VLAN Assistance

Hi, me again with this subject.

I think I'm making VLANing more complicated than it needs to be. I have my VLANs planned out at this point, though, but I'm getting to the point where I need to subnet them off. That being said, our current IP schema is:

10.1.54.0/23, which gives us 510 usable IP addresses. My question is, does each VLAN network only use one IP address? I.e. could I give subnet 100 10.1.54.1, subnet 200 10.1.54.2, subnet 300 10.1.54.3, etc.? I'm wanting to avoid going with a /22 network unless my boss gives me the go ahead to open up a public wifi network, in which case I'd need the extra IP addresses the /22 comes with.

Or, is the IP address you're giving the VLAN just the pool of IP addresses you want to associate with that specific VLAN?

VLANs shouldn't need an IP address. Generally each VLAN would have a different subnet, but it doesn't require it. Switches aren't aware of IP addresses; they only care about which VLAN each port is assigned to.

Think of VLANs more like each being its own physical network with its own cabling and switches, because that's what it logically is.

So you can subnet the IP space as hard as you like on a VLAN. You could even use the same IP range on each VLAN (which makes routing a bit weird looking and harder to understand then).

L3 switches are very common and are L3 (IP) aware.

1 Like

Yes, but VLANs are layer 2.

If we're talking about routing then you need an interface connected to each VLAN with an IP in the subnet used on that VLAN.

1 Like

My backbone switch is a layer 3 switch that I am creating the routing tables on.

If you do the routing on the switch you have to assign IP addresses to the VLANs, as the hosts inside the VLAN need a gateway to send stuff for outside their network to.

What type of switch - Cisco? Juniper? etc.
You'll have to enable 'ip routing',

create VLANs,

for each VLAN interface:
- assign an IP (1st IP in the subnet is easy to remember) & maybe a description

each interface - assign to VLAN,
- have some random (not 1) native VLAN
- links will need to be trunked
- & tagged with something like dot1q

HP procurve switches
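As an added illustration of the steps listed above on an HP ProCurve switch (this is not configuration from the thread or from any poster): ProCurve puts the VLAN's IP address and its port membership under the VLAN context, and 802.1Q tagging is expressed as "tagged" membership on the uplink ports. The VLAN numbers follow the thread; the port numbers, the /29 and /28 masks and the gateway addresses are assumptions for the example.

```text
ProCurve(config)# ip routing
ProCurve(config)# vlan 100
ProCurve(vlan-100)# name "Access-Points"
ProCurve(vlan-100)# ip address 10.1.54.1 255.255.255.248
ProCurve(vlan-100)# untagged 1-4
ProCurve(vlan-100)# tagged 23-24
ProCurve(vlan-100)# exit
ProCurve(config)# vlan 200
ProCurve(vlan-200)# name "Printers"
ProCurve(vlan-200)# ip address 10.1.54.17 255.255.255.240
ProCurve(vlan-200)# untagged 5-12
ProCurve(vlan-200)# tagged 23-24
ProCurve(vlan-200)# exit
ProCurve(config)# show vlans
ProCurve(config)# show ip route
```

Each VLAN gets exactly one address on the switch (its gateway), and every host in that VLAN points its default gateway at it; the address pool for the hosts is the rest of the subnet. Ports 23-24 are the trunks to the floor switches and carry tagged frames for both VLANs, while ports 1-12 are untagged access ports. "show vlans" and "show ip route" confirm the membership and that a connected route exists per VLAN before any inter-VLAN traffic is expected to flow.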

What I'm thinking is doing something like giving subnet 100 (2 access points) 10.1.53.1/29, subnet 200 (10 printers) 10.1.53.15/28, etc. That's just an example of what I'm thinking. I have 4 AP VLANs total, for example.

If I go that route am I going to need to change my network from 10.1.54.0/23 to 10.1.54.0/22, or can I utilize NAT to fix that issue?

Edit: Just realized that doing what I'm thinking of, 10.1.54.1/29 and 10.1.53.15/28, isn't going to work. It's been a while since I've had to deal with subnetting.

Any ideas?

What is the topology of your network?

First, you need to learn to do subnetting.

You cannot assign a single /29 followed by a /28 subnet.

Follow these rules:

  • Write down how many subnets (VLANs) you need

  • Count the planned hosts in each of the VLANs

  • You can have 512, 256, 128, 64, 32, 16, 8, 4 addresses in a /23 supernet (usable hosts = minus 2 for the network address and broadcast address)

  • Now, using the first two points, calculate what subnet suits your VLANs. For example - if you plan on having 3 APs, your subnet should have at least 3 host addresses, which means that a subnet with 4 addresses will not work. The closest one is a subnet with 8 addresses, which equals /29 (255.255.255.248).

  • Linking a VLAN with a subnet should be done with the future in mind. If you assign a /29 for your APs today and tomorrow you decide to add 4 more APs, then you will get in trouble, because you cannot fit 7 hosts in an 8 address network ;)

So, suppose you end up with:

81 worker computers
34 administration computers
18 printers
3 APs

This means you need 1 subnet of 128 addresses for the workers, one subnet of 64 addresses for the administration, one subnet of 32 for printers and one subnet of 8 for APs.

Now how we actually do the subnetting - WE DIVIDE BY TWO, ALWAYS

Our Supernet is 192.168.100.0/24 (example) = 256 addresses

Divide by 2 we get two subnets 128 addresses each
192.168.100.0/25 - This subnet goes for workers. 192.168.100.1 is the "Gateway" for all the host
192.168.100.128/25

We continue "subnetting" the remaining subnet
192.168.100.128/25

Divide by 2:
192.168.100.128/26 - This subnet (64 addresses) goes for Administration computers
192.168.100.192/26

Continue "subnetting"
192.168.100.192/26

Divide by 2:
192.168.100.192/27 - This subnet (32 addresses) goes for the printers
192.168.100.224/27

Continue "subnetting"
192.168.100.192/27

Divide by 2:
192.168.100.224/28 - 16 addresses - now either choose this subnet if you think in the future you will go above 6 APs
192.168.100.240/28 - 16 addresses

or, divide once more to get an 8 address subnet:
192.168.100.224/28

192.168.100.224/29 - 8 addresses for the APs
192.168.100.232/29
192.168.100.240/29
192.168.100.248/29

If you have trouble understanding what I wrote - ask :)

2 Likes
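The "divide by two" procedure above, mechanised as an added example (this is my code, not the poster's): a small VLSM planner built on Python's ipaddress module. It takes the supernet and the planned host count per VLAN, serves the largest VLAN first, and halves a free block until it fits, keeping the spare halves for the smaller VLANs. The VLAN names and host counts of the first run are the post's own; the 12-VLAN run against 10.1.54.0/23 uses constructed host counts as placeholders, since the thread gives none for most of them. The is_aligned check also shows why a /29 cannot simply be followed by a /28 at an arbitrary address.

```python
# Added example, not code from the thread. Assumes only the Python standard library.
import ipaddress
from typing import Dict, List, Tuple

Plan = List[Tuple[str, ipaddress.IPv4Network]]


def block_prefix(hosts: int) -> int:
    """Smallest prefix whose block holds `hosts` plus network and broadcast."""
    need = hosts + 2
    prefix = 32
    while 2 ** (32 - prefix) < need:
        prefix -= 1
    return prefix


def plan_subnets(supernet: str, demands: Dict[str, int]) -> Plan:
    """Carve one aligned subnet per VLAN out of `supernet` (VLSM, best fit).

    Largest VLAN first, so every block starts on its own power-of-two
    boundary; the spare half of each split stays in `free` for later VLANs.
    """
    free = [ipaddress.ip_network(supernet, strict=True)]
    plan: Plan = []
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        want = block_prefix(hosts)
        free.sort(key=lambda n: n.prefixlen, reverse=True)  # smallest blocks first
        for i, block in enumerate(free):
            if block.prefixlen <= want:  # block is at least as big as needed
                chosen = free.pop(i)
                break
        else:
            raise ValueError(f"{supernet} cannot fit VLAN {name!r} ({hosts} hosts)")
        while chosen.prefixlen < want:  # divide by two until it is exactly the size needed
            chosen, spare = chosen.subnets(prefixlen_diff=1)
            free.append(spare)
        plan.append((name, chosen))
    return plan


def gateway(net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """First usable address, the usual choice for the VLAN's gateway on the core switch."""
    return net.network_address + 1


def is_aligned(cidr: str) -> bool:
    """True only if `cidr` is a real network address (host bits all zero)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def disjoint(plan: Plan) -> bool:
    """True if no two allocated subnets overlap."""
    nets = [n for _, n in plan]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    # Host counts for the 12 VLANs are constructed placeholders, not figures from the thread.
    twelve_vlans = {"vlan100_lan1": 60, "vlan125_ap1": 4, "vlan150_print1": 15,
                    "vlan175_app2": 10, "vlan200_lan2": 60, "vlan225_ap2": 3,
                    "vlan250_print2": 10, "vlan400_lan4": 60, "vlan425_ap4": 5,
                    "vlan450_print4": 20, "vlan500_servers": 10, "vlan525_efax": 5}
    for net, vlans in [
        ("192.168.100.0/24", {"workers": 81, "admin": 34, "printers": 18, "aps": 3}),
        ("10.1.54.0/23", twelve_vlans),
    ]:
        print(f"supernet {net}")
        for name, sub in plan_subnets(net, vlans):
            print(f"  {name:<16} {str(sub):<20} gw {gateway(sub)}  usable hosts {sub.num_addresses - 2}")
    print("10.1.53.15/28 is a valid network:", is_aligned("10.1.53.15/28"))
```

For the post's four VLANs the planner reproduces the derivation exactly: workers 192.168.100.0/25, administration .128/26, printers .192/27, APs .224/29, with .232/29, .240/28 left free for growth. Running it against 10.1.54.0/23 with the twelve VLANs shows the original /23 has plenty of room as long as each VLAN's block is sized to a power of two and placed on its own boundary.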

Hi dark, thanks for the subnetting refresher. I was actually really good at it in school, but the problem I'm having is I never learned real world applications on how to subnet correctly, hopefully you can help me out! I realized after posting that what I was doing with the two different masks wouldn't work... I don't like to edit out stupidity though.

As stated, my network is running 10.1.54.0/23, which gives me a usable range of 10.1.54.1-10.1.55.254. I need 12 subnets created out of this, but I'm not sure how to accomplish that. What are your thoughts?

Edit: More details.

I have 3 floors, with 1 managed switch each, and the server room with a managed switch. I have dumb switches on each floor as well, so here's what I'm wanting to do:

VLAN 100: 1st floor dummy switch (with all LAN computers minus app server 2)
VLAN 125: 1st floor access points (4)
VLAN 150: 1st floor printers (15)
VLAN 175: App server 2 computers

VLAN 200: 2nd floor dummy switch with all LAN computers
VLAN 225: 2nd floor access points (3)
VLAN 250: 2nd floor printers (10)

VLAN 400: 4th floor dummy switch(es) with all LAN computers
VLAN 425: 4th floor access points (5)
VLAN 450: 4th floor printers (20)

-Server Room-
VLAN 500: Server room app/SQL servers
VLAN 525: E-Fax machines
VLAN 175: App server 2 VLAN

I have all the trunks and VLANs set up, I just need to figure out how to subnet this up to associate each VLAN with a subnet.

VLAN tagging via encapsulation

Why do you separate each floor with VLANs? Should the floors not be able to communicate without routing/firewall?

Are the access points on each floor serving different networks? e.g. accounting and production? Are your access points VLAN aware?

What subnetting do you still need? I mean each VLAN is its own entity. So for going in between them you need routing (done by the switch on layer 3 or dedicated router(s)).

None of my devices need to talk to each other for the most part, the only exception being the IT subnet, which will be incorporated into the Application subnet (VLAN 500). Everyone needs access to VLAN 500, and that'll be handled with VLAN tagging.

My access points are all VLAN aware, and, again, don't need to talk to each other, just the application servers.

My layer 3 switch will handle the routing requirements, and is trunked to the managed switches on the 1st/2nd floor, so routing (and firewall duties) are handled. I just need to set it up. The subnetting issue I'm having trouble with is getting the network segmented on my current IP schema (10.1.54.0/23).

What recommendation do y'all have on an IP schema? Could I just give each subnet a different second octet? I.e.:

VLAN 100: 10.2.54.0/25
VLAN 125: 10.3.54.0/25
etc.?

You should also remember to sketch up a network topology diagram in Visio and post it here, along with any other masks.

I can draw up something, but I am giving subnet masks: I'm giving you 10.1.54.0/23 (current), and that's a 255.255.254.0 subnet mask.

Your approach is incorrect, @HelloMrOwl.

All Access Points should be in one VLAN, as well as all Printers. Eventually you will get a wireless controller and better APs and they all need to be in one VLAN. Same goes for printers, if you decide to implement a Print Server in your network.

The idea of dividing networks is to segregate networks by usage, not by location (floors, etc). This way the network stays clean and troubleshooting is a lot easier. So, you do not need 12 VLANs but just 3, 4 or 5, depending on the usage.

Do revise your plan and reduce the number of VLANs accordingly. There is also an unwritten law that says - no more than 100 hosts in a VLAN, so that the broadcast traffic does not become a burden for the network.

It is best to group hosts that are doing the same work, i.e. a department in the company in one VLAN. That way in the future, when you decide to introduce proper security in the Network, you can enforce rules based on properly assigned VLANs (user groups).

The managed switch in your server room is "the CORE switch", with the managed switches on each floor being "access switches". The CORE has to be Layer 3 capable, so that it can perform routing between the VLANs, and the CORE should be configured as a gateway for each VLAN, meaning - it will have VLAN interfaces configured with an IP address.

The recommendation for the IP schema is rather simple - assign the third octet the same as the VLAN ID, as in:

VLAN 100 - Network 10.2.100.0/24
VLAN 200 - Network 10.2.200.0/24

Even if you have just 5 APs that does not mean that they cannot reside in a /24 network :)

Come up with a solid design decision and post it here, I will do the subnetting for you.

2 Likes

+1 for a wireless controller.

good post.

Thanks for the insight. My original idea for subnetting only included 3 subnets, actually. I started thinking about subnetting off the individual floors since, the way our Electronic Medical Records work, I could just VLAN tag everyone to that group and not have any problems. So let's do this:

VLAN 100: Access points (all clinical computers run on access points so that'll VLAN off a 'department' as well)
VLAN 200: Printers
VLAN 300: LAN hosts
VLAN 400: Public WiFi (we're considering implementing that)

I -cannot- change the 10.1.54.0/23 network to, as you say, 10.2.100.0/24. The reason is that we have some extremely complicated imaging software applications that are IP reliant and require calling GE to make any network changes on them. That's why I was wanting to do 10.1.54.0/24, 10.2.54.0/24, 10.3.54.0/24 etc., because I could keep all items that require their 10.1.54.* address on that. We could do 10.1.54.0/24, 10.1.55.0/24, etc.

Once my facility is 100% Cisco APs we're going to purchase the controller. Until that time I'm stuck doing it the hard way.