Private VLAN's or what ?

Discussion in 'Cisco' started by raptor, Mar 4, 2005.

  1. raptor

    raptor Guest

    I've read some docs about private VLANs (haven't grasped the concept yet),
    but here is what I want to do. Is it possible with private VLANs or
    by any other means:


    cisco3750
    | | | | |

    On the ports are connected, say, 5 class-C networks,
    10.10.10.x/24 to 10.10.15.0/24, in no particular order (mixed),
    i.e. an address from every class-C net can be assigned
    on any port. (I mean there is no differentiation
    such that 10.10.10.0/24 addresses are on port 1,
    10.10.11.0/24 on port 2 etc., but they are mixed.)

    As you expect, when the network grows so does the ARP and other
    broadcast traffic.
    What I want to do is to suppress this traffic so that it goes only
    to its "targeted audience"; in my case broadcast in 10.10.10.0/24 goes
    only to the hosts of this class-C network, but not to the others.

    Is this possible with private VLANs and, if yes, does it have a big
    impact on the switch performance?
    An example, if you can, would be good too.
     
    raptor, Mar 4, 2005
    #1

  2. "raptor" <> wrote in message
    news:...
    > I've read some docs about private VLANs (haven't grasped the concept yet),


    The concept is pretty simple: ports marked as protected can only see unprotected
    ports in the same VLAN.
    Given this, clients can no longer see each other, but only, say, uplinks
    towards the server farms and/or gateway. This way you get additional
    protection against e.g. worms and vuln. spreading from client to client,
    and a lot more control over end users' usage of applications etc.

    > but here is what I want to do. Is it possible with private VLANs or
    > by any other means:
    >
    >
    > cisco3750
    > | | | | |
    >
    > On the ports are connected, say, 5 class-C networks,
    > 10.10.10.x/24 to 10.10.15.0/24, in no particular order (mixed),
    > i.e. an address from every class-C net can be assigned
    > on any port. (I mean there is no differentiation
    > such that 10.10.10.0/24 addresses are on port 1,
    > 10.10.11.0/24 on port 2 etc., but they are mixed.)
    >
    > As you expect, when the network grows so does the ARP and other
    > broadcast traffic.
    > What I want to do is to suppress this traffic so that it goes only
    > to its "targeted audience"; in my case broadcast in 10.10.10.0/24 goes
    > only to the hosts of this class-C network, but not to the others.


    What you need is plain old good-time VLANs, segmenting the broadcast
    domains.
    You do not tell if the different IP nets need to talk to one another.
    If so, you need some SVIs or router ports.


    HTH
    Martin Bilgrav
     
    Martin Bilgrav, Mar 4, 2005
    #2

  3. raptor

    raptor Guest

    > You do not tell if the different IP nets need to talk to one another?
    Yes, they have to be able to talk to each other via layer 3, but not
    via layer 2,
    if possible of course, and if this does not impact the switch
    performance,
    i.e. do this at line rate.

    How can I segment the broadcast domain in my situation? Can you give me
    some link? TIA
     
    raptor, Mar 4, 2005
    #3
  4. Toby

    Toby Guest

    "raptor" <> wrote in message
    news:...
    > I've read some docs about private VLANs (haven't grasped the concept yet),
    > but here is what I want to do. Is it possible with private VLANs or
    > by any other means:
    >
    >
    > cisco3750
    > | | | | |
    >
    > On the ports are connected, say, 5 class-C networks,
    > 10.10.10.x/24 to 10.10.15.0/24, in no particular order (mixed),
    > i.e. an address from every class-C net can be assigned
    > on any port. (I mean there is no differentiation
    > such that 10.10.10.0/24 addresses are on port 1,
    > 10.10.11.0/24 on port 2 etc., but they are mixed.)
    >
    > As you expect, when the network grows so does the ARP and other
    > broadcast traffic.
    > What I want to do is to suppress this traffic so that it goes only
    > to its "targeted audience"; in my case broadcast in 10.10.10.0/24 goes
    > only to the hosts of this class-C network, but not to the others.
    >
    > Is this possible with private VLANs and, if yes, does it have a big
    > impact on the switch performance?
    > An example, if you can, would be good too.


    Not sure what exactly you are getting at here.

    If you have 5 class-C networks running through a switch without VLANs,
    using the same broadcast domain, and are using Cisco equipment, then you must
    at present have 5 gateway routers/interfaces to route between them all at
    layer 3 (not sure, without reviewing my old course notes, if secondary networks
    support split-horizon routing on Cisco routers!!!!, we don't use them).

    VLANs are the only real option here, as they will, as you require, reduce
    broadcast traffic, as long as your router/IOS supports VLANs and is so able
    to route back onto the LAN.

    As for performance, yes, VLAN operation will increase CPU load slightly, but
    as less broadcast traffic would be traversing unneeded LAN segments, this
    would reduce the load on the switch greatly, totally negating any extra
    function you have placed on the switch.

    Toby
     
    Toby, Mar 4, 2005
    #4
  5. CiscoTech

    CiscoTech Guest

    This is one of the main reasons for the VLAN configuration: to prevent
    all ports from seeing the layer 2 traffic (broadcasts, etc.).

    For simplicity's sake, let's use the following:

    VLAN 10 - 10.10.10.x/24
    VLAN 11 - 10.10.11.x/24
    VLAN 12 - 10.10.12.x/24
    VLAN 13 - 10.10.13.x/24
    VLAN 14 - 10.10.14.x/24
    VLAN 15 - 10.10.15.x/24


    Now, with separated VLANs, a router would have to be used to route the
    different VLAN traffic between the VLANs.

    In your Cisco switch, let's say that port 1 was VLAN 10, port 2 was VLAN
    11, port 3 was VLAN 12, etc.

    ! Each port is a plain access port carrying exactly one VLAN
    interface FastEthernet0/1
     switchport mode access
     switchport access vlan 10
    !
    interface FastEthernet0/2
     switchport mode access
     switchport access vlan 11
    !
    interface FastEthernet0/3
     switchport mode access
     switchport access vlan 12
    !
    interface FastEthernet0/4
     switchport mode access
     switchport access vlan 13
    !
    interface FastEthernet0/5
     switchport mode access
     switchport access vlan 14
    !
    interface FastEthernet0/6
     switchport mode access
     switchport access vlan 15


    This will allow layer 2 traffic, broadcasts such as ARP etc., to
    remain in the subnet it originated from, since broadcast traffic will not
    be routed by the router between subnets.

    Even when adding more switches, connect the switches by trunking (802.1Q
    or ISL) the uplink ports; this allows all packets to be "tagged"
    with the VLAN membership of the packet. This way, whenever the packet is
    received by another switch, the destination switch will know the VLAN
    membership of the packet and the packet will be sent to the port(s) that
    are configured with that VLAN.

    Performance will not be impacted as long as the switch or switchports
    are not overloaded, i.e. switchport utilization at 100%, the switch
    backplane trying to switch more packets than it is rated for, etc.

    We are using this type of setup to separate traffic for 4000+ nodes on
    37 VLANs through 150+ switches, using a Cisco 6509 core switch with the
    MSFCII layer 3 (router) card in the supervisor blade to route traffic
    between the different VLANs.


    I hope this helps.

    Curtis


    raptor wrote:
    > I've read some docs about private VLANs (haven't grasped the concept yet),
    > but here is what I want to do. Is it possible with private VLANs or
    > by any other means:
    >
    >
    > cisco3750
    > | | | | |
    >
    > On the ports are connected, say, 5 class-C networks,
    > 10.10.10.x/24 to 10.10.15.0/24, in no particular order (mixed),
    > i.e. an address from every class-C net can be assigned
    > on any port. (I mean there is no differentiation
    > such that 10.10.10.0/24 addresses are on port 1,
    > 10.10.11.0/24 on port 2 etc., but they are mixed.)
    >
    > As you expect, when the network grows so does the ARP and other
    > broadcast traffic.
    > What I want to do is to suppress this traffic so that it goes only
    > to its "targeted audience"; in my case broadcast in 10.10.10.0/24 goes
    > only to the hosts of this class-C network, but not to the others.
    >
    > Is this possible with private VLANs and, if yes, does it have a big
    > impact on the switch performance?
    > An example, if you can, would be good too.
     
    CiscoTech, Mar 8, 2005
    #5
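    The replies above split the answer across three posts: Martin's protected ports (#2) and SVIs for layer 3, CiscoTech's one-VLAN-per-subnet access ports and 802.1Q trunk (#5). Below is a single Catalyst 3750 configuration that puts those pieces together for raptor's six subnets. It is an added example, not a configuration from any poster in this thread. Assumed, because the thread does not give them: a 24-port FastEthernet 3750 (stack member 1, so Fa1/0/x and Gi1/0/x names), .1 as the gateway address in each subnet, the VLAN names, and a second switch hanging off Gi1/0/1.

```cisco
! Added example, not from the thread. Catalyst 3750 with one VLAN per
! class-C network from raptor's post, routing between them on SVIs.
! Assumed: 24-port FastEthernet 3750 (stack member 1), .1 as the gateway
! in each subnet, the VLAN names, and a second switch on Gi1/0/1.
!
! Enable layer-3 forwarding so the SVIs below route in hardware
! (this is what gives "via layer 3 but not layer 2" at line rate).
ip routing
!
vlan 10
 name NET-10-10-10
vlan 11
 name NET-10-10-11
vlan 12
 name NET-10-10-12
vlan 13
 name NET-10-10-13
vlan 14
 name NET-10-10-14
vlan 15
 name NET-10-10-15
!
! Access ports. A host's port must be in the VLAN of the subnet its
! address belongs to, so the "mixed" ports have to be sorted out first;
! a host left on the wrong VLAN loses its gateway.
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet1/0/2
 switchport mode access
 switchport access vlan 11
!
interface FastEthernet1/0/3
 switchport mode access
 switchport access vlan 12
!
interface FastEthernet1/0/4
 switchport mode access
 switchport access vlan 13
!
interface FastEthernet1/0/5
 switchport mode access
 switchport access vlan 14
!
interface FastEthernet1/0/6
 switchport mode access
 switchport access vlan 15
!
! Martin's protected ports: two more hosts in VLAN 10 that still reach
! the gateway and unprotected ports, but not each other at layer 2.
! Protected-port isolation is local to this switch; it does not carry
! across the trunk to ports on another switch.
interface range FastEthernet1/0/7 - 8
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! SVIs: the 3750 is the default gateway of every subnet. ARP and other
! broadcasts stay inside their VLAN; only routed unicast crosses subnets.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan11
 ip address 10.10.11.1 255.255.255.0
!
interface Vlan12
 ip address 10.10.12.1 255.255.255.0
!
interface Vlan13
 ip address 10.10.13.1 255.255.255.0
!
interface Vlan14
 ip address 10.10.14.1 255.255.255.0
!
interface Vlan15
 ip address 10.10.15.1 255.255.255.0
!
! 802.1Q trunk to the next switch, limited to the six VLANs in use so
! no other VLAN's broadcasts are flooded down the uplink.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-15
 switchport mode trunk
!
end
```

    After applying it, `show vlan brief` should list each access port under exactly one VLAN, `show interfaces trunk` should show VLANs 10-15 allowed and active on Gi1/0/1, and `show ip interface brief` should show the six SVIs up. Hosts need their default gateway pointed at the SVI address of their own subnet; the 3750 then routes between the class-C networks, while an ARP broadcast from a 10.10.10.0/24 host is only ever flooded to VLAN 10 ports and the trunk.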