

Joined on 12-12-2003
San Francisco, California, USA

Howdy folks,
I have a colleague who would like to partition an office network into several separate networks for security and management purposes. My understanding is that this can be accomplished with a switch that includes VLAN support.
My colleague tells me, however, that Cisco is saying that they need an upgraded Cisco router in order to create the number of VLANs they're looking at. This confuses me since I thought that the router didn't enter into creating the VLAN.
Can anyone help shed light on this subject for me? Can one create VLANs with just the right switch, or is the correct router also required?
Thanks,
Zac


Joined on 06-09-2003
Davenport, Iowa USA


If you want your data to travel between the VLANs, you will have to have a router or Layer 3 switch to move the data between the VLANs.
If you take your network that you want to segment and say you want 4 different segments, imagine four separate switches with the equipment for each segment plugged into their individual switch. There is not any way for the traffic to flow between the segments. Same thing with VLANs in a switch. You have just made the switch into separate switches for each VLAN without any way to get traffic between the segments.
To get the traffic between the segments you need a router with an Ethernet port for each segment. Or a router that supports VLAN trunking (tagging) where all the VLANs pass over a single 100 MB connection to the router and the router breaks the trunked VLAN into separate interfaces for each segment. (Cisco 4600 was the smallest that could do VLAN trunking several years ago.) This is sometimes referred to as a "one armed router".
Now if you don't need any traffic to go between the VLANs then you don't need the router. An example of this could be a 48 or 96 port switch that has a computer lab with 30 PCs, their own Internet connection, server and printer. You could build a VLAN with 33 ports for that lab and they would be completely isolated from the rest of your network. As soon as you want to access any of your "rest of the network" resources from the lab, you will need to route traffic there and possibly "firewall" your traffic also.
Dave
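
The "one armed router" arrangement described in the reply above, as an added example that is not part of the original thread: a Cisco IOS-style sketch with one 802.1Q trunk from the switch to the router, one router subinterface per VLAN, and an access list limiting what the lab VLAN may reach. The VLAN IDs, interface names, addresses, print-server host and ACL name are all constructed for illustration.

```cisco
! ----- Switch: two VLANs, one access port each, one trunk to the router -----
vlan 10
 name OFFICE
vlan 20
 name LAB
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
! Trunk port: carries both VLANs, tagged, over a single link to the router.
! (The encapsulation line is only needed on switches that also support ISL.)
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ----- Router: one physical port, one subinterface per VLAN -----
! Lab hosts may reach the office print server (constructed address) on
! LPD port 515 and nothing else in the office subnet.
ip access-list extended LAB-IN
 permit tcp 192.168.20.0 0.0.0.255 host 192.168.10.5 eq 515
 deny   ip any any log
!
interface FastEthernet0/0
 no ip address
 no shutdown
!
! Each subinterface strips/adds the 802.1Q tag for its VLAN and acts as
! that segment's default gateway.
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group LAB-IN in
```

Without the router section the two VLANs stay fully isolated; with it, the ACL on the lab subinterface is what keeps the segmentation meaningful once routing is enabled.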


Joined on 12-12-2003
San Francisco, California, USA

Thanks so much, that really clears it up for me.