This is my first post as a lurker, and have learned many things from all you pros out there.
Hope someone can help me with a problem I have with redesigning my network.
Basically, my setup is... basic. No VLANs at all, so it's time to make some changes due to the noise that's occurring within the LAN. I've got about 50 servers, some are outside the firewall, some are within. I've got three different subnets of IPs assigned by the datacenter, and all servers are configured to use the datacenter's gateways.
My question is how would I go about implementing VLANs? I've got a 3Com Layer2/3 switch which can do routing for VLANs, and a bunch of 3Com Layer2 switches which are being used right now. The Layer2/3 switches are currently just functioning as Layer2.
I've read so much about VLANs but now am quite confused! How do I implement the VLAN subnets when I have IPs from a subnet being used inside and outside the firewall? Kinda lost right now, so hoping some gurus could share some knowledge on this.
How many routers do you have?
You may also post a schema of your actual network.
The IP addresses for your equipment, set in the VLANs, should be configured on the router.
The link from the router to the core switches should be set as an 802.1q trunk.
The switches where servers/equipment are connected should support 802.1q VLANs, be managed, and have ports set in the specific VLANs.
It's not quite easy to design this with no idea about how things run now.
My opinion is that sometimes basic is good :-) No point adding complexity unless you really have to.
Is that firewall actually routing or just bridging? I'm guessing it's bridging as you're using the same IPs on both sides of the firewall?
If you're really concerned then it may be worth connecting up a network monitor, like Wireshark, and having a look to see just how much broadcast traffic there is. Depending what the servers are running you might not find that much.
SysAdminMan - Asterisk PBX hosting - FreePBX, A2Billing and Elastix
Thanks for the reply! Well, there are quite a few broadcast packets flying around. For the example I actually toned down the number of servers that I have in the datacenter (I thought it would make it less confusing). But real figures would be more than 200 servers on the LAN, so definitely quite a bit of broadcasts going around. I thought I could keep it simple, but I believe the current requirements have long outgrown the original concept of KISS.
I have basic knowledge of VLANs, but not really in depth. I have read a lot on it, but that has served to get me a bit more confused than before. Basically I know that if I separate into VLANs, I will need a router or a Layer3 to do the routing. But my question is would it be possible to implement VLANs into the current setup that I have? The firewall is running in transparent mode, to answer your Q.
If it is possible to implement VLANs, how do I route between the VLANs inside and outside of the firewall?
Thanks to all for taking the time to help. Merry Christmas to all, and Happy holidays!
What is this network doing? It's quite hard to understand what you're trying to achieve / suggest alternatives without knowing this.
The simple answer is no, you can't do it in your current configuration. There are two ways you can introduce segmentation; the first is that you will need to put your firewall into L3 mode - i.e. you will have to have one netblock on the outside, one on the inside. You can then, if you wish, further segment these two zones into VLANs with L3 switches.
I would suggest connecting your firewall directly to the provider uplink and then creating two zones on the firewall, one for your public servers, and one for your private. This will also give you the ability to apply firewall rules to your public servers (which I'm assuming you can't do now).
Most importantly though, if your network is being killed by broadcast traffic with so few servers you should be looking at the source of the problem - i.e. configuration - rather than just trying to create VLANs...
Dan Kitchen | Technical Director | Razorblue
ddi: (+44) (0)1748 900 680 | e: [email protected]
UK Intensive Managed Hosting, Clusters and Colocation.
HP Servers, Cisco/Juniper Powered BGP Network (AS15692).
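The constraint in the answer above (firewall in L3 mode, so each provider netblock must sit entirely on one side of it, and each VLAN then gets its own subnet with a gateway on the router) can be checked against a server inventory before touching any switch. The following is an added example, not code from any poster; the server names, the RFC 5737 documentation addresses and the three netblocks are constructed, and the VLAN numbering scheme is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: (name, address, firewall zone). The addresses come
# from RFC 5737 documentation ranges and stand in for the provider's three subnets.
SERVERS = [
    ("web1",  "203.0.113.10",  "public"),
    ("web2",  "203.0.113.11",  "public"),
    ("db1",   "198.51.100.20", "private"),
    ("app1",  "198.51.100.21", "private"),
    ("mail1", "192.0.2.30",    "public"),
    ("ldap1", "192.0.2.31",    "private"),  # same /24 as mail1, but inside: conflict
]

# Constructed stand-ins for the three datacenter-assigned netblocks.
NETBLOCKS = [ipaddress.ip_network(n)
             for n in ("203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24")]

def netblock_for(addr):
    """Return the provider netblock that contains addr."""
    ip = ipaddress.ip_address(addr)
    for net in NETBLOCKS:
        if ip in net:
            return net
    raise ValueError(f"{addr} is not in any provider netblock")

def zones_per_netblock(servers):
    """Map each netblock to the set of firewall zones its hosts live in."""
    zones = defaultdict(set)
    for _, addr, zone in servers:
        zones[netblock_for(addr)].add(zone)
    return zones

def straddling_netblocks(servers):
    """Netblocks with hosts on both sides of the firewall. With the firewall
    routing (L3 mode) a netblock can only be on one side, so each of these
    must be renumbered before the transparent bridge can be retired."""
    return sorted(str(n) for n, z in zones_per_netblock(servers).items() if len(z) > 1)

def vlan_plan(servers, base_vlan=10):
    """Give each clean netblock one VLAN id (assumed scheme: 10, 20, ...) and a
    router gateway at its first usable address: {netblock: (vlan, zone, gateway)}."""
    plan, vid = {}, base_vlan
    for net, zones in sorted(zones_per_netblock(servers).items(), key=lambda kv: kv[0]):
        if len(zones) != 1:          # straddling netblock: not plannable yet
            continue
        plan[str(net)] = (vid, next(iter(zones)), str(next(net.hosts())))
        vid += 10
    return plan
```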