Solved

Need to clarify routing

Posted on 2014-02-04
556 Views
Last Modified: 2014-02-04
Needing to bust the rust off my subnetting. Hopefully EE-land can help.


Setting up a 172.16.x.x network

I want the servers, routers, etc. to be in 172.16.0.1-172.16.0.254

I want the PCs, etc. to be in 172.16.1.1-172.16.3.254

Should I mask the servers with 255.255.128.0
and
Should I mask the PCs with 255.255.192.0
in order to
Cut down on broadcast/data/etc?

or do they all need to have the same subnet mask?
0
Comment
Question by:Paul Wagner
8 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 39834073
I want the servers, routers, etc. to be in 172.16.0.1-172.16.0.254
172.16.0.0/24
range: 172.16.0.1 - 172.16.0.253 (254 broadcast)

I want the PC's, etc. to be in 172.16.1.1-172.16.3.254

unfortunately you can't assign 172.16.1.0/23 (overlaps 172.16.0.1 - 172.16.1.254), the next available is 172.16.2.0/23 (172.16.2.1 - 172.16.3.254)

increments of subnets are

256 host - /24
512 host - /23
1024 host - /22
and so on... (-2 actually to remove subnet and broadcast)

so if you really need 768 (256*3: 1.1-256    2.1-256    3.1-256), you'll have to jump and use a /22, that is a 172.16.4.0/22 (172.16.4.1 - 172.16.7.254).

in my opinion, keep users on /24, and assign most VLANs on a /24 to keep subnetting simple. if an additional data VLAN is needed create another /24. I know in some cases a /23 is needed or even a /22, but in my opinion, those subnets are too big and broadcast storms or any issue in a /23 or a /22 can impact more than 500 devices (imagine that). I usually try to separate LAN data, LAN voice, Wifi, MSC devices (printers) on their own /24 VLANs

if you like there is a free tool from solarwinds, IP subnet calculator, it is very handy, you just need to signup and it's free.

http://www.solarwinds.com/products/freetools/free_subnet_calculator.aspx

subnet mask doesn't necessarily need to be the same for different VLANs, it is the overlapping when switching from one mask to another which you have to look out for.
0
 
LVL 5

Author Comment

by:Paul Wagner
ID: 39834137
@ffleisma

Why wouldn't I be able to put everything in a /19 or /20 and then just put data, voice, etc. into different vlans?
Wouldn't this essentially cut out broadcast storms?

I definitely understand the /24 reasoning, but then why would I need different vlans if I'm controlling everything with blocks of /24 subnets?
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39834182
actually you can use /19 or /20 by all means, but that is just too big of a broadcast domain

by design, segments should not contain more than 20% broadcast or multicast traffic and having a /19 (8190 hosts) or a /20 (4094 hosts) can create enough broadcast traffic within the segment that can impact service. Not to mention when something goes wrong in the network like a network loop, all those hosts will be impacted. Another example, in terms of viruses or worms which send broadcasts, it can infect or DDOS such a big number of hosts within the LAN.

When putting each category in a VLAN (data, voice, etc) they have to be in different network segments. That is the purpose of VLANs, to segment broadcast domains which basically means putting them into different IP segments/subnet.

Also by putting everything data/voice/servers in one VLAN creates security risks. A PC user can sniff traffic and gather voice/server packets within the same broadcast domain. In terms of firewall security, putting everything in one big segment, it will be very hard to fine tune or apply permissive policies to specific users/servers/voice as everyone gets permitted when you allow the entire big subnet.

let me know your thoughts and if you have more questions. hope I can help
0
 
LVL 5

Author Comment

by:Paul Wagner
ID: 39834209
@ffleisma

Ya, this is definitely helping.

I downloaded the solar winds subnet calc.

Taking your advice, I went to the Classful Subnet Calculator tab and entered 172.16.0.0 with /24.

It gave me a view of what you're saying.

So... (correct me if I'm wrong)

A. Addressing
Subnet area 1. 172.16.0.0 - 172.16.0.254
I can put servers, network gear, etc. in the first subnet on vlan 10

Subnet area 2. 172.16.1.0 - 172.16.3.254
I can put data in these subnets on vlan 20

Subnet area 3. 172.16.4.0 - 172.16.5.254
I can put voice in these subnets on vlan 30


B. Firewall
Make sure the appropriate devices can talk  (i.e.- Subnet area 2 can talk to the DC in Subnet area 1, and Subnet area 3 can talk to Exchange [for voicemails] in Subnet area 1)

Is that right? (this is all theoretical but you're definitely helping)
0
 
LVL 5

Author Comment

by:Paul Wagner
ID: 39834517
@ffleisma

I was also thinking that if I put all of my servers in 172.16.0.0 - 172.16.0.254 with /24, then couldn't I have a big broadcast storm within that subnet alone?

... I guess I'm asking, is /24 fine for what I'm doing, or do I need to narrow it down some more? (i.e. /25 or /26)
0
 
LVL 9

Accepted Solution

by:
ffleisma earned 500 total points
ID: 39834687
Subnet area 1. 172.16.0.0 - 172.16.0.254
I can put servers, network gear, etc. in the first subnet on vlan 10


This is fine
subnet: 172.16.0.0/24
host range: 172.16.0.1 - 172.16.0.254

Subnet area 2. 172.16.1.0 - 172.16.3.254
I can put data in these subnets on vlan 20


This will overlap with area1

ex:
172.16.1.0/23
subnet:172.16.0.0/23
host range: 172.16.0.1 - 172.16.1.254

*this is because 172.16.1.0/23 is not the subnet but only part of the entire range. which will overlap with area1

172.16.1.0/22
subnet:172.16.0.0/22
host range: 172.16.0.1 - 172.16.3.254

*still overlaps

the next available subnet, without overlapping with area1 is as follows:

172.16.4.0/22
subnet: 172.16.4.0/22
host range: 172.16.4.1 - 172.16.7.254

now avoiding overlapping subnets this can be summarized as follows:

Area1: VLAN10: 172.16.0.0/24 (172.16.0.1 - 172.16.0.254) - 254 hosts
Area2: VLAN20: 172.16.4.0/22 (172.16.4.1 - 172.16.7.254) - 1022 hosts
Area3: VLAN30: 172.16.8.0/24 (172.16.8.1 - 172.16.8.254) - 254 hosts


one thing we can do is re-arrange which goes first


Subnet areaA: 172.16.0.0/22 (172.16.0.1 - 172.16.3.254)
Subnet areaB: 172.16.4.0/24 (172.16.4.1 - 172.16.4.254)
Subnet areaC: 172.16.5.0/24 (172.16.5.1 - 172.16.5.254)

did that make sense?



B. Firewall

now I'm assuming all areas are inside and behind the firewall since I'm assuming they would be internal servers. in this case, they should all be able to talk to one another, without going through the firewall.

in case you need a DMZ which is protected by a firewall, usually the DMZ VLAN is assigned another VLAN/subnet range. Take note, a DMZ is created to place servers that are accessed from outside --> coming into FW --> DMZ. If a server will be accessed by internal users only, there is no need to create a DMZ and just place all the VLANs internally (routed via network core). You can see sample diagram below.

(diagram: simple VLAN)
for internal VLANs, have the default gateway at the core switch
for the DMZ VLAN, usually the default gateway is at the firewall


are you using cisco for your core and firewall? what vendor brand are you using for your network?

... I guess I'm asking, is /24 fine for what I'm doing, or do I need to narrow it down some more? (i.e. /25 or /26)

/24 is fine, servers don't usually generate much broadcast traffic. and even on a /24 which can accommodate 254 hosts/servers, I highly doubt you have more than 50 servers on it so it is fairly safe :-)

a big subnet becomes broadcast heavy if there will be lots of hosts in it. so a /24 with full users can generate more traffic and broadcast traffic than let's say a /22 with only a few hosts. It really depends on the number of hosts and not particularly on the subnet size, do you get what I'm saying?

hope this helps, let me know if you have more questions.
0
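The overlap argument in the accepted solution (and in ffleisma's first comment) comes down to one fact: "172.16.1.0/23" is an address inside 172.16.0.0/23, not a network of its own, so whatever you write as the start of area 2 gets pulled back to the aligned block that contains it and collides with the server /24. The same thing happens to the masks in the original question (255.255.128.0 and 255.255.192.0 both produce blocks that start at 172.16.0.0). The script below is an added example, not code from the thread or from Experts Exchange; it uses only Python's standard `ipaddress` module to resolve each requested prefix to its real network, list the usable host range and count (the 8190/4094 figures quoted for /19 and /20 fall out of the same arithmetic), report overlapping areas, and find the lowest free block of a given size. The area names, the dictionary layouts and the assumption that everything lives under 172.16.0.0/16 are mine.

```python
import ipaddress


def describe(cidr):
    """Resolve an address/prefix written the way the thread writes it
    (e.g. "172.16.1.0/23") to the network it actually belongs to.

    ip_interface() keeps the host bits, so .network gives the aligned
    block containing that address; "aligned" is False when the address
    the user typed is not that block's network address.
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    return {
        "requested": cidr,
        "network": str(net),
        "aligned": iface.ip == net.network_address,
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,  # minus network and broadcast
    }


def find_overlaps(plan):
    """plan: {area name: cidr}. Return the name pairs whose real networks overlap."""
    nets = {name: ipaddress.ip_interface(c).network for name, c in plan.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def next_free(existing, prefixlen, within="172.16.0.0/16"):
    """Lowest aligned /prefixlen block inside `within` (assumed parent range)
    that overlaps none of the already-allocated blocks; None if none is left."""
    taken = [ipaddress.ip_interface(c).network for c in existing]
    for cand in ipaddress.ip_network(within).subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(t) for t in taken):
            return str(cand)
    return None


if __name__ == "__main__":
    # Constructed inputs: the three address plans discussed in the thread.
    original = {"servers": "172.16.0.0/17", "pcs": "172.16.1.0/18"}  # 255.255.128.0 / 255.255.192.0
    first_draft = {"area1": "172.16.0.0/24", "area2": "172.16.1.0/23", "area3": "172.16.4.0/23"}
    rearranged = {"areaA": "172.16.0.0/22", "areaB": "172.16.4.0/24", "areaC": "172.16.5.0/24"}

    for label, plan in (("original question", original),
                        ("first draft", first_draft),
                        ("rearranged", rearranged)):
        print(f"{label}: overlaps = {find_overlaps(plan) or 'none'}")
        for area, cidr in plan.items():
            d = describe(cidr)
            flag = "" if d["aligned"] else "  <- not a network address"
            print(f"  {area}: {cidr} -> {d['network']} hosts "
                  f"{d['first_host']}-{d['last_host']} ({d['usable_hosts']}){flag}")

    print("next free /22 after the server /24:", next_free(["172.16.0.0/24"], 22))
    for p in (19, 20, 22, 23, 24):
        hosts = describe(f"172.16.0.0/{p}")["usable_hosts"]
        print(f"/{p} broadcast domain: {hosts} usable hosts")
```

`next_free` returns the lowest block that fits, so after the server /24 it proposes 172.16.4.0/22 exactly as ffleisma does; for the third area it would hand back 172.16.1.0/24 rather than the 172.16.8.0/24 in the thread, which is equally valid and just leaves a gap for growth. Running `find_overlaps` against a plan before it goes into the switch configuration is the check that catches the "172.16.1.0/23" mistake before it becomes a routing problem.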
 
LVL 5

Author Comment

by:Paul Wagner
ID: 39834699
That was awesome. Thanks for all the help!


Area1: VLAN10: 172.16.0.0/24 (172.16.0.1 - 172.16.0.254) - 254 hosts
Area2: VLAN20: 172.16.4.0/22 (172.16.4.1 - 172.16.7.254) - 1022 hosts
Area3: VLAN30: 172.16.8.0/24 (172.16.8.1 - 172.16.8.254) - 254 host

one thing we can do is re-arrange which goes first

Subnet areaA: 172.16.0.0/22 (172.16.0.1 - 172.16.3.254)
Subnet areaB: 172.16.4.0/24 (172.16.4.1 - 172.16.4.254)
Subnet areaC: 172.16.5.0/24 (172.16.5.1 - 172.16.5.254)

did that make sense?
Yes, that makes perfect sense. I suppose it's easier to run your bigger subnets at the beginning but it'll just feel weird to put PCs before servers. Maybe there's something to be said for network security in that. (keeps them guessing the topology)


are you using cisco for your core and firewall? what vendor brand are you using for your network?
We are looking at current options. We have vyatta which is a VM router but we will probably migrate away from it once the network is moved over. I like Cisco for sure so I will lean heavily in that direction.

Thanks again.
0
 
LVL 9

Expert Comment

by:ffleisma
ID: 39834886
hey thanks for the points and I'm glad I could help, maybe next time I can help out in designing later on once you migrate.

cheers!
0