usually to the rack the switch resides in. I am concerned about broadcasts in a test / performance test environment.

I am looking for as much of an architectural answer as an implementation answer.

This needs to be simple and I am thinking about putting in 24 vlans in a 48 port switch, 2 ports per vlan. That way we can support 24 pairs of switches, or is there an advantage to making 48 vlans so we do not have as much communication from switch to switch? Can we leave the layer 2 switches totally unconfigured and use them as unmanaged, unconfigured switches and use the layer 3 switch as all the intelligence?

 
09.29.2007 at 07:31AM PDT, ID: 19984003
You should understand that traffic can cross VLAN boundaries using an L3 device only. So if one of the systems needs to communicate with another in a different VLAN it will have to cross the L3 switch.

The architectural decision should be made based on the estimated traffic profile; in other words, you need to know how each system will communicate with the rest of the network. I have a few 9x3750 stacks of switches and in a controlled environment I don't see any problems with broadcast traffic, which is minor compared to available bandwidth. Using a single VLAN will give some performance advantages if hosts communicate with each other and will not need to cross an L3 device, which will introduce some additional delay and increase CPU load on the L3 router. If it's a server farm which serves external clients and all the traffic will cross the L3 router and then hit the servers, then separation will give some additional security.

Anyway, I cannot give anything more specific without an assessment of your resources and specific task.
 
09.30.2007 at 02:06PM PDT, ID: 19988043
I cannot give exact information due to my employer; however, it is a 100% test lab. The only stuff that should be crossing vlans is the minor DHCP or DNS requests.

We will be doing iSCSI testing also.

 
 
09.30.2007 at 02:08PM PDT, ID: 19988047
What is the difference between leaving all layer 2 switches unconfigured and putting them in vlan 500? What is the difference between putting 48 vlans on the layer 3 switch and leaving the layer 2 switches unconfigured OR putting each one in each of the 48 vlans?

 
 
09.30.2007 at 05:26PM PDT, ID: 19988402
The difference is that if you put 48 VLANs on the L3 switch and any of the hosts needs to communicate with a neighbor on another L2 switch, it will need to cross the L3 routing process in the switch.
1. You will need to assign different subnets to each VLAN.
2. Load on the L3 device will be higher because L2 switching is done using hardware-only methods and L3 routing uses many more software components. iSCSI creates really heavy traffic, so you want to minimise the number of L3 devices on the path from clients to storage devices. In order to increase security, use MAC address filtering and 802.1x authentication.
3. You want to configure at least basic elements on the L2 switches to be able to monitor activity over SNMP and have an option to enable/disable ports, change speed/duplex, enable fast STP on ports for endpoints and normal STP for uplinks.
 
10.01.2007 at 05:45AM PDT, ID: 19990318
OK, at this point I figure I am going to do a layer 3 switch and a bunch of layer 2 switches with just enough configuration to make it all work well.  There is little traffic to go across the single layer 3 switch so that should be good.

Now let's say I make a vlan 2 on the layer three switch. I have an IP of 10.10.0.1 255.255.0.0. Now it hooks to a layer 2 switch I want to configure to be the only vlan 2 switch. What do I need to do in the configuration?

I assume:
I need to create vlan 2 on the layer 2 switch.
I need to give it an IP and a default gateway, would 10.10.0.2 255.255.0.0 work ?  
What other issues should I be aware of ?

Thank you all in advance

itguy411
 
10.01.2007 at 06:24AM PDT, ID: 19990575
You are correct.

For each VLAN you need to create a separate VLAN IP interface on the L3 device:
Vlan 1 10.10.0.1 255.255.0.0
Vlan 2 10.11.0.1 255.255.0.0
....

Vlan 100 10.101.0.1 255.255.0.0

Because your switches are not Cisco I cannot give you a sample of the CLI sequence.
So you configure the management IP interface on the L2 switches with any available IP from the corresponding VLAN.

Make sure that you configure all the ports in access mode, not auto-negotiating for trunking. Most likely you can use range programming features to change the setting for all ports in a specified range.

Accepted Solution
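The accepted solution gives the addressing pattern: one /16 per VLAN, the L3 switch's VLAN interface at .0.1, and a management address for each L2 switch taken from the same subnet. As an added example, not from the thread, this Python generator produces that plan for any list of VLAN ids and checks it for overlaps and for running past 10.0.0.0/8, then answers the question the asker keeps circling back to: which pairs of hosts can only reach each other through the L3 switch. The 10.10.0.0/16 starting block, the .0.1 gateway and the .0.2 management address are assumptions taken from the thread's examples; the host addresses in the demo are constructed.

```python
"""Per-VLAN address plan following the accepted solution's pattern.

Added example, not from the thread. Assumptions: consecutive blocks starting
at 10.10.0.0/16 (VLAN 1 -> 10.10, VLAN 2 -> 10.11, ...), gateway at .0.1 on the
L3 switch, management address for the L2 switch at .0.2.
"""
from ipaddress import ip_address, ip_network

PRIVATE_10 = ip_network("10.0.0.0/8")

def plan(vlan_ids, first_block="10.10.0.0/16", prefixlen=None):
    """Return {vlan_id: {"subnet", "gateway", "mgmt"}} for sorted VLAN ids.

    prefixlen overrides the block size, e.g. 24 for two-port VLANs where a /16
    is wasteful; blocks are always consecutive and of equal size.
    """
    first = ip_network(first_block)
    if prefixlen is not None:
        first = ip_network((first.network_address, prefixlen))
    result = {}
    for i, vid in enumerate(sorted(vlan_ids)):
        net = ip_network((int(first.network_address) + i * first.num_addresses,
                          first.prefixlen))
        if not net.subnet_of(PRIVATE_10):
            raise ValueError(f"VLAN {vid}: {net} falls outside {PRIVATE_10}")
        result[vid] = {"subnet": net,
                       "gateway": net.network_address + 1,   # L3 switch SVI
                       "mgmt": net.network_address + 2}      # L2 switch mgmt IP
    return result

def vlan_of(p, host):
    """VLAN whose subnet contains host, or None if no planned subnet does."""
    addr = ip_address(host)
    for vid, entry in p.items():
        if addr in entry["subnet"]:
            return vid
    return None

def needs_router(p, a, b):
    """True when hosts a and b can only reach each other through the L3 switch."""
    va, vb = vlan_of(p, a), vlan_of(p, b)
    return va is None or vb is None or va != vb

def check(p):
    """List of problems with a plan (an empty list means it is consistent)."""
    problems, items = [], list(p.items())
    for i, (vid, e) in enumerate(items):
        if e["gateway"] not in e["subnet"] or e["mgmt"] not in e["subnet"]:
            problems.append(f"VLAN {vid}: gateway or mgmt address outside {e['subnet']}")
        for vid2, e2 in items[i + 1:]:
            if e["subnet"].overlaps(e2["subnet"]):
                problems.append(f"VLAN {vid} and VLAN {vid2}: {e['subnet']} overlaps {e2['subnet']}")
    return problems

if __name__ == "__main__":
    p = plan(range(1, 49))            # the 48-VLAN layout discussed above
    for vid in (1, 2, 48):
        print(vid, p[vid]["subnet"], p[vid]["gateway"], p[vid]["mgmt"])
    print("problems:", check(p))
    print("10.10.10.10 <-> 10.11.10.10 needs router:",
          needs_router(p, "10.10.10.10", "10.11.10.10"))
```

With 48 VLANs of /16 the plan ends at 10.57.0.0/16, well inside 10/8; the generator raises once the block count would leave 10/8, and the check reports overlaps, which is what goes wrong when someone hand-assigns two VLANs into the same second octet.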
 
 