AllDaySentry

asked on

Help Picking Subnets and Vlans

I have a two part question related to subnetting.

First part:

I need help in picking subnets. I need to pick four subnets with an approximate number of hosts in each one: 30, 220, 160, 275.  Each subnet will go in its own vlan.

Our default equipment comes with a 10.45.X.X IP and 255.255.0.0 subnet.  Our current customer has stated this will not work since it is not defined enough.

I need to narrow down the subnet but I would still like to use a 10.45.X.X scheme if possible.  I am not very great with the design part so any help would be appreciated.
Second part:

Our network is going to be joining the customers network through their firewall.  Their firewall will be doing the routing and vlan administration. We will also use part of the customers network for connecting a few workstations in their offices.
As mentioned above, the hardware comes default with a 255.255.0.0 subnet. For maintenance purposes, it would be best to leave it on the default and not switch the subnet.

Customer thinks it is possible to leave our equipment on the 255.255.0.0 subnet but connect to their firewall using a subnet like 255.255.255.0.  Does this make sense?  Does it make sense if the equipment also needs to use part of their network to connect the office workstations?
Otto_N

1) Here is the number of hosts for each subnet mask:
255.255.255.252 (/30): 2 hosts (2^2 - 2)
255.255.255.248 (/29): 6 hosts (2^3 - 2)
255.255.255.240 (/28): 14 hosts (2^4 - 2)
255.255.255.224 (/27): 30 hosts (2^5 - 2)
255.255.255.192 (/26): 62 hosts (2^6 - 2)
255.255.255.128 (/25): 126 hosts (2^7 - 2)
255.255.255.0 (/24): 254 hosts (2^8 - 2)
255.255.254.0 (/23): 510 hosts (2^9 - 2)

Note that the number of hosts has to cater for future growth, and at least one IP will be required by the default gateway of the subnet (the firewall or router interface).  It is also easier to manage if all the subnet masks are the same.  So I would suggest using the /24 subnet mask.  So, you can use the following:
Vlan 1: 10.45.1.0/24
Vlan 2: 10.45.2.0/24
Vlan 3: 10.45.3.0/24
Vlan 4: 10.45.4.0/24
(Note that the VLAN number follows the 3rd octet, also for easier management)
I would also advise that you reserve a couple of IP addresses for network infrastructure (.1 for the default gateway, .2 and .3 for HSRP, if you want to implement gateway redundancy, perhaps some IPs for other devices), and start assigning host IPs only from something like .10.

2) It is not advised to run overlapping subnets like the customer suggests.  Although you will be able to get it to work, your equipment (using the 255.255.0.0 subnet mask) will not be able to reach any IP in the customer's VLANs (in the 255.255.255.0 subnets), unless you configure Proxy-ARP on the firewall.  But it is most advisable to change the subnet mask on your equipment to match the subnet on the firewall (255.255.255.0).  This surely should not affect your equipment that much?
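As an added illustration of the mask table above (this is not code from the thread), the Python below sizes each of the four VLANs from the host counts in the question instead of forcing a uniform /24, and checks whether a proposed /24 actually holds a given count. The VLAN names and the reserve of 10 infrastructure addresses per subnet are assumptions.

```python
import ipaddress

# Host counts from the question (mapping to VLAN names is constructed) and
# the 10.45.X.X block the equipment ships with.
REQUIRED_HOSTS = {"vlan1": 30, "vlan2": 220, "vlan3": 160, "vlan4": 275}
PARENT = ipaddress.ip_network("10.45.0.0/16")


def usable_hosts(prefix_len):
    """Usable IPv4 hosts behind a prefix: 2^(32-prefix) minus network/broadcast."""
    return 2 ** (32 - prefix_len) - 2


def smallest_prefix_for(hosts, reserved=10):
    """Longest prefix (smallest subnet) whose usable host count still covers
    hosts plus 'reserved' infrastructure addresses (gateway, HSRP, ...);
    reserved=10 mirrors the advice to start host addressing at .10 (assumed)."""
    for prefix in range(30, 0, -1):        # /30 is the smallest usable subnet
        if usable_hosts(prefix) >= hosts + reserved:
            return prefix
    raise ValueError("host count exceeds IPv4 address space")


def fits(net, hosts, reserved=10):
    """Check a proposed subnet such as a uniform /24 against a host count."""
    return usable_hosts(ipaddress.ip_network(net).prefixlen) >= hosts + reserved


def plan_subnets(requirements=REQUIRED_HOSTS, parent=PARENT, reserved=10):
    """Carve one right-sized subnet per VLAN out of parent, allocating the
    largest request first so every block starts on an aligned boundary.
    Returns {vlan: "a.b.c.d/len"} in allocation order."""
    plan = {}
    cursor = int(parent.network_address)
    for vlan, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        net = ipaddress.ip_network((cursor, smallest_prefix_for(hosts, reserved)))
        if not net.subnet_of(parent):
            raise ValueError(f"{net} does not fit inside {parent}")
        plan[vlan] = str(net)
        cursor = int(net.broadcast_address) + 1
    return plan


if __name__ == "__main__":
    for vlan, net in plan_subnets().items():
        print(vlan, net, "usable hosts:", usable_hosts(int(net.split("/")[1])))
```

Run as-is it shows that the 275-host VLAN needs a /23, so a uniform /24 plan would be short on addresses for that VLAN.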
AllDaySentry

ASKER

Regarding your answer to part 1, I thought you couldn't (or shouldn't) have the same subnet across multiple Vlans?  How could you use the /24 subnet mask for all four Vlans?
Regarding part 2, the reason for wishing to keep the 255.255.0.0 subnet mask is because some of the equipment is hardware/firmware boards.  You can change the IP address of each board by turning some dials on the board.  If you change the default subnet, you now have to go in with a computer and software tool.

Customer was telling me I could keep my server with 255.255.0.0 subnet and have his firewall as 255.255.255.0 subnet and they could communicate but I don't see how that's possible?

Only our server needs to communicate on his network, not the other hardware.  Could I just keep my server on 255.255.0.0 and then add an alternate IP on the 255.255.255.0 just to communicate with his firewall?
ASKER CERTIFIED SOLUTION
Otto_N
Hello,

Don't look any further. Otto N's answer will solve your problem. He is correct.
Otto_N, thanks for the really great response.

Here is what I am saying:

VLAN 600 – 10.45.0.0/16 – Main Hardware Server

VLAN 610 – 10.46.0.0/16 – Remaining Servers

VLAN 632 – 10.47.0.0/16 – Management Devices, Switches, UPS devices

VLAN 650 – 10.48.0.0/16 – Misc. field equipment

Note that the field equipment and main server must be on the same subnet/mask, otherwise the default gateway would need to be set in the field equipment.  This would defeat the purpose of not having to re-program all device configurations.

Each VLAN will require its own firewall interface with a 255.255.255.0 (/24) mask.  The firewall will also have to be configured to allow access between each VLAN and internet access as necessary, and may require things like Proxy-ARP or ICMP redirect disabled.

Hope what I said makes sense!
If you allocate /16 subnets, why would you configure /24 subnets on the firewall?  Rather configure the firewall with a 255.255.0.0 subnet as well.

If the customer wants the network sizes smaller, change vlan 610, 632 and 650 to 255.255.255.0 masks.  But the subnet that contains the main server should be the same as the hardware contained in it (255.255.0.0).
I just now re-read your post, and something does not make sense:  Do you mean to say that the main Hardware server (VLAN 600) and the Misc Field Equipment (VLAN 650) must be on the same subnet?  You will not accomplish this if you put them in separate VLANs (at least, not the way Cisco implements VLANs; it might be possible on other equipment using port-based VLANs).

I would suggest that you put the server and field equipment in the same VLAN (=same subnet), and use a subnet with a 255.255.0.0 mask.  The rest of the VLANs can then be addressed in /24 subnets.

As a rule of thumb, always use the same subnet (and mask) across the entire VLAN, including the firewall interface.  As I've indicated, it is possible to make it work if you do not adhere to this rule, but it is definitely not recommended.
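An added example, not from the thread, modelling the forwarding decision behind this rule of thumb and the Proxy-ARP point made earlier: a host keeping the /16 mask treats every 10.45.x.x address as on-link and never sends to its gateway, so it only reaches the firewall's other /24 VLANs if the firewall answers ARP on their behalf. The VLAN layout, names and addresses are constructed.

```python
import ipaddress

# Constructed layout in the spirit of the thread: the firewall splits the
# 10.45 space into /24 VLANs (names assumed) while the server may keep the
# /16 mask the hardware ships with.
FIREWALL_VLANS = {
    "vlan600-server": ipaddress.ip_network("10.45.0.0/24"),
    "vlan610-servers": ipaddress.ip_network("10.45.1.0/24"),
    "vlan632-mgmt": ipaddress.ip_network("10.45.2.0/24"),
}


def vlan_of(ip, vlans=FIREWALL_VLANS):
    """Name of the VLAN whose firewall subnet contains ip, else None."""
    ip = ipaddress.ip_address(ip)
    return next((name for name, net in vlans.items() if ip in net), None)


def next_hop(src, dst):
    """A host's forwarding decision uses only its own mask: if dst falls in
    the network that mask defines it ARPs for dst directly ('on-link'),
    otherwise it sends the frame to its default gateway."""
    src = ipaddress.ip_interface(src)
    return "on-link" if ipaddress.ip_address(dst) in src.network else "gateway"


def reachable(src, dst, proxy_arp=False, vlans=FIREWALL_VLANS):
    """Does a packet from interface src ('ip/mask') reach dst? The firewall
    routes between VLANs, but an on-link decision only succeeds when
    something in src's broadcast domain answers the ARP: the real host
    (same VLAN) or the firewall doing Proxy-ARP on its behalf."""
    if next_hop(src, dst) == "gateway":
        return vlan_of(dst, vlans) is not None      # firewall knows a route
    src_ip = ipaddress.ip_interface(src).ip
    return vlan_of(src_ip, vlans) == vlan_of(dst, vlans) or proxy_arp


def demo():
    """Server 10.45.0.10 reaching a management device in VLAN 632 with a
    mismatched /16, with /16 plus Proxy-ARP, and with the matching /24."""
    dst = "10.45.2.50"
    return {
        "/16": reachable("10.45.0.10/16", dst),
        "/16+proxy-arp": reachable("10.45.0.10/16", dst, proxy_arp=True),
        "/24": reachable("10.45.0.10/24", dst),
    }


if __name__ == "__main__":
    print(demo())
```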
Sorry to confuse you.  We are putting the server that connects to the field equipment and the actual field equipment on the same VLAN.

We are then going to put the remaining VLANs on a /24 subnet.
Appreciate the help.  You helped me figure this all out!