
Setting up VLANs


  • Setting up VLANs

    Finally getting around to breaking up our flat network into some VLANs and have a question on what (if anything) I need to do to allow clients to use our router to access the Internet.

    Current config is a flat network, every device is on the same subnet (, and every client has our router setup as the default gateway.

    Proposed is to implement VLANs, give each VLAN its own subnet (,, etc), and use our core Layer 3 switch to route traffic between the VLANs. Clients would use the corresponding VLAN IP of the core switch as their gateway.

    Since we have a fairly large network we plan on implementing the VLANs gradually, which means keeping the old around until all VLANs and IP changes are done. Do we need to add something on the router or another route on the core switch?

  • #2
    Re: Setting up VLANs

    A few things I can think of off the top of my head:

    1. The switch port connected to the router should be configured as a routed port. Its ip address should be in the same subnet as the router interface that it's connected to.

    2. The switch should have its DG set to the router.

    3. The router should have a route to each VLAN via the switch ip address configured in item 1.

    4. If the clients are connected to switches downstream of the core switch then the downstream switch uplinks to the core switch should be configured as trunk ports carrying traffic for your VLANs and vice versa on the core switch.

    Question: What's your reasoning for implementing VLANs? Do you have specific security requirements? Is there a particular problem you're trying to solve or a particular need you're trying to meet?

    My advice is don't do anything unless you have a specific need, requirement or problem. Implementing VLANs for the sake of implementing them, or because "everyone else is doing it", or because someone told you that you should, without having a specific need, requirement or problem, isn't a good reason to implement them.
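    A worked configuration for items 1 to 4 above, added here as an example; it is not taken from the thread and is not the OP's or the answerer's own config. The syntax is Cisco IOS-style (assumed, since the thread names no platform), and every address and interface name is a constructed placeholder: 192.168.100.0/30 for the router-to-switch link, 10.10.10.0/24 and 10.10.20.0/24 for two VLAN subnets, GigabitEthernet1/0/x on the core switch, GigabitEthernet0/x on the router and access switch. It shows the core switch, the Internet router, and one downstream access switch so the "vice versa" in item 4 is visible on both ends of the trunk.

```cisco
! ===== Core Layer 3 switch (constructed example) =====
ip routing
!
vlan 10
 name Users
vlan 20
 name AppServer
!
! Item 1: the port facing the router is a routed port (no switchport),
! addressed in the same /30 as the router's inside interface.
interface GigabitEthernet1/0/1
 description Routed uplink to Internet router
 no switchport
 ip address 192.168.100.2 255.255.255.252
!
! Per-VLAN SVIs: clients in each VLAN use this address as their default gateway,
! and the switch routes between VLANs itself.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Item 4 (core side): 802.1Q trunk toward the access switch, pruned to the
! VLANs that switch actually carries. Older Catalyst platforms also need
! "switchport trunk encapsulation dot1q" before "switchport mode trunk".
interface GigabitEthernet1/0/2
 description Trunk to floor-2 access switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Item 2: the switch's default gateway (default route) is the router.
ip route 0.0.0.0 0.0.0.0 192.168.100.1

! ===== Internet router (constructed example) =====
interface GigabitEthernet0/1
 description Inside link to core switch
 ip address 192.168.100.1 255.255.255.252
!
! Item 3: one route per VLAN subnet, next hop = the switch's routed-port
! address from item 1. Without these, return traffic for the VLANs follows
! the router's default route instead of going back to the switch.
ip route 10.10.10.0 255.255.255.0 192.168.100.2
ip route 10.10.20.0 255.255.255.0 192.168.100.2

! ===== Downstream access switch (constructed example) =====
vlan 10
vlan 20
!
! Item 4 (access side): the uplink to the core is a trunk carrying the same VLANs.
interface GigabitEthernet0/24
 description Uplink trunk to core switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! A user-facing port is an access port in exactly one VLAN.
interface GigabitEthernet0/1
 description User workstation
 switchport mode access
 switchport access vlan 10
```

    Two practical checks on this layout: `show ip route` on the router should list each VLAN subnet with 192.168.100.2 as the next hop, and a ping from a VLAN 10 host to an Internet address exercises both directions (switch default route out, router static route back). If the router performs NAT for Internet access, its inside-source rule must also match the new VLAN subnets, which the thread does not mention but is a common reason a freshly added VLAN can reach the router yet not the Internet.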


    • #3
      Re: Setting up VLANs


      Thanks for the advice. I'll test it out in a lab environment first before I put into production.

      I'm looking at doing VLANs for a few reasons:

      1. The network has grown quite large over the years with multiple floors and locations. Would like to organize devices better by splitting up into separate networks.

      2. One of our application vendors has repeatedly blamed "the network" for issues with their application. So, we're putting the server that runs their app and the couple of workstations that use it on their own VLAN...that oughta shut 'em up! LOL (Yes, it's overkill to do this just for one app, but it's critical to our operation and has been going on for some time)

      3. Looking to improve overall network performance, if possible. We'll run statistics before, during, and after to see how we did.

      4. We're also planning on implementing virtualization to take advantage of what that has to offer and thought it was a good idea to get the network "in order" first.

      5. Lastly, in reality we're not really using the scheme I mentioned in my original post...we're using a different scheme that we really should not be using internally and needs to change (and should have been changed long ago).

      So, we've got a bunch of issues that we're trying to address with these changes.


      • #4
        Re: Setting up VLANs

        OK, let me address your items, point by point. I mean no offense by any of my following statements, I'm just giving you my two cents worth.

        1. Organization is a logical construct, not a technical one. Compartmentalizing the computers/servers by VLAN doesn't make anything any more organized. It only adds complexity, probably unnecessarily, to your network.

        2. Unless the application vendor can point to a specific problem in your network that implementing VLANs will solve, they're blowing smoke. The key is to identify the problem and find the root cause. Implementing VLANs because you think they'll solve the problem, without knowing for sure that they will solve the problem, is just adding complexity, probably unnecessarily, to your network.

        3. Saying that you want to improve performance without having any evidence that a performance problem exists and that implementing VLANs will fix it is just adding complexity, probably unnecessarily, to your network.

        4. Implementing VLANs doesn't improve your chance of success with virtualization. Virtualization doesn't require VLANs. Just because your network is flat doesn't mean it's out of order. Using VLANs doesn't make a network orderly.

        5. The fact that you're using a non-RFC 1918 address space internally (which is what I'm assuming) doesn't justify implementing VLANs. Re-addressing your network and implementing VLANs are two distinctly separate things. I get that you want to kill two birds with one stone. In addition, if the IP address space you're using internally has been allocated to you then there's no need to re-address just because you're using non-RFC 1918 addresses. It's not incorrect to use routable IP addresses internally. Before RFC 1918 existed everybody used routable addresses internally. Using RFC 1918 addresses doesn't make your network any more secure either. The security of your network is a function of your router/firewall, not a function of your IP address space.

        Anyhoo, that's my two cents. No offense intended, I just wanted to state my opinion on this idea.


        • #5
          Re: Setting up VLANs

          I think you misunderstand the purpose of vlans. Everyone thinks vlan = security and for the most part that is true, but the real reason for implementing vlans is to segment your layer 2 broadcast domains. On a small network with not many clients this isn't an issue, but say you had about 500 clients on a flat layer 2 network with switches spanning multiple floors in your building. With this design any broadcast from one client will go to all clients, which is a huge waste of bandwidth and resources. The vlan creates layer 2 broadcast boundaries.

          I recommend vlans. If you have the gear to support it then use them. It won't hurt anything. It also gives you a lot of control over your network. With the network segmented by vlans and usually different subnets we can filter traffic and grant access to resources differently per vlan, which gives you more granular control over your network.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)


          • #6
            Re: Setting up VLANs

            Auglan, while I agree with you on some points, my main point of contention is that implementing anything (VLANs or any other technology) shouldn't be done without having clear objectives based on an identified need that needs to be filled, a requirement that needs to be met or a problem that needs to be solved. Nothing should be done "just because it can be done". The reasons stated in the OP's question seemed ill-defined (no offense jp1) and lacked any clear objective as to addressing a real need, requirement or problem. While VLANs may be considered standard practice I disagree with implementing them "for the heck of it". They introduce complexity that in some cases is unnecessary and unwarranted.


            • #7
              Re: Setting up VLANs

              Not sure how vlans introduce complexity? Yes, there is some planning and work involved to implement them, but they don't introduce any complexity. If anything they help with network administration and with isolating issues on the network. I have created vlans for 2 users. Why? With a vlan for a group of users I can treat traffic differently, implement filtering, route traffic differently, etc.

              With that being said, do your homework and plan this out if you decide to implement. Document your changes for others to see what you have done. There are no "ill" effects from implementing them if done properly. The bandwidth and overhead savings alone are reason enough to implement them.


              You have a flat layer 2 network with 200 users. Users complaining the network is slow (Go figure, right?). Where do you start troubleshooting? You need to look at all your switches and uplinks, as they are one broadcast domain. If that user was in vlan 10, and vlan 10 users were the only ones seeing network issues, and vlan 10 was confined to 1 particular switch (not trunked to other switches), you then start looking on that particular switch and looking at vlan 10 and its configuration. Granted, the issue could be upstream from your switched network, but it does give you a starting point to solve the issue quicker.
              Last edited by auglan; 14th March 2013, 12:37.
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)


              • #8
                Re: Setting up VLANs

                Don't wanna be rude or anything, but I am just curious why you are so against the idea of implementing VLANs. Now I read everything you said, Joe, and it still doesn't make it clear for me.

                The only part that brings something closer to logic is that new, and by this I don't mean new technologies but only the implementation of something, does not always mean good; but to have to have a reason or a problem to implement something new, anything, especially VLANs, that's just so wrong, even more so since such conceptions leave the same work to be done by the later people who come and get such situations under administration, sometimes even more obsolete.

                If the past administrators didn't want to risk it because hey, it works, that doesn't mean nobody should, and the next administrator to come might even feel in need or be forced by whatever reasons. I meet guys like you every day and it makes my job a living hell; the funny thing is that they are pretty technical and they have the knowledge, but they are happy when nobody is messing with their daily boring routines.

                Now I am sorry if this looks like an attack to you, but it isn't; I'm just giving my two cents for a man, the one who asked for help here, who is trying to do something good for a change, but there is nobody to encourage him, especially when the technical stuff is within his grasp.
                Last edited by bitpsychobyte; 14th March 2013, 16:09.


                • #9
                  Re: Setting up VLANs

                  I'm not against implementing VLANs, I'm against implementing VLANs unnecessarily. I didn't see any convincing reasons in the question that would warrant implementing VLANs IMO, and I didn't see anything that would lead me to believe that implementing VLANs would leave the OP in a better state than he is now.

                  As to adding complexity, they do add complexity. A flat network doesn't require any configuration of the switches and routers, or requires very little configuration. Implementing VLANs requires additional configuration on the switches and routers, which in turn creates complexity and potential points of failure: VLAN consistency across switches, proper interface configuration (access or trunk, VLAN membership, MSTP/PVST, etc.), additional routing configuration, etc., etc. In most cases these configurations are simple to implement, but they can get complex and they create additional failure points that need to be analyzed when there are problems.

                  All I'm saying is that I don't recommend implementing VLANs (however "standard" they may be) without clear-cut objectives that address real identified needs, requirements or problems.

                  Just because I can do something doesn't mean I should do it.


                  • #10
                    Re: Setting up VLANs

                    Thanks, everyone, for your candid responses to my original post. I think that I simply couldn't put into words correctly exactly what we are looking to achieve.

                    Trust me, I'm not taking on this project lightly at all and have been planning it for some time now. I'm in the process of testing the concepts, equipment, and procedures now. Also, we will have thorough documentation on the setup and configuration to avoid any confusion in the future.

                    I believe that segmenting our single-broadcast-domain, flat network into vlans will only benefit our situation. Yes, it will be a lot of work, and that's why we are planning out the implementation in as much detail as possible. Wish me luck!


                    • #11
                      Re: Setting up VLANs

                      Good luck, jp1. My answer and comments were meant only with the best intentions. It sounds like you've got a handle on everything and I'm sure this project will be successful.