Solved: Easiest way of implementing VLANs

Posted on 2009-07-01, last modified 2012-05-07
I have a big LAN of almost 500 users in a building of 3 levels, and I have 15 servers (MS-AD, DNS, applications, etc.). Every network device is in the same VLAN (1), the default. I have Cisco 2950 switches for edge switches and a Cisco 4507 for the core switch. Now I have network problems regarding many broadcast problems, retransmissions, etc. With all these problems I have been advised to implement VLANs in order to limit the broadcasts, but I would like help finding the best way of implementing VLANs. I just want to segment the servers and each IDF of each floor. I don't need to segment per users or per applications, just to avoid broadcasts.
I attach a diagram for better understanding.
Attachment: lan-connections-br.jpg

Question by: Apolo Victores
Expert Comment by: from_exp (LVL 21)
ID: 24760749
NOTE:
Please read this post till the very end before taking your network down. I assume that you have good knowledge about your current infrastructure, applications and IP addresses. Please ask all questions before the actual migration. I also assume that all workstations are using DHCP; otherwise it would be a pain to migrate. However, if all PCs have static addresses, you will just need an additional task force to reconfigure all PCs to use DHCP.


I would suggest the following migration scheme.

You create additional vlans on all switches, for example:
vlan 2 - servers, created on the nearest switch to the servers and on the core 4507
vlan 3 - IDF 1, created on IDF 1 and the core 4507
vlan 4 - IDF 2, created on IDF 2 and the core 4507

Next thing to do: interconnect all remote vlans to the core switch. To do this you need out-of-business time (I would suggest Friday evening, so you will have time to implement the new topology until Monday morning) and possibly console access to the switches.
You log on to the IDF 1 switch and configure the uplink port (let it be gi0/1) as tagged with 2 vlans: the current default and the new vlan 3 (for IDF 1).
configure terminal
! create the vlan on this switch before allowing it on the trunk
vlan 3
 name IDF1
int gi0/1
 desc to_4507
 ! the keyword is "allowed vlan" (singular); the 2950 only speaks 802.1Q, so no encapsulation command exists here
 switchport trunk allowed vlan 1,3
 switchport mode trunk
end

At this point (if you were reaching the IDF switch via the 4507) your connection will be lost. Don't worry about that. Now you perform the same task on the 4507 for the port to the IDF 1 switch.
configure terminal
vlan 3
 name IDF1
int gi1/1
 desc to_IDF1
 ! on 4500 supervisors that still offer ISL, the encapsulation must be set to dot1q before "switchport mode trunk" is accepted
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3
 switchport mode trunk
end

now you should regain connectivity to IDF 1 switch.

In the same way you proceed with other IDFs.

Now you should plan your IP topology carefully. Each vlan will have its own IP subnet, so you have to configure your DHCP server (let it have the IP 192.168.100.1) with additional scopes.
Let's assume you are going to implement the following IP scheme (we are not interested in your current one, because you will migrate all PCs step by step to the new topology):
192.168.100.0/24 - servers vlan 2
192.168.101.0/24 - IDF 1
192.168.102.0/24 - IDF 2
192.168.103.0/24 - IDF 3 - etc

Sure thing, the 4507 should be the default gw for ALL vlans within your network and should also know where the DHCP server is for each vlan:
configure terminal
! inter-vlan routing must be enabled (harmless if it already is)
ip routing
! a vlan's name is set under "vlan N", not under the SVI; repeating "vlan N" for a vlan created earlier is harmless
vlan 2
 name servers
vlan 3
 name IDF1
vlan 4
 name IDF2
vlan 5
 name IDF3
! one SVI per vlan is the default gateway of that subnet; helper-address relays DHCP to the server in vlan 2
int vlan2
 description servers
 ip address 192.168.100.254 255.255.255.0
 no shutdown
int vlan3
 description IDF1
 ip address 192.168.101.254 255.255.255.0
 ip helper-address 192.168.100.1
 no shutdown
int vlan4
 description IDF2
 ip address 192.168.102.254 255.255.255.0
 ip helper-address 192.168.100.1
 no shutdown
int vlan5
 description IDF3
 ip address 192.168.103.254 255.255.255.0
 ip helper-address 192.168.100.1
 no shutdown
end

The firewall should be placed in an additional vlan, and the switch should have its default gw configured to the firewall.
configure terminal
vlan 100
 name fw_vlan
int vlan100
 description fw_vlan
 ip address 192.168.200.1 255.255.255.0
 no shutdown
int gi1/10
 desc firewall
 switchport mode access
 switchport access vlan 100
! 192.168.200.254 is the address of the firewall
ip route 0.0.0.0 0.0.0.0 192.168.200.254
end

The firewall should be reconfigured to a new IP address and should also allow all your subnets to the internet (if needed).
At this point you are ready to reconfigure the servers with new IP addresses and place them into the correct vlans.
conf term
int gi1/2
 desc dhcp_server
 switchport mode access
 switchport access vlan 2
end

All servers should be rebooted after that, because they have to re-register themselves in DNS.

At this point you should have a fully functional infrastructure: the servers are separated, and they should be accessible from workstations (workstations should have the 4507 as their default gw). If not, troubleshoot the problems.

Only after this step should you move to the next step: moving PCs to the new vlans.
To do that, move all ports on the IDF1 switch to vlan 3 and reboot all PCs on that switch in order for them to get new IP addresses.
Check: PCs in IDF1 should be able to get a new IP with the default gw, with access to the internet and to the servers.
If everything is OK, proceed to the next IDF.

Uff... Seems that is all.
 
Expert Comment by: Kamran Arshad (LVL 32)
ID: 24761689
Hi,

Please find attached the VLAN design template.
VLAN is a way of micro-segmenting a L2 / L3 topology into separate broadcast domains. Each VLAN is a separate broadcast domain, i.e. all broadcasts are seen by devices within the same VLAN.

Inter-VLAN communication is restricted; it requires a L3 routing device to communicate between broadcast domains.

A couple of benefits are listed below:

1. Saves excessive usage of physical connectivity.

2. One link can pass all the different broadcast-segregated packets to their respective destinations.

3. By using VTP further, we can also sync between devices, making one a server and the others clients. Updates will be sent automatically and devices will remain in sync upon any change recorded amongst them.

4. Different VLANs can be segmented across different departments; e.g. marketing and sales in the same building can be put under two separate VLANs. Both networks will remain separate though using the same devices to flow.

5. Bandwidth is saved a lot as well. Further, you can use EtherChannels to segment the bandwidth for better flow of packets.


Given the number of PC's you have, separation by device class just won't yield much of a result - your broadcast domain will still be equally flooded.
 

I'd recommend a mix of the two methodology. For example, lets take the subnet 10.0.0.0 and let us use the second octet for site, the third octet for vlan-id and the fourth as the host octet.
 

Site 1: 10.1.v.h

Finance: v = 20

HR: v = 25

IT: v = 20

etc

Switches/routers: v = 1

WAP's: v = 4, h = 200-254

Wireless clients: v = 4, h = 10-199

Printers: v = 5

Phones: v = 6

Management: v = 100

etc
 

Yes, that is a lot of address wastage but you get the idea. Generally we want to keep as much broadcast data into a single vlan as possible. If departmental devices can be on the same physical access layer device then that combined with dedicated vlan would be better again.

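The 10.site.vlan.host scheme sketched in the post above is easy to write down and easy to get inconsistent, so here is a small encoder, classifier and collision check for it. This is an added example, not Kamran Arshad's code: the infrastructure roles, the department table and the host-range split inside VLAN 4 (access points versus wireless clients) are copied from his post; the 1-254 limits on the site and host octets are my assumption. The collision check is there because a hand-written table can silently give one VLAN id to two departments (the posted table gives v = 20 to both Finance and IT), which would put both into one broadcast domain.

```python
"""Encoder, classifier and collision check for the 10.site.vlan.host scheme.

Example code added to the thread, not Kamran Arshad's own; the role table,
the department table and the host-range split for VLAN 4 are copied from
his post, the 1-254 limits on site and host octets are assumptions.
"""
import ipaddress

# Infrastructure VLANs named in the post. VLAN 4 is shared by access points
# and wireless clients, which are told apart by host range.
ROLES = {1: "switches/routers", 5: "printers", 6: "phones", 100: "management"}
SHARED_VLAN4 = [("wireless clients", 10, 199), ("WAPs", 200, 254)]
# Department table exactly as posted (Finance and IT both receive v = 20).
DEPARTMENTS = [("Finance", 20), ("HR", 25), ("IT", 20)]


def address(site, vlan, host):
    """Build 10.<site>.<vlan>.<host>, checking every octet against the scheme."""
    for label, value in (("site", site), ("vlan", vlan), ("host", host)):
        if not 1 <= value <= 254:
            raise ValueError(f"{label} {value} must be 1-254")
    if vlan == 4 and not any(lo <= host <= hi for _, lo, hi in SHARED_VLAN4):
        raise ValueError(f"host {host} is outside both ranges reserved in VLAN 4")
    return ipaddress.IPv4Address(f"10.{site}.{vlan}.{host}")


def vlan_subnet(site, vlan):
    """The /24 that VLAN `vlan` occupies at `site` under this scheme."""
    return ipaddress.ip_network(f"10.{site}.{vlan}.0/24")


def classify(addr, departments=DEPARTMENTS):
    """Return (site, vlan, role) for an address in the scheme; None if not in 10/8.

    A VLAN id claimed by several departments is reported as ambiguous rather
    than silently attributed to one of them.
    """
    a = ipaddress.ip_address(addr)
    if a not in ipaddress.ip_network("10.0.0.0/8"):
        return None
    _, site, vlan, host = a.packed          # bytes unpack to four ints
    if vlan == 4:
        role = next((n for n, lo, hi in SHARED_VLAN4 if lo <= host <= hi), "unassigned")
    else:
        depts = [d for d, v in departments if v == vlan]
        if len(depts) > 1:
            role = "ambiguous: " + "/".join(depts)
        elif depts:
            role = depts[0]
        else:
            role = ROLES.get(vlan, "unassigned")
    return site, vlan, role


def check_plan(table):
    """Return {vlan_id: [departments]} for every id used more than once."""
    by_vlan = {}
    for dept, v in table:
        by_vlan.setdefault(v, []).append(dept)
    return {v: depts for v, depts in by_vlan.items() if len(depts) > 1}


if __name__ == "__main__":
    print(address(1, 25, 7), classify("10.1.25.7"))
    print(classify("10.3.4.210"), classify("10.3.4.50"))
    print("collisions in posted table:", check_plan(DEPARTMENTS))
```

Run `check_plan` on a department table before handing it to whoever configures the switches; an empty result means every department really does get its own broadcast domain.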
 

Author Comment by: Apolo Victores
ID: 24767248
Thanks for your solutions! I will certainly do what you are recommending. I forgot to tell you that I have 12 access points for wireless users, and a TCP/IP subnet of 1022 hosts (22 subnet bits) (179.7.X.X/255.255.252.0), and the question would be: do I need to assign separate IP subnets for each VLAN? Or how can I manage those IPs in the DHCP server?

Thanks!!
Expert Comment by: from_exp (LVL 21)
ID: 24770056
Yep, you need a separate IP subnet per vlan. You can manage the DHCP scopes on the DHCP server; a client in each vlan will get its lease from the correct pool for that vlan.
However, you can consider whether you need every IDF in its own vlan. Possibly you can group them according to departments.
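The walkthrough earlier in the thread (one subnet per vlan, the 4507 SVI at .254 as the gateway, the DHCP server in the servers vlan reached through ip helper-address) and the follow-up question about carving the existing /22 into per-vlan subnets both come down to a planning step that is easy to get wrong by hand: overlapping subnets, a vlan id used twice, a gateway that is not inside its own subnet, a scope that hands out the gateway address. The script below is an added example, not from_exp's or the poster's script; it carves a parent block into one subnet per vlan, validates the plan, derives the DHCP scope per vlan and renders the matching 4507 VLAN and SVI configuration. The block 10.200.0.0/22 used in it is a constructed stand-in for the poster's own /22, and the choice to keep the first ten addresses of every subnet out of DHCP for fixed-address devices is my assumption.

```python
"""VLAN / IP subnet planner for the migration described in this thread.

Example code added to the thread, not from_exp's or the poster's own script.
Conventions taken from the thread: one IP subnet per VLAN, the 4507 SVI is
the default gateway at the last usable address (.254 in a /24), the DHCP
server lives in the servers VLAN, and every other SVI relays DHCP to it with
"ip helper-address". The parent block 10.200.0.0/22 used below is a
constructed stand-in for the poster's own /22.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VlanPlan:
    vid: int
    name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address     # SVI on the 4507, last usable host
    dhcp_first: ipaddress.IPv4Address  # first address the DHCP scope hands out
    dhcp_last: ipaddress.IPv4Address   # last address the DHCP scope hands out


def carve(parent, vlans, new_prefix=24):
    """Split `parent` (e.g. a /22) into one /new_prefix per (vid, name) pair.

    Returns (vid, name, cidr) triples; raises ValueError when the block is
    too small for the number of VLANs requested.
    """
    parent = ipaddress.ip_network(parent, strict=True)
    subnets = parent.subnets(new_prefix=new_prefix)
    out = []
    for vid, name in vlans:
        try:
            out.append((vid, name, str(next(subnets))))
        except StopIteration:
            raise ValueError(
                f"{parent} cannot hold {len(vlans)} /{new_prefix} subnets") from None
    return out


def build_plan(entries, reserve_low=10):
    """Validate (vid, name, cidr) entries and derive gateway and DHCP scope.

    Rejects duplicate VLAN ids and overlapping subnets. The first `reserve_low`
    addresses of each subnet stay out of DHCP for fixed-address devices
    (assumed convention: printers, access points, servers).
    """
    plan, seen = [], set()
    for vid, name, cidr in entries:
        if vid in seen:
            raise ValueError(f"VLAN id {vid} assigned twice")
        seen.add(vid)
        net = ipaddress.ip_network(cidr, strict=True)
        for other in plan:
            if net.overlaps(other.network):
                raise ValueError(f"{net} ({name}) overlaps {other.network} ({other.name})")
        if net.num_addresses < reserve_low + 4:
            raise ValueError(f"{net} is too small for a usable DHCP scope")
        gateway = net.broadcast_address - 1          # .254 in a /24
        plan.append(VlanPlan(vid, name, net, gateway,
                             net.network_address + reserve_low, gateway - 1))
    return plan


def ios_config(plan, dhcp_server):
    """Render the 4507 side of the plan: VLAN database entries and SVIs.

    The helper-address is emitted only for SVIs whose subnet does not contain
    the DHCP server; clients in the server VLAN reach it directly.
    """
    dhcp_server = ipaddress.ip_address(dhcp_server)
    lines = ["ip routing"]
    for v in plan:
        lines += [f"vlan {v.vid}", f" name {v.name}"]
    for v in plan:
        lines += [f"interface vlan{v.vid}", f" description {v.name}",
                  f" ip address {v.gateway} {v.network.netmask}"]
        if dhcp_server not in v.network:
            lines.append(f" ip helper-address {dhcp_server}")
        lines.append(" no shutdown")
    return "\n".join(lines)


def dhcp_scopes(plan):
    """Per-VLAN scope parameters to enter on the DHCP server, keyed by name."""
    return {v.name: {"subnet": str(v.network), "mask": str(v.network.netmask),
                     "range": (str(v.dhcp_first), str(v.dhcp_last)),
                     "router": str(v.gateway)} for v in plan}


if __name__ == "__main__":
    # from_exp's scheme written out explicitly
    plan = build_plan([(2, "servers", "192.168.100.0/24"),
                       (3, "IDF1", "192.168.101.0/24"),
                       (4, "IDF2", "192.168.102.0/24"),
                       (5, "IDF3", "192.168.103.0/24")])
    print(ios_config(plan, "192.168.100.1"))
    # the same VLAN list carved out of one constructed /22
    carved = carve("10.200.0.0/22", [(v.vid, v.name) for v in plan])
    for name, scope in dhcp_scopes(build_plan(carved)).items():
        print(name, scope)
```

`carve` fails loudly when the parent block runs out of room, which is exactly the case a /22 hits once you want more than four /24 vlans, so the planner forces the decision about how many vlans the address space really allows instead of leaving it to a later surprise.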
 
Accepted Solution by: from_exp (LVL 21, earned 500 total points)
ID: 24770063
As for wireless, my solution is to allow wireless only via the firewall; physically, the APs can share the same switches, but they should be placed in a special Wi-Fi vlan.

Author Closing Comment by: Apolo Victores
ID: 31599063
Thank you for your solution! It is really complete and accurate!