Generic VLAN Design

Like every other blogger, I get occasional e-mails from people fishing for free consulting or second opinion (note: asking a serious technical question is a totally different story; as many people know, I always try to reply and help) and as I’m totally overloaded with OpenFlow symposium and Net Field Day these days, I decided to share one of the better ones.

It all started pretty innocently:

I am happy to find you, because I have a question about the number of VLANs in a small data center. We have about 300 PCs and about 100 servers connected to 2 Cisco Catalyst 4507R and we decided to design our infrastructure as a collapsed core (no distribution layer). How many VLANs do you recommend for us? Are more VLANs good or not?

Trying to be at least marginally helpful, I replied with some generic recipes:

No specific recommendations. Use a different VLAN for every security zone, use firewalls or L3 switches with packet filters between them; don't have more than ~100 hosts/subnet.

However, that was not what he was looking for:

Thanks for your attention, but I’m confused because we want to implement our new network with about 15 VLANs, but another guy gave us a design with about 70 VLANs. Which design is better? Is a 70-VLAN design very complicated or not? Which one do you prefer?

I could have used the “it looks like a donut to me” answer that Jeremy Stretch once used (replacing donuts with Mikado Sticks), but I still tried to tell him that it’s impossible to make a recommendation based on no input data. 70 VLANs for 100 servers does sound like overkill, but maybe they’re running a virtualized environment with 1000+ virtual machines and there’s a good reason for numerous VLANs.

It’s totally impossible to tell you which design is better without having a detailed look into what your requirements are and the review of both designs, which would require a proper consultancy engagement.

... but all he needed was a simple answer:

As I said, this is a general question about VLAN planning. If we can set up a network for example with 15 VLANs and can also design the same network with 70 VLANs, which one is better?

What shall I reply?

A) Small is beautiful, go with 15 VLANs.

B) Bigger is better, use 70 VLANs.

C) More VLANs will definitely increase your job security.

D) It depends.

E) 42

F) All of the above.

39 comments:

  1. My vote goes for (E)! :D
  2. I would go back to him and say:

    * Cars generally have 4 wheels.
    * Trucks often have upwards of 18 wheels.
    * Having only 4 wheels gives you less tires to change but you wouldn't build a semi-trailer with just 4 wheels.
  3. D) Sure, if you don't know the network requirements, you can't give advice about how many VLANs are needed in my network.
  4. I would go for C as a reply :-)
  5. And this guy is designing this (or any other) network? God dammit ...
  6. I think you should reply 42. After all it is the answer to the meaning of life, the universe and everything.
  7. F) All of the above.

    "Small is beautiful, go with 15 VLANs but then again, bigger is better so use 70 VLANs. More VLANs will definitely increase your job security so it really depends. 42 would be best."
    Whatever you choose we want a follow up post!! haha
  8. I would go with F! Beautiful questions deserve equally beautiful answers!
  9. G) I'll answer the question if you help me out with this: I have a friendly couple who are going to have a baby soon, should I buy something pink or blue for the baby shower?
  10. I'd say zero vlans to go flat....real flat. Also, all users should be domain admins and be given root and enable passwords to the environment for extra redundancy.
  11. I think you should reply to use 15 base vlans and then encapsulate an additional 3 q-in-q vlans in 5 of those and 4 in the remaining 10 that way you have both 15 and 70 vlans.

    70 - 15 overlay vlans = 55 needed q-in-q inside vlans
    (5 * 3) + (10 * 4) = 55

    That way you can answer yes to both of his solutions
    Replies
    1. Haha, that's so mean... He can't even figure out standard .1Q
  12. Most assuredly E but make sure that's ALL that's in your e-mail.
  13. I would have said to implement 1 vlan per user. That way, if you have a vlan problem, it's really easy to narrow it down the device.
  14. I got the fun part of the blog post... yes I gave it a good smile and I honestly understand your point.

    Nevertheless I think you could have skipped this one (post). But hey it's your blog, posts are not always just for the readers, and guess what I (reader) read it from top to bottom and I had some fun.

    So here's my 2 cents reply with:

    Search and Replace VLANs, servers, switches with "chickens, rabbits and chick peas". Can't really tell you how many chick peas you need for the rabbits nor if the rabbits can dance with more than one chicken.
  15. I loved answer E - 42 and Brian Raaen's QinQ one. Excellent....
    My cheapo answer - flatten it out and put it all on one 10Base-T HUB. LOL.
  16. 42 is always the right answer
  17. Seconded! Though I wouldn't be surprised if the answer would be: 'Why 42?'
  18. Use EEM scripting to add and remove vlans as needed. Dynamically.
  19. Ivan, I recommend option G) Use VXLANs instead of VLANs...

    Kidding, couldn't help myself here :-)
  20. Quit networking?

    Or 42...
  21. And you could reply "Because it's the truncated arithmetic mean of 15 and 70. It's the fundamental networking design principle..." :-D
    Great article!
  22. A) Small is beautiful, go with 15 VLANs.
  23. Ivan,

    Even though this post is specifically about you being irked by people asking for design advice for free...I just have to ask - are we really still just limiting 100 hosts to a segment? Have I taken bad advice from the Cisco/VMWare VCE design team in planning upgrading from /25s to /22s? So sorry if this post is offensive because of the original topic.
  24. Obviously 13 Vlans.
  25. “it looks like a donut to me” - LOL
  26. Will, it's actually about people asking me to do their job for free. Asking for a specific advice after you did your homework is perfectly fine. Has always been and will always be.

    /22 is not bad, but I try to be on the safe side. If I don't have to have big subnets, I try to avoid them.

    Remember that one subnet = one security zone (unless you have VM-level firewall like VSG or vShield App). If you have 1000 hosts in one security zone, then /22 might fit the bill, otherwise it's a waste of addresses.

    Makes sense?
    Ivan
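As an added example (not part of the post or its comments), the planner below applies the two rules of thumb stated above, one VLAN per security zone and no more than ~100 hosts per subnet, and reports the addresses a too-large prefix would waste; the zone names and host counts are constructed assumptions.

```python
import math

MAX_HOSTS_PER_SUBNET = 100  # rule of thumb from the post: ~100 hosts per subnet


def prefix_for(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable host count (2^n - 2) fits `hosts`."""
    for host_bits in range(2, 31):  # /30 up to /2
        if (1 << host_bits) - 2 >= hosts:
            return 32 - host_bits
    raise ValueError("too many hosts for a single IPv4 subnet")


def wasted_addresses(hosts: int, prefix_len: int) -> int:
    """Usable addresses in a /prefix_len that `hosts` endpoints leave unused."""
    usable = (1 << (32 - prefix_len)) - 2
    if usable < hosts:
        raise ValueError(f"/{prefix_len} cannot hold {hosts} hosts")
    return usable - hosts


def plan_vlans(zones: dict, max_hosts: int = MAX_HOSTS_PER_SUBNET) -> list:
    """One entry (vlan_name, hosts, prefix_len) per VLAN/subnet.

    Every security zone gets its own VLAN; a zone larger than `max_hosts`
    is split into ceil(hosts / max_hosts) subnets of roughly equal size,
    each sized with the smallest prefix that still fits.
    """
    plan = []
    for zone, hosts in zones.items():
        subnets = max(1, math.ceil(hosts / max_hosts))
        per_subnet = math.ceil(hosts / subnets)
        for i in range(subnets):
            name = f"{zone}-{i + 1}" if subnets > 1 else zone
            plan.append((name, per_subnet, prefix_for(per_subnet)))
    return plan


if __name__ == "__main__":
    # Constructed zones roughly matching the question in the post:
    # 300 user PCs and 100 servers, assumed to be two security zones.
    zones = {"users": 300, "servers": 100}
    for name, hosts, plen in plan_vlans(zones):
        print(f"{name:10s} {hosts:4d} hosts  /{plen}  "
              f"({wasted_addresses(hosts, plen)} addresses spare)")
    print("VLANs needed:", len(plan_vlans(zones)))
```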
  27. I think we should paint the bike shed orange.
  28. For the answer with the most wisdom I will turn to Solomon and say split the baby.

    The answer is E .. + .5. The median of 15 and 70 is 42.5.

    42.5 VLANs
  29. I think we have a winner
  30. I think you should just point him to this post (which he has probably seen already anyway) and tell him to derive his answer from the collective wisdom of the group. If that doesn't work, send him an invoice for a few hours consulting and see if he pays it, then help out. Or, send him to a recruiter and recommend he hire a network guy.

    By the way, we have a similar environment (about 100 physical servers (lots of VM) and 300 desktops) and we run about 35 vlans. Of course, that is based on our needs and security zones.... :-)
  31. I dunno. I think it's you who acted like an ass. You could simply ignore him yet you decided to troll and then make one more post for the blog which is a mere platform of your paid webinars.

    People actually used to help each other on the internet. Did you ever ask questions during your career? Do you feel bad for not paying for replies? Can I ridicule you for double standards?

    You're too greedy and elitist for a network plumber.
  32. Well, since you didn't offer "use OpenFlow" as an option, I would have to go with "42."

    Omar
  33. Dear Guest,

    * I have no problem if you criticize me, my work, or my opinions, but do have the guts to use your name. Otherwise you're just one of many trolls out there.
    * If you'd be interested in my work more than just to write a snarky comment, you'd know how many questions I answer in public.
    * You have no idea how many additional questions I answer via e-mail.
    * You also have no idea how many e-mails I get where it's clearly obvious that people are trying to get me to do their job for free. I even answer many of them if it's obvious that the person asking the question did at least the basic research.
    * I publish a few articles each week that one or two people find somewhat useful. What have you contributed to other network plumbers so far?
    * Anyone who writes technical articles can probably appreciate how much time is spent writing them. Do your math.

    Finally, yes, I do charge for some of my services. Do you have a problem with that?
  34. Well-put, Ivan.

    Anyone who has been in this community for any length of time knows how much free information and advice you put out. This site is a prime example.

    To humbly ask for some advice is one thing, but to ask you to do all of the work to frame the question properly is asking too much.

    Thank you for everything you do to contribute to our geeky little community of network professionals.
  35. Sounds like Chris Jones