Using VLANs to organize your traffic
Updated: Aug 14, 2019
The second topic in this series is VLANs. Virtual LANs help separate traffic on your network to reduce congestion, collisions, and broadcasts. VLANs are set up on your switches, routers and access points. VLANs keep subnets separate even when they share the same cabling and switch ports.
I prefer to keep VLANs separated by functional groups (Servers, Wired Clients, Wireless Clients, Mobile Devices, Printers, Wireless Access Points, Guest Access, Security Systems, etc.). I also split my Servers into a couple of groups, using separate VLANs for Storage, Physical Servers, and Virtual Servers. In part 1, we talked about using an IP schema to carve up geographical sites. In this post, we will go further and split things up by functional group.
Let's say our Chicago office was using 10.25.X.X as its private scheme. Each VLAN we create could be its own class C sized (/24) subnet within the 10.25.0.0/16 range of addresses. For example, VLAN 1 could be 10.25.1.0/24, and VLAN 2 would be 10.25.2.0/24. Using this method we could have 255 VLANs, each with 254 usable IPs. That is a lot of VLANs, and you usually don't need that many. Even 16 VLANs is plenty, and you can split each VLAN into smaller groups if you need to.
Since IP addressing is based on binary numbers, you will be creating groups using numbers like 8, 16, 32, 64, etc. Avoid making groups of ten or a hundred: subnet boundaries only fall on powers of two, so a group of ten cannot be expressed as a single subnet.
When you look at a subnet visually, it helps to lay the 256 numbers out as a grid in a 16 by 16 arrangement. This helps me see the groups better. If the graphic on the right were our 3rd octet, we could keep each row as a separate functional group. Let's say the top row was for routers and firewalls: 10.25.0.0/24 could be reserved for gateways and ISP connections, 10.25.1.0/24 for firewall interfaces, and 10.25.2.0/24 for switch management interfaces.
Then the second row in the picture could be used for data center hardware: 10.25.16.0/24 for 10Gbps or FibreChannel switches, 10.25.17.0/24 for storage devices, 10.25.18.0/24 for server hardware management, 10.25.19.0/24 for ESX hosts, and 10.25.20.0/24 for vCenter management interfaces.
The other major groups will be for client devices. Keep wired interfaces on their own VLAN and consider the extra security needs of wired connections. The majority of clients will be wireless and should be kept in their own groups. Make special accommodations for guest wireless so that access to other parts of the network is limited.
The most important thing to remember is that like devices should be in the same VLAN together. This lets switching handle connectivity instead of routing or firewalls. In principle, switching is faster than routing because it does less packet inspection.
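The scheme above (one /24 per VLAN, the VLAN id equal to the third octet, and each row of the 16 by 16 grid owned by one functional group) is easy to get wrong by hand, so here is a small planner for it. This is an added example, not code from the original post; it uses the Chicago 10.25.0.0/16 site and the rows and /24s the post names, and the row labels for rows 2 to 5 are assumptions. It carves the /24 for any VLAN id, aggregates a whole row (or any power-of-two block) into one supernet, rejects block sizes that are not powers of two, and does the reverse lookup a defender needs when reading a log: which VLAN and functional group a given address belongs to.

```python
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed plan for the post's Chicago example: the site /16 and the
# functional groups, each owning one row (16 consecutive /24s) of the
# 16 x 16 grid formed by the third octet.
SITE = ip_network("10.25.0.0/16")
ROWS = {
    0: "Routers and firewalls",   # from the post
    1: "Data center hardware",    # from the post
    2: "Servers",                 # assumed row assignment
    3: "Wired clients",           # assumed row assignment
    4: "Wireless clients",        # assumed row assignment
    5: "Guest wireless",          # assumed row assignment
}
# Individual /24s the post names; the VLAN id is the third octet.
NAMED_VLANS = {
    0: "Gateways and ISP connections",
    1: "Firewall interfaces",
    2: "Switch management interfaces",
    16: "10Gbps / FibreChannel switches",
    17: "Storage devices",
    18: "Server hardware management",
    19: "ESX hosts",
    20: "vCenter management interfaces",
}


def is_power_of_two(n: int) -> bool:
    return n > 0 and n & (n - 1) == 0


def vlan_subnet(site: IPv4Network, vlan_id: int) -> IPv4Network:
    """Return the /24 for a VLAN whose id is the third octet of the site /16."""
    if site.prefixlen != 16 or not 0 <= vlan_id <= 255:
        raise ValueError("site must be a /16 and the VLAN id 0..255")
    return list(site.subnets(new_prefix=24))[vlan_id]


def vlan_of(site: IPv4Network, addr: str) -> int:
    """Reverse lookup: the VLAN id (third octet) a host address belongs to."""
    ip = ip_address(addr)
    if ip not in site:
        raise ValueError(f"{ip} is outside {site}")
    return (int(ip) - int(site.network_address)) >> 8


def grid_position(vlan_id: int):
    """(row, column) of the VLAN in the 16 x 16 grid of the third octet."""
    return divmod(vlan_id, 16)


def describe(vlan_id: int) -> str:
    """Label for a VLAN: its named /24 if the post names it, else its row's group."""
    row, _ = grid_position(vlan_id)
    return NAMED_VLANS.get(vlan_id, ROWS.get(row, "unassigned"))


def allocate_block(site: IPv4Network, first_vlan: int, size: int) -> IPv4Network:
    """Aggregate `size` consecutive /24s (a grid row is 16) into one supernet.

    Enforces the post's rule: block sizes are powers of two, and the block
    must start on a boundary aligned to its size, or it is not one subnet.
    """
    if not is_power_of_two(size) or size > 256:
        raise ValueError("block size must be 1, 2, 4, ... 256")
    if first_vlan % size:
        raise ValueError(f"VLAN {first_vlan} is not aligned to a block of {size}")
    prefix = 24 - (size.bit_length() - 1)   # 16 x /24 -> /20, 256 x /24 -> /16
    return ip_network((vlan_subnet(site, first_vlan).network_address, prefix))


def usable_hosts(net: IPv4Network) -> int:
    """Host addresses excluding network and broadcast (254 for a /24)."""
    return net.num_addresses - 2


def plan(site: IPv4Network):
    """Every VLAN of every assigned row as (vlan_id, subnet, label)."""
    return [(v, vlan_subnet(site, v), describe(v))
            for row in sorted(ROWS) for v in range(row * 16, row * 16 + 16)]


if __name__ == "__main__":
    for vlan_id, net, label in plan(SITE):
        print(f"VLAN {vlan_id:3d}  {net}  {label}")
    print("data center row as one supernet:", allocate_block(SITE, 16, 16))
    print("10.25.19.7 is in VLAN", vlan_of(SITE, "10.25.19.7"), describe(19))
```

Running it prints the six rows as 96 VLAN lines, shows the data center row summarised as 10.25.16.0/20 (handy for a single firewall rule or route), and classifies 10.25.19.7 as VLAN 19, ESX hosts. The same reverse lookup can be dropped into log triage to tag a source address with its functional group before deciding whether the traffic is expected between those groups.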
Once you have a good VLAN schema, you can use it at all of your locations. In the next post we will be discussing more about setting up Wireless Networking.
If you would like my help creating new VLANs for your network, please contact me today.