When you install a new network, one of the things you need to plan is how to subnet it.
The layout has to be logical, secure, robust and future proof, and it has to stay readable as the network grows.
In this article I give some guidelines on how to do it and explain my own philosophy about it.
Reasons for subnetting and VLANs
Network stability
A lot of companies still run flat layer 2 networks: all their devices sit in one big LAN. This is a recipe for disaster, because a single broadcast storm can bring down the whole network.
I have seen this a few times in industrial networks that used small embedded devices. Those devices don't have the processing power to handle everything that arrives from the network, so when a broadcast storm hits they simply stop working. In those cases all production was put on hold, which was very costly for the customer.
There is no reason why, say, a malfunctioning printer in accounting should affect the barcode scanners in logistics or the telephones at the reception. Splitting the network into VLANs confines a broadcast storm to the VLAN it started in, which helps significantly with the stability of the network.
Higher security
By creating different VLANs you separate traffic. In a flat layer 2 network every device can reach every other device directly; once they are in separate VLANs they cannot, unless you allow it with layer 3 routing. If you put that layer 3 connectivity on a firewall, or on a device capable of firewalling (a lot of switches can apply firewall policies too), you control exactly how the VLANs may talk to each other, and anything you have not explicitly allowed is dropped. There is little use in letting your printers talk to your iPhones, or in giving every employee access to the security cameras. With a firewall and a good VLAN design you control all of this traffic. Keep in mind that the separation only counts for something if every route between VLANs passes through that policy: a core switch that routes between VLANs without any ACLs gives you smaller broadcast domains, but no security boundary.
In a flat layer 2 network everything can connect to everything:
With the devices grouped in VLANs and separated by a firewall with routing capabilities (or a router with firewall capabilities), traffic has to match the firewall rules before it can pass:
Readable traffic flows and handy addressing
With a good IP plan you can read from the IP address alone what kind of traffic it is and where it comes from. That helps with troubleshooting and with securing the network: firewall rules, log filters and alerts can be written per location and per category, and an address that does not fit the plan stands out immediately.
A good IP plan makes a logical link between location, purpose and VLAN ID. Every switch, stack or location gets its own identifier, and every kind of traffic gets an identifier of its own, so you can read the traffic at every location.
In the next paragraph I explain how to do it.
How to do it
List your types of devices or categories: printers, cameras, phones... Or work with broader categories: users, building, VoIP, security, management, ...
You will probably end up with a mix. That doesn't matter, as long as it makes sense to you.
List your locations: all the buildings and locations where you have, or want, network connectivity. Also list where you have separate switch stacks (virtual chassis) or switches, since those can be used to divide the network into more broadcast domains. Think about growth as well. Even if you only have one location right now, new locations may come later, and the buildings or locations you have today may expand.
Take growth into account in the sizing too: estimate how many devices you have to support in each broadcast domain and in total, and check that your plan has room for them.
Example
Categories
I differentiate between edge, the switches you put everywhere to connect your end users and devices, and datacenter, the switches you use for datacenter and WAN connectivity. The Mgmt network is used for in-band management, so it is spread over the whole site. This is only an example; your network or environment can be completely different.
Edge
- Users – where normal users connect. It is possible to create different VLANs for different kinds of users, but I prefer to control that with a layer 7 firewall with user and group based firewalling
- Voip – your IP phones; we divide those into as many broadcast domains as possible
- Mgmt – in-band management of network devices, possibly also of other devices
- WAP – wireless access points
- Guest – guest users
- Printer – printers
- Camera – security cameras
- Building/facilities – VLAN to connect building control devices
- Badgereader – badge readers for time registration or door lock controllers
Datacenter
- Mgmt – in-band management
- Servers – internal servers
- Pub DMZ – public DMZ
- Private DMZ – private DMZ
- Internet – Main internet vlan
- Guest Internet – Guest internet vlan
- VOIP Servers
Locations
We can have different buildings or departments, or offices in different countries, or just different floors we need to support.
In the first example (the image on the left) we have one switch for every floor and a core switch.
In the second example (the design below) we have two locations, each with different buildings or departments.
Size / growth
To keep it easy to read and work with I stick to /24 networks (254 usable addresses). When we need more than that for one network we can go to a /23 (510 usable addresses). I wouldn't recommend going bigger: a single broadcast domain of 500+ ports would already need quite a big chassis, so at that size you have probably split the network physically anyway.
Design
Let's take our first example and turn it into an IP and VLAN plan.
Let's use 10.101.0.0/16 as our range to play with. If we ever get more offices we can reuse the plan and simply go up one number: 10.102.0.0/16, 10.103.0.0/16, and so on.
First I list the categories and give each one a number. Where I expect to need more than a /24 (users, voip) I leave the next number free, so the network can grow to a /23 later without renumbering:

| Category | Number |
|---|---|
| users | 0 (1 kept free for growth to a /23) |
| voip | 2 (3 kept free for growth to a /23) |
| wap | 4 |
| badgereader | 5 |
| printer | 6 |
| camera | 7 |
| building | 8 |
| guest | 9 |
| Mgmt | 90 |
| Servers | 91 |
| Pub DMZ | 92 |
| Private DMZ | 93 |
| Internet | 94 |
| Guest Internet | 95 |
| VOIP Servers | 96 |
Then we make a strategy. For the edge VLANs the third octet is 100 + 10 × (location index) + (category number), so floor 0 uses 100 to 109, floor 1 uses 110 to 119, and so on; the datacenter VLANs use 90 to 96 directly. The VLAN ID is the same as the third octet, so 10.101.117.0/24 is always VLAN 117 and, on this site, always the camera VLAN of floor 1.
And then we write out the complete plan:
Edge VLANs, Location 1 (the category number is repeated in the third octet and in the VLAN ID):

| Location | users (0) | voip (2) | wap (4) | badgereader (5) | printer (6) | camera (7) | building (8) | guest (9) |
|---|---|---|---|---|---|---|---|---|
| Floor 0 | 10.101.100.0/24, VLAN 100 | 10.101.102.0/24, VLAN 102 | 10.101.104.0/24, VLAN 104 | 10.101.105.0/24, VLAN 105 | 10.101.106.0/24, VLAN 106 | 10.101.107.0/24, VLAN 107 | 10.101.108.0/24, VLAN 108 | 10.101.109.0/24, VLAN 109 |
| Floor 1 | 10.101.110.0/24, VLAN 110 | 10.101.112.0/24, VLAN 112 | 10.101.114.0/24, VLAN 114 | 10.101.115.0/24, VLAN 115 | 10.101.116.0/24, VLAN 116 | 10.101.117.0/24, VLAN 117 | 10.101.118.0/24, VLAN 118 | 10.101.119.0/24, VLAN 119 |
| Floor 2 | 10.101.120.0/24, VLAN 120 | 10.101.122.0/24, VLAN 122 | 10.101.124.0/24, VLAN 124 | 10.101.125.0/24, VLAN 125 | 10.101.126.0/24, VLAN 126 | 10.101.127.0/24, VLAN 127 | 10.101.128.0/24, VLAN 128 | 10.101.129.0/24, VLAN 129 |
| Floor 3 | 10.101.130.0/24, VLAN 130 | 10.101.132.0/24, VLAN 132 | 10.101.134.0/24, VLAN 134 | 10.101.135.0/24, VLAN 135 | 10.101.136.0/24, VLAN 136 | 10.101.137.0/24, VLAN 137 | 10.101.138.0/24, VLAN 138 | 10.101.139.0/24, VLAN 139 |

Datacenter VLANs, Location 1:

| Location | Mgmt (90) | Servers (91) | Pub DMZ (92) | Private DMZ (93) | Internet (94) | Guest Internet (95) | VOIP Servers (96) |
|---|---|---|---|---|---|---|---|
| Datacenter | 10.101.90.0/24, VLAN 90 | 10.101.91.0/24, VLAN 91 | 10.101.92.0/24, VLAN 92 | 10.101.93.0/24, VLAN 93 | 10.101.94.0/24, VLAN 94 | 10.101.95.0/24, VLAN 95 | 10.101.96.0/24, VLAN 96 |
Applied to the second example (Location A keeps 10.101.0.0/16, Location B gets 10.102.0.0/16; the VLAN IDs repeat per site because each site is its own layer 2 domain):

Location A:

| Building | users (0) | voip (2) | wap (4) | badgereader (5) | printer (6) | camera (7) | building (8) | guest (9) |
|---|---|---|---|---|---|---|---|---|
| Main Building | 10.101.100.0/24, VLAN 100 | 10.101.102.0/24, VLAN 102 | 10.101.104.0/24, VLAN 104 | 10.101.105.0/24, VLAN 105 | 10.101.106.0/24, VLAN 106 | 10.101.107.0/24, VLAN 107 | 10.101.108.0/24, VLAN 108 | 10.101.109.0/24, VLAN 109 |
| Lab1 | 10.101.110.0/24, VLAN 110 | 10.101.112.0/24, VLAN 112 | 10.101.114.0/24, VLAN 114 | 10.101.115.0/24, VLAN 115 | 10.101.116.0/24, VLAN 116 | 10.101.117.0/24, VLAN 117 | 10.101.118.0/24, VLAN 118 | 10.101.119.0/24, VLAN 119 |
| Lab2 | 10.101.120.0/24, VLAN 120 | 10.101.122.0/24, VLAN 122 | 10.101.124.0/24, VLAN 124 | 10.101.125.0/24, VLAN 125 | 10.101.126.0/24, VLAN 126 | 10.101.127.0/24, VLAN 127 | 10.101.128.0/24, VLAN 128 | 10.101.129.0/24, VLAN 129 |

Location B:

| Department | users (0) | voip (2) | wap (4) | badgereader (5) | printer (6) | camera (7) | building (8) | guest (9) |
|---|---|---|---|---|---|---|---|---|
| Factory | 10.102.100.0/24, VLAN 100 | 10.102.102.0/24, VLAN 102 | 10.102.104.0/24, VLAN 104 | 10.102.105.0/24, VLAN 105 | 10.102.106.0/24, VLAN 106 | 10.102.107.0/24, VLAN 107 | 10.102.108.0/24, VLAN 108 | 10.102.109.0/24, VLAN 109 |
| HR | 10.102.110.0/24, VLAN 110 | 10.102.112.0/24, VLAN 112 | 10.102.114.0/24, VLAN 114 | 10.102.115.0/24, VLAN 115 | 10.102.116.0/24, VLAN 116 | 10.102.117.0/24, VLAN 117 | 10.102.118.0/24, VLAN 118 | 10.102.119.0/24, VLAN 119 |
| Accountancy | 10.102.120.0/24, VLAN 120 | 10.102.122.0/24, VLAN 122 | 10.102.124.0/24, VLAN 124 | 10.102.125.0/24, VLAN 125 | 10.102.126.0/24, VLAN 126 | 10.102.127.0/24, VLAN 127 | 10.102.128.0/24, VLAN 128 | 10.102.129.0/24, VLAN 129 |
| Warehouse | 10.102.130.0/24, VLAN 130 | 10.102.132.0/24, VLAN 132 | 10.102.134.0/24, VLAN 134 | 10.102.135.0/24, VLAN 135 | 10.102.136.0/24, VLAN 136 | 10.102.137.0/24, VLAN 137 | 10.102.138.0/24, VLAN 138 | 10.102.139.0/24, VLAN 139 |
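The "readable addresses" argument from earlier becomes concrete once the plan above exists: site, location and category can be decoded from any address, and an inter-VLAN policy can be expressed per category instead of per subnet. The Python below is an added example, not code from the article. It hard-codes the category numbers of the plan above; the allow list, the cross-site deny and the sample flows are constructed assumptions for illustration, not rules the article prescribes.

```python
import ipaddress

# Category numbers from the plan above. users and voip keep the next number
# free so they can grow to a /23, so an address at offset 1 is still "users".
EDGE = {"users": (0, 1), "voip": (2, 3), "wap": (4, 4), "badgereader": (5, 5),
        "printer": (6, 6), "camera": (7, 7), "building": (8, 8), "guest": (9, 9)}
OFFSET_TO_CAT = {o: c for c, (lo, hi) in EDGE.items() for o in range(lo, hi + 1)}
DC = {90: "mgmt", 91: "servers", 92: "pub_dmz", 93: "private_dmz",
      94: "internet", 95: "guest_internet", 96: "voip_servers"}


def classify(ip):
    """Read site, location index and category from a 10.<site>.<third>.x address."""
    first, site, third, _ = ipaddress.ip_address(ip).packed  # IPv6 fails to unpack
    if first != 10:
        raise ValueError(f"{ip} is outside the 10.0.0.0/8 plan")
    if third in DC:
        return {"site": site, "location": "datacenter", "category": DC[third]}
    if third < 100:
        raise ValueError(f"{ip}: third octet {third} is not assigned in the plan")
    loc, off = divmod(third - 100, 10)  # third = 100 + 10*location + category number
    return {"site": site, "location": loc, "category": OFFSET_TO_CAT[off]}


# Constructed example policy (an assumption, not from the article): pairs of
# (source category, destination category) the firewall lets through. Everything
# else, including the printer-to-phone and employee-to-camera flows the text
# mentions, falls through to the default deny.
ALLOWED = {
    ("users", "printer"), ("users", "servers"), ("users", "pub_dmz"),
    ("users", "internet"), ("voip", "voip_servers"), ("camera", "servers"),
    ("guest", "guest_internet"),
}


def permitted(src_ip, dst_ip):
    """Decide a routed flow from the two addresses alone.
    Traffic between sites is denied here as well (another assumption of this example)."""
    src, dst = classify(src_ip), classify(dst_ip)
    if src["site"] != dst["site"]:
        return False
    return (src["category"], dst["category"]) in ALLOWED


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    flows = [("10.101.100.20", "10.101.106.5"),   # users -> printer
             ("10.101.100.20", "10.101.117.5"),   # users -> camera
             ("10.101.106.5", "10.101.112.5"),    # printer -> voip
             ("10.101.102.9", "10.101.96.3"),     # voip -> voip servers
             ("10.102.121.7", "10.101.91.5")]     # site 102 users -> site 101 servers
    for s, d in flows:
        cs, cd = classify(s), classify(d)
        verdict = "allow" if permitted(s, d) else "deny"
        print(f"{s:<15} {cs['category']:<12} -> {d:<15} {cd['category']:<13} {verdict}")
```

Because the category is encoded in the address, the same lookup works on firewall logs and NetFlow records: a flow whose source decodes to "camera" and whose destination decodes to "users" is worth an alert regardless of which floor it came from.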
Configuration in the network
On the core we configure all the VLANs, so it gets a long VLAN list.
On the edge switches (the floors) we only configure the VLANs that apply to that floor, and only those VLANs are allowed on the trunk towards the core, so a problem on one floor stays within that floor's VLANs.
On the datacenter switch we configure the datacenter VLANs.
The Mgmt VLAN is present everywhere, for the in-band management of the switches.
Note: I would recommend putting your internet, DMZ and other WAN connections on a separate switch, but for this example of an IP and VLAN plan that seemed a bit irrelevant.
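Writing the plan out by hand works for four floors; for the second example, or for a site that grows, it is easier to generate it from the strategy and let a script check it. The Python below is an added example, not the article's own tooling: it builds the plan for one site from the category numbers above, checks that no two subnets overlap and no VLAN ID is used twice, and lists which VLAN IDs each switch from this section has to carry. The site number, location names and the optional per-category prefix lengths are its inputs; everything else follows the strategy in the article.

```python
import ipaddress

# Category numbers from the plan: third octet = 100 + 10*location + number for
# edge VLANs, 90..96 for the datacenter, and the VLAN ID equals the third octet.
EDGE = {"users": 0, "voip": 2, "wap": 4, "badgereader": 5, "printer": 6,
        "camera": 7, "building": 8, "guest": 9}
DC = {"mgmt": 90, "servers": 91, "pub_dmz": 92, "private_dmz": 93,
      "internet": 94, "guest_internet": 95, "voip_servers": 96}


def build_plan(site, locations, prefixes=None):
    """Return {(location, category): (network, vlan_id)} for one 10.<site>.0.0/16.

    locations: edge locations in order (floors, buildings); index n gets third
    octets 100+10n .. 100+10n+9.  prefixes: optional {category: prefix length},
    e.g. {"users": 23} to use the number kept free after users.
    """
    prefixes = prefixes or {}
    plan = {}
    for n, loc in enumerate(locations):
        base = 100 + 10 * n
        if base + 9 > 255:
            raise ValueError(f"location {loc!r}: no room left in 10.{site}.0.0/16")
        for cat, num in EDGE.items():
            third = base + num
            # strict=True (the default) rejects e.g. 10.x.105.0/23: host bits set
            net = ipaddress.ip_network(f"10.{site}.{third}.0/{prefixes.get(cat, 24)}")
            plan[(loc, cat)] = (net, third)
    for cat, num in DC.items():
        plan[("datacenter", cat)] = (ipaddress.ip_network(f"10.{site}.{num}.0/24"), num)
    return plan


def validate(plan):
    """Raise ValueError on overlapping subnets or duplicate/invalid VLAN IDs, else True."""
    items = list(plan.items())
    for i, (k1, (n1, v1)) in enumerate(items):
        if not 1 <= v1 <= 4094:
            raise ValueError(f"{k1}: VLAN {v1} outside 1..4094")
        for k2, (n2, v2) in items[i + 1:]:
            if n1.overlaps(n2):
                raise ValueError(f"{k1} {n1} overlaps {k2} {n2}")
            if v1 == v2:
                raise ValueError(f"{k1} and {k2} both use VLAN {v1}")
    return True


def switch_vlans(plan, locations):
    """VLAN IDs per switch: core carries all, an edge switch only its own
    location plus mgmt, the datacenter switch the datacenter VLANs."""
    mgmt = plan[("datacenter", "mgmt")][1]
    by_loc = {}
    for (loc, _), (_, vlan) in plan.items():
        by_loc.setdefault(loc, set()).add(vlan)
    return {
        "core": sorted(v for _, v in plan.values()),
        "datacenter": sorted(by_loc["datacenter"]),
        "edge": {loc: sorted(by_loc[loc] | {mgmt}) for loc in locations},
    }


if __name__ == "__main__":
    floors = ["Floor 0", "Floor 1", "Floor 2", "Floor 3"]
    plan = build_plan(101, floors)
    validate(plan)
    for (loc, cat), (net, vlan) in sorted(plan.items(), key=lambda kv: kv[1][1]):
        print(f"{loc:<11} {cat:<15} {str(net):<19} VLAN {vlan}")
    print("Floor 2 switch carries:", switch_vlans(plan, floors)["edge"]["Floor 2"])
```

The validation is where the reserved numbers pay off: widening users or voip to a /23 passes, because the next number was kept free, while widening a category such as wap to a /23 makes it overlap the badgereader subnet and the check refuses the plan instead of letting it reach a switch.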
Conclusion
It does take a lot of planning and drawing out, but in the end you get a much better designed, more stable and more secure network.
The better you plan it, the longer you can keep using your scheme.
What I provided here is only an example. Not all networks are the same, and maybe there are better ways to do it.
You can make suggestions in the comments.
Thanks for reading!