My first dive into VLAN with a managed switch, need advice

idea (Gawd, joined Jan 24, 2005, 615 messages)
I just bought my first managed switch. It's a Zyxel 1910-24G. I understand the benefits of VLAN for performance and security, and I made a decision to make use of VLAN, but I'm having trouble wrapping my head around how I am going to implement it. It's a fairly basic design for most network admins, so if you have any advice or can link to any guides/articles, please let me know. Thanks!

This entire post is a theoretical design based on my limited networking knowledge. I have not actually started putting anything together yet. Things will get easier once my switch arrives and I start playing around with it and learning about it.

My current equipment:
  • WAN link: ASUS RT-N16 running Tomato firmware (with VLAN enabled if that helps)
  • Router: pfSense VM guests with CARP/etc, uplinked into the ASUS router
  • Switch: Zyxel 1910-24G
  • Various desktops
  • Storage system capable of NFS and iSCSI
  • Multiple ESXi servers with HA, DRS, vMotion, etc. I also want to try VSAN beta

The VLANs that I want:
  • 100 Management desktops
  • 200 Regular desktops
  • 300 VOIP traffic
  • 400 DMZ
  • 1000 Datastore IP storage traffic (NFS in this case)
  • 1100 vMotion
  • 1200 FT Logging traffic
  • 1300 VSAN traffic
  • 1400 VM guest LAN

My VMware environment is designed like this:
  • 1 Linux fileserver with 2x 1GbE NICs (I want to do teaming/LACP for 2GB/s, but that's for another thread)
  • 2 ESXi nodes with 2x 1GbE NICs (I also want to team these for 2GB/s)

In summary, the challenges before me are:
  1. Teaming multiple NICs in Linux (LACP), for fault tolerance and aggregating bandwidth
  2. Teaming multiple NICs in ESXi, for fault tolerance and aggregating bandwidth
  3. Separating traffic using VLANs, for performance and security
  4. Using virtualized software-based firewall instances (pfSense) to route between VLANs
  5. Deploying one pfSense instance on each VMware node, and having them work together, in case one node fails
 
Seems like a lot of VLANs. How many servers and desktops are you planning on having?
 
> Seems like a lot of VLANs. How many servers and desktops are you planning on having?

This is a home office setup, so not many

Servers: Only the 2x ESXi hosts, and maybe 20 VMs total
Desktops: Just a few
 
> This is a home office setup, so not many
>
> Servers: Only the 2x ESXi hosts, and maybe 20 VMs total
> Desktops: Just a few

Are the VMs servers or desktops? What are you trying to achieve with the network?
 
The setup shouldn't be that difficult; it's usually the terminology that gets people. Tagged and Untagged will be your main concern, and how devices handle each. Consider tagged to be your trunks, your lines carrying multiple VLANs. Untagged are your devices, items that don't need to know about the VLAN setup. Yes, some devices can tag instead of setting the port to Untagged.

So set up all the VLANs on your router/firewall and assign them to the LAN interface. On the switch port they connect to, make it a Tagged port and assign the VLANs (or on some switches you select the VLAN and then assign ports tagged or untagged). For your phones and computers, mark their ports as untagged. If you will be running computers through phones (port sharing) then mark the port tagged for both VLANs. Then on your phone there should be settings for what VLAN each phone port connects to.

I can't help you on the ESX setup, but if it has VLAN rules then I assume the same rules apply. If not, you might have to use a couple of Tagged switch ports for the ESX server and, in the VMs, mark their NIC with VLAN tags.

For the routing between VLANs, you will have to make firewall policies between subnets/VLANs. Either use ANY rules, or lock it down and only allow the ports you want passed between VLANs.
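The tagged/untagged distinction above is easiest to see on the wire. The following is an added example, not code from anyone in this thread: it builds Ethernet frames with and without an 802.1Q tag, then models how a switch port classifies an arriving frame (an untagged port assigns its PVID, a tagged port accepts only the VLANs it is a member of) and how it rewrites the frame on the way out. The port names, MAC addresses and VLAN memberships are constructed for the example; the VLAN IDs are the ones from the thread.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value announcing that a 4-byte 802.1Q tag follows
ETH_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given."""
    frame = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = (pcp << 13) | vid                      # PCP(3) | DEI(1, zero) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vid_or_None, pcp, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:                      # tagged: TCI, then the real EtherType
        tci, real_type = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, tci >> 13, real_type, frame[18:]
    return dst, src, None, 0, ethertype, frame[14:]


class Port:
    """A switch port: one optional untagged VLAN (the PVID) plus tagged members."""

    def __init__(self, name: str, untagged: Optional[int] = None, tagged=()):
        self.name, self.untagged, self.tagged = name, untagged, frozenset(tagged)


def ingress_vlan(port: Port, frame: bytes) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means the port drops it."""
    vid = parse_frame(frame)[2]
    if vid is None:
        return port.untagged        # no PVID configured -> untagged frames are dropped
    if vid in port.tagged:          # assumption: a tag is honoured only for tagged members
        return vid
    return None                     # tag for a VLAN this port does not carry: dropped


def egress_frame(port: Port, vlan: int, frame: bytes) -> Optional[bytes]:
    """Rewrite a frame leaving `port` on `vlan`: strip, add or keep the tag."""
    dst, src, _, pcp, ethertype, payload = parse_frame(frame)
    if vlan == port.untagged:
        return build_frame(dst, src, ethertype, payload)              # untagged out
    if vlan in port.tagged:
        return build_frame(dst, src, ethertype, payload, vlan, pcp)   # tagged out
    return None                                                       # not a member


# Constructed ports modelled on the thread: the pfSense trunk, a desktop port,
# and a phone port with a PC daisy-chained through the phone.
TRUNK = Port("pfsense-uplink", tagged=[100, 200, 300, 400, 1400])
DESKTOP = Port("desktop", untagged=200)
PHONE = Port("phone+pc", untagged=200, tagged=[300])
PC_MAC, PHONE_MAC = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
GW_MAC = b"\x02\x00\x00\x00\x00\xfe"


def demo() -> dict:
    """Run constructed frames through the ports and return the classifications."""
    pc_frame = build_frame(GW_MAC, PC_MAC, ETH_IPV4, b"pc data")                  # untagged
    phone_frame = build_frame(GW_MAC, PHONE_MAC, ETH_IPV4, b"rtp", vid=300, pcp=5)  # phone tags
    mis_tagged = build_frame(GW_MAC, PC_MAC, ETH_IPV4, b"x", vid=1000)            # PC tags storage
    results = {
        "pc on desktop port": ingress_vlan(DESKTOP, pc_frame),         # 200 via PVID
        "phone on phone port": ingress_vlan(PHONE, phone_frame),       # 300 via tag
        "pc behind phone": ingress_vlan(PHONE, pc_frame),              # 200 via PVID
        "storage tag on desktop port": ingress_vlan(DESKTOP, mis_tagged),  # dropped
        "untagged on trunk": ingress_vlan(TRUNK, pc_frame),            # dropped: no PVID
    }
    out = egress_frame(TRUNK, 200, pc_frame)                            # trunk adds tag 200
    results["vid on trunk egress"] = parse_frame(out)[2]
    reply = build_frame(PC_MAC, GW_MAC, ETH_IPV4, b"reply", vid=200)
    results["vid on desktop egress"] = parse_frame(egress_frame(DESKTOP, 200, reply))[2]
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:30} -> {value}")
```

The point for the home lab is the "storage tag on desktop port" case: because the desktop port is untagged-only, a host that tags its own frames for the storage VLAN is ignored by the switch, which is why end devices get untagged ports and only the router, ESXi hosts and phones get tagged membership.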
 
ESX makes it a lot simpler. Set the ports to either trunk all or trunk the vlans you want, and set the vlan at the vswitch (it's a compatible switch internally). Problem solved. That being said - that's a LOT of vlans - you have a router for getting around all this?
 
I was wondering that myself, but I suppose that he was planning on setting up those VLANs in pfSense and doing a router on a stick.
 
> Are the VMs servers or desktops? What are you trying to achieve with the network?

#1 priority is to learn. Secondary priorities are speed and security within my home lab

> The setup shouldn't be that difficult; it's usually the terminology that gets people. Tagged and Untagged will be your main concern, and how devices handle each. Consider tagged to be your trunks, your lines carrying multiple VLANs. Untagged are your devices, items that don't need to know about the VLAN setup. Yes, some devices can tag instead of setting the port to Untagged.
>
> So set up all the VLANs on your router/firewall and assign them to the LAN interface. On the switch port they connect to, make it a Tagged port and assign the VLANs (or on some switches you select the VLAN and then assign ports tagged or untagged). For your phones and computers, mark their ports as untagged. If you will be running computers through phones (port sharing) then mark the port tagged for both VLANs. Then on your phone there should be settings for what VLAN each phone port connects to.
>
> I can't help you on the ESX setup, but if it has VLAN rules then I assume the same rules apply. If not, you might have to use a couple of Tagged switch ports for the ESX server and, in the VMs, mark their NIC with VLAN tags.
>
> For the routing between VLANs, you will have to make firewall policies between subnets/VLANs. Either use ANY rules, or lock it down and only allow the ports you want passed between VLANs.

Much appreciated. I know my post was overwhelming, thank you for taking the time to write that up. I will refer to it when my switch arrives
 
> ESX makes it a lot simpler. Set the ports to either trunk all or trunk the vlans you want, and set the vlan at the vswitch (it's a compatible switch internally). Problem solved. That being said - that's a LOT of vlans - you have a router for getting around all this?

> I was wondering that myself, but I suppose that he was planning on setting up those VLANs in pfSense and doing a router on a stick.

Most of those VLANs don't need routing. However, yes, I am going to have multiple virtualized software-based firewalls do the routing. I chose pfSense because I have experience with it.
 
> The VLANs that I want:
>   • 100 Management desktops
>   • 200 Regular desktops
>   • 300 VOIP traffic
>   • 400 DMZ
>   • 1000 Datastore IP storage traffic (NFS in this case)
>   • 1100 vMotion
>   • 1200 FT Logging traffic
>   • 1300 VSAN traffic
>   • 1400 VM guest LAN

This is a good layout. If you want to go even further you could do something like:

250 - Secured desktops (802.1x secured network)
500 - Trusted wireless clients
600 - Untrusted wireless clients
700 - Wireless VOIP
800 - Captive network
900 - Low security devices (printers, timeclocks, etc)

A lot of network printers support 802.1X these days; however, it is not the standard, so I throw those devices on their own 'low security' network and PVLAN it so they can't talk to each other.

Etc

In the real world of enterprise networks, your layout isn't too far from current practices, with the exception of VLAN 300. With soft clients becoming more prevalent and using the very same subnet as your desktop/laptop, you end up relying on DSCP/QoS to properly queue traffic ahead of your workstations.
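Two ideas from this thread fit together in one policy model: the earlier advice to route between VLANs with explicit firewall rules ("ANY rules" versus locking down to the needed ports, with everything else denied), and the points here that some VLANs need no routing at all and that a low-security segment can be PVLAN-isolated so its members cannot reach each other. The following is an added example written for this page, not anyone's actual pfSense or Zyxel configuration: it encodes a VLAN plan with the thread's VLAN IDs, marks the storage and vMotion VLANs as layer-2 only (no gateway) and VLAN 900 as isolated, and evaluates sample flows against a first-match, default-deny rule table. The subnets, the rule set and the sample flows are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

ANY = "any"
Match = Union[int, str]


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: str
    routed: bool = True     # True: the firewall has an interface (gateway) on this VLAN
    isolated: bool = False  # True: PVLAN-style, hosts in the VLAN cannot reach each other


@dataclass(frozen=True)
class Rule:
    src_vid: Match   # VLAN id or ANY
    dst_vid: Match
    proto: str       # "tcp", "udp" or ANY
    dport: Match     # destination port or ANY


# Constructed plan: VLAN IDs from the thread, subnets and flags are assumptions.
VLANS = [
    Vlan(100, "management desktops", "10.0.1.0/24"),
    Vlan(200, "regular desktops", "10.0.2.0/24"),
    Vlan(300, "voip", "10.0.3.0/24"),
    Vlan(400, "dmz", "10.0.4.0/24"),
    Vlan(900, "low security devices", "10.0.9.0/24", isolated=True),
    Vlan(1000, "nfs datastore", "10.0.10.0/24", routed=False),
    Vlan(1100, "vmotion", "10.0.11.0/24", routed=False),
    Vlan(1400, "vm guest lan", "10.0.14.0/24"),
]

# First match wins; a flow that matches no rule is denied (default deny).
RULES = [
    Rule(100, ANY, ANY, ANY),     # the "ANY rule": management reaches every routed VLAN
    Rule(200, 400, "tcp", 443),   # locked down: desktops get only HTTPS into the DMZ
    Rule(1400, 400, "tcp", 443),
    Rule(200, 300, "udp", 5060),  # assumed: softphones on desktops may talk SIP to VoIP
]


def vlan_for(ip: str):
    """Find the planned VLAN whose subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for v in VLANS:
        if addr in ipaddress.ip_network(v.subnet):
            return v
    return None


def _matches(rule: Rule, src: Vlan, dst: Vlan, proto: str, dport: int) -> bool:
    return (rule.src_vid in (ANY, src.vid) and rule.dst_vid in (ANY, dst.vid)
            and rule.proto in (ANY, proto) and rule.dport in (ANY, dport))


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Decide one flow; returns (verdict, reason) with verdict "allow" or "deny"."""
    src, dst = vlan_for(src_ip), vlan_for(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside every planned subnet"
    if src.vid == dst.vid:
        # Same VLAN: the switch forwards it and the firewall never sees it,
        # unless the switch isolates the VLAN's members (PVLAN).
        if src.isolated:
            return "deny", f"VLAN {src.vid} is isolated (PVLAN)"
        return "allow", f"same VLAN {src.vid}, switched, firewall not consulted"
    for v in (src, dst):
        if not v.routed:            # no gateway: nothing can route into or out of it
            return "deny", f"VLAN {v.vid} ({v.name}) has no gateway, layer 2 only"
    for rule in RULES:
        if _matches(rule, src, dst, proto, dport):
            return "allow", f"rule {rule.src_vid}->{rule.dst_vid} {rule.proto}/{rule.dport}"
    return "deny", f"no rule from VLAN {src.vid} to VLAN {dst.vid}, default deny"


# Constructed sample flows
SAMPLE_FLOWS = [
    ("10.0.2.15", "10.0.4.10", "tcp", 443),    # desktop -> DMZ web: allowed by rule
    ("10.0.2.15", "10.0.4.10", "tcp", 22),     # desktop -> DMZ ssh: default deny
    ("10.0.1.5", "10.0.4.10", "tcp", 22),      # management -> DMZ ssh: ANY rule
    ("10.0.1.5", "10.0.10.5", "tcp", 2049),    # management -> NFS: VLAN has no gateway
    ("10.0.9.5", "10.0.9.6", "tcp", 9100),     # printer -> printer: PVLAN isolated
    ("10.0.2.5", "10.0.2.6", "tcp", 445),      # desktop -> desktop: switched
]


def run_samples() -> dict:
    return {flow: evaluate(*flow) for flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for (s, d, p, port), (verdict, reason) in run_samples().items():
        print(f"{s:>10} -> {d:<10} {p}/{port:<5} {verdict:5} {reason}")
```

The order of the checks mirrors where each control actually lives: same-VLAN traffic is decided by the switch (and PVLAN isolation is a switch feature, not a firewall rule), VLANs without a gateway are unreachable regardless of any firewall policy, and only what is left reaches the rule table, which denies by default.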
 
> This is a good layout. If you want to go even further you could do something like:
>
> 250 - Secured desktops (802.1x secured network)
> 500 - Trusted wireless clients
> 600 - Untrusted wireless clients
> 700 - Wireless VOIP
> 800 - Captive network
> 900 - Low security devices (printers, timeclocks, etc)
>
> A lot of network printers support 802.1X these days; however, it is not the standard, so I throw those devices on their own 'low security' network and PVLAN it so they can't talk to each other.
>
> Etc
>
> In the real world of enterprise networks, your layout isn't too far from current practices, with the exception of VLAN 300. With soft clients becoming more prevalent and using the very same subnet as your desktop/laptop, you end up relying on DSCP/QoS to properly queue traffic ahead of your workstations.

Awesome, you see where I'm coming from, I'm trying to mimic enterprise networks :cool: I will certainly consider those extra VLANs.
 