VLANs and our need for them?

Asked by dqnet:

Hi folks,

We currently have approximately 150 workstations which are spread across 4 floors and each floor has its departments. Most departments reside on one floor however.

The setup is reasonably straightforward, we have one VLAN for data and one VLAN for voice.
All servers and desktops reside on 10.10.10.x, with printers on 10.10.11.x and wireless on 10.10.13.x, all sitting in one VLAN. So as you can see we are pretty much in a little mess.

What would be an ideal setup? I read the link here:

https://www.experts-exchange.com/questions/24940142/Allocating-VLAN's.html

Which gives good information to various setups however I would like to have more of a tailored answer.

The questions are really: I want to reduce broadcast traffic and increase throughput.
I want to implement inter-department or floor security (finance can't see procurement) etc.
I also want to mitigate any risk of viruses travelling from department to department, maybe via separate subnets?

All departments have vlan capable Cisco switches and our core server and client switches are 2960's (servers on one switch, clients and departmental up-links on another).
We also have a spare Cisco 3750 which I guess we can use to do the routing?

Thanks experts - long question I know :)
Ken Boone:

So if you want to reduce broadcast, then add VLANs. Each VLAN is its own broadcast domain. The fewer devices on a VLAN, the fewer broadcasts each machine sees.

Increase throughput??? Hmm... Given 150 workstations on that gear, I don't know that you will "see" increased throughput. Too many variables. If you had, say, 400+ workstations on a VLAN, then maybe you would see an improvement, but probably more due to the lack of broadcasts that interrupt each NIC than throughput.

Now you want to implement some type of inter-department security. VLANs are great for this. This makes it easier to add ACLs to block inter-department traffic.

You need to decide how you want your VLANs broken up. If the requirement is to prevent departments from seeing each other, then you need a VLAN for each dept. If you have a lot of depts that could be excessive. So, like, HR only has 2 people - do you really need a VLAN just for 2 people - maybe if you want to isolate them, but more than likely it's things like finance, accounting, that sort of stuff that needs to be protected.

I guess what I am saying is with 150 workstations, it's not a huge deal, so don't go overboard, but go ahead and split out the important stuff you want to have more control over.

Yes, I would use a layer 3 switch for the routing between the VLANs as well as the place you would put your layer 3 ACLs.

My high-level recommendation:

1. Place the servers in their own VLAN (probably on their own switch) to isolate them. If possible, put a firewall and/or IPS between them and the rest of the network

2. Subnet the different floors.
    Floor 1 = 10.10.10.x
    Floor 2 = 10.10.20.x
    Floor 3 = 10.10.30.x
    Floor 4 = 10.10.40.x

3. VLAN traffic within each floor by department
    Printers = VLAN 11 (10.10.11.x, 10.10.21.x, 10.10.31.x, 10.10.41.x)
    Wireless = VLAN 13 (10.10.13.x, 10.10.23.x, 10.10.33.x, 10.10.43.x)
    Accounting = VLAN 14 (10.10.14.x, 10.10.24.x, 10.10.34.x, 10.10.44.x)
    HR = VLAN 15 (10.10.15.x, 10.10.25.x,10.10.35.x, 10.10.45.x)
       etc.

Then you can permit the different VLANs to talk to each other, so you could have people in the same department yet on different floors.

Again, this is a very high level description and there could be some adjustments needed or perhaps even better methods.

I suggest sitting down and drawing out what/who is where and what/who they need to be able to "talk" to. Then start on designing how to change the infrastructure.

Topology and goal are the main criteria.
The main functions of VLANs are security, management and efficiency.

You can have up to 500 VLANs as recommended by Cisco.

The most ideal setup has voice in a separate VLAN, just to protect voice data for security and quality purposes.
Some engineers separate servers, printers and departments with VLANs.

Research private VLANs also. This is a VLAN inside a VLAN, a sub-VLAN if you will. This is good for security. It uses promiscuous, community and isolated modes.
This will solve the issue of protecting your 2 users while maintaining a single data VLAN structure.

Be aware that routing slows down traffic also (ASIC recommended). You need to route between VLANs. Layer 3 switches route faster than conventional routers. Consider implementing IP CEF and QoS also.

All the best
dqnet (asker):

This is all great information! Thanks!

Just a few last questions;

1. If there is a server that hosts a "general" share, can this act as a bridge for all the other VLANs to send traffic and ultimately go back to excessive broadcasting?
For example, if we have a share on a server that all departments need to use, would we have to use ACLs to permit all VLANs to have access to the server VLAN? Also, would this not defeat the purpose of broadcast reduction, as all VLANs would have access to this one share?

2. When designing VLANs, could we also limit the protocols that can travel between them? Like, to prevent viruses and worms, we could limit traffic to only Kerberos traffic for authentication with the domain controller but prevent all other protocols like HTTP and NetBIOS, etc.? Another goal is to limit any AV outbreak to that department only.

3. Would the uplink ports between the switches all be trunk ports and allow all traffic through them?


I am really liking the idea of breaking up the departments into their own VLANs. Each department has at least 15 members of staff, and I was wondering if this really is something that companies sized at 150 do?

A suggestion was to put a firewall between the servers and clients, which sounds really good, but could traffic type not be filtered on ACLs alone? What additional benefits will the firewall bring, unless DPI or AV based firewalls are used?

Thanks!! :)

There is no minimum restriction for number of hosts in a VLAN. If it suits your topology, you can have 1 host per VLAN. It only affects time and effort on management. If it meets your needs, and management is of little concern, then go for it. On the bright side, it sets you up on a strong foundation for growth accommodation.

Access to file shares does not use broadcast but SMB. And yes, broadcast can be re-transmitted between VLANs if configured. An example is the use of a DHCP agent or IP helper.

Yes, the uplinks will be trunk ports.

You can limit any traffic you want with ACLs. If your device supports VACLs, you can employ that too.

Routers and firewalls are similar in functions and features. One is focused on security while the other focuses on routing. And yes, ACLs or route maps will serve the same purpose. If you are thinking of a DMZ, a firewall is more appropriate.

Brief description of our configuration. Not a lot of detail, for security purposes.

Organization fluctuates between 180-220 employees geographically located around the state in 12 different buildings.

3 of those buildings are multi-floored.

Example 1: HR is located in the basement of one of the multi-floored buildings and is on its own VLAN.

That same building houses the public area (main floor) and two upper floors with separate departments. Each floor is separated into at least one VLAN.

All phones in one building are on the same VLAN.

Basic design is:

Overall network is 10.x.x.x

Building designation is the second octet so building 1 is 10.1.x.x

For example the phones in building 1 would be 10.1.100.x

The basement would be something like 10.1.10.x
Second floor 10.1.20.x
Third floor 10.1.30.x
Fourth floor 10.1.40.x

Now let's say there are two departments on the second floor. Each one could be on its own VLAN without disrupting the overall structure.

Marketing:  10.1.21.x
Property Management:  10.1.26.x

The firewall I mentioned isn't necessary in front of the servers; however, a good IPS is a good idea. We use a TippingPoint (HP) with multiple legs. The servers sit behind one leg and the internet access is protected by another leg.

Yes the uplink ports would need to permit any traffic that needs to reach outside of the immediate switch.  

A very basic description is:

VLANs contain traffic within ports on the same VLAN on the same switch.

Switches contain traffic within the same switch. Uplink ports permit traffic that is destined to a location that is not on that same switch, and "usually" it goes to a router to determine where to send it. Layer 3 switches have the ability to route traffic, so a separate router is not necessary.

ACLs can be designed on either a router or layer 3 switch to permit/deny traffic based on protocol/port.

Again, that is a VERY basic description.
dqnet (asker):

@Akinsd:

Hmm, so no broadcast traffic will travel over the shared general share to query the other side of the VLAN? So if the marketing VLAN wants to access the file share, and the file share is also accessible by another VLAN on a separate VLAN, and the actual server share is on a third VLAN, doesn't that mean all 3 VLANs need to broadcast to locate each other? Or am I understanding the concept wrong? I just want to make sure I can squeeze any last bit of performance out of the configuration, as right now we have so many devices on the same VLAN and one objective is to re-organise all subnets into separate networks using VLANs.


@pony10us: I was just wondering, if we put the internet-facing servers on a separate 'external' VLAN, how would it communicate with the external backend database servers?
If the internet-facing server VLANs need to access the other internal server VLANs, wouldn't that defeat the purpose of some sort of DMZ, or is that a totally different implementation? If so, how does that work?

Thanks folks!
So they don't have to broadcast between the VLANs in order to communicate. So there is no issue with the concept of 3 VLANs, 1 being the file share and then 2 other VLANs. The other 2 VLANs can access the share but not each other if you set up the ACLs to prevent the unwanted traffic between those two VLANs.

Internet-facing servers should most definitely be put in a DMZ segment off a three-legged firewall. 1 leg is the internet, 1 leg is the inside and 1 leg is the DMZ. All communications to the device on the DMZ should flow through the firewall. What happens is you configure some holes through the firewall to allow the necessary ports to communicate between the web server on the DMZ that the public accesses and the SQL server on the inside which has all the data. The public never talks directly to the inside. They communicate with the DMZ server, and the DMZ server communicates with the backend server. So for any internal servers that a DMZ server needs to communicate with, you set up very specific firewall rules just to allow communications between those devices, and you specify what ports are allowed. You don't just say any IP traffic between the two. You would, for instance, say the DMZ server can initiate TCP traffic using the SQL destination port when talking to internal server x.x.x.x.

This is what limits exposure. If the website gets hacked, the hacker only has access to the DMZ segment, not the inside. Can they get inside? Maybe, but now it takes a lot more work, and they have a very limited scope of holes to work through. It's all about defense in depth.

So the DMZ "VLAN" is a VLAN that is not routed on the inside of the network. It is connected to a leg on a firewall and must route through the firewall to get anywhere.

You have to tell the PC what share to connect to, e.g. \\shares\folder. The PC now connects via Server Message Block (SMB).

A PC needing an IP address sends out an ARP message (broadcast). A server then responds to the ARP and the communication exchange begins.

Routers block broadcasts by default; otherwise, a broadcast from a device would traverse the whole Internet. You have to configure a router to relay a broadcast and specify where to send it.

Research broadcast, IP helper, DHCP agent, etc. for a better understanding.

kenboonejr: Very well stated.

dqnet: Keep in mind that if you go down the route of VLANs, your ACLs become extremely important.

Example:

VLAN 2 = 10.1.0.x
VLAN 200 = 10.1.200.x

You don't want all computers to be able to "talk" between the VLANs; however, you have one computer, 10.1.0.75, running a program that presents a web page, and you want the computers in VLAN 200 to be able to view that page. Let's say it isn't secure, so it would be port 80. You need to put in an ACL permitting this traffic.

! Permit HTTP from anywhere to the one host 10.1.0.75 (the implicit deny ends the list)
access-list 102 permit tcp any host 10.1.0.75 eq www
!
! Applied inbound on the VLAN 200 SVI (interface name assumed; not shown in the original post)
interface Vlan200
 ip access-group 102 in

This will permit the desired traffic (HTTP) across all VLANs (in fact anyone) to just the one computer. Again, this is just an example and not a complete ACL.
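The ACL above permits one service to one host. For the asker's own question of letting a department reach only what it needs (domain logon and the shared file server) while keeping it away from another department, here is an added example in Cisco IOS syntax for the 3750; it is not from this thread or from any of the participants. It uses the asker's later numbering (VLAN 10 = servers 10.10.10.0/24, VLAN 11 = Marketing 10.10.11.0/24, VLAN 12 = Finance 10.10.12.0/24) and assumes a domain controller at 10.10.10.10, a file server at 10.10.10.20 and a Marketing gateway at 10.10.11.1; the ACL name MARKETING-IN is also made up. One caveat the thread does not spell out: a Windows domain logon needs more than Kerberos (DNS, LDAP, SMB to SYSVOL/NETLOGON and the RPC endpoint mapper with its dynamic ports), so an ACL that permits only TCP/UDP 88 will break logons.

```cisco
! Added example, not from the original thread. Addresses, host roles and the
! ACL name are assumptions (see lead-in). IOS extended ACLs are evaluated
! top-down, first match wins, and an unlisted packet hits the implicit deny.
!
ip access-list extended MARKETING-IN
 remark DHCP relay: discover/renew arrive with src 0.0.0.0 or a client address
 permit udp any eq bootpc any eq bootps
 remark Name resolution and time against the domain controller
 permit udp 10.10.11.0 0.0.0.255 host 10.10.10.10 eq domain
 permit tcp 10.10.11.0 0.0.0.255 host 10.10.10.10 eq domain
 permit udp 10.10.11.0 0.0.0.255 host 10.10.10.10 eq ntp
 remark Domain logon: Kerberos, LDAP, SMB (SYSVOL/NETLOGON), RPC endpoint mapper
 permit tcp 10.10.11.0 0.0.0.255 host 10.10.10.10 eq 88
 permit udp 10.10.11.0 0.0.0.255 host 10.10.10.10 eq 88
 permit tcp 10.10.11.0 0.0.0.255 host 10.10.10.10 eq 389
 permit udp 10.10.11.0 0.0.0.255 host 10.10.10.10 eq 389
 permit tcp 10.10.11.0 0.0.0.255 host 10.10.10.10 eq 445
 permit tcp 10.10.11.0 0.0.0.255 host 10.10.10.10 eq 135
 permit tcp 10.10.11.0 0.0.0.255 host 10.10.10.10 range 49152 65535
 remark Shared file server: SMB over TCP 445 only, no NetBIOS 137-139
 permit tcp 10.10.11.0 0.0.0.255 host 10.10.10.20 eq 445
 remark Let hosts ping their own gateway for troubleshooting
 permit icmp 10.10.11.0 0.0.0.255 host 10.10.11.1
 remark Anything else towards the server VLAN or Finance is dropped and logged
 deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 deny ip 10.10.11.0 0.0.0.255 10.10.12.0 0.0.0.255 log
 remark Everything else (Internet via the default route) is allowed
 permit ip 10.10.11.0 0.0.0.255 any
!
! Apply it where Marketing traffic enters the 3750: inbound on its SVI
interface Vlan11
 ip access-group MARKETING-IN in
```

Two things to keep in mind when using this. Router ACLs are stateless: replies from the servers come back in on the Vlan10 SVI, which carries no ACL here, so they are not blocked, but Finance needs its own mirror-image list inbound on Vlan12 or it can still initiate towards Marketing. And on the 3750 the `log` keyword punts matching packets to the CPU, so keep it on the deny lines only while you tune the list, and read the hit counters with `show ip access-lists MARKETING-IN` to see which line a blocked application is stopping on.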
dqnet (asker):

It makes much more sense now, I just have one further question;

All our workstations and servers have static IPs; does this automatically reduce the broadcast traffic and somewhat help? I mean, I know how ARP works and the DHCP concept, but if the IPs are all statically mapped and the CAM tables on all our switches have an idea of how to get what to where, then doesn't the broadcast traffic drop significantly?

Thanks guys
So what you are saving on is the DHCP broadcast only, which really isn't very much traffic. This happens at the beginning of the negotiation for an IP address and then it repeats at the mid-life cycle point to renegotiate. So technically yes, you have cut down on some broadcasts. On a network your size, this traffic would be negligible.

The machines still need to send broadcasts to find out the MAC address of the other machines they are talking to. This is part of the ARP process. The ARP query is sent as a broadcast as well. This you still have. When machine A wants to ping machine B, machine A sends out an ARP broadcast looking for machine B and asking machine B what its MAC address is. This happens whether or not you use DHCP. Once machine A knows machine B's MAC address it puts it in machine A's ARP table so it doesn't need to do this continually. The ARP entries do time out, however, and there would typically be more of this type of broadcast traffic than DHCP requests.

Again, on a normal sized network this type of traffic would be negligible as well.
dqnet (asker):

But I don't understand what is meant by "they will then communicate over SMB".

I mean, in order for a computer in VLAN 10 to communicate with a server in VLAN 20 it needs to have a route to it. When it has this route (via the 3750) it still needs to locate the machine by "ARPing" for the server's MAC address, in which case the 3750 will need to forward that traffic from Port 1 on the 3750 (VLAN 10) out to Port 2 on the 3750 (VLAN 20) and all other ports until the correct port replies back.

Where is the reduction in broadcast traffic that everyone is mentioning?
Sorry, excuse the ignorance, I'm just really confused.

High-level explanation:

The reduction in traffic comes with the routes. Traffic will remain within the "local" VLAN (this is the broadcast portion) unless it can't locate the destination, at which point it will look at its routing table to determine where to send it. When a device looks to send traffic to VLAN 20, the switch will know to automatically route that traffic to Port 2 instead of broadcasting to all the remaining ports.

Does that help any?

So SMB is just a protocol that Microsoft uses to copy data. It runs over IP.

So yes, a computer in VLAN 10 needs a default route to its default router, NOT a route to VLAN 20. The purpose of a default route is that it is what gets used when you send an IP packet to a network that is not your own. The default router will need to have the routes to the networks you are trying to reach, or a default route of its own.

So the only machine that machine A on VLAN 10 needs to ARP for when trying to get to machine B on VLAN 20 is the default gateway. You never ARP for anything that is not on your local network. The PC on VLAN 10 will never know the MAC address of the PC on VLAN 20.

The deal is, with broadcast traffic every device on a network has to stop what it's doing and inspect the packet. So when you have VLANs and split everything up, there are fewer PCs in a given VLAN. So if there are 250 machines on a VLAN, then every time they ARP, etc., every machine on the network sees it. When you set up a VLAN and, say, only have 50 machines in it instead of 250, you have cut down on the amount of broadcast that each machine sees.

That is why I said at the start that you don't need to go overboard with this, as you stated you only had about 150 machines, if I remember right. You will most likely not visibly see a difference in performance with numbers that low. Will there be an improvement? Yes. Will anyone notice it? Probably not.

Hope that helps.

Well stated. There will not be enough of an improvement in speed to be noticed by most. At the size you have, the real benefit of VLANs would be security through isolation.
dqnet (asker):

Right I see.. :) yep much clearer. Just one last thing before we wrap up this question :)

I understand how the default gateway and routes work. It isn't so much about that.

Let's say Marketing has IP range 10.10.11.x (VLAN 11) and finance 10.10.12.x (VLAN 12) respectively.

Let's take the below example;

Let's say Client A is on the 10.10.11.x range with a /24, meaning it cannot see Client B on the 10.10.12.x /24 range, which means it would automatically forward the packet to its default gateway, which would in this case be our NSA firewall, 10.10.11.254, on one of its interfaces.

Does the NSA need to have VLAN 12 attached to one of its other interfaces, connected to another port on the 3750, in order for the packet to get to VLAN 12? Or does the 3750 inspect the packet before it gets to 10.10.11.254, see it already has a route to the 10.10.12.x range and automatically route it there without having to forward it to the firewall (10.10.11.254)?

The idea is to make the 3750 do the routing without having to change the default gateway on all devices to be the 3750. At present all devices are on the 10.0.0.0 range with a /8 and the firewall is the default gateway, so it's a little bit of a mess.

Unless again, I am understanding incorrectly?


(p.s. I understand it's not an enormous network, but that's not the answer to the question)

If you are running the 3750 in layer 3, then you should have the default gateway of the devices pointed to it instead of the firewall.

"Configuring InterVLAN Routing with Catalyst 3750/3560/3550 Series Switches"

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml
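As an added example of the configuration that Cisco document describes (this snippet is not from the thread, from the participants or from the linked page), here is the 3750 set up as the inter-VLAN router for the asker's scheme: VLAN 10 = servers 10.10.10.0/24, VLAN 11 = Marketing 10.10.11.0/24, VLAN 12 = Finance 10.10.12.0/24, each with its SVI at .1 as the gateway. Assumed, because the thread does not state them: the port names (FastEthernet1/0/x access ports, GigabitEthernet1/0/1 uplink, FastEthernet1/0/24 to the firewall), a DHCP server on the domain controller at 10.10.10.10, and a new transit VLAN 99 (10.10.99.0/24) between the 3750 and the firewall's inside interface at 10.10.99.254, so that the firewall stops being the gateway for the client VLANs. The hosts have to be renumbered to /24 masks with the SVI as gateway for this to work: a host that keeps a 255.0.0.0 mask treats 10.10.12.x as on-link and ARPs for it directly, and the 3750 does not forward ARP between VLANs, so that host would simply get no answer.

```cisco
! Added example, not from the original thread. Port names, the DHCP server
! address and the transit VLAN to the firewall are assumptions (see lead-in).
!
ip routing
!
vlan 10
 name Servers
vlan 11
 name Marketing
vlan 12
 name Finance
vlan 99
 name Firewall-Transit
vlan 999
 name Native-Unused
!
! One SVI per VLAN; its address is the default gateway for hosts in that VLAN
interface Vlan10
 description Servers - gateway for 10.10.10.0/24
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan11
 description Marketing - gateway for 10.10.11.0/24
 ip address 10.10.11.1 255.255.255.0
 ip helper-address 10.10.10.10
!
interface Vlan12
 description Finance - gateway for 10.10.12.0/24
 ip address 10.10.12.1 255.255.255.0
 ip helper-address 10.10.10.10
!
interface Vlan99
 description Transit to the firewall inside interface
 ip address 10.10.99.1 255.255.255.0
!
! The 3750 routes between the VLANs itself; only unknown destinations
! (the Internet) are handed to the firewall.
ip route 0.0.0.0 0.0.0.0 10.10.99.254
!
! Uplink to a departmental 2960: 802.1Q trunk carrying only the VLANs that
! floor needs, unused native VLAN, DTP negotiation off.
interface GigabitEthernet1/0/1
 description Trunk to floor-2 2960
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 11,12
 switchport mode trunk
 switchport nonegotiate
!
! Firewall inside interface: a plain access port in the transit VLAN
interface FastEthernet1/0/24
 description Firewall inside (10.10.99.254)
 switchport mode access
 switchport access vlan 99
!
! Server ports: fixed to one VLAN, no DTP, edge-port protection
interface range FastEthernet1/0/2 - 12
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
```

After this the firewall needs a static route for 10.10.0.0/16 (or the individual /24s) via 10.10.99.1, since it no longer has those networks directly connected, and the same trunk settings (encapsulation, native VLAN, allowed list, nonegotiate) go on the 2960 end of each uplink. `show ip route` on the 3750 should then list the VLAN subnets as directly connected and the 0.0.0.0/0 via 10.10.99.254, and `show interfaces trunk` confirms which VLANs each uplink actually carries.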
dqnet (asker):

So let me get this straight. Any devices that need to connect to other ports on the 3750 will need to have their gateway address set to their interface address on the 3750?
e.g.
VLAN 10 (interface FE/0) 10.10.10.1    ---- Workstation gateway = 10.10.10.1
VLAN 20 (interface FE/1) 10.10.11.1    ---- Workstation gateway = 10.10.11.1
VLAN 30 (interface FE/2) 10.10.12.1    ---- Workstation gateway = 10.10.12.1

What if Client A on VLAN 10 had a netmask of 255.0.0.0, expecting Client B, which also has 255.0.0.0 as a netmask, but which was on VLAN 20? What happens then?

Thanks.
dqnet (asker):

EXACTLY what I needed.. Simply perfect.

There are only 500 points to assign, so I'll have to split them.

Thanks again folks, perfect.