VLAN segmenting

dwscott

Technical User
Nov 22, 2004
2
US
I'm fairly new to HP VLANs. I have a 5308, a 4000m and several buildings with a mix of 2524s, 2224s and 2324s ProCurves in them (along with some off-brand stuff). The 4000 and 5308 are not currently, but I would like them to be my central switches for the campus. I want to bring in traffic from several buildings into either the 4000 or 5308 and have all that traffic on a particular VLAN. Traffic from other buildings I want on another VLAN. There may be 1 more VLAN for common resources, but mostly I want these two main VLANs to be as "invisible" as possible to each other.

Currently all switches are on the default VLAN, and on 1 big 10.x.x.x network.

Can I simply create 3 VLANs on my 4000, and an IP to each VLAN interface, then add the ports uplinking each building to the VLAN of my choice, without having to configure the switches in each building? Would that buy me the segmentation and subnetting I *think* I want? Am I oversimplifying? Pointers, people, pointers?!! ;)

David
 
I would take a close look and see how many users you have in each building and consider breaking it up maybe by building. Certainly would be easier to keep track of. I wouldn't have a subnet bigger than 254 addresses; this makes it too big of a broadcast domain. Your thinking is correct. I would just look at the traffic and make your VLANs accordingly. I wouldn't limit myself to just 3 VLANs if you have a lot of users; there is nothing wrong with having more than 3 VLANs. If you have multiples, if you have a problem on a particular VLAN it probably won't affect the others unless it is a virus or something along those lines. Segmenting also allows you to apply ACLs if need be to control something like a virus.
 
So basically, each port coming in from a building would be added to its own VLAN in the 4000/5308, each on its own subnet. Do you have any idea if my DHCP server will hand out the appropriate address range based on VLAN subnet? (I figure it should, just picking your brain). Of course, the DHCP server would have to be on the same VLAN(s) or a common VLAN.

The virus example is accurate. I'm trying to isolate traffic as much as possible to keep viruses/trojans from flooding my network. The reason I'm looking at one network for the buildings is the addition of 720/760 access points that would *hopefully* allow me to knock specific users off if they became infected. But that's down the line a bit.
 
I don't know what kind of connections you have between the buildings, but I would want to limit broadcasts at each building BEFORE it hits your main switches.

You could do the following:
Configure each switch for each building to be their own VLAN (or one VLAN per floor per building).

Connect the switches with Trunk ports (multiple 100Mbs) to the central one; Enable VLAN Tagging on these ports if you want to be able to place Y user from Building A to Building B and still be on the same subnet...

You could use a 2626 or another vendor's simple router to route traffic to the main core...

In most HP ProCurves you can enable an "IP Helper"; that's what you need to do, and DHCP should be fine...
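
The thread's two sizing and DHCP points, worked through as an added example that is not from any poster: it carves a campus range into one VLAN per building with no subnet larger than a /24, then picks the DHCP scope the way a server does for relayed requests, by the relay address (giaddr) that the routed VLAN interface stamps on the request. The campus range, building names, user counts, starting VLAN ID and function names are all constructed assumptions.

```python
import ipaddress

MAX_PREFIX = 24  # thread advice: keep each subnet to 254 usable addresses or fewer

def plan_vlans(campus, users_per_building, first_vlan_id=10):
    """Carve one VLAN/subnet per building, splitting buildings that exceed a /24."""
    blocks = ipaddress.ip_network(campus).subnets(new_prefix=MAX_PREFIX)
    plan, vlan_id = [], first_vlan_id
    for building, users in users_per_building.items():
        remaining = users
        while remaining > 0:
            hosts = min(remaining, 253)  # 254 usable minus the gateway address
            # Smallest prefix holding hosts + gateway + network + broadcast.
            prefix = 32 - (hosts + 2).bit_length()
            subnet = next(next(blocks).subnets(new_prefix=prefix))
            plan.append({"vlan": vlan_id, "building": building, "subnet": subnet,
                         "gateway": subnet.network_address + 1, "hosts": hosts})
            vlan_id += 1
            remaining -= hosts
    return plan

def select_scope(plan, giaddr):
    """Return the scope whose subnet contains the relay address, else None."""
    addr = ipaddress.ip_address(giaddr)
    return next((e for e in plan if addr in e["subnet"]), None)

# Constructed sample input: campus range and user counts are assumptions.
SAMPLE_USERS = {"Building A": 180, "Building B": 400, "Building C": 40}

if __name__ == "__main__":
    plan = plan_vlans("10.20.0.0/16", SAMPLE_USERS)
    for e in plan:
        print(e["vlan"], e["building"], e["subnet"], "gw", e["gateway"],
              e["hosts"], "hosts")
    # A request relayed from the VLAN 12 gateway lands in Building B's second scope.
    print(select_scope(plan, "10.20.2.1"))
```

A relay address that matches no planned subnet returns `None`, which is the case to alert on: it means a VLAN interface is relaying DHCP for a segment nobody defined a scope or ACL for.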
 