BCHCAdmin

asked on
Intervlan routing

Question on vlan routing.  when our network was set up - all data ports were set up in the native vlan (1).  We set up a voice vlan using vlan 23.  Vlan 23 voice works fine.   I would like to set up other vlans for the different closets/departments.  When I set up a new vlan (say VLAN 100), I can not get it to talk to devices in the native vlan 1.  I have set up a computer on vlan 100 with an IP address in that vlan (10.0.100.25) and set the gateway to the vlan IP address 10.0.100.1.   However, it is not routing to vlan 1.  Should it?  or do I need to move all the devices in that vlan to another vlan?  
Thanks
Bryan Butler

It sounds like they can't crossover that way:

http://www.formortals.com/implementing-vlan-trunking/

Do you have a sniffer or logging ability?
atlas_shuddered
Are you routing via a router or a switch?
VLANs are just subnets.   You don't create a bunch of VLANs everywhere that you wouldn't normally create a subnet.  VLANs are "virtualized" ways to put boundaries around subnets in the same way you would put a physical boundary around a subnet via the physical cabling.  With the right equipment you can create huge complex LANs and not create one single VLAN.

As a general rule, for every 200 Hosts create a Subnet.
Avoid creating subnets for political reasons or for O.C.D. reasons.  You don't create subnets for Blue machines and Red machines and Yellow machines just because they happen to be different colors.  You don't always create a new subnet just because it happens to be a different Room or different Department (political reasons).

VLAN23?  VLAN100?   Those names don't mean anything.   An IP Segment is an IP Segment is an IP Segment is an IP Segment,...it doesn't matter how you got there or what you "named" it.

Routing.  It requires a router to move between Subnets (VLAN or not VLAN is irrelevant).  VLANs can be created within a Switch,..but a Switch is not a router,...the two segments will not communicate.

There is a such thing as a Layer3 Switch which is a Router and Switch crammed into the same piece of hardware,...but a Switch, being used as a Switch, does not route anything.
And again, are you routing between the vlans using a router or switch (layer 3).  The configuration is a bit different depending.
 
As far as when and where to vlan.  The reasoning for doing so is usually paced against the need to segregate data.  The short of it is that if you have no concerns about traffic from every machine to any other machine being visible to all machines on your network, then pwindell is correct, leave it be.  However, if you have data integrity concerns, whether in reference to confidentiality or, as you show above, priority, delay sensitive traffic (your ip phones), it is a good idea to begin vlanning or going with hard subnets physically divided by routers.
As to waiting until you get to 200 hosts on a subnet to vlan, this is a rule of thumb, which is getting shaky due to the increases in the amounts of traffic being seen on networks today and depending on what an admin has going on, isn't always the best route, just a guideline.
An example.  I run two networks with less than 70 devices per network.  On each of these networks, I run 9 subnets, using vlans to segregate 4 of them.  This is done because of:
1.  Data sensitivity and traffic management (security)
2.  Resource availability and confidentiality
3.  Traffic management (throughput) and prioritization
A better rule of thumb is to limit the complexity to what you need to accomplish the goals of your network and policies.  Do what you need to do to meet the requirements you are met with, to ensure availability of your data to the personnel/hosts that need access to that data and ensure the confidentiality of network assets to only those entities that actually need it.  If you are going to put all of your eggs into one basket, make sure that you can actually accept that risk.  If you are going to segregate them into different baskets, put them into the baskets needed to get the job done but don't complicate it without clearly definable gains to doing so.
To atlas_shuddered

We're on the same page.  :-)

I just see way too much of both extremes.  Some people putting way too many machines on one segment even though any networking class teaches you to not do that,...and then you have the other people going "bonkers" with needless segmenting,....so I am trying to combat both extremes.

I still go with the 254 host model because the next jump goes up to 510 and no one is going to convince me that it is a "good & proper" thing to put that many on a segment.  Faster networks don't mean the same degradation isn't happening,..it only means it is less "humanly visible" as early.
SOLUTION
mikebernhardt
BCHCAdmin
ASKER
Wow - hot topic...

yes - I forgot to give more details.   We are running the following:

Cisco 4510 Core Switch (Layer 3) Running as VTP Server
Cisco 3560 Closet Switches (layer 2 - running as VTP Client)  There are 6 of these 3560 wiring closets.

System kind of evolved to have two subnets that did not need to talk to each other - but all were running on ports on VLAN 1.   When we set up VOIP, (Cisco CallManager) - we set up another VLAN for voice.  That runs fine.    We are above 200 hosts (not including Voice) - on the system and I feel going to VLANs would be a better option than changing the subnet mask to allow more hosts in the same subnet.  Plus - I would like to get the two separate subnets currently on Vlan 1 to be able to share printers.    Would like to set this up using VLAN routing on the 4510 as opposed to doing anything on our network router as that is controlled by "someone else" and it is like pulling teeth to get anything done there.

Does that help?    
ASKER CERTIFIED SOLUTION
Correct - all the vlans are getting passed down the the 3560s.  The default route on the 4510 is to our router and that is all good.
> System kind of evolved to have two subnets that did not need to talk to each other - but all were running on ports on VLAN 1.   When we set up VOIP, (Cisco CallManager) - we set up another VLAN for voice.  That runs fine.    We are above 200 hosts (not including Voice) - on the system and I feel going to VLANs would be a better option than changing the subnet mask to allow more hosts in the same subnet.  Plus - I would like to get the two separate subnets currently on Vlan 1 to be able to share printers.    Would like to set this up using VLAN routing on the 4510 as opposed to doing anything on our network router as that is controlled by "someone else" and it is like pulling teeth to get anything done there.

You don't put two subnets on one VLAN.  

Subnets and VLANs are the same thing

Subnet = VLAN
VLAN = Subnet
They are the same thing,...the distinction is in how they are established at the hardware level.


If you have a group of computers/servers on one subnet (say IP 192.x.x.x) and another group of computers/servers on another subnet (say IP 10.x.x.x) but they are all running on the native VLAN - wouldn't you say they are on the same VLAN but have different subnets?
SOLUTION
So - back to my original question.....can I leave my 10.0.0.x subnet on vlan 1 (or do I need to move it to another vlan)?    I want to put 192.x.x.x. on its own vlan - and then I will also have a 10.0.10.x subnet down the road as well.  I would like to be able to have all 3 vlans speak to each other where necessary.
SOLUTION
SOLUTION
> but you do not have to have different IP subnets on the same vlan, although it's a good idea for the reasons already mentioned.

I meant, you MAY have different IP subnets on the same vlan, although it's NOT a good idea for the reasons already mentioned.
> By the way, vlans and subnets are NOT the same thing. A VLAN is a layer 2 technology,

No it isn't that simple.  Cisco Products do VLANs at both Layer3 and Layer2 and they are treated as two separate things.  HP Procurve products only do Layer3 VLANs,...they are worthless without being associated with a Layer3 IP Segment.

Do they both "touch" Layer2?,..yes,..the Switches have to be able to deal with the tagging correctly, and keep the ports (which are L2) associated with the correct VLAN,..of course.

"VLAN" has become the latest technology "buzzard".  Too many people think because such a thing exists,...then you have to use it, even if they don't know what they are doing with it.  From what I have been seeing in places it has become a tool to "cover up" bad networking practices where the Physical Layer was not designed properly in the first place.  Back when I got in the business VLANs had not even been invented yet and we all got by just fine without them and LAN's physical structure was a lot better engineered back then and not the sloppy messes I see today.

In the end I think you and I are on the same page here,...so I don't know what the problem is.
What?  VLANs are defined as a broadcast boundary.  Always.  Doesn't matter where you are actually handling the routing.  It is a layer 2 technology.  Subnetting occurs at layer 3.  Because the two are often used in conjunction to one another, some folks will make the mistake of assuming that VLANs operate at layer 3 but this is not the case at all.  VLANs are, by definition, a technology used to physically segment a network virtually across equipment that may not reside in the same physical geography.  This is accomplished by tagging the port, and therefore all traffic that generates from those ports, as belonging to a given physical (VLAN) segment.  Subnetting, however, is a logical segmentation of the network, by design, through the use of a single gateway interface.  All vendors define VLANs in the same fashion (IEEE standard) as far as functionality and implementation, no exceptions.  The fact that you can define vlan tagging on a layer three interface does not indicate that it is a layer three technology.  In fact, the layer three interface is used to transfer data between the underlying, differing, layer 2 (VLAN) interfaces/segments.
You're just twisting my point to mean something I don't mean.
An argument can be made that it even blurs the line between Layer2 and Layer1 for that matter.  For example running multiple L3 segments over the same VLAN is similar to multi-netting where multiple L3 segments are run directly over the same physical wire (L1) in the physical realm (L1).

The hardware manufacturer does make a difference in what you can do with it.  With the Procurve equipment we have,..  the VLAN is worthless if you don't run it in conjunction with the Layer3 subnetting.  Yes it is a Layer2 functionality within the switch but until you tie it to Layer3 you can't do anything with it.   Cisco products I'm sure have more variety in what you can do with it.

In the original question that we seem to have gotten away from,..he needs to run 1 subnet over 1 VLAN,...nothing else seems to make any sense there and it is doing nothing but confusing the crap out of him and half of everyone else.

Broadcast boundary?  If it is Layer2 then how is it also a broadcast boundary when broadcast domains are at L3?
Being layer 2, and its own broadcast boundary, VLANs necessitate a layer 3 device (gateway) to traverse traffic to a differing VLAN (layer 2) which contains its own broadcast boundary.  Broadcast traffic from vlan 100 is not visible to devices on vlan 101.  By vlanning, you are segmenting the switch itself, virtually by all means, but nonetheless, segmenting, the same way that placing a switch in the place of a hub segments a collision domain into multiple collision domains.
More importantly, I am not twisting your words to make a point.  Your assertion that cisco (or any other manufacturer for that matter) performs vlanning at both layer 2 and 3, and moreover, your assertion that vlans could also be defined as layer 1 is erroneous.  Just because layer x traffic appears within layer y segments/packets/frames/bits does not mean that segmenting occurs at the bit level.  Following your logic above, I could go so far as to say that tftp or http occur at the physical layer because they traverse the wire as well.  Both assertions are incorrect.
It is a simple solution.  If he needs to dice the network out, vlanning is the simplest method to begin with.  If he desires that segmented traffic to communicate to any other vlan, he will need to set up routing, which will mean defining vlan interfaces on the core device(s) and defining the default gateway.  For layer 2 to communicate to layer 2, it will be necessary to define a layer 3 gateway to traverse traffic from one to the other.
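The routing setup described in the post above (SVIs on the core, a default gateway, trunks down to the closets), written out as an added example that is not from the thread. It is Cisco IOS configuration for the 4510 core and one 3560 closet switch; the VLAN 1 gateway address 10.0.0.1, the upstream router address 10.0.0.254 and the interface names are assumed, while 10.0.100.1 on VLAN 100 and voice VLAN 23 come from the question.

```cisco
! --- Cisco 4510 core (layer 3): turn on routing and give every VLAN an SVI ---
ip routing
!
interface Vlan1
 description Existing data VLAN (10.0.0.x)
 ! 10.0.0.1 is an assumed gateway address for the VLAN 1 subnet
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface Vlan100
 description New department VLAN
 ! this is the gateway the VLAN 100 PC in the question already points at
 ip address 10.0.100.1 255.255.255.0
 no shutdown
!
! Default route toward the externally managed router (address assumed)
ip route 0.0.0.0 0.0.0.0 10.0.0.254
!
! --- Cisco 3560 closet switch (layer 2): tagged uplink, untagged access port ---
interface GigabitEthernet0/1
 description Uplink to 4510 core, carries all VLANs
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/10
 description PC on VLAN 100 with an IP phone on voice VLAN 23
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 23
 spanning-tree portfast
!
! Checks on the 4510: both SVIs must show up/up and both subnets must be
! connected routes before a VLAN 100 host can reach VLAN 1
! show ip interface brief | include Vlan
! show ip route connected
```

With `ip routing` enabled, every SVI subnet can reach every other one by default; where the segregation goal raised earlier in the thread applies, restrict that traffic with an access list applied to the SVI (`ip access-group <name> in` under the `interface Vlan...` block).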
> your assertion that vlans could also be defined as layer 1 is erroneous.

There you go twisting my words again.  I never said they can be defined as L1!!!

I'm trying to say that VLANing affects more than just L2.   AFFECTS!  Not "defined as".

You,..know all it is here is like a bunch of "big kids fighting in the sand box" and trying to go out of their way to nit-pick and poke as many holes as possible in what anyone says.  If I want to follow anyone around with a magnifying glass and examine every speck of what they say I can find something wrong in every post written.  I'm really getting tired of this crap,...all I am trying to do is guide the guy into a solution to get the job done,...and what I have told him will work,..will be reasonably simple to understand and maintain.