Cisco Support Community

New Member

VLAN'S implementation

What aspects must I consider before segmenting a network with vlans?

Hall of Fame Super Blue

Re: VLAN'S implementation

Hi Jorge

1) How big to make your vlans. A /24 or /25 is usually a good starter.

2) Can you match vlans to depts etc. within your company. If you can, it makes it easier to apply access-lists, QOS etc.

3) Following on from 2 even if you can't match vlans to depts always look to have servers in their own vlans.

4) Readdressing. Usually 1 IP subnet per vlan so you will need to readdress some machines. If you use DHCP for clients that is a big plus.

5) Following on from 4 the use of "ip helper-addresses" for clients to get an IP address.

6) Are there any applications/servers that rely on layer 2 adjacency to work. If so make sure they go into the same vlan.

7) Inter-vlan routing. Where will you do it ie.

i) on a router with separate interfaces. Not very scalable and becomes expensive.

ii) On a router using 802.1q encapsulation on interfaces. Okay but a better option

iii) On a layer 3 switch.

Those are a few things to think about. I'm sure others will add to this list.



New Member

Re: VLAN'S implementation

Hi Jon,

I'd like to jump in here and ask a question regarding vlans. I work in a hospital with about 250 desktops and many departments. I see most responses to setting up VLANS is to segment by dept. Well, here I'd say 90% of our computers are accessing our hospital medical software (Meditech, btw) so I wonder if setting up VLAN's would show any benefit. For example, if I set up a separate VLAN for our Accounting Dept, they are still going to connect to Meditech more often than anything else, including email.

BTW, our core switch is a 4006 and our wiring closets are using 2950's with some D-Links and 3coms.


Hall of Fame Super Blue

Re: VLAN'S implementation

Hi Paul

Two things really.

1) Setting up vlans by dept. is more of an ideal than anything. In your case it looks like you do have defined depts. Where I work we don't so our vlans are defined by the floor ie. in our major sites we tend to have 2 vlans per floor for pc's/printers etc. So it's not always possible.

2) However if you can it is one good way to organise your network. Again it is a general assumption but in a lot of cases people in the same dept need the same sort of access. Now you say that they all need access to your Meditech system. That's okay because there will always be servers/systems in common to many users. But perhaps your accounts dept. also need access to financial systems on servers that other depts have no need to access. It's a lot easier to restrict access based on 1 IP subnet applied to one vlan interface than a lot of individual IP addresses across many vlans. And you may want to give priority to certain depts - again QOS implementation can be a lot more straightforward if it's based around vlans.

In short, if the dept/vlan model doesn't fit your business then don't use it, we certainly don't but it can be useful in some setups.


Hall of Fame Super Bronze

Re: VLAN'S implementation

Suppose you wanted to implement some kind of security layer on servers running the medical software application at the Layer2 and Layer3 layer?

Very hard to implement when users and servers reside in the same Vlan, correct?

Viruses can be transmitted to servers and from servers rather easily when you have the user and server subnet in the same Vlan.

It's Best Practice to separate that traffic since it gives you a more granular approach during troubleshooting. On a Flat network, blocking src and dst devices can be a hard task.
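
An added configuration sketch, not part of any post in this thread, of the points made in the replies above: servers in their own vlan, one IP subnet per vlan with DHCP relay, and access to a restricted server controlled by a single subnet match on the layer 3 switch. All vlan numbers, names and addresses are constructed for illustration, and a layer 3 switch running Cisco IOS is assumed.

```cisco
! Constructed addressing plan (assumption, not from the thread):
!   vlan 20   Accounting clients  10.10.20.0/24
!   vlan 30   Nursing clients     10.10.30.0/24
!   vlan 100  Servers             10.10.100.0/24
!     10.10.100.5   DHCP server
!     10.10.100.10  application server used by every dept
!     10.10.100.20  finance server, Accounting only
ip routing
!
vlan 20
 name ACCOUNTING
vlan 30
 name NURSING
vlan 100
 name SERVERS
!
! One ACL on the server vlan covers every client vlan. Access is
! decided by the source subnet, not by lists of individual hosts.
ip access-list extended TO-SERVERS
 remark only the Accounting subnet reaches the finance server
 permit ip 10.10.20.0 0.0.0.255 host 10.10.100.20
 deny ip any host 10.10.100.20
 remark the shared application server and the rest stay reachable
 permit ip any any
!
! Client SVIs: default gateway for the subnet plus DHCP relay, since
! the DHCP server is no longer layer 2 adjacent to the clients.
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.10.100.5
!
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
 ip helper-address 10.10.100.5
!
! Server SVI: "out" filters traffic routed from the client vlans
! towards the servers. Server-to-server traffic inside vlan 100 is
! switched at layer 2 and never passes through this ACL.
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
 ip access-group TO-SERVERS out
```

With users and servers in one flat vlan there is no routed hop between them, so there is no interface on which an ACL like this could be applied.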




New Member

Re: VLAN'S implementation

Thank you Jon and Edison. I found both answers to give me "food for thought" and rated both Very Helpful.