Solved

VLAN understanding

Posted on 2010-11-14
Last Modified: 2013-11-05
I am a newbie to VLANs, and I am just looking to get the VLAN 101 overview. We have always used a big flat network, everyone on a 192.168.x.x 255.255.0.0 network. As we start to look at making the network cleaner, I am just looking for a simple reply. We would have an outside company come in to set this up for us, but I just want to see if I can take what I know about VLANs, and the answer I get here, to at least have a little better understanding. I am going to use a simplistic example, loosely related to our overall setup.

Example:

We have 2 buildings, Building A and Building B. In Building A we have 10 staff in Group 1 and 20 staff in Group 2. In Building B we have 20 staff in Group 3 and an additional 15 staff who belong to Group 1 from Building A. The buildings are connected with fiber; both buildings have two 3Com 48-port 5500G PoE switches, and Building B connects to the Internet gateway that comes into Building A. I would want each group to be in its own VLAN, say Group 1 in VLAN 2, Group 2 in VLAN 4, Group 3 in VLAN 6. The Internet connection goes into a firewall device in Building A that all users share, so all users in Building B would route their Internet requests through Building A. Feel free to assign your own IP address ranges to all devices, etc.

I appreciate your replies! Thank you!
Question by: heydude
6 Comments

Expert Comment

by: Ahmed Ezzat AbuRaya
ID: 34133796
If you want communication to happen between users from different VLANs then you need a layer 3 device (e.g. a router) to implement basic routing between them, because without a layer 3 device, the users in the VLANs have no connectivity and are isolated.

Author Comment

by: heydude
ID: 34133803
The 5500G is a layer 3 switch.

Expert Comment

by: aleghart
ID: 34133823
VLAN1 - default 192.168.101.xxx
VLAN2 - inter-switch VLAN 192.168.102.xxx
VLAN3 - IP phones - 192.168.103.xxx
VLAN4 - public wireless - 192.168.104.xxx
VLAN11 - Group 1 - 192.168.11.xxx
VLAN12 - Group 2 - 192.168.12.xxx
VLAN13 - Group 3 - 192.168.13.xxx
VLAN14 - Group 4 - 192.168.14.xxx

The internet router would go on the default VLAN1.
VLANs 4 and 101-104 would all have routes to the internet via the router on VLAN1, but not to each other.
VLAN 3 would have route to the internet if necessary (external PBX/servers), or not.

I've had recommendations to create a separate VLAN for switch-to-switch communication. This could be used to keep the management interface and logging off the normal networks. I've not done it in practice, but it's there.

I've never liked using 192.168.1.x or 192.168.0.x because there are constant conflicts with remote users' LAN when they connect with a split-tunnel VPN client.  The client can't tell the difference between local LAN addresses and remote network addresses.
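The addressing plan in the comment above has two properties worth checking mechanically before handing it to the integrator: none of the VLAN subnets overlap each other, and none of them collide with the ranges that remote users' home routers typically hand out (the split-tunnel problem the comment describes). The script below is an added example, not code from the thread; it takes aleghart's VLAN numbers and /24 subnets as given, and the list of "common home LAN" ranges is a constructed assumption, not data from the page. It also shows why the questioner's current flat 192.168.0.0/16 is the worst case for split-tunnel clients.

```python
import ipaddress

# The VLAN plan from the comment above, each as a /24 (the "xxx" octet is the
# host part). The VLAN numbers are the commenter's; the /24 masks are an
# assumption for this example.
PLAN = {
    1:  ipaddress.ip_network("192.168.101.0/24"),  # default, internet router
    2:  ipaddress.ip_network("192.168.102.0/24"),  # inter-switch / management
    3:  ipaddress.ip_network("192.168.103.0/24"),  # IP phones
    4:  ipaddress.ip_network("192.168.104.0/24"),  # public wireless
    11: ipaddress.ip_network("192.168.11.0/24"),   # Group 1
    12: ipaddress.ip_network("192.168.12.0/24"),   # Group 2
    13: ipaddress.ip_network("192.168.13.0/24"),   # Group 3
    14: ipaddress.ip_network("192.168.14.0/24"),   # Group 4
}

# The questioner's current flat network (192.168.x.x with mask 255.255.0.0).
FLAT_LEGACY = ipaddress.ip_network("192.168.0.0/16")

# Constructed list of LAN ranges that consumer routers commonly hand out.
# This is an assumption for the example, not data from the page.
HOME_LAN_DEFAULTS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]


def internal_overlaps(plan):
    """Pairs of VLAN ids whose subnets overlap. A sane plan returns []."""
    ids = sorted(plan)
    return [
        (a, b)
        for i, a in enumerate(ids)
        for b in ids[i + 1:]
        if plan[a].overlaps(plan[b])
    ]


def vpn_conflicts(plan, remote_lans):
    """(vlan, remote_lan) pairs where a split-tunnel client's local LAN
    overlaps a corporate subnet, so the client cannot tell which side a
    destination address belongs to."""
    return [
        (vlan, str(remote))
        for vlan, net in sorted(plan.items())
        for remote in remote_lans
        if net.overlaps(remote)
    ]


if __name__ == "__main__":
    print("plan overlaps:", internal_overlaps(PLAN))
    print("plan vs home LANs:", vpn_conflicts(PLAN, HOME_LAN_DEFAULTS))
    print("old flat /16 vs home LANs:",
          vpn_conflicts({0: FLAT_LEGACY}, HOME_LAN_DEFAULTS))
```

Run as-is, the plan reports no overlaps and no home-LAN conflicts, while the old /16 collides with both 192.168.0.0/24 and 192.168.1.0/24, which is exactly the case where a split-tunnel client routes corporate traffic to the living-room router.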

Expert Comment

by: aleghart
ID: 34133830
I have user devices (iPhones, etc.) and visitors, contractors that want wireless access.  A wireless access point that handles VLANs is great...I can connect them to their own LAN and even block communications between devices on that LAN.  Give them no routes except to the internet.

At the router/firewall level you can implement bandwidth throttling or a different set of filters based on the VLAN.  Depending on your router, you also have the option to route them through a specific WAN interface, such as an ADSL circuit, instead of sharing your T1/DS3 or campus network.

Multiple VLANs on the WAP also allows users to connect a printer or laptop and still see the rest of their workgroup...the WAP will give them an IP on their appropriate VLAN.

Author Comment

by: heydude
ID: 34133852
aleghart,

The network setup you are describing is very similar to our network currently, but not separated into VLANs yet. I just cannot get the routing straight in my mind with the VLANs. The stuff that I have been reviewing has had different IP ranges set up for each VLAN. Say one range was 192.168.x.x, another was 10.x.x.x, and another was say 172.x.x.x for the different VLANs. I guess that is where I am getting confused. Once it clicks, it will be fine, I just can't seem to get it all to click though.

Accepted Solution

by: aleghart (earned 500 total points)
ID: 34133889
192.168.11.x  can never see traffic from 192.168.12.x .  They are completely separate networks, even though they are "one number" different.  As a matter of fact, neither could see the public internet without your router connecting them to the outside world.

All you're doing is using a router to connect 192.168.11.x (Group 1) to your internet router on 192.168.101.x, then it can hop out to the internet.

Group 2 would have a similar route.  But, no route between 192.168.11.x and 192.168.12.x, so they are blind to each other.

The numbering, as you see, is arbitrary. 10.x.x.x just allows for more nodes on a flat network. 192.168.x.x is limited to 254 devices in a flat network. The similar appearance of "192.168." does not make routing between networks any easier or harder. Each network has a subnet mask of 255.255.255.0, which means that only traffic with the same first three octets of the address can talk.
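The accepted solution's two rules, "same first three octets under a 255.255.255.0 mask means the hosts talk directly" and "no route between 192.168.11.x and 192.168.12.x", can be worked through on concrete addresses. The script below is an added example, not configuration from the thread or from 3Com. One practitioner's caveat it makes visible: on a single layer-3 switch that has an interface in every VLAN (the 5500G the questioner has), the switch holds a connected route to each VLAN it terminates, so "no route between groups" is in practice an access list that denies user-VLAN-to-user-VLAN traffic while still permitting the default route to the internet router on VLAN 1. The same policy shape is what aleghart's earlier comment describes for the guest wireless VLAN ("no routes except to the internet"). The routing table and ACL here are constructed assumptions for the example.

```python
import ipaddress

# Subnet mask used throughout the accepted solution.
MASK = "255.255.255.0"

# Constructed routing table for the layer-3 switch that routes between the
# VLANs (an assumption for the example, not the page's configuration).
# Every VLAN the switch has an interface on shows up as a connected route,
# so by itself the switch can reach all of them. The only off-switch next
# hop is the internet router on VLAN 1 (192.168.101.1 is assumed).
ROUTING_TABLE = [
    ("192.168.11.0/24",  "connected"),      # Group 1
    ("192.168.12.0/24",  "connected"),      # Group 2
    ("192.168.101.0/24", "connected"),      # VLAN 1, internet router lives here
    ("0.0.0.0/0",        "192.168.101.1"),  # default route: the internet router
]

# Constructed ACL, evaluated first-match like a router packet filter:
# user VLANs may reach the internet but not each other.
ACL = [
    ("deny",   "192.168.11.0/24", "192.168.12.0/24"),
    ("deny",   "192.168.12.0/24", "192.168.11.0/24"),
    ("permit", "0.0.0.0/0",       "0.0.0.0/0"),
]


def same_subnet(a, b, mask=MASK):
    """True when a and b share the network part under mask: they can talk
    directly on the VLAN (after ARP) and no router is involved."""
    net = ipaddress.ip_network(f"{a}/{mask}", strict=False)
    return ipaddress.ip_address(b) in net


def lookup_route(dst):
    """Longest-prefix match; returns the next hop, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def acl_action(src, dst):
    """First matching ACL entry wins; an unmatched packet is implicitly denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in ACL:
        if s in ipaddress.ip_network(s_net) and d in ipaddress.ip_network(d_net):
            return action
    return "deny"


def forward(src, dst):
    """What happens to a packet from src to dst: 'direct' (same VLAN),
    'denied' (ACL), 'unroutable', 'routed to connected VLAN', or
    'routed via <next hop>'."""
    if same_subnet(src, dst):
        return "direct"
    if acl_action(src, dst) == "deny":
        return "denied"
    next_hop = lookup_route(dst)
    if next_hop is None:
        return "unroutable"
    if next_hop == "connected":
        return "routed to connected VLAN"
    return f"routed via {next_hop}"


if __name__ == "__main__":
    for s, d in [("192.168.11.5", "192.168.11.200"),   # same VLAN
                 ("192.168.11.5", "192.168.12.5"),     # Group 1 -> Group 2
                 ("192.168.11.5", "8.8.8.8"),          # Group 1 -> internet
                 ("192.168.11.5", "192.168.101.1")]:   # Group 1 -> internet router
        print(f"{s} -> {d}: {forward(s, d)}")
```

Removing the two `deny` lines from `ACL` is the quickest way to see the caveat: Group 1 to Group 2 then comes back as "routed to connected VLAN", because the layer-3 switch always has a route between VLANs it terminates; isolation is a filtering decision, not the absence of a route.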