Cisco VLANing Dispute

Jul 20th, 2010

I am a fair Cisco guy and have been working at my company for almost 5 years.  We just hired a new CIO and one of my suggestions was to have an outside party conduct an independent security assessment of the environment.  Instead, the CIO retained the consultants he used to work with and they are recommending that we undo our present VLAN architecture.

We presently have a 172.16.x.x segment for our management and server VLAN, which I know is a pretty big no-no.  We inherited this problem.

We also have 4 floors and have created a VLAN for each floor where we use the third octet to define the floor:

Example: 10.203.2.x for the second floor, 10.203.3.x for the third floor, etc.

I know that Cisco recommends VLANs to limit Layer 2 broadcasts and compartmentalize network issues, but I am trying to be a voice of truth in this new mess.

They are proposing creating one network for client PCs and I do not see this as a need since it already exists.  I see this change more as a way to create unsubstantiated work to bill.   I am not looking for anyone to take sides but more to provide direction?

Nagaraja Thanthry Tue, 07/20/2010 - 13:53

Hello,

I would prefer the current architecture compared to a single VLAN for all PCs for multiple reasons.

-- With a single VLAN for all PCs, if there is a broadcast storm in one segment, that will affect the entire network and the entire network will have down-time. It will be harder to identify the fault point with that kind of architecture.

-- With this kind of architecture, if one PC gets affected by a virus/Trojan, it could spread to the rest of the network pretty quickly.

-- If somebody decides to add a dumb hub and create a physical loop in one corner of the network, that will affect the entire network and the entire network segment will go down.

To avoid the above scenarios, it is suggested that the network be divided into smaller broadcast domains. I do not see any advantage in having a unified LAN for the entire network.

Hope this helps.

Regards,

NT

Richard Burts Tue, 07/20/2010 - 13:58

Gerald

There are a couple of things in your post that are not clear to me.

- what is it about 172.16 that you consider to be a big no-no? how many devices are in that VLAN? (how large is the broadcast domain - this has a lot more to do with whether the VLAN is appropriate)

- when you say that the consultants want to undo your existing VLAN architecture, what do they want to put in its place?

- you describe a structure with a VLAN per floor, and then you say that there is a network for client PCs. I am not sure how these statements relate.

Perhaps you can clarify some of these?

HTH

Rick

gerard.martinez Wed, 07/21/2010 - 06:21

- what is it about 172.16 that you consider to be a big no-no? how many devices are in that VLAN? (how large is the broadcast domain - this has a lot more to do with whether the VLAN is appropriate)

The 172.16.4.x segment is both VLAN1 and our server segment.  There are about 70 used IP addresses and multihomed/teamed interfaces, including the IP addresses of the actual switches.

- when you say that the consultants want to undo your existing VLAN architecture, what do they want to put in its place?

We have 10.203.x.x and the consultants want to replicate the existing architecture in the 172.16.x.x address space.  I think it sounds redundant as both address spaces provide the same functionality.

- you describe a structure with a VLAN per floor, and then you say that there is a network for client PCs. I am not sure how these statements relate.

We presently have a VLAN defined for each of our 4 floors (approximately 250 devices in total) in the 10.203.x.x IP space.  Using subnetting, we use the third octet to define which floor the VLAN is located on.  These are the PC segments.

David Salazar Tue, 07/20/2010 - 14:10

Hello, Gerard Martinez

The more precise recommendation, at both the theoretical and practical level, is:

- You must confine the scope of a VLAN to a single wiring room. (That is, if you define the segment VLAN 101 User Network 10.0.0.0/24 on Floor 1, no ports can be configured in VLAN 101 in another wiring room.)
- This supports not using VTP to distribute VLAN information, and optimizes the traffic that passes through the trunks and the use of bandwidth.

Imagine that the machines use the default Microsoft Windows NetBIOS (TCP and/or UDP ports 137, 138) to browse "Network Neighborhood". This generates a broadcast, and that packet (or packets) passes through all trunks and switches that have any port configured in the same VLAN as the machine that generated the packet.

This would not be very optimal.

In my personal experience, VLANs that have been extended across the network are a headache when doing troubleshooting.

I hope to have helped a little.

gerard.martinez Wed, 07/21/2010 - 05:59

I agree with you on this David and have placed this in a non-personal email to management and this firm and it has just turned into a stand-off.  I just need to find a way to bring the truth to the surface.

I know first hand how bad a single VLAN for all devices can be since the present VLAN architecture was put into place to eliminate our previous topology where all devices used to be on the same VLAN1.

On a side note:  I asked this firm to present their proposed VLAN architecture and their response is to recreate the concept we presently have of using the 10.203.x.x segment and having the third octet define where the VLAN is located, as stated in my first post, but with the difference of using the 172.16.x.x address space.

Jon Marshall Tue, 07/20/2010 - 16:05

Gerard

As Rick says, this statement is a little unclear -

They are proposing creating one network for client PCs and I do not see this as a need since it already exists.

What do you mean by this, i.e. are they proposing one VLAN for all PCs? If so, what do you mean by saying you already have this, as you seem to be suggesting that you don't have this, i.e. you have 4 VLANs for PCs.

You are right in that your management VLAN should not be the same as the server VLAN, and if they didn't pick up on that then I am surprised and would question their expertise.

More importantly than all that, if they are proposing one VLAN for all PCs, what is their reasoning? The points provided by the other posters in this thread are good points, but if we knew why they are proposing one VLAN for all PCs we could be more specific.

Jon
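To make the points raised in this thread concrete, here is an added Layer 3 switch configuration (not posted by anyone in the thread) that keeps the per-floor 10.203.&lt;floor&gt;.0/24 scheme, leaves the servers in 172.16.4.0/24, and moves switch management off VLAN 1 onto its own VLAN, as Jon recommends. The VLAN IDs, interface names and the 172.16.99.0/24 management subnet are assumptions; the access-port and trunk settings address the hub-loop and broadcast-flooding concerns from the earlier replies.

```cisco
! Per-floor client VLANs (IDs assumed); third octet of the subnet = floor
vlan 11
 name FLOOR1-PCS
vlan 12
 name FLOOR2-PCS
vlan 13
 name FLOOR3-PCS
vlan 14
 name FLOOR4-PCS
vlan 50
 name SERVERS
vlan 99
 name MGMT
!
! One routed SVI per floor keeps each floor its own broadcast domain
interface Vlan11
 ip address 10.203.1.1 255.255.255.0
interface Vlan12
 ip address 10.203.2.1 255.255.255.0
interface Vlan13
 ip address 10.203.3.1 255.255.255.0
interface Vlan14
 ip address 10.203.4.1 255.255.255.0
!
! Servers keep their existing 172.16.4.0/24 block, now a dedicated VLAN
interface Vlan50
 ip address 172.16.4.1 255.255.255.0
! Switch management gets its own VLAN and subnet (subnet assumed)
interface Vlan99
 ip address 172.16.99.1 255.255.255.0
! VLAN 1 carries nothing any more, so its SVI is shut
interface Vlan1
 shutdown
!
! Second-floor user port: access only, no DTP, and a rogue hub that
! feeds BPDUs back in is err-disabled instead of looping the VLAN
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 12
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the floor-2 access switch: only the VLANs that live on
! that floor cross the trunk, so floor-2 broadcasts stay on floor 2
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 12,99
```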

gerard.martinez Wed, 07/21/2010 - 05:45

Jon.

What I mean by this is that this outside party is proposing just creating a new set of IP blocks in the 172.16.x.x range for our PCs & client printers.  I do not see a benefit in doing this as the present 10.203.x.x blocks provide the same functionality and moving to this proposed scheme looks more like someone's personal desire than a technical need.

I would believe that if there was a true benefit to doing this there would be a benefit established.  Instead this firm is hiding behind "It will eliminate administration overhead in the future."

vmiller Wed, 07/21/2010 - 07:58

I "think" I see where there may be some ambiguity in this discussion. My take is there is no reason why the client VLANs could not be addressed out of 172.16.x.x with the same numbering scheme of the third octet for the VLAN/subnet ID. This does make some assumptions on what you have deployed so far and that the time & resources exist to change things. Using the class B would be consistent in terms of how folks usually deploy things, but I don't see a big advantage to re-addressing just to re-address.
