VLANs and subnetting

Hi all. I am new to VLANs. I have a requirement, and I want to know whether it is technically possible to do.

I have a link coming over Cat6 from the ISP to my switch. Network: 10.1.23.0/24

I have a few switches in my premises: Cisco 3560, 2960.

For certain of my applications, I need to create separate VLANs. As I understood, every VLAN has to be a separate subnet. Could I subnet the existing network of 10.1.23.0 into multiple subnets (/28 or /30 according to my needs) internally, create a separate VLAN for each subnet, and have them still talk to the ISP core switch as if it were a /24 network? I could do this and get it to work if it was purely for LAN purposes; however, the core switch of the ISP links me to my WAN (remote networks 10.1.1.0 ~ 10.1.22.0, 22 locations).

Each IP in this network needs to talk to every other network, and vice versa. I know that if I do not subnet the network, it works fine as a single VLAN.

Is there any way that I could have multiple VLANs and still have connectivity to and from my other networks, using the same subnet or subnetted subnets?

Thanks in advance

Techs

Reply to
tech.support.b

VLANs should be thought of, from an IP perspective, as if they are separate Ethernets. Which means, if you have multiple VLANs and each one is a different IP subnet, you will need an IP router (layer 3 switch) to tie them together. Just the same as you'd do with multiple different physical Ethernet LANs (or catenets, to be precise).

So the first question is, is the box that ties you to the ISP a VLAN-aware router? Or is it just a layer 2 switch? If it's just a layer 2 switch, you will need to add a VLAN-aware router in your premises. This would be a router which understands that the internal Ethernet connection is meant to represent multiple VLANs, and the router will then route IP packets to the correct VLAN according to its routing table.

But there's more, in this case. It sounds like you are trying to connect each end system, i.e. each host, directly to the same Ethernet? The one that incorporates multiple VLANs? Is that correct?

If so, then each host of your internal network will need to be "VLAN aware," meaning that these hosts need to understand the Ethernet header extension described in IEEE 802.1Q. Same goes for the router connected to this internal Ethernet. While layer 2 switches will often do this, I don't know how prevalent that is among end systems.

I'd consider installing the various IP subnets you need on separate Ethernets, rather than using VLANs. Use a different layer 2 switch for every IP subnet in this inside network.

Bert

Reply to
Albert Manfredi

I am limited by certain constraints here. Because of the physical dimensions of the building, we are concentrating the cables into 4 different points, so let's say around 6 switches. Each switch serves different applications, like VoIP, IPTV and data-only applications. That's why I want to create separate VLANs, so that I could isolate the traffic each app needs.

Second thing: our ISP, in each site, configures for us a class C network. So if I were to use multiple VLANs, that means multiple subnets. So only one VLAN, the one that comes from the ISP, would be able to communicate with the outside world. Maybe I could make the other VLANs communicate with the outside world using the gateway of the ISP's VLAN; however, I need other remote networks also to talk to my PCs inside, which fall into multiple subnets. Technically, the only subnet that my other networks will be aware of is the VLAN subnet provided by the ISP.

I hope you understood the problem here.

Thanks for the quick response

Techs

Reply to
tech.support.b

snipped-for-privacy@gmail.com wrote in part:

This is excellent practice, but why the mention of VLANs? The hardware switches will isolate traffic at a lower level. VLANs are more for situations where a cluster of distant machines has to get inside into one of these switches.

A real [externally routable] class C or just the 10.*.*.* private IPs you mentioned earlier? If real, are the 254 enough for your machines? You may need some NAT.

-- Robert

Reply to
Robert Redelmeier

Robert,

Well, for 5-6 machines of a single type originating from one point, I can't put a switch for each type. Instead I am using 48-port or 24-port switches. You get my address, right? It's difficult to put a switch for each type of application, as there are multiple concentration points.

It is private IPs, 172.x.x.x; however, they should also be externally routable, completely throughout our WAN, meaning all other remote sites. 254 IPs are more than sufficient for me. Each PC of this site, 172.x.A.x, should talk to every other PC in every other location: 172.x.B.x, 172.x.C.x, 172.x.D.x. There is no internet connectivity. It's purely data/voice.
Reply to
brijeshmathew


snipped-for-privacy@gmail.com wrote in part:

That's fine, but the general idea is to try to keep most traffic local to the switch and minimize the "uplink". Servers and apps/users should be on the same switch. Multiple servers/apps on the same switch are fine. Try to avoid putting the servers all on one switch and the apps/users on others (although this is often done and can explain poor performance).

Yes, that is done with VLANs. Again, try to keep sources and sinks close. At least for the majority of traffic. VLAN is only a Virtual LAN, it is not a real one. Bandwidth may be a problem, and latency almost certainly is.

-- Robert

Reply to
Robert Redelmeier

Okay so far. Hosts are not typically VLAN-aware, so assuming that each switch can be configured to assign its end host ports to a particular VLAN, and the router/NAT port is configured to be the VLAN-aware "trunk link," you can partition the internal network traffic as you describe, and assign priorities differently for each VLAN.

However, to make this short, if you're saying that each PC may have to belong to multiple VLANs (e.g. a given PC may need to use VoIP and IPTV, along with text or file transfers), then I'd probably scrap the VLAN idea entirely.

Sure, if you get one /24 net and you must create multiple /26 or /28 nets, or what have you, you'll need physically separate Ethernets or VLANs. And since you mentioned the private IP addresses used inside, you'll need a NAT before these internal hosts can communicate with the outside. The NAT will have to be VLAN-aware, or the NAT can be connected to a VLAN-aware router behind the NAT.

If each PC might need to belong to, say, the text, VoIP, and IPTV VLANs, then it makes more sense to just use one LAN inside. At most, you might use the priority options of 802.1Q, to differentiate between traffic categories, assuming these hosts can decode the extended Ethernet header. So that would sort of provide some idea of QoS differentiation for the different types of traffic within the office. Personally, I'd just over-provision the internal network. I have to believe the WAN link is the bottleneck, not the internal LAN. These VLANs will only segregate the traffic internally.

The only case where VLANs would make sense is if you're trying to keep the individual PCs on separate IP subnets. As in, IPTV PCs must be separate from VoIP PCs. Or accounting PCs must be kept separate from engineering PCs. If this isn't your goal, then simplify by not creating separate VLANs, or separate IP subnets, inside. That would be my approach.

Bert

Reply to
Albert Manfredi

By the way, I also am not sure I understand this part. If the ISP configures you as a single /24 IP subnet, it must mean that he assigns you 254 public IP addresses, right?

If that's the case, then there is no need to use private IP addresses inside your premises. In principle, you can subnet that ISP /24 net in any way you like, use an internal router, and perhaps use DHCP internally to assign public IP addresses to each PC.

So whether you do want to use separate VLANs and separate IP subnets, or just make the internal network a single /24 subnet, you would never need to bother with a NAT. Just take the ISP's addresses and subnet them. You'll lose a few host IDs, but it sounds like 254 is plenty anyway. Or just use the addresses as is, in a single subnet. Not sure I understand why not.

Bert

Reply to
Albert Manfredi

The switching within the 3560s / 2960s will isolate the traffic for you, and minimise "spill" between devices.

Routing adds more complications and structure, and sometimes you don't need VLANs, routing etc. to get the job done.

Unless you need to ring-fence parts of yours for specific reasons you haven't explained yet, it doesn't sound like you need VLANs or multiple subnets.

Maybe this has come from some recommendation, or device assumption? E.g. many IP phone setups assume you have the phone traffic in 1 VLAN and a cascaded device like a PC in another.

Anyhow, the 3560s are layer 3 switches and can do routing internally, so you have router(s) available to you.

You can dice the 10.x or whatever block you have with a router; that isn't a problem (although each resultant bit is a power of 2 in size, and subnetting will mean you waste some of that address space).

Once you do that, ideally you would alter each attached device's IP config to have the correct subnet mask and default gateway for the specific subnet it is in. You can spoof your way around this, but that may make for complications and confusion later.

Not really; I would see if "no subnets" is the correct response first....

Reply to
stephen
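As an added illustration of two points raised in this thread (it is not code from any of the posters): the original question of carving the ISP's 10.1.23.0/24 into /28 or /30 pieces for separate VLANs, and Stephen's notes that each piece is a power-of-two size that wastes some addresses and that every attached device then needs the matching mask and default gateway. The VLAN names, prefix lengths and host addresses below are constructed for the example; only 10.1.23.0/24 comes from the question. The script uses the Python standard library's ipaddress module, which handles the power-of-two alignment.

```python
"""Subnet-planning helper (added example; not code from the forum posters).

It carves an ISP-assigned /24 into per-VLAN subnets, shows how many host
addresses each power-of-two carve-out costs, and checks that a host's mask
and default gateway agree with the subnet it is meant to sit in. The VLAN
names and prefix lengths are constructed for illustration; 10.1.23.0/24 is
the block from the original question."""
import ipaddress

ISP_BLOCK = ipaddress.ip_network("10.1.23.0/24")

# Constructed plan: one subnet per application VLAN, sized by expected host count.
WANTED = {"data": 26, "voip": 27, "iptv": 28, "mgmt": 30}


def carve(block, prefix):
    """Split `block` into equal subnets of `prefix` length.
    Returns a list of (network, usable_host_count); the network and broadcast
    addresses are subtracted from every subnet, which is the 'waste' that
    subnetting introduces."""
    return [(net, net.num_addresses - 2) for net in block.subnets(new_prefix=prefix)]


def plan(block, wanted):
    """Allocate subnets of differing sizes from `block`.

    `wanted` maps a VLAN name to a prefix length. The largest subnets are
    placed first so the power-of-two alignment never strands space between
    them. Returns {name: network}; raises ValueError if the block is too small."""
    free = [block]
    result = {}
    for name, prefix in sorted(wanted.items(), key=lambda kv: kv[1]):
        for chunk in sorted(free):
            if chunk.prefixlen <= prefix:
                sub = next(chunk.subnets(new_prefix=prefix))
                result[name] = sub
                free.remove(chunk)
                free.extend(chunk.address_exclude(sub))  # keep the leftover pieces
                break
        else:
            raise ValueError(f"no room for {name} (/{prefix}) in {block}")
    return result


def usable_hosts(planned):
    """Total host addresses actually usable across all planned subnets."""
    return sum(net.num_addresses - 2 for net in planned.values())


def check_host(ip, mask, gateway, planned_net):
    """Return a list of problems with one host's IP configuration.

    This is the per-device check to run after subnetting: the mask must place
    the host in its planned subnet, and the default gateway must be an address
    inside that same subnet."""
    problems = []
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    gw = ipaddress.ip_address(gateway)
    if iface.network != planned_net:
        problems.append(f"{ip}/{mask} lands in {iface.network}, expected {planned_net}")
    if gw not in planned_net:
        problems.append(f"gateway {gateway} is outside {planned_net}")
    if iface.ip == gw:
        problems.append(f"host address {ip} collides with the gateway")
    return problems


if __name__ == "__main__":
    planned = plan(ISP_BLOCK, WANTED)
    for name, net in planned.items():
        print(f"{name:5s} {net}  usable hosts: {net.num_addresses - 2}")
    print("usable in plan:", usable_hosts(planned), "of", ISP_BLOCK.num_addresses - 2)
    # A host that kept the old /24 mask after the VLAN split fails both checks.
    for problem in check_host("10.1.23.70", "255.255.255.0", "10.1.23.1", planned["voip"]):
        print("problem:", problem)
```

With the constructed plan the four VLANs take 10.1.23.0/26, 10.1.23.64/27, 10.1.23.96/28 and 10.1.23.112/30, leaving 108 usable host addresses in those subnets against the 254 of the flat /24; carving the whole block into sixteen /28s would give 224. Each of those subnets still needs a routed interface (on the 3560 or another router) before hosts in different VLANs, or the remote 10.1.x.0 sites, can reach them.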
