Hello, I'm about to configure the network environment for a school (150 students) by using VLAN. There are eight classrooms and they are all connected to a single 48-ports D-Link DES-3250TG switch. All computers belong to the 172.31.0.0/16 network. There is a M0n0wall firewall present as a gateway to the internet. There is a Win2003 server running AD and DNS for the computers. Since the school is an IT-school we have some clever students running Linux and they have a couple of times caused havoc with ARP-brodcast storms crippling the whole network. What I want to do is to create separate VLAN's for each classroom. I've created VLANS in the switch, assigned ports and each VLAN has access to the gateway and server ports. I have not subnetted anything. The problem is that there is no separation between the VLANs. Is that because of the firewall/router just passing the traffic along in the switch? How is the VLAN configuration most easily done? Do i need to create subnets in the VLANs like 172.31.1.0, 172.31.2.0 etc? Any tips are most welcome! Thanks.

Sounds like you didn't disable the default vlan. There should be no need to subnet ip if your vlans are working correctly. Vlans have nothing to do with routing unless this is a layer3 switch with vlan routing. Firewall/router is external to your lan so it doesn't come into play. Let's review your vlan setup. Classroom1 = vlan1 = deny all other vlans classroom2 = vlan2 = deny all other vlans Server port and gateway port have vlan 1 and 2. Are you ready for where Microsoft wants you to go today?

How do you not subnet? A vlan is just another way of saying a separate lan, how are you going to have 8 different LANs on the same subnet? Sounds to me like you need to do subnets, and if it is a layer 2 switch then you need to create subinterfaces on your router. The significant problems we have cannot be solved at the same level of thinking with which we created them.

"How do you not subnet?" and "how are you going to have 8 different LANs on the same subnet?" Easy. Let me tell you how. Yes you will have 8 different lans since each is a vlan unto itself [assuming you denied all other vlans on this vlan]. If you were going to route via vlans you would do vlan routing not ip routing. That is the whole idea. You don't want vlan1 seeing anything on vlan2 or visa versa. But you want them seeing the same servers and network resources like printers and internet gateway. But we have separate vlans. How are we going to do this? How you put this together is you put ALL the vlans on the ports connected to the server(s), printer(s) and gateway. Important to note: NO IP ROUTING REQUIRED Yet you have everyone in the same subnet but pcs on vlan1 can't communicate or see with pcs on vlan2 and visa versa. This is why you don't have to subnet with vlans. This is how you have 8 lans in one subnet. You can think of the difference between a vlan and ip as an old telephone operators board [you know, the one in old (black and white) movies where she says "one moment please while I connect you"] with lots of wires and sockets whereas ip are the people talking on the wires. Are you ready for where Microsoft wants you to go today?

You are making a big assumption that none of those devices will ever have to talk to one another on the different vlans . How do you put all the vlans onto a single printer . I have never heard of being able to trunk to a printer... The normal way is the way he suggested by subnetting /16 space into multiple /24's or whatever and use intervlan routing and if you want to control who goes where you would use ACL's to that. That way the devices can talk to each other if need be .

He would have to supply a little more info , like who is doing the routing or if he even has a device capable of doing routing . If he just has a firewall and a layer 2 switch then that becomes problematic unless the firewall itself can be setup to route the separate vlans and subnets ...

Thanks for all the replies, guys. Well It's true that I have the default VLAN still in place. I'm using static VLANs. The switch is a L2 switch. The M0n0wall (172.31.0.1) firewall doesn't have RIP or anything, I need to enter static routes, however this isn't used in production", only when there are some routing labs in a classroom with multiple subnets present. I have successfully set up 8 VLANs in a smaller Dlink switch but in a slightly different config. The goal of separating and blocking the traffic between VLANs was successful there. I will remove the default VLAN and I'll get back to you. Much appreciated!