Need Advice...Planning To Implement VLANS on our Network...

[FastHackem]

Our Network:

Ethernet, Windows NT environment, Cisco Routers, Hubs, Aironet Wireless Radios interconnecting our school district across the city (about 15 schools). Everyone is in VLAN 1 (default). Each school is in its own domain. We have an extended star top.

I need to create a proposal on how VLANS would benefit us over our non-VLAN environment. Please list as many advantages as you can.

 

[chadell]

Vlans lets you to distribute your network based in logical topology, reduce broadcast domains, increase network security,... Christian Adell tl06530@salleurl.edu

 

[onyx4000]

Here is an easy reason, like the person said before: reduce your broadcast domains...if you have a NIC thats freaking out, your whole network will hear it, and those broadcasts will have to traverse all of your WAN links.

 

[FastHackem]

Thanks for the replies (keep them coming, especially instructors).

I have some questions:

Each school is in its own domain with 1 router and switches(1 or more). Since each school is in its own broadcast domain (dictated by the router), how does VLANing improve in this aspect over just a flat non_Vlan scheme?? Please more reasons (I really need them).

Thanks,

Eric, CCNA, Net+, A+, APS

 

[marsd]

Security, manageability.

Vlans can integrate strict port based filtering that
can beat many of the man in the middle attacks so popular
today. Especially on a wireless net where traffic is
available and crypto is broken, it's good to be able to
to have rulesets like this.

If you have just one vlan though, I really don't see the
point, sorry. As long as you can manage and monitor your
traffic at layers 2 and 3 with your current switches and
you have the capcity for port trunking, and/or isl for
aggregating bandwidth the vlan isn't necessary in my opinion.

Now a vlan for each school might make sense.

 

[boxplan]

Concerning a NIC card that is "freaking out" and broadcasting a storm. How often does this actually happen?

 

[FastHackem]

So marsd,

If 1 school is in its own vlan (for ex. vlan 8) and it connects into the main switch via aironet radio at the main building (which is the high school) then it really doesn't benefit us?? Is that what you are saying.

What if every school is in its own vlan which then ties into the high school (via Aironet radio). Can you see the bigger picture. Will Vlans help us??? (In the big picture, with all domains/vlans/schools tied in)

 

[wybnormal]

Help? Depends on what "help" is...

VLANs are a way of controlling traffic flows. Either in or out of a group(subnet) By default nothing gets in or out of a VLAN unless routed by a layer 3 device(MLS notwithstanding).

So.. the plus is Security by blocking traffic flows.. ie.. you could have a vlan set up for the server and users of the front office. Keep all the records from prying eyes unless the access lists lets them through. Or they login via one of the terminals and has the password.. whole different issue.

Traffic flow control. Keep heavily used groups from nailing other users on the same wire. One example would be a custom app that likes to use chatty broadcast packets.. every workstation on the wire has to process these broadcast packets unless they are isolated somehow. And an older PC could easily be overwhelmed resulting in calls to the helpdesk "my pc is slow" but without any apparent reason because by the time you get there, the broadcast storm is over.

Network Management. You can use a test VLAN to deploy a new project without endangering the production network.. mostly ;-) You can traffic traffic stats by VLAN to who is the heavy users and make adjustments accordingly.

Dynamic VLANs/. THese are fun.. messy to setup but can offer some interesting benefits. Roaming users with laptops. Their home VLAN travels where ever they are.. This is NOT for the faint of heart to configure and use but it's worth mentioning.

Spanning tree issues. It's possible with VLANs to tune your spanning tree topology to match the campus. What might be elected as a root bridge would not be you first choice for some reason. It gets nastier over a flat network where a new switch or a *rogue* switch inserted could cause some serious issues. If it's vlaned off, then the issues remain local. Esotric?? not really.. networks nowdays are getting complicated enough to where stuff ignored 2 years ago will bite you in the butt if you choose to ignore today.

A side bar to security is how you can group the servers in a vlan and now tightly control access to can even see the server farm.. much less use it. You can tighten it up to only web traffic goes to the webserver, only TCP goes to the database server and so on. Yes you can do this with subnets but the packets still go everwhere they should not. The VLAN traffic only goes to the ports that you have "blessed" to be part of the VLAN.

'nuff for now

MikeS Find me at

http://www.packetattack.com

"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[Guest_imported]

From my own experience in schools, it is nice to have the students and teachers on different vlans in order to protect tests, personal files, etc... It can also help narrow traffic- often lab computers are accessing the internet and tying up network resources while teachers might be trying to use a central server for attendance and grading. With separate vlans, the internet traffic will have the same opportunity to affect other network traffic.

 

[FastHackem]

This is all great stuff people, keep it coming. I assume Arbolt that you meant (in your last sentence), with separate vlans, the internet traffic will not have the same oppotunity..........?? I am learning so much from you guys, I have more questions..

How on Earth do you all design large networks, trying to keep track of every vlan, what traffic is allowed on them and so forth??

Our large school network is not VLAN, I am looking at totally re-vamping the way it connects. Any advice on the structured approach I should take???

Thanks,

Eric

 

[Guest_imported]

Yes, sorry, the internet will have less affect on other network traffic if vlans are implemented in that scenario. As for your design, what are you considering- this may help us help you (it will give us an idea of your resources).

 

[wybnormal]

Design? I use a white board, a mechanical pencil and an eraser. Everything gets drawn out.. notes made, people talked to , servers audited, base lines made of traffic and so on. It's not something you rip off on a napkin and then toss together the next day. Or at least, most are not ;-)

It takes a solid understanding of all the parts to put together a decent network design. It also takes input from EVERYONE concerned or will use it. You need to get an idea of where everyone wants to go in the near and far future. I've seen way too many networks go in and be underpowered from the day the switch is fliped because nobody did their homework.

MikeS Find me at

http://www.packetattack.com

"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[marsd]

Regarding wybnormals comment on vlan -vs- flat switched
networks..amen-a new switch inserted in a formerly
stable environment can be big trouble. You try to convince people that stability is important but...

Fast Hackem, no I meant that a vlan for each school makes sense for many reasons. It will actually facilitate your management and security. You had mentioned that all of the the schools were currently in vlan 1. This arrangement
is the same as a flat net where these guys are concerned.

With your current situation a network monitor can say "we
have problems with the network." With a vlan the tech could say "we have problems with traffic at so & so school", and depending on the sophistication of the solution, may be able to pinpoint the bottleneck to the port attached node or segment, and take action.

Working in a k-12 environment I really wish that the
tech coordinator had gone ahead and invested in managed
switching and a high end router instead of the junk
(cisco-1000, dumb switches)we have.

 

[FastHackem]

Outstanding,

Thanks everyone! I see your point wybnormal, I am tackling a digital monster.

I have another very important question:

-Can a port on a switch be a member of two vlans simultaneously??

Thanks,

Eric

 

[wybnormal]

The short answer and safe answer is no. The new answer and one that can bite really hard is yes with some of the new hardware and IOS code, you can put a port into multiple VLANs.. but I would not do it unless you have no other choice..

MikeS Find me at

http://www.packetattack.com

"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[wybnormal]

I got to thinking about this question a bit more and I will add one more thing.

I took the question literally.. ie.. can the port 0/1 be a member of VLAN 1, VLAN 2, VLAN100 etc at the same time? And *IF* you are asking of the port can be a member of 2 VLANs for the device attached to it, no.. not really without some fiddling.

BUT- in the strict sense of the question(which I missed last night) the answer is yes, and it's called a Trunk. The issue here is that a trunk *normally* does not attach to a end station but acts a conduit between switches, routers and sometimes servers( depending on the NIC used)

So to get the *right* answer, one first needs to indentify the topology and architecture that one is working with.

MikeS
Find me at

http://www.packetattack.com

"Diplomacy; the art of saying 'nice doggie' till you can find a rock" Wynn Catlin

 

[FastHackem]

Thanks Normal,

I assume that if you configure switch ports for "normal" (no pun intended) vlan membership, then each port would not be a member of more than 1 vlan, correct?? I understand your trunking point. Let me try to explain my situation a little bit more:

-We have a workstation that needs to be a member of two different domains, which are on different subnets. The teacher runs a server app on one domain, but needs to access it from the other domain. Since the domains can't see each, she has to log off join the other domain, blah, blah, blah. I know we could shorten the trouble by adding another NIC, one for each domain, but what fun is that? I take it you can't have more than 1 trunk on a switch?? So making the port a member of two vlans is out, or is there another way Master Normal??

 

[jevansau99]

Fast, with your layer 3 device you can just route between the subnets. You may be making it more complicated than it needs to be . you can control this access through an access list on your router.

 

[SahryShaheen]

I read through all the posts regarding Vlan.
One problem that I have encountered a problem with Vlans where I need to allow everyone access to Internet and another administration software. I do not know exactly how I can acheive this.
We are using a Core switch CISCO 4006 which serves the Server Farm and the Edge/Distribution switches. For Edge/Distribution we are using Cisco 3550-XL.We have 745 users on the LAN divided into 8 Vlans. We are using 802.1q trunking between Vlans.

Could you shed any light on this please.

 

[SahryShaheen]

This to answer,in part, FASTHACKMAN question.
There comes a time where you need to reconstruct an old network.
The old network configurations where like islands somehow separated by specific use of servers or orgonized such that a group of users needed to work on some specific software were placed in the same network.

A better approch is to divide the network into two or three layers.

either :
Core ---> Edge ---> Distribution
or by use of switches at edge layer:
Core ---> Edge&Distribution

of which the latter is more appropriate.

However in doing so you will encounter several problems:
1)- Several DHCPs may have been at work
You should make one DHCP,DNS,WINS server Active.
2)- Several Workgroups may share same name
You should re-organaize workgroups.
3)- Novell servers that did not see each other will now see
each other on one big LAN
You should organize the Forest properly before you
connect them to the LAN.
4)- Workstation Names conflict with each other or Servers
You should make sure no Server/Workstation share the
same name.
5)- Switching from one brand of switch/HUB to another
You have to make sure that NIC drivers are all
upgraded.
6)- A bigger LAN may require you to use another class of
private (None Routable) IPs
You should select an appropiate Class of IP to suit
the number of workstations you may be having.
7)- VLAN Strategy to segment the LAN
If the equipment chosen for the task accept VLAN
overlaping, then divide your LAN based on
departments. Otherwise divide your LAN based on
services to be used for each group.
8)- To handle traffic properly
Separate working Zones as much as possible by
using separate switches for each zone.
Use Gigabit backbone either Fibre Optic or UTP
to each working Zone.(From the Core switch).
Use UTP 100 Mhz to serve Workstations at each
zone (Edge/Distribution Switch).

These are some preliminary ideas that came to mind.
I hope you find them usefull.

Best Regards
SharyShaheen