
VLAN layout


k3lvin (Technical User, GB), Jan 13, 2008
Hey, just after some advice here. Currently on our network we have servers, clients, printers and network devices all using one IP range and on the default VLAN. Obviously this is not very good and I would love to segment the network using different VLANs for different devices. My plan is to have the following on their own VLAN:

VLAN2 Servers (15 hosts)
VLAN3 Clients (150 hosts)
VLAN4 Printers (20 devices)

My TWO questions are: should network devices (ie layer2/3 switches, hardware firewall) be on their own VLAN? If not what VLAN group should they be part of?

What VLAN should be used as the DEFAULT_VLAN?

Thanks very much, any feedback would be much appreciated.
 
I don't see any problem with keeping switches, network based appliances like firewalls, and servers on the same vlan. Then like you said, having clients, and if you want, printers on separate vlans respectively.
The default vlan is VLAN 1 by default.

 
What should be on the default vlan? Or should I leave this reserved?

Do network devices need to be part of all the vlans?
 
For your size network, it's no big deal, but if security is an issue, best practice is to not manage your switches on the same network as your data. (on page 4 under Best Practice)

Since all switches know about VLAN 1, it's to make sure you're not plugging in a new switch and having it automatically on your management VLAN. You will have to manually configure it in the new VLAN where you have created a subnet for management.

Personally, I use VLAN 1 for my users and put servers on another.
 
It's considered a good idea to not use VLAN1.

Network devices do not need to be on all VLANs - only on VLANs that they need to pass traffic for.

My golden rule is this: have as few VLANs on each switch as you can, and have each VLAN span as few switches as possible.
 
So we repatched our patch panel during the weekend and we can actually see our switches now! I am now about to start testing the routing between VLANs. This URL is an example layout: we have more L2/L3 switches, but if I can understand this scenario the rest should be easy.

VID50 192.168.50.x (Blue) Servers
VID60 192.168.60.x (Grey) Clients, switches, gateway, everything else...
VID70 192.168.70.x (Yellow) Printers

All 3 VLANs above will need to talk to each other.

My first question is do the ports need to be tagged or untagged? For example SW2 module C ports would all need to be untagged to VID50 I think? Would I ever need to tag ports in the scenario in the URL?

My second question is some of you said to use VLAN1, others said not to. Would my setup above work if I did not use VLAN1 for any ports?

Thanks in advance, I really appreciate the support.
 
The ports with edge devices on them (servers, printers, etc...) should have their ports UNtagged.
The exception to this is with virtualisation - VMWare or ESX servers would often have tagged ports because the different virtual servers within them are on different VLANs.

As your additional VLANs are not on your SW1, you do not need to trunk them to it.

Therefore SW2, B24 is just untagged in VLAN 60.

Personally, I would call my Layer3 switch "SW1".
 
Thanks I understand the concept of vlans now but I'm having problems getting my vlans to communicate to each other so hopefully you can help me, here is my test setup:

On the HP ProCurve 5308XL browser settings:
Default Gateway: 192.168.0.1 (our firewall)
VLAN50 has Port 1 untagged
VLAN50 IP address: 192.168.50.254
VLAN50 Subnet mask: 255.255.255.0
VLAN60 has Port 2 untagged
VLAN60 IP address: 192.168.60.254
VLAN60 Subnet mask: 255.255.255.0

Host A is plugged into port 1
Host A IP settings:
IP Address: 192.168.50.5
Subnet Mask: 255.255.255.0
Default gateway: 192.168.50.254

Host B is plugged into port 2
Host B IP settings:
IP Address: 192.168.60.5
Subnet Mask: 255.255.255.0
Default gateway: 192.168.60.254

Firewalls and AVs are disabled on the hosts.
I have also tried setting the hosts' gateway to our firewall, 192.168.0.1.

Host A cannot ping Host B and vice versa! Where am I going wrong? Do I need to enable inter-VLAN routing on the console?
 
Ok, I answered my own question in the last post! I have managed to get the VLANs to route to each other. I consoled into the switch and enabled IP routing (kind of helps!). Question about hosts connected to these VLANs:

Should the default gateways of host A and B be their respective vlan address or the switches default gateway?

Thanks!
 
A Layer 2 switch has a default gw
A layer 3 switch has a default route

A "VLAN address" is a layer 3 switch interface which is the default GW for the subnet it belongs to.
(A dodgy design might have multiple Layer3 switches with interfaces in the same subnet, also when you are running VRRP).
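The two failure modes in this thread (IP routing left disabled on the Layer 3 switch, and a host whose default gateway is the firewall on 192.168.0.0/24 rather than the on-link VLAN interface) can be checked mechanically. The script below is an added example, not from any poster or from HP; the VLAN interfaces and host settings are constructed from the test setup described above.

```python
import ipaddress

# Constructed from the thread's ProCurve test setup: one IP interface (SVI) per routed VLAN.
VLAN_INTERFACES = {
    50: ipaddress.ip_interface("192.168.50.254/24"),
    60: ipaddress.ip_interface("192.168.60.254/24"),
}

# Constructed host configs: the VLAN the access port is untagged in, the host address and its gateway.
HOSTS = {
    "Host A": {"vlan": 50, "ip": "192.168.50.5/24", "gateway": "192.168.50.254"},
    "Host B": {"vlan": 60, "ip": "192.168.60.5/24", "gateway": "192.168.60.254"},
    # The thread's mistaken variant: gateway pointed at the firewall, which is not on the host's subnet.
    "Host B (firewall gw)": {"vlan": 60, "ip": "192.168.60.5/24", "gateway": "192.168.0.1"},
}


def check_host(host, ip_routing_enabled=True):
    """Return the list of problems that would stop this host reaching other VLANs (empty = OK)."""
    problems = []
    host_if = ipaddress.ip_interface(host["ip"])
    gateway = ipaddress.ip_address(host["gateway"])
    svi = VLAN_INTERFACES.get(host["vlan"])
    if svi is None:
        return [f"VLAN {host['vlan']} has no IP interface on the switch, so nothing can route it"]
    if host_if.network != svi.network:
        problems.append(f"host subnet {host_if.network} does not match VLAN interface {svi}")
    if gateway not in host_if.network:
        problems.append(f"gateway {gateway} is not on the host's subnet, so ARP for it never succeeds")
    elif gateway != svi.ip:
        problems.append(f"gateway {gateway} is on-link but is not the switch VLAN interface {svi.ip}")
    if not ip_routing_enabled:
        problems.append("'ip routing' is disabled on the switch; traffic stops at the VLAN interface")
    return problems


def can_reach(src, dst, ip_routing_enabled=True):
    """True if src can reach dst: same VLAN and subnet, or both sides correct and the switch routes."""
    if src["vlan"] == dst["vlan"]:
        return ipaddress.ip_interface(src["ip"]).network == ipaddress.ip_interface(dst["ip"]).network
    return not check_host(src, ip_routing_enabled) and not check_host(dst, ip_routing_enabled)


if __name__ == "__main__":
    for name, cfg in HOSTS.items():
        print(name, check_host(cfg) or "OK")
    print("A -> B:", can_reach(HOSTS["Host A"], HOSTS["Host B"]))
```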
 