Thursday, February 09, 2006

Adventures in VLANing

Until recently our network has been a flat single VLAN (well except for our public wireless). With all the new additions we were really starting to stretch at the seams. A few months ago we set about to start a multiple VLAN project. With some help from some very qualified volunteers we landed on 20 different VLANs organized into 8 super networks. The super networks are VLAN categories that are easily to mask (i.e. in blocks of 8 leaving plenty of room for growth). Below are the various super networks and VLANs (represented by bullets) we came up with.


Resources SuperNet

  • Servers
  • Printers
  • DMZ
  • External Web Hosting
  • Backup
  • iSCSI
  • Internet
  • Management

Wireless SuperNet

  • Public
  • Private

Wired SuperNet

  • Wired Office
  • Trusted Wired (private ports)
  • Public Wired (public ports)

Voice SuperNet

  • VOIP

Facilities SuperNet

  • Environmental Units / Control
  • Security

Applications SuperNet

  • Check-in Systems/Printers/Registration
  • Point of Sale

Specialty SuperNet

  • Media

VPN SuperNet

  • VPN Users


We used the following criteria in deciding when to create a new VLAN:

  • Put the problem children in their own VLAN (i.e. printers or anything subject to creating ARP storms)
  • Resources that required unique security were put on their own VLAN. For example it would be nice to limit Internet surfing from our check-in machines. If they are all on the same VLAN this is easy to accomplish on the firewall.
  • Resource intensive resources were put on their own VLAN. The best example of this is backup traffic. In our case it will not only have it's own VLAN but also it's own media.
  • Resources that require high performance were given their own VLANs. In our case we made sure that all of our iSCSI and VOIP will be on it's own VLAN.
  • Network ports that are in public areas are also mapped to their own VLAN. Again, this is for security reasons.

The core switch in this network is a Dell PowerConnect 6024F layer 3 switch. We upgraded a few of our other switches so that they all support GVRP (used to broadcast out VLAN settings).

Like any plan I'm sure we'll be tweaking this over time. So far the roll-out of this project is going very smoothly.

posted by Jon Edmiston @ 8:01 PM   0 comments links to this post

0 Comments:

Post a Comment

Links to this post:

Create a Link

<< Home