• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3207
  • Last Modified:

VLAN or VLSM?

Hey All,
Been trying to figure out how best to configure my network. I have roughly 70 machines which break down as follows: 20 servers, 15 accounting, 20 creative, 10 printers, 5 public. Everyone needs to access the servers and printers. My main reason for breaking up the network is to segment each group into their own networks.
I have VLAN aware routers and switches, but have been trying to determine whether VLANs or Variable Length Subnet Masks would be the better approach? As I see it, VLSM lets me slice and dice my subnet to fit without the need to configure my switches. VLAN gets me the same but requires the VLANs and subinterfaces on both switches and routers to be configured.
I am really leaning towards VLSM, but it seems that either scenario gets me what I need, just wondering if there is any advantage to one over the other?
Points awarded to best reasoning and logic behind your answer.
0
Ugo Mena
Asked:
Ugo Mena
  • 6
  • 2
  • 2
  • +1
4 Solutions
 
TomRScottCommented:
Is the segmentation for security reasons? If so, if you are not firewalling between them or at least creating routing restrictions, there is no point.

With VLANs you can use either standard subnets, VLSM or custom subnets.

With or without VLANs, the router would need to be set up between VLANs/subnets.

The only need for a VLAN is if you wish to have more than one subnet on the same switch. However, even if you only have one operations subnet, you may wish to have two VLANs with one for switch management, but that is usually overkill.

The main reasons for VLAN configurations are twofold: 1 - A management VLAN is desired to secure the management for only administrators to access; 2 - To conserve hardware an/or rack space.  The latter comes into play when you have switches with more ports than needed and wish to provision multiple subnets.  However, the conservation is only needed if you already have a need for more than one subnet.

Bottom line: For only  70+ hosts, including routers, etc., you do not need more than one private subnet such as 192.168.2.0 /24 (which supports up to 254 hosts). If interdepartmental security is the desire you should consider a firewall with one outside and two inside interfaces.

 - Tom
0
 
chakkoCommented:
with VLSM you will be creating different subnets.  you will still need to route between the sub-networks.

With only 70 devices why would you segment it?  Sounds like over complicating things.

I would create a VLAN for the users, a VLAN for public and a VLAN for the servers.  Then put the routing in the Layer 3 switches.

You should be using private IP address on your LAN so essentially you have like unlimited IP addresses available.  No need to slice and dice, just keep it simple and make subnet mask 255.255.255.0 for each VLAN.  No worry about running out of IP addresses.  Plus it will be easier to keep things 'sorted' in your mind - my guess.


0
 
Ugo MenaAuthor Commented:
thanks for the quick replies. I realize that this configuration could be simplified with one subnet and all 70 devices on the same broadcast domain....however roughly 30 of the devices are design workstations with very heavy bandwidth to the servers. So the main reason for segmenting is to keep the broadcasts to a minimum and maximize bandwidth for application traffic.

Interdepartmental security is another consideration for which I intend to use static routes and routing policies. I understand the need to configure the routers with static routes to each subnet.

So specifically, what is the advantage of using VLANs vs VLSM? or vice-versa, what is the advantage of VLSM vs VLAN?
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
TomRScottCommented:
One does not preclude the other. There is no either or situation here.

VLSM or custom subnetting just lets you get the most out of a limited number of IP addresses. With 70+ hosts that is not an issue for you. As long as the 70 units are in private address space, you have zero need for custom subnetting.

VLAN allows you to use the same switch for multiple subnets, each on its own VLAN. Plus, you might have a VLAN just for management of your infrastructure.

 - Tom
0
 
NetFixr-DaniCommented:
I wonder if perhaps there is some confusion as to what "VLSM" refers?  Typically this topic comes up as folks are first learning about IP networks because it relates to the change from "classful" A/B/C networks.  To be frank, VLSM is pretty much a standard now as networks don't follow the A/B/C partitioning, and CIDR has prevailed.  Really it just refers to chopping up a network into different sizes based on actual need (number of planned hosts on a network).

However, If you mean having one flat network and assigning it like this:

192.168.100.0/28: Printers
192.168.100.16/28: Public
192.168.100.32/27: Servers
192.168.100.64/27: Creative
192.168.100.96/27: Accounting

. . . then you're using VLSM.  However as mentioned by a couple other Experts here, those hosts won't be able to communicate outside their group unless you have something configured with one IP in each subnet that can route to the other subnets.  If you're going to do this *without* using VLANs (flat network using simple unmanaged switches), then we call this a "multi-netted" segment or "ships in the night" which IMO is pretty messy as you have multiple subnets on one broadcast domain.  You would need to configure a router, layer3 switch, or host to have one IP in each subnet (e.g. 192.168.100.1, .17, .33, .65, .96) on the same interface with "one-armed" routing.  One significant disadvantage to doing this is that standard DHCP (using address pools) won't work, since the DHCP server has no way of knowing which pool to assign an IP from.  If instead you're using static DHCP reservations (IP - to - MAC mapping), or statically IPing everything, the it could work out.  Again, this network is messy and not advised.

On the other hand, if you are planning on segmenting each category into VLANs (which it sounds like you want to in order to limit broadcast domains and apply security) then as mentioned by another Expert this is not mutually exclusive to whether or not you choose to use VLSM.  In that case you provision VLANs as follows:

VLAN 10: Printers
VLAN 20: Public
VLAN 30: Servers
VLAN 40: Creative
VLAN 50: Accounting

. . . you still need to choose which IPs to use on each VLAN.  You can use the same numbering scheme from earlier in my post (VLSM), or you can choose to make your life easier by using all /24's and matching one octet to VLAN number:

192.168.10.0/24: VLAN 10
192.168.20.0/24: VLAN 20
. . . etc.

This will make it simple for you to eyeball VLAN/Subnet, as well as reduce confusion and error with system administrators when devices are being numbered.  I've found that folks often make mistakes when they need to number some hosts with a 255.255.255.248 netmask, and others with 255.255.255.224, as well as having default gateways that may end in .16, .33, .65 etc.  A lot easier to just use "255.255.255.0" and a default gateway that always ends in .1.

For those who stick to a literal definition of VLSM, that scheme technically isn't, since 192.168.x.x is from the legacy "Class C" space.  If you selected 172.16.x.x or 10.x.x.x IPs and configured /24's you'd find yourself using VLANs and VLSM.

Of course, if you're using public IPs for everything, then you're definitely going to want to use VLSM, because you shouldn't be burning 255 IPs (/24) for 5 printers.

Hope that clarified ;)

- Dani
0
 
Ugo MenaAuthor Commented:
Thanks for the responses. I think this is getting closer to answering my question....

So lets say I opt for the multi-netted setup (no VLANs): I have a router in each subnet to serve as the gateway and my DHCP server has multiple DHCP scopes allowing for clients to span multiple subnets...
@Dani- what makes multiple subnets on one broadcast domain "messy"? how does this compare to one big flat network's broadcast domain?


0
 
Ugo MenaAuthor Commented:
I assume that by messy, you are referring to the number of subnets and netmask one would need to keep track of?
0
 
Ugo MenaAuthor Commented:
OK. I am almost there....
So after some testing in lab, I realize that there is not a VLAN vs VLSM either or situation (just like TomRScott stated). And with help from NetFixr-Dani's excellent breakdown, I understand the desire to use easy to remember subnet to VLAN settings and mappings.

However, what I am still having a hard time understanding is if all the workstations are setup using statically assigned IPs and each subnet gateway/rtr is connected to the same layer 3 switch, doesn't the switch immediately map the gateway interface MAC to IP with ARP table caching? And if so, what is the real need for a VLAN?

I realize that with DHCP dynamically allocated IPs, there is a storm of DHCP discovery/offer/request/ack/inform packets between client and server that can quickly use up bandwidth on the network. But with DHCP statically/manually assigned IP on the client, doesn't it just check the ARP table (assuming the subnet gateway is already listed) and get routed to the correct interface?
0
 
chakkoCommented:
MAC is layer2

I think security is an issue, can all your pc/devices reach each other now?  like PING.

What if you want to make it so that 1 group cannot access another.  Maybe Guest cannot access Server IP ranges.

0
 
Ugo MenaAuthor Commented:
Thanks chakko! I don't think security is going to be an issue. All my devices can reach their intended hosts through the static routes between subnets. Esssentially I have 3 firewalls with 4-6 Gigabit interfaces each. Each one has a single WAN connection out and either 2, 3 or 5 interfaces set to serve as LAN gateway/subnet connections to the switches. Firewall interface is serving as the gateway/route to each subnet. If I don't want them to communicate over a specific protocol (or at all) then I can block the route(s) within the firewall.

As long as the ARP lookup/caching and statically assigned DHCP client/server traffic does not overwhelm the switch with discovery packets(?), I believe I can isolate broadcasts and increase available bandwidth to each LAN subnet by providing a full GB interface connection to each subnet, instead of having just one GB interface serving the entire 192.168.0.1/24 LAN.

I realize that this is not the easiest way to get this setup.... What I am trying to avoid is having to disconnect all the CAT6 patch cords to my switches, identify each device to its cable run, assign each port to a VLAN, re-assign server IPs (many of which have been hard coded into applications) and then plug them all back in based on VLAN memberships. Right now all of the patch cables are plugged into the switch based on the closest open port and whether the cable run is on the left or right side of the rack.
0
 
Ugo MenaAuthor Commented:
Ok finally got my head around how ARP, Layer 2 and Layer 3 addressing works. YEAH!

Many thanks to all of you who took the time to reply to my questions. I have decided to split my current flat 192.168.0.1/24 network up using VLSM. I will create 8 subnets using /240, /224, and /192 masks. My 3 firewalls will serve as gateways, maintain static ARP table entries and route each subnet accordingly. I plan to use static DHCP assignments on a multi-scoped DHCP server and skip setting up VLANs on my L2/L3 switches.

I have split the points up based on the amount of information I gleaned from each post.
Best Regards!
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

  • 6
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now