Disclaimer: When we talk about VLANs, I know the technology and theory, but I've never set one up. In other words, we're at the far edge of my understanding of networks. I'm not sure that VLANs are what you really will end up with anyway, but if you really do come to realize you need them, you'd be prudent to find yourself a networking consultant that does this for a living. That said, I'll offer some ideas that are sure to be worth at least what you paid for them.
I wasn't sure what Netgear does in their managed switches, so I downloaded the user's guide to the GSM7224 (Beta 3 software). It is a Layer 2 capable managed switch. Layer 2 and Layer 3 switches are capable of delivering data for multiple logical (i.e., virtual) networks on the same physical ports and backplane. I couldn't figure out a way to explain this without a picture, so I attached one.
First off, there's really no way that I know of to reduce the average network traffic that any given machine sees without introducing some form of isolation between groups of machines. This can be done either logically (smart switches and routers) or physically (routers and relocating equipment such that machines that converse a lot are on the same "wire"). I'll get into that in a bit. What I typically see, and what I show in the picture, is three different networks: 192.168.1.x, 192.168.4.x, and 192.168.33.x. (The network numbers are arbitrary.)
For network (192.168.) 33, there are machines in three different buildings, but I would like it to appear as if they were all on the same switch. Maybe these are all Windows PCs and the domain and file server is the 192.168.33.2 machine in Building 100. Let's say these are my CAD workstations and the design group works with large files that are kept on the file server. (They design my products great, but their backup habits are atrocious, so I back up the file server with both redundant disks and tape backup that is shuttled offsite daily.) Since sharing files generates a lot of traffic, it would be nice to isolate that from the rest of the network.
I especially want to keep that traffic away from network 1, which I'll say consists of my web server, DB server, data warehouse server, and a couple app servers. It's how I sell my stuff and conduct day-to-day business. The servers also happen to be spread across the three buildings. (In practice, I'd work really hard to get those in one building or even one room, but for the sake of discussion and office politics being what they are ....) It's pretty normal for all of the servers to use the DB server. It would be nice to get that traffic away from the CAD group's Windows machines as well as the Windows traffic from the server machines.
The final network, network 4, is my office network for accounts payable, the CEO, and the like. They've been known to make some interesting, but gloriously inept choices in downloading Divx movies, video teleconferencing between the buildings using their desktops, and such. These people really ought to be kept away from computers in general, but at least away from the CAD group's machines and the server machines (other than access to the apps and web site, which will be carefully controlled).
By introducing these networks, I've cut down on the amount of traffic different segments of the network will see. The enterprise servers don't see the Windows crap the design guys are generating, the Windows machines data traffic isn't contending with the DB server queries and responses, and Chuckie in accounting (a.k.a., Mr. Kazaa) is kept away from everything important.
Okay. So now the question is what role does the managed Layer 2 switch play? What an L2 switch enables is a couple of things. First, traffic from different logical, virtual networks can be sent through the same physical wire/fiber. (One Layer 2 switch by itself really doesn't let you take advantage of this, as we'll get into later.) Secondly, the L2 switch will look at the network address portion of the traffic arriving at any port and decide which (if any) of the other ports it will send the traffic out on. It may not need to send it out on any if it knows that the sender and receiver are on the same port. Conversely, it may need to deliver the data to more than one port. In the picture, if the 192.168.33.2 machine in bldg 100 broadcasts a network message to the entire 33 network, the L2 switch will deliver it to both the port heading to the 300 bldg and the port heading to the 750 bldg. If the message is intended just for the 192.168.33.15 machine, the switch really only needs to send it to the port that goes to bldg 750. I believe some L2 switches will discover this mapping over time and others have to be explicitly configured. In this way, the L2 switch cuts down on some of the traffic within the VLAN. It's still best to have machines that have large amounts of traffic among them on the same physical LAN, but VLANs make this work. The ports that only have machines with 192.168.1.x and 192.168.4.x hosts on them will never see any of this traffic. (The dashed lines in the L2 switch on the diagram represent a notional connection of the ports inside the switch.)
On the flip side, what can't the L2 switch do? Well, for starters, it's designed to keep traffic from different networks from interfering with or seeing one another even across the same physical wire. For example, if I put a second L2 switch in bldg 750, I can run a single very-high-speed channel between the two buildings (rather than the three fiber links to three switches as shown). Traffic for all three networks is present on that one physical medium, but the switches are multiplexing/de-multiplexing it on either side and deliver traffic only to the other ports on the same virtual network that need it. This sounds great, right!? Well, what about the access to the apps servers from the sales guys who need to see how many widgets we have in stock? They're on network 4 and the apps / database servers are on 33. The L2 switch will never send traffic from one virtual network to another. How about anyone and everyone in the company browsing the Internet? Same story.
In order for these things to occur, you need a router. I've added a router with multiple Ethernet interfaces in one chassis on the diagram (because it fit, mostly). This would be a sophisticated router where each port can be configured to be a different network. You'd need at least four configurable/routable Ethernet ports for the three internal networks and one going to the Internet. These tend to be pretty pricey though, so you may opt to daisy chain several cheaper SOHO routers. The first router daisy chains to three other routers, one for each network. The WAN side of those three routers (and the one from the Internet) form yet another network. (Let's say 192.168.0.x.) It would look like:
Code:
                                                +-(192.168.0.2)--Router network 192.168.1.x
                                                |
    Internet----Firewall router (192.168.0.1)---+-(192.168.0.3)--Router network 192.168.4.x
                                                |
                                                +-(192.168.0.4)--Router network 192.168.33.x
You'd need to add some static routes to the Firewall router to let it know how/where to send data coming from one internal network to another internal network. Be sure to get a router that lets you do that. (Personally, I'd do this by using a Linux box with 4 network cards in it. The routing capabilities in Linux are really very nice. But there's that whole Linux learning curve thing.)
Could you keep everything on one network and use just the L2 switch and avoid this whole router thing? Well, you'd still need some (small) router to get to the Internet, but otherwise, it's possible. If you did this, would you gain anything? If your switch is smart enough on its port management and if you relocate machines that exchange a lot of traffic with each other to be on the same L2 Switch port, you could cut down the overall network traffic. Of course, relocating machines is probably just what you were hoping to avoid. And when the topography changes in the future, you'd be forced to move them again. Another stickler is the Windows traffic. While it's gotten better, Windows still likes to generate a pathetic amount of traffic. Don't ever let a shared printer get turned off or run out of paper.
Where I would expect to see you headed is one or more internal networks feeding through the L2 switch into some sort of router or set of routers. The router takes care of routing messages from the Internet to the internal networks and from one internal network to another and hands the traffic back to the L2 switch. The L2 switch decides which port or ports the rerouted traffic has to be delivered to. With some careful planning on what machines make up an internal LAN and passing it through the L2 switch to "virtualize" and minimize the destination ports, you should be able to reduce the overall traffic significantly. As your network reshapes itself over time, as they all do, you just add or move virtual/logical segments from one port to another. It should be pretty flexible. Quite frankly though, if this were my network, I'd still rent a real networking consultant for at least a day to do a sanity check on what I was thinking if nothing else. Networking 70 PCs isn't your Dad's home network. You're starting to move over into the realm of a "real" network where you have to start considering cable lengths, repeaters, and such (but if you're running fiber maybe you've got that under control).
I'm going to bed now.
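The two mechanisms the post describes, the L2 switch that learns which port each host sits behind and floods only within a VLAN, and the firewall router that needs static routes to send traffic between the internal networks, can be modelled in a few dozen lines. The following is an added example written for this page, not the poster's configuration or anything from the GSM7224 manual; the port names, VLAN ids (1, 4, 33 for the three networks), MAC addresses and the `office-only` port are constructed for illustration, and the router's next-hop addresses follow the daisy-chain diagram above.

```python
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Learning Layer 2 switch with VLAN-aware ports.

    port_vlans maps a port name to the set of VLAN ids that port carries. A link
    that carries several VLANs over one cable (the single high-speed channel
    between buildings in the post) is simply a port with more than one id.
    """

    def __init__(self, port_vlans):
        self.port_vlans = port_vlans
        # Learned mapping of (vlan, source MAC) -> port, filled in as frames arrive.
        self.mac_table = {}

    def forward(self, in_port, vlan, src_mac, dst_mac):
        """Return the sorted list of ports a frame is sent out on."""
        if vlan not in self.port_vlans[in_port]:
            return []  # tagged for a VLAN this port does not carry: dropped
        # Learn where the sender lives in this VLAN.
        self.mac_table[(vlan, src_mac)] = in_port
        if dst_mac != BROADCAST:
            known = self.mac_table.get((vlan, dst_mac))
            if known is not None:
                # Sender and receiver behind the same port: nothing to forward.
                return [] if known == in_port else [known]
        # Broadcast, or unicast to a not-yet-learned address: flood,
        # but only to the other ports that are members of this VLAN.
        return sorted(p for p, vlans in self.port_vlans.items()
                      if vlan in vlans and p != in_port)


class StaticRouter:
    """Router holding static routes; the most specific matching route wins."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(net), hop) for net, hop in routes]

    def next_hop(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net.prefixlen, hop) for net, hop in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0])[1]


def build_switch():
    # Constructed port layout: the three building uplinks, the router port,
    # and one port that has only network-4 office machines behind it.
    return VlanSwitch({
        "bldg100": {1, 4, 33},
        "bldg300": {1, 4, 33},
        "bldg750": {1, 33},
        "office-only": {4},
        "router": {1, 4, 33},
    })


def build_router():
    # Static routes for the firewall router in the daisy-chain diagram;
    # the default route stands in for the Internet-facing interface.
    return StaticRouter([
        ("192.168.1.0/24", "192.168.0.2"),
        ("192.168.4.0/24", "192.168.0.3"),
        ("192.168.33.0/24", "192.168.0.4"),
        ("0.0.0.0/0", "ISP uplink"),
    ])


if __name__ == "__main__":
    sw = build_switch()
    srv, cad = "00:33:00:00:00:02", "00:33:00:00:00:0f"  # constructed MACs
    print("33.2 broadcast  ->", sw.forward("bldg100", 33, srv, BROADCAST))
    print("33.15 -> 33.2   ->", sw.forward("bldg750", 33, cad, srv))
    print("33.2 -> 33.15   ->", sw.forward("bldg100", 33, srv, cad))
    print("office port, VLAN 33 frame ->", sw.forward("office-only", 33, srv, BROADCAST))
    print("route to 192.168.33.15 via", build_router().next_hop("192.168.33.15"))
```

Run it and the first broadcast goes out on every port carrying VLAN 33 except the one it came in on, the office-only port never sees it, and once the switch has seen 192.168.33.15 answer from the bldg 750 port the reverse direction becomes a single-port delivery. The router half shows why the firewall router in the diagram needs those explicit static routes: without the 192.168.33.0/24 entry, traffic for the CAD network would fall through to the default route and head for the Internet.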