Help Picking Subnets and Vlans

AllDaySentry
I have a two part question related to subnetting.

First part:

I need help in picking subnets. I need to pick four subnets with an approximate number of hosts in each one: 30, 220, 160, 275. Each subnet will go in its own VLAN.

Our default equipment comes with a 10.45.X.X IP and 255.255.0.0 subnet.  Our current customer has stated this will not work since it is not defined enough.

I need to narrow down the subnet but I would still like to use a 10.45.X.X scheme if possible.  I am not very great with the design part so any help would be appreciated.




Second part:

Our network is going to be joining the customer's network through their firewall. Their firewall will be doing the routing and VLAN administration. We will also use part of the customer's network for connecting a few workstations in their offices.


As mentioned above, the hardware comes default with a 255.255.0.0 subnet. For maintenance purposes, it would be best to leave it on the default and not switch the subnet.

Customer thinks it is possible to leave our equipment on the 255.255.0.0 subnet but connect to their firewall using a subnet like 255.255.255.0.  Does this make sense?  Does it make sense if the equipment also needs to use part of their network to connect the office workstations?

Commented:
1) Here are the number of hosts for each subnet mask:
255.255.255.252 (/30): 2 hosts (2^2 - 2)
255.255.255.248 (/29): 6 hosts (2^3 - 2)
255.255.255.240 (/28): 14 hosts (2^4 - 2)
255.255.255.224 (/27): 30 hosts (2^5 - 2)
255.255.255.192 (/26): 62 hosts (2^6 - 2)
255.255.255.128 (/25): 126 hosts (2^7 - 2)
255.255.255.0 (/24): 254 hosts (2^8 - 2)
255.255.254.0 (/23): 510 hosts (2^9 - 2)

Note that the number of hosts has to cater for future growth, and at least one IP will be required by the default gateway of the subnet (the firewall or router interface). It is also easier to manage if all the subnet masks are the same. So I would suggest using the /24 subnet mask. So, you can use the following:
Vlan 1: 10.45.1.0/24
Vlan 2: 10.45.2.0/24
Vlan 3: 10.45.3.0/24
Vlan 4: 10.45.4.0/24
(Note that the VLAN number follows the 3rd octet, also for easier management.)
I would also advise that you reserve a couple of IP addresses for network infrastructure (.1 for the default gateway, .2 and .3 for HSRP if you want to implement gateway redundancy, perhaps some IPs for other devices), and start assigning host IPs only from something like .10.

2) It is not advised to run overlapping subnets like the customer suggests. Although you will be able to get it to work, your equipment (using the 255.255.0.0 subnet mask) will not be able to reach any IP in the customer's VLANs (in the 255.255.255.0 subnets), unless you configure Proxy-ARP on the firewall. But it is advisable to change the subnet mask on your equipment to match the subnet on the firewall (255.255.255.0). This surely should not affect your equipment that much?
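As an added example (not from the answer above or the thread's participants), a small calculator that reproduces the host-count table and then picks the smallest mask for each size in the question, reserving 10 addresses per VLAN for the gateway and infrastructure as the answer recommends. The VLAN labels and the "largest first" carving order are assumptions for the illustration.

```python
import ipaddress

def usable_hosts(prefix: int) -> int:
    """Usable host addresses in an IPv4 prefix (network and broadcast excluded)."""
    if prefix >= 31:
        return 0  # /31 and /32 need special handling; not used for user VLANs
    return 2 ** (32 - prefix) - 2

def smallest_prefix(hosts_needed: int, reserved: int = 0) -> int:
    """Longest prefix whose usable hosts cover the users plus the reserved
    infrastructure addresses (gateway, HSRP pair, other devices)."""
    for prefix in range(30, 0, -1):
        if usable_hosts(prefix) >= hosts_needed + reserved:
            return prefix
    raise ValueError("request does not fit in IPv4")

def plan_vlans(base: str, sizes: dict, reserved: int = 10) -> dict:
    """Carve one right-sized subnet per VLAN out of `base`, largest first so
    every block lands on its natural boundary without alignment gaps."""
    block = ipaddress.ip_network(base)
    cursor = int(block.network_address)
    plan = {}
    for vlan, hosts in sorted(sizes.items(), key=lambda kv: kv[1], reverse=True):
        prefix = smallest_prefix(hosts, reserved)
        size = 2 ** (32 - prefix)
        cursor = -(-cursor // size) * size  # round up to the block boundary
        net = ipaddress.ip_network((cursor, prefix))
        if not net.subnet_of(block):
            raise ValueError(f"{base} cannot hold all requested VLANs")
        plan[vlan] = net
        cursor += size
    return plan

# Host counts from the question; VLAN labels are placeholders.
REQUEST = {"vlan_a": 30, "vlan_b": 220, "vlan_c": 160, "vlan_d": 275}

if __name__ == "__main__":
    for p in range(30, 22, -1):
        print(f"/{p:<3} {usable_hosts(p):>4} hosts")
    for vlan, net in plan_vlans("10.45.0.0/16", REQUEST).items():
        print(f"{vlan}: {net}  ({usable_hosts(net.prefixlen)} usable for "
              f"{REQUEST[vlan]} requested + 10 reserved)")
```

Running it shows that 275 hosts plus the reserved block needs a /23, while the other three fit in /24 or smaller.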

Author

Commented:
Regarding your answer to part 1, I thought you couldn't (or shouldn't) have the same subnet across multiple VLANs? How could you use the /24 subnet mask for all four VLANs?




Regarding part 2, the reason for wishing to keep the 255.255.0.0 subnet mask is because some of the equipment is hardware/firmware boards.  You can change the IP address of each board by turning some dials on the board.  If you change the default subnet, you now have to go in with a computer and software tool.

Customer was telling me I could keep my server with 255.255.0.0 subnet and have his firewall as 255.255.255.0 subnet and they could communicate, but I don't see how that's possible?

Only our server needs to communicate on his network, not the other hardware.  Could I just keep my server on 255.255.0.0 and then add an alternate IP on the 255.255.255.0 just to communicate with his firewall?
Commented:
Regarding part 1: There is a difference between a subnet and a subnet mask. The subnet is defined by the network address of the subnet plus the indication of the mask used (like 10.45.1.0/24), and you should not use the same subnet on multiple VLANs. There is no reason (technical or strategic) to use different subnet masks for different VLANs. On the contrary, it makes life much easier if you use different subnets, but the same mask for similar applications (like a number of user VLANs, as in this case).

The hardware issue makes it a bit difficult:  I would recommend changing the subnet (to something like 10.46.0.0/16) if you do not want to change the subnet mask.  However, if only the server will connect outside the subnet, and if all the hardware fits into one /24 subnet, it might make sense to implement it as the customer wants:  Leave the server and the hardware with the default configs using the 10.45.0.0/16 subnet (mask of 255.255.0.0), and the firewall interface with a 255.255.255.0 (/24) mask.  But the firewall, the server and the hardware will have to be in the same /24 subnet:  If your server has a default IP of 10.45.254.26 (for example), the firewall IP has to be in the 10.45.254.0/24 subnet.

On the server you will also have to configure the firewall as the default gateway, if you want to reach anything with an IP outside the 10.45.* range.  The firewall will also have to be configured with proxy ARP, then it will work fine, should you wish to communicate to any other 10.45-address in the user's subnet.

Proxy-ARP is the reason all your hardware and server must be in one /24 subnet, even if the subnet mask is /16. Proxy-ARP will allow the firewall to respond to ARP requests with its own MAC address for IPs outside the interface's subnet. So, if your server (with IP 10.45.254.26, let's say) wants to talk to a server in VLAN 1 (10.45.1.0/24), the server will think that it is in the same subnet, and will send an ARP request. The firewall will identify that it is outside its configured subnet (10.45.254.0/24) and will respond to the ARP request with its own MAC address, and traffic will flow between your server and the IP in VLAN 1.

However, if your hardware is also outside the 10.45.254.0/24 subnet (let's say 10.45.100.25), and the server wants to send an IP packet to it, it will also send out an ARP request. However, both the hardware and the firewall will respond to the ARP request: the hardware because it actually owns the IP, and the firewall because it sees 10.45.100.25 as being outside its configured subnet of 10.45.254.0/24. Now it depends which ARP response reaches the server last, as that entry will be entered into the ARP cache (I think, but it depends on the server ARP implementation). So you have a 50-50 chance of it being the correct ARP.

If you change the subnet mask on the firewall to /16 (255.255.0.0), you will not be able to communicate with any of the user's VLANs in the 10.45.8 range, as the firewall will not respond to ARP requests for it, and the server will not forward traffic to the default gateway (the firewall interface) as the server thinks all the IPs starting with 10.45 are in its connected subnet, and will send an ARP request for it (and not get a reply).

It is possible to get it to work configuring the server with a /24 mask and the firewall and hardware with a /16, but then you have to ensure that the hardware addresses do not fall within the user subnet space, because if they do, the firewall will route a packet from the server to this subnet to the user VLAN, rather than the server/hardware VLAN. The firewall should also have ICMP redirect disabled, I think.

However, these complications should be more than enough motivation to change the IP addressing scheme to something that does not overlap:  The 10-range is huge, there has to be some spare subnets you could use?
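As an added example (not written by anyone in this thread), a small model of the ARP behaviour Otto_N describes: the server and field hardware keep their /16 mask while the firewall interface on the same segment is /24 with Proxy-ARP. It reproduces the three cases above (destination in a user VLAN, hardware outside the firewall's /24, hardware inside it) plus a destination the server correctly sends to its gateway. The firewall address 10.45.254.1, the "near" hardware address 10.45.254.40 and the VLAN 1 host 10.45.1.10 are assumed values; Proxy-ARP is modelled as answering for any IP outside the interface's own subnet, as the answer states, whereas real routers also require a route to that IP.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    ip: str
    prefix: int
    proxy_arp: bool = False   # only the firewall interface runs Proxy-ARP

    @property
    def iface(self) -> ipaddress.IPv4Interface:
        return ipaddress.ip_interface(f"{self.ip}/{self.prefix}")

    def thinks_on_link(self, dst: str) -> bool:
        """True if this node would ARP for dst directly (dst inside its own mask)."""
        return ipaddress.ip_address(dst) in self.iface.network

def arp_repliers(dst: str, others: list) -> list:
    """Names of segment members that answer an ARP request for dst."""
    target = ipaddress.ip_address(dst)
    replies = []
    for n in others:
        if n.iface.ip == target:
            replies.append(n.name)      # the real owner always answers
        elif n.proxy_arp and not n.thinks_on_link(dst):
            replies.append(n.name)      # proxy answer with the firewall's own MAC
    return replies

def resolve(sender: Node, dst: str, others: list) -> str:
    """Classify what happens when `sender` tries to reach dst on this segment."""
    if not sender.thinks_on_link(dst):
        return "forwarded to default gateway (no ARP for destination)"
    who = arp_repliers(dst, others)
    if not who:
        return "ARP unanswered: destination unreachable"
    if len(who) == 1:
        return f"ARP answered by {who[0]}"
    return "ambiguous: ARP answered by " + " and ".join(who)

# Topology from the thread; firewall and hardware addresses are assumed values.
SERVER    = Node("server",    "10.45.254.26", 16)
FIREWALL  = Node("firewall",  "10.45.254.1",  24, proxy_arp=True)
FAR_UNIT  = Node("far_unit",  "10.45.100.25", 16)   # outside the firewall's /24
NEAR_UNIT = Node("near_unit", "10.45.254.40", 16)   # inside the firewall's /24

if __name__ == "__main__":
    for dst in ("10.45.1.10", "10.45.100.25", "10.45.254.40", "192.0.2.7"):
        print(dst, "->", resolve(SERVER, dst, [FIREWALL, FAR_UNIT, NEAR_UNIT]))
```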

Commented:
Hello,

Don't look any further. Otto N's answer will solve your problem. He is correct.

Author

Commented:
Otto_N, thanks for the really great response.

Here is what I am saying:


VLAN 600 – 10.45.0.0/16 – Main Hardware Server

VLAN 610 – 10.46.0.0/16 – Remaining Servers

VLAN 632 – 10.47.0.0/16 – Management Devices, Switches, UPS devices

VLAN 650 – 10.48.0.0/16 – Misc. field equipment


Note that field equipment and main server must be on the same subnet/mask, otherwise a default gateway would need to be set in the field equipment. This would defeat the purpose of not having to re-program all device configurations.

Each VLAN will require its own firewall interface with a 255.255.255.0 (/24) mask. Firewall will also have to be configured to allow access between each VLAN and internet access as necessary, and may require things like Proxy-ARP or ICMP redirect disabled.




Hope what I said makes sense!

Commented:
If you allocate /16 subnets, why would you configure /24 subnets on the firewall? Rather configure the firewall with a 255.255.0.0 subnet as well.

If the customer wants the network sizes smaller, change VLANs 610, 632 and 650 to 255.255.255.0 masks. But the subnet that contains the main server should be the same as the hardware contained in it (255.255.0.0).

Commented:
I just now re-read your post, and something does not make sense: do you mean to say that the main Hardware server (VLAN 600) and the Misc Field Equipment (VLAN 650) must be on the same subnet? You will not accomplish this if you put them in separate VLANs (at least, not the way Cisco implements VLANs; it might be possible on other equipment using port-based VLANs).

I would suggest that you put the server and field equipment in the same VLAN (=same subnet), and use a subnet with a 255.255.0.0 mask.  The rest of the VLANs can then be addressed in /24 subnets.

As a rule of thumb, always use the same subnet (and mask) across the entire VLAN, including the firewall interface. As I've indicated, it is possible to make it work if you do not adhere to this rule, but it is definitely not recommended.

Author

Commented:
Sorry to confuse you. We are putting the server that connects to the field equipment and the actual field equipment on the same VLAN.

We are then going to put the remaining VLANs on a /24 subnet.


Appreciate the help. You helped me figure this all out!
