Switch w/ VLANs at the Edge Question

I have several switches in my public network each connecting two or three devices on separate networks. I thought it would be a good idea to consolidate them into one switch with a VLAN for each network with no inter-VLAN routing. I can't find any information that I can understand. I was wondering if anyone does this and how to make it secure.

Thanks.

Reply to
tman

Essentially you are talking about creating the VLANs centrally, using VTP to propagate out the VLANs, using your existing routers to service those networks (or perhaps consolidating those as well onto a central L3 switch or router). This isn't that difficult, and it depends on whether you are consolidating onto a CatOS or IOS based switch for config references. You also would need to control 'security' at the routers. If you don't want traffic between subnets, you'll need to ensure that you aren't advertising the networks between your routers, or you have access-control lists if you are routing centrally.

Reply to
Trendkill

My plan is to use one switch that has one VLAN to connect every pair of devices. Each pair of devices is on a separate network. Each port will be configured as an access port, e.g. switchport mode access. There will be no connections from this switch to any other switches, thus no need for trunks. I am replacing several small switches. The switch is a Catalyst switch with IOS.

Your comments will be welcomed.

Thanks

Reply to
tman

Well, you can't use one VLAN to merge layer 3 networks. I guess technically you can have one VLAN, and the boxes will only be able to talk to other boxes in the same layer 3 address range, but all boxes would see broadcasts, etc., and it would be very bad practice. Additionally, if you ever need to route externally, this could get very, very nasty. Perhaps I misunderstood your requirements, but I would connect all boxes to the switch, create VLANs for each subnet, and let the router(s) control security via ACLs.

If this is indeed not routing anywhere else, you can look into VLAN security, and use things like private VLANs. Generally this is for nodes that are all in the same layer 3 network, but you want to protect them from one another and only allow communications within a group or with the gateway. Here is a link.


Reply to
Trendkill

This is a simplified view of what I have now:

Three separate networks, three separate switches:

Router1 ----- Switch1 ------ Router2

Router3 ----- Switch2 ------ Router4

Router5 ----- Switch3 ------ Router6

What I Would Like to do if it is a good idea:

Three separate networks, one switch with three VLANs that do not communicate with each other.

Router1 ----- Switch1, vlan1 ------ Router2

Router3 ----- Switch1, vlan2 ------ Router4

Router5 ----- Switch1, vlan3 ------ Router6

Thus replacing three separate switches with one switch.

There are no routing protocols. The routers do not know about one another.

Is this feasible? Is it secure?

Thanks

Reply to
tman

Yes, that works fine. Provided you do not have routing turned up, there will be no connections between the VLANs, and the routers will not connect to multiple VLANs and advertise networks, that will work absolutely fine. No traffic will cross VLANs/networks with that configuration.

Reply to
Trendkill
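An added example of what the agreed-on layout looks like as a Catalyst IOS configuration (this is not from either poster): three isolated VLANs, each holding one router pair on access ports, no SVIs and no trunks. VLAN IDs 10/20/30, the parking VLAN 999 and the FastEthernet port numbers are assumptions; the page itself numbers the VLANs 1/2/3, but VLAN 1 is the switch's default VLAN and is left unused here.

```cisco
! Added example (hypothetical VLAN IDs and port numbers).
! VTP transparent: nothing propagates in or out of this lone switch.
vtp mode transparent
!
vlan 10
 name NET1-R1-R2
vlan 20
 name NET2-R3-R4
vlan 30
 name NET3-R5-R6
vlan 999
 name UNUSED-PARKING
!
! No routing on the switch and no management SVI in a data VLAN,
! so there is no layer 3 path between the VLANs.
no ip routing
interface Vlan1
 shutdown
!
! Router1 and Router2 share VLAN 10.
interface range FastEthernet0/1 - 2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Router3 and Router4 share VLAN 20.
interface range FastEthernet0/3 - 4
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Router5 and Router6 share VLAN 30.
interface range FastEthernet0/5 - 6
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: parked in a dead VLAN and shut down.
interface range FastEthernet0/7 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

After applying it, `show vlan brief` should list exactly two ports per data VLAN, `show interfaces switchport` should show every port as static access with no trunk negotiation, and `show ip interface brief` should show no Vlan interface up.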

Thanks for your help. I was having difficulty in describing what I wanted to do. Thanks for hanging in.

Reply to
tman

Not a problem, a diagram usually does it every time, even when it's a notepad diagram :-).

Reply to
Trendkill
