Quick question on local vlans and end-to-end vlans
So as I have been reading through documentation on these I have had a question constantly popping into my head.
What about some sort of hybrid design. Not necessarily keeping one or three vlans on a switch, but keeping these vlans segregated at the distribution layer.
vlan 2 - Admin
vlan 3 - IT
vlan 4 - Finance
vlan 5 - Voice
Then keeping these segregated at the distribution block. Mapping these using dynamic vlan assignment controlled in a radius server.
Then in another distribution block (say you have two distribution blocks)
vlan 6 - Admin
vlan 7 - IT
vlan 8 - Finance
vlan 9 - Voice
From there doing the same thing on these and segregating these at the distribution block. Having a separate policy for the radius servers based on which switches are authenticating the users. Would this be a bad design, or would this be something advisable? So you would have four vlans on each of the switches potentially, but each building would have its own vlans and you wouldn't have broadcasts and other layer two traffic going over the trunks between switches. Then the only traffic going across the trunks would be to servers and voice between users.
I know that it is best to keep layer two traffic from crossing layer three devices (i.e. merging vlan 5 and vlan 9 because they are both voice). But what are some of the reasons for not doing this? Is it advisable to hybridize this further? I know the 80/20 has been switching to 20/80 with VDI and cloud computing. Devices are going outside of their LAN for more and more information. I am trying to think of a way to keep things segregated and allow for security policies in the distribution layer. Are IP and layer four ACLs falling out of favor for security policies? I just keep on trying to put those into context and I am thinking about how you would lock down access to, say, a finance server. If you didn't map someone to a vlan/subnet from finance the ACLs would just get gigantic. Would this just be something that you would rely on LDAP for instead? Are ACLs becoming something for QoS, routing updates, and PBR only?
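The per-block RADIUS policy the post describes, as an added example that is not part of the original thread: the authenticating switch's address selects the distribution block, the user's group selects the role, and the switch receives the standard tunnel attributes for VLAN assignment. The switch management ranges, user subnets and server address are constructed assumptions; the VLAN numbers are the ones from the post. The second function shows the point raised about ACL size: once roles map to per-block subnets, a server ACL needs one entry per block rather than per user.

```python
"""RADIUS dynamic-VLAN policy keyed on the authenticating switch.

Constructed example: switch management ranges and user subnets are
assumptions, not a real deployment. VLAN numbers follow the post.
"""
import ipaddress
from typing import Optional

# One entry per distribution block: the management range its access
# switches authenticate from, and the VLAN/subnet each role gets there.
BLOCKS = {
    "building-A": {
        "nas": ipaddress.ip_network("10.0.1.0/24"),   # assumed mgmt range
        "roles": {"Admin": (2, "10.2.0.0/24"), "IT": (3, "10.3.0.0/24"),
                  "Finance": (4, "10.4.0.0/24"), "Voice": (5, "10.5.0.0/24")},
    },
    "building-B": {
        "nas": ipaddress.ip_network("10.0.2.0/24"),   # assumed mgmt range
        "roles": {"Admin": (6, "10.6.0.0/24"), "IT": (7, "10.7.0.0/24"),
                  "Finance": (8, "10.8.0.0/24"), "Voice": (9, "10.9.0.0/24")},
    },
}


def authorize(nas_ip: str, groups: list) -> Optional[dict]:
    """Return Access-Accept attributes, or None for an Access-Reject.

    Tunnel-Type 13 = VLAN and Tunnel-Medium-Type 6 = IEEE 802 are the
    standard RADIUS values a switch expects alongside the VLAN id.
    """
    addr = ipaddress.ip_address(nas_ip)
    block = next((b for b in BLOCKS.values() if addr in b["nas"]), None)
    if block is None:
        return None                      # unknown switch: fail closed
    role = next((g for g in groups if g in block["roles"]), None)
    if role is None:
        return None                      # no role mapped in this block
    vlan, _ = block["roles"][role]
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(vlan)}


def server_acl(role: str, server: str, port: int) -> list:
    """One permit ACE per block for the role's subnet, then an explicit deny."""
    aces = []
    for b in BLOCKS.values():
        for r, (_, sub) in b["roles"].items():
            if r == role:
                net = ipaddress.ip_network(sub)
                aces.append(f"permit tcp {net.network_address} {net.hostmask} "
                            f"host {server} eq {port}")
    return aces + [f"deny ip any host {server}"]
```

A switch not in any block's range gets no VLAN at all, which is the safer default when a rogue or misconfigured device starts sending RADIUS requests.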