Segmenting our Class A network into VLANS / Subnets

Hello all,
I am looking to upgrade our company's server from SBS to 2xServer 2012 R2 in Hyper-V.
This will be quite a major move forward both in capacity and cost, so I am reviewing the current internal IP addressing structure whilst we are in the process.

Currently we have a single subnet of 10.25.0.0 / 20 (255.255.240.0).
I understand this is far too big and shouldn't be in a single subnet ideally. We only have around 40 devices on the network currently, so broadcasts are probably not yet an issue though.
With the view that the company will possibly be going international, with branch offices / servers, I have looked at splitting our existing head-office network into 4 subnets.
This would also make cost effective use of our router+switches which support VLANs and a max of 4 LANs on the router (Draytek Vigor 3200, Netgear GS724TS).
I believe I would then setup each port on the switch to assign VLAN "tag", and relevant settings on the router to match the ID, or could it be setup with all 4 subnets on the same physical network without the use of VLANs? (I think this might defeat the object).

The idea I had for our head office was to use:
10.25.0.0 / 23 - Network devices+servers
10.25.2.0 / 23 - Printers
10.25.4.0 / 23 - DHCP clients
10.25.6.0 / 23 - VPN clients
(255.255.254.0)

If we were to take out a branch office, I would possibly use 10.26.0.0, 10.27.0.0 etc...

Bearing in mind I would rather not totally change the class and addresses of every existing static device on the network (printers, servers, etc), what would your recommendation be to achieve this with minimal disruption? I'm hoping that changing just the subnet mask on servers / devices would be less of a job than a total IP address change on DNS/DHCP/WINS/Exchange etc.

We are not at the stage of having IPv6 public addresses yet, and a couple of devices on the network apparently don't support it either. This was another thought...

Thanks in advance.
chrismanncalgavinAsked:
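The four-way split proposed in the question, checked with Python's standard ipaddress module as an added example (not code from the thread): it enumerates the /23 role blocks, shows what part of the /20 they leave unused, and, against a constructed inventory of static devices, reports which ones could keep their address under the new mask and which would need a new IP. Device names and addresses in the inventory are hypothetical.

```python
import ipaddress

# Figures from the question: today's single /20 and the proposed four /23 role networks.
CURRENT = ipaddress.ip_network("10.25.0.0/20")
PROPOSED = {
    "servers": ipaddress.ip_network("10.25.0.0/23"),
    "printers": ipaddress.ip_network("10.25.2.0/23"),
    "dhcp": ipaddress.ip_network("10.25.4.0/23"),
    "vpn": ipaddress.ip_network("10.25.6.0/23"),
}

# Constructed sample inventory of existing static devices: (name, role, current address).
INVENTORY = [
    ("dc01", "servers", "10.25.0.10"),
    ("fileserver", "servers", "10.25.1.20"),
    ("printer-1st-floor", "printers", "10.25.0.50"),  # lives in the block planned for servers
    ("printer-2nd-floor", "printers", "10.25.3.5"),
    ("legacy-scanner", "printers", "10.25.9.7"),      # outside every proposed block
]

def unallocated(parent, allocated):
    """Blocks of parent not covered by any allocated subnet (works for mixed prefix lengths)."""
    remaining = [parent]
    for net in allocated:
        nxt = []
        for block in remaining:
            if block.subnet_of(net):        # block fully consumed (or identical): drop it
                continue
            if net.subnet_of(block):        # carve net out of this block
                nxt.extend(block.address_exclude(net))
            else:
                nxt.append(block)           # disjoint: keep as-is
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))

def readdressing_needed(inventory, proposed):
    """Names of devices whose current address is outside the block planned for their role.
    Only a mask change is needed for the others; these need a new IP (and DNS/DHCP updates)."""
    return [name for name, role, ip in inventory
            if ipaddress.ip_address(ip) not in proposed[role]]

def usable_hosts(net):
    """Usable host addresses in a subnet, excluding network and broadcast addresses."""
    return net.num_addresses - 2

if __name__ == "__main__":
    for role, net in PROPOSED.items():
        print(f"{role:9s} {net}  usable hosts: {usable_hosts(net)}")
    print("still free in the /20:", [str(n) for n in unallocated(CURRENT, PROPOSED.values())])
    print("need a new address:", readdressing_needed(INVENTORY, PROPOSED))
```

Note that the four /23s only cover the lower half of the /20, so 10.25.8.0/21 stays free for later use, and any device already sitting there would have to be readdressed.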
Soulja53 6F 75 6C 6A 61 Commented:
So what is your question?
0
chrismanncalgavinAuthor Commented:
I'm looking for a review of my plan and an educated opinion of pros/cons. There is no one word answer really. Is the plan along the right tracks or am I misinformed? Reasons either way.
Hope that makes sense.
0
Rick_O_ShayCommented:
If you only have 40 devices to deal with then I would say there is no need to go through the exercise of splitting the network out into separate VLANs and subnets unless there is a valid reason like controlling the isolation of users from things they don’t need to see like payroll servers, HR files, etc.

You will have to change addressing all the way around and you would most likely take a small hit on performance going across the router/L3 device compared to just switching within the same VLAN.

Management would get more complex as well. For example, you would not be able to just plug anything in anywhere; you would have to remember to first put the ports in the right VLAN, etc.

If you wanted to do it to make for a smaller subnet but with all devices still in the single VLAN it could make sense for freeing up some of that address space for future needs for new networks.
0
chrismanncalgavinAuthor Commented:
Thanks for the reply. Interesting...
So do you mean to keep only a single VLAN due to management complexity?
I agree this would make patching connections to switches more difficult without very careful labelling, coloured cabling!

What sort of size subnet / addressing scheme would you suggest if we were just to make it smaller?
In terms of expansion from the 40 devices currently, we are likely to double that in the next 4 years in the main office.
Am I right that broadcasts really become a problem after 500 hosts per subnet? (some say 254).

If this is the case, maybe it would be wise just to stick with what we have currently?
0
skullnobrainsCommented:
there are (at least) 3 reasons why you would want routing

there are too many hosts on the same LAN and the whole thing is turning into an ARP shoutcast mess --> given the fact you have 40 hosts, this does not apply. having lots of addresses does not harm or even change a thing.

the hosts are in different locations and you cannot (or would not) interconnect them using level 2 --> might apply later but you have no reason to bother before that happens

the hosts have different roles and should not be allowed to inter-connect freely for security reasons. --> it does not seem like this is your concern ?

and you'd only want vlans in a site if you needed to enforce some kind of security restriction. remember that setting up 2 VLANs and routing between them does not add much security apart from internal man in the middle arp attacks. basically this is useless unless you actually have set up ACL restrictions on the router or firewall that joins the vlans together.

if you want to experience speedup or at least prevent speeddown :
- not having hundreds of hosts on the same network segments helps, but 40 is ok
- interconnecting far away locations in level2 is usually a bad idea and often impossible
- using VLANs everywhere does not speed up anything, it adds to the cost in a negligible way most of the time and quite a lot in some specific situations. if you interconnect 2 sites, you can set up a vlan for that link only or forbid arp traffic forwarding over that link somehow, which will effectively isolate both sites without going into the hassle of using vlans everywhere. if the sites are interconnected through some kind of point-to-point connection such as a VPN or PPP links, this will be the case out-of-the-box.
0

masnrockCommented:
Given what you've cited, I would make the head office just one network... either a class A or a 23 bit subnet like you've mentioned. But you do not have nearly enough of a cause to have 4 different LANs. But it is good that you're trying to think ahead.
0
chrismanncalgavinAuthor Commented:
Thanks skullnobrains and masnrock.
So far I'm getting the impression that it's best to stick with what we have for now, to save unnecessary expense. When the network grows to around 200 hosts or more I would probably look towards subnetting into several 23-bit subnets like mentioned, or even IPv6 by then maybe.

In hindsight I wouldn't have used such a huge subnet to begin with, (hindsight is a dangerous thing!).
But at least it wasn't too small I suppose.
Thanks for the useful comments.
0
masnrockCommented:
No problem at all. At least you did not use a class A or B network. But yes, keeping the status quo is ideal for now. It should be a good while before you have to worry about capacity planning at the home office in terms of addresses.
0
skullnobrainsCommented:
i believe it is your best choice.

200 hosts on a single network is not that bad on enterprise-class gigabit switches. even if they are all microsoft, the shoutcast should be acceptable if the links between switches are performant enough.

assuming security is out of the discussion, basically think of subnetting when your topology produces a situation in which you have lots of machines on either side of a link and the ARP and broadcast traffic starts to eat up the bandwidth.

having big subnets does not harm. using a /16 or bigger for each site is not that bad a setup. people like me who like dealing with /16 and /24 as much as they can usually eat up lots of addresses. it complicates network scans which are mostly used for aggressive reasons and does not change how the rest operates.
0