06-07-2009 06:19 AM - edited 03-06-2019 06:07 AM
OK, so at work we are trying to do VLANing, but here is the catch: the whole network is flat... no routers (but one facing outside) and no subnets. So we are trying to do this without using an IP address for the VLAN interface; will that work?
To my knowledge, since there are no subnets and your network is just one whole flat network, you could have VLANs just for that whole network, but would it be worth it?
06-07-2009 08:25 AM
By the way, this is not for my "work" or anything like that. I just got asked this question and I gave an appropriate answer from what I know of VLANs and how you can implement them. I just wanted to know what you all think of the situation.
06-07-2009 08:29 AM
". . . will that work?"
Probably.
". . . would it be worth it?"
Probably not.
What are you trying to accomplish?
[edit]
Only saw your new post after my post. Don't have time to respond to the new post; maybe later today . . .
06-07-2009 08:33 AM
My friend asked me this through an email. I asked him the same question, what he was trying to accomplish, but I did not get a reply.
I think they want to segment their network. However, I told him that since you have no subnets on your network, you would first need to create subnets and then create your VLANs appropriately if you want the VLANs to actually mean something in your network.
Right now on their network everything can see everything else.
06-07-2009 10:33 AM
VLANs and subnets are different things, and although often used together, neither requires the other.
Your friend should explain what he wants to accomplish or what he thinks their current network problem might be.
Some of the later Cisco switches support private VLANs for security purposes, but other than that there is often little need to implement VLANs unless they're going to be used to "host" different networks.
06-07-2009 10:40 AM
Thank you. I always tie VLANs and subnets together by accident because I get into the tendency to say "VLAN 10 is in this subnet in this building"; bad habit.
I will see if I can get any more information.
06-07-2009 11:13 AM
They are trying to break up broadcast domains in their network; that's the goal.
They seem to be using 3Com stuff. Here is what I was told:
They are 3Com switches, but we are at this point trying to set up a test environment. We have a 4900 layer 3 switch plugged into 3 laptops representing three schools. When we put one laptop on a VLAN it loses DHCP, and we as of right now only have one port for trunking, but how do you route across a switch with only one switch with many VLANs on it? Do you need another switch to trunk to it?
06-07-2009 11:26 AM
Unless you plan to have VLANs on L2 switches beyond the L3 switch, you shouldn't need to configure VLANs on those switches or use VLAN trunks.
On the 4900, define one or more VLANs; define one or more ports as access ports for those VLANs. Connect 3Com switches to 4900 ports to place that 3Com switch, and any devices attached to it, within the VLAN defined on the 4900.
For each VLAN on the 4900, define an IP address, with a unique subnet per VLAN. This will be the gateway used by hosts on that VLAN.
Enable IP routing on the 4900. (Once done, hosts with hard-coded IP addressing should be able to ping each other on different VLANs/subnets.)
For DHCP, you'll need to define an IP helper (on the VLAN interface) to forward host requests to the DHCP server. Not needed if the DHCP server is on the host subnet.
06-07-2009 11:28 AM
Joshua
If you split your network up into vlans but then have no way of routing between vlans, then these vlans are isolated from one another. And it doesn't matter what IP addressing scheme you use, i.e. different subnet per vlan or same subnet for all vlans.
A vlan is a logical separation of ports at layer 2. So if you create 10 vlans, which will indeed create 10 broadcast domains, and you do not have 10 L3 interfaces, one for each vlan, then these vlans will be isolated from each other.
Any machines in the same vlan will be able to communicate with each other, but that's it.
As mentioned, a vlan does not have to equate to an IP subnet, although it usually does.
Jon
06-07-2009 11:35 AM
I appreciate the replies / help. I am getting a better understanding of this (and I hope my friend's situation gets resolved).
06-07-2009 12:56 PM
This is what I got from his latest email:
So from what it sounds, VLANs need IP addresses? And what configs need to be made on the PCs?
The kid I am working with is trying to do layer 2 VLANing, which I thought was crazy.. so from what it sounds there is no way to get VLANs to talk to each other with only one switch? Like on that one switch we have 3 VLANs; I guess there is no way to get them to talk without bringing in another switch, right??
06-07-2009 02:26 PM
Joshua
It depends on the switch. If the switch is L3 capable then you can create L3 vlan interfaces and then your clients can communicate. Alternatively if you had a router as well as a switch you could use the router to route between the vlans.
Vlans work at L2. A broadcast from a machine in a vlan will be received by all other machines within that vlan.
Generally speaking, in an average network you would have multiple vlans. Each vlan would have its own IP subnet, e.g.
vlan 10 -> 192.168.5.0/24
vlan 11 -> 192.168.6.0/24
each device in vlan 10 would have an IP address out of the 192.168.5.1 -> 254 range and each device in vlan 11 would have an IP address out of the 192.168.6.1 -> 254 range.
You would then on a L3 switch or router have a L3 interface for each vlan eg.
int vlan 10
ip address 192.168.5.1 255.255.255.0
int vlan 11
ip address 192.168.6.1 255.255.255.0
each client in vlan 10 would have its default gateway set to 192.168.5.1 and each client in vlan 6 192.168.6.1.
Usually client addresses are handed out via DHCP.
Just to reiterate - vlans are L2 concepts. For vlans to communicate they need a L3 device to route between them. This L3 device could be a router or a L3 switch.
Jon
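The rules spelled out in Joseph's steps (SVI per VLAN, IP routing on, IP helper for DHCP) and in Jon's posts can be checked against a design before touching a switch. The following Python model is an added example written for this thread, not code from the original posts or from any vendor; every host, VLAN and address in it is constructed, and the reachability and DHCP functions are assumptions that encode only what the thread states: same VLAN plus same subnet talks at L2, different VLANs need routing through an SVI in each VLAN, and a DHCP broadcast stays in its VLAN unless that VLAN's SVI relays it.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Optional

# Constructed model of the thread's lab: one switch, "school" laptops and a
# DHCP server. Every name and address below is made up for this example.


@dataclass
class Host:
    name: str
    vlan: int                       # access VLAN of the switch port
    ip: IPv4Interface               # address with mask, e.g. 192.168.5.10/24
    gateway: Optional[IPv4Address] = None


@dataclass
class Svi:
    """A layer-3 VLAN interface ("int vlan N" in Jon's post)."""
    vlan: int
    ip: IPv4Interface
    helpers: List[IPv4Address] = field(default_factory=list)  # ip helper-address


@dataclass
class Switch:
    svis: Dict[int, Svi] = field(default_factory=dict)
    ip_routing: bool = False        # "ip routing" enabled on the L3 switch


def same_subnet(a: IPv4Interface, b: IPv4Interface) -> bool:
    return a.network == b.network


def can_reach(src: Host, dst: Host, sw: Switch) -> bool:
    """IP reachability between two hosts under the thread's rules."""
    if src.vlan == dst.vlan:
        # One broadcast domain: ARP resolves directly, so IP works only if
        # both hosts believe they share a subnet.
        return same_subnet(src.ip, dst.ip)
    # Different VLANs: traffic has to be routed, so the switch needs routing
    # on, an SVI in each VLAN's subnet, and each host pointed at its SVI.
    if not sw.ip_routing:
        return False
    for host in (src, dst):
        svi = sw.svis.get(host.vlan)
        if svi is None or not same_subnet(svi.ip, host.ip):
            return False
        if host.gateway != svi.ip.ip:
            return False
    return True


def gets_dhcp_lease(client: Host, server: Host, sw: Switch) -> bool:
    """DHCP DISCOVER is a broadcast: it never leaves the client's VLAN unless
    that VLAN's SVI relays it to the server (ip helper-address)."""
    if client.vlan == server.vlan:
        return True
    svi = sw.svis.get(client.vlan)
    if svi is None or server.ip.ip not in svi.helpers:
        return False
    # The relayed unicast still has to be routed into the server's VLAN.
    server_svi = sw.svis.get(server.vlan)
    return sw.ip_routing and server_svi is not None and same_subnet(server_svi.ip, server.ip)


def scenarios() -> Dict[str, bool]:
    gw_a, gw_b = IPv4Address("192.168.5.1"), IPv4Address("192.168.6.1")
    dhcp = Host("dhcp-server", 10, IPv4Interface("192.168.5.2/24"), gw_a)
    school_a = Host("laptop-a", 10, IPv4Interface("192.168.5.10/24"), gw_a)
    school_b = Host("laptop-b", 11, IPv4Interface("192.168.6.10/24"), gw_b)

    # Flat network: everyone in VLAN 1, one subnet, no L3 needed at all.
    flat_a = Host("flat-a", 1, IPv4Interface("10.0.1.10/16"))
    flat_b = Host("flat-b", 1, IPv4Interface("10.0.2.10/16"))

    # The friend's lab: VLANs created, no L3 interfaces, no routing.
    l2_only = Switch()
    # The fix from the thread: an SVI per VLAN, routing on, and a helper on
    # the VLAN that has no DHCP server of its own.
    l3 = Switch(ip_routing=True, svis={
        10: Svi(10, IPv4Interface("192.168.5.1/24")),
        11: Svi(11, IPv4Interface("192.168.6.1/24"), helpers=[dhcp.ip.ip]),
    })
    # Splitting one subnet across VLANs without L3 isolates hosts just the same.
    split_a = Host("split-a", 10, IPv4Interface("10.0.0.10/16"))
    split_b = Host("split-b", 11, IPv4Interface("10.0.0.11/16"))

    return {
        "flat_reach": can_reach(flat_a, flat_b, l2_only),
        "l2_only_a_to_b": can_reach(school_a, school_b, l2_only),
        "l2_only_b_dhcp": gets_dhcp_lease(school_b, dhcp, l2_only),
        "split_subnet_l2_only": can_reach(split_a, split_b, l2_only),
        "l3_a_to_b": can_reach(school_a, school_b, l3),
        "l3_b_dhcp": gets_dhcp_lease(school_b, dhcp, l3),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label:24s} {'works' if ok else 'fails'}")
```

Running it reproduces the symptom from the email (a laptop moved into VLAN 11 loses DHCP and cannot reach VLAN 10) with the L2-only switch, and shows both working once the SVIs, routing and the helper are in place. The model deliberately ignores ACLs and firewalling, so a "works" result means only that the L2/L3 plumbing is sufficient, which is the point the thread is making.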
06-07-2009 02:35 PM
Thank you, Jon. I will let him know. I pretty much told him that to really take advantage of VLANs and segment their network he would need to do what you said.
In my experience I never just made a "VLAN", named it and tried to route that on the network, because that's what they are trying to do.
06-09-2009 05:08 AM
You'd better get your friend's reply about this: what is the problem and what is he trying to achieve?
An example is what I've seen before:
- big flat network, /16.
- all users, servers, and printers in this network.
- multiple servers spread in this big flat network.
Because of security, I enforced a network revamp. However, some servers are too expensive to move, e.g. internal applications tied to IP address (the old way) that will cost a lot of $$$ to recompile. Planning:
- plan the segments (e.g. per service, per department, per floor, per building).
- identify the servers that are too expensive to move around; use their IP address as the base for the server segment.
- slowly move other servers nearer to the IP address of the expensive servers and use the new subnet mask for the servers (NOT the gateway).
- slowly move the users/services to their new network segment.
Of course it's NOT as simple as that. It needs coordination with other admins (e.g. system, printers, applications) and lots of impact assessment. In the end, it's worth all the trouble: security, performance and manageability are in place.