Why VLANs
I need some expert advice. I am trying to convince my supervisor that we need to VLAN. I get it in my brain why to VLAN, but to actually spit it out is another story. Can anyone give me a good explanation of why we should implement VLANs? We have about 400 PCs on 1 network. We could break it down to about 15 groups, but my boss seems to think it will be too much overhead.
Thanks for your help.
Brenda
Comments
xwesleyxwillisx Member Posts: 158
Cisco recommends no more than 500 or so hosts for a VLAN before broadcast traffic cripples the network. However, in practice you should sanction a VLAN for every 200 or so hosts. This works nicely for a Class C mask /24.
What is your current IP scheme? It is important to remember VLANs and subnets are a 1-for-1 correlation. In other words, each VLAN is its own IP subnet.
A huge benefit to VLANs is QoS and better administrative control over the network. It sounds like your network is too small for QoS to be an issue (unless you are running VOIP or video) but administrative control is still a strong consideration.
So in short, there are clear-cut benefits to VLANs. However, without knowing more about your network it isn't easy to tell how much of a benefit you will see.
dynamik Banned Posts: 12,312
Here's a link that goes into detail: http://www.tech-faq.com/vlan.shtml
You'd probably benefit from VLANs with that many hosts, but splitting that down to 15 groups seems to be overkill. Maybe someone with more VLAN experience can chime in.
[edit]
Or maybe that person will chime in before I even finish my post.
wagnerbm Member Posts: 38
We are currently using the 172.16 network with a /21 mask. Because of HIPAA and state stuff we really need to scale it down to maybe at max 10 VLANs. We are getting ready to implement VoIP. We also have some video.
Thanks again for your help.
APA Member Posts: 959
Main reasons for implementing VLANs:
1) Segmentation
2) Ability for network security
3) Restricting broadcast traffic
If you're looking at implementing voice and video infrastructure, it will be a definite benefit to start restricting as much broadcast traffic as possible; 500 clients in the one broadcast domain is a bit much. Before you start estimating how many VLANs you need, sit down and theoretically write down all the departments in your company; don't forget to include remote users and the IT dept in there as well.
Now +1 to this list and you should have a pretty precise idea of how many VLANs you will need as a minimum. I ask to +1 as this new VLAN can now become your network management VLAN, for any OoB (Out of Band) management, e.g. purely for the administration of network devices and remote management of devices.
You might want to stress to your manager the network security aspect and how broadcast traffic is probably hampering your current design due to everyone being part of the 1 broadcast domain. As I'm sure you are aware, if you want to break up into VLANs you are going to need a few more L3 devices to perform the inter-VLAN routing, which means your boss will need to spend some more dosh. I am assuming, going by your current setup, that you have just the one router???
Although if all areas link back to the same router and the model of router is capable, then it should be able to perform inter-VLAN routing.
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
Netstudent Member Posts: 1,693
What model switches are you currently using?
I noticed you said your network was a 172.16.x.x/21
By the sounds of things, you want to implement VLANs at a single site that is on one of those subnets, correct?
When you say you're about to get on VoIP, does that mean you are going to have VoIP internally, or your PBX will interface with a gateway that will send your packetized voice data straight across a PRI or the like? That's 2 different things. I don't think there would be a need for QoS for voice unless your management systems (CME, Unity, etc.) were in house.
So if you do implement VLANs, then you will have to
1: have the gear (high-end switches) with private VLAN capabilities so that you don't have to change your IP scheme. You could put these departments into secondary community VLANs.
OR
2: VLSM the current major subnet so that each dept. has its own subnet. Then each dept. would have its own primary VLAN. So now you have to think about all the things that would change if you add more internal subnets: your routes, possible summarization of these new subnets, DHCP, DNS, firewall policies; the list could go on and on.
So I could understand where your boss is coming from. I don't have tons of experience in network design, but I would think that a network that implements VLANs would have to be a network that was preplanned to use VLANs. If it's not, then you are talking about a complete internal overhaul. I could be wrong, but those are my thoughts.
On the other hand, if you really are experiencing performance degradation from broadcasts, then it may be time to revamp your network.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
xwesleyxwillisx Member Posts: 158
Netstudent is absolutely correct when he says implementing VLANs on the network you have described is a complete internal overhaul.
Where you and your boss are going to have to reach an understanding is this. As currently implemented you have a flat (layer 2, no VLANs) network. This is completely unfit to scale as the company grows (you mentioned implementing voice and video soon).
Where you can improve network performance and gain scalability is by segmenting the network with VLANs. This requires a complete IP redesign from the top down.
Assuming your network is a branch site as Netstudent described and you have a 172.16.X.X /21 space to work with, here is what I can recommend. (If you are not a branch site but a standalone network, you can do whatever you want with your IP scheme because you have no external routing issues to worry about)
The /21 mask gives us 1 network with 2048 addresses (2046 usable due to the network and broadcast addresses). This is a huge waste of addresses for 400 hosts. What we can do is break it down into 8 manageable subnets with 256 addresses each (254 usable), which is an ideal size for management.
For demonstrative purposes I will say your network is 172.16.8.0 /21.
We now have 8 manageable subnets:
172.16.8.0 /24
172.16.9.0 /24
172.16.10.0 /24
172.16.11.0 /24
172.16.12.0 /24
172.16.13.0 /24
172.16.14.0 /24
172.16.15.0 /24
Depending on how your routing is set up, this can be advertised as a summary route (172.16.8.0 /21) and the rest of the enterprise network will continue to see you solely as 1 route 172.16.8.0.
What I typically see in customer networks is a management VLAN (solely for management of network devices), a data VLAN for each department, and a voice VLAN for their VOIP system.
With this IP design described you could easily handle this scalable model.
To reiterate Netstudent's point, this may be complete overkill for your network's needs. This may be the very reason your boss doesn't want to implement VLANs until they are absolutely needed.
Just as a complete guess based on what you have described from a growth standpoint, this is what you will be faced with when implementing VOIP and video and as your company grows in size.
Best of luck.
wagnerbm Member Posts: 38
My boss is worried about overhead. We are going to set up a VoIP system (Cisco) next to our PBX and eventually get rid of the PBX. We do have video already on the network. Right now we have a 6513 that we are going to replace with 2 6509's (January) and then start to deploy more closet switches. We have to get the 6509's in place before the VoIP starts (February). So, since the backbone is already going to be overhauled anyway, why not now? That is my thought.
Netstudent Member Posts: 1,693
Well, overhead is just part of the game. Anytime you add complexity, the tradeoff is administrative overhead. Sometimes that needs to get done regardless of the overhead. If you are going to be replacing switches and getting ready for an in-house VoIP system, then now might be a justifiable time. Most of the overhead will be changing the network. Once that part is stable, I don't really think overhead will be that big of an issue as long as there is the skill and documentation there to manage it.
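The two points above that a manager actually has to sign off on are APA's "count the departments, then +1 for a management VLAN" and xwesleyxwillisx's "carve the /21 into /24s and keep advertising the /21 upstream". The following script is an added example, not code from anyone in this thread; it uses the 172.16.8.0/21 block xwesleyxwillisx picked for illustration, and the department names, VLAN numbers (10 upwards, 99 for management) and the gateway-is-first-host convention are my own assumptions. It shows the plan, the summary route, how much the broadcast domain shrinks, and the Cisco IOS-style SVI stanzas a Layer 3 switch would carry for the inter-VLAN routing APA mentions.

```python
import ipaddress

# Constructed example values: the /21 used for illustration in the thread, and a
# made-up department list (the names are assumptions, not from the original post).
SITE_BLOCK = ipaddress.ip_network("172.16.8.0/21")
DEPARTMENTS = ["Finance", "HR", "Clinical", "Engineering", "Sales", "Reception", "Voice"]


def plan_vlans(site_block, departments, vlan_base=10, mgmt_vlan=99):
    """Carve site_block into /24 subnets: one per department plus one extra for
    out-of-band management (the '+1'). Returns one dict per VLAN."""
    subnets = list(site_block.subnets(new_prefix=24))
    needed = len(departments) + 1  # the +1 is the management VLAN
    if needed > len(subnets):
        raise ValueError(f"{needed} VLANs requested but only {len(subnets)} /24s in {site_block}")

    def entry(vlan_id, name, net):
        return {
            "vlan": vlan_id,
            "name": name,
            "network": str(net),
            "gateway": str(net.network_address + 1),  # assumed convention: SVI on first host
            "usable_hosts": net.num_addresses - 2,     # minus network and broadcast addresses
        }

    plan = [entry(mgmt_vlan, "MGMT", subnets[0])]
    for i, dept in enumerate(departments):
        plan.append(entry(vlan_base + i, dept, subnets[i + 1]))
    return plan


def summary_route(plan):
    """Smallest single prefix covering every planned subnet: what the rest of the
    enterprise keeps seeing instead of one route per VLAN."""
    nets = sorted(ipaddress.ip_network(e["network"]) for e in plan)
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def broadcast_domain_sizes(site_block, plan):
    """Usable hosts per broadcast domain before (one flat /21) and after (largest VLAN)."""
    before = site_block.num_addresses - 2
    after = max(e["usable_hosts"] for e in plan)
    return before, after


def vlan_for_host(plan, host):
    """Return the plan entry whose subnet contains host, or None if it is outside the plan.
    Useful for checking that every readdressed host lands in exactly one VLAN."""
    addr = ipaddress.ip_address(host)
    for e in plan:
        if addr in ipaddress.ip_network(e["network"]):
            return e
    return None


def render_svi_config(plan):
    """Cisco IOS-style SVI stanzas for a Layer 3 switch doing inter-VLAN routing."""
    lines = []
    for e in plan:
        net = ipaddress.ip_network(e["network"])
        lines += [
            f"interface Vlan{e['vlan']}",
            f" description {e['name']}",
            f" ip address {e['gateway']} {net.netmask}",
            " no shutdown",
            "!",
        ]
    return lines


if __name__ == "__main__":
    plan = plan_vlans(SITE_BLOCK, DEPARTMENTS)
    for e in plan:
        print(f"VLAN {e['vlan']:>3} {e['name']:<12} {e['network']:<18} gw {e['gateway']}")
    print("summary advertised upstream:", summary_route(plan))
    print("usable hosts per broadcast domain (before, after):",
          broadcast_domain_sizes(SITE_BLOCK, plan))
    print("\n".join(render_svi_config(plan)))
```

The ValueError in plan_vlans is the check wagnerbm's "max 10 VLANs" question turns on: a /21 only holds eight /24s, so eight departments plus a management VLAN would not fit without either a larger block or smaller subnets for the small departments.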
You may want to start bringing to the picture that if you do not separate your voice and data traffic, you could run into unacceptable delay and jitter.
By the sounds of it, your network is already approaching an oversized L2 network. If you start adding voice traffic without any separation, you might be in for more overhead in the long run.
What model are your access layer switches?
But dang, that amount of work just seems unfathomable. A new core, a new VoIP system, new vlans, new subnets, new routes. Yikes...
Only bad thing is, what if you get the VoIP in place and the L2 traffic is just too much? Then you're going to have to go back and reintegrate the VoIP system into VLANs. Yikes... Good luck.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
APA Member Posts: 959
Like Netstudent said, your boss is probably worried about how much time it is going to take to redesign the network and complete implementation.
By no means is this an easy feat, but you will certainly reap the benefits once completed.
I don't know about you guys, but doing everything right the first time always sounds better than having to revisit things time and time again because you took the easy path.
CCNA | CCNA:Security | CCNP | CCIP
JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
JNCIS:SP | JNCIP:SP
KGhaleon Member Posts: 1,346
I would LOVE to help with an overhaul like that. Count your blessings, TC.
Just want to watch how you go about convincing your manager to agree to this.
Present goals: MCAS, MCSA, 70-680