strange use of VLANs

Hi there, I have this infrastructure:

5 catalyst 2950G with 24 F.Eth. ports and 2 Gigabit ports
1 catalyst 3508G-XL with 8 Gbit ports
1 router 1721 with ADSL module
1 pix 506e
around 240 Windows PCs with a static IP like 10.155.254.0/24
there's also an old 3620 router that I can use if necessary

The five 2950s are connected to the 3508 with optic fibre cables. The 1721 router is connected to one of the F.E. ports on one of the 2950s and "gets out" to the internet with an ADSL module (it also has an internet static IP). Considering that I'm already quite confused, I did not use the pix yet ;-)

My aim is this:

- to create 6 VLANs to limit broadcast domains: each VLAN should include all the ports of one of the 5 switches, except for the switch to which the router is connected, which has to be divided into 2 VLANs.

- to let all the PCs access the internet through the router

- to let all the PCs reach any other PC on the LAN (I know that this decision is quite stupid :-) )

In short, all this mess is to start segmenting, at layer 3, a LAN that has grown too much.

I should respect these constraints:

- NOT to change any of the IP addresses of the connected PCs

- to limit as much as possible the load on the router, which is already quite busy letting all those PCs surf the web ;-)

I managed to accomplish only a part of the work:

1) configure every Gbit port as an 802.1q trunk link
2) configure the port to which the router is attached as an 802.1q trunk link
3) assign all the ports on the first 2950 to VLAN 1 (static access)
4) assign all the ports on the second 2950 to VLAN 2 (static access)
5) assign all the ports on the third 2950 to VLAN 3 (static access)
6) assign all the ports on the fourth 2950 to VLAN 4 (static access)
7) assign the first 12 ports on the fifth 2950 to VLAN 5 (static access)
8) assign the remaining 11 ports on the fifth 2950 to VLAN 5 (static access) [the last port is the trunk link to the router]

I have some questions:

- only PCs connected to the same switch as the router can access the internet. Why? Aren't trunk links accessible by every VLAN?

- how do I connect all the VLANs to each other, considering that the 3508 can't (I think) do inter-VLAN routing and that the router isn't (I think) powerful enough to do all the routing?

- if I assign two VLANs two IPs like 10.155.254.0/24, the Catalyst puts one VLAN in shutdown mode: where can I read why this is happening?

- is there another way to limit broadcast domains without doing all this mess? ;-)

- where do I find something to study about "routing-on-a-stick"? It seems to me that this could be useful in my case.

- how much more difficult does the situation get if I replace the router with the pix and put the router "behind" the pix (the pix would serve only as basic firewall protection for the web)?

I know that these are a lot of questions and that many of them are quite dumb but please help me anyway. Thanks a lot!

blu_aqua


When you have multiple VLANs, it's just as if you had two separate hubs or switches. The two VLANs can't talk to each other except by going through a router, and they can't talk to another LAN or VLAN with the same IP subnet unless you use NAT to translate the addresses. That is, VLAN1 could think it is 10.155.254.0/24, VLAN 2 is 10.155.242.0/24, VLAN3 is 10.155.243.0/24, etc. If everybody uses DNS to find the other PCs, that could be transparent, but if every PC knows every other PC's IP address, it won't work, of course. And although your 2950 could be set up as a trunk router to do the routing and address translation (I think), I doubt it would be up to the task (meaning if it had enough power, you probably wouldn't have a problem to fix).

Since you have switches, not hubs, I assume you have verified that there is enough broadcast traffic to cause a problem; if not, maybe there is not a problem. If you need to be able to add 20 more PCs, then just change to a 10.155.254.0/23 subnet (or 10.155.252.0/22, etc.).

If the problem is broadcast and you DON'T need to add PCs, just split into two subnets, 10.155.254.0/25 and 10.155.254.128/25 (after re-addressing any PC that is on 10.155.254.127 or 10.155.254.128) and route between the two subnets. You will need to set up default routes and change everybody's subnet mask at one time.

A better long-range solution would be to set up several new subnets, say 10.155.240.0/24 through 10.15.245.0/24, with nobody on them. Use the 2950 (or a layer 3 switch?) to route using a trunked connection, but you will probably need a router with more power "soon". Everybody will still be on VLAN 1. Then, in logical groups (the people who most often communicate with each other), move users to new subnets on new VLANs.

Or maybe you should switch to DHCP and DNS and get rid of fixed IP addresses first; that would make future changes easier.

sqrfolkdnc


My problem with this decision is that you are going to increase the routing load at the 172 (unless the 3508 can add routing) ... and not decrease broadcast burdens except at each of the 2950s.

Some switches do double duty as a switch and a layer 3 router. You end up assigning a virtual IP address to the router module in each VLAN. This provides a routing interface (which is your default gateway in each VLAN).

I think "routing on a stick" is usually used to describe a trunked connection to a router (trunked Ethernet to your 1721). But if you think the 1721 can't handle routing to the internet, how's it going to handle routing to the internet AND intranet routing between the new subnets?

If the 1721 can't handle routing to your internet DSL, it probably never will, until you figure out what is really wrong.

If internet browsing is slow and everything else is fast, then it is likely Internet link saturation, either from legal traffic or illegal traffic (worms, viruses, spyware).

IF broadcasts are really an issue, you may have a physical loop (spanning tree issue) or even a router misconfig that is looping broadcasts (a storm). I've seen an entire building drowning in 15Mbps of pure broadcast from one router. If you run Windows 9X PCs, make sure you remove all protocols but TCP/IP. Every protocol you add to the network configuration increases the size of broadcasts. Windows 9X PCs would set up MS NetBEUI & Netware IPX/SPX when most people should have only used TCP/IP. XP/2000 didn't do this. Can't recall if NT was dumb like that. IF you are running NetBEUI on win9x, you'll need to make sure TCP/IP is using NetBIOS over TCP/IP and using DNS for name lookups. If you've got WINS running this shouldn't be an issue.

You may also have out-of-control clients or servers. Worms and trojans can install network scanners that will keep your network very busy, especially if you get a couple installed. An experienced person with a sniffer could be more specific, but I understand you are limited in your situation.

Excessive broadcast domains is a popular scapegoat amongst professionals to throw their collective hands up and say nothing can be done until you segment your traffic. This is also a great way to sell excessive equipment. Typically I see corporations with 10x-50x the firepower they need for the projected future. And all too often the 10x-50x excess power is eaten up by bad configs, poor management policies and errors. I'm working with a large client whose dual-core with multiple dual-distribution, dual-fiber'd, UPS-everywhere gigabit network, costing more than $2.5 million just 32 months ago, can't handle 60mbps across the core routers. They are maxed out at 100% CPU. Every problem in existence has been blamed on the old-style giant subnets. While these are a problem, they are far from the only one here, and no Cisco tech or CCIE that has been on site has solved or improved the other issues that I'm trying to clean up.

DiGiTAL_ViNYL (no email)

DigitalVinyl

"sqrfolkdnc" wrote in message news: snipped-for-privacy@g14g2000cwa.googlegroups.com...

Thanks for your answer. Maybe this question is dumb :-) but... why do I need NAT to connect two VLANs with the same IP subnet? If I keep IPs unique and I connect the VLANs using a trunk link... aren't things going to be as if I am connecting two hubs with an "uplink" cable? In case NAT is mandatory: who should (and is able to) take care of it? The 2950? The 3508?

What if I use the old 3620 to do the routing and the NATing?

I probably will do so... is the PIX 506e able to act as a DHCP server? If yes, I'll use it as a DHCP server to assign all the PCs new addresses in a larger subnet, and not care about broadcasting, which, in the end, is not such a big issue :-) The output from "sh int" follows... do you agree that broadcast traffic is not excessive?

---------------------------
FastEthernet0 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0011.204c.7444 (bia 0011.204c.7444)
  Description: $FW_INSIDE$$ETH-LAN$toLan
  Internet address is 10.155.254.1/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:12, output 02:08:02, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/600/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     50474581 packets input, 1080727964 bytes
     Received 856447 broadcasts, 0 runts, 0 giants, 0 throttles
     7905 input errors, 0 CRC, 0 frame, 7905 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     15823715 packets output, 771427585 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

---------------------------

If the router is "behind" the firewall I will not be able to use it as a DHCP server... will I?

Thanks

blu_aqua


That link is VERY idle when you were looking at it. The broadcast level is about two percent of traffic, which over time sounds reasonable. Percentages can be tricky though, cause offices are idle 66% of the day, but broadcast levels continue as long as a device is left on. You could also have network-based backup and synchronization which will create massive loads of unicast traffic, skewing percentages. But I wouldn't think you had too serious a broadcast problem from that one number.

If you want to be certain, audit each of your switches. Clear the counters, wait 15 minutes, then note any ports that have much higher multicast/broadcast received (that is, broadcasts the switch RECEIVES from the connected device). Servers, routers and crossovers will always have higher numbers. (Services are broadcast, so the more services on a server/router, the more broadcast.)

Just so you have a ballpark idea, some service broadcasts/multicasts typically go out every 15, 30, 45 or 60 seconds. Those are typically heartbeat styles, but only one packet. More common broadcasts only get sent out once every 5-15 minutes! To give you a metric, my Windows XP PC put out 18 broadcasts in 15 minutes, most of which were vain attempts to find a domain controller and share that don't exist on this network. Misconfigurations generate a higher than normal broadcast level from a PC.

A multi-city network with 55 users locally and 100 users online worldwide, using 2 protocols (one of which had broadcasts bridged globally) produced a network-wide high of about 7 broadcasts per second.

DiGiTAL_ViNYL (no email)

DigitalVinyl
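A small parser for the counters in the "sh int" dump above that computes the broadcast share the reply estimates by eye, plus the two caveats it raises (idle link, counters never cleared). This is an added example, not code from the thread; SAMPLE is a constructed excerpt of the poster's output containing only the lines the parser needs.

```python
import re

# Constructed excerpt of the "sh int" output posted in the thread (values copied
# from that post; only the lines this parser reads are kept).
SAMPLE = """\
FastEthernet0 is up, line protocol is up
  Last clearing of "show interface" counters never
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     50474581 packets input, 1080727964 bytes
     Received 856447 broadcasts, 0 runts, 0 giants, 0 throttles
     7905 input errors, 0 CRC, 0 frame, 7905 overrun, 0 ignored
     15823715 packets output, 771427585 bytes, 0 underruns
"""

# Integer counters to extract; the first capture group of each pattern is the value.
PATTERNS = {
    "packets_in": r"(\d+) packets input",
    "broadcasts": r"Received (\d+) broadcasts",
    "input_errors": r"(\d+) input errors",
    "overruns": r"(\d+) overrun",
    "in_pps": r"input rate \d+ bits/sec, (\d+) packets/sec",
}

def parse_show_interface(text):
    """Return the counters as ints, plus whether they were ever cleared."""
    counters = {}
    for name, pat in PATTERNS.items():
        m = re.search(pat, text)
        if m is None:
            raise ValueError(f"counter not found in output: {name}")
        counters[name] = int(m.group(1))
    counters["cleared"] = "counters never" not in text
    return counters

def broadcast_share(counters):
    """Broadcasts as a percentage of all packets the interface received."""
    return 100.0 * counters["broadcasts"] / counters["packets_in"]

def assess(counters):
    """The observations the thread draws from these numbers, as text lines."""
    notes = [f"broadcast share {broadcast_share(counters):.2f}% of input packets"]
    if not counters["cleared"]:
        notes.append("counters never cleared: the share is a lifetime average, not a current rate")
    if counters["in_pps"] == 0:
        notes.append("5-minute input rate is 0 pps: the link was idle when this was captured")
    if counters["overruns"]:
        notes.append(f"{counters['overruns']} input overruns: the router could not keep up with incoming bursts")
    return notes
```

Run `assess(parse_show_interface(SAMPLE))` to get the four findings for the posted dump; feed it the full output of `show interface` on any IOS box to repeat the check.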

Some confusion here...

If your VLANs are

10.155.242.0/24
10.155.243.0/24
10.155.254.0/24

no NAT is needed; they are independent and routable. They must be NAT'd to access the Internet because 10.0.0.0/8 is not routable across the net. Your internet router is doing this already.

If your VLANs were mistakenly configured to use default subnets...

10.155.242.0/8
10.155.243.0/8
10.155.254.0/8

then you would need NATs, because each VLAN uses the same overlapping address space.

Now, because TCP/IP-based broadcasts do not propagate to the other VLANs, PCs won't see each other, unless you have an architecture that bridges the networks to allow them to know of each other's addresses and very existence. WINS, ADS and DNS serve this purpose.

A PC in VLAN1 will hear all the VLAN1 PCs chattering through broadcasts and know about them through any common protocol. But it won't know about the existence of VLAN2 or VLAN, what PCs or servers are there or what IP addresses they use. If you run a Microsoft domain with WINS, AD or dynamic DNS, each PC will be browsable by contacting your WINS server. Basically the WINS/ADS server knows about everybody and you talk to WINS/ADS to browse all available PCs/servers.

If you lack that structure, you must populate DNS *AND* the LMHOSTS file of every PC with the NAME/IP address of every remote server, otherwise PCs can't get to them.

The firewall would have to act as a DHCP HELPER, basically forwarding DHCP requests to the next network. If your firewall can't do this, MS Windows servers can, so if you have any server in that network it can act as a DHCP forwarder (helper). I can't recall if the pix does this, never had need for it. If it helps, any Windows NT/2000/2003 server can act as a DHCP server and would be better at it than the router. DHCP on Windows allows for static assignments (called reservations) very easily (where the MAC of a specific NIC would always get the same DHCP lease). This avoids hard-coding IP addresses in printers and PCs and allows IP management from a single server when done right.

DiGiTAL_ViNYL (no email)

DigitalVinyl
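The addressing checks behind both sqrfolkdnc's subnet advice earlier in the thread (split 10.155.254.0/24 into two /25s, or grow it to a /23 or /22) and the overlap point just above (two VLANs on the same or a /8 subnet cannot be routed, only NATed), written as an added example with Python's standard ipaddress module. It is not code from the thread; the VLAN plans are constructed to match the cases discussed.

```python
import ipaddress
from itertools import combinations

def overlapping_vlans(plan):
    """Return [(vlan_a, vlan_b)] for every pair of VLANs whose subnets overlap.

    plan maps a VLAN id to a CIDR string. Overlapping subnets cannot be routed
    between: a router has no way to decide which VLAN a destination belongs to.
    That is why the Catalyst shuts down the second interface given the same
    /24, and why only NAT could join VLANs that all sit in 10.0.0.0/8.
    strict=False lets '10.155.242.0/8' parse the way a mis-set default mask
    would be interpreted (as 10.0.0.0/8) instead of raising.
    """
    nets = {vlan: ipaddress.ip_network(cidr, strict=False) for vlan, cidr in plan.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]

def split_plan(cidr, new_prefix):
    """Split one subnet into equal smaller ones, e.g. a /24 into two /25s."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]

def hosts_to_readdress(cidr, new_prefix):
    """Host addresses that turn into network/broadcast addresses after the split.

    These are the PCs that must be renumbered before the mask change; the old
    network and broadcast addresses were never usable hosts, so they are skipped.
    """
    old = ipaddress.ip_network(cidr)
    moved = []
    for piece in old.subnets(new_prefix=new_prefix):
        for addr in (piece.network_address, piece.broadcast_address):
            if addr not in (old.network_address, old.broadcast_address):
                moved.append(str(addr))
    return moved

def grow_plan(cidr, new_prefix):
    """Supernet that keeps every existing address, e.g. /24 -> /23 for 20 more PCs."""
    return str(ipaddress.ip_network(cidr).supernet(new_prefix=new_prefix))

# Constructed plans mirroring the thread: the poster's duplicate /24, the
# default-mask mistake, and the three distinct /24s the reply calls routable.
DUPLICATE_PLAN = {1: "10.155.254.0/24", 2: "10.155.254.0/24"}
DEFAULT_MASK_PLAN = {1: "10.155.242.0/8", 2: "10.155.243.0/8", 3: "10.155.254.0/8"}
ROUTABLE_PLAN = {1: "10.155.242.0/24", 2: "10.155.243.0/24", 3: "10.155.254.0/24"}
```

`overlapping_vlans(ROUTABLE_PLAN)` is empty, while the other two plans report every pair as overlapping, which is the condition the switch refuses and the reply says only NAT could work around.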
