Designing a VLAN, can a pro here look over my check list please?

Hey guys, I am designing a VLAN and have done my thorough research and I was hoping someone may give me a little advice on my choices.

The network is based around three computer labs, which have around 60 machines in each lab. Lab 1 has full access to the university network and the internet. Lab 2 has some access to the university network and the internet. Lab 3 has no access to the university network only the internet.

So I looked into layer three switches etc, but decided a router on a stick, with a layer two switch was cheaper and better. As for the switches in my network, as there will be three VLANs with 60 machines on each, do I need to watch out for how many ports are on a switch? This is all hypothetical and will be built in packet tracer.

The methods I decided were best to use was things such as encapsulation 802.1q for tagging frames on trunks between the switches. The part I had trouble researching was how to deny access to certain parts or all of the university networks, I came across access lists, but I couldn't make out too much on how this was done, or if it was even the best way to tackle restricting VLAN access to the network.

It is very confusing, as I didn't know if it would be better with a few layer 3 switches and no router or layer 2 switches, I feel a router on a stick and a few layer 2 switches is the way ahead but I'm not sure.

Another thing I was considering was the security factor of the network. I felt port violation was the best for security and perhaps using stickies to assign certain computers to certain ports?

I know I am asking a lot here but I only ask because I am working hard on this and I want some advice on the decisions I've made before I go full steam ahead with my design.

I appreciate any input whatsoever!

Many thanks!
Who is Participating?
RKinspConnect With a Mentor Commented:
Hello deucalion,

Redundancy is when you have two of something, where one is the backup of the other. It is sometimes used as high availability, but the difference is that redundancy means a backup that will only go up when one is down. High availability means you have two working simultaneously and if one fails, your network is still up. In the attached image is a design with redundant Layer 3 switches, so that if one fails, your network is still running. The design can be used with or without vlans.

One the attached network, the lines represent cables. The solid lines are "active", meaning that traffic goes through them. The "dotted lines" are blocked. They are connected but there is a protocol called spanning tree that disables these lines so that there is no "loop" on the network that would cause a big problem of packets going on forever. In case the left Layer 3 switch fails, the links on the right one would be enabled. This is a sample redundant design, I will not go into stacking of switches which is an alternative that has both switches active (High availability scenario).

The TRUNK is actually between the layer 3 switch and the layer 2 switch. Note that the Layer 2 switches are not interconnected. This is because spanning tree would disable these links so not to form a loop. Also, it less expensive cabling wise because I assume that the Layer 2 switches are distant in this design.

Like diepes mentioned, if your internet is an ethernet cable you can connect straight into your Layer 3 switch.

Don't worry about 802.1x. "Stickies" and "port violation" are also known as mac locking (limited number of MACs per port).

other important security recommendations: change all default passwords. use SSH instead of telnet. Have a separate management vlans for all your configurable equipment.



Ok, first things first. You are planning a 2 layer network, meaning you have access layer and core/distribution layer.

The access layer are the switches that connect to the computers, they should be layer 2 only (or have layer 3 disabled) and support vlans, this will ensure that computers not on the same vlan do not talk to each other. "Do I need to watch out for how many ports are on a switch?".  Yes, because they are connecting your computers together, or connecting to the switches that today are connect to your computers. These switches will connect to the core/distribution using a link that has 802.1q trunking, this means that all vlans can travel up, but will not talk to each other at this point.

The core/distribution layer you have the Layer 3 switch or router. It needs enough ports to connect to the rest of the network. This type of equipment supports Layer 3 physical interfaces (meaning on vlan per physical connection) but most support Layer 3 logical interfaces, which are configured on the equipment and are "connected" to a physical port logically.  How is this done? You create a logical interface for every  VLAN that you need talking to each other (also known as routed), like "Interface vlan 1", "interface vlan 2" and so on. These interfaces have IP addresses and will be used as your gateway on computer configurations. You also assign these vlans to the 802.1q trunk ports like you would a switch. Once these configs are done and routing is enabled, the VLANs will talk to each other through the router.

ACLs or access control lists are an acceptable method of security between VLANs. They apply rules to limit communications between networks, like 192.168.10.x will not talk to 192.168.20.x, but can talk to the internet. There are different types of rules, this is just a simple example. As far as I know, ACLs and VLANs are accepted by PCI (payment card industry) security standards as a means of separating networks.

I do now know what you mean by "port violation", but port security and mac locks are ways of limiting the number of mac addresses on a port, which is a good way to stop somebody from sticking a switch on there. Authentication (802.1x) is a better way, but is meant for end users or machines and you need an authentication server.

In my experience, people tend to go with Layer 3 switches because they have more ports so easier to expand and have better speeds when not routing, but it all depends on the particular network.

Let us know what equipment you are considering experts can probably chip in with particular configuration commands. two cents


deucalion0Author Commented:
Hello RKinsp, thanks very much for all that information!

It has helped me clear some things up in my head especially with the layers. As the vlans are a hypothetical scenarion based on three laboratories withing the university building, I am assuming that if I was to include a router in the equation, this would not be the main router connected to the outside, the internet for example? So it would be a router connected to my layer 2 switches which will be connected to 180 machines split into 3 vlans. So I could just use a layer 3 switch, instead of a router as I don't need the WAN here as the layer 3 switch will be connected to the router which will do all the WAN requirements.

Okay, I think I follow now. As for equipment, I was googling which was the best layer two switch as I need about 200 ports for the network so how many ports are on which switch and which are the best. The trouble is, there is far too much information on Cisco hardware it is confusing.

Out of curiousity, if a large network of computers in a building is configured using routers and switches, when they need outside access to the World Wide Web, is there a specific type of router that goes out? I just see all these packet tracer assessments I have completed there is most of the time a router at teh top of the network, I am not sure if this is for routing the netwrok internally or for routing traffic into the internal netwrok from the outside.

I think I better head to bed, I am garbling nonsense now, sorry about that.

Thanks again for all your help!
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Hehe, don't worry, your nonsense seems to make sense.

Anyways, let's see...

this would not be the main router connected to the outside, the internet for example?

It could be, it all depends on what router you have there and what it supports. If it's a configurable router, it will do and you can use that to route in between the local networks as well as the internet.

So I could just use a layer 3 switch, instead of a router as I don't need the WAN here as the layer 3 switch will be connected to the router which will do all the WAN requirements.

Correct, if you already have a configurable internet router, using an additional router would be superfluous and add unecessary delay on the packets. Using a Layer 3 switch or the single internet router will do.

Best equipment to use: if you are in the US, google Gartner Enterprise LAN magic quadrant. That should get you some brands. Also, always check at least two to balance out features/cost.

Out of curiousity, if a large network of computers in a building is configured using routers and switches, when they need outside access to the World Wide Web, is there a specific type of router that goes out?

That all depends on your ISP. The one main feature you will need no matter what ISP is NAT and PAT- Network Address Translation and Port Address Translation. These features will let you use your internal IP Addresses as one or more public addresses. Other things you want to look for is possible Firewall, Denial of Service protection, and whatever connection port your ISP requires (ethernet, serial, etc.). VPN is good if you ever want to have users connecting from the outside to the inside of your network.

Regarding packet tracer assessments, I am not sure what kind of assessment you mean, but it is common for people to use routers for testing because they center most of the communication to the outside world or between your VLANs, also they are the ones most sensitive to bandwidth usage. For example, transmitting high res video on your internal network that runs at 1000 mbps won't really affect you. Transmitting high res video on a single serial link that runs 2 mbps might be an issue.

good night


deucalion0Author Commented:
Hey RK, thanks for that info. I have been doing further research into my vlan design, I'll share where I am so far. So I spent some time reading up on 802.1x and I am not sure exactly what it does and if its any good for vlan security, as there was some negative comments on this as well as positives. I was wondering if I just set up access lists then that would be enough? The 802.1x seems to have servers and clients and just stuff that seems overly complicated, I would continue to read up on this if I felt it was very beneficial to my vlan setup as oppossed to just there as additional but not really necessary security, if that makes sense.

I was thinking about stickies, so that a port once connected to computer will only allow that specific computer to run on that port. When I mentioned port violation earlier, I meant that if someone disconnects the ethernet cable from the computer and connects their laptop, then the port shuts down.

I made a little drawing of my design, could you give me your opinion on it, maybe I am missing something or have something wrong?
 VLAN Plan
I want to have the best design with all aspects covered, it is just finding out what is essential and what is overly complicated.

Many thanks!
Hi I had a quick look.

1. Will you have servers ?  Where will they connect in ?  ( On Core L3 switches in separate vlan)
2. Have you considered redundancy, especially for the L3 Switch.
      - I would use 2 x L3 switches dual connected to each of the L2 switches, and no link between L2 switches.
3. Depending on the type of link you have to the INTERNET the Router might be redundant.
4. Is there any requirement for security, monitoring ?
     - Firewall, Proxy etc.
deucalion0Author Commented:
I wrote out a huge spiel but lost it all as the page didn't load :(

Ah well.

 I want to know more about your idea to use 2 L3 switches and not connect the L2 together, that sounds interesting, but I need to explain and justify every part of this design, could you tell me why this would be beneficial please? So all traffic goes through the however many L2 switches I have then they all go into the L3 switches, so would that be a single trunk connection from the L2 to the L3 switches?

I dont think I will need to consider anything other than the main vlan, the router in my design basically shows where my vlan ends, with the router which goes out to the internet, the task at hand is to concentrate on the vlan.

I definitely have security requirements but as yet I have no idea what I need I lloked into 802.1x security but that messed my brain up so I gave up on that for now, but the securer the better.

I am not really sure what redundancy is I remember reading up on it but I have forgotten what it is, I feel it is something I may need to consider though, is this in case one fails?

I do appreciate all of your help on this, it is helping undertsand the decisions I hvae made and why I chose certain methods in this design.

Thank you!
diepesConnect With a Mentor Commented:
The drawing from RKinsp: is what i had in mind.

A failure of a L2 switch would only impact the directly connected pc's and nothing else.  A failure of the L3 layer will bring everything down, and is the reason for a backup at this point.

As to the (see dotted above) backup links, there is a couple of ways to utilize them to increase the uplink bandwidth between L2 and L3, Thus using them as backup and for increased capacity.
  1. As mentioned by RKinsp: look into L3 swtiches that can stack (Look like one switch)
  2. Use 2 vlan's for the pc's on each L2 switch splitting the ports, where one L3 switch/uplink will service one vlan, and the other the 2nd Vlan.
  3. Terminate the uplinks from L2 to L3 on Routed ports, that eliminate spanning tree, and then deploy GLBP to load balance the GW for the vlan/subnet.

Other consideration when designing.
 1. Where is your servers ?
 2. What is the traffic flows you expect ?   e.g. 10% between workstations, 70%to from servers, 20% internet ?
 3. You can also calculate you over-subscription on the uplink ports, one way of evaluating different designs. e.g. 48port x 1Gig with uplink 2 x 1G  =  24:1 over subscription on uplinks if you can use both.
 4. How bandwidth intensive will the applications be ? Do you need to plan for 10G on the uplink side.
deucalion0Author Commented:
Very helpful and in depth solutions, left me with a lot to think about but I knew exactly what to concentrate on.

Many thanks for all your guys help
deucalion0Author Commented:
Guys, thanks a lot for all that information. Wow netwroking is tough, very complex and has to be well thought about before continiuing with a design. I will use all the information you guys gave me to researcha nd learn and build the design with explanations and my understandings as to why I chose those aspects of design.

I think I understand the design you guys have came up with but I will draw this up and post it here so hopefully you can double check my understanding is right. I don't know why I am determined to understand this so fully it just feels important.

Thanks again guys.
deucalion0Author Commented:
Guys I knocked this up quickly as it is my interpretation of what the network will be like, without considering servers, as I am unsure about that aspect just now. The use of a backup L3 switch is a great idea, but how exactly can it be used as to in crease capacity, is this difficult to setup? Also as diepes mentioned:
2. Use 2 vlan's for the pc's on each L2 switch splitting the ports, where one L3 switch/uplink will service one vlan, and the other the 2nd Vlan.

Hav I split the vlans up in my plan the way you mentioned? Or should there be two connections from each L2 switch to the L3 switch, one for each vlan? Also are all these link set up as trunking? They should be right?

Here is my new plan:
 vlan plan 2
Thanks again for your help!
deucalion0Author Commented:
I forgot to mention that there will be 1000 machines in vlan1 and 60 in each of the other three vlans, so does that mean I will need many L2 switches? I forgot to think about this aspect, the amount of hosts and therefore the amount of switches. I never see many examples of a newtwork with a lot of hosts, perhaps because it would be a mess.
Assuming a L2 switch has 50 ports, I would need two each for vlan2, 3 and 4 and 20 L2 switches on vlan1, could a L2 switch take a single trunk connection from 20 L2 swithces. Man I am confused.

Thanks for your patience!

Hello Deucalion,

I don't think the vlan design you sent is quite what diepes meant. To split usage on the Layer 3 swtiches, what you need is to use one layer 3 switch as a main or primary for VLAN 1 and 2 and the other Layer 3 as primary for vlan 3 and 4. This is done using VRRP or HSRP (routing protocols) and MSTP (multiple spanning tree). If you use two stacked switches, you don't need to worry about this,.

All your links from Layer 2 to Layer 3 can be 802.1q trunk if the Layer 2 switch has more than one VLAN. If it doesnt, you can use a regular link. If your layer 3 switches are stacked, you can use Link Aggregation (LACP 802.3ad) so that both links between the Layer 3 and a single Layer 2 are treated as one.

Regarding the quantity of switches, typical layer 2 switches are 1 rack unit high, they have 24 or 48 access ports and 2 or 4 uplinks (Gigabit fiber or utp). There are layer 2 switches that stack, means that you can connect up to 8 switches and treat as one (384 ports total), so you can reduce uplinks (Cisco, HP, Enterasys, etc.). You would use maybe 4 uplinks for every 8 switches like this.

There are also some chassis layer 2 access switches (I know HP has one) that can have more ports on a single switch but don't "stack". I think it's like 192 ports or something, so you would use 2 uplinks for every one of these (1 to each L3 switch).

These are suggestions. Like Diepes mentioned, you should check your bandwidth requirements before going into how many uplinks you will place.

deucalion0Author Commented:
Hey guys, I am in the final stages of finishing my design, but there is one thing I am still of unsure of. In order to use back up links to increase bandwith when using two L3 switches, one for redundancy, is there a specific prorocol for doing this? I cannot find anything that explains this clearly.
Also I decided that the main university network will remain as it is and not a vlan, so there will only be vlan 1,2 and 3 with access rights configured to the university network. How does this in effect change the proposed solution of L3 switch one is primary for vlan1 & 2 and L3 switch two is primary for vlan 3 & 4 if there are now only three vlans?

Could I have it so L3 switch one was primary to the main network and vlan 1 and the L3 switch two handled traffic on vlan 2 & 3 connecting to the L3 switch one ?

I have done a lot thinking on this, I hope I am on the right path.

Thanks for all your help.
Hello deucalion,

All traffic should be treated as a VLAN. The trick is that you should have a "default" for what we call "untagged" traffic, that is traffic that does not come with a VLAN tag. The default is usually VLAN 1. So what happens is that the switch treats everything that comes marked into a VLAN into the appropriate VLAN and everything that does not into the default VLAN. Since most switches come with VLAN 1  as the defaul, that is why it is not recommended to use VLAN 1 for tagged or marked traffic.

For your redundancy, if you are not using stacked switches, you need to looking into two protocols: VRRP (virtual router redundancy protocol) at the layer 3 switch and MSTP (multiple spanning tree) for all switches.

You can split the primary/backup whichever way you find best, this is done by setting the primary IP Interface (L3) with VRRP and the ROOT switch with MSTP. Once you get into particular configurations, this will be more clear.

I think you are on the right path, my only recommendation is set aside a test environment for your configs before implementing.

Good luck

deucalion0Author Commented:
Thank you RK, you explain things very well, all the posts you put up here are great reference points for me to come back to the more I read everyting the clearer it becomes. I decided to create two designs to show my understanding of different technologies. I think I have cracked the first design, the simpler one, the second, will be redundancu with high availability using stacked  L3 switches. I will use all the information provided by you and diepes to create this and research switch stacking. Can I ask a quick opinion of my simple design please? It makes sense now that you mention all traffic is to be considered vlan traffic, but on the native vlan which is vlan 1 I believe, it receives no tagged packets so the entire university newrok can be on vlan1.

Here is my design, it should be a straight forward network, the next one will be the more complex one.
 vlan plan 3

Many, many thanks!
Your design looks good.

Just an observation, you have different alternatives of where to tag your vlans. If you are using the L2 switches as dedicated to a single VLAN, you can use regular "untagged" uplinks and configure all the "tagging" on the L3 switch ports.

If your L2 switches will have mixed vlans (a few computers from vlan 10, a few from 20, etc.) you have to use VLAN tags at this level and use 802.1q trunk uplinks.


deucalion0Author Commented:
Thanks again RK and thats a great tip for where to use tagging!

I have designed my second plan, the more complex one, I think for the purpose of my task I have covered enough between the two designs using lots of different techniques and protocols. The second design is the one I shall be proposing as the solution, but I need to know one thing, when splitting up the vlans per layer 2 switch and splitting this between the layer 3 switches, how exactly does this benefit the network? Is it because it is symetrical in a way and that each piece of hardware is dedicated to its own part of the network therefore making more efficient use of the hardware?

Essentially just splitting everything up? I just couldn't find out information that says in writing why it was beneficial to do this, I just need to back up my idea, even although I think I see why it is beneficial. Here is the second diagram:
 vlan plan4
I am almost finished, I just need to write everything up, it has been a huge learning experience having to design this. Oh I forgot to ask, the native vlan is 1 right? It is OK to have this as the main university network as it doesn't really need to be on a vlan?

Many thanks again for all your help, I couldn't have done it without your assistance.
deucalion0Author Commented:
Hey guys, I have a quick question regarding this design. I need to submit my work by tonight, and I just wanted to make sure I understood a couple of things. When stacking two layer three switches, is there a connection each  coming from these to the router? As if one fails then the other must be still connected to the router or the network will be down.

Also, the idea that was suggested where I have the layer two switches taking two vlans splitting the ports, then connect each vlan to separate layer three switches, what exactly are the benefits of doing this? I figured redundancy but there may be another reason?

Any advice on this would be appreciated, I am writing it all up at the moment.


When stacking two layer three switches, is there a connection each  coming from these to the router?
Yes, for redundancy purposes

what exactly are the benefits of doing this? I figured redundancy but there may be another reason?
If you are using "stacked" switches you gain two benefits: high-availability and more bandwidth, because when the L3 switches are stacked, the links will form a Link Aggregation (LAG) and work active-active so you essentially double the bandwidth. Also, you are using both L3 switches simultaneously, meaning that you are not wasting money for something that is just sitting there waiting for the other one to break.
If the switches dont actually stack, you get the redundancy (back-up) and if you configure MSTP you can split traffic between the two, but only one link will be active per-vlan, so you don't double the bandwidth.

Oh I forgot to ask, the native vlan is 1 right? It is OK to have this as the main university network as it doesn't really need to be on a vlan?
That is correct, 1 is the default vlan on switches that support vlan. No problem in considering the rest of the network as 1.

Benefits of using VLANs:

Security - you are segregating traffic, so users cannot access another VLAN unless they go through the L3 switch, which can have an Access Control List to limit who talks to who

Broadcast domains - splitting in vlans you are breaking up the broadcast domains. Depending on the network traffic, there could be alot of broadcasts and take up bandwidth. Also a broadcast storm (caused by loops or attacks) can knock down an entire network, this way it will only knock out a segment

QoS - configuring VLANs makes it easier to use Quality of Service configurations. That means you can set priorities per VLAN or type of traffic. This will be good for implementing stuff like IP telephony in the future

Guests - you can have guest vlans that only talk to the internet, this way an unauthorized user will not compromise security (802.1x can be used for dynamic vlans/guest)

I guess these are the major points. There are others, i just can't remember them right now ;-)

Good luck!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.