

Need to change our LAN subnet class. How to properly subnet an 80 person office if you could start fresh?

Posted on 2014-02-03
Medium Priority
Last Modified: 2014-02-18
So the LAN office network I inherited was one giant class A subnet ( . We have a few VPN tunnels to other sites, and a new VPN tunnel we need cannot currently be set up, due to their side running a 10.x.x.x LAN. I'll list some key info and concerns I have below.

This is an all Windows network. Also all TCP/IP v4.
We have a DHCP pool for workstations and portable devices.
We have about a dozen large networked Ricoh printers, all using static IP's.
We have dozens of servers old & new, all using static IP's.
We have a handful of older Netgear and SMC 1 gigabit switches, using static IP's. No VLAN's going on within the environment.
We have one single gateway assigned to every workstation and server at the moment, a Sonicwall NSA 2400 security/firewall appliance.

While I've set up plenty of small LANs in my day, this would be the biggest environment that I'm basically going to "start fresh" and re-do. I am familiar with all the equipment and know how & where to change IP info, subnet info, gateway, etc.

I guess my question really is... what is the best way to subnet this environment out ? I'd like to do whatever possible to keep or improve network performance, reduce / cut network broadcast traffic, and maintain flexibility for adding further subnets in the future. I also do not want to put too heavy of a load on the Sonicwall NSA 2400 firewall; that should really only be getting hit for internet & VPN traffic.

Several small class C subnets ? A larger class B ?

Thanks for all help & advice. Please let me know if you have questions and/or need more details, and I'd be happy to post!
Question by:hfcadmins

Assisted Solution

ffleisma earned 750 total points
ID: 39830720
As a basic example, we can use the following subnet template.

I'll try to design a high level IP addressing which is mostly tied up to VLAN assignment.

Usually I design using /24 for most subnets, as it is easy to range and it avoids complicated subnetting calculations.
If it is not necessary to maximize IP address space, use a /24 for each individual VLAN assignment.
Using /24 will also be useful in VLAN assignment, as I'll show later on.
Also, using a /24 gives an adequate subnet without over-sizing the broadcast domain. Broadcast storms on a single /23 or /22 can impact a whole lot of devices.

In terms of default gateway, it is best design practice to keep it at the core switch (except for DMZs, which usually have the DG on the FW). The FW-Core link should be on a dedicated /30 point-to-point VLAN. This avoids multiple sub-interfaces or VLANs terminating on the firewall, and the FW is left to handle the routing.

Network Equipment (Management IP)

Don't use VLAN 1 as much as possible, as VLAN 1 is the most vulnerable in terms of L2 security.
VLAN 1 is untagged, and the most common attacks, VLAN hopping and traffic snooping, can be done towards VLAN 1.
Assign a separate VLAN/subnet for device management IPs.
Use loopback interfaces on L3 devices (routers/L3 switches) with /32 addresses distributed via a dynamic routing protocol. This is useful in saving IP address space, and device logging/monitoring/administration can reference the loopback interface instead of an L3 device interface.
For a firewall or other network appliance with a mgmt interface, utilize the management interface for device administration access if possible.

Create server VLAN for basic requirement
DMZ Server VLAN100
DMZ Server VLAN101
Internal Server VLAN200
Internal Server VLAN201
Server VLANs can also be separated in terms of server ILO interface and NIC interface.
Place the server ILO VLAN separate from the server NIC interface VLAN.

General Host VLANs

Have separate voice and data VLAN
(sample, use odd VLAN for data, even VLAN for voice)

1st floor - VLAN011_01F_Data01
2nd floor - VLAN021_02F_Data01

By utilizing /24 we can take advantage of this in terms of VLAN assignment.
VLAN011_01F_Data01     192.168.11.x/24
VLAN012_01F_Voice01    192.168.12.x/24

VLAN013_01F_Data02     192.168.13.x/24
VLAN014_01F_Voice02    192.168.14.x/24

Notice that the 3rd octet is the VLAN number?
Now this is much more intuitive.
Automatically, for VLAN 23,
you can guess off the top of your head an IP subnet of 192.168.23.x,
and that it is a data VLAN for the second floor.

In terms of subnet scope, we can reserve .1-.10 and .240-.253. The DHCP scope for hosts is .11-.239 (228 hosts, fairly enough for a normal office size).
This gives us enough IP addresses to assign as default gateway (HSRP/standby IP: core1=.2, core2=.3, virtual interface=.1), reserved static IP devices (can also be used for printers/multifunction devices) or NATing functions.

General misc. devices (printers, scanners, TV displays, smart TVs) can all be placed on a single VLAN if needed, with no DHCP, all multifunction devices configured with static IPs.
If requirements state separation of individual multifunction devices, it can be divided into multiple VLANs as well.

1st floor devices - .10-.19
2nd floor devices - .20-.29

A separate individual /24 VLAN/subnet shall also be assigned for each VPN pool. Each pool is assigned a /24 subnet/VLAN so that policy handling can be done and applied to each VPN pool.

Inter-device links (L3 links) can use /30 addresses, saving IP addresses; assigning a /24 for L3 links is just wasteful of a /24 subnet.
Inter-device links can be as follows:
Firewall-service provider router

I know this covers a lot of points; let me know if you need me to elaborate on certain points, or maybe we can come to a network diagram highlighting the designs. Would you wish to segregate internal users per Department/Function/Floor-Location?
LVL 27
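The template in the answer above (one /24 per VLAN with the VLAN id in the third octet, .1 virtual gateway, .2/.3 cores, .1-.10 and .240-.253 reserved, DHCP .11-.239, /30 point-to-point links, VLAN 1 avoided) can be turned into a small plan generator that also checks the result for overlapping prefixes. This is an added example, not code from the answer or from any vendor tool; the function names, the sample VLAN list and the 192.168.250.0/24 link pool are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Per-/24 host template from the answer above (constructed constants):
# .1 virtual gateway, .2/.3 the two cores, .1-.10 and .240-.253 reserved,
# DHCP scope .11-.239.
RESERVED_LOW = (1, 10)
DHCP_SCOPE = (11, 239)
RESERVED_HIGH = (240, 253)


def vlan_id_allowed(vlan_id):
    """VLAN 1 is excluded (untagged default VLAN); the third-octet scheme only fits 2..255."""
    return 2 <= vlan_id <= 255


def describe_vlan(vlan_id):
    """Decode the naming convention: tens digit = floor, odd id = data, even id = voice."""
    return vlan_id // 10, ("data" if vlan_id % 2 else "voice")


def plan_vlan(vlan_id, name, base="192.168.0.0/16"):
    """Derive one VLAN's /24 and host layout by writing the VLAN id into the third octet of `base`."""
    if not vlan_id_allowed(vlan_id):
        raise ValueError(f"VLAN {vlan_id}: only ids 2..255 fit the third-octet scheme")
    base_net = ipaddress.ip_network(base)
    if base_net.prefixlen > 16:
        raise ValueError("base must be a /16 or larger so the VLAN id can occupy the third octet")
    net_addr = ipaddress.IPv4Address(int(base_net.network_address) + (vlan_id << 8))
    net = ipaddress.ip_network(f"{net_addr}/24")

    def host(n):
        return str(net.network_address + n)

    floor, role = describe_vlan(vlan_id)
    return {
        "vlan": vlan_id,
        "name": f"VLAN{vlan_id:03d}_{name}",
        "floor": floor,
        "role": role,
        "network": str(net),
        "gateway": host(1),  # HSRP virtual address
        "core1": host(2),
        "core2": host(3),
        "dhcp_first": host(DHCP_SCOPE[0]),
        "dhcp_last": host(DHCP_SCOPE[1]),
        "dhcp_hosts": DHCP_SCOPE[1] - DHCP_SCOPE[0] + 1,  # inclusive count
        "reserved": [(host(RESERVED_LOW[0]), host(RESERVED_LOW[1])),
                     (host(RESERVED_HIGH[0]), host(RESERVED_HIGH[1]))],
    }


def allocate_p2p_links(pool, link_names):
    """Carve one /30 per L3 link out of `pool`; each /30 yields exactly two usable addresses."""
    blocks = ipaddress.ip_network(pool).subnets(new_prefix=30)
    links = []
    for name, block in zip(link_names, blocks):
        side_a, side_b = block.hosts()
        links.append({"link": name, "network": str(block), "a": str(side_a), "b": str(side_b)})
    if len(links) != len(link_names):
        raise ValueError(f"{pool} has too few /30s for {len(link_names)} links")
    return links


def find_overlaps(cidrs):
    """Return every pair of prefixes that overlap; an empty list means the plan is clean."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def build_plan(vlans, link_pool="192.168.250.0/24", links=("FW-Core",), base="192.168.0.0/16"):
    """Full addressing plan: one /24 per VLAN plus /30 links, refused if anything overlaps."""
    vlan_plans = {vid: plan_vlan(vid, name, base) for vid, name in vlans}
    clashes = find_overlaps([p["network"] for p in vlan_plans.values()] + [link_pool])
    if clashes:
        raise ValueError(f"overlapping prefixes in plan: {clashes}")
    return {"vlans": vlan_plans, "links": allocate_p2p_links(link_pool, links)}


if __name__ == "__main__":
    # Constructed sample following the floor/data/voice convention above
    sample = [(11, "01F_Data01"), (12, "01F_Voice01"), (13, "01F_Data02"),
              (14, "01F_Voice02"), (21, "02F_Data01"), (22, "02F_Voice01")]
    plan = build_plan(sample, links=["FW-Core", "FW-ISP"])
    for p in plan["vlans"].values():
        print(f'{p["name"]:<22} {p["network"]:<18} gw {p["gateway"]:<15} '
              f'DHCP {p["dhcp_first"]}-{p["dhcp_last"]} ({p["dhcp_hosts"]}) '
              f'floor {p["floor"]} {p["role"]}')
    for link in plan["links"]:
        print(f'{link["link"]:<22} {link["network"]:<18} {link["a"]} <-> {link["b"]}')
```

Two practical points the generator makes visible: the third-octet convention caps the design at VLAN ids 2 through 255 (and needs a /16 or larger base), and an inclusive .11-.239 scope is 229 addresses, which is the number to enter when the DHCP range is defined. The overlap check is what catches a VLAN id that collides with the /30 link pool (VLAN 250 against 192.168.250.0/24 in the sample) before it is rolled out.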

Accepted Solution

Fred Marshall earned 750 total points
ID: 39831406
With only 80 people there would appear to be no strong reason to use more than a /24 subnet.  If you want to get fancier than that then by all means.  But starting with simplicity at that size seems a good idea.

So you might choose something like
I chose the "8" in the 3rd octet so you could readily go to /23 and /22 if ever needed AND you could add within the /23 .. and so forth.  Just thinking ahead.

Then, within the subnet, you could assign blocks to various uses if you want.  e.g. DHCP, servers and printers, managers, non-managers, etc. which could come in handy when setting up web filters, etc. depending on your firewall.

I would go no further than that for starters.  You can always introduce VLANs as may seem appropriate later on.

Author Closing Comment

ID: 39868466
Sorry for the long delay in my response... I did appreciate your comments to get my brain thinking about how & what I wanted to do.

I decided to go ahead with a class B and a subnet of /22 ( .

This allowed me to use the following:

172.16.200.x - Servers
172.16.201.x - DHCP
172.16.202.x - Admin
172.16.203.x - Printers
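Fred's point about choosing a third octet that lets a /24 widen to a /23 or /22 in place, and the /22 the author finally carved into four role-based /24s, can both be checked with Python's ipaddress module. This is an added example, not code from either participant; 192.168.8.0/24 is a constructed address standing in for the one Fred's post does not show (only the "8" in the third octet is given), and the function names are mine.

```python
import ipaddress


def supernet_of(cidr, new_prefix):
    """The /new_prefix block that contains `cidr`."""
    net = ipaddress.ip_network(cidr)
    return str(net.supernet(new_prefix=new_prefix))


def is_aligned(cidr, new_prefix):
    """True when `cidr` starts on a /new_prefix boundary, so widening the mask keeps the network address."""
    net = ipaddress.ip_network(cidr)
    return net.supernet(new_prefix=new_prefix).network_address == net.network_address


def largest_aligned_prefix(cidr, floor_prefix=16):
    """Shortest prefix (largest block) `cidr` can grow into without its network address moving."""
    net = ipaddress.ip_network(cidr)
    best = net.prefixlen
    for p in range(net.prefixlen - 1, floor_prefix - 1, -1):
        if not is_aligned(cidr, p):
            break  # alignment is monotone: once it fails, every shorter prefix fails too
        best = p
    return best


def growth_path(cidr, stop_prefix=22):
    """Each widening step from `cidr` down to /stop_prefix: block, usable hosts, and whether it is in place."""
    net = ipaddress.ip_network(cidr)
    steps = []
    for p in range(net.prefixlen, stop_prefix - 1, -1):
        sup = net if p == net.prefixlen else net.supernet(new_prefix=p)
        steps.append({
            "prefix": p,
            "network": str(sup),
            "usable_hosts": sup.num_addresses - 2,  # one broadcast domain of this size
            "in_place": sup.network_address == net.network_address,
        })
    return steps


def carve(cidr, new_prefix):
    """Split a block into its /new_prefix children, e.g. a /22 into four /24s."""
    return [str(s) for s in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def assign_roles(supernet, roles):
    """Map role names onto consecutive /24s of `supernet`, as the author did with 172.16.200.0/22."""
    blocks = carve(supernet, 24)
    if len(roles) > len(blocks):
        raise ValueError(f"{supernet} has only {len(blocks)} /24s for {len(roles)} roles")
    return dict(zip(roles, blocks))


def locate(address, plan):
    """Which role block a host address falls in, or None if it is outside the plan."""
    ip = ipaddress.ip_address(address)
    for role, block in plan.items():
        if ip in ipaddress.ip_network(block):
            return role
    return None


if __name__ == "__main__":
    # Constructed stand-in for Fred's "8 in the 3rd octet" /24
    for step in growth_path("192.168.8.0/24"):
        print(step)
    print("largest in-place block:", supernet_of("192.168.8.0/24", largest_aligned_prefix("192.168.8.0/24")))
    # The author's final layout from the closing comment
    roles = assign_roles("172.16.200.0/22", ["Servers", "DHCP", "Admin", "Printers"])
    for role, block in roles.items():
        print(f"{role:<9} {block}")
    print("172.16.203.7 lives in:", locate("172.16.203.7", roles))
```

For 192.168.8.0/24 every step to /22 (and even /21) is in place, which is exactly why the "8" matters: 192.168.9.0/24 still fits inside 192.168.8.0/23, but its network address moves, so gateway and DHCP definitions have to change with it. The usable_hosts figure for the /22 (1022) is also the size of the single broadcast domain ffleisma cautioned about, which is the trade-off behind the author's choice of one /22 split into four purpose-specific /24s.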

