
Subnetting vs. vlans best practice


Jasonlees (MIS), Aug 19, 2009, US

What is best practice for using subnetting vs. VLANs and trunking? For a smaller network with approx. 30-40 servers and 7 subnets, is it a better topology to use a layer 3 switch with trunking to segment the network, or to subnet through the FW or switch and run layer 2 switches to each subnet?
 
You are better off with a layer-3 switch to do your inter-VLAN routing rather than have it done on the FW.

Creating multiple subnets on one VLAN doesn't do anything useful for you.
 
OK, thanks. So it's better from a performance/security standpoint to use VLANs vs. just using interfaces off the firewall to create subnets?
 
A layer 3 switch will process traffic a lot faster than a firewall will when routing your VLANs.
 
@vince: I agree you should use both: VLANs, and a different subnet for each VLAN.

@Jasonlees: VLANs have nothing to do with security!
Keep in mind that the L3 switch routes everything.

But what we don't know is: how many users are there, and are there security things to keep in mind?

If you have < 100 users and no security things, you could use one VLAN.
< 250 users: use 1 or 2 subnets for users and 1 for the servers.

We use, for 800 users:
1 L3 switch for connecting the workgroup switches and the servers
- 1 VLAN and /24 subnet per 120 PCs, so that we can use a backup DHCP server
- and 1 VLAN for our 100 servers

We are not a bank, so no blocking rules/ACLs or FWs between those VLANs.

For the DMZ, then we need some security :)
- an extra (non-routable) VLAN on the L3 switch
- and a FW to route between the LAN, Internet and DMZ interface on the core (+ some FW rules ;-)

Hope this gives you a better view.
 
^^^ WTF are you doing? These posts are almost a month old.
Usually the issue is already solved and irrelevant.

Burts, did we finish drafting the stupid test... er, member qualification test?

CCNP
 
You missed this one, ISP...

"@Jasonlees: vlans have nothing to do with security!"

Is that right? And where did you do your Cisco training?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
lol, I was so busy looking at the date...
I don't know what's wrong with some of these people; not only are they misinformed, they wish to spread it to others.

CCNP
 
OK, enlighten me, or both of you go to the dungeon...
 
Here is your epiphany: LOOK AT THE DATE BEFORE POSTING. Common sense.

CCNP
 
Yeah, I know it's an old thread, before you flame me :p, but it's made me think a bit: at what point do you substitute router/L3 switch routing between subnets for going through a dedicated firewall to route?

You can lock down via ACLs on the router/switch, but at what point would you move the subnet to a firewall interface?
 
There is no set threshold; it depends on your needs. And more than likely, if there are a large number of users in that subnet (a /21, for instance) you may have both a router and a firewall (ASA, of course). But it really depends on what you need and what is in that subnet. Banking institutions with fewer than 5 employees at a site often have a tiered firewall/router system for getting traffic in or out.

CCNP
 
Well, first off, VLANs can be locked down to specific MAC addresses (static or dynamically learned), offer security at L2, and have MAC ACLs available to implement.

As far as management goes, it is far easier to document and manage a network that has logically separated VLANs. Whether you use an L3 switch or RoAS, you can lock VLANs down even further with L3 ACLs.

You can also choose to have strictly L2 VLANs that can only communicate with nodes in the same VLAN.

An L3 switch that routes its VLANs will perform MUCH faster than IP-subnetted LANs.

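The following is an added configuration sketch, not something posted by anyone in this thread, of the design the posts above describe: one VLAN and /24 per group of roughly 120 PCs with primary and backup DHCP servers (meneer's layout), inter-VLAN routing done on the L3 switch rather than the firewall, an L3 ACL that restricts what the user VLANs may reach on the server VLAN, port security locking an access port to a learned MAC, and a DMZ VLAN that is deliberately Layer 2 only (no SVI) so that the firewall is the only router for it. VLAN numbers, the 10.0.0.0/16 address plan, DHCP server addresses and interface names are all assumed; the syntax is Catalyst 3560/3750-era IOS.

```cisco
! Added example: Catalyst 3560/3750-style core. All numbers are assumed.
ip routing
!
vlan 10
 name USERS-A
vlan 11
 name USERS-B
vlan 20
 name SERVERS
vlan 99
 name DMZ
vlan 100
 name FW-TRANSIT
!
! Traffic entering the switch from the user VLANs: only the listed services
! may reach the server VLAN; everything else bound for servers is dropped;
! traffic to other destinations (Internet via the firewall) is permitted.
ip access-list extended USERS-IN
 remark DHCP from clients to the relay (SVI) must stay open
 permit udp any eq 68 any eq 67
 remark DNS / HTTP / HTTPS / SMB to the server VLAN (assumed services)
 permit udp 10.0.10.0 0.0.1.255 10.0.20.0 0.0.0.255 eq 53
 permit tcp 10.0.10.0 0.0.1.255 10.0.20.0 0.0.0.255 eq 80
 permit tcp 10.0.10.0 0.0.1.255 10.0.20.0 0.0.0.255 eq 443
 permit tcp 10.0.10.0 0.0.1.255 10.0.20.0 0.0.0.255 eq 445
 deny   ip any 10.0.20.0 0.0.0.255
 permit ip any any
!
! One SVI per routed VLAN; two helper addresses = primary + backup DHCP.
interface Vlan10
 description USERS-A (~120 PCs, a /24 leaves headroom)
 ip address 10.0.10.1 255.255.255.0
 ip helper-address 10.0.20.10
 ip helper-address 10.0.20.11
 ip access-group USERS-IN in
!
interface Vlan11
 description USERS-B
 ip address 10.0.11.1 255.255.255.0
 ip helper-address 10.0.20.10
 ip helper-address 10.0.20.11
 ip access-group USERS-IN in
!
interface Vlan20
 description SERVERS
 ip address 10.0.20.1 255.255.255.0
!
! Transit VLAN to the firewall; the switch's default route points at it.
! Note: VLAN 99 (DMZ) intentionally has NO SVI, so the switch never routes it.
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.100.2
!
! Uplink to the firewall: a trunk carrying only the transit and DMZ VLANs.
interface GigabitEthernet1/0/1
 description to firewall (inside = VLAN 100, DMZ = VLAN 99)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 99,100
 switchport mode trunk
 switchport nonegotiate
!
! A DMZ host: access port in the L2-only VLAN.
interface GigabitEthernet1/0/2
 description DMZ web server
 switchport mode access
 switchport access vlan 99
!
! A user access port locked to one sticky-learned MAC address.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
```

The firewall side (not shown) needs its inside interface on VLAN 100 at 10.0.100.2 with a route for 10.0.0.0/16 via 10.0.100.1, and its DMZ sub-interface on VLAN 99. After applying the ACL, `show ip access-lists USERS-IN` shows per-entry hit counts, and on a 3560/3750 `show platform tcam utilization` and `show sdm prefer` show how much of the hardware ACL capacity is in use, which is the resource the "more than 50 rules took the core down" story later in this thread is about.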
 
We use an array of /22-/24 networks, mainly for historical reasons (and a lack of time and effort to normalise it a bit), never more than 100-150 devices per subnet, but often 20+ IPs on a server (web farm).

I got into the habit, when a new subnet was required, of simply adding it as an interface (physical or virtual) at the firewall level (non-Cisco), letting that route it, and creating an associated layer 2 VLAN. Often this is required due to the stupid amount of NAT rules and restrictions between the various networks and VPNs, and how piss easy it is to sort a complex set of NAT rules on our main firewall.

It was only recently that I realised how much more efficient some of the network could be made, and this thread popped up shortly after. There has to be a break point, from an administrative viewpoint (and speed), where the firewall is better to use; I just don't know where that is.

I could stick all the NAT and ACL rules into a 3570 or similar, but would 300+ separate rules and translations slow it to an almost crawl?

On that particular note, I notice that layer 3 switches are not included in the router performance PDF from Cisco. I've also not seen router statistics anywhere for a layer 3 switch. How does the routing throughput compare?
 
They are line speed, due to hardware-based ASICs. In other words, they are much faster than pure routers.

CCNP
 
I think each interface has its own ASIC.

Also, I was mostly answering meneer, but I hope you found some use.

 
Our retired L3 switch (120 Gb RJ45 and fiber ports) was able to use ACLs, but the limit was around 25%, so only 50 rules. (Yes, > 50 rules would take the core switch down.)

We've put in a simple Cisco router (1xxx/2xxx model, not sure any more), which could do much more with ease.

According to this

Cisco switches with their ASICs are also made for ACLs.
So it looks like (no experience) you don't need a router.
But a firewall does more than ACLs; was your question whether you could do everything with only an ACL on a (fast) switch?
 
Hmm, to be debated. I have seen some 3560s with 20 pages of printed ACLs doing 100+ Mbps. And a couple of 3750s doing crazy security things I have never seen.

CCNP
 
I would still use a FW, no question, but an L3 switch to route the VLANs, not the FW. I am not understanding the confusion here...

 