Generic VLAN Design
Like every other blogger, I get occasional e-mails from people fishing for free consulting or a second opinion (note: asking a serious technical question is a totally different story; as many people know, I always try to reply and help). As I’m totally overloaded with the OpenFlow symposium and Net Field Day these days, I decided to share one of the better ones.
It all started pretty innocently:
I am happy to have found you, because I have a question about the number of VLANs in a small data center. We have about 300 PCs and about 100 servers connected to 2 Cisco Catalyst 4507R and we decided to design our infrastructure as a collapsed core (no distribution layer). How many VLANs do you recommend for us? Are more VLANs good or not?
Trying to be at least marginally helpful, I replied with some generic recipes:
No specific recommendations. Use a different VLAN for every security zone, use firewalls or L3 switches with packet filters between them; don't have more than ~100 hosts/subnet.
However, that was not what he was looking for:
Thanks for your attention, but I’m confused because we want to implement our new network with about 15 VLANs, but another guy gave us a design with about 70 VLANs. Which design is better? Is the 70-VLAN design very complicated or not? Which one do you prefer?
I could have used the “it looks like a donut to me” answer that Jeremy Stretch once used (replacing donuts with Mikado sticks), but I still tried to tell him that it’s impossible to make a recommendation with no input data. 70 VLANs for 100 servers does sound like overkill, but maybe they’re running a virtualized environment with 1000+ virtual machines and there’s a good reason for the numerous VLANs.
It’s totally impossible to tell you which design is better without having a detailed look at your requirements and a review of both designs, which would require a proper consultancy engagement.
... but all he needed was a simple answer:
As I said, this is a general question about VLAN planning. If we can set up a network, for example, with 15 VLANs and can also design the same network with 70 VLANs, which one is better?
What shall I reply?
A) Small is beautiful, go with 15 VLANs.
B) Bigger is better, use 70 VLANs.
C) More VLANs will definitely increase your job security.
D) It depends.
E) 42
F) All of the above.
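The generic recipe given above (one VLAN per security zone, packet filtering between zones, no more than ~100 hosts per subnet) is enough to turn “it depends” into arithmetic once the zones and their host counts are known. The following planner is an added example, not code from the original post or its comments; the zone names, the host counts per zone, the 10.10.0.0/22 supernet and the VLAN ID numbering are assumptions constructed for the illustration. It splits each zone into subnets that respect the host cap, picks the smallest prefix that fits, and carves aligned blocks out of the supernet, so the same 400 hosts yield six VLANs under the 100-host cap and four under a looser one.

```python
"""Derive a VLAN/subnet plan from security zones (constructed example).

Assumptions (not from the original post): zone names, host counts, the
10.10.0.0/22 supernet and the VLAN ID range are invented for illustration.
"""
import math
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List

MAX_HOSTS_PER_SUBNET = 100  # the post's rule of thumb


@dataclass
class Zone:
    name: str   # security zone; each zone gets its own VLAN(s)
    hosts: int  # hosts expected in this zone


# Constructed sample input: the 300 PCs and 100 servers from the question,
# split into hypothetical security zones.
ZONES = [
    Zone("users", 300),
    Zone("app-servers", 60),
    Zone("db-servers", 40),
    Zone("management", 20),
]


def prefix_for(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable address count covers `hosts`."""
    if hosts > (1 << 31):
        raise ValueError("host count exceeds IPv4 address space")
    prefix = 30  # /30 is the smallest subnet with usable host addresses
    while (1 << (32 - prefix)) - 2 < hosts:
        prefix -= 1
    return prefix


def plan(zones: List[Zone], supernet: str,
         max_hosts: int = MAX_HOSTS_PER_SUBNET,
         first_vlan: int = 100) -> List[Dict]:
    """Split every zone into subnets of at most `max_hosts` hosts and carve
    them out of `supernet`. Returns one dict per VLAN, ordered by VLAN ID."""
    net = IPv4Network(supernet)
    requests: List[Dict] = []
    vlan = first_vlan
    for zone in zones:
        pieces = max(1, math.ceil(zone.hosts / max_hosts))
        per_piece = math.ceil(zone.hosts / pieces)
        for i in range(1, pieces + 1):
            label = zone.name if pieces == 1 else f"{zone.name}-{i}"
            requests.append({"zone": label, "vlan": vlan,
                             "hosts": per_piece,
                             "prefix": prefix_for(per_piece)})
            vlan += 1

    # Allocate largest blocks first: with non-increasing power-of-two sizes
    # every block starts on a boundary that is a multiple of its own size,
    # so no alignment bookkeeping is needed.
    cursor = int(net.network_address)
    limit = int(net.broadcast_address) + 1
    for req in sorted(requests, key=lambda r: (r["prefix"], r["vlan"])):
        size = 1 << (32 - req["prefix"])
        if cursor + size > limit:
            raise ValueError(f"{supernet} too small: ran out at {req['zone']}")
        req["subnet"] = str(IPv4Network((cursor, req["prefix"])))
        cursor += size
    return sorted(requests, key=lambda r: r["vlan"])


def summarize(rows: List[Dict]) -> Dict[str, int]:
    """Number of VLANs and total addresses consumed by a plan."""
    return {"vlans": len(rows),
            "addresses": sum(1 << (32 - r["prefix"]) for r in rows)}


if __name__ == "__main__":
    for cap in (MAX_HOSTS_PER_SUBNET, 1000):
        rows = plan(ZONES, "10.10.0.0/22", max_hosts=cap)
        print(f"max {cap} hosts/subnet -> {summarize(rows)}")
        for r in rows:
            print(f"  VLAN {r['vlan']:<4} {r['subnet']:<18} "
                  f"{r['zone']:<14} {r['hosts']} hosts")
```

Feeding the same zones through with a different host cap changes the VLAN count but not the zone boundaries, which is the part that actually carries the security argument: the filtering between zones exists regardless of how many subnets a large zone is chopped into.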
* Cars generally have 4 wheels.
* Trucks often have upwards of 18 wheels.
* Having only 4 wheels gives you less tires to change but you wouldn't build a semi-trailer with just 4 wheels.
"Small is beautiful, go with 15 VLANs but then again, bigger is better so use 70 VLANs. More VLANs will definitely increase your job security so it really depends. 42 would be best."
Whatever you choose, we want a follow-up post!! haha
70 - 15 overlay VLANs = 55 Q-in-Q inside VLANs needed
(5 * 3) + (10 * 4) = 55
That way you can answer yes to both of his solutions.
Nevertheless, I think you could have skipped this one (post). But hey, it's your blog; posts are not always just for the readers, and guess what, I (a reader) read it from top to bottom and had some fun.
So here's my 2 cents: reply with:
Search and replace VLANs, servers, switches with "chickens, rabbits and chick peas". Can't really tell you how many chick peas you need for the rabbits, nor whether the rabbits can dance with more than one chicken.
My cheapo answer - flatten it out and put it all on one 10Base-T HUB. LOL.
Kidding, couldn't help myself here :-)
Or 42...
Great article!
Even though this post is specifically about you being irked by people asking for design advice for free... I just have to ask: are we really still limiting a segment to 100 hosts? Have I taken bad advice from the Cisco/VMware VCE design team in planning an upgrade from /25s to /22s? So sorry if this post is offensive given the original topic.
/22 is not bad, but I try to be on the safe side. If I don't have to have big subnets, I try to avoid them.
Remember that one subnet = one security zone (unless you have VM-level firewall like VSG or vShield App). If you have 1000 hosts in one security zone, then /22 might fit the bill, otherwise it's a waste of addresses.
Makes sense?
Ivan
The answer is E + 0.5. The median of 15 and 70 is 42.5.
42.5 VLANs
By the way, we have a similar environment (about 100 physical servers (lots of VMs) and 300 desktops) and we run about 35 VLANs. Of course, that is based on our needs and security zones.... :-)
People actually used to help each other on the internet. Did you ever ask questions during your career? Do you feel bad for not paying for replies? Can I ridicule you for double standards?
You're too greedy and elitist for a network plumber.
Omar
* I have no problem if you criticize me, my work, or my opinions, but do have the guts to use your name. Otherwise you're just one of many trolls out there.
* If you were interested in my work beyond writing a snarky comment, you'd know how many questions I answer in public.
* You have no idea how many additional questions I answer via e-mail.
* You also have no idea how many e-mails I get where it's clearly obvious that people are trying to get me to do their job for free. I even answer many of them if it's obvious that the person asking the question did at least the basic research.
* I publish a few articles each week that one or two people find somewhat useful. What have you contributed to other network plumbers so far?
* Anyone who writes technical articles can probably appreciate how much time is spent writing them. Do your math.
Finally, yes, I do charge for some of my services. Do you have a problem with that?
Anyone who has been in this community for any length of time knows how much free information and advice you put out. This site is a prime example.
To humbly ask for some advice is one thing, but to ask you to do all of the work to frame the question properly is asking too much.
Thank you for everything you do to contribute to our geeky little community of network professionals.