Solved

Need to change our LAN subnet class. How to properly subnet an 80 person office if you could start fresh?

Posted on 2014-02-03
Last Modified: 2014-02-18
So the LAN office network I inherited was one giant class A subnet (255.0.0.0). We have a few VPN tunnels to other sites, and a new VPN tunnel we need cannot currently be set up yet, due to their side running a 10.x.x.x LAN. I'll list some key info and concerns I have below.

This is an all Windows network. Also all TCP/IP v4.
We have a DHCP pool for workstations and portable devices.
We have about a dozen large networked Ricoh printers, all using static IPs.
We have dozens of servers old & new, all using static IPs.
We have a handful of older Netgear and SMC 1 gigabit switches, using static IPs. No VLANs going on within the environment.
We have one single gateway assigned to every workstation and server at the moment, a Sonicwall NSA 2400 security/firewall appliance.

While I've set up plenty of small LANs in my day, this would be the biggest environment that I'm basically going to "start fresh" and re-do. I am familiar with all the equipment and know how & where to change IP info, subnet info, gateway, etc.

I guess my question really is... what is the best way to subnet this environment out? I'd like to do whatever possible to keep or improve network performance, reduce / cut network broadcast traffic, and maintain flexibility for adding further subnets in the future. I also do not want to put too heavy of a load on the Sonicwall NSA 2400 firewall; that should really only be getting hit for internet & VPN traffic.

Several small class C subnets? A larger class B?

Thanks for all help & advice. Please let me know if you have questions and/or need more details, and I'd be happy to post!
0
Question by:hfcadmins
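The blocker described in the question, a VPN peer whose LAN falls inside the local 10.0.0.0/8, is an address-space overlap, and overlap is cheap to check before committing to a renumbering plan. The Python below is an added example, not part of the original thread: it uses the standard-library ipaddress module to list which peer subnets collide with a local block and to pick the first renumbering candidate that clears all of them. The peer subnets and candidate blocks are constructed for illustration.

```python
import ipaddress

# Constructed sample values for this example. The local LAN is the inherited
# /8 from the question; the peer subnets are hypothetical remote sites, with
# "new-site" standing in for the 10.x.x.x office the question mentions.
LOCAL_LAN = "10.0.0.0/8"
VPN_PEERS = {
    "site-a": "192.168.50.0/24",
    "site-b": "172.16.40.0/24",
    "new-site": "10.20.30.0/24",
}


def conflicting_peers(local_cidr, peers=VPN_PEERS):
    """Names of peer subnets whose address space overlaps the local LAN.

    A tunnel whose two ends share address space cannot be routed: the
    gateway has no way to tell a local host from a remote one.
    """
    local = ipaddress.ip_network(local_cidr, strict=False)
    return sorted(
        name for name, cidr in peers.items()
        if local.overlaps(ipaddress.ip_network(cidr, strict=False))
    )


def first_clear_candidate(candidates, peers=VPN_PEERS):
    """Pick the first renumbering candidate that overlaps no VPN peer.

    Returns None when every candidate collides with some peer.
    """
    for cidr in candidates:
        if not conflicting_peers(cidr, peers):
            return cidr
    return None


if __name__ == "__main__":
    print("conflicts today:", conflicting_peers(LOCAL_LAN))
    # Candidates constructed from the two address families discussed in the thread.
    choice = first_clear_candidate(["10.20.0.0/16", "172.16.200.0/22"])
    print("first non-overlapping candidate:", choice)
```

Running the check against every existing and planned tunnel peer, not just the one that is failing today, is what keeps the new block usable as more sites are added.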
3 Comments
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 250 total points
ID: 39830720
Basic example: we can do the following subnet template.

I'll try to design a high level IP addressing which is mostly tied up to VLAN assignment.

Usually I design using /24 for most subnets as it is easy to range and it avoids complicated subnetting calculations.
If not necessary to maximize IP address space use /24 for each individual VLAN assignments.
Using /24 will also serve useful in VLAN assignment as I'll show later on.
Also, using a /24 gives an adequate subnet without over-sizing the broadcast domain. Broadcast storms on a single /23 or /22 can impact a whole lot of devices.

In terms of default gateway, it is best design practice to keep it at the core switch (except for DMZs, which usually have the DG on the FW). The FW-Core link should be on a dedicated VLAN with a /30 point-to-point subnet. This avoids multiple sub-interfaces or VLANs terminating on the firewall, and the FW is left to handle the routing.

Network Equipment (Management IP)

Don't use VLAN 1 as much as possible, as VLAN 1 is most vulnerable in terms of L2 security.
VLAN 1 is not tagged, and the most common attacks (VLAN hopping, traffic snooping) can be done towards VLAN 1.
Assign a separate VLAN/subnet for device management IPs.
Use loopback interfaces on L3 devices (routers/L3 devices) with /32 addresses distributed via a dynamic routing protocol. This is useful in saving IP address space, and device logging/monitoring/administration can be referenced on the loopback interface instead of an L3 device interface.
For firewalls or other network appliances with a management interface, utilize the management interface for device administration access if possible.


Create server VLANs for the basic requirements:
DMZ Server VLAN100
DMZ Server VLAN101
.
.
Internal Server VLAN200
Internal Server VLAN201
.
.
Server VLANs can also be separated in terms of server ILO interfaces and NIC interfaces.
Place the server ILO VLAN separate from the server NIC interface VLAN.

General Host VLANs

Have separate voice and data VLAN
(sample, use odd VLAN for data, even VLAN for voice)

1st floor - VLAN011_01F_Data01
            VLAN012_01F_Voice01

            VLAN013_01F_Data02
            VLAN014_01F_Voice02

2nd floor - VLAN021_02F_Data01
            VLAN022_02F_Voice01

            VLAN023_02F_Data02
            VLAN024_02F_Voice02

By utilizing /24 we can take advantage of this in terms of VLAN assignment.

VLAN011_01F_Data01     192.168.11.x/24
VLAN012_01F_Voice01    192.168.12.x/24

VLAN013_01F_Data02     192.168.13.x/24
VLAN014_01F_Voice02    192.168.14.x/24

Notice that the 3rd octet is the VLAN number?
Now this is much more intuitive.
Automatically, for VLAN 23, you can guess off the top of your head an IP subnet of 192.168.23.x, and that it is a data VLAN for the second floor.

In terms of subnet scope, we can reserve .1-.10 and .240-.253. The DHCP scope for hosts is .11-.239 (228 hosts, fairly enough for a normal office size).
This gives us enough IP addresses to assign as default gateway (HSRP standby IPs: core1=.2, core2=.3, virtual interface=.1), reserved static IP devices (can also be used for printers/multifunction devices) or NATing functions.

General misc. devices (printers, scanners, TV displays, smart TVs) can all be placed on a single VLAN if needed, with no DHCP, and all multifunction devices configured with static IPs.
If requirements state separation between individual multifunction devices, it can be divided into multiple VLANs as well.

VLAN 5
1st floor devices - .10-.19
2nd floor devices - .20-.29
.
.
.

A separate individual /24 VLAN/subnet shall also be assigned for each VPN pool, so that policy handling can be done and applied to each VPN pool.

Inter-device links (L3 links) can use /30 addresses, saving IP addresses in this case, as assigning a /24 for an L3 link is just wasteful of a /24 subnet.
Inter-device links can be as follows:
Firewall-Core
Firewall-service provider router
Core-router

I know this covers a lot of points; let me know if you need me to elaborate on certain points, and/or maybe we can come to a network diagram highlighting the designs. Would you wish to segregate internal users per Department/Function/Floor-Location?
0
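The template above is mechanical enough to generate rather than type out: VLAN N maps to 192.168.N.0/24, odd ids carry data and even ids voice, the tens digit is the floor, and every /24 has the same reserved ranges (.1-.10 for gateway and HSRP addresses, .240-.253 for statics and NAT) with DHCP handing out .11-.239, while inter-device links get a /30 each. The Python below is an added example, not the answerer's own tooling, that produces that plan with the standard-library ipaddress module; the 192.168.0.0/16 base block and the /24 set aside for point-to-point links are assumptions, since the answer names neither.

```python
import ipaddress

# Scheme from the answer above: VLAN N <-> 192.168.N.0/24 (third octet equals
# the VLAN id), odd ids are data VLANs, even ids are voice VLANs, and the tens
# digit is the floor. Inside each /24: .1 is the gateway virtual IP, .2/.3 the
# two core switches, .1-.10 and .240-.253 are reserved, DHCP serves .11-.239.
BASE_BLOCK = "192.168.0.0/16"   # assumed: the answer only shows 192.168.N.x
P2P_POOL = "192.168.254.0/24"   # assumed: one /24 carved into /30 links


def vlan_subnet(vlan_id, base=BASE_BLOCK):
    """Map a VLAN id to its /24 inside the base block (192.168.<id>.0/24)."""
    slash24s = list(ipaddress.ip_network(base).subnets(new_prefix=24))
    if not 1 <= vlan_id < len(slash24s):
        raise ValueError(f"VLAN {vlan_id} has no /24 in {base}")
    return slash24s[vlan_id]


def describe_vlan(vlan_id):
    """Recover floor and role from the id alone, as the answer suggests."""
    floor = vlan_id // 10
    role = "Data" if vlan_id % 2 else "Voice"
    return floor, role


def plan_vlan(vlan_id, index=None):
    """Full address plan for one host VLAN, named in the answer's format."""
    net = vlan_subnet(vlan_id)
    first = net.network_address
    floor, role = describe_vlan(vlan_id)
    if index is None:
        # Units digit 1/2 -> first data/voice pair, 3/4 -> second pair, ...
        index = ((vlan_id % 10) + 1) // 2
    return {
        "name": f"VLAN{vlan_id:03d}_{floor:02d}F_{role}{index:02d}",
        "subnet": str(net),
        "gateway_vip": str(first + 1),       # HSRP virtual address
        "core1": str(first + 2),
        "core2": str(first + 3),
        "reserved_low": (str(first + 1), str(first + 10)),
        "dhcp_range": (str(first + 11), str(first + 239)),
        "dhcp_size": 239 - 11 + 1,           # addresses actually in the pool
        "reserved_high": (str(first + 240), str(first + 253)),
        "broadcast": str(net.broadcast_address),
    }


def p2p_links(link_names, pool=P2P_POOL):
    """Assign one /30 per inter-device link; each /30 has two usable hosts."""
    blocks = ipaddress.ip_network(pool).subnets(new_prefix=30)
    links = {}
    for name, block in zip(link_names, blocks):
        a, b = block.hosts()
        links[name] = {"subnet": str(block), "a_side": str(a), "b_side": str(b)}
    return links


if __name__ == "__main__":
    for vid in (11, 12, 13, 14, 21, 22, 23, 24):
        p = plan_vlan(vid)
        print(p["name"], p["subnet"], "gw", p["gateway_vip"], "dhcp", p["dhcp_range"])
    for name, link in p2p_links(["Firewall-Core", "Firewall-SP-Router", "Core-Router"]).items():
        print(name, link)
```

Keeping the plan as data produced by one function, rather than as per-VLAN hand edits, means the DHCP scope, HSRP addresses and reserved ranges cannot drift apart between VLANs, and a new floor or VPN pool is one more id fed to the same generator.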
 
LVL 25

Accepted Solution

by: Fred Marshall
Fred Marshall earned 250 total points
ID: 39831406
With only 80 people there would appear to be no strong reason to use more than a /24 subnet.  If you want to get fancier than that then by all means.  But starting with simplicity at that size seems a good idea.

So you might choose something like 10.10.8.0/24.
I chose the "8" in the 3rd octet so you could readily go to /23 and /22 if ever needed AND you could add 10.10.9.0/24 within the /23, and so forth. Just thinking ahead.

Then, within the 10.10.8.0/24 subnet, you could assign blocks to various uses if you want.  e.g. DHCP, servers and printers, managers, non-managers, etc. which could come in handy when setting up web filters, etc. depending on your firewall.

I would go no further than that for starters.  You can always introduce VLANs as may seem appropriate later on.
0
 

Author Closing Comment

by:hfcadmins
ID: 39868466
Sorry for the long delay in my response... I did appreciate your comments to get my brain thinking about how & what I wanted to do.

I decided to go ahead with a class B and subnet of /22 (255.255.252.0).

This allowed me to use the following:

172.16.200.x - Servers
172.16.201.x - DHCP
172.16.202.x - Admin
172.16.203.x - Printers

Thanks!
0
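Fred Marshall's reason for picking 10.10.8.0/24 (so that it can widen to /23 or /22 in place) and the /22 at 172.16.200.0 chosen in the closing comment both come down to alignment: the network address has to sit on the boundary of the larger block, which is why 8 and 200 work where 9 would not. The Python below is an added example, not from either poster, that checks that alignment with the standard-library ipaddress module and lists which /24 blocks a larger subnet covers.

```python
import ipaddress


def aligned_supernet(cidr, new_prefix):
    """Return the supernet that starts at this network's own address, or None.

    Growing 10.10.8.0/24 to /23 or /22 in place only works when the network
    address lies on the larger block's boundary. ipaddress raises ValueError
    when host bits would be set under the new prefix; that is exactly the
    misaligned case, so it is reported as None rather than as a shifted block.
    """
    net = ipaddress.ip_network(cidr)
    if new_prefix >= net.prefixlen:
        raise ValueError("new_prefix must be shorter than the current prefix")
    try:
        return str(ipaddress.ip_network(f"{net.network_address}/{new_prefix}"))
    except ValueError:
        return None


def shortest_in_place_prefix(cidr, min_prefix=16):
    """Shortest prefix this network can grow to without moving its start.

    Walks one bit at a time toward min_prefix and stops at the first
    misalignment, so the result is the largest block the address still anchors.
    """
    net = ipaddress.ip_network(cidr)
    best = net.prefixlen
    for prefix in range(net.prefixlen - 1, min_prefix - 1, -1):
        if aligned_supernet(cidr, prefix) is None:
            break
        best = prefix
    return best


def covered_slash24s(cidr):
    """List the /24 blocks inside a larger subnet, e.g. the closing comment's /22."""
    net = ipaddress.ip_network(cidr)
    return [str(s) for s in net.subnets(new_prefix=24)]


if __name__ == "__main__":
    for start in ("10.10.8.0/24", "10.10.9.0/24", "172.16.200.0/22"):
        print(start, "can grow in place to /%d" % shortest_in_place_prefix(start))
    print(covered_slash24s("172.16.200.0/22"))
```

A third octet divisible by 4 gives room for a /22, divisible by 8 for a /21, and so on; checking this once before assigning the first server address is what avoids renumbering again when the second floor fills up.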
