VLAN Segmentation Best Practice

Jun 22nd, 2007

Hello all, I have a general question about the best practice of VLAN implementation. We are in the process of redesigning our network and are unsure about the best way to segment the VLANs. We have three server VLANs that need to talk to all the VLANs, and after that we don't want the other VLANs to talk to each other at the access layer. What is the best practice for this: ACLs? PVLANs? Static routes? Our current implementation is using EIGRP for routing, and therefore every VLAN can talk to everything, which is why we are trying to improve upon it. Any suggestions are greatly appreciated. Thank you.

abdel_n Fri, 06/22/2007 - 09:06

Hi Anthony,

Here are some very brief recommendations Cisco provides before deploying VLANs; of course you can develop each point from Cisco documentation according to your enterprise size.

I)- Hierarchical and scalable network addressing:

- Allocate IP address spaces in contiguous blocks: design the IP addressing scheme so that blocks of 4, 8, 16, 32, or 64 contiguous network numbers can be assigned to the subnets in a given building distribution and access switch block. This approach allows each switch block to be summarized into one large address block.

- At the Building Distribution layer, continue to assign network numbers contiguously out toward the access-layer devices.

- A single IP subnet corresponds to a single VLAN. Each VLAN is a separate broadcast domain.

- Subnet at the same binary value on all network numbers, avoiding variable-length subnet masks when possible, to minimize errors and confusion when troubleshooting or configuring new devices and segments.

II)- When mapping VLANs onto the new hierarchical network design, keep these parameters in mind:

- Examine the subnetting scheme that has been applied to the network and associate a VLAN to each subnet.

- Configure routing between VLANs at the distribution layer using multilayer switches; you can control VLAN interconnections using simple ACLs.

- If you need to filter out some traffic inside a given VLAN, you can use a VACL.

- Make end-user VLANs and subnets local to a specific switch block.

- Ideally, limit a VLAN to one access switch or switch stack. However, it may be necessary to extend a VLAN across multiple access switches within a switch block to support a capability such as wireless mobility.

- If you need to improve security within a single VLAN, you can implement PVLANs to isolate hosts/servers from each other while still communicating with gateway ports.

III)- Different types of traffic may exist on the network, and these should be considered before device placement and VLAN configuration:

- Network management (BPDUs, CDP, SNMP, RMON; may be assigned to a specific VLAN to separate management traffic from customer traffic).

- IP telephony (signaling data and data packets, generally assigned to a voice VLAN to allow effective QoS implementation).

- Multicast (multicast server placement; implement PIM, CGMP, and IGMP to control and contain multicast traffic).

- Normal data (typical applications like DB, File Transfer, email, http).

- Scavenger class (traffic with protocols and patterns exceeding normal data flow).

Good work,
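The distribution-layer ACL approach from point II, applied to the original question (three server VLANs reachable from every VLAN, user VLANs unable to reach each other), as an added IOS configuration example that is not part of the original post or of Cisco's documentation. Every VLAN number, address, interface name, DHCP server address and the EIGRP AS number is an assumption; the addressing follows point I so that the user switch block summarizes to one prefix on the uplink.

```cisco
! Added example (not from the original post). Hypothetical addressing:
!   server block 10.1.0.0/22  -> VLAN 10 = 10.1.0.0/24, VLAN 20 = 10.1.1.0/24, VLAN 30 = 10.1.2.0/24
!   user block   10.1.16.0/20 -> VLAN 100 = 10.1.16.0/24, VLAN 101 = 10.1.17.0/24, ...
! Inter-VLAN routing happens only here, on the distribution-layer multilayer
! switch, so the access layer never forwards between VLANs and one ACL
! enforces the whole policy.
ip routing
!
vlan 10
 name SERVERS-A
vlan 20
 name SERVERS-B
vlan 30
 name SERVERS-C
vlan 100
 name USERS-FLOOR1
vlan 101
 name USERS-FLOOR2
!
! Policy for traffic entering the router from any user VLAN:
!   1. DHCP relayed by ip helper-address must still get through
!   2. the whole server block is reachable (one ACE covers all three server VLANs)
!   3. the hosts' own gateway SVIs stay reachable (ping, traceroute)
!   4. everything else inside the user block, i.e. other user VLANs, is dropped
!   5. anything outside the campus (WAN, Internet) is routed normally
ip access-list extended USER-VLAN-IN
 remark 1. DHCP discover/request towards the relay
 permit udp any eq bootpc any eq bootps
 remark 2. user -> server block 10.1.0.0/22
 permit ip any 10.1.0.0 0.0.3.255
 remark 3. user -> default gateway SVIs
 permit ip any host 10.1.16.1
 permit ip any host 10.1.17.1
 remark 4. user -> any other user VLAN inside 10.1.16.0/20
 deny   ip any 10.1.16.0 0.0.15.255 log
 remark 5. user -> everything else
 permit ip any any
!
interface Vlan10
 description SERVERS-A (no ACL: servers may talk to every VLAN)
 ip address 10.1.0.1 255.255.255.0
interface Vlan20
 description SERVERS-B
 ip address 10.1.1.1 255.255.255.0
interface Vlan30
 description SERVERS-C
 ip address 10.1.2.1 255.255.255.0
!
interface Vlan100
 description USERS-FLOOR1
 ip address 10.1.16.1 255.255.255.0
 ip helper-address 10.1.0.10
 ip access-group USER-VLAN-IN in
interface Vlan101
 description USERS-FLOOR2
 ip address 10.1.17.1 255.255.255.0
 ip helper-address 10.1.0.10
 ip access-group USER-VLAN-IN in
!
! Point I pays off here: because the user VLANs were carved out of one
! contiguous /20, the uplink advertises a single summary instead of one
! route per VLAN.
interface GigabitEthernet1/1
 description uplink to core
 no switchport
 ip address 10.255.0.2 255.255.255.252
 ip summary-address eigrp 100 10.1.16.0 255.255.240.0
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
 passive-interface default
 no passive-interface GigabitEthernet1/1
```

Two things to check after applying it: `show ip access-lists USER-VLAN-IN` should show the deny counter climbing when a host in VLAN 100 tries to reach VLAN 101, and the permit counters climbing for server traffic. The `log` keyword on the deny is useful while tuning but is handled in software on Catalyst platforms, so remove it once the policy is confirmed if the switch is busy. Because one ACL is shared by all user SVIs, ACE 3 lets a host reach any user VLAN's gateway address, not only its own; if that matters, use one ACL per SVI listing only that SVI's address.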
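The PVLAN of point II, combined with the VACL of the same point to close the gap an isolated PVLAN leaves on its own, as an added configuration example that is not part of the original post or of Cisco's documentation. It assumes server VLAN 20 (10.1.1.0/24) lives on a single Catalyst access switch whose SVI is the servers' default gateway; the VLAN numbers, ports and addresses are assumptions.

```cisco
! Added example (not from the original post). Assumed: server VLAN 20 on one
! access switch, SVI 10.1.1.1 is the gateway, servers must reach the gateway
! but never each other.
vtp mode transparent
!
vlan 200
 private-vlan isolated
vlan 20
 private-vlan primary
 private-vlan association 200
!
! Isolated host ports: frames from these ports are delivered only to
! promiscuous ports, never to another host port in the same primary VLAN.
interface range GigabitEthernet1/0/1 - 8
 description server ports, isolated from each other
 switchport mode private-vlan host
 switchport private-vlan host-association 20 200
!
! The gateway SVI is the promiscuous side: it sees the isolated VLAN and
! answers every server.
interface Vlan20
 ip address 10.1.1.1 255.255.255.0
 private-vlan mapping 200
!
! Gap: an isolated host can still reach a neighbour by addressing the frame
! to the gateway MAC with the neighbour's IP; the SVI would route it straight
! back into the VLAN. A VACL on the primary VLAN drops any frame whose source
! and destination are both in 10.1.1.0/24, except traffic to or from the
! gateway itself ("deny" in the matched ACL means "not matched", so those
! packets fall through to sequence 20 and are forwarded).
ip access-list extended PVLAN-PROXY
 remark gateway traffic must not match, so it is forwarded by sequence 20
 deny   ip any host 10.1.1.1
 deny   ip host 10.1.1.1 any
 remark host-to-host inside the subnet, i.e. relayed through the router
 permit ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
vlan access-map VLAN20-MAP 10
 match ip address PVLAN-PROXY
 action drop
vlan access-map VLAN20-MAP 20
 action forward
!
vlan filter VLAN20-MAP vlan-list 20
```

Verify with `show vlan private-vlan` (the 20/200 association and port membership) and `show vlan filter`. If a group of servers must cluster with each other while staying isolated from the rest, give them a `private-vlan community` secondary VLAN instead of the isolated one; if the server VLAN is trunked to more switches, the primary/secondary configuration has to be repeated on every switch carrying it.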
