
VLAN segmentation


DomiNosroB

Technical User
Feb 11, 2003
12
US
Hi all,

I currently have several Baystack 450-24T switches with software version 4.4.0.6. I have them daisy chained together with a router plugged into one of the ports on one of the switches. So some hosts' packets have to go through as many as 7 switches before they reach the router. I want to separate all the users, so that no user can see anything but the router. I realize that I am limited to 4096 individual VLANs, but this shouldn't be a problem since I only utilize about 250 ports.

The closest I have come to achieving my goal is

1. Make each port a member of the default VLAN as well as its own unique VLAN

2. Then making the ports that connect each switch together a member of every vlan on the switch.

3. Setting the default vlan id for each user port to its own unique vlan id.

This works somewhat: it does separate the users on the switch and allows users to see the router, but once the packet leaves its home switch it can see every host along the way to the router.

The current physical setup cannot change.

Can I utilize the trunk port features? I am not sure how to set that up, any help is appreciated.

Thanks,
Robert
 

Kinda busy so I haven't given this much thought. However, the first thing that jumps out is this. I believe you're in violation of the 5-4-3 Ethernet rule.

In a tree topology...between any two nodes in the network you can have *no more* than 5 segments, 4 repeaters (switches/hubs), and no more than 3 of the segments can have user connections on them...(non-user connections would be the segment or trunk used to connect two switches/hubs together).

re: the current physical setup. Is that set in stone??

Anyway....good luck...I'll revisit when I get a minute.
 

Please disregard my last.

With switches the 5-4-3 rule doesn't apply due to buffering capabilities that most hubs don't have.

I had a stupid attack...*sheepish grin*
 
Untagged BS450 ports cannot be members of more than 1 port based VLAN. I'm not sure just what you are trying to do. Maybe some more background will glean a workable solution. Unlike a hub, a switch basically limits an individual's "view" to their own traffic, excepting broadcasts. What type of router is in place? Assuming a Nortel router and all Nortel switches:
On the router, create 1 port based IP VLAN for each user w/routing enabled if necessary. Tag the router port that all the switches collapse to. Make each VLAN a member of that port on the router. Each subsequent switch will need a tagged connection to the other, with the VLANs defined (23 more VLANs for every subsequent switch as you move away from the router). Take the user out of the default VLAN and put one each into one of the newly created VLANs for each user/untagged port. Each user will then have a different IP range and will be in a different VLAN.

YIKES-- convoluted and a LOT of work......Maybe I'm missing the point :-(
 
Long time ago that I visited tek-tips.
Hope I'm not too late.

This seems an odd configuration to me, having every PC on its own subnet, but anyway.

You don't need to configure tagging/trunking on the router and the switch port where it connects to; access port config is OK. Configure ALL user VLAN's and the router VLAN (e.g. 1) on this port and make the PVID the router's VLAN (e.g. 1).
Configure all PC ports in different VLAN's and use for PVID the router VLAN (e.g. 1).
Make all switch uplinks tagged/trunked and configure ALL VLAN's on these tagged ports (PC and router VLAN's). PVID is not important on tagged ports.

regards
Ikke

 
you mean you have 7 switches between the PC and the router?

ich...
we have seen heavy traffic degradation with anything more than 4 levels...
heavy usage, but then, try to make something more like a star design, not a chain like that. you try to avoid that as much as possible.

and having one VLAN for each PC is weird... just imagine the routing needed...
you CAN create 4094 different VLANs, however the BayStack has a limit in itself... look in the documentation...
if I remember correctly, for a BPS2000 the limit is 256 different VLANs...
I'll try to find my source for this information.
 
Thanks for the replies. As to the question of "why do all this?", well, my goal is to separate all users so that no one can reach another host. This is because the users connecting to these switches are at hotels and apartment complexes, and we therefore don't want users trying to get into other computers on the network. We could segment into subnets, but we should be able to get it set up this way.

I have modified the setup somewhat to achieve my goal for some of the locations. I have the original setup, but now each switch connects to a root switch which has each port on its own VLAN with a PVID unique for each port, and the uplink port on the root switch is part of each VLAN on the root switch.

This setup still does not allow for daisy chaining like I want, because each switch has to connect directly to the root switch.

I will try WillyHe's suggestion, but it may be a few weeks.

Thanks for the input everyone!
 
Is this what you are trying to do?

Your solution will work but you need a lot of interfaces/subnets on the router.
With BayStack switches there is a different solution requiring only one subnet on the router.

- Configure VLAN tagging/trunking on all uplink ports; configure all VLAN's on these uplink ports, or only the router VLAN and the VLAN's needed to connect the guest PCs to the router.

- Configure a VLAN, e.g. VLAN 1, for the router and put this on ALL ports; the PVID on the port where the router is connected must be 1.

- Configure on each guest PC port one VLAN and make the PVID this VLAN; configure all guest PC VLAN's on the router port.

- Select a subnet big enough to support all hosts and configure the default GW address on the router. The PCs can reach the router via their VLAN and the router can reach the PCs via its VLAN; the PCs cannot reach each other because the other PCs' VLAN is not configured on the local PC port.

- Like the router, you can also connect e.g. a printer, server, ... and only the selected PC VLAN's can use these devices.

- If some PCs need to be able to communicate with each other you simply configure each other's VLAN on their port(s) (check the local PVID is still the local PC VLAN number).

Let me know the result.

It is also possible to get this working without the use of tagging/trunking on the switch uplink ports but this is more complicated and more difficult to maintain.

regards
Ikke
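The recipe in the two posts above (router VLAN on every port, one private VLAN per guest port with the PVID set to that VLAN, all VLANs on tagged uplinks) can be checked without a lab by modelling how a port-based switch classifies and floods frames. The simulator below is an added example and is not BayStack firmware, any real switch CLI, or code from the thread; the three-switch chain, the VLAN numbers and the port numbers are constructed. It floods an untagged broadcast from a host port and reports whether it can be delivered to another host port, which is the same question as "can this PC even ARP for that one". The untagged-uplink variant is my reading of the symptom in the original post (hosts become visible once a frame leaves its home switch): without a tag, the next switch re-classifies the frame by its own uplink PVID, which is the router VLAN present on every port.

```python
"""Port-based VLAN forwarding model for a daisy chain of switches.

Hypothetical simulator added to illustrate the isolation recipe in the thread;
not BayStack code and not a real switch configuration syntax.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Link = Optional[Tuple[str, int]]   # (neighbour switch, neighbour port) or None for a host


@dataclass
class Port:
    vlans: FrozenSet[int]      # VLANs configured on the port; other VLANs are never sent or accepted
    pvid: int                  # VLAN assigned to frames that arrive without a tag
    tagged: bool = False       # True: frames leave with an 802.1Q tag carrying their VLAN id
    link: Link = None          # uplink to another switch, or None if a host hangs off the port


@dataclass
class Switch:
    name: str
    ports: Dict[int, Port]


class Fabric:
    """A set of switches wired together by their uplink ports."""

    def __init__(self, switches):
        self.switches = {s.name: s for s in switches}

    def reachable(self, src: Tuple[str, int], dst: Tuple[str, int]) -> bool:
        """Flood an untagged broadcast from host port src; True if it reaches host port dst."""
        sw, port = src
        vlan = self.switches[sw].ports[port].pvid     # untagged ingress -> PVID
        return self._flood(sw, port, vlan, dst, set())

    def _flood(self, sw, in_port, vlan, dst, seen) -> bool:
        if (sw, in_port) in seen:
            return False                               # loop guard
        seen.add((sw, in_port))
        switch = self.switches[sw]
        if vlan not in switch.ports[in_port].vlans:
            return False                               # ingress port not in this VLAN: drop
        for pid, port in switch.ports.items():
            if pid == in_port or vlan not in port.vlans:
                continue                               # never egress on a non-member port
            if (sw, pid) == dst:
                return True
            if port.link is not None:
                nsw, nport = port.link
                # A tagged uplink carries the VLAN id across; an untagged uplink
                # loses it and the next switch re-classifies the frame by the
                # PVID of its own uplink port.
                next_vlan = vlan if port.tagged else self.switches[nsw].ports[nport].pvid
                if self._flood(nsw, nport, next_vlan, dst, seen):
                    return True
        return False


ROUTER_VLAN = 1
PC_VLANS = {"sw1": 10, "sw2": 20, "sw3": 30}   # constructed: one guest port per switch


def build_chain(tagged_uplinks: bool) -> Fabric:
    """Three switches in a chain (constructed topology): router on sw1 port 1,
    one guest PC on port 2 of every switch, uplinks on ports 23/24."""
    all_vlans = frozenset([ROUTER_VLAN, *PC_VLANS.values()])

    def uplink(peer: Tuple[str, int]) -> Port:
        # all VLANs on the uplink; the PVID only matters when the uplink is untagged
        return Port(all_vlans, pvid=ROUTER_VLAN, tagged=tagged_uplinks, link=peer)

    def guest(vlan: int) -> Port:
        # router VLAN plus the port's own VLAN, PVID = its own VLAN
        return Port(frozenset({ROUTER_VLAN, vlan}), pvid=vlan)

    router = Port(all_vlans, pvid=ROUTER_VLAN)          # every guest VLAN, PVID = router VLAN
    sw1 = Switch("sw1", {1: router, 2: guest(10), 24: uplink(("sw2", 23))})
    sw2 = Switch("sw2", {2: guest(20), 23: uplink(("sw1", 24)), 24: uplink(("sw3", 23))})
    sw3 = Switch("sw3", {2: guest(30), 23: uplink(("sw2", 24))})
    return Fabric([sw1, sw2, sw3])


def isolation_holds(fabric: Fabric) -> bool:
    """True when every guest reaches the router (and vice versa) but no guest reaches another."""
    router = ("sw1", 1)
    guests = [(name, 2) for name in PC_VLANS]
    to_router = all(fabric.reachable(g, router) and fabric.reachable(router, g) for g in guests)
    between = any(fabric.reachable(a, b) for a in guests for b in guests if a != b)
    return to_router and not between


if __name__ == "__main__":
    print("tagged uplinks   ->", isolation_holds(build_chain(tagged_uplinks=True)))    # True
    print("untagged uplinks ->", isolation_holds(build_chain(tagged_uplinks=False)))   # False
```

The model deliberately ignores MAC learning and treats every frame as a broadcast; that is the conservative case for isolation, because a unicast frame is never delivered to a port that a broadcast in the same VLAN could not reach. It also matches the caveat in the first post that the PVID on a tagged uplink is irrelevant: `uplink()` sets it, but the tagged path never consults it.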
 