
vLANs for Newbies 2


Stevehewitt

IS-IT--Management
Jun 7, 2001
2,075
GB
Hi all,

Got a big hardware refresh coming up, including switches and a new VMWare Farm plus 2 new SAN's.

As part of this, and only being with the company for 6 months and having no VMWare training; I'm in the middle of a VMWare FastTrack course.

It appears that VMWare recommend having separate vLANs for various parts of the system for security and performance reasons.

I'm not new to networking, but I've never had any experience with vLANs at all.
We have a new Juniper SSG-320M Firewall which i've yet to deploy (half way through) and I'm thinking that between a new VMWare farm, new switches and a new firewall this is the ideal time to look at implementing some best practice and deploying some vLANs.

I'm after some basics. In particular, if I have 3 or 4 vLANs - do I need 4 routers to communicate between them? I suspect not, after hearing about trunking, therefore having a single port going to a single router, where the router essentially treats them all as separate networks due to the vLAN tags.

For example, if I have a management vLAN, office vLAN, VMWare Kernel vLAN - could they all travel over the backbone to a single interface on our Juniper SSG, and I could then use virtual routers to route between the vLANs?

Would I even need to use Virtual Routers on the Juniper? What do other routers do to route between vLANs? Can the vLANs have the same IP range and subnet ID? E.g. could I not use 192.168.0.x/16 for vLAN 101, and 192.168.0.x/16 for vLAN 102? If so, how on earth does the router know how to route the traffic?!!

Sorry for the long post, but to summarise:

1. Is it correct that you can set a switch that carries multiple vLANs to have a Trunk port, whereby it will carry all traffic for all networks to a router?

2. If so, does this mean that I can use just a single 1gig NIC on the Juniper firewall for all the traffic? (Bandwidth shouldn't be an issue)

3. Would I need to use virtual routers on the Juniper firewall?

4. Do the vLANs have to exist on separate network IP ranges and subnets?

5. Are there any potential issues or common mistakes I need to look out for when implementing this?

Thanks in advance. Any help will go towards me doing a FAQ for anyone else who could be in my shoes! (with credit obviously!)

Cheers,



Steve.

"They have the internet on computers now!" - Homer Simpson
 
1. Yes

2. Yes, as long as it supports 802.1q (VLAN Trunking)

3. I'm not familiar with Juniper, but it is a layer 3 device so it should handle inter-VLAN routing

4. Absolutely

5. Careful design will save you a lot of headaches later.

VLANs are normally set up geographically or by function
VLAN floor1
VLAN floor2
or
VLAN accounting
VLAN sales
Whichever makes the most sense in your circumstances.

Of course, make sure the switches you use have VLAN capability.

There are many other minor things.

If you need help, you know where to come!

MCSE CCNA CCDA
 
Steve, check out your inventory and see what you have -- sounds like your company has spent money and you may well have layer three switches that can handle the routing between VLANs internally. This is always preferable, because good switches can handle multiple Gbps of traffic while your proposed "router on a stick" method of inter-VLAN routing is limited by the speed of the interface (typically 1 Gbps.) Of course, your SAN vendor may recommend dedicated switches (not even shared using VLANs) to handle your traffic load.

However, in answer to some of your questions:

1. Yes, that's what a trunk is -- single wire with multiple (virtual) networks running on it.

2. Not sure how the Juniper fits in

3. If the Juniper is capable of handling VLANs, and assuming it works like Cisco, you create logical sub-interfaces for the physical ethernet port, and thus the single cable carries all the traffic.

4. Absolutely they do, you can get creative with subnet assignments but that's the second-most important feature of VLANs (first being security). Here I use 192.168.X.0/24 for data, 172.16.X.0/24 for voice, and 10.X.X.0/24 for management VLANs.

5. Don't go bonkers creating a zillion VLANs all over the place, you'll want to slit your wrists later. Think it through, and have a logical reason each time you decide to create a VLAN. "Why does this need to be separate?" "Does it make sense to break this out?" That kind of stuff.

Yell if you get stuck, I've not used Juniper before but most of this stuff is the same.
 
Thanks all - very useful info. Got me pondering all through the night about switching now! :)

jpm121 - so Layer 3 switches will essentially act as a stupid router, whereby if the switch fabric gets traffic from vLAN 101 that needs to go to the vLAN 102 network it will pump it out over the correct port?

Sorry for asking such a stupid question, but rather double check! :)

Cheers,



Steve.

"They have the internet on computers now!" - Homer Simpson
 
I've got a Juniper 320M on order right now. I haven't played with it yet, but I've been reading the manual. It's fully 802.1q compliant, and should be able to perform just about any configuration you can work out. A very sweet appliance, very open-ended.

I run multiple VLANs, and I don't route between any of them. Set up properly, a single NIC can participate in multiple VLANs simultaneously. For instance, you mention a management VLAN, there's probably no good reason to ever route that traffic to another VLAN. I have a monitoring pc whose single NIC is participating in 4 VLANs (no routers involved).

I agree with others in this thread, planning is EVERYTHING. Spend some time looking at this from every angle and keep it as simple as possible.

--
The stagehand's axiom: "Never lift what you can drag, never drag what you can roll, never roll what you can leave."
 
"so Layer 3 switches will essentially act as a stupid router, whereby if the switch fabric gets traffic from vLAN 101 that needs to go to the vLAN 102 network it will pump it out over the correct port?"

Yeah, that's correct on a basic level except for the "stupid" part; in addition to routing you can apply access lists to restrict traffic flows. For example, you may create a VLAN for developers working on software, and you want that absolutely restricted from touching anything on the other VLANs. Or you may restrict everyone on the factory floor from access to the accounting VLAN. Maybe you're set up simply and just want to block PC users from messing with phone settings on the voice VLAN.
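The two answers above (jpm121's description of a trunk feeding logical sub-interfaces on one physical port, and the last reply's point that the same device can apply access lists to the inter-VLAN flows) can be seen working in the following added example. It is not code from the thread, from Juniper or from Cisco; it is a small Python model of a "router on a stick": 802.1Q frames are built and parsed the way a trunk actually carries them (a 4-byte tag inserted after the source MAC), one sub-interface per VLAN ID is configured with its own subnet, a destination is matched to an egress VLAN by subnet, and an ordered ACL is consulted before the packet is sent back out the same wire with a new tag. The VLAN IDs 101 and 102 come from Steve's question; the subnet numbers, MAC addresses and the `RouterOnAStick` class and its methods are invented for the illustration. It also shows two things the answers only assert: why two VLANs cannot share a subnet on a router (the overlap is rejected at configuration time, because no egress VLAN could be chosen), and why an untagged frame arriving on a trunk with no native VLAN defined has to be dropped rather than guessed at.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100       # EtherType value that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

# Constructed, locally administered MACs used only by this demo.
ROUTER_MAC = bytes.fromhex("020000000001")
HOST_MAC = bytes.fromhex("020000000002")


def build_ipv4_packet(src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (no options, checksum 0): enough to route on."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return header + payload


def build_frame(dst_mac: bytes, src_mac: bytes, vlan_id, packet: bytes) -> bytes:
    """Ethernet II frame. With vlan_id set, a 4-byte 802.1Q tag (TPID + TCI) is
    inserted between the source MAC and the EtherType; that tag is the whole
    mechanism by which one trunk wire carries several networks."""
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = vlan_id & 0x0FFF    # PCP=0, DEI=0, VID in the low 12 bits
    return (dst_mac + src_mac + struct.pack("!HH", TPID_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + packet)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into MACs, VLAN ID (None if untagged), EtherType, payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return {"dst_mac": frame[0:6], "src_mac": frame[6:12], "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


class RouterOnAStick:
    """Hypothetical model (not a Juniper/Cisco API): one trunk port, one logical
    sub-interface per VLAN, an ordered first-match ACL between VLANs."""

    def __init__(self, native_vlan=None, default_action="permit"):
        self.subinterfaces = {}           # vlan_id -> IPv4Network
        self.acl = []                     # (src_vlan | "any", dst_vlan | "any", action)
        self.native_vlan = native_vlan    # VLAN that untagged frames are assigned to
        self.default_action = default_action

    def add_subinterface(self, vlan_id: int, network: str) -> None:
        net = ipaddress.IPv4Network(network)
        for other_vlan, other_net in self.subinterfaces.items():
            if net.overlaps(other_net):   # same subnet on two VLANs: no way to pick egress
                raise ValueError(f"{net} on VLAN {vlan_id} overlaps {other_net} on VLAN {other_vlan}")
        self.subinterfaces[vlan_id] = net

    def add_rule(self, src_vlan, dst_vlan, action: str) -> None:
        self.acl.append((src_vlan, dst_vlan, action))

    def _policy(self, src_vlan: int, dst_vlan: int) -> str:
        for rule_src, rule_dst, action in self.acl:       # first match wins
            if rule_src in (src_vlan, "any") and rule_dst in (dst_vlan, "any"):
                return action
        return self.default_action

    def route(self, frame: bytes):
        """Return ("forward", re-tagged frame) or ("drop", reason)."""
        f = parse_frame(frame)
        ingress = f["vlan"] if f["vlan"] is not None else self.native_vlan
        if ingress is None:
            return ("drop", "untagged frame on trunk and no native VLAN configured")
        if ingress not in self.subinterfaces:
            return ("drop", f"no sub-interface for VLAN {ingress}")
        if f["ethertype"] != ETHERTYPE_IPV4:
            return ("drop", "not IPv4")
        pkt = f["payload"]
        src_ip, dst_ip = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
        if src_ip not in self.subinterfaces[ingress]:     # simple anti-spoofing check
            return ("drop", f"{src_ip} is not a valid source on VLAN {ingress}")
        egress = next((v for v, n in self.subinterfaces.items() if dst_ip in n), None)
        if egress is None:
            return ("drop", f"no route to {dst_ip}")
        if egress == ingress:
            return ("drop", "same VLAN: switched at layer 2, never reaches the router")
        if self._policy(ingress, egress) != "permit":
            return ("drop", f"ACL denies VLAN {ingress} -> VLAN {egress}")
        # Same IP packet goes back out the same trunk; only the 802.1Q tag changes.
        return ("forward", build_frame(HOST_MAC, ROUTER_MAC, egress, pkt))


def subnet_accepted(router: RouterOnAStick, vlan_id: int, network: str) -> bool:
    """True if the sub-interface could be added, False if it overlaps an existing one."""
    try:
        router.add_subinterface(vlan_id, network)
        return True
    except ValueError:
        return False


def demo():
    """Constructed scenario: office VLAN 101, VMkernel VLAN 102, management VLAN 103."""
    r = RouterOnAStick()
    r.add_subinterface(101, "192.168.101.0/24")
    r.add_subinterface(102, "192.168.102.0/24")
    r.add_subinterface(103, "10.10.10.0/24")
    r.add_rule("any", 103, "deny")          # nothing is routed into management
    vmk_pkt = build_ipv4_packet("192.168.101.20", "192.168.102.5")
    return r, {
        "office_to_vmk": r.route(build_frame(ROUTER_MAC, HOST_MAC, 101, vmk_pkt)),
        "office_to_mgmt": r.route(build_frame(ROUTER_MAC, HOST_MAC, 101,
                                              build_ipv4_packet("192.168.101.20", "10.10.10.1"))),
        "untagged": r.route(build_frame(ROUTER_MAC, HOST_MAC, None, vmk_pkt)),
    }
```

Run `demo()`: the office-to-VMkernel frame comes back tagged 102 with the IP packet untouched, the office-to-management frame is dropped by the ACL, and the untagged frame is dropped because no native VLAN was configured. The native-VLAN case is the one worth remembering from the "common mistakes" question: on real switches untagged frames on a trunk are placed in the native VLAN, so leaving it at its default and also using that VLAN for hosts means untagged traffic silently lands on a network you did not intend.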
 