Generic VLAN Design

Like every other blogger, I get occasional e-mails from people fishing for free consulting or second opinion (note: asking a serious technical question is a totally different story; as many people know, I always try to reply and help) and as I’m totally overloaded with OpenFlow symposium and Net Field Day these days, I decided to share one of the better ones.

It all started pretty innocently:

I am happy to find you, because I have a question about the number of VLANs in a small data center. We have about 300 PCs and about 100 servers connected to 2 Cisco Catalyst 4507R and we decided to design our infrastructure as a collapsed core (no distribution layer). How many VLANs do you recommend for us? Are more VLANs good or not?

Trying to be at least marginally helpful, I replied with some generic recipes:

No specific recommendations. Use a different VLAN for every security zone, use firewalls or L3 switches with packet filters between them; don't have more than ~100 hosts/subnet.

However, that was not what he was looking for:

Thanks for your attention, but I’m confused because we want to implement our new network with about 15 VLANs, but another guy gave us a design with about 70 VLANs. Which design is better? Is a 70 VLAN design very complicated or not? Which one do you prefer?

I could have used the “it looks like a donut to me” answer that Jeremy Stretch once used (replacing donuts with Mikado Sticks), but I still tried to tell him that it’s impossible to make a recommendation based on no input data. 70 VLANs for 100 servers does sound like overkill, but maybe they’re running a virtualized environment with 1000+ virtual machines and there’s a good reason for numerous VLANs.

It’s totally impossible to tell you which design is better without having a detailed look into what your requirements are and the review of both designs, which would require a proper consultancy engagement.

... but all he needed was a simple answer:

As I said, this is a general question about VLAN planning. If we can set up a network, for example, with 15 VLANs and can also design the same network with 70 VLANs, which one is better?

What shall I reply?

A) Small is beautiful, go with 15 VLANs.

B) Bigger is better, use 70 VLANs.

C) More VLANs will definitely increase your job security.

D) It depends.

E) 42

F) All of the above.
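To show why the only honest answer is "it depends", here is an added example (not part of the original post) that turns the recipe given above into a small planner: one VLAN per security zone, zones larger than ~100 hosts split into several VLANs, and each subnet sized to fit (so a 1000-host zone gets a /22 and a 100-host zone a /25, rather than a /22 for everything). The zone names and the split of the 300 PCs and 100 servers into three zones are constructed for the example.

```python
import ipaddress
import math

# Added example (not from the original post): a planner for the rule
# "one VLAN per security zone, no more than ~100 hosts per subnet".
MAX_HOSTS_PER_SUBNET = 100   # rule of thumb quoted in the post

# Constructed sample: the 300 PCs and 100 servers from the e-mail, split into
# three assumed security zones (the zone names and split are made up here).
EXAMPLE_ZONES = {"user-pcs": 300, "app-servers": 60, "db-servers": 40}


def prefix_for(hosts, reserved=3):
    """Smallest IPv4 prefix length that holds `hosts` addresses plus the
    network, broadcast and default-gateway addresses."""
    needed = hosts + reserved
    bits = max(2, (needed - 1).bit_length())   # ceil(log2(needed)), no floats
    return 32 - bits


def plan_vlans(zones, supernet="10.0.0.0/16",
               max_hosts=MAX_HOSTS_PER_SUBNET, first_vlan=10):
    """Give every zone at least one VLAN, split zones above `max_hosts` into
    several VLANs, and carve right-sized subnets from `supernet` in order.
    Returns a list of {"zone", "vlan", "subnet", "hosts", "spare"} dicts."""
    pool = ipaddress.ip_network(supernet)
    cursor = int(pool.network_address)   # next free address in the pool
    vlan = first_vlan
    plan = []
    for zone, hosts in zones.items():
        pieces = max(1, math.ceil(hosts / max_hosts))
        per_piece = math.ceil(hosts / pieces)
        for _ in range(pieces):
            plen = prefix_for(per_piece)
            size = 2 ** (32 - plen)
            cursor = -(-cursor // size) * size   # align to the subnet boundary
            net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{plen}")
            if not net.subnet_of(pool):
                raise ValueError(f"{supernet} exhausted while allocating {zone}")
            usable = size - 3   # minus network, broadcast and gateway
            plan.append({"zone": zone, "vlan": vlan, "subnet": str(net),
                         "hosts": per_piece, "spare": usable - per_piece})
            cursor += size
            vlan += 1
    return plan


def vlan_count(zones, **kwargs):
    """How many VLANs the rule of thumb produces for a given set of zones."""
    return len(plan_vlans(zones, **kwargs))
```

With the constructed zones the rule yields five VLANs; change the zone list or the host cap and the count moves, which is the whole point: 15 versus 70 is decided by the security zones and host counts, not by taste.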

39 comments:

  1. Dmitri Kalintsev, 27 October 2011, 07:13

    My vote goes for (E)! :D

  2. I would go back to him and say:

    * Cars generally have 4 wheels.
    * Trucks often have upwards of 18 wheels.
    * Having only 4 wheels gives you less tires to change but you wouldn't build a semi-trailer with just 4 wheels.

  3. D) Sure, if you don't know the network requirements, you can't give advice about how many VLANs are needed in my network.

  4. I would go for C as a reply :-)

  5. And this guy is designing this (or any other) network? God dammit ...

  6. Pseudobroadcast, 27 October 2011, 09:48

    I think you should reply 42. After all it is the answer to the meaning of life, the universe and everything.

  7. F) All of the above.

    "Small is beautiful, go with 15 VLANs but then again, bigger is better so use 70 VLANs. More VLANs will definitely increase your job security so it really depends. 42 would be best."
    Whatever you choose we want a follow up post!! haha

  8. I would go with F! Beautiful questions deserve equally beautiful answers!

  9. G) I'll answer the question if you help me out with this: I have a friendly couple who are going to have a baby soon, should I buy something pink or blue for the baby shower?

  10. I'd say zero VLANs to go flat... real flat. Also, all users should be domain admins and be given root and enable passwords to the environment for extra redundancy.

  11. Brian Christopher Raaen, 27 October 2011, 13:57

    I think you should reply to use 15 base VLANs and then encapsulate an additional 3 Q-in-Q VLANs in 5 of those and 4 in the remaining 10; that way you have both 15 and 70 VLANs.

    70 - 15 overlay VLANs = 55 Q-in-Q VLANs needed inside them
    (5 * 3) + (10 * 4) = 55

    That way you can answer yes to both of his solutions.

    1. Haha, that's so mean... He can't even figure out standard .1Q.

  12. Most assuredly E but make sure that's ALL that's in your e-mail.

  13. I would have said to implement 1 VLAN per user. That way, if you have a VLAN problem, it's really easy to narrow it down to the device.

  14. I got the fun part of the blog post... yes I gave it a good smile and I honestly understand your point.

    Nevertheless I think you could have skipped this one (post). But hey it's your blog, posts are not always just for the readers, and guess what I (reader) read it from top to bottom and I had some fun.

    So here's my 2 cents reply with:

    Search and Replace VLANs, servers, switches with "chickens, rabbits and chick peas". Can't really tell you how many chick peas you need for the rabbits nor if the rabbits can dance with more than one chicken.

  15. I loved answer E - 42 and Brian Raaen's QinQ one. Excellent....
    My cheapo answer - flatten it out and put it all on one 10Base-T HUB. LOL.

  16. Juan Tarrio (Brocade), 27 October 2011, 21:32

    42 is always the right answer

  17. Seconded! Though I wouldn't be surprised if the answer would be: 'Why 42?'

  18. Alex White-Robinson, 28 October 2011, 02:46

    Use EEM scripting to add and remove VLANs as needed. Dynamically.

  19. Ivan, I recommend option G) Use VXLANs instead of VLANs...

    Kidding, couldn't help myself here :-)

  20. Christophe Lemaire, 28 October 2011, 08:47

    Quit networking?

    Or 42...

  21. And you could reply "Because it's the truncated arithmetic mean of 15 and 70. It's the fundamental networking design principle..." :-D
    Great article!

  22. A) Small is beautiful, go with 15 VLANs.

  23. Ivan,

    Even though this post is specifically about you being irked by people asking for design advice for free... I just have to ask: are we really still limiting a segment to 100 hosts? Have I taken bad advice from the Cisco/VMware VCE design team in planning an upgrade from /25s to /22s? So sorry if this post is offensive because of the original topic.

  24. Obviously 13 VLANs.

  25. “it looks like a donut to me” - LOL

  26. Will, it's actually about people asking me to do their job for free. Asking for specific advice after you did your homework is perfectly fine. It has always been and will always be.

    /22 is not bad, but I try to be on the safe side. If I don't have to have big subnets, I try to avoid them.

    Remember that one subnet = one security zone (unless you have VM-level firewall like VSG or vShield App). If you have 1000 hosts in one security zone, then /22 might fit the bill, otherwise it's a waste of addresses.

    Makes sense?
    Ivan

  27. I think we should paint the bike shed orange.

  28. For the answer with the most wisdom I will turn to Solomon and say split the baby.

    The answer is E .. + .5. The median of 15 and 70 is 42.5.

    42.5 VLANs

  29. I think we have a winner.

  30. I think you should just point him to this post (which he has probably seen already anyway) and tell him to derive his answer from the collective wisdom of the group. If that doesn't work, send him an invoice for a few hours consulting and see if he pays it, then help out. Or, send him to a recruiter and recommend he hire a network guy.

    By the way, we have a similar environment (about 100 physical servers (lots of VMs) and 300 desktops) and we run about 35 VLANs. Of course, that is based on our needs and security zones.... :-)

  31. I dunno. I think it's you who acted like an ass. You could simply ignore him yet you decided to troll and then make one more post for the blog which is a mere platform of your paid webinars.

    People actually used to help each other on the internet. Did you ever ask questions during your career? Do you feel bad for not paying for replies? Can I ridicule you for double standards?

    You're too greedy and elitist for a network plumber.

  32. Well, since you didn't offer "use OpenFlow" as an option, I would have to go with "42."

    Omar

  33. Ivan Pepelnjak, 04 April 2012, 12:55

    Dear Guest,

    * I have no problem if you criticize me, my work, or my opinions, but have the guts to use your name. Otherwise you're just one of many trolls out there.
    * If you were interested in my work beyond writing a snarky comment, you'd know how many questions I answer in public.
    * You have no idea how many additional questions I answer via e-mail.
    * You also have no idea how many e-mails I get where it's clearly obvious that people are trying to get me to do their job for free. I even answer many of them if it's obvious that the person asking the question did at least the basic research.
    * I publish a few articles each week that one or two people find somewhat useful. What have you contributed to other network plumbers so far?
    * Anyone who writes technical articles can probably appreciate how much time is spent writing them. Do the math.

    Finally, yes, I do charge for some of my services. Do you have a problem with that?

  34. Well-put, Ivan.

    Anyone who has been in this community for any length of time knows how much free information and advice you put out. This site is a prime example.

    To humbly ask for some advice is one thing, but to ask you to do all of the work to frame the question properly is asking too much.

    Thank you for everything you do to contribute to our geeky little community of network professionals.

  35. Sounds like Chris Jones.

  36. Ivan Pepelnjak, 04 April 2012, 13:37

    Don't even start!



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.