HELP NEED SUPPORT REGARDING STANDARDS

Hello All

I am currently utilising VLANs in our network - for obvious reasons. Unfortunately my senior manager wishes to ditch the VLANs in favour of a single flat network. Despite the obvious broadcast problems they appear to be moving towards this. I need support with my case and am failing: is there a defined standard or RFC that defines the recommended number of hosts per subnet? I cannot find one. Can anyone assist? This question is urgently required so that I do not lose my network, so any gurus who would like to comment are welcome, with supporting documentation links if possible. Am I correct or am I going mad!!

Byron
2 Solutions
 
purplepomegraniteCommented:
By host per subnet, you mean the number of clients on one subnet?  If so, there isn't a set or suggested limit - except the obvious ones (i.e. 192.168.0.x can only have 254 clients).  It is more dependent upon the infrastructure and what it can support in the way of bandwidth.

Chances are that if all your vlans are over the same infrastructure anyway, you won't have a bandwidth issue.  I personally favour single networks except where there is a need to isolate devices (i.e. for security purposes) on a single infrastructure.
 
gpriceeeCommented:
Really, my first question is, "Do you have any HIPAA, SOX, GLB, or any other regulations to which you must comply?"

How many nodes do you have?

Curious: Why "ditch" the VLANs? Is your layer 3 too difficult to manage? It seems to me that a different problem exists that your senior manager cannot resolve or that your team might not be able to resolve. What's going on?
 
lrmooreCommented:
There are "rules of thumb" for a flat network (single broadcast domain). If TCP/IP only, then 500 nodes.
Any other "chatty" protocols like Netbeui (25 nodes), IPX/SPX, Appletalk, etc. will reduce that number.

Agree w/gpriceee. There must be something else going on that TPTB (The Powers That Be) are blaming on the VLAN infrastructure.

Do you have any documentation, network plan, design document or anything else that outlines the reasons that they are set up with VLANs today? There had to be a reason at some point. Poor implementation can certainly cause major issues that are difficult to troubleshoot.

 
neteducationCommented:
There is no official rule of maximum hosts per subnet. I've had networks with about 30,000 hosts connected in one plain network (of course switched); however, most of those hosts were Unix hosts that don't broadcast around too much.

On the other hand I had a network with about 500 hosts, most of them Windows, and even though everything was still working fine, my managed switch reported every now and then some port that still had packets in queue, so the network must have been pretty loaded.

How many hosts are you talking about?
 
lrmooreCommented:
The current thoughts are to segregate network segments at Layer 3, vs L2 VLANs, but that still does not create the broadcast barrier zones that VLANs do.
I am a very strong proponent of well-designed VLAN infrastructure, but only if there is a well-defined purpose and it is well documented.
 
purplepomegraniteCommented:
I agree with lrmoore in the well-defined purpose and documentation.  If everyone would document their networks properly life would be a lot easier!  I can't think when I last went to a new (to me) network and found an up-to-date plan...
 
BYRONJACKSONAuthor Commented:
Hello All

OK, thanks for your responses. The reason, as far as I can tell, is to ensure that our network falls within the /20. Currently we have a stepping-stone router that deals with this, so this is not the issue and we see no problems.

We are predominantly Windows 2003 and Windows XP, although we still require NETBEUI in some areas - around 300 clients on this site plus VMS, UNIX etc. The VLANs were inherited from a company division; however, I kept them in order to segregate our manufacturing (MACHINERY & VMS systems), UNIX and Admin areas. Our switches are pretty old (NORTEL) but they cope with the current VLAN traffic very well. In total we have 5 VLANs. I read somewhere that the recommended number of hosts/clients was 500, as in neteducation's response; I just need to make that clear, since from the comments flat networks work. Not sure if I would be keen to use them here.

Basically I feel that the move towards a single network will be problematic and I am not being given good reasons to change. We suffer like most other businesses from the occasional virus, and the VLANs make this more palatable. Our network is clearly documented, stable and all of those glorious things - not by me though! Any documentation in the VLAN favour??? Thanks for the comments guys.

Byron :-)
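The two numbers in this thread that keep coming up are the usable hosts in a subnet (purplepomegranite's 254 for a 192.168.0.x /24) and the broadcast-domain rules of thumb (lrmoore's 500 nodes for TCP/IP only, 25 with NetBEUI). Byron's manager wants the site to "fall within the /20", which is an addressing question, not a VLAN question: the VLANs can each take a subnet carved out of that same /20. The script below, added here as an example and not part of the original thread, carves one subnet per VLAN out of a site block, sizes each for growth, and flags any VLAN whose expected host count exceeds the rule of thumb for the protocols it carries. The block 10.10.0.0/20, the VLAN names, the per-VLAN counts (which sum to the thread's ~300 clients) and the assumption that only Admin still runs NetBEUI are constructed for the example.

```python
"""Carve per-VLAN subnets out of one site block and check each broadcast
domain against the rules of thumb quoted in the thread."""
import ipaddress

# Constructed inputs. The thread mentions a /20, five VLANs and roughly 300
# clients; the prefix, VLAN names, per-VLAN counts and which VLANs still run
# NetBEUI are assumptions made for this example.
SITE_BLOCK = ipaddress.ip_network("10.10.0.0/20")

# Broadcast-domain limits quoted by lrmoore: ~500 nodes if TCP/IP only,
# ~25 where a chatty protocol such as NetBEUI is present.
LIMIT_IP_ONLY = 500
LIMIT_NETBEUI = 25

VLANS = [
    # (name, expected hosts, still carries NetBEUI?)
    ("admin",         120, True),
    ("manufacturing",  60, False),
    ("unix",           40, False),
    ("vms",            30, False),
    ("voice",          50, False),
]


def prefix_for(hosts, growth=2.0):
    """Longest prefix whose usable host count (2**(32-plen) - 2, network and
    broadcast addresses excluded) still covers hosts * growth."""
    need = int(hosts * growth)
    for plen in range(30, 7, -1):
        if 2 ** (32 - plen) - 2 >= need:
            return plen
    raise ValueError("more hosts than fit in a /8")


def carve(block, vlans, growth=2.0):
    """Allocate one subnet per VLAN from block, largest subnets first so every
    allocation stays aligned. Returns (name, network, usable, limit, within_limit)."""
    ordered = sorted(vlans, key=lambda v: prefix_for(v[1], growth))
    free = [block]
    plan = []
    for name, hosts, netbeui in ordered:
        plen = prefix_for(hosts, growth)
        for i, chunk in enumerate(free):
            if chunk.prefixlen <= plen:
                pieces = list(chunk.subnets(new_prefix=plen))
                free[i:i + 1] = pieces[1:]      # hand out the first piece, keep the rest
                net = pieces[0]
                break
        else:
            raise ValueError(f"{name}: no room left in {block}")
        limit = LIMIT_NETBEUI if netbeui else LIMIT_IP_ONLY
        plan.append((name, net, net.num_addresses - 2, limit, hosts <= limit))
    return plan


def flat_ok(total_hosts, netbeui):
    """Same check for the alternative design: the whole site as one broadcast domain."""
    return total_hosts <= (LIMIT_NETBEUI if netbeui else LIMIT_IP_ONLY)


def report(plan):
    lines = []
    for name, net, usable, limit, ok in plan:
        flag = "ok" if ok else f"EXCEEDS {limit}-node rule of thumb"
        lines.append(f"{name:14s} {str(net):18s} usable={usable:4d}  {flag}")
    return lines


if __name__ == "__main__":
    plan = carve(SITE_BLOCK, VLANS)
    print("\n".join(report(plan)))
    total = sum(h for _, h, _ in VLANS)
    print(f"flat network, {total} hosts, TCP/IP only: {'ok' if flat_ok(total, False) else 'over'}")
    print(f"flat network, {total} hosts, with NetBEUI: {'ok' if flat_ok(total, True) else 'over'}")
```

With these inputs all five VLANs fit comfortably inside the /20 (the plan uses under a quarter of it), the 300-host flat alternative passes the TCP/IP-only rule but fails the NetBEUI one, and the Admin VLAN is flagged because 120 NetBEUI hosts exceed the 25-node guideline. That last flag is the practical point: the NetBEUI machines belong in a small VLAN of their own rather than in either a flat network or a large Admin VLAN.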
 
lrmooreCommented:
Maybe you can take another track and use the old saying "if it ain't broke, don't fix it!"
Outline the "massive" amount of work this is going to entail to re-consolidate everything into one big happy LAN. Be sure to add in all the printers, VMS systems, Unix systems and everything else that will have to be physically touched to make this happen. Add up the number of man-hours at a rate of $100/hour and show how much it's going to cost to fix something that isn't broken in the first place.

Virus/worm containment is one great argument FOR VLANs.
Netbeui containment is one great argument FOR VLANs.
Security between Admin and Manufacturing is a great argument FOR VLANs.
Download this excellent white paper "VLAN Best Practices" from Fluke Networks:
http://whitepapers.bcr.com/detail/RES/1096300865_989.html
 
lrmooreCommented:
A couple more arguments FOR VLANs:
- Wireless. If you ever plan to set up wireless, you want all your wireless clients in a secured VLAN.
- Voice. If you ever plan to migrate to VoIP, then VLANs are almost a requirement.
 
BYRONJACKSONAuthor Commented:
lrmoore - Thanks for the above have downloaded - very interested in the VOIP ... I suppose that I could reason the same for our H323 traffic?
 
lrmooreCommented:
>I could reason the same for our H323 traffic?
Absolutely!
 
neteducationCommented:
As for 300 clients, that should not be a problem to handle in one flat network if you are only talking TCP/IP... but with NETBEUI I would not do it any more either.
 
gpriceeeCommented:
This sounds like your network:
http://www.nwfusion.com/news/2002/0527specialfocus.html
"While some IT professionals find VLANs useful for securing and managing network clients, James Labonte, network engineer at St. John's Hospital in Springfield, Ill., finds VLANs a useful tool for taming the mix of chatty and hard-to-manage legacy protocols running on his network."

Security Standpoints:
http://www.sans.org/newsletters/statusupdates/17.php
"2. Partition your internal networks. Your organization has already invested the money in a switch infrastructure. This means you have the ability to create VLANS for various parts of your organization. To go from VLAN to VLAN requires a routing function and that is an opportunity to apply an access control list. This may be your best, and cheapest, insurance against a worm running amuck inside your network."

http://net21.ucdavis.edu/newvlan.htm
"VLANs have the ability to provide additional security not available in a shared media network environment. By nature, a switched network delivers frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community regardless of physical location. In addition, monitoring of a port with a traffic analyzer will only view the traffic associated with that particular port, making discreet monitoring of network traffic more difficult."

http://www.dell.com/downloads/global/products/pwcnt/en/app_note_8.pdf
"Any inter-VLAN traffic must first traverse a layer-3 device such as a router in order to communicate with
another VLAN. Thus, logical segmentation not only optimizes bandwidth utilization, but also provides
security by isolating segments behind layer-3 devices, which typically can filter traffic using access control
lists (ACLs). Even if two nodes share a common IP subnet, they will not be able to directly communicate if
they are in separate VLANs."

 
PennGwynCommented:
> Even if two nodes share a common IP subnet, they will not be able to directly communicate if they are in separate VLANs.

My first thought was that this could only result from an ugly legacy mess.  But then I realized it could also happen if a user was attempting to breach security by renaming his machine to a privileged address -- without VLANs, he would waltz right on in.

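The SANS and Dell passages gpriceee quotes make one claim: inter-VLAN traffic has to cross a layer-3 hop, and that hop is where an access control list can be applied, whereas hosts in the same VLAN are switched to each other with nothing in the path. PennGwyn's follow-up is the corollary: a host that reassigns itself a "privileged" IP address is still in its own VLAN, so the address alone buys it nothing. The script below, added as an example and not part of the original thread, models exactly that: it computes the set of (host, protocol, port) targets one compromised host can reach, first on a flat network and then with VLANs plus a router ACL evaluated top-down with first match wins and an implicit deny at the end. The hosts, VLAN names, the ACL itself and the worm's port list are all constructed for the example.

```python
"""Blast radius of one compromised host on a flat network versus VLANs with an
ACL on the inter-VLAN routing hop. Hosts, VLAN names, the ACL and the worm's
port list are all constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    vlan: str
    ip: str


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src_vlan: str    # VLAN name, or "any"
    dst_vlan: str
    proto: str       # "tcp", "udp", or "any"
    dst_port: int    # 0 matches every port


HOSTS = [
    Host("admin-pc1",  "admin",         "10.10.0.10"),
    Host("admin-fs1",  "admin",         "10.10.0.20"),
    Host("mfg-plc1",   "manufacturing", "10.10.1.5"),
    Host("unix-db1",   "unix",          "10.10.1.140"),
    Host("vms-ctrl1",  "vms",           "10.10.2.130"),
]

# Hypothetical policy, evaluated top-down, first match wins, implicit deny at
# the end (the behaviour of a classic router ACL). The deny for manufacturing
# deliberately sits above the permits so nothing below can widen it.
ACL = [
    Rule("deny",   "any",   "manufacturing", "any", 0),
    Rule("permit", "admin", "unix",          "tcp", 22),
    Rule("permit", "admin", "vms",           "tcp", 23),
]

# Ports a 2003-era Windows worm would typically probe (RPC, SMB), plus SSH.
WORM_SCAN = [("tcp", 135), ("tcp", 445), ("tcp", 22)]


def acl_decision(acl, src, dst, proto, port):
    """True if the first matching rule permits; False if it denies or nothing matches."""
    for r in acl:
        if (r.src_vlan in ("any", src.vlan) and r.dst_vlan in ("any", dst.vlan)
                and r.proto in ("any", proto) and r.dst_port in (0, port)):
            return r.action == "permit"
    return False


def reachable(src, dst, proto, port, segmented, acl=()):
    """Can src open proto/port to dst? Membership is decided by VLAN, not by the
    IP the host claims: a host that renames itself to a privileged address stays
    in its own broadcast domain."""
    if src.name == dst.name:
        return False
    if not segmented or src.vlan == dst.vlan:
        return True                      # switched directly, no ACL in the path
    return acl_decision(acl, src, dst, proto, port)


def blast_radius(src, hosts, scan, segmented, acl=()):
    """Every (host, proto, port) the compromised host can actually reach."""
    return sorted((h.name, proto, port)
                  for h in hosts for proto, port in scan
                  if reachable(src, h, proto, port, segmented, acl))


if __name__ == "__main__":
    patient_zero = HOSTS[0]
    flat = blast_radius(patient_zero, HOSTS, WORM_SCAN, segmented=False)
    seg = blast_radius(patient_zero, HOSTS, WORM_SCAN, segmented=True, acl=ACL)
    print(f"flat network : {len(flat)} reachable targets")
    print(f"VLANs + ACL  : {len(seg)} reachable targets -> {seg}")
    rogue = Host("rogue", "manufacturing", HOSTS[1].ip)   # borrowed the file server's IP
    print("rogue reaches admin-pc1 on tcp/445:",
          reachable(rogue, patient_zero, "tcp", 445, segmented=True, acl=ACL))
```

On the flat network the worm on admin-pc1 can try every port on every other host (12 targets); with the VLANs and this ACL it reaches only its own VLAN neighbour and the one permitted SSH path into the Unix VLAN (4 targets), and the manufacturing VLAN is unreachable no matter what address the attacker borrows. Rule order matters: putting a broad permit above the manufacturing deny would reopen it, which is why the deny goes first.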
