Vlan Questions

[NuroMancer]

I've done some research, but I just wanted to check with some of the guys/gals here that know way more then me.

When doing port based VLans can you set the port to be in more then one VLan?

Apparently, VLan 7 is a generic one which everyone can talk to/see, but I don't see this as a solution. This doesn't solve the problem of broadcast domains correct?

Is the only way with cisco switches (without making it insanely difficult or requiring more hardware) to use mac-address based VLans to have a server for example in more then one vlan?

Thanks!!

 

[nweaver]

what you need is a "router" so then you can route traffic from all vlans to your server...

 

[spidey07]

You cannot have an access port in more than one vlan.

If you want a port to be in more than one vlan then it is a trunk.

If you want your vlans to be able to communicate you will need a router, or perform the routing on the switch itself if it supports it.

 

[nweaver]

This is a copy/paste of my reply to a PM...just so that it's here for Spidey to correct me


VLAN's are virtual Layer2 networks (Switches), Isolated from each other, and (usually) seperate layer3 network.

Example: Vlan 1 is 192.168.0.X/24 network, VLAN 2 is 192.168.1.X/24, VLAN 3 is 192.168.3.X/24

How would you normally get these to talk? You would install a router to route the traffic between the different segments, and the router has to have an interface on each of these segements.



That last sentence doesn't mean physical interfaces, you could "Router on a stick" and you setup a Trunk between the switch and router, and define subinterfaces on the router. So you trunk fa0/1 on the switch to fa0/1 on the router, and then define fa0/1.0 as 192.168.0.1 in vlan1, fa0/1.2 as 192.168.1.1 in vlan2, etc.


Then you turn routes on, and it starts routing, this is a "Router on a stick" and we use it sometimes to route between vlans. There is also an option to use L3 switches, which is our normal route. Either way, your are routing between VLANS.

Not sure on this, but some ethernet cards support dot1q trunking protocols, so you might be able to trunk to the server and give it IP's on each vlan.

If all VLANS are the same L3 network, then why are you vlaning them?

 

[skrewler2]

Originally posted by: NuroMancer
I've done some research, but I just wanted to check with some of the guys/gals here that know way more then me.

When doing port based VLans can you set the port to be in more then one VLan?

Apparently, VLan 7 is a generic one which everyone can talk to/see, but I don't see this as a solution. This doesn't solve the problem of broadcast domains correct?

Is the only way with cisco switches (without making it insanely difficult or requiring more hardware) to use mac-address based VLans to have a server for example in more then one vlan?

Thanks!!

your "port based" vlans are whats called "untagged" vlanning, this only supports one vlan per port


What you're looking for is TAGGED vlans. this supports multiple vlans

 

[NuroMancer]

Originally posted by: spidey07
You cannot have an access port in more than one vlan.

If you want a port to be in more than one vlan then it is a trunk.

If you want your vlans to be able to communicate you will need a router, or perform the routing on the switch itself if it supports it.

So in theory if i had vlan 1 for group1 and vlan2 for group 2. If I wanted to have a server in both vlans, I could set the port that it is connected to trunk and set it in both vlan 1 and 2?

Or

Could I have the majority of the ports on the switch set to vlan 1 for the first group, and then have some set to vlan 2, then use mac based vlaning for the "servers" which have to be in both?

Also isn't setting the port to trunk have something to do with allowing to only setup you vlans in one switch and have them filter down to the others?

 

[spidey07]

What model of switch? You may just be able to do layer3 switching (routing)

Otherwise you could do a trunk from the switch to the server to support different VLANs provided the NIC can support it. Nmweaver pretty much has it spelled out for you.

However the bigger question remains...why do you need separate VLANs? If you can't answer that then they aren't necessary. In other words - "what are you really trying to accomplish?" There may be much easier means.

 

[NuroMancer]

Originally posted by: nweaver
This is a copy/paste of my reply to a PM...just so that it's here for Spidey to correct me


VLAN's are virtual Layer2 networks (Switches), Isolated from each other, and (usually) seperate layer3 network.

Example: Vlan 1 is 192.168.0.X/24 network, VLAN 2 is 192.168.1.X/24, VLAN 3 is 192.168.3.X/24

How would you normally get these to talk? You would install a router to route the traffic between the different segments, and the router has to have an interface on each of these segements.



That last sentence doesn't mean physical interfaces, you could "Router on a stick" and you setup a Trunk between the switch and router, and define subinterfaces on the router. So you trunk fa0/1 on the switch to fa0/1 on the router, and then define fa0/1.0 as 192.168.0.1 in vlan1, fa0/1.2 as 192.168.1.1 in vlan2, etc.


Then you turn routes on, and it starts routing, this is a "Router on a stick" and we use it sometimes to route between vlans. There is also an option to use L3 switches, which is our normal route. Either way, your are routing between VLANS.

Not sure on this, but some ethernet cards support dot1q trunking protocols, so you might be able to trunk to the server and give it IP's on each vlan.

If all VLANS are the same L3 network, then why are you vlaning them?

Ok, so I replied to spideys first cause I got what he was saying.
Maybe its just to early in the morning, but It took like 3 reads of the router on a stick reference to understand it .


What your saying is one set the switch port to trunk, and the networking card if it supports dot1q, I could do the same sort of thing. Have it in 2 vlans?

OR

It is just easier if I HAVE to have the server in both vlans, to use mac based vlaning for just the 2 servers?


This is for an assignment, and instead of just doing what everyone else seems to be doing and working off an assignment from last year, I want to understand why I am doing what. The assignment says, "There are to be two seperate logical networks - student and faculty/staff. The servers are to be in both networks. All devices in the department and network administration offices and a faculty/staff workstation in each lab are to be in the faculty/staff network. All student workstations and printer are to be in the student network.

 

[NuroMancer]

Originally posted by: spidey07
What model of switch? You may just be able to do layer3 switching (routing)

Otherwise you could do a trunk from the switch to the server to support different VLANs provided the NIC can support it. Nmweaver pretty much has it spelled out for you.

However the bigger question remains...why do you need separate VLANs? If you can't answer that then they aren't necessary. In other words - "what are you really trying to accomplish?" There may be much easier means.

Well for the "labs" I was using 1 C2960-48-TT-L , for the server room, 2 C3560G-24TS.

I have to have segregation logically between the student and "teacher" networks.

Not only to reduct broadcast domains, but also for security of traffic.

 

[spidey07]

I don't understand what you mean by "mac based vlanning". Never heard of it.

now you CAN assign ports to a particular vlan depending on the mac address, but the port can still only operate in a single vlan. in the assignment posed it is already understood and stated that the servers are in both vlans.

This can mean only two things - the servers have two network cards, one in each vlan or it has a single network card operating as a trunk carrying both vlans.

eitherway, you're making this WAY more difficult than it needs to be.

 

[NuroMancer]

Originally posted by: spidey07
I don't understand what you mean by "mac based vlanning". Never heard of it.

now you CAN assign ports to a particular vlan depending on the mac address, but the port can still only operate in a single vlan. in the assignment posed it is already understood and stated that the servers are in both vlans.

This can mean only two things - the servers have two network cards, one in each vlan or it has a single network card operating as a trunk carrying both vlans.

eitherway, you're making this WAY more difficult than it needs to be.

Sounds like something I might do . So for example, if I had the Cisco ONS 15454 SDH which supports vlaning, I'm golden?

Also, if the server in question was the dhcp server, can the dhcp server listen on both nics for broadcasts and then give out addresses from the correct dhcp pool?

Thanks so much for the help spidey!

 

[NuroMancer]

Also the mac based vlaning was something my instructor mentioned.

http://en.wikipedia.org/wiki/VLAN
I found some info about it here.

MAC-based: VLAN membership is based on the MAC address of the workstation. The switch has a table listing of the MAC address of each machine, along with the VLAN to which it belongs.

 

[spidey07]

Originally posted by: NuroMancer
Sounds like something I might do . So for example, if I had the Cisco ONS 15454 SDH which supports vlaning, I'm golden?

Also, if the server in question was the dhcp server, can the dhcp server listen on both nics for broadcasts and then give out addresses from the correct dhcp pool?

Thanks so much for the help spidey!

LOL, a 15k doesn't know the first thing about vlans. It's an optical switch, not a lan switch.

*chuckle*
<---points to nuromancer and chuckles some more.



oh, and your instructors "mac based vlanning" is called "mac based vlan assignment"
also one should note that wikipedia is the last place to go for authoritative information. there are so many errors in the document it's deplorable.

 

[NuroMancer]

Originally posted by: spidey07

Originally posted by: NuroMancer
Sounds like something I might do . So for example, if I had the Cisco ONS 15454 SDH which supports vlaning, I'm golden?

Also, if the server in question was the dhcp server, can the dhcp server listen on both nics for broadcasts and then give out addresses from the correct dhcp pool?

Thanks so much for the help spidey!

LOL, a 15k doesn't know the first thing about vlans. It's an optical switch, not a lan switch.

*chuckle*
<---points to nuromancer and chuckles some more.



oh, and your instructors "mac based vlanning" is called "mac based vlan assignment"
also one should note that wikipedia is the last place to go for authoritative information. there are so many errors in the document it's deplorable.

Hey Ignorance is bliss, really. But could one achieve the same ends with mac based vlan assignment?

 

[spidey07]

not really.

mac based vlan assignment does just what it sounds like. if the switch learns a mac it looks to a table (or a database) to tell it what vlan to place this port in. The port is still in one vlan only, which single vlan the port is operating in just depends on what mac address is learned on the port.

The only way for a port to operate in more than one vlan/broadcast domain is for it to be a trunk. No other way.

 

[NuroMancer]

Two network cards it is!
Thanks for the help man
I really appreciate it.

Unless off the top of your head you can recommend one of these network cards that are trunk capible. The noob can't find them on ciscos site.

 

[spidey07]

Originally posted by: NuroMancer
Two network cards it is!
Thanks for the help man
I really appreciate it.

Unless off the top of your head you can recommend one of these network cards that are trunk capible. The noob can't find them on ciscos site.

any of the intel server line of cards support etherchannel, LAG and 802.1q vlans.

I would most likely do two network cards, although I hate putting more than one interface on a server - it just gets messy, than deal with potential performance problems of one NIC into more than one vlan.

 

[NuroMancer]

So whats it gonna cost me? 20% of my mark ?

 

[nweaver]

dhcp shouldn't be dual homed to serve 2 scopes.

Use the ip helper command to show other segments where the dhcp server is, then setup scopes based on that. The DHCP server (at least the MS one) is smart enough to see the request and send an IP from the right scope.