Solved

Need help splitting a /25 network into multiple VLANs

Posted on 2004-09-17
Last Modified: 2010-08-05
First let me give an overview of my current design and my intentions, so I can be corrected if there's an easier way:

I currently have a LAN with all of the machines connected via 3 switches (Olicom 8720 layer 3, Catalyst 2924, and Catalyst 3548).  The Olicom is the first switch in line, and the two Ciscos are connected beneath it.  I have roughly 40 machines connected to the 3 switches combined, all sharing the same subnet (10.0.0.128/25 with gateway 10.0.0.129).  What I'm hoping to do is break the network up into multiple smaller subnets so that I can put a Linux machine between the Olicom and the rest of the switches to act as a passive bridge firewall (for the purpose of throttling/examining traffic).  I've been told that breaking the network up into VLANs, and using the Olicom switch as a router, will solve my problem.

First, I planned out my subnets:
VLAN1 - 10.0.0.240/28 [10.0.0.240 -> 10.0.0.255]
gateway: 10.0.0.241  broadcast: 10.0.0.255

VLAN2 - 10.0.0.192/27 [10.0.0.192 -> 10.0.0.223]
gateway: 10.0.0.193  broadcast: 10.0.0.223

VLAN3 - 10.0.0.224/28  [10.0.0.224 -> 10.0.0.239]
gateway: 10.0.0.225  broadcast: 10.0.0.239

VLAN4 - 10.0.0.128/26  [10.0.0.128 -> 10.0.0.191]
gateway: 10.0.0.129  broadcast: 10.0.0.191

Next, a few of the existing servers need IP changes because they fall on subnet boundaries (network, gateway, or broadcast IPs), so I'll be sure to clear all of those up.  I also know that I'll need to define specifically what ports on each switch will belong to what VLAN, and I'll need to update the subnet masks currently defined on the servers to match their appropriate VLANs (right now they're all 255.255.255.128).  In addition, I need to turn the switch ports that connect each switch into trunk ports, so they will carry all VLAN traffic.  Once I have the network split into VLANs and things are running properly, then I'm planning on introducing the passive bridge firewall via a Linux box with dual Ethernet interfaces.

The setup I'm hoping to use is:  Olicom -> Linux firewall -> Catalyst 2924 -> Catalyst 3548

I'm aware that with that setup there will be no redundancy in my topography - if the Linux machine or the 2924 goes out, the 3548 will go with it; however, I don't think it would work any other way.  If I hooked both Catalysts up directly to the Olicom, then I would only be able to put the firewall in between one of them, and I could only monitor that portion of the traffic.

So here's my question - are there any inherent design flaws with the plan laid out above?  I've done lots of reading and self-learning on Cisco's IOS, switching capabilities, subnets, etc., so I think I have a good idea of how things work - but I have 0 experience actually implementing those technologies.  Is there an easier way?  Is there some way to achieve a redundant topography while still preserving the ability to monitor 100% of VLAN traffic?  What type of configuration will I need to do on the Linux machine in order to handle the VLAN traffic?  I anticipate using the iproute2 utilities to set up the bridge and configure my traffic shaping, but is there something special that needs to be done since the machine will be connected via trunk ports?  Also, what would be the best method for deploying these changes in a production environment?  Should I set up the VLANs on the switches first, or should I change the machines' subnet masks first?  Will either method allow them to continue serving internet traffic during the migration?  Thanks in advance!

Question by:astanley218
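The subnet plan in the question, checked mechanically. This is an added example, not code from the thread or from any of the posters; it uses the four subnets and first-usable-address gateways from the question together with a constructed list of existing host addresses. It confirms that the four subnets tile 10.0.0.128/25 with no gap or overlap, lists which existing hosts land on a network, gateway or broadcast address and must be renumbered before the cut-over, and illustrates why masks and VLANs have to change together: a host still carrying 255.255.255.128 believes every address in the old /25 is on-link and will ARP for peers that now sit behind the router in another VLAN.

```python
"""Subnet-plan check for carving 10.0.0.128/25 into four VLANs.

Added example (not from the original thread).  The host list below is
constructed for the example; the subnets are the ones the poster planned.
"""
import ipaddress

PARENT = ipaddress.ip_network("10.0.0.128/25")

# VLAN id -> subnet, as planned in the question.  The gateway is the first
# usable address of each subnet, which is how the poster laid them out.
PLAN = {
    1: ipaddress.ip_network("10.0.0.240/28"),
    2: ipaddress.ip_network("10.0.0.192/27"),
    3: ipaddress.ip_network("10.0.0.224/28"),
    4: ipaddress.ip_network("10.0.0.128/26"),
}

# Constructed sample of existing hosts; 10.0.0.192/193/239 are deliberately
# placed on addresses that become reserved once the /25 is split.
HOSTS = ["10.0.0.130", "10.0.0.192", "10.0.0.193",
         "10.0.0.200", "10.0.0.239", "10.0.0.250"]


def gateway(net):
    """First usable address of a subnet (the poster's gateway convention)."""
    return net.network_address + 1


def plan_tiles_parent(parent, plan):
    """True if the planned subnets are inside parent, disjoint, and cover it exactly."""
    nets = sorted(plan.values(), key=lambda n: int(n.network_address))
    if any(not n.subnet_of(parent) for n in nets):
        return False
    expected = parent.network_address
    for n in nets:
        if n.network_address != expected:
            return False  # gap or overlap with the previous subnet
        expected = n.broadcast_address + 1
    return expected == parent.broadcast_address + 1


def vlan_for(ip, plan):
    """VLAN id whose subnet contains ip, or None if it falls outside the plan."""
    for vid, net in plan.items():
        if ip in net:
            return vid
    return None


def reserved_role(ip, plan):
    """'network', 'gateway' or 'broadcast' if ip collides with one, else None."""
    for net in plan.values():
        if ip == net.network_address:
            return "network"
        if ip == gateway(net):
            return "gateway"
        if ip == net.broadcast_address:
            return "broadcast"
    return None


def classify_hosts(hosts, plan):
    """Map host -> (vlan id, reserved role).  A non-None role means renumber it."""
    out = {}
    for h in hosts:
        ip = ipaddress.ip_address(h)
        out[h] = (vlan_for(ip, plan), reserved_role(ip, plan))
    return out


def stale_onlink_peers(host, old_prefix_len, peers, plan):
    """Peers a host with the OLD mask believes are on-link but that now live in
    another VLAN.  Those flows break as soon as the VLANs exist: the host ARPs
    for them on its own segment instead of sending to the gateway."""
    ip = ipaddress.ip_address(host)
    old_net = ipaddress.ip_network(f"{host}/{old_prefix_len}", strict=False)
    my_vlan = vlan_for(ip, plan)
    return sorted(p for p in peers
                  if ipaddress.ip_address(p) in old_net
                  and vlan_for(ipaddress.ip_address(p), plan) != my_vlan)


if __name__ == "__main__":
    print("plan tiles parent:", plan_tiles_parent(PARENT, PLAN))
    for host, (vid, role) in classify_hosts(HOSTS, PLAN).items():
        print(f"{host:12} VLAN{vid}  {'RENUMBER (' + role + ')' if role else 'ok'}")
    print("10.0.0.130 with old /25 mask wrongly treats as on-link:",
          stale_onlink_peers("10.0.0.130", 25, HOSTS, PLAN))
    print("10.0.0.130 with new /26 mask:",
          stale_onlink_peers("10.0.0.130", 26, HOSTS, PLAN))
```

The last two calls are the migration-order question in miniature: with the old mask, 10.0.0.130 still considers every host in 10.0.0.192/27, 10.0.0.224/28 and 10.0.0.240/28 a neighbour, so any of those addresses it talks to stop answering the moment the switch ports are split into VLANs; with the new /26 mask it sends them to 10.0.0.129 and the layer-3 switch routes them.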
 

Accepted Solution by: bfarmer
It looks fine on the surface, but needlessly complex.  I don't see that there is any necessity for (or benefit to) breaking out the VLANs.

How do you get off network now?  Is there a router hanging off the Olicom?  That would seem the best place for adding your Linux bridge/firewall.



 

Assisted Solution by: PennGwyn
Make sure your Linux firewall supports trunking!

You still will not be monitoring 100% of traffic -- only broadcasts, and traffic that tries to cross VLAN boundaries (which might be good enough).

> Is there an easier way?  Is there some way to achieve a redundant topography while still preserving the ability to monitor
> 100% of VLAN traffic?  

No.  A useful firewall needs to see both sides of a conversation, so redundant links require redundant firewalls WITH some way to share state data -- not trivial even for major IT shops.

> Also, what would be the best method for deploying these changes in a production environment?  Should I setup the VLAN's
> on the switches first, or should I change the machines subnet masks first?  Will either method allow them to continue
> serving internet traffic during the migration?

The address/mask settings reflect the layer 3 (VLAN) topology.  You can't reliably change one without the other.




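On the "supports trunking" point: a Linux bridge sitting between two trunk ports forwards 802.1Q-tagged frames, and anything that shapes or inspects traffic per VLAN has to read the tag rather than assume a flat /25. The following is an added example, not code from the thread or from any of the posters. It parses tagged and untagged Ethernet frames the way such a bridge would have to, and cross-checks the tag against the IPv4 source address using the VLAN plan from the question; the frames and MAC addresses are constructed for the example. A frame whose tag and source subnet disagree points at a switch port assigned to the wrong VLAN or a host that never received its new mask; an untagged frame on a trunk belongs to the native VLAN, which on Cisco trunks is VLAN 1 unless configured otherwise.

```python
"""802.1Q frame inspection as a bridge on a trunk would need to do it.

Added example, not code from the thread.  Uses the VLAN ids and subnets from
the question; frames and MAC addresses below are constructed.
"""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol id
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# VLAN id -> subnet, as planned in the question.
PLAN = {
    1: ipaddress.ip_network("10.0.0.240/28"),
    2: ipaddress.ip_network("10.0.0.192/27"),
    3: ipaddress.ip_network("10.0.0.224/28"),
    4: ipaddress.ip_network("10.0.0.128/26"),
}


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ipv4_header(src_ip, dst_ip, proto=6):
    """Minimal 20-byte IPv4 header; checksum left zero since nothing here checks it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src_ip).packed,
                       ipaddress.ip_address(dst_ip).packed)


def build_frame(dst_mac, src_mac, vlan_id, ethertype, payload, pcp=0):
    """Ethernet frame with an optional single 802.1Q tag (vlan_id=None -> untagged)."""
    frame = _mac_bytes(dst_mac) + _mac_bytes(src_mac)
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)   # TCI = PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Peel the Ethernet header and one 802.1Q tag; pull IPv4 addresses if present.
    Stacked (QinQ) tags are not handled: the inner tag is left as the ethertype."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": _mac_str(frame[:6]), "src": _mac_str(frame[6:12]),
            "vlan": None, "pcp": None, "ethertype": None,
            "src_ip": None, "dst_ip": None}
    ethertype, = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF
        info["pcp"] = tci >> 13
        off = 18
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= off + 20:
        info["src_ip"] = str(ipaddress.ip_address(frame[off + 12:off + 16]))
        info["dst_ip"] = str(ipaddress.ip_address(frame[off + 16:off + 20]))
    return info


def vlan_for(ip):
    """VLAN id whose planned subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for vid, net in PLAN.items():
        if addr in net:
            return vid
    return None


def check_frame(frame):
    """Return (tagged vlan id, src ip, verdict).  Verdicts:
    'ok'             tag and source subnet agree
    'untagged'       no tag: native-VLAN traffic on a trunk, not a planned VLAN
    'non-ip'         tagged but not IPv4 (ARP etc.), nothing to cross-check
    'vlan-mismatch'  tag differs from the VLAN the source address belongs to
    'unknown-src'    source address outside the planned /25 entirely"""
    info = parse_frame(frame)
    if info["vlan"] is None:
        return (None, info["src_ip"], "untagged")
    if info["src_ip"] is None:
        return (info["vlan"], None, "non-ip")
    expected = vlan_for(info["src_ip"])
    if expected is None:
        return (info["vlan"], info["src_ip"], "unknown-src")
    if expected != info["vlan"]:
        return (info["vlan"], info["src_ip"], "vlan-mismatch")
    return (info["vlan"], info["src_ip"], "ok")


def audit(frames):
    """Count verdicts over a batch of frames."""
    counts = {}
    for f in frames:
        verdict = check_frame(f)[2]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample frames; MACs are made up.
GW, HOST_A = "00:00:5e:00:01:01", "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    build_frame(GW, HOST_A, 2, ETHERTYPE_IPV4, ipv4_header("10.0.0.200", "10.0.0.130")),
    build_frame(GW, HOST_A, 4, ETHERTYPE_IPV4, ipv4_header("10.0.0.200", "10.0.0.130")),
    build_frame(GW, HOST_A, None, ETHERTYPE_IPV4, ipv4_header("10.0.0.250", "10.0.0.130")),
    build_frame(GW, HOST_A, 3, ETHERTYPE_ARP, b"\x00" * 28),
    build_frame(GW, HOST_A, 1, ETHERTYPE_IPV4, ipv4_header("192.168.1.9", "10.0.0.130"), pcp=5),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(check_frame(f))
    print(audit(SAMPLE_FRAMES))
```

On the real box the kernel does this tag handling: a Linux bridge passes 802.1Q frames through with the tag intact, so a purely transparent bridge between the two trunk ports needs no per-VLAN configuration at all, while per-VLAN shaping or an IP address on a given VLAN needs the 8021q module and a VLAN sub-interface (iproute2: `ip link add link eth0 name eth0.2 type vlan id 2`). The second sample frame is the case worth alerting on: a source address from 10.0.0.192/27 arriving inside VLAN 4 means either the port is in the wrong VLAN or the host kept its old address and mask.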
 

Author Comment by: astanley218
I thought about putting the firewall in front of the layer 3 switch, but I'm concerned about the reliability of the firewall.  I was going to put several machines outside of the firewall (higher profile clients), but now that I think more about it, that's a horrible idea.  It also brings to light a new question - what would be my best choice hardware-wise for a very reliable, capable Linux firewall/bridge?  We currently average about 3 Mbit/s with peaks up to 6 - would I be OK with an older Dell PowerEdge or HP server (~1 GHz, 512 MB RAM), or would I need something more powerful?  I'm also assuming that with this option I would be able to monitor 100% of the traffic into and out of my network.

 

Expert Comment by: bfarmer
The Dell or HP would both make decent platforms.  3-6 Mbps isn't much of a load under normal circumstances.  Throw a few trojan-infected clients on your network and it will sweat, but so would a beefier box (though a beefier box would have extra CPU cycles for diagnostics, log checking, etc.).

Personally, I would be more concerned with configuration-related issues than hardware reliability, especially as this is a new environment.  You should plan on retaining another box to use for testing configuration changes, software upgrades, etc., before deploying them into production.
