Design Ideas - VLANs?


Packet7

IS-IT--Management
Jun 20, 2003
US
Hello,
Our LAN has grown over the past year and I was wondering if I could get some feedback based upon the following info.
Currently, our LAN consists of:
- Approx. 15 servers, 300 PCs, no VLANs, on four (4) floors. We have a managed AT&T WAN (connects all US offices), old Cabletron switches with some semi-old Cisco 2900 series. All floors uplink to our Data Center via 1000BASE-SX on old GPIM Cabletron modules. The 2900's hang off the Cabletrons for ports and some are used as redundant fiber uplinks via GBICs. Our core DC switch is a 3548 (10/100) and about 2 years old. Our current LAN operates smoothly and we have had zero downtime over the past few years regarding our routing/switching (except for the NYC blackout :eek:)

Due to the condition of the Cabletron's and older 2900's, we ordered a few new 3500 series with GBIC modules, and a 4506 w/ Supervisor II + for the DC. We also purchased 2 WS-X4306-GB cards (6 GBIC Modules each - 12 GBIC 1000-BASE-SX) and a 48 Port Gigabit Ethernet module (leaving two modules open).

I had very little to do with the purchasing, but need to design and configure the equipment ASAP. I've had minimal experience with switching, but have had some success in the past by researching and taking my time. So, any ideas?

I was thinking as a short term goal:
- Install the 4506, uplink each floor to a new 3500 and configure trunking on the Fiber ports. Hang the older 2900's and Cabletron off the newer equipment and use for ports. Test, monitor and review all switches for errors.

Long term:
- Assign each floor a VLAN ID. Configure each switch for the respective VLAN and configure the 4506 for Layer 3 VLAN routing. Add static routes to each switch, or review with AT&T to make sure no routing protocols are being advertised on our E0 edge router (US WAN). Maybe consider running a routing protocol on the LAN?

Anyway, I am interested in your comments. Mostly a messaging and Firewall dude, so please be easy on me! :eek:)
Yes, my company is too cheap to hire a Networking Pro, so they throw these things at me...

Thanks!


Rgds,

John
 


Look on the bright side, you have real job security if they won't hire anyone else. :)
 
Basically... You could setup your 4506 with one user VLAN per floor, a server VLAN, and a mangement VLAN.

It would be up to you if you want the flexibility of setting up a 802.1q or ISL trunk to each switch, or if you just wanted to statically assign it to one VLAN.

I would recommend Fiber cabling to each floor, then plug whatever other equipment into that fiber enabled switch.
 
The standard in most large enterprises who have upgraded today is to go with all Layer 3 switching in the core, basically what you're doing. I would configure each switch as its own VLAN and assign a subnet to each one. You will have to take into consideration how large your subnet should be. If you're using RFC 1918 addresses, then assign everything a /24 and don't worry about it; if not, then subnet out the addresses as you need them. You will have to set up DHCP to work with the new subnets.

I would definitely run OSPF or anything you would like between your core switches and your WAN routers. You really don't need trunking. Also make sure your 4506 has the correct code and the correct modules to do Layer 3. I think they do, but make sure.

You may wind up in the situation where half of your floor will be one subnet and the other side a different one. Don't worry about that. Yes, if someone wants to print from one side of the floor to the other, they will have to get routed. With Layer 3 switching everything is so fast that you will never know it.

NetEng
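The Layer 3 setup NetEng describes (each floor VLAN as its own routed subnet on the 4506, one DHCP server in the DC reachable from every subnet, a routing protocol only toward the WAN router), written out as an added example for this thread. It is not configuration from any post here. The VLAN numbers, the 10.1.0.0/16 plan, the DHCP/DNS server at 10.1.100.10 and the transit VLAN 900 toward the AT&T-managed router are all assumptions.

```cisco
! Added example: Catalyst 4506 with Supervisor II+ running Cisco IOS. Not from the thread.
! Assumed plan: floor VLANs 10-40 = 10.1.<vlan>.0/24, server VLAN 100 = 10.1.100.0/24,
! DHCP/DNS server at 10.1.100.10, VLAN 900 = /30 transit to the AT&T WAN router's E0.
!
! Inter-VLAN routing is off until this is enabled.
ip routing
!
vlan 10
 name Floor1-Users
vlan 20
 name Floor2-Users
vlan 30
 name Floor3-Users
vlan 40
 name Floor4-Users
vlan 100
 name DataCenter-Servers
vlan 900
 name WAN-Transit
!
! One SVI per floor. "ip helper-address" relays the clients' DHCP broadcasts (UDP 67)
! as unicast to the server in the DC, which is what lets a single DHCP server
! serve every floor subnet.
interface Vlan10
 description Floor 1 users
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.10
!
interface Vlan20
 description Floor 2 users
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.100.10
!
interface Vlan30
 description Floor 3 users
 ip address 10.1.30.1 255.255.255.0
 ip helper-address 10.1.100.10
!
interface Vlan40
 description Floor 4 users
 ip address 10.1.40.1 255.255.255.0
 ip helper-address 10.1.100.10
!
interface Vlan100
 description Data center servers (DHCP and DNS live here, no helper needed)
 ip address 10.1.100.1 255.255.255.0
!
interface Vlan900
 description Transit to AT&T WAN router E0
 ip address 10.1.255.1 255.255.255.252
!
! OSPF speaks only on the transit VLAN. "passive-interface default" keeps hellos off
! the user and server SVIs, so nothing plugged into a floor port can form an
! adjacency and inject routes; the subnets are still advertised.
router ospf 1
 router-id 10.1.255.1
 passive-interface default
 no passive-interface Vlan900
 network 10.1.0.0 0.0.255.255 area 0
```

Before relying on this, confirm with `show version` that the supervisor's image is a Layer 3 feature set (NetEng's "correct code" point). Whether the AT&T-managed router will peer OSPF with you is their decision; if it will not, drop the `router ospf` stanza and point a static default at the router's side of VLAN 900 (`ip route 0.0.0.0 0.0.0.0 10.1.255.2`), and have AT&T add static routes for 10.1.0.0/16 toward 10.1.255.1. Either way the floor VLANs never carry routing-protocol traffic.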
 
Awesome. Thanks to all for the helpful feedback! One question: the 4506 is only showing one trunk (to another Cisco). Do I need to configure each fiber uplink (Cabletron as well), or should it auto-sense?

Thanks again.

Rgds,

John
 
A trunk port only needs to be setup if you want more than one VLAN to tunnel through that port. If you only want the switch connected to that port to be on one VLAN, then you don't need to configure it.
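To make Baddos's distinction concrete, and to answer the auto-sense question: Cisco's trunk auto-negotiation (DTP) is Cisco-proprietary, so a Cabletron uplink will never negotiate a trunk with the 4506, and a Cisco port left in a dynamic mode will happily become a trunk for any attached device that speaks DTP, handing that device every VLAN allowed on the port. The usual practice is therefore to set each uplink explicitly to trunk or access and turn DTP off. The 4506-side configuration below is an added example, not from any post in this thread; the port numbers, VLAN numbers, module slot and the unused native VLAN 999 are assumptions.

```cisco
! Added example: Catalyst 4506 side, Cisco IOS. Ports, slots and VLAN numbers are assumptions.
!
! A dedicated, otherwise-unused native VLAN for trunks, so untagged frames arriving on
! a trunk never land in a VLAN that carries real traffic.
vlan 999
 name Unused-Native
!
! Uplink to a floor switch that needs several VLANs (floor users, servers, management):
! an explicit 802.1Q trunk, pruned to the VLANs that floor actually uses, DTP disabled.
interface GigabitEthernet1/2
 description Uplink to floor 2 closet switch (802.1Q trunk)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,100,250
 switchport mode trunk
 switchport nonegotiate
!
! Uplink to a switch whose ports all live in one VLAN (the Cabletron case):
! a plain access port in that VLAN. No trunk is needed, as Baddos says, and
! nonegotiate keeps the port from ever sending or honouring DTP.
interface GigabitEthernet1/3
 description Uplink to floor 3 Cabletron (single VLAN, no trunk)
 switchport
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
!
! Server ports on the 48-port module get fixed access mode for the same reason:
! never "switchport mode dynamic desirable" or "dynamic auto" on a port a user or
! server can reach.
interface range GigabitEthernet5/1 - 48
 switchport
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
```

Check the result with `show interfaces trunk`: only GigabitEthernet1/2 should appear, with the pruned VLAN list. Make sure both ends of a trunk use the same encapsulation (802.1Q here; the older Cisco gear may default to ISL), and where the thread's sample configs manage the switches on VLAN 1, consider moving management to its own VLAN (250 in this example) so that the default VLAN every port starts in is not also the one that reaches the switch CLI.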
 
Thanks Baddos. I got confused and caught up in it. Makes sense now.

Cheers.

Rgds,

John
 
John,

Let me back us up a minute.

You don't state that you actually have any problems you want to address. For what purpose do you want to have VLANs?

Are you seeing too many broadcasts per second? IMHO, anything greater than 75 broadcasts per second is too much. Less than 50 is acceptable, in my mind. But a flat network of only 300 nodes shouldn't be seeing that many [unless you're running Novell, then I could see that].

Maybe there is something else that needs fixing rather than using VLANs.

Do you want to isolate one set of users / servers / other resources for security reasons?

My point is that "if it ain't broke, don't fix it."

You may have just not stated what business need you are trying to fulfill. But don't implement VLANs for the sake of being able to say you have VLANs.

FWIW,
Patrick

Patrick Bartkus, CCNP, CNX, SCM Sr. Network Engineer
GA Dept of Labor IT Network Services
If truth were not absolute, how could there be justice?
 
Hello,

Thanks for the comments, Pat. Our network actually is very stable and shows no signs of any delays. I guess you could say I am planning for the future and wanted to get some feedback. As you can tell from our design, I have the same attitude, "If it ain't broke, don't fix it." I can see future needs for isolation, especially with our Finance group. The IT Director likes the new design I created, but I am trying to stay in front of possible problems and design changes. Thanks.

Rgds,

John
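For the Finance isolation John mentions, here is an added example (not from any post in this thread) of enforcing it on the 4506 once inter-VLAN routing is in place: a Finance VLAN with extended ACLs on its SVI so Finance PCs can reach the server VLAN and the WAN but not the other floors, and only the servers and the management VLAN can open sessions into Finance. VLAN 40 for Finance, VLAN 100 for servers, VLAN 250 for management, the 10.1.0.0/16 plan and the DHCP server 10.1.100.10 are assumptions.

```cisco
! Added example: Catalyst 4506, Cisco IOS. VLAN numbers and addresses are assumptions:
!   Finance     VLAN 40   10.1.40.0/24
!   Servers     VLAN 100  10.1.100.0/24  (DHCP/DNS at 10.1.100.10)
!   Management  VLAN 250  10.1.250.0/24
!   Other floors are the remaining 10.1.x.0/24 subnets.
!
! Traffic leaving Finance PCs (enters the SVI, so it is an "in" ACL).
ip access-list extended FINANCE-IN
 remark Finance may talk to the server VLAN (includes DHCP renewals and DNS)
 permit ip 10.1.40.0 0.0.0.255 10.1.100.0 0.0.0.255
 remark Replies to TCP sessions that management opened into Finance
 permit tcp 10.1.40.0 0.0.0.255 10.1.250.0 0.0.0.255 established
 remark No Finance-initiated traffic to any other internal subnet (other floors, management)
 deny   ip 10.1.40.0 0.0.0.255 10.1.0.0 0.0.255.255
 remark Everything else (WAN, Internet via the firewall) is allowed
 permit ip any any
!
! Traffic heading to Finance PCs (leaves the SVI toward VLAN 40, so an "out" ACL).
ip access-list extended FINANCE-OUT
 remark Servers and management may initiate into Finance
 permit ip 10.1.100.0 0.0.0.255 10.1.40.0 0.0.0.255
 permit ip 10.1.250.0 0.0.0.255 10.1.40.0 0.0.0.255
 remark Other floors may not
 deny   ip 10.1.0.0 0.0.255.255 10.1.40.0 0.0.0.255
 remark Return traffic from WAN/Internet
 permit ip any any
!
interface Vlan40
 description Finance users
 ip address 10.1.40.1 255.255.255.0
 ip helper-address 10.1.100.10
 ip access-group FINANCE-IN in
 ip access-group FINANCE-OUT out
```

Two caveats a practitioner would want. First, the initial DHCP DISCOVER from a new Finance PC has source 0.0.0.0, which matches none of the Finance-specific lines and falls through to the final `permit ip any any`, so the helper still relays it; the deny lines only affect traffic sourced from 10.1.40.0/24. Second, these ACLs are stateless: `established` only matches TCP packets with ACK/RST set, so if management needs to ping or use UDP tools into Finance, add explicit return lines (for example `permit icmp 10.1.40.0 0.0.0.255 10.1.250.0 0.0.0.255 echo-reply`) or put the Finance segment behind the firewall instead. Verify with `show ip access-lists FINANCE-IN` and watch the per-line hit counters while testing from a Finance PC.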
 
ON 4506:
- Create 4 Vlans (one per floor)
- Create 1 Vlan for your DC
- Create 1 Vlan for Management.
- Create 1 Vlan for Firewall (if needed)
- Create 1 Vlan for Wan (if needed).

Have one DHCP server and one DNS server in the DC.

Assign as many ports as you need on the 48-port module to the DC VLAN, plus 2 ports for the management VLAN.
Assign 2 ports to connect the firewall.
Assign 2 ports for the WAN (if the WAN is not connected to the FW but directly to the internal LAN).

Hope this helps
 
Good thread. How can you configure VLANs to talk to specific devices located in different VLANs? For example, from Lequang's last post, you would want your workstations, each on a separate VLAN, to communicate with the DC, which is on another separate VLAN.
 
Hi There

On each floor (edge switch):

ip subnet-zero
no ip domain-lookup
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
!
! Access ports: repeat this block for every user port on the switch,
! using that floor's VLAN number (VLAN 100 shown here)
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet0/1
 description === Uplink to Charly 1 ===
 switchport mode trunk
 no ip address
!
! Uplink to the C4506
interface GigabitEthernet0/2
 description === stack-port to G16_02_02 ===
 switchport mode trunk
 no ip address
 spanning-tree stack-port
!
! Management VLAN of the edge switch
interface Vlan1
 description === Management ===
 ip address x.y.z.w 255.255.255.0
 no ip route-cache
!
-------------------------------------------------------
On 4506
-------------------------------------------------------
! Port where the floor uplink comes in
interface GigabitEthernet1/2
 description === G16_05_01 ===
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
------------------------------------
! Management of the 4506
interface Vlan1
 description === Management ===
 ip address x.y.z.w 255.255.255.0
!
-------------------------------------
! One SVI per floor VLAN; the standby (HSRP) lines are optional and only apply if you have 2 C4506s
interface Vlan100
 description === Trading ===
 ip address a.b.c.d 255.255.255.0
 no ip redirects
 standby 1 ip 172.31.253.18
 standby 1 timers 1 4
 standby 1 priority 125
 standby 1 preempt

-----------------------------------------------------
What I suggest is:
0. Design a segment (IP/VLAN) for management
1. Design your IP segment for each floor
2. VLAN name and number for each floor.
   The Data Center is considered as a floor
3. Assign a GBIC module port for each floor on the C4506
4. Configure your edge switch and assign ports to the VLAN of the floor
5. On the C4506: configure the uplink GBIC port to the floor
   Configure the VLAN corresponding to the floor

To answer the question "how does the PC on the floor connect to the DC":
All the VLANs will use Layer 3 switching to route between VLANs, and that's it.

If you need more info please give me your email address.

Hope this helps
 
Just out of curiosity, what is the benefit or purpose of a single VLAN on each floor? I could see if you wanted to connect certain devices on multiple floors via the same subnet, but that doesn't seem to be the case. I'm more of a systems than network guy, just trying to gain a better perspective on design.
 
There are two schools of thought on VLAN design: geographic, or functional (i.e. all servers on one VLAN, all executives on another, all regular PCs on a third, phones on a fourth, etc.).

Most large implementations are a hybrid. All PCs on a floor have the same VLAN; servers, phones and special access/priority cases stay consistent through all closets.

 
Simplicity is the major reason for having 1 vlan per floor.

If you segment based off of department or job function, it's a management nightmare to keep track of what PCs are on what VLAN.

If you know a PC is on floor 2, then you'll know what VLAN they are on.
 