Need VLAN design suggestions

oalexis
Level 1

Hi folks,

I am currently upgrading my backbone to gigabit ethernet over fiber. I just got some new switches: a 4000 at the core and 2950s for each floor.

1) We have three floors with about 150 clients total.

2) We already have two subnets: one for the web server domain and the other for corporate.

3) I want to keep it simple and put the routing power of the 4000 to use.

I was thinking I could have three VLANs: one for the clients, one for the servers, one for the web domain. Any other ideas? Does it matter that broadcasts will be going over the fiber links? If so, how can I stop this?

Thanks

3 Replies

Tiger905
Level 1

If you are using IP only (no IPX), with 150 users, there's no need for your corporate VLAN to be split up. IP does not generate a lot of broadcasts. Routing between the servers and client workstations will not gain you anything. As for broadcasts and multicasts, try limiting them on the gig ports running to the core.

And definitely get someone who knows how to use NAI's Sniffer and baseline your server response times.

Hope this helps. Good luck.

Hi,

my opinion is:

1) IP does not generate a lot of broadcasts. But Windows DOES. See http://www.cisco.com/warp/customer/473/winnt_dg.htm for details.

If you are building a new network I recommend that you ROUTE between servers and clients even while it is not necessary just now. But it gives you possibilities for the future: access restrictions for some user groups to some servers, moving some servers to another site with no problem, etc., etc.

2) Another question is the management VLAN and VLAN1 problem. You can read different recommendations in some Best Practices guides: usually it's recommended to use a separate VLAN for network device management (see http://www.cisco.com/warp/customer/473/103.html, e.g.).

I agree but my personal opinion is:

Use VLAN1 as management VLAN and move users to other VLANs. Also leave VLAN1 as the native VLAN on 802.1q trunks.

This approach is not recommended from a security point of view. The arguments are: VLAN1 is the default one, so if you connect a new (or intruder) switch to the network, all its ports are in VLAN1, and if you lose or misconfigure your current switch config, it might be possible to connect to your management VLAN.

There are also some "VLAN hopping" attacks described using native VLAN1 on trunks. BUT I've seen so many IOS bugs caused by VLAN1 not being the management VLAN or VLAN1 not being native or VLAN1 not allowed on trunks that I think not using VLAN1 as management just brings you problems. But I agree it might be a good idea to move users to other VLANs - broadcast storms will not disrupt your management access, and also attacks from user ports would be much more difficult.

Regards,

Milan
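The separate management VLAN and trunk hardening that Milan's post refers to, plus the broadcast limiting on the core uplinks that Tiger905 suggests, shown as an added IOS configuration example for one of the 2950 floor switches (not from the thread or from Cisco's guides; the VLAN numbers, addresses and interface names are assumed):

```cisco
! --- Weak (default) state: management SVI on VLAN 1, trunk with native VLAN 1, all VLANs allowed ---
interface Vlan1
 ip address 10.0.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 switchport mode trunk
!
! --- Hardened: dedicated management VLAN, unused native VLAN, trunk pruned to the VLANs in use ---
vlan 10
 name CLIENTS
vlan 20
 name SERVERS
vlan 30
 name WEB
vlan 99
 name MGMT
vlan 999
 name NATIVE_UNUSED
!
! VLAN 1 keeps no IP address and no user ports, so a misconfigured or foreign switch
! whose ports default to VLAN 1 does not land in the management network.
! (A 2950 allows only one active SVI, so VLAN 1's interface is shut before VLAN 99 comes up.)
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description switch management (assumed address)
 ip address 10.0.99.2 255.255.255.0
!
! Fiber uplink to the 4000: only tagged VLANs cross it; untagged frames fall into
! VLAN 999, which has no SVI and no ports. The allowed list keeps a VLAN's broadcasts
! off the fiber unless that VLAN is actually in use on this floor, and storm-control
! caps broadcast traffic on the gig port as Tiger905 suggests.
interface GigabitEthernet0/1
 description uplink-to-core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,99
 switchport nonegotiate
 storm-control broadcast level 10
!
! User ports: fixed access mode, no DTP negotiation, BPDU guard against a rogue switch
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
```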

Many thanks for your input guys. You both present great arguments. Therefore I am still unsure whether to create three VLANs or not. I guess I'll have to do some more research to see what most people would do.

Really appreciate your input guys.

Many thanks
