https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js

Subnetting IP and VLAN plan

When you install a new network one of the things that needs to be planned is how to subnet your new setup.

It has to be logical, secure, robust, future proof and it has to keep a logical layout in mind.

In this article I will show some guidelines how you can do it and what’s my philosophy about it.

Reasons for subnettings and vlans

Network stability

A lot of companys are still running flat layer 2 networks. This means that all their devices are in one big lan. This is a recipe for the disaster. A small broadcast storm can bring down the whole network.

I saw this a few times with industrial networks where they used small embedded devices. Those things don’t have the power to process all the information that comes in through the network. As a result when they experience a broadcast storm, those devices just stop working. What resulted actually in all production to be on hold. Very costly for the customer.

There is no reason that let’s say a malfunctioning printer from accounting affects the barcode scanner from your logistic department or the telephones from your reception. Splitting your network in vlans can solve those issues and help significantly with the stability of your network.

Dividing network into VLANS will reduce those issues.

Higher security

By creating different vlans, you can separate traffic. In a flat layer 2 network all devices can see each other. But if you separate them in VLANS, they can’t. Unless you allow this by layer3 routing. By putting the layer3 connectivity on a firewall or device capable of firewalling (a lot of switches can apply firewall policies too), you can control how VLANS can communicate with each other. It doesn’t have a lot of use to make your printer talk with your iphones for example or to give your employees access to security camera’s. With a firewall and good vlan design you can control all this traffic.

In a flat layer 2 network everything can connect with each other:

Devices grouped in vlans and seperated by Firewall with routing capabilities (or router with firewall capabilities), now the traffic has to apply to the firewall rules before it can pass:

Readable traffic flows and handy addressing

With a good IP plan, you can read from the IP address what kind of traffic it is and where it comes from. This can help you in troubleshooting and help in securing the network.

A good IP plan makes a logical link between location, purpous and VLAN ID. Every switch / stack / location should have a certain identifier andĀ  then the different kinds of traffic should have a identifier on their own. So you can read the traffic on every location.

In the next paragraph I will explain how to do it.

How to do it

List your types of devices or catagories. Printers, camera’s, phones… Or you can work with categories: users, building, voip, security, management, …
You probably end up with a mix. Doesn’t matter, as long as it makes sense for you.

List your locations, make a list of all your buildings and locations where you have or want network connectivity. Also list where you have different network stacks (vc) or switches. We can also use them to divide the network into more broadcast domains. Also think about growth. Even if you only have one location right now, it’s always possible that there will be new locations in the future. Also take into account expansion in the buildings or locations you currently have.

Take into account growth. Scale how much devices you have to support in each broadcast domain and in total. Check if it is sufficient in your plan.

Example

Categories

I’m going to differeniate between edge, the switches you put everywhere to connect your endusers and devices. And Datacenter, the switches you use for datacenter and WAN connectivity. The Mgmt network I will use for inband management, so it is spread all over the site. Also this is an example, your network or environment can be completely different.

Edge
  • Users – where normal users connect, it’s also possible to go for different kinds of users, however I like to control that with a Layer 7 firewall with user and group firewalling
  • Voip – your ip phones, we are going to divide those up into broadcast domains as much as possible
  • Mgmt – inband management of network devices or possibly also other devices
  • WAP – Wireless AP’s, your access points
  • Guest – Guest users
  • Printer – Printers
  • Camera – Camera security devices
  • Building/facilities – VLAN to connect building control devices
  • Badgereader – badgereaders for timeregistration or door lock controllers
Datacenter
  • Mgmt – inband management
  • Servers – internal servers
  • Pub DMZ – public DMZ
  • Private DMZ – private DMZ
  • Internet – Main internet vlan
  • Guest Internet – Guest internet vlan
  • VOIP Servers

Locations

We canĀ have different buildings or departments. Or we can have offices in different countries.

Or we can just have different floors we need to support.

On the image on the left we have one switch for everyfloor and a core switch.

On the design below we have 2 locations with different buildings or departments.

Size / growth

To make it easy to read and work with I try to stick to /24 networks. When we need more then 250 hosts for a network we can go for /23. I wouldn’t recommend going bigger. It would also be quite a big chassis to make up for 500+ ports so you probably already physically split up the network.

Design

Let’s take our first example and turn it into a IP and vlan plan

Let’s use 10.101.0.0/16 as our range to play with. If we ever get more offices, we can reuse our plan but go up in the number like: 10.102.0.0/16, 10.103.0.0/16, … and so on.

First I list the categories and try to number, I also take into account if i will need more then a /24 network (users, voip):

users 0
voip 2
wap 4
badgereader 5
printer 6
camera 7
building 8
guest 9
Mgmt 90
Servers 91
Pub DMZ 92
Private DMZ 93
Internet 94
Guest Internet 95
VOIP Servers 96

Then we make a strategy:

And then we write out the complete plan:

users – 0 voip – 2 wap – 4 badgereader – 5 printer – 6 camera – 7 building – 8 guest – 9
IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID
Location 1 Floor 0 10.101.100.0/24 100 10.101.102.0/24 102 10.101.104.0/24 104 10.101.105.0/24 105 10.101.106.0/24 106 10.101.107.0/24 107 10.101.108.0/24 108 10.101.109.0/24 109
Floor 1 10.101.110.0/24 110 10.101.112.0/24 112 10.101.114.0/24 114 10.101.115.0/24 115 10.101.116.0/24 116 10.101.117.0/24 117 10.101.118.0/24 118 10.101.119.0/24 119
Floor 2 10.101.120.0/24 120 10.101.122.0/24 122 10.101.124.0/24 124 10.101.125.0/24 125 10.101.126.0/24 126 10.101.127.0/24 127 10.101.128.0/24 128 10.101.129.0/24 129
Floor 3 10.101.130.0/24 130 10.101.132.0/24 132 10.101.134.0/24 134 10.101.135.0/24 135 10.101.136.0/24 136 10.101.137.0/24 137 10.101.138.0/24 138 10.101.139.0/24 139
MGMT Servers Pub DMZ Private DMZ Internet Guest Internet VOIP Servers
IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID
Location 1 Datacenter 10.101.90.0/24 90 10.101.91.0/24 91 10.101.92.0/24 92 10.101.93.0/24 93 10.101.94.0/24 94 10.101.95.0/24 95 10.101.96.0/24 96

Applied on the second example:

users – 0 voip – 2 wap – 4 badgereader – 5 printer – 6 camera – 7 building – 8 guest – 9
IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID
Location A Main Building 10.101.100.0/24 100 10.101.102.0/24 102 10.101.104.0/24 104 10.101.105.0/24 105 10.101.106.0/24 106 10.101.107.0/24 107 10.101.108.0/24 108 10.101.109.0/24 109
Lab1 10.101.110.0/24 110 10.101.112.0/24 112 10.101.114.0/24 114 10.101.115.0/24 115 10.101.116.0/24 116 10.101.117.0/24 117 10.101.118.0/24 118 10.101.119.0/24 119
Lab2 10.101.120.0/24 120 10.101.122.0/24 122 10.101.124.0/24 124 10.101.125.0/24 125 10.101.126.0/24 126 10.101.127.0/24 127 10.101.128.0/24 128 10.101.129.0/24 129
users – 0 voip – 2 wap – 4 badgereader – 5 printer – 6 camera – 7 building – 8 guest – 9
IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID IP address VLAN ID
Location B Factory 10.102.100.0/24 100 10.102.102.0/24 102 10.102.104.0/24 104 10.102.105.0/24 105 10.102.106.0/24 106 10.102.107.0/24 107 10.102.108.0/24 108 10.102.109.0/24 109
HR 10.102.110.0/24 110 10.102.112.0/24 112 10.102.114.0/24 114 10.102.115.0/24 115 10.102.116.0/24 116 10.102.117.0/24 117 10.102.118.0/24 118 10.102.119.0/24 119
Accountancy 10.102.120.0/24 120 10.102.122.0/24 122 10.102.124.0/24 124 10.102.125.0/24 125 10.102.126.0/24 126 10.102.127.0/24 127 10.102.128.0/24 128 10.102.129.0/24 129
Warehouse 10.102.13.0.0/24 130 10.102.132.0/24 132 10.102.134.0/24 134 10.102.135.0/24 135 10.102.136.0/24 136 10.102.137.0/24 137 10.102.138.0/24 138 10.102.139.0/24 139

Configuration in the network

On the Core we need to configure all the vlans. So you will get a very big list of vlans to configure.

On the edge (floors) we only need to vlan applicable for the floor.

On the datacenter switch we configure the datacenter vlans.

The MGMT vlan is everywhere to to do the inband management of the switch.

Note: I would recommend to put your internet, dmz and other wan connection on a separate switch. But for the example of the IP and VLAN plan that seemed a bit irrelevant.

 

Conclusion

It does take a lot of planning and drawing out. But in the end you end up with a much better designed, more stable and more secure network.

The better you plan it the longer you can use your scheme.

Also what I provided you as example is only an example. Not all networks are the same. And maybe there are better ways to do it.

You can suggest in the comments.

Thanks for reading!

Leave a Reply