Solved

VLAN understanding

Posted on 2010-11-14
556 Views
Last Modified: 2013-11-05
I am a newbie to VLANs, and I am just looking to get the VLAN 101 overview. We have always used a big flat network, everyone on a 192.168.x.x 255.255.0.0 network. As we start to look at making the network cleaner, I am just looking for a simplistic reply. We would have an outside company coming in to set this up for us, but I just want to see if I can take what I know about VLANs, and the answer I get here, to at least have a little better understanding. I am going to use a simplistic example, loosely related to our overall setup.

Example:

We have 2 buildings, Building A and Building B. In Building A, we have 10 staff in Group 1 and 20 staff in Group 2. In Building B we have 20 staff in Group 3 and an additional 15 staff in Building B that belong to Group 1 from Building A. The buildings are connected with fiber, both buildings have two 3Com 48-port 5500G PoE switches, and Building B connects to the Internet gateway that comes into Building A. I would want each group to be in its own VLAN, say Group 1 in VLAN 2, Group 2 in VLAN 4, Group 3 in VLAN 6. The Internet connection goes into a firewall device in Building A that all users share. So, all users in Building B would route their Internet requests through Building A. Feel free to assign your own IP address ranges to all devices, etc.

I appreciate your replies! Thank you!
Question by:heydude
6 Comments
LVL 5

Expert Comment

by:Ahmed Ezzat AbuRaya
ID: 34133796
If you want communication to happen between users from different VLANs then you need a layer 3 device (e.g. a router) to implement basic routing between them, because without a layer 3 device, the users in the VLANs have no connectivity and are isolated.

Author Comment

by:heydude
ID: 34133803
The 5500G is a layer 3 switch.
LVL 32

Expert Comment

by:aleghart
ID: 34133823
VLAN1 - default 192.168.101.xxx
VLAN2 - inter-switch VLAN 192.168.102.xxx
VLAN3 - IP phones - 192.168.103.xxx
VLAN4 - public wireless - 192.168.104.xxx
VLAN11 - Group 1 - 192.168.11.xxx
VLAN12 - Group 2 - 192.168.12.xxx
VLAN13 - Group 3 - 192.168.13.xxx
VLAN14 - Group 4 - 192.168.14.xxx

The internet router would go on the default VLAN1.
VLANs 4, & 101-104 would all have routes to the internet via the router on VLAN1, but not to each other.
VLAN 3 would have route to the internet if necessary (external PBX/servers), or not.

I've had recommendations to create a separate VLAN for switch-to-switch communication. This could be used to keep the management interface and logging off the normal networks. I've not done it in practice, but it's there.

I've never liked using 192.168.1.x or 192.168.0.x because there are constant conflicts with remote users' LAN when they connect with a split-tunnel VPN client.  The client can't tell the difference between local LAN addresses and remote network addresses.
LVL 32

Expert Comment

by:aleghart
ID: 34133830
I have user devices (iPhones, etc.) and visitors, contractors that want wireless access.  A wireless access point that handles VLANs is great...I can connect them to their own LAN and even block communications between devices on that LAN.  Give them no routes except to the internet.

At the router/firewall level you can implement bandwidth throttling or a different set of filters based on the VLAN.  Depending on your router, you also have the option to route them through a specific WAN interface, such as an ADSL circuit, instead of sharing your T1/DS3 or campus network.

Multiple VLANs on the WAP also allows users to connect a printer or laptop and still see the rest of their workgroup...the WAP will give them an IP on their appropriate VLAN.

Author Comment

by:heydude
ID: 34133852
aleghart,

The network setup you are describing is very similar to our network currently, but not separated into VLANs yet. I just cannot get the routing straight in my mind with the VLANs. The stuff that I have been reviewing has had different IP ranges set up for each VLAN. Say one range was 192.168.x.x, another was 10.x.x.x, and another was say 172.x.x.x for the different VLANs. I guess that is where I am getting confused. Once it clicks, it will be fine, I just can't seem to get it all to click though.
LVL 32

Accepted Solution

by:aleghart (earned 2000 total points)
ID: 34133889
192.168.11.x can never see traffic from 192.168.12.x. They are completely separate networks, even though they are "one number" different. As a matter of fact, neither could see the public internet without your router connecting them to the outside world.

All you're doing is using a router to connect 192.168.11.x (Group 1) to your internet router on 192.168.101.x, then it can hop out to the internet.

Group 2 would have a similar route.  But, no route between 192.168.11.x and 192.168.12.x, so they are blind to each other.

The numbering, as you see, is arbitrary. 10.x.x.x just allows for more nodes on a flat network. 192.168.x.x is limited to 254 devices in a flat network. The similar appearance of "192.168." does not make routing between networks any easier or harder. Each network has a subnet mask of 255.255.255.0, which means that only traffic with the same first 3 octets of the address can talk.
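The following is an added example, not code from the thread or from any of its participants. It models the plan sketched in the answers above (Group VLANs 11-13 on 192.168.11-13.0/24, the internet router on VLAN 1 / 192.168.101.0/24) with Python's standard ipaddress module, so you can see the two decisions that answer the original question: a host decides "same subnet or not" purely by applying its mask (the flat 255.255.0.0 network versus the /24 per VLAN), and the layer 3 switch decides whether a pair of VLANs is routed at all. The VLAN numbers, the firewall address 192.168.101.1 and the ROUTED_PAIRS policy are assumptions for the example; nothing here is a 3Com configuration.

```python
import ipaddress

# Constructed VLAN plan in the style of the accepted answer; example data only,
# not a real configuration. VLAN id -> (label, subnet). The internet
# firewall/router is assumed to sit on VLAN 1 at 192.168.101.1.
VLANS = {
    1:  ("internet router", ipaddress.ip_network("192.168.101.0/24")),
    11: ("Group 1", ipaddress.ip_network("192.168.11.0/24")),
    12: ("Group 2", ipaddress.ip_network("192.168.12.0/24")),
    13: ("Group 3", ipaddress.ip_network("192.168.13.0/24")),
}

# Forwarding policy of the layer 3 switch (assumed): ordered (source VLAN,
# destination VLAN) pairs it will route. Every user VLAN is routed to VLAN 1 and
# back, because that is the only way out to the firewall, but no user VLAN is
# routed to another user VLAN.
ROUTED_PAIRS = {(v, 1) for v in VLANS if v != 1} | {(1, v) for v in VLANS if v != 1}


def vlan_of(ip):
    """VLAN id whose subnet contains ip, or None if ip is on no local subnet."""
    addr = ipaddress.ip_address(ip)
    for vid, (_, net) in VLANS.items():
        if addr in net:
            return vid
    return None


def same_subnet(a, b, mask):
    """True when a and b fall in one IP network under mask. This is the only test a
    host performs before choosing between sending direct and sending to its gateway."""
    net_a = ipaddress.ip_network(f"{a}/{mask}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{mask}", strict=False)
    return net_a == net_b


def path(src, dst):
    """Describe how a packet from src to dst is handled under the plan above."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None:
        return "dropped: source is not on a local VLAN"
    if d is None:
        # Off-net destination (public internet): the only exit is the firewall on
        # VLAN 1, so it comes down to whether the source VLAN is routed to VLAN 1.
        if s == 1 or (s, 1) in ROUTED_PAIRS:
            return f"routed VLAN {s} -> VLAN 1 -> firewall -> internet"
        return f"dropped: VLAN {s} has no route to the internet"
    if s == d:
        return f"switched at layer 2 inside VLAN {s} (same subnet, no router involved)"
    if (s, d) in ROUTED_PAIRS:
        return f"routed VLAN {s} -> VLAN {d}"
    return f"dropped: no route between VLAN {s} and VLAN {d}"


if __name__ == "__main__":
    # Two Group 1 hosts, one per building, are still one VLAN and one subnet.
    print(path("192.168.11.5", "192.168.11.200"))
    # Group 1 to Group 2: "one number apart", yet no route, so blind to each other.
    print(path("192.168.11.5", "192.168.12.9"))
    # Group 1 out to the internet: Building B traffic hops via VLAN 1 in Building A.
    print(path("192.168.11.5", "203.0.113.7"))
    # The old flat /16 put those same two hosts in one subnet; a /24 mask separates them.
    print(same_subnet("192.168.11.5", "192.168.12.9", "255.255.0.0"))
    print(same_subnet("192.168.11.5", "192.168.12.9", "255.255.255.0"))
```

One caveat worth keeping in mind when the outside company builds this: a layer 3 switch that has an IP interface in every VLAN knows all of those subnets as directly connected routes and will forward between them by default, so the "no route between Group 1 and Group 2" behaviour modelled by ROUTED_PAIRS is something you enforce deliberately (an access list on the VLAN interfaces, or leaving inter-VLAN routing to the firewall), not something you get for free by choosing different subnets.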