
Easiest way of implementing VLANs

Posted on 2009-07-01
Last Modified: 2012-05-07
I have a big LAN of almost 500 users, in a building of 3 levels, and I have 15 servers (MS-AD, DNS, applications, etc.). Every network device is in the same VLAN (1), the default. I have Cisco 2950 switches for edge switches and a Cisco 4507 for the core switch. Now I have network problems regarding many broadcasts, retransmissions, etc. With all these problems I have been advised to implement VLANs in order to limit the broadcasts, but I would like help finding the best way of implementing VLANs. I just want to segment the servers and each IDF of each floor. I don't need to segment per user or per application, just to avoid broadcasts.
I attach a diagram for better understanding.
lan-connections-br.jpg
Question by:Apolo Victores
LVL 21

Expert Comment

by:from_exp
ID: 24760749
NOTE:
Please read this post till the very end before taking your network down. I assume that you have good knowledge about your current infrastructure, applications, IP addresses. Please ask all questions before the actual migration. I also assume that all workstations are using DHCP, otherwise it would be a pain to migrate. However, if all PCs have static addresses, you will just need an additional task force to reconfigure all PCs to use DHCP.


I would suggest the following migration scheme.

You create additional VLANs on all switches, for example:
vlan 2 - servers, created on the nearest switch to the servers and on a core 4507
vlan 3 - IDF 1, created on IDF 1 and core 4507
vlan 4 - IDF 2, created on IDF 2 and core 4507

Next thing to do - interconnect all remote VLANs to the core switch. To do this you need out-of-business time (I would suggest Friday evening, so you will have time to implement the new topology until Monday morning) and possibly console access to the switches.
You log on to the IDF 1 switch and configure the uplink port (let it be gi0/1) as tagged with 2 VLANs: the current default and the new one, vlan3 (for IDF 1).
configure terminal
! uplink from the IDF 1 switch to the core
int gi0/1
desc to_4507
! carry only the default VLAN and the new IDF 1 VLAN on the trunk
switchport trunk allowed vlan 1,3
switchport mode trunk
end

At this point (if you were reaching the IDF switch via the 4507) your connection will be lost. Don't worry about that. You then perform the same task on the 4507 for the port to the IDF 1 switch.
configure terminal
! core-side port facing the IDF 1 switch; must match the IDF side
int gi1/1
desc to_IDF1
switchport trunk allowed vlan 1,3
switchport mode trunk
end

now you should regain connectivity to IDF 1 switch.

In the same way you proceed with other IDFs.

Now you should plan your IP topology carefully. Each VLAN will have its own IP subnet, so you have to configure your DHCP server (let it have the IP 192.168.100.1) with additional scopes.
Let's assume you are going to implement the following IP scheme (we are not interested in your current one, because you will migrate all PCs step by step to the new topology):
192.168.100.0/24 - servers vlan 2
192.168.101.0/24 - IDF 1
192.168.102.0/24 - IDF 2
192.168.103.0/24 - IDF 3 - etc

Sure thing, the 4507 should be the default gw for ALL VLANs within your network and should also know where the DHCP server is for each VLAN:
configure terminal
! SVIs are labelled with "description"; "name" belongs to the VLAN definition, not the interface
int vlan2
description servers
ip address 192.168.100.254 255.255.255.0
! user VLANs relay DHCP broadcasts to the server in vlan 2
int vlan3
description IDF1
ip address 192.168.101.254 255.255.255.0
ip helper-address 192.168.100.1
int vlan4
description IDF2
ip address 192.168.102.254 255.255.255.0
ip helper-address 192.168.100.1
int vlan5
description IDF3
ip address 192.168.103.254 255.255.255.0
ip helper-address 192.168.100.1
end

The firewall should be placed in an additional VLAN, and the switch should have its default gw configured to the firewall.
configure terminal
! SVI for the firewall VLAN
int vlan100
description fw_vlan
ip address 192.168.200.1 255.255.255.0
! access port facing the firewall
int gi1/10
desc firewall
switchport access vlan 100
! default route; 192.168.200.254 is the address of the firewall
ip route 0.0.0.0 0.0.0.0 192.168.200.254
end

Firewall should be reconfigured to a new IP address and should also allow all your subnets to internet (if needed)
At this point you are ready to reconfigure servers with new IP addresses and place them into the correct VLANs.
conf  term
int gi1/2
desc dhcp_server
switchport access vlan 2
end

All servers should be rebooted after that, because they should reregister themselves in DNS.

At this point you should have a fully functional infrastructure - servers are separated, they should be accessible from workstations (workstations should have the 4507 as a default gw). If not, try to troubleshoot problems.

Only after this step should you move to the next step - moving PCs to new VLANs.
To do that, move all ports on the IDF1 switch to vlan 3 and reboot all PCs on that switch in order for them to get new IP addresses.
Check: PCs in IDF1 should be able to get a new IP with default gw, with access to the internet and to the servers.
If everything is OK, proceed to the next IDF.

Uff... Seems that is all.
0
 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 24761689
Hi,

Please find attached the VLAN design template.
A VLAN is a way of micro-segmenting an L2 / L3 topology into separate broadcast domains. Each VLAN is a separate broadcast domain, i.e. all broadcasts are seen by devices within the same VLAN.
 
Inter-VLAN communication is restricted; it requires an L3 routing device to communicate between broadcast domains.
 
A couple of benefits are listed below:
 
1. Saves excessive usage of physical connectivity
 
2. One link can pass all different broadcast-segregated packets to their respective destinations
 
3. By using VTP further, we can also sync between devices, making one the server and the others clients. Updates will be sent automatically and devices will remain in sync upon any change recorded amongst them.
 
4. Different VLANs can be segmented across different depts., e.g. marketing and sales in the same building can be put under two separate VLANs. Both networks will remain separate though using the same devices to flow.
 
5. Bandwidth is saved a lot as well. Further, you can use etherchannels to segment the bandwidth for better flow of packets.
 
 
Given the number of PCs you have, separation by device class just won't yield much of a result - your broadcast domain will still be equally flooded.
 
I'd recommend a mix of the two methodologies. For example, let's take the subnet 10.0.0.0 and let us use the second octet for site, the third octet for vlan-id and the fourth as the host octet.
 
Site 1: 10.1.v.h
Finance: v = 20
HR: v = 25
IT: v = 20
etc
Switches/routers: v = 1
WAP's: v = 4, h = 200-254
Wireless clients: v = 4, h = 10-199
Printers: v = 5
Phones: v = 6
Management: v = 100
etc
 
Yes, that is a lot of address wastage, but you get the idea. Generally we want to keep as much broadcast data in a single VLAN as possible. If departmental devices can be on the same physical access layer device, then that combined with a dedicated VLAN would be better again.


0
 

Author Comment

by:Apolo Victores
ID: 24767248
Thanks for your solutions! I will certainly do what you are recommending. I forgot to tell you that I have 12 access points for wireless users, and a TCP/IP subnet of 1022 hosts (22 subnet bits) (179.7.X.X/255.255.252.0), and the question would be: do I need to assign separate IP subnets for each VLAN? Or how can I manage those IPs in the DHCP server?

Thanks!!
0
 
LVL 21

Expert Comment

by:from_exp
ID: 24770056
Yep, you need a separate IP subnet per VLAN. You can manage DHCP scopes on the DHCP server. Clients in each VLAN will get their lease from the correct pool for that VLAN.
However you can consider if you need every IDF in its own vlan. Possibly you can group them according to departments.
0
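How the per-VLAN scopes discussed above get matched to clients, as an added example that is not part of the original thread: with `ip helper-address` the SVI relays each DHCP broadcast and writes its own address into the giaddr field, and the server leases from the scope whose subnet contains that address. The sketch below checks the 192.168.100.0/24 to 192.168.103.0/24 plan from the first answer for overlaps and misplaced gateways, then models that scope selection; the function names are hypothetical.

```python
import ipaddress

# Addressing plan taken from the first answer in this thread:
# VLAN id -> (subnet, SVI address on the 4507 used as default gateway).
PLAN = {
    2: ("192.168.100.0/24", "192.168.100.254"),  # servers
    3: ("192.168.101.0/24", "192.168.101.254"),  # IDF 1
    4: ("192.168.102.0/24", "192.168.102.254"),  # IDF 2
    5: ("192.168.103.0/24", "192.168.103.254"),  # IDF 3
}
DHCP_SERVER = "192.168.100.1"  # target of "ip helper-address"


def check_plan(plan, dhcp_server):
    """Return a list of problems: overlapping subnets, a gateway outside
    its subnet, or a DHCP server that is in none of the subnets."""
    problems = []
    nets = {v: ipaddress.ip_network(n) for v, (n, _) in plan.items()}
    vlans = sorted(nets)
    for i, a in enumerate(vlans):
        for b in vlans[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"vlan {a} overlaps vlan {b}")
    for v, (_, gw) in plan.items():
        if ipaddress.ip_address(gw) not in nets[v]:
            problems.append(f"vlan {v} gateway {gw} outside {nets[v]}")
    if not any(ipaddress.ip_address(dhcp_server) in n for n in nets.values()):
        problems.append(f"dhcp server {dhcp_server} is in no planned subnet")
    return problems


def select_scope(plan, giaddr):
    """Model scope selection for a relayed DISCOVER: the relay (the SVI)
    writes its own address into giaddr, and the server leases from the
    scope whose subnet contains giaddr. Returns (vlan, subnet) or None."""
    addr = ipaddress.ip_address(giaddr)
    for vlan, (net, _) in plan.items():
        if addr in ipaddress.ip_network(net):
            return vlan, net
    return None


if __name__ == "__main__":
    print(check_plan(PLAN, DHCP_SERVER) or "plan is consistent")
    for vlan, (_, svi) in PLAN.items():
        print(f"DISCOVER relayed by {svi} -> scope {select_scope(PLAN, svi)}")
```

A relay address that matches no scope returns `None`, which corresponds to clients in that VLAN never receiving a lease.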
 
LVL 21

Accepted Solution

by:
from_exp earned 2000 total points
ID: 24770063
As for wireless, my solution is to allow wireless only via the firewall; physically, however, the APs can share the same switches, but should be placed in a special wifi VLAN.
0
 

Author Closing Comment

by:Apolo Victores
ID: 31599063
Thank you for your solution! It is really complete and accurate!
0
