shootbox (Italy) asked:

Segmenting only with VLAN (no subnetting) on an LACP network

Hi,

I was having a discussion with one of our network engineers regarding the possibility of saving time and IP addresses when segmenting into different networks by only using VLANs, instead of subnetting + VLANs.

i.e.
his method: subnet to create a new network, assign a VLAN to that network on the switchport and all machine interfaces (VMs)
my thoughts: do not subnet, just assign the VLANs to the switchport and the machines

Since our assigned addresses are real-world routable IP addresses, my suggestion could save a lot of IPs: if, for example, you need to set up a new network for 5 machines, you automatically subnet to an 8-IP network and lose 3 IPs. And even if not, you will still always leave room for upscaling and lose IP addresses.
Also, without subnetting, it's less effort and time.

Now, I do know from googling that my method can work, and you don't HAVE TO subnet + VLAN to segregate your network.
However, what he claims is that they cannot do that, because of a protocol restriction - running Link Aggregation Control Protocol does not allow this kind of configuration.
I tried to put the pieces together as to how and why the use of LACP would prevent such configuration, but I'm clueless.

Any thoughts?

giltjr (United States of America) replied:

Actually I don't know what LACP has to do with it.

You can't do what you want because of the way layer 2 (MAC) and layer 3 (IP) work.

Where did you read that you can have multiple VLANs all on the same IP network?

A "LAN" is a layer 2 network. A VLAN is nothing more than a virtual layer 2 network. Layer 2 uses MAC addresses to communicate between devices. No layer 2 traffic can cross between separate layer 2 networks. That is, if you have VLAN10 and VLAN20, no traffic at layer 2 will cross those VLANs. Broadcast traffic for VLAN10 will NEVER get to VLAN20 and broadcast traffic from VLAN20 will NEVER get to VLAN10.

An IP network is a layer 3 network. A layer 3 network is identified based on IP address and network/subnet mask. In order for traffic to cross between layer 3 networks you must have a layer 3 "router" to forward traffic between two different IP networks.

All devices that are on the same layer 3 network must be on the same layer 2 network. Why? Because when host#1 with IP address #1 wants to talk to host#2 with IP address #2 and they are on the same IP network, host#1 will send an ARP out asking "what is the MAC address of the device with IP address #2." An ARP is a layer 2 broadcast. Going back to LAN/VLAN, no layer 2 traffic crosses LAN/VLAN boundaries.

So if host#1 and host#2 are on different layer 2 networks host#2 will never see the arp request and thus never respond.
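As an added illustration of the ARP argument above (example code, not from anyone in this thread): a small Python model of VLAN broadcast domains, ARP and a default gateway, run over a constructed topology in the 203.0.113.0/24 documentation range that compares the asker's "one subnet, two VLANs" plan with one subnet per VLAN. Device names, addresses and VLAN numbers are assumptions chosen for the demo.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Iface:
    device: str        # host or router that owns this interface
    addr: str          # "ip/prefix"
    vlan: int          # VLAN of the switchport the interface sits on
    gateway: str = ""  # default gateway IP (hosts only; routers leave it empty)

    @property
    def ip(self): return ipaddress.ip_interface(self.addr).ip
    @property
    def net(self): return ipaddress.ip_interface(self.addr).network

def arp(src, target_ip, ifaces):
    """ARP is a layer-2 broadcast: only interfaces in src's VLAN hear the request."""
    target = ipaddress.ip_address(str(target_ip))
    return next((i for i in ifaces if i.vlan == src.vlan and i.ip == target), None)

def can_reach(src, dst, ifaces):
    """Can src deliver an IP packet to dst, directly or via its default gateway?"""
    if dst.ip in src.net:               # same subnet: src ARPs for dst itself
        return arp(src, dst.ip, ifaces) is not None
    if not src.gateway:                 # off-subnet and nowhere to send it
        return False
    gw = arp(src, src.gateway, ifaces)  # off-subnet: src ARPs for its gateway instead
    if gw is None:
        return False
    # the router forwards out whichever of its own interfaces sits in dst's subnet
    egress = next((i for i in ifaces if i.device == gw.device and dst.ip in i.net), None)
    return egress is not None and arp(egress, dst.ip, ifaces) is not None

# Constructed topologies in the 203.0.113.0/24 documentation range.
# Asker's plan: both servers share one /29; only their VLANs differ.
FLAT = [
    Iface("web", "203.0.113.2/29", vlan=10, gateway="203.0.113.1"),
    Iface("sql", "203.0.113.3/29", vlan=20, gateway="203.0.113.1"),
    Iface("fw", "203.0.113.1/29", vlan=10),
]
# Engineer's plan: one /29 per VLAN, and the firewall has a leg in each VLAN.
SUBNETTED = [
    Iface("web", "203.0.113.2/29", vlan=10, gateway="203.0.113.1"),
    Iface("sql", "203.0.113.10/29", vlan=20, gateway="203.0.113.9"),
    Iface("fw", "203.0.113.1/29", vlan=10),
    Iface("fw", "203.0.113.9/29", vlan=20),
]

if __name__ == "__main__":  # prints: flat False subnetted True
    print("flat", can_reach(FLAT[0], FLAT[1], FLAT), "subnetted", can_reach(SUBNETTED[0], SUBNETTED[1], SUBNETTED))
```

In the flat layout the web server believes the SQL server is on-link and ARPs for it directly, so the request never leaves VLAN 10 and the gateway is never consulted; with a subnet per VLAN the packet is handed to the firewall, which has an interface in the destination VLAN.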
shootbox (asker) replied:

Each of the machines on each VLAN will have a default gateway (router/firewall) on which routing rules will be configured so that, for example, a Webserver on VLAN1 can reach the SQL server on VLAN2 on a specific port.

Why would I also need VLAN1 to be on a different NETWORK (subnet) than VLAN2 for that?

It seems that I would have to enable Proxy ARP for that, which is a feature I don't really know.
http://gcharriere.com/blog/?p=620

But be that as it may, that still does not rule out the option of segmenting only by VLANs instead of VLAN + subnetting. Seems that Private VLAN is also an alternative?
ASKER CERTIFIED SOLUTION
giltjr (United States of America):

Oh,

Not 100% sure what you mean by "a Webserver on VLAN1 can reach the SQL server on VLAN2 on a specific port."

If you mean TCP port, a TCP port is only part of what it uses. It must use the IP address also.

IP hosts in the same subnet normally need to be part of the same VLAN.

PVLANs are unique and can be used to create what appear to be unique VLANs where hosts can be part of the same IP network. However, this is really not easy to set up and use, as you have to create mappings to allow one PVLAN to communicate with another.

http://blog.ine.com/2008/01/31/understanding-private-vlans/

shootbox (asker):
The ARP resolution issue makes the most sense :) thanks