Supernetting vs. VLANs

Posted on 2008-10-06
Last Modified: 2012-05-05
I have a good understanding of networking but I'm not really able to answer this question. A current client is running out of IP addresses in a /24 network. They will soon be implementing a VOIP solution, requiring more space. On top of that, there is very little structure to the current IP scheme. Up to now I've been planning on a redesign that will allow for a great deal of growth, which is quite possible over the next 24 months. I was planning on redesigning into a /22 network. This client is in one very large building. They are in only the one physical location, besides the odd sales rep working from home.
Is this the best course of action or would it be better to use VLANs to subdivide the network? Why?

Thanks
Question by:Broxoth
12 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22654202
If you have total control of your inside network structure and you can have a block of consecutive addresses, then you can do a supernet. Also remember that all your clients will have to be XP or above, because some operating systems cannot use 0 or 255 as a valid IP address.
I think VLANs will give you a little bit more flexibility, and if someone new in your shop comes in, it will be easier to teach them VLANs than it would supernetting.
 
LVL 5

Expert Comment

by:ccns
ID: 22654308
What you can do on your DHCP server is set a new scope with a new subnet, as you said:
255.255.252.0. That will give you so many more IP addresses.
This gives you x.y.0.1 - x.y.3.254, total hosts: 1,022.
 
LVL 5

Expert Comment

by:ccns
ID: 22654393
It's not supernetting, it's just setting a different subnet, and all should be done via your DHCP server, which is super easy anyway. VLANs can be very difficult if you are not sure how to set them up etc.; this is damn simple and easy. :) Any big sites I deal with, I have always turned to subnetting; it's the only way to go really.
 
LVL 16

Expert Comment

by:Aaron Street
ID: 22654867
Cisco and Microsoft suggest that for best throughput you should keep to less than 500 devices per network segment.

Larger segments than this will increase ARP and broadcast traffic to an unacceptable level.

More, smaller VLANs will work much better than one large flat network and also allow for much nicer troubleshooting and management.

VLANs and subnetting go hand in hand but are not the same thing. VLANs separate at layer 2; subnetting is layer 3.

Now I would suggest using a separate segment for each floor of the building (possibly each wing of the building if it is very large) and a separate network segment again for servers. This gives you a lot of control over what traffic goes where, so for instance you can restrict only the traffic you want to your servers, and make sure any broadcast traffic from the clients does not hit the servers.

Put it this way: you sit at a PC and ping another PC. The first thing that happens is that it resolves the IP address to a MAC address. If you are on one flat network, then every time a PC/server/printer does this it broadcasts to the whole network asking who owns the IP address!! So if servers and clients are on a flat network, every device on the network has to receive this packet and then choose to ignore it. When you think, if you have several hundred devices doing this, a server can end up getting hit with 30 or 40+ packets per second that are nothing to do with it, and if it is trying to talk to another PC / server at the time, each of these packets will cause a small delay.

On a network with many devices it is the number of packets, not the volume of data, that can cause the biggest slowdown.

If you use routing and smaller subnets, this broadcast traffic is limited to each subnet and performance increases, as well as security and management. And my favourite, troubleshooting, becomes much easier, as by looking at a packet capture you can easily see where data is running to and from.
 

Author Comment

by:Broxoth
ID: 22655621
Great responses. My question then is, what assigns a device to a particular VLAN if that VLAN is set on a router or a firewall? In my case I have a single LAN interface. That connects to several switches. If I set multiple VLANs on that LAN interface, what distinguishes that device X is on VLAN 1 as opposed to VLAN 2? It can't be IP address alone, right?

Let me explain what I'm trying to achieve. I have a firewall with multiple interfaces. All servers, workstations, printers, etc. are on the LAN interface. We are adding VOIP. I want to segment my servers, workstations and printers, phones, and network devices into their own networks.

VLANs can be set up on switches, I know, so that certain ports will create their own separate switch. But how does this get done in my scenario where the VLAN is set up on the layer 3 device?
Thanks.
 
LVL 10

Assisted Solution

by:kyleb84
kyleb84 earned 50 total points
ID: 22656565
If your switch is doing your VLANs:

From a switch port, the only thing that decides what VLAN the devices hanging off that port are on is the 802.1Q VLAN TAG (part of the Ethernet frame), or the absence of that tag altogether.

You cannot have 2 devices, hanging off one switch port, belong to 2 different VLANs, when they both do not tag packets.

Usually in a VoIP scenario, many manufacturers (Cisco, Nortel, Mitel etc...) have the ability to easily configure their IP phones to tag all Voice packets, but untag all data packets which are usually passed through from the secondary port present on many IP phones.

This then allows the IP phones to put a 802.1p value on the TAGGED frame, this 802.1p provides QoS at the switch level.

[Most] Cisco routers have the ability to accept multiple VLANs on the same port, and will also do the routing between the VLANs as well.

What is your "Layer 3" device you're talking about?

and

Do you have a managed switch?



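An added example, not from the thread, of the mechanism kyleb84 describes: a switch port places a frame in a VLAN by reading the 802.1Q tag or noting its absence, and the same tag carries the 802.1p priority. The sample frames, the VLAN numbers (data VLAN 1, voice VLAN 2) and the access/voice port model are constructed assumptions about common switch behaviour.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame):
    """Split an Ethernet frame into addresses, optional 802.1Q tag fields and inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst, "src": src, "tagged": False}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, inner = struct.unpack("!HH", frame[14:18])
        # TCI layout: 3-bit PCP (the 802.1p priority), 1-bit DEI, 12-bit VLAN ID
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=inner)
    else:
        info["ethertype"] = ethertype
    return info


def access_port_decision(frame, access_vlan, voice_vlan=None):
    """Model (assumption) of an access port: untagged frames join the access VLAN; a tagged
    frame is accepted only when it carries the configured voice VLAN, otherwise dropped."""
    info = parse_frame(frame)
    if not info["tagged"]:
        return ("forward", access_vlan, 0)
    if voice_vlan is not None and info["vid"] == voice_vlan:
        return ("forward", info["vid"], info["pcp"])
    return ("drop", info["vid"], info["pcp"])


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble a frame; when vid is given, insert an 802.1Q tag carrying pcp and vid."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vid is not None:
        hdr += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF), ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed sample frames: a phone tagging voice for VLAN 2 at priority 5, and an
# untagged data frame from the PC behind the phone's pass-through port.
VOICE_FRAME = build_frame("000000000002", "000000000001", 0x0800, b"\x45" + b"\x00" * 19, vid=2, pcp=5)
DATA_FRAME = build_frame("000000000002", "000000000003", 0x0800, b"\x45" + b"\x00" * 19)
```

With the port set to access VLAN 1 and voice VLAN 2, the untagged PC frame lands in VLAN 1 and the tagged phone frame in VLAN 2; remove the voice VLAN from the port and the tagged frame is dropped, which is the behaviour Aaron describes later in the thread.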
 
LVL 16

Accepted Solution

by:
Aaron Street earned 150 total points
ID: 22657443
OK, think of it like this.

You can set up multiple VLANs on a switch, or a group of switches, and each VLAN is in effect a separate cluster of switches.
And as kyleb said, you can assign ports on the switch to different VLANs. (The only exception to this is when you have trunking ports (connections between switches) that can be configured to carry traffic from multiple VLANs.)

So if you have VLAN 1 and 2 on switch one, and VLAN 1 and 2 on switch 2, you need a trunking link between them for devices to be able to talk to each other. However, devices on VLAN 1 on one switch will still only be able to talk to devices on VLAN 1 on the second switch.

VLANs are layer 2, not layer 3!! And VLANs have nothing to do with IP addresses. (They are used in conjunction with subnetting but don't need to be!!)

So imagine it as: VLANs separate out the network physically, and IP address subnets are more logical (you can run multiple subnets on a single VLAN, but don't, because you still have one large broadcast domain!!)

So you set up the VLANs on the access/edge switches. Then each switch connects back to a central router that does all the routing between the VLANs.

I would get hold of Packet Tracer 4.1 (a Cisco learning tool). This makes it very easy to set up some test networks on your PC and do some basic VLAN and subnetting to get an idea of what is going on. Playing about with it yourself is the best way to understand it :)
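An added example, not part of Aaron's answer, of the two halves working together: the /22 from the question is summarised the way ccns did above, then carved into one subnet per VLAN so the central router has a routed network for each broadcast domain. The 10.0.0.0/22 block, the roles, VLAN IDs and prefix lengths are constructed assumptions, not the client's plan.

```python
import ipaddress

# Constructed plan (assumption): one VLAN per device role, each with its own subnet.
# Entries are (vlan_id, role, prefix_length); the /22 holds 1024 addresses in total.
PLAN = [
    (10, "workstations", 23),     # 510 hosts
    (20, "phones", 24),           # 254 hosts, the VoIP rollout
    (30, "servers", 25),          # 126 hosts
    (40, "printers", 26),         # 62 hosts
    (50, "network-devices", 26),  # 62 hosts
]


def supernet_summary(cidr):
    """Usable host range and count for a block such as the /22 discussed above."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first": str(net.network_address + 1),
        "last": str(net.broadcast_address - 1),
        "usable": net.num_addresses - 2,
    }


def carve_per_vlan(cidr, plan):
    """Allocate one subnet per VLAN inside cidr, largest first so every subnet stays
    aligned on its own boundary. Raises ValueError when the plan does not fit."""
    block = ipaddress.ip_network(cidr, strict=True)
    cursor = block.network_address
    allocation = []
    for vlan_id, role, plen in sorted(plan, key=lambda p: p[2]):
        if plen < block.prefixlen:
            raise ValueError(f"/{plen} for VLAN {vlan_id} is larger than {block}")
        sub = ipaddress.ip_network((int(cursor), plen), strict=True)
        if sub.broadcast_address > block.broadcast_address:
            raise ValueError(f"{block} is exhausted before VLAN {vlan_id} ({role})")
        allocation.append((vlan_id, role, str(sub)))
        cursor = sub.broadcast_address + 1  # next free address after this subnet
    return allocation


def vlan_for_address(ip, allocation):
    """Which VLAN and role the router would place an address in, or None if unallocated."""
    addr = ipaddress.ip_address(ip)
    for vlan_id, role, cidr in allocation:
        if addr in ipaddress.ip_network(cidr):
            return vlan_id, role
    return None
```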
 

Author Comment

by:Broxoth
ID: 22659149
kyleb84:  It's a SonicWALL 2040PRO and the switches are managed. With my limited experience with VLANs, I expected VLAN tagging to have a role. I just wasn't sure to what extent.

So, please verify if I understand this correctly. I can set up each port on my managed switches to answer for multiple VLANs and, based on the tagging, that adapter will be on that separate "switch" or VLAN.

For instance: Ports 1-24 connect to a voip phone and a computer. VLAN1 is for voice and VLAN2 is for data. Based on the phone's tagging, the voice packets will be separated and be handled by VLAN1. I assume that means that I'll need to also tag the PC's adapters.

Lastly, I can still use the /22 scheme as this provides me the IP addresses that I need within the same subnet, but that subnet's broadcast domain has been cleanly segmented by the VLANs on layer 2.

Did I even come close?
 
LVL 16

Expert Comment

by:Aaron Street
ID: 22659679
Each access port has to be in a single defined VLAN.

If the PC and phone can tag data for a VLAN then you can set it up differently. Otherwise you have to assign each access port to a VLAN.

Now with phones and PCs you can set up the ports on a switch to automatically switch what VLAN they are in, either by adding MAC address lists, or, with phones, if you set up a VLAN for them on the switch it will automatically add ports you plug the phones into to that VLAN.

However, as a rule, each port must be set to access only one VLAN at a time.
 

Author Comment

by:Broxoth
ID: 22659901
The phones in question are Mitels, which do support VLAN tagging.
So what makes logical sense then is that I can, for example, set up all ports to be VLAN1 by default for data (no tagging). When a voice packet is tagged, the voice traffic will go over VLAN2.
Sound about right?
 
LVL 16

Expert Comment

by:Aaron Street
ID: 22660129
Yes, but you have to configure the ports to accept tagged packets. By default a port (at least on a Cisco switch) is untagged/VLAN 1 and will not forward traffic if it is tagged to a different VLAN.

You need to set the switches up to recognise the phone and configure themselves accordingly.

Search for cisco / voip / vlan and you will find loads about setting it up.
 

Author Comment

by:Broxoth
ID: 22660415
Great. It sounds like the answer isn't either or but both. Works for me. Thanks for the help.