Hi, We are experimenting with VLANs and want to know if the proposed scenario will work. I have drawn a quick flowchart and attached it as a PDF document. Can you please take a look and tell me what you think?
Questions:
- Will this work?
- What sort of Cisco Switch will be needed to manage the VLANs?
- Is it ok to have Hubs between the Cisco Switch and the offices? The hubs are only needed to create more ports to plug into for each building. What should be used here?
- Is it ok to have the IP phones on their own VLAN?
- Is splitting up the VLANs by MAC addresses the way to go?
- If an office decided to install its own SBS server how will this affect everything? Would it be possible for an office to install their own
> Will this work?

Yes.

> What sort of Cisco Switch will be needed to manage the VLANs?

Would depend on the number of users, if the end points require POE.

> Is it ok to have Hubs between the Cisco Switch and the offices? The hubs are only needed to create more ports to plug into for each building. What should be used here?

I would not use hubs. I don't even think you can buy hubs any more. It depends on the number of users - and the data throughput.

> Is it ok to have the IP phones on their own VLAN?

Recommended.

> Is splitting up the VLANs by MAC addresses the way to go?

VLANs should be split based on functional business areas.

> If an office decided to install its own SBS server how will this affect everything? Would it be possible for an office to install their own

Depends on how you were to do this - SBS has its own limitations.
We don't require POE but it would be nice for future expandability I guess. Users would start at around 15 but could go up to 50 or a bit more. Can we start with something small and add to it later?
We need to figure out the amount of users that will be on each 'hub', but say it was 20 on each, what would we need to look at?
Yes, we will split the VLANs based on functional business areas, but due to physical constraints it would be difficult to do it by physical ports on the Cisco router. Therefore we would need to differentiate the VLANs by MAC address or similar.
Can we put a regular router/switch on its own VLAN? Then anything that is plugged into that switch will automatically become part of that VLAN?
Hi! Your diagram looks pretty good, still I propose to use switches instead of hubs. Hubs should never be used nowadays (they work in half duplex mode - collisions and errors on switches, they resend each packet to all ports). It is possible to get very cheap (linksys, netgear) switches if price is an issue. As for the equipment, I have no experience with mac-based vlans on cisco (do cisco switches support mac-based vlans?), but nortel switches do support mac-based vlans. As for voice vlan - it is common practice to use separate vlans for voice and data.
Still, if you want to achieve better scalability I would suggest using ordinary 802.1q based vlans and switches with vlan support. As for the cheapest, I can say that d-link switches work perfectly (we have more than 100 switches installed within our network).
Are the workstations connecting through the IP phones? i.e. do you need 20 ports or 40 ports? POE for the ip phones is advantageous. VLANs are designed so that they cross over switches using trunk ports. They can also cross geographically as needed.
You need to have a core switch, then distribution switches as your topology.
Switches have a native VLAN that all ports are assigned to by default.
To give you all a bit more info on the scenario there is a main building with some small buildings surrounding. The main building will hold the servers and the core switch. We have cat 6 running from the main building to the smaller ones.
Therefore we need to put a 'sub switch' in each building so that we can split the ethernet out to each individual office within the buildings.
There may be a need for an extra switch in some of the individual offices. So in that case it would be Core Switch > Sub Switch for building > Sub Switch in individual office.
Overall the entire network may need to support 50-75 users. Each building will probably only have about 20-30 users with each office broken down into about 4 users.
Not really - the same VLAN options apply. You can terminate in each office to a distribution switch, and then trunk the distribution switches to core switches in the central building. Or terminate all ports in the central building to distribution switches, then trunk to the core switches. POE for the ip phones would also be a consideration here.
depends upon your security requirements - physical - network.
you need to look at the vlan security options for the trunks as well.
any user in any building can belong to any VLAN - provided the VLAN is configured on the switchport correctly.
I'd suggest high end CISCO 2950's as the core, with either lower end 2950's or Catalyst Express 500 for distribution.
You'd be much better off with the 2950's as the throughput is so much higher. Check out the switch throughputs when comparing which vendor / option to run with.
Ok, all sounding good. I'm going to have fun reading about all this stuff :)
I'm a bit confused still about how it would work if a user in one of the offices plugged in their own switch. Would the devices plugged into this automatically get added to that office's VLAN?
The idea is that you want to prevent a user plugging in a switch. This is a security threat, and the core and distribution switches should be set to disallow that occurring.
The idea is that VLANs are advertised by the core switch and the administrator controls vlan assignment at the distribution switch level for the end users. My suggestion would be to hire someone to set this up for you if you have sufficient budget, and transfer as much administration knowledge as you can throughout the project.
As for additional threats... I don't think automatic vlan propagation (vtp) is a good idea. You can configure each switch (you will have only 4-5 of them) manually. As for preventing loops - on cisco pvst is enabled by default. 2960 - rather good models, I would recommend them also.
In order to avoid this you have several options:
1. policy enforcement
2. 802.1x implementation
3. disable free ports.
So the first and the last are the easiest to achieve. The 2nd option contains some hidden problems, like devices which do not support dot1x authentication.
The idea is that you have administrative control over what user can and cannot do.
The concept here is to prevent exactly that - what happens if the person that does implement a wireless AP is attempting to remove sensitive information from the organisation?
- We get a Cisco switch to act as the 'core switch'.
- The 'core switch' is connected to the ISA server and the Asterisk IP phone server.
- The 'core switch' is also connected to the 'sub switches' in each building.
- We configure each office to be its own VLAN based on physical ports on the 'sub switch'. The IP phones become their own VLAN as well.
- If someone wants to have a wireless AP we can, however not recommended.
- If someone wants their own SBS server we can. Just need to connect it to the VLAN switch and configure as normal?

Q: Are cisco 2960 switches the way to go across the board? Anything cheaper?
Q: The IP phones are able to connect 'inline' with the ethernet cable going to a computer nearby. We can't do this if we are separating the VLANs based on physical ports on the switch, can we?
Q: How hard is it to configure the VLANs? I haven't played with a cisco switch before.

A: Cisco can be replaced by any L2 switch with vlan and qos support (dell, hp?); if you want cisco - 2960, the smallest model.
A: You should check the manual for the ip phone. Possibly your ip phone supports tagging and can have 2 vlans - voice and data.
A: Rather easy, and straightforward.
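To make the last few answers concrete, here is an added configuration example (not posted by anyone in this thread) for one building's 'sub switch' in Cisco IOS syntax as found on a Catalyst 2960: per-office port-based VLANs, the phone-plus-PC voice VLAN arrangement asked about above, the "disable free ports" option, and an 802.1Q trunk up to the core. VLAN numbers, names and port ranges are constructed for illustration.

```cisco
! Added example, not from the thread: one building's distribution switch in
! Cisco IOS syntax (Catalyst 2960-style). VLAN numbers, names and port
! ranges are constructed for illustration.
!
! Define VLANs by hand on each switch instead of letting VTP push them.
vtp mode transparent
!
vlan 10
 name Office-A
vlan 100
 name Voice
vlan 999
 name Native-Unused
!
! Office A ports: the PC plugs into the phone, so each port carries
! untagged data (VLAN 10) and tagged voice (VLAN 100) on one cable.
interface range FastEthernet0/1 - 4
 description Office A - phone and PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! Repeat the block above with its own VLAN for each further office.
!
! Free ports: shut down and parked in a VLAN that goes nowhere.
interface range FastEthernet0/5 - 24
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink to the core: 802.1Q trunk carrying only the VLANs in use, with a
! non-default native VLAN and DTP negotiation turned off.
interface GigabitEthernet0/1
 description Trunk to core switch
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,100
 switchport nonegotiate
```

With bpduguard and a port-security limit of two MAC addresses (phone plus PC), a user's own switch plugged into an office port is shut down rather than silently joined to that office's VLAN, which is the behaviour the replies above ask for.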