I’m pretty sure my question will be answered by “It all depends on….” But I’m trying to get some kind of baseline with regards to network design. I’m just trying to get some ideas and plans as examples to save and store… Or if there are some sites out there that have examples please point me there… I guess I’m looking for some kind of starting point… Something like “generally speaking you would want to…” For example in this network scenario we were do it like this, and here’s why.
I have been under the assumption of “1 vlan = 1 subnet”. I’m just curious on how professionals would config a multi site scenario. So, say we have this physical setup how would this be done?
3 separate buildings 2 separate scenarios
Not connected at all
Linked via WAN
Each building has 3 floors a core switch and an access switch on each floor
Each floor has 2 departments DetpA, DeptB, and VoIP subnets, for simplicity sake.
Same VLAN IDs in each building with Different subnets?
- Building 1
VLAN 10 - VoIP 192.168.10.0 / 24
VLAN 20 - DeptA 192.168.20.0 / 24
VLAN 30 - DeptB 192.168.30.0 / 24
- Building 2
VLAN 10 - VoIP 192.168.11.0 / 24
VLAN 20 - DeptA 192.168.21.0 / 24
VLAN 30 - DeptB 192.168.31.0 / 24
- Building 3
VLAN 10 - VoIP 192.168.12.0 / 24
VLAN 20 - DeptA 192.168.22.0 / 24
VLAN 30 - DeptB 192.168.32.0 / 24
Different VLANs in each building with Different Subnets
- Building 1
VLAN 11 - VoIP 192.168.11.0 / 24
VLAN 21 - DeptA 192.168.21.0 / 24
VLAN 31 - DeptB 192.168.31.0 / 24
- Building 2
VLAN 12 - VoIP 192.168.12.0 / 24
VLAN 22 - DeptA 192.168.22.0 / 24
VLAN 32 - DeptB 192.168.32.0 / 24
- Building 3
VLAN 13 - VoIP 192.168.13.0 / 24
VLAN 23 - DeptA 192.168.23.0 / 24
VLAN 33 - DeptB 192.168.33.0 / 24
Based on your post, here are some basic concepts that will help you out:
In almost all cases, yes it is one VLAN corresponds to one subnet. However, it is possible within the same VLAN to configure some hosts and one gateway on the 192.168.1.0/24 subnet and some hosts and another gateway on the 192.168.2.0/24 subnet. All hosts on one subnet would communicate with each other ONLY and all hosts on the other would also communicate with each other ONLY. They would each exit the VLAN via their own gateway.
Just to clarify, THIS SHOULD NEVER BE DONE! However, just for completeness, I wanted to indicate that it is possible. So yes, one VLAN should correspond to one subnet.
When interconnecting a large network, all VLAN IDs that correspond to different subnets should be unique. So, you should not have different subnets on the same VLAN IDs. This would result in the scenario described in point (1) above.
A question concerning your scenario: Is Dept A on floor 1 in building 1 part of the same Dept A on floor 2 of the same building? For example, is the sales department separated over several floors? If so, you can have the same VLAN and same subnet on separate floors, so the devices within that VLAN will have the same network characteristics (access lists blocking or allowing access to server subnets etc…)
VLANs will allow you to spread a subnet to any part of the network you like. So, you don’t need to have VLANs and subnets correspond to any geographical region (floors, buildings etc) . You should spread your VLANs and your subnets according to the needs of the departments. So, if you have the sales department, and for argument’s sake you have one employee per floor per building, you can set up VLAN 10 on one port on each access switch for those particular employees.
Thank you for the reply… with regards to your question in Point 3, yes. I guess we can say DeptA is Sales and DeptB is Customer support. So each floor will have some employees in Sales and some in Customer support… But I feel like I did another circle after reading point 4…
So if we have a sales department, and for argument’s sake I have one employee per floor per building, I can set up VLAN 10 on one port on each access switch for those particular employees per floor in separate buildings.
But wouldn’t I need to have separate subnets per building for that same VLAN? If we have 2 buildings with IP’s in the same subnet, how will the routing know which building to send to?
Please see attached… I’m assuming Scenario 1 is not correct, Scenario 2 would be…
From the diagrams you sent, it seems like the two buildings are connected via a WAN. There’s no specification as to the technology used, but the symbols used seem to indicate serial, or maybe a VPN over the Internet. Now the reason that I’m saying this is because this may determine whether you will decide to have separate subnets for the buildings or the same subnets.
If you have two buildings and they are connected via a high speed connection (I will explain further what I mean), then you have more flexibility as to what you can do. This will allow you to have VLANs and subnets that can span multiple buildings and you can use a common VLAN ID scheme. If you have technologies such as a fibre link between the two buildings on the same campus or Metro Ethernet to connect two buildings in the same city, then this scenario would be possible, and it would actually be desirable since it gives you more flexibility. In general, if the technology connecting the two buildings is a “LAN-type” technology such as Ethernet (and not a more traditional, and slower WAN technology) then this is possible.
On the other hand, if you have a a serial connection, or a connection over DSL using a VPN, then you are somewhat more restricted. Although the above scenario can be used, it is preferable to separate the two buildings into separate subnets (and thus VLANs) in order to restrict and limit broadcast traffic over the WAN. In this case you would not be able to have the same subnets at both buildings. As for the VLAN IDs, they could actually be the same since the two VLAN domains would be completely separate. That is, VLAN tags from building 1 would never actually be transmitted over the WAN connection to building 2, so VLAN 10 in building 1 for example will correspond to a completely different subnet even though it is using the same ID.
Having said all that, and seeing your scenarios, I am leaning more towards a “separate subnet per building and per VLAN” solution, just because I get the feeling the link connecting the two buildings is a slower speed technology. So, yes, I would go with scenario 2 as long as it is clear that VLAN 10 sales in building 1 is not the same as VLAN 10 sales in building 2. You will actually need routing to get from one to the other.
This has been extremely helpful… I think I’m on the same page as you, and I really appreciate the thoroughness.
I was wondering if you could expand a bit more on the below piece from your reply? Can we assume, for argumentative sakes, say both buildings are connected via some high speed connection. Either a Metro Ethernet Fibre. How would we config VLANS and subnets to span multiple buildings?
I’m glad I could be of help! As for your question, take a look at this diagram:
First of all let me say that this network does have several design flaws, so this is not an example to be followed. However, it will serve for the purpose of explaining your question. In this diagram, all of the switches on each floor are layer 2 switches as is the distribution switch in building 2. Routing occurs only at the Core L3 switch. Let’s say that create the following subnets:
192.168.10.0/24 for VLAN 10
192.168.20.0/24 for VLAN 20
We can create a couple of SVIs (switched virtual interfaces) at the Core L3 switch so that it will function as the default gateway of both of these subnets. Since we have trunks connecting all the switches, by manipulating the allowed VLANs on the trunks, we can create access ports that belong to VLAN 10 or 20 on any switch. This would also mean that the subnets that correspond to those VLANs would be available on any of those access ports.
Note that this would mean that any communication of a device that requires it to connect to another VLAN will require it to go through the Core L3 switch for routing. So, a PC on VLAN 10 on the 3rd floor of building 1 that wants to communicate with a PC on VLAN 20 in the same location will have to go via the Core L3 switch.
Now it is important also to note that although this setup is possible, it is not always desirable. If you get very large networks, it is a good idea to try to keep VLANs as localised as possible in order to avoid needlessly burdening core layer links with broadcast traffic. This consideration however should be taken into account only for very large networks with large amounts of traffic at the core approaching 60 or 70% of the bandwidth available. Anyway, it is unlikely that you would have a department that is physically spread out over all the floors of multiple buildings where you would be required to include a VLAN at multiple ports throughout a campus.
As you can see there are always exceptions to rules. These are more like guidelines that should be reasonably followed unless there is a good reason to do otherwise. This is where network architecture begins to approach an art rather than a science, although I believe that both are characteristics of the discipline.
Again as with the other post this is also very helpful. Combining the 2 questions I think I’m now able to explain this to myself, or someone else. Which is what I was looking for.
I was struggling with the L2 and L3 beginning and ending points (Even though I “know” from my reading). But as I’m limited in “real world” network design / Implementation it was still a but foggy for me…
I do agree with your comment that this at some point becomes a art / science mix… Very intriguing…
I agree. I work at a large university and we do not allow vlans/subnets to span buildings. Each building has multiple 4500 chassis (L2 only) that aggregate up to a 3850 L3 switch that then goes off to distribution. Vlans are only significant in each building. That way we can also use vtp per building, mstp per building, snmp v3 credentials per building, etc. And also have a layer 3 boundary at the access layer.
