VLAN Nightmare

planzone · ‎06-17-2009

Greetings all,

I inherited a nice little nugget. I am curious how I can go about flattening these vlans so I can create some simple vlans that are easy to manage. They way this admin has it - is that if a printer needed to be physically moved within the office environment the port needed to be issues the switchport access command. This is not desirable and I am not certain why this practice was used. The switch is a L3 3750 switch.

The future state is noted below. I suppose I would like to know, how can I transition to the desired future state.:

Oh and of course I would like to do this with minimal interuption :)

FUTURE STATE: (where I want to be)

Vlan2: would be infrastructure this is where servers etc would be added that require a static IP.

VLAN12: Is where I would put any PBX related devices that require static IP

VLAN14 Guest wireless (can be DSL)

VLAN17 I would setup a RF GUN vlan (wireless)IP would be via DHCP

VLAN 99 is where my PC's and printers sit on. this is the vlan wheer almost 99 percent of the devices would sit on.

everything would be 22 bit mask.

The idea is if you plug a printer in to any port that is on vlan 99 it would give it an ip addy via dhcp then the admin can go into it and make it static. and does not need to manually flip ports for it to function and easy to administer. And of course same with pc's just plug and go and do not need to administer the switch. There are several IDF's and I would use VTP

Please review attachment of current state.

Any ieas? Hints? Tips?

Massive amounts of aspirin?

Jon Marshall · ‎06-17-2009

Pete

Before you go ahead and make changes -

"This is not desirable and I am not certain why this practice was used."

Looking at the config there is an Expand device in use. The Expand device is a WAN accelerator. On 2 of the L3 vlan interfaces there is a route-map for PBR applied which directs traffic to the Expand device. I suspect that this is the reason the admin separated printers from PC's altho i could well be wrong.

Do you know if WAN acceleration is in use ?

By the way. as a side issue, having your printers on their own dedicated vlan can be a good security move. What this allows you to do is to apply acl's to all the client PC vlans so that traffic is only allowed to

1) printers

2) servers

3) Internet

4) + any other company specific devices

ie. you do not allow client traffic from one vlan to go to another client vlan. Then if one of the clients gets infected you have at least limited the propogation of the virus and servers generally tend to be better protected than clients.

If you had printers mixed in with clients then you could not do this because client vlans would need to talk to other client vlans because of the printers.

Jon

planzone · ‎06-17-2009

Hi Jon,

there is no longer an expand device on the network that was something they were testing. That config needs to be removed. Thanks for pointing that out.

However the objective is to make this easier to manage. The current setup is not.

The enterprise does not have a fulltime or individual to manage cisco devices all day long. so ACL betweeen vlans is something that I do not require at this time. I wish for all the vlans to talk to each other.

I essentially want to flatten the current vlan 111 and 102 to a vlan called 99.

I do appreciate your input.

Jon Marshall · ‎06-17-2009

Pete

Understood, just wanted to make sure it wasn't going to create more problems than it solves. If all you want to is flatten 111 & 102 then i would migrate 111 to 102 as the printers will probably be statically addressed whereas your clients will presumably be using DHCP.

You say you want to use a /22 - is this for vlan 111 & 102. I would not use a /22 due to broacast traffic - /24 or even /25 would be my preference although you could get away with a /23.

Can you get a /23 from your existing subnets ie.

vlan 102 = 10.99.2.0/24

is 10.99.3.0/24 used anywhere as you could use this ie. 10.99.2.0/23.

Jon

planzone · ‎06-17-2009

Is this because to reduce the amount of broadcasts in a single subnet/vlan? Just looking for clarification on a 22 bit mask vs the 24.

There is potential to have more then 500 hosts in this vlan.

You are providing excellent suggestion regarding performance. But I am looking for it to be easy. So I am looking for the best of both worlds :) There isnt anyoen full tiem at this specific site to manage things.

Jon Marshall · ‎06-17-2009

Basically yes. /22 allows for over 1000 hosts in the same subnet. It does depend on the type of application traffic within that subnet but i have found /24 or /25 to be a good choice.

If you have a 1000 hosts and they are using apps that rely partially or wholly on broadcasts then that's a lot of traffic each host will need to process. In addition a virus will spread very quickly between the same hosts on the same subnet.

Jon

planzone · ‎06-17-2009

True - but essentially every pc is going to be on that subnet.

Chuckle I still need the answer to my initial question. Which is - what is the process to flatten the two vlans to 1?

1. Create vlan?

2.Create Scope?

3. test?

anything else?

please validate if this is correct.

Again I appreciate your input and your suggestions for performance is awesome.

Jon Marshall · ‎06-17-2009

Pete

"Chuckle I still need the answer to my initial question. Which is - what is the process to flatten the two vlans to 1?"

Sorry, got sidetracked.

Like i say it make sense to flatten both vlans into the existing printer vlan - vlan 102 and change the subnet mask from 255.255.255.0 to 255.255.254.0 on the 10.99.2.0 network. As each vlan is only /24 then you only need a /23 to accomodate both vlans. This does assume 10.99.3.0/24 is not in use anywhere within your network.

The above has the advantage of not having to readdress your printers. But if you wanted to start from scratch then

1) Choose new IP subnet

2) Create new vlan at L2

3) Create new L3 vlan interface using address from 1)

4) Set up scope in DHCP

5) Set ip helper-address if DHCP server is not in new vlan

6) allocate existing switchports into the new vlan

Jon

3)