The company that I work for has a vlan setup for each floor and each floor is connected via a switch which is then trunked to the management switch. From my understanding of a vlan, the purpose is to logically connect machines that are not physically connected. In our case, we have vlans on floors that are physically connected already so I would deem the need for vlans unnecessary.
To explain it better here is a brief example: the 2nd floor is vlan2 and consists of finance, IT, etc. The same goes for the 4th floor, it is vlan4 but consists of dispatch, HR, finance, etc.
Why would one setup vlans like this? Wouldn't you set it up so that finance is on vlan2, and IT on vlan4, etc.?
The segregation of vlans is only to reduce the broadcast domain. Every vlan means you are using one subnet pool for that vlan. Envisage you are living in a society which has 255 residential homes. If any guest comes, he has to search all 255 homes. Now you want to reduce the domain by creating further numbers in the society. Let's say we divide the society into three parts: one is A, another is B and another is C. Every sub-number has 51 homes, so now the domain is like society.A (1-51) and so on.
The same concept is in vlans. It hardly matters which vlan you use for which department.
Nowadays another advantage of using vlans is that you can restrict vlan 2 from communicating with vlan 3 by using vrf lite.
The explanation by Shivlu is interesting. I would start from the same premise that the motivation for VLANs is to reduce the size of the broadcast domain and would then take a different approach in answering the question.
Probably we can agree that if the entire company were in a single broadcast domain (no VLANs configured) so that a broadcast from a PC in HR on the second floor is received and processed by every PC in the entire company that it might be too big and would be inefficient. So configuring VLANs will help to reduce the volume of broadcasts and allow individual PCs to process more efficiently.
Then the question becomes how to design and implement the VLANs. I would suggest that one approach is physical (and in some respects easier) and that the other approach is logical (and in some respects more challenging). The physical approach is to design and implement VLANs by physical location, as has been done by the company of the original poster. This is easier to implement because on a floor all PCs are in the same VLAN so it is easy to figure out. And you do not have the issue that if someone who works for a different department than the previous office occupant moves into an office on the second floor, then you need to reconfigure the VLAN. The other approach is logical and is what is suggested by the original poster, in which you design VLANs to reflect departments. This approach has some benefits, such as the fact that all traffic from a department (such as HR) is segregated from users in other departments. (If a user in Network Engineering happens to run Wireshark to do a packet capture, they would not see any traffic from HR.) But this approach is more challenging to implement. When setting up the VLAN you have to be careful to correctly identify the department of every port on the switch. And there are challenges when new employees come in, or when current employees change offices. So moves, adds and changes are more challenging when you take the logical approach to VLANs.
So to answer the question of the original post: Are VLANs necessary? I would suggest that in most modern corporate networks that YES VLANs are necessary. The implied question of which approach to use is more difficult and really depends on the particular environment of each company.
That is a great explanation of vlans. I just wanted to make sure we were doing it properly, and for the right reason. I'm not sure if it can do any harm but I want to be on the safe side.
Well, actually, you can restrict vlan 2 from speaking to vlan 3 by not having a routing protocol between them ... you don't require vrf lite for that.
I agree with the first two responses. However, I think an important question to ask is how large is the user group? Every time one says "floor" we automatically assume LOTS of users. But what if there are only 5 users per floor? What is the "flow" of traffic?
Are there any other switches or vlans or buildings we're connecting to?
So my question is, is there documentation showing why it was configured this way, did the engineer have something else in mind?
There are many different ways to skin a cat....
You are 100% correct. Each floor ranges between 8-20 workstations. There is a switch on each floor which in my opinion already separates the floors so I am confused about the need for the vlan on each floor. I understand that it will help break up the broadcast domain but doesn't each switch also make its own broadcast domain? Each floor is then routed to the management switch via fibre.
On the contrary, we do have a system that requires a terminal on each floor, so in that case I can see the need for the vlan, but for that system and that system only.
Unfortunately, there is no documentation supporting why the original engineer designed it in this manner.
Ok, what concerns me a little is that in your example you mentioned that the Finance Dept. was on floor 2 and also on floor 4. I'm not sure if you were just giving an example or if this is what you actually have. If that's the case, then the depts should be assigned to their own VLANs. But it seems your network is structured around physical floors.
This means that a computer on floor 4 on VLAN 4 that's supposed to be in the finance dept. is actually separate from the finance dept computers on floor 2 on VLAN 2. That's not good design!!
In any event, it sounds like you are looking to do what's called an "End-to-End" vlan where all the vlans span the switch fabric.
One thing to keep in mind is that switches DO NOT segment off broadcasts. Only VLANs or layer 3 devices like a router do.
It doesn't sound like you have that many hosts but I'd still design it as if you did because this way you're covered for growth and it would be proper design anyways...
As for the system that requires a terminal, I'm still a little unclear on that, only because we'd need to know a little bit more about its functions and the services it offers, but it doesn't sound like a deal breaker....
Yes. I was just giving an example but what I mean to say is that for me, there doesn't seem to be any type of logical sense as to why our network is setup in the way that it is. The vlans do have a mix of departments where vlan 2 has IT and Finance, and the secretary together. For the sake of simply cutting down on broadcast domains it makes sense and I am assuming that is the only reason why it was put into place. It would be a huge burden to have to maintain a vlan for each separate department because each floor has 3 or 4 different departments.
I mentioned the terminal only because that is a "department" that is spanned between the floors, and in that situation I could see the need for the vlan. I was solely looking at it from a logical sense and I felt that my traffic should not be on the same segment as the finance traffic. But as someone posted before, maybe it was you, it would be very difficult to maintain if it were designed differently.
You're definitely right, your traffic should not be seen by other traffic from other depts! It's also a security issue too. There are companies with well over 50 vlans! So your situation really isn't all that bad. Say you have 5 depts tops. Then all you do is create 5 vlans and that's it!!
The 5 vlans would span all the switches, a finance host could be on any floor and they would have full access to other finance hosts. User vlans, same thing...IT vlans, etc etc...
You can do it this way or just leave it as is. LOL. If you do decide to truly segment off the hosts per dept, then I can already tell you that if you have multiple "finance" hosts on different vlans, you'll have to reconfigure their IP addressing so they can all speak to one another on the same segment...
BTW: I don't think I meant to say designing vlans by physical location is "wrong". I think that came off wrong; it's just a different approach. To me that approach seems a little less scalable....but everyone's networks are different and have different needs....
If you have any other questions please feel free to ask.
I've quickly skimmed the responses to this, so apologies if I'm repeating anything, however ...
The setup you describe is actually Cisco best practice for enterprise networks ...
Although, to be more specific, they recommend restricting vlans to one switch or at most to the group of switches on the same floor and not spanning them across too many switches. The reason behind this is that spanning tree convergence time (even R-spanning tree) is not fast enough. Any switch that goes down or vlan that goes down will only affect the local vlan ... all other areas will converge via the L3 routing protocol (which is a lot faster).
Creating vlans for each department (across different floors) is an outdated design because of the long convergence time (refer to the above explanation). That doesn't mean you shouldn't create separate vlans for the different departments (especially if you want to restrict their access), but these vlans again should not span across too many switches.
Hope that helps
PS: you can do a search on Cisco for SAFE and then go through the different design guidelines for the different environments.
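To make the two design points in this thread concrete (a vlan kept local to one floor with L3 routing between floors, and restricting one vlan from talking to another without VRF lite), here is an added Cisco IOS configuration example; it is not from any poster or from Cisco's SAFE guides, and the VLAN IDs, addresses, interface names and ACL name are assumed for illustration.

```cisco
! === Core / distribution L3 switch (assumed names and addressing) ===
! One VLAN per floor, as the original poster's network does.
vlan 2
 name FLOOR2
vlan 4
 name FLOOR4
!
! Inter-floor traffic is routed here, not bridged, so a spanning-tree
! event on one floor stays inside that floor's VLAN.
ip routing
!
! Floor-2 hosts use this SVI as their default gateway.
! The inbound ACL keeps floor-2 hosts from reaching the floor-4 subnet
! while still allowing everything else (servers, Internet, etc.).
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
 ip access-group BLOCK-FLOOR2-TO-FLOOR4 in
!
interface Vlan4
 ip address 10.0.4.1 255.255.255.0
!
! Hit counters and the log keyword give the defender evidence of
! attempted cross-floor connections (show access-lists / syslog).
ip access-list extended BLOCK-FLOOR2-TO-FLOOR4
 deny   ip 10.0.2.0 0.0.0.255 10.0.4.0 0.0.0.255 log
 permit ip any any
!
! Uplink to the floor-2 access switch: prune the trunk to that floor's
! VLAN only, so VLAN 4 frames never reach floor 2 at all.
interface GigabitEthernet1/0/1
 description Uplink to floor-2 access switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2
!
! === Floor-2 access switch: every user port is simply in VLAN 2 ===
interface GigabitEthernet0/1
 description User port
 switchport mode access
 switchport access vlan 2
```

Restricting the ACL to the SVI means segmentation is enforced at the routed boundary the thread describes, and `show ip access-lists` on the core will show whether cross-floor traffic is actually being attempted.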