Netgate Discussion Forum

    Changed netmask to /20 and now no internet

DHCP and DNS
    33 Posts 6 Posters 1.8k Views
zer0

@johnpoz:

If you give us some details we can help you try to organize your network better, vs. you just growing a larger and larger flat network. What happens when you get over 4k devices? Do you then move to a /19?

Thank you guys! I have sketched a network diagram as it stands today. Basically, all switches are acting as dumb switches at the moment. When we started small we just kept adding switches and plugging things into open ports.

      Any advice on how i should organise this would be greatly appreciated.

      Please see attached.

      ![LAN network2.jpg](/public/imported_attachments/1/LAN network2.jpg)

JKnott

        When we started small we just kept adding switches and plugging things into open ports.

        A suggestion, instead of chaining switches in that manner, choose one to be the root switch and connect the other switches to it.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

johnpoz LAYER 8 Global Moderator

What is the make of these managed switches, and what port density? You're going to need to get rid of those dumb switches unless you can leverage them all on the same network for all devices plugged into them.

What is the physical layout? Where are these switches? Do they sit in IDFs, are they all in the MDF, or are they sitting under some guy's desk?

And you have more dumb switches downstream. Just caught that. Wow, sounds like a real mess. You have your phones running on the same broadcast domain as all your other users and computers. Same as your wifi network even? You do understand all your broadcast traffic is going out over your wifi network, right? And it's shared bandwidth. So yeah, lots of noise on your wifi for no reason.

          That is part of the reason you don't just connect your wifi to a /20 ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

zer0

I agree it is a cluster f#@k of things.
I have 3x Linksys SRW2048 (48 ports, I know it's old but it works for me), 2x Cisco Catalyst 3750G (24 ports each), 1x HP ProCurve 1800-24G, 1x SMC GS24C SMRT (I mean SMART), and 3x 24-port dumb switches.
The downstream switches are used for connecting 8 computers/phones to a single CAT5E/CAT6 cable which is coming from the server room.
All the managed switches are sitting in the same room, mounted on a couple of different racks.

Derelict LAYER 8 Netgate

              If that is actually a representation of how you have those physically connected the first thing I would do is take one of the better managed switches and use it as a "core" switch and run out to each switch individually. In other words, don't daisy-chain switches since one failure takes down everything downstream of that.

              In order to segment that network you will either need to:

              1. Be satisfied with "geographic" segmentation with a different VLAN going to each edge switch untagged.

              2. Get managed switches everywhere.

              ETA: Missed JKnott's reply up there. Looks like there is agreement regarding the physical topology. :)

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

JKnott

The downstream switches are used for connecting 8 computers/phones to a single CAT5E/CAT6 cable which is coming from the server room.

                I came across something like that recently.  I was installing VoIP phones in an office.  There was a PoE switch, so it should be a simple matter to unplug the cable from a computer and plug it into the phone.  Yeah, right.  I often found a small switch hidden somewhere connecting multiple computers to 1 PoE port, which makes it impossible to power more than 1 phone.  Use of those small switches in a business environment should be discouraged, given the problems they might cause.  On that job, I even came across one switch where a cable was held in place by an elastic band, because the latch tab was broken off!

zer0

Let's look at 1 part of this entire network; if you can help me organise this, I think I can apply the same logic to the rest of the network. Please see the picture attached.
There is 1 CAT5e cable in the room that is coming from the secondary switch port #1; it terminates into a switch in the room on port #2. The rest of the ports on the switch in the room are connected to IP phones, desktop computers, and a photocopier/printer/scanner. All desktops and the printer/scanner need access to the file server and the VMs. IP phones only need to access the PBX VM.

How would you organise this network? Also, which of the switches do you think should be the "CORE" switch? I also have an Extreme Networks C5K175-24, which I forgot to mention above; it's just sitting around.

                  Thank you

                  ![LAN network_v2.jpg](/public/imported_attachments/1/LAN network_v2.jpg)

JKnott

                    Also which of the switches do you think should be the "CORE" switch?

That would depend on the switches you have.  I don't know how they compare, but generally you'd put the one with the best performance, e.g. 1 Gb vs. 100 Mb, as core.  You mentioned dumb switches; those would probably be best for connecting computers, etc. to.  Are some PoE?  Use them for phones.  VLANs will require managed switches.  These are the sorts of things to consider.  Regardless, ensure you set it up in a tree structure, with a "root" switch and other switches as branches.  Also, make sure you don't create loops, unless you're certain all the switches support spanning tree.

Derelict LAYER 8 Netgate

                      Also which of the switches do you think should be the "CORE" switch?

                      Certainly nothing wrong with a 3750G, other than being kind of old but who cares right? I have no experience with the rest.

                      But, honestly, if you are OK with a flat network that couldn't be firewalled in the first place, a layer 3 switch makes more sense. That way "closet" to "closet" traffic doesn't have to go through the firewall.

                      You will need to be careful regarding any apps/workflows that rely on broadcasts for discovery, etc.

zer0

                        Just curious if there is another way to reduce broadcast noise other than VLANs?

                        Thanx

johnpoz LAYER 8 Global Moderator

Tell your clients to do fewer broadcasts ;)  Windows loves broadcasting and multicasts. Noise creation monsters.

And out of the box, not only does it do it for IPv4, it does it on IPv6 as well, so even more noise. With some tweaking you can reduce some of the noise it puts out.

On your managed switches you can block, say, the multicast stuff if you're not using it, at the switch level, so it won't go past where your managed switches are.

JKnott

                            Just curious if there is another way to reduce broadcast noise other than VLANs?

                            Turn off the radio.  ;)

Move entirely to IPv6.  There'll be absolutely no broadcasts then.  IPv6 relies on multicasts, where the closest thing to a broadcast is an all-hosts multicast.  Beyond that, multicasts are only received by the intended audience and in one case, solicited-node multicast, only one device will receive it. Well, not exactly true.  There's a 1 in more than 16 million (2^24) chance that an unintended device will receive it.  As I mentioned earlier, the problem with broadcasts is not time on the wire, but that every device has to process them, whether wanted or not.  Multicasts greatly reduce or even eliminate that issue.  Beyond that, VLANs are what you need.

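The 1-in-2^24 figure in the post above comes straight from the address format: a host joins the solicited-node group ff02::1:ffXX:XXXX built from the low 24 bits of each of its unicast addresses, so a Neighbor Solicitation is only processed by hosts whose addresses happen to share those 24 bits. The following is an added example, not code from the thread, that computes the group, shows which hosts on a constructed link would process a solicitation versus an IPv4 ARP broadcast, and gives the per-link chance of an unintended listener. The host addresses are made up for the example; one of them is built to collide on purpose.

```python
"""Added example (not from the thread): why IPv6 neighbor discovery reaches
far fewer hosts than an IPv4 ARP broadcast, and where the 1-in-2^24 figure
in the post above comes from. The host addresses below are constructed."""
import ipaddress

# RFC 4291 section 2.7.1: ff02:0:0:0:0:1:ffXX:XXXX, XX:XXXX = low 24 bits of the unicast address
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group a host joins for one of its unicast addresses."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def nd_listeners(target: str, hosts: dict) -> list:
    """Hosts on the link whose NIC must accept a Neighbor Solicitation for `target`.
    `hosts` maps name -> unicast IPv6 address. A host listens on the solicited-node
    group of each of its own addresses, so only matching low-24-bit addresses hear it."""
    group = solicited_node(target)
    return sorted(name for name, ip in hosts.items() if solicited_node(ip) == group)


def arp_listeners(hosts: dict) -> list:
    """IPv4 contrast: an ARP request is a broadcast, so every host on the link processes it."""
    return sorted(hosts)


def unintended_listener_probability(hosts_on_link: int) -> float:
    """Chance that at least one *other* host shares the target's solicited-node group,
    assuming the low 24 bits are uniformly random (1 in 2^24 per other host)."""
    return 1.0 - (1.0 - 2.0 ** -24) ** (hosts_on_link - 1)


# Constructed sample link: 'charlie' deliberately shares alpha's low 24 bits (...:0:a1).
HOSTS = {
    "alpha":   "2001:db8:1::a1",
    "bravo":   "2001:db8:1::b2",
    "charlie": "2001:db8:2::beef:0:a1",
    "delta":   "fe80::1234:5678:9abc:def0",
}

if __name__ == "__main__":
    print(solicited_node(HOSTS["alpha"]))          # ff02::1:ff00:a1
    print(nd_listeners(HOSTS["alpha"], HOSTS))     # ['alpha', 'charlie']
    print(arp_listeners(HOSTS))                    # all four hosts
    print(f"{unintended_listener_probability(4096):.6f}")
```

On a /20 with a few thousand hosts the chance of a single stray listener stays in the ten-thousandths, and even then only that one extra host does the work; the ARP case always costs every host a receive and a decode.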
Gertjan

                              @JKnott:

                              Just curious if there is another way to reduce broadcast noise other than VLANs?

                              Turn off the radio.  ;)

                              Move entirely to IPv6.  ….

Yeah! I just tried that, deactivating IPv4 in the network card's properties.
Half of the devices on my local network, well, vanished (those without a dual stack)!

                              But, it works : I'm posting this reply using IPv6 only :)

                              Sorry for the out-of-subject.

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??

johnpoz LAYER 8 Global Moderator

"But, it works : I'm posting this reply using IPv6 only"

That's fantastic. Now go to any of the about a bajillion websites that are not IPv6 ;)

www.slashdot.org for example ;)

JKnott

                                  @johnpoz:

                                  "But, it works : I'm posting this reply using IPv6 only"

That's fantastic. Now go to any of the about a bajillion websites that are not IPv6 ;)

                                  www.slashdot.org for example ;)

My cell phone is IPv6 only.  It uses 464XLAT to access IPv4-only sites.  Some ISPs are doing the same for regular Internet access.  Others, such as Comcast, are moving customers to IPv6, providing IPv4 via carrier-grade NAT & a 4in6 tunnel.

                                  I use a browser add-in called "showip", which displays the web site address.  I'm seeing more & more sites with IPv6 addresses, including most of the biggies such as Google, Youtube, Wikipedia, Yahoo and many more.  Also, anyone running Windows HomeGroup networks is using IPv6.  The main things holding back IPv6 are ignorance and inertia.

johnpoz LAYER 8 Global Moderator

I agree many sites are IPv6. And OK, sure, some services like T-Mobile do a gateway to IPv4 addresses.

Does his ISP do that?  So you plan for him to go full IPv6; do his phones support that? Do his printers, do all the other devices on his network support IPv6 only?

You're the "IPv6 is better than sliced bread" guy around here; are you running your network as IPv6 only?

JKnott

You're the "IPv6 is better than sliced bread" guy around here; are you running your network as IPv6 only?

I'm running dual stack.  However, it is entirely possible to run IPv6 only, provided you have a mechanism, such as described, to provide IPv4 when absolutely needed.  Certainly things like local servers can be run entirely on IPv6.  I have a couple of computers here and traffic between them is always IPv6, unless I specify IPv4.

                                      And yes, IPv6 brings a lot of improvements, not just no broadcasts.

zer0

                                        @zer0:

Let's look at 1 part of this entire network; if you can help me organise this, I think I can apply the same logic to the rest of the network. Please see the picture attached.
There is 1 CAT5e cable in the room that is coming from the secondary switch port #1; it terminates into a switch in the room on port #2. The rest of the ports on the switch in the room are connected to IP phones, desktop computers, and a photocopier/printer/scanner. All desktops and the printer/scanner need access to the file server and the VMs. IP phones only need to access the PBX VM.

How would you organise this network? Also, which of the switches do you think should be the "CORE" switch? I also have an Extreme Networks C5K175-24, which I forgot to mention above; it's just sitting around.

                                        Thank you

I've never implemented VLANs :-[ so I wanted to run through this scenario, if you don't mind.

pfSense -------- Core Switch ------ Secondary Switch (port #1) ------ Room Switch (port #2)

Room Switch (port #3) ----------- Desktop1
Room Switch (port #4) ----------- Desktop2
Room Switch (port #5) ----------- IP Phone
Room Switch (port #6) ----------- Printer

This is how it works in my head; please feel free to correct me.
Steps:
1. Create 3 VLANs on the LAN interface in pfSense (101 = Desktops, 102 = IP Phones, 103 = Printers)
2. Configure the Core Switch port where pfSense is plugged in, as well as the port going to the Secondary Switch, as "Trunk"
3. Configure port #1 on the Secondary Switch as "Trunk"
4. Configure Room Switch port #2 as "Trunk"
5. Assign Room Switch ports #3 and #4 to VLAN ID 101 (Desktops)
6. Assign Room Switch port #5 to VLAN ID 102 (IP Phones)
7. Assign Room Switch port #6 to VLAN ID 103 (Printers)

Is that all that is required to put them on separate VLANs?
Any traffic between desktops and printers can then be controlled from pfSense.

                                        Thank you

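The seven steps above are the right shape, and the thing that usually goes wrong afterwards is a trunk somewhere on the path that was not told to carry one of the VLANs, or two ends of a trunk that disagree about the native (untagged) VLAN. The following is an added example, not part of the thread and not switch or pfSense configuration: a small model of the plan as posted, plus a check that walks from each room port up to pfSense and reports any hop that does not carry the port's VLAN tagged. Switch roles, port numbers and VLAN IDs 101/102/103 are taken from the post; the extra port p7 (a PC plugged into an IP phone, untagged on 101 with the phone tagged on 102, as JKnott describes in the next reply), the data model and the checks are this example's own assumptions.

```python
"""Added example (not from the thread): a model of the trunk/access plan in
the post above, with a check that every VLAN assigned to a room port is
carried, tagged, along the whole path to pfSense. Switch roles, port numbers
and VLAN IDs 101/102/103 are taken from the post; port p7 (a PC behind an IP
phone), the data model and the checks are assumptions of this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    untagged: Optional[int] = None    # native/access VLAN: frames leave without a tag
    tagged: frozenset = frozenset()   # VLANs carried with an 802.1Q tag

    def carries(self, vlan: int) -> bool:
        return vlan == self.untagged or vlan in self.tagged


def access(vlan: int) -> Port:
    return Port(untagged=vlan)


def trunk(*vlans: int, native: Optional[int] = None) -> Port:
    return Port(untagged=native, tagged=frozenset(vlans))


# Uplink of each switch: (own uplink port, parent device, parent's downlink port).
# pfSense is the root; its LAN parent interface carries the VLAN 101/102/103 sub-interfaces.
UPLINKS = {
    "room":      ("p2",        "secondary", "p1"),
    "secondary": ("uplink",    "core",      "p-secondary"),
    "core":      ("p-pfsense", "pfsense",   "lan"),
}


def planned_ports() -> Dict[Tuple[str, str], Port]:
    """The plan as posted: trunks on every inter-switch link, access ports in the room."""
    t = trunk(101, 102, 103)   # in this model trunks carry tagged frames only (no native VLAN)
    return {
        ("pfsense", "lan"): t, ("core", "p-pfsense"): t, ("core", "p-secondary"): t,
        ("secondary", "uplink"): t, ("secondary", "p1"): t, ("room", "p2"): t,
        ("room", "p3"): access(101), ("room", "p4"): access(101),   # desktops
        ("room", "p5"): access(102),                                # IP phone
        ("room", "p6"): access(103),                                # printer
        ("room", "p7"): trunk(102, native=101),   # assumed: PC untagged on 101 behind a phone tagged 102
    }


def path_problems(ports, switch: str, port: str, vlan: int) -> List[str]:
    """Walk from a room port up to pfSense and list every hop that breaks VLAN `vlan`."""
    problems = []
    if not ports[(switch, port)].carries(vlan):
        problems.append(f"{switch}/{port} is not in VLAN {vlan}")
    node = switch
    while node in UPLINKS:
        up, parent, down = UPLINKS[node]
        a, b = ports[(node, up)], ports[(parent, down)]
        if a.untagged != b.untagged:   # classic trunk mistake: native VLAN differs at the two ends
            problems.append(f"native VLAN mismatch {node}/{up}={a.untagged} vs {parent}/{down}={b.untagged}")
        for name, p in ((f"{node}/{up}", a), (f"{parent}/{down}", b)):
            if not p.carries(vlan):
                problems.append(f"{name} does not carry VLAN {vlan}")
        node = parent
    # pfSense VLAN sub-interfaces only see tagged frames; a native VLAN lands on the parent LAN interface
    if vlan not in ports[("pfsense", "lan")].tagged:
        problems.append(f"VLAN {vlan} arrives at pfSense untagged or not at all")
    return problems


def verify(ports) -> Dict[Tuple[str, int], List[str]]:
    """Check every VLAN on every room edge port; returns only the failures."""
    failures = {}
    for (sw, pt), cfg in ports.items():
        if sw != "room" or pt == "p2":   # p2 is the room switch uplink, not an edge port
            continue
        vlans = ([cfg.untagged] if cfg.untagged is not None else []) + sorted(cfg.tagged)
        for vlan in vlans:
            probs = path_problems(ports, sw, pt, vlan)
            if probs:
                failures[(pt, vlan)] = probs
    return failures


def forgotten_vlan_plan():
    """Same plan, but VLAN 103 was left off the room switch uplink trunk."""
    ports = planned_ports()
    ports[("room", "p2")] = trunk(101, 102)
    return ports


if __name__ == "__main__":
    print("as planned:", verify(planned_ports()))
    print("p2 without 103:", verify(forgotten_vlan_plan()))
```

The second run shows the failure mode worth remembering: every step in the list was done, yet the printer on port #6 has no path to pfSense because one trunk was allowed only 101 and 102. The native-VLAN check covers the other common mistake, where a trunk's untagged VLAN differs between the two ends of a link and frames silently cross VLANs.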
JKnott

Why are the printers on a separate VLAN from the desktops?  Since they'll generally be used by the desktop systems, there's not much point in keeping them separate.  Also, since you're using VLANs, you don't need separate ports for computers and phones.  Common practice is to pass the computer connection through the phone.  The phone is configured for its VLAN and the computer, the native LAN.  This requires the switch port to be configured as a trunk port with the native LAN and phone VLAN on it.  However, if you're using Cisco phones with a Cisco switch, you'd just configure an access port and use CDP to detect the phone and connect the appropriate VLAN to it.

johnpoz LAYER 8 Global Moderator

Printers are almost ALWAYS on their own VLAN. For starters, in any secure enterprise desktops are on a private VLAN and cannot talk to each other.  So putting printers on such a VLAN would prevent users from printing to them ;)

Putting them on their own VLAN also normally limits the print servers as the only things that can talk to the printer; this prevents users from directly printing to the printers and bypassing any accounting or security print features that might be enabled via the server, etc.

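Once the VLANs exist, the policy johnpoz describes is enforced in pfSense firewall rules, and pfSense applies rules on the interface where traffic enters, first match wins, with an implicit deny at the end. The following is an added example, not pfSense code or configuration and not part of the thread: a small model of that evaluation order, loaded with a rule set that lets desktops reach the file server and the print server but not the printers, lets only the print server reach the printers, and lets phones reach only the PBX VM. The subnets, server addresses and ports are assumptions made for the example.

```python
"""Added example (not pfSense code or configuration): a model of
per-interface, first-match, default-deny rules, the way pfSense evaluates
rules on the interface where traffic enters, used to check the policy in the
post above: only the print server talks to the printers, desktops print
through the print server, and phones reach only the PBX. The subnets,
server addresses and ports are assumptions for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: str                         # CIDR
    dst: str                         # CIDR
    proto: str = "any"               # "tcp", "udp" or "any"
    dports: frozenset = frozenset()  # empty means any destination port
    note: str = ""

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (not self.dports or f.dport in self.dports))


# Assumed addressing: one /24 per VLAN; file server, print server and PBX VM on a servers VLAN.
NETS = {"servers": "10.1.0.0/24", "desktops": "10.1.1.0/24",
        "phones": "10.1.2.0/24", "printers": "10.1.3.0/24"}
FILE_SERVER, PRINT_SERVER, PBX = "10.1.0.10/32", "10.1.0.20/32", "10.1.0.30/32"

# Rules per ingress interface, in order. Anything not matched is blocked.
RULES: Dict[str, List[Rule]] = {
    "desktops": [
        Rule("pass", NETS["desktops"], FILE_SERVER, "tcp", frozenset({445}), "SMB to file server"),
        Rule("pass", NETS["desktops"], PRINT_SERVER, "tcp", frozenset({445, 631}), "print via the print server"),
        Rule("block", NETS["desktops"], "10.0.0.0/8", note="no other internal traffic, printers included"),
        Rule("pass", NETS["desktops"], "0.0.0.0/0", note="internet"),
    ],
    "phones": [Rule("pass", NETS["phones"], PBX, note="SIP/RTP to the PBX VM only")],
    "servers": [Rule("pass", PRINT_SERVER, NETS["printers"], "tcp", frozenset({631, 9100}),
                     "only the print server reaches the printers")],
    "printers": [],  # printers initiate nothing; replies to the print server ride the existing state
}


def ingress_interface(src: str) -> Optional[str]:
    ip = ipaddress.ip_address(src)
    for name, net in NETS.items():
        if ip in ipaddress.ip_network(net):
            return name
    return None


def evaluate(f: Flow) -> Tuple[str, str]:
    """First matching rule on the ingress interface wins; no match means block."""
    iface = ingress_interface(f.src)
    for rule in RULES.get(iface, []):
        if rule.matches(f):
            return rule.action, rule.note
    return "block", f"default deny on {iface}"


if __name__ == "__main__":
    for flow in (Flow("10.1.1.15", "10.1.3.7", "tcp", 9100),    # desktop straight to a printer
                 Flow("10.1.1.15", "10.1.0.20", "tcp", 445),    # desktop to the print server
                 Flow("10.1.0.20", "10.1.3.7", "tcp", 9100),    # print server to a printer
                 Flow("10.1.3.7", "10.1.1.15", "tcp", 445),     # printer poking a desktop
                 Flow("10.1.2.9", "10.1.0.30", "udp", 5060)):   # phone to the PBX
        print(flow, "->", evaluate(flow))
```

Two details carry over to the real firewall. The "block 10.0.0.0/8" rule on the desktops interface has to sit above the "pass to internet" rule, otherwise the any-destination pass matches first and the printers are reachable again. And the printers interface is left empty on purpose: pfSense is stateful, so the printer's replies to the print server match the state created by the servers-interface rule and need no rule of their own, while anything a printer starts by itself is dropped.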
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.