VLAN implementation

jorge.ficachi
Level 1

What aspects must I consider before segmenting a network with VLANs?


Jon Marshall
Hall of Fame

Hi Jorge

1) How big to make your vlans. A /24 or /25 is usually a good starter.

2) Can you match vlans to depts etc. within your company? If you can, it makes it easier to apply access-lists, QoS etc.

3) Following on from 2, even if you can't match vlans to depts, always look to have servers in their own vlans.

4) Readdressing. Usually 1 IP subnet per vlan, so you will need to readdress some machines. If you use DHCP for clients that is a big plus.

5) Following on from 4, the use of "ip helper-address" for clients to get an IP address.

6) Are there any applications/servers that rely on layer 2 adjacency to work? If so, make sure they go into the same vlan.

7) Inter-vlan routing. Where will you do it, i.e.

i) on a router with separate interfaces. Not very scalable and becomes expensive.

ii) On a router using 802.1q encapsulation on interfaces. Okay but a better option

iii) On a layer 3 switch.

Those are a few things to think about. I'm sure others will add to this list.

HTH

Jon

Hi Jon,

I'd like to jump in here and ask a question regarding vlans. I work in a hospital with about 250 desktops and many departments. I see most responses about setting up VLANs recommend segmenting by dept. Well, here I'd say 90% of our computers are accessing our hospital medical software (Meditech, btw), so I wonder if setting up VLANs would show any benefit. For example, if I set up a separate VLAN for our Accounting Dept, they are still going to connect to Meditech more often than anything else, including email.

BTW, our core switch is a 4006 and our wiring closets are using 2950s with some D-Links and 3Coms.

Thanks!

Hi Paul

Two things really.

1) Setting up vlans by dept. is more of an ideal than anything. In your case it looks like you do have defined depts. Where I work we don't, so our vlans are defined by the floor, i.e. in our major sites we tend to have 2 vlans per floor for PCs/printers etc. So it's not always possible.

2) However, if you can, it is one good way to organise your network. Again it is a general assumption, but in a lot of cases people in the same dept need the same sort of access. Now you say that they all need access to your Meditech system. That's okay, because there will always be servers/systems in common to many users. But perhaps your accounts dept. also needs access to financial systems on servers that other depts have no need to access. It's a lot easier to restrict access based on 1 IP subnet applied to one vlan interface than a lot of individual IP addresses across many vlans. And you may want to give priority to certain depts - again, QoS implementation can be a lot more straightforward if it's based around vlans.

In short, if the dept/vlan model doesn't fit your business then don't use it; we certainly don't, but it can be useful in some setups.

Jon
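Putting Jon's points 4, 5 and 7 from his first reply and the per-VLAN access-list idea from his second reply into a configuration, here is an added example for a Layer 3 switch. It is not from the thread; the VLAN numbers, subnets, server addresses and interface name are all assumed.

```cisco
! Added example: Layer 3 switch config for the dept/VLAN model, not from the thread.
! Assumed numbering: VLAN 10 Accounts 10.1.10.0/24, VLAN 30 Nursing 10.1.30.0/24,
! VLAN 20 Servers 10.1.20.0/24; DHCP 10.1.20.5, Meditech 10.1.20.10, finance 10.1.20.20.
ip routing
!
vlan 10
 name ACCOUNTS
vlan 20
 name SERVERS
vlan 30
 name NURSING
!
! One IP subnet per VLAN; the helper relays client DHCP broadcasts to the DHCP server
interface Vlan10
 description Accounts dept
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.20.5
 ip access-group ACCOUNTS-IN in
!
interface Vlan30
 description Nursing
 ip address 10.1.30.1 255.255.255.0
 ip helper-address 10.1.20.5
 ip access-group NURSING-IN in
!
interface Vlan20
 description Servers kept in their own VLAN, separate from user VLANs
 ip address 10.1.20.1 255.255.255.0
!
! 802.1q trunk carrying the user VLANs down to a wiring-closet switch
interface GigabitEthernet1/1
 description trunk to closet 2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,30
!
! Access control by subnet: one list per VLAN interface instead of per host
ip access-list extended ACCOUNTS-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.1.10.0 0.0.0.255 host 10.1.20.10
 permit ip 10.1.10.0 0.0.0.255 host 10.1.20.20
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip any any
!
ip access-list extended NURSING-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.1.30.0 0.0.0.255 host 10.1.20.10
 deny   ip 10.1.30.0 0.0.0.255 10.1.20.0 0.0.0.255
 permit ip any any
```

Both user VLANs reach Meditech, only Accounts reaches the finance server, and the deny line ahead of the final permit is what keeps each user subnet off the rest of the server VLAN while leaving email and other traffic open.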

Suppose you wanted to implement some kind of security layer on servers running the medical software application at Layer 2 and Layer 3?

Very hard to implement when users and servers reside in the same VLAN, correct?

Viruses can be transmitted to servers and from servers rather easily when you have the user and server subnets in the same VLAN.

It's best practice to separate that traffic, since it gives you a more granular approach during troubleshooting. On a flat network, blocking src and dst devices can be a hard task.

HTH,

__

Edison.

Thank you Jon and Edison. I found both answers to give me "food for thought" and rated both Very Helpful.
