
I'm the new network manager for a school. I've inherited an environment made up of several Windows servers, about 100 Windows clients, 10 printers, 1 Cisco router, 6 Cisco switches, and 1 HP switch. Also, we're using VoIP.

There are four floors in our building. The hosts on each floor are assigned to a separate VLAN. An office on the first floor has its own VLAN. All the switches are on their own VLAN. The IP phones are on their own VLAN. And the servers are on their own VLAN.

For the number of hosts on the network, are all these VLANs really buying me anything? I'm new to the VLAN concept but it seems overly complicated for this environment. Or it's genius and I just don't get it?

Zanon
kleefaj
  • This other question might be useful to you where it discussed the merits of subnetting. Similar issues come into consideration and you might find the answers there helpful: http://serverfault.com/questions/2591/when-why-to-start-subnetting-a-network – Tall Jeff Sep 08 '10 at 15:16

7 Answers

Most of those VLANs make sense to me. It's good to split by function so a VLAN for servers, one for phones, and another for workstations makes good sense. You can then get fine control over the traffic flowing between workstations and servers.

What I don't see much point in is having VLANs for workstations on each floor. A single VLAN for all workstations would keep things nice and simple. Spanning VLANs across multiple switches/trunks probably won't be an issue for a network that small.

It's also pretty pointless to maintain a separate VLAN for switch management. They can sit happily on the server VLAN.

Nothing magical about VLANs BTW... just separate broadcast network segments with each requiring a default gateway and the appropriate ACL configuration on network ports.

Chris Thorpe
  • Actually a separate network for management is a must on most business networks to prevent inside attacks on equipment. Setting up a port for management only is easy and IMHO strongly recommended – morleyc Jul 03 '14 at 04:26
Well, it could be useful to have separate VLANs for data (computers) and VoIP, so you can apply some sort of traffic prioritization. Separate VLANs for management of switches are also useful. Separate VLANs per floor seem maybe too much for 100 PCs, unless you plan to expand in the future.

Daniele Santi
  • Totally agree. Certainly you should separate out your VOIP. Separating your Servers and network management is fine. A printer VLAN can be argued either way. Separating by floor is overkill at your environment size. – gWaldo Sep 08 '10 at 12:09
VLANs let you divide your network in smaller logical segments; this helps both in improving manageability and in limiting unnecessary broadcast traffic.

For such a small network it might actually be overkill: you could easily handle ~100 network objects with a single VLAN and IP subnet. But I think you should stick to this configuration, for two main reasons:

1) It improves manageability; if you know, e.g., that servers are in 192.168.1.X and clients are in 192.168.100.Y, it's easier to manage them. If all your addresses were in the 192.168.42.Z subnet, how could you (easily) distinguish between them?
2) It scales a lot better. If you ever move from ~100 to > 200 network objects, a single /24 IP subnet will suddenly seem a lot smaller, and a single bigger one will very easily become a mess.


For the purists: yes, I know very well that VLANs and IP subnets don't necessarily have a strict 1:1 mapping; this is only the most common use for them, which seems to be what the OP is referring to.

Massimo
  • IP subnets are a way to compartmentalize logical networks - as are vlans. Using both is unnecessary and over-complicates the situation. For an IP network, there are additional advantages to using subnetting compared with vlans - so the latter is IMHO redundant. – symcbean Sep 08 '10 at 11:16
  • And how exactly would you use IP subnets without VLANs and layer-3 switches, if you don't have some routers around? – Massimo Sep 08 '10 at 12:36
  • @symcbean: Yeah-- what Massimo said. I'm all ears. – Evan Anderson Sep 09 '10 at 23:13
  • layer-3 switches? no routers? - I'm sure you add embellishments to the original question for days which my answer doesn't address. – symcbean Sep 10 '10 at 08:33
  • @symcbean, if you want to divide your network into multiple IP subnets, you'll also need something to divide them at layer 2, unless you want to run many IP subnets on the same Ethernet segment; and, even if you wanted to do that, you'd *still* need something to make them talk, i.e. a router (or firewall). A single good switch, like a Cisco one, can do both using VLANs for Ethernet segmentation and VLAN IP interfaces for routing; but if you don't want to use them (why?), you'll need different physical switches and at least one physical router. – Massimo Sep 10 '10 at 11:06
The other advantage of this design is that you can enforce Access Control Lists on the router, so that communications between VLANs are limited, and you can protect the Windows servers from enthusiastic students.

Mitch Miller
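An added example, not code from the thread, of what the split described in Chris Thorpe's, Daniele Santi's and Mitch Miller's answers (servers, workstations, voice and switch management on their own VLANs, with ACLs between them) looks like on a single Cisco layer-3-capable switch, i.e. the "VLAN IP interfaces for routing" Massimo mentions in the comments. VLAN numbers, subnets, port ranges, the admin host and default-gateway addresses, the 3560-class platform and the permitted service ports are all assumptions chosen for illustration, not taken from the question.

```cisco
! Added example (not from the thread). Assumed: a Catalyst 3560-class
! switch with IP routing; all VLAN IDs, subnets and ports are illustrative.
ip routing
!
vlan 10
 name SERVERS
vlan 20
 name WORKSTATIONS
vlan 30
 name VOICE
vlan 99
 name MGMT
!
! One routed interface (SVI) per VLAN: the default gateway of that subnet.
! An ACL applied "in" on an SVI filters what hosts on that VLAN send.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group WORKSTATIONS-IN in
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
!
! Workstation ports: data VLAN untagged, voice VLAN tagged for the IP phone
! daisy-chained in front of the PC (the phone gets VLAN 30 via CDP).
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 spanning-tree portfast
!
! Server ports
interface range GigabitEthernet1/0/25 - 28
 switchport mode access
 switchport access vlan 10
!
! Uplink to another switch: a tagged trunk carrying only the VLANs it needs
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
!
! Default route toward the Cisco router (assumed address) for everything else
ip route 0.0.0.0 0.0.0.0 192.168.10.254
!
! Workstations reach the servers only on the services they need.
! Assumed list: DNS, Kerberos, LDAP, SMB. A real AD domain also needs
! RPC (TCP 135 plus the dynamic range), so adjust to the actual services.
ip access-list extended WORKSTATIONS-IN
 permit udp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 53
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 53
 permit udp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 88
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 88
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 389
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 445
 deny   ip  192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 ! Workstations have no business on the management or voice VLANs
 ! (drop the voice line if you run softphones on the PCs).
 deny   ip  192.168.20.0 0.0.0.255 192.168.99.0 0.0.0.255
 deny   ip  192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip  192.168.20.0 0.0.0.255 any
!
! Only the admin host (assumed 192.168.10.50) may open a CLI session
! to the switch itself, and only over SSH.
ip access-list standard ADMIN-HOSTS
 permit 192.168.10.50
line vty 0 15
 access-class ADMIN-HOSTS in
 transport input ssh
```

To check the result: `show vlan brief` lists which ports landed in which VLAN, `show interfaces trunk` confirms the uplink carries only the allowed VLANs, and `show ip access-lists WORKSTATIONS-IN` shows per-entry hit counters, so a workstation that cannot reach a server can be traced to the exact line that dropped it. Two caveats a practitioner will want: these ACLs are stateless (there is no connection tracking, so the server side is left unfiltered here to let replies flow), which is the substance of symcbean's point below that a firewall does this job better; and the management restriction protects the switch CLI, not the printers or other devices that may also sit on VLAN 99.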
IME you are in the ball park where segregation of traffic across networks will improve performance. However the division of the VLANs seems to have been decided on the basis of the function of the member nodes rather than any effort for managing bandwidth. Certainly with this number of nodes you could get the same aggregate bandwidth by intelligently planning where you put switches rather than using vlans.

Without seeing a detailed diagram and getting some real measurements it's hard to say for sure, but I suspect that the setup you describe is giving you no performance benefits and lots of admin headaches.

you can enforce Access Control Lists on the router

Not a good reason for using vlans - use subnets, firewalls and switches.

symcbean
  • How do you see it improving performance? What specifically about VLAN's improves performance? Thanks. – joeqwerty Sep 08 '10 at 11:49
  • What specifically about VLAN's improves performance? Nothing. Passing CSMA/CD traffic across more than one wire in parallel (which is easiest to do based on src/dst) decreases collisions, increases optimal and effective bandwidth. – symcbean Sep 09 '10 at 09:00
  • That's what I thought you meant; that VLAN's help eliminate the conditions that lead to decreased performance, but they don't actively increase performance. Thanks for clarifying. – joeqwerty Sep 09 '10 at 14:59
I'd agree with the answers you have already.

Do you need VLANs? In other words are they "necessary" if we want to stick pedantically to what you ask in the title of your question? Probably not. Is it a good idea given the variety of traffic you have? Probably, yes.

There isn't a right or wrong answer, it's a question of different designs and what the designer was hoping to achieve...

Based on what you've said I agree with the comments about not needing a VLAN "per floor", but without knowing more about your setup (though I am a college network manager so I have some general idea) it's possible for all we know that you have programming classes all on one floor, admin office on another, etc. and the current workstation VLANs are not about separating floors but rather about separating functions, so the programming classes can't possibly disrupt use of the LAN for word processing in other lessons, students can't easily connect to administrative workstations, maybe you have a requirement for dedicated PCs for electronic exams, and so on. If something like that is going on then maybe the extra workstation VLANs start to make more sense.

I don't suppose any documentation exists explaining the design choices made by the person who initially set this all up?

Rob Moir
  • No documentation at all. None. Zero. I have to guess why it's set up the way it is. Perhaps when I know more about VLANs the logic (or lack of) will become known to me. Some are clear: business office, switches, servers, phones, but otherwise it's by floor. – kleefaj Oct 07 '10 at 11:43
  • Maybe the person who set it up learnt how to create VLANs for the parts where it made sense then just went a bit crazy. You know how it is, when all you have is a hammer and a lot of enthusiasm, it doesn't take long for everything to start looking like a nail. I guess the question at this point might be: Will it be more disruptive/annoying/whatever to change it or to leave it as it is? – Rob Moir Oct 07 '10 at 13:18
  • @kleefaj - actually the lack of documentation in your case may help you to understand the setup better since you will have to map it all out and document it yourself (which you should definitely do) and figure out how the different segments talk to each other. Since your current knowledge about VLANs is limited, this will be a great learning opportunity for you and will help you design a better network configuration for your org once you fully understand the current setup. – August Dec 28 '10 at 13:49
VLANs segregate broadcast traffic. You don't have enough computers to worry about that. VLANs often but not always align with subnets. VLANs also let you apply some limited ACLs. Switch ACLs can be a lot of upkeep with little benefit. Firewalls separate traffic better; ACLs on switch ports can get messy.

The only argument I see for adding VLANs is if you also change your IP addressing scheme. Now, I think with only 4 floors that may be overkill.

In a company I used to work for we had a dozen buildings at our main campus and a few satellite campuses, so we had an IP addressing scheme that allowed us to tell by an IP address what building a device was in. That's my 2 cents, for what it's worth.

JamesBarnett