Hi,
Please find attached the VLAN design template.
A VLAN is a way of micro-segmenting an L2/L3 topology into separate broadcast domains. Each VLAN is a separate broadcast domain, i.e. all broadcasts are seen by devices within the same VLAN.
Inter-VLAN communication is restricted; it requires an L3 routing device to communicate between broadcast domains.
A couple of benefits are listed below:
1. Saves excessive use of physical connectivity.
2. One link can pass all the different broadcast-segregated packets to their respective destinations.
3. By using VTP further, we can also sync between devices, making one the server and the others clients. Updates will be sent automatically and devices will remain in sync upon any change recorded amongst them.
4. Different VLANs can be segmented across different departments; e.g. marketing and sales in the same building can be put under two separate VLANs. Both networks will remain separate even though they use the same devices to flow through.
5. Bandwidth is saved a lot as well. Further, you can use EtherChannels to segment the bandwidth for better flow of packets.
Given the number of PCs you have, separation by device class just won't yield much of a result; your broadcast domain will still be equally flooded.
I'd recommend a mix of the two methodologies. For example, let's take the subnet 10.0.0.0 and use the second octet for the site, the third octet for the VLAN ID and the fourth as the host octet.
Site 1: 10.1.v.h
Finance: v = 20
HR: v = 25
IT: v = 20
etc.
Switches/routers: v = 1
WAPs: v = 4, h = 200-254
Wireless clients: v = 4, h = 10-199
Printers: v = 5
Phones: v = 6
Management: v = 100
etc.
Yes, that is a lot of address wastage, but you get the idea. Generally we want to keep as much broadcast data within a single VLAN as possible. If departmental devices can be on the same physical access-layer device, then that combined with a dedicated VLAN would be better again.
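A worked version of the 10.site.vlan.host scheme above, added here as an example and not part of the original post. The role table is constructed from the post's list (the VLAN IDs and host ranges are the post's, the role names and the 1-254 default range are assumptions); `subnet` and `dhcp_scope` derive the per-site networks and DHCP ranges, `classify` maps an address back to its site, VLAN and role, and `overlaps` flags roles that claim the same VLAN with intersecting host ranges, which it does for the two departments listed with v = 20.

```python
import ipaddress

# Address plan from the post: 10.<site>.<vlan>.<host>. A VLAN may be shared by
# roles that split the host octet (wireless clients vs WAPs in VLAN 4). The
# table below is constructed from the post's list; role names are assumed.
ROLES = {
    "switches_routers": (1, 1, 254),
    "wireless_clients": (4, 10, 199),
    "waps":             (4, 200, 254),
    "printers":         (5, 1, 254),
    "phones":           (6, 1, 254),
    "finance":          (20, 1, 254),
    "hr":               (25, 1, 254),
    "it":               (20, 1, 254),
    "management":       (100, 1, 254),
}  # role -> (vlan id, first host, last host); 1-254 where the post gives no range

def subnet(site, vlan):
    """The /24 that VLAN `vlan` gets at `site` under the 10.s.v.h scheme."""
    return ipaddress.ip_network(f"10.{site}.{vlan}.0/24")

def classify(ip):
    """Map an address back to (site, vlan, roles whose host range contains it)."""
    a = ipaddress.ip_address(ip)
    if a not in ipaddress.ip_network("10.0.0.0/8"):
        return None  # not part of this plan at all
    site, vlan, host = a.packed[1], a.packed[2], a.packed[3]
    roles = sorted(r for r, (v, lo, hi) in ROLES.items() if v == vlan and lo <= host <= hi)
    return site, vlan, roles

def overlaps():
    """Pairs of roles that claim the same VLAN with intersecting host ranges."""
    found, items = [], sorted(ROLES.items())
    for i, (ra, (va, loa, hia)) in enumerate(items):
        for rb, (vb, lob, hib) in items[i + 1:]:
            if va == vb and loa <= hib and lob <= hia:
                found.append((ra, rb))
    return found

def dhcp_scope(site, role):
    """DHCP range for `role` at `site`: its host range inside the VLAN's /24."""
    vlan, lo, hi = ROLES[role]
    net = subnet(site, vlan)
    return str(net[lo]), str(net[hi])
```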
by: from_exp | Posted on 2009-07-01 at 23:00:10 | ID: 24760749
NOTE:
Please read this post till the very end before taking your network down. I assume that you have good knowledge of your current infrastructure, applications and IP addresses. Please ask all questions before the actual migration. I also assume that all workstations are using DHCP, otherwise it would be a pain to migrate. However, if all PCs have static addresses, you will just need an additional task force to reconfigure all PCs to use DHCP.
I would suggest the following migration scheme.
You create additional VLANs on all switches, for example:
vlan 2 - servers, created on the switch nearest to the servers and on the core 4507
vlan 3 - IDF 1, created on IDF 1 and the core 4507
vlan 4 - IDF 2, created on IDF 2 and the core 4507
Next thing to do: interconnect all remote VLANs to the core switch. To do this you need out-of-business time (I would suggest Friday evening, so you will have time to implement the new topology until Monday morning) and possibly console access to the switches.
You log on to the IDF 1 switch and configure the uplink port (let it be gi0/1) as tagged with 2 VLANs: the current default and the new one, VLAN 3 (for IDF 1).
configure terminal
int gi0/1
desc to_4507
switchport trunk allowed vlan 1,3
switchport mode trunk
end
At this point (if you were reaching the IDF switch via the 4507) your connection will be lost. Don't worry about that. So you perform the same task on the 4507 for the port to the IDF 1 switch.
configure terminal
int gi1/1
desc to_IDF1
switchport trunk allowed vlan 1,3
switchport mode trunk
end
Now you should regain connectivity to the IDF 1 switch.
In the same way you proceed with the other IDFs.
Now you should plan your IP topology carefully. Each VLAN will have its own IP subnet, so you have to configure your DHCP server (let it have the IP 192.168.100.1) with additional scopes.
Let's assume you are going to implement the following IP scheme (we are not interested in your current one, because you will migrate all PCs step by step to the new topology):
192.168.100.0/24 - servers vlan 2
192.168.101.0/24 - IDF 1
192.168.102.0/24 - IDF 2
192.168.103.0/24 - IDF 3 - etc
Sure thing, the 4507 should be the default gw for ALL VLANs within your network and should also know where the DHCP server is for each VLAN:
configure terminal
int vlan2
description servers
ip address 192.168.100.254 255.255.255.0
! no helper-address here: the DHCP server (192.168.100.1) sits in this VLAN
int vlan3
description IDF1
ip address 192.168.101.254 255.255.255.0
ip helper-address 192.168.100.1
int vlan4
description IDF2
ip address 192.168.102.254 255.255.255.0
ip helper-address 192.168.100.1
int vlan5
description IDF3
ip address 192.168.103.254 255.255.255.0
ip helper-address 192.168.100.1
end
The firewall should be placed in an additional VLAN and the switch should have its default gw configured to the firewall.
configure terminal
int vlan100
description fw_vlan
ip address 192.168.200.1 255.255.255.0
int gi1/10
desc firewall
! fixed access mode: the port will not negotiate a trunk via DTP
switchport mode access
switchport access vlan 100
exit
! 192.168.200.254 is the address of the firewall
ip route 0.0.0.0 0.0.0.0 192.168.200.254
end
The firewall should be reconfigured with its new IP address and should also allow all your subnets to reach the internet (if needed).
At this point you are ready to reconfigure the servers with new IP addresses and place them into the correct VLANs.
configure terminal
int gi1/2
desc dhcp_server
switchport mode access
switchport access vlan 2
end
All servers should be rebooted after that, because they should re-register themselves in DNS.
At this point you should have a fully functional infrastructure: servers are separated, and they should be accessible from workstations (workstations should have the 4507 as their default gw). If not, try to troubleshoot the problems.
Only after this step should you move to the next step: moving PCs to the new VLANs.
To do that, move all ports on the IDF1 switch to VLAN 3 and reboot all PCs on that switch in order for them to get new IP addresses.
Check: PCs in IDF1 should be able to get a new IP with the default gw, with access to the internet and to the servers.
If everything is OK, proceed to the next IDF.
Uff... That seems to be all.
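An added pre-cut-over check, not from the post above, that audits the kind of core-switch config the post builds. `SAMPLE` is constructed from the post's addresses (not a real device dump), `parse` splits the IOS-style text into interfaces and static routes, and `audit` reports trunks with no `switchport trunk allowed vlan` list (they carry every VLAN, the firewall VLAN included), SVIs that lack the `ip helper-address` needed to relay DHCP, and a default route whose next hop is not on any SVI subnet; the DHCP server address and firewall VLAN name are passed in as assumptions.

```python
import ipaddress

# Constructed sample in the post's style (addresses from the post, not a real
# device dump): gi1/2 and vlan4 deliberately lack the lines the audit looks for.
SAMPLE = """\
interface gi1/2
 switchport mode trunk
interface vlan2
 ip address 192.168.100.254 255.255.255.0
interface vlan3
 ip address 192.168.101.254 255.255.255.0
 ip helper-address 192.168.100.1
interface vlan4
 ip address 192.168.102.254 255.255.255.0
interface vlan100
 ip address 192.168.200.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.200.254
"""

def parse(text):
    # Returns ({interface name: [sub-commands]}, [static-route next hops]).
    ifaces, next_hops, cur = {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("ip route "):
            next_hops.append(line.split()[-1])
            cur = None  # back at global config level
        elif cur is not None:
            cur.append(line)
    return ifaces, next_hops

def audit(text, dhcp_server, fw_vlan):
    # Findings to clear before the cut-over, in config order.
    ifaces, next_hops = parse(text)
    findings, svi_nets = [], {}
    dhcp = ipaddress.ip_address(dhcp_server)
    for name, lines in ifaces.items():
        if "switchport mode trunk" in lines and not any(
                l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append(f"{name}: trunk carries every VLAN (no allowed-vlan list)")
        addr = [l.split()[2:4] for l in lines if l.startswith("ip address ")]
        if name.startswith("vlan") and addr:
            net = ipaddress.ip_interface("/".join(addr[0])).network
            svi_nets[name] = net
            helpers = [l.split()[-1] for l in lines if l.startswith("ip helper-address ")]
            if name != fw_vlan and dhcp not in net and dhcp_server not in helpers:
                findings.append(f"{name}: missing ip helper-address {dhcp_server}")
    for nh in next_hops:  # a static next hop must sit on a directly connected subnet
        if not any(ipaddress.ip_address(nh) in n for n in svi_nets.values()):
            findings.append(f"default route next hop {nh} is not on any SVI subnet")
    return findings
```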