Solved

Need to clarify routing

Posted on 2014-02-04
510 Views
Last Modified: 2014-02-04
Needing to bust the rust off my subnetting. Hopefully EE-land can help.


Setting up a 172.16.x.x network

I want the servers, routers, etc. to be in 172.16.0.1-172.16.0.254

I want the PC's, etc. to be in 172.16.1.1-172.16.3.254

Should I mask the servers with 255.255.128.0
and
Should I mask the PC's with 255.255.192.0
in order to
Cut down on broadcast/data/etc?

or do they all need to have the same subnet mask?
Question by:Paul Wagner
8 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 39834073
I want the servers, routers, etc. to be in 172.16.0.1-172.16.0.254
172.16.0.0/24
range: 172.16.0.1 - 172.16.0.253 (254 broadcast)

I want the PC's, etc. to be in 172.16.1.1-172.16.3.254

Unfortunately you can't assign 172.16.1.0/23 (overlaps 172.16.0.1 - 172.16.1.254); the next available is 172.16.2.0/23 (172.16.2.1 - 172.16.3.254).

Increments of subnets are:

256 hosts - /24
512 hosts - /23
1024 hosts - /22
and so on... (-2 actually, to remove subnet and broadcast)

So if you really need 768 (256*3: 1.1-256, 2.1-256, 3.1-256), you'll have to jump and use a /22, that is 172.16.4.0/22 (172.16.4.1 - 172.16.7.254).

In my opinion, keep users on /24, and assign most VLANs a /24 to keep subnetting simple. If an additional data VLAN is needed, create another /24. I know in some cases a /23 is needed or even a /22, but in my opinion those subnets are too big, and broadcast storms or any issue in a /23 or a /22 can impact more than 500 devices (imagine that). I usually try to separate LAN data, LAN voice, Wifi, and MSC devices (printers) on their own /24 VLANs.

If you like, there is a free tool from SolarWinds, IP Subnet Calculator; it is very handy, you just need to sign up and it's free.

http://www.solarwinds.com/products/freetools/free_subnet_calculator.aspx

The subnet mask doesn't necessarily need to be the same for different VLANs; it is the overlapping when switching from one mask to another which you have to look out for.
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39834137
@ffleisma

Why wouldn't I be able to put everything in a /19 or /20 and then just put data, voice, etc. into different vlans?
Wouldn't this essentially cut out broadcast storms?

I definitely understand the /24 reasoning, but then why would I need different vlans if I'm controlling everything with blocks of /24 subnets?
 
LVL 9

Expert Comment

by:ffleisma
ID: 39834182
Actually you can use /19 or /20 by all means, but that is just too big of a broadcast domain.

By design, segments should not contain more than 20% broadcast or multicast traffic, and having a /19 (8190 hosts) or a /20 (4094 hosts) can create enough broadcast traffic within the segment to impact service. Not to mention when something goes wrong in the network, like a network loop, all those hosts will be impacted. Another example: in terms of viruses or worms which send broadcasts, they can infect or DDoS such a big number of hosts within the LAN.

When putting each category in a VLAN (data, voice, etc.) they have to be in different network segments. That is the purpose of VLANs: to segment broadcast domains, which basically means putting them into different IP segments/subnets.

Also, putting everything (data/voice/servers) in one VLAN creates security risks. A PC user can sniff traffic and gather voice/server packets within the same broadcast domain. In terms of firewall security, putting everything in one big segment makes it very hard to fine-tune or apply permissive policies to specific users/servers/voice, as everyone gets permitted when you allow the entire big subnet.

Let me know your thoughts and if you have more questions. Hope I can help.
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39834209
@ffleisma

Ya, this is definitely helping.

I downloaded the solar winds subnet calc.

Taking your advice, I went to the Classful Subnet Calculator tab and entered 172.16.0.0 with /24.

It gave me a view of what you're saying.

So... (correct me if I'm wrong)

A. Addressing
Subnet area 1. 172.16.0.0 - 172.16.0.254
I can put servers, network gear, etc. in the first subnet on vlan 10

Subnet area 2. 172.16.1.0 - 172.16.3.254
I can put data in these subnets on vlan 20

Subnet area 3. 172.16.4.0 - 172.16.5.254
I can put voice in these subnets on vlan 30


B. Firewall
Make sure the appropriate devices can talk (i.e. Subnet area 2 can talk to the DC in Subnet area 1, and Subnet area 3 can talk to Exchange [for voicemails] in Subnet area 1)

Is that right? (this is all theoretical but you're definitely helping)
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39834517
@ffleisma

I was also thinking that if I put all of my servers in 172.16.0.0 - 172.16.0.254 with /24, then couldn't I have a big broadcast storm within that subnet alone?

... I guess I'm asking, is /24 fine for what I'm doing, or do I need to narrow it down some more? (i.e. /25 or /26)
 
LVL 9

Accepted Solution

by:
ffleisma earned 500 total points
ID: 39834687
Subnet area 1. 172.16.0.0 - 172.16.0.254
I can put servers, network gear, etc. in the first subnet on vlan 10


This is fine
subnet: 172.16.0.0/24
host range: 172.16.0.1 - 172.16.0.254

Subnet area 2. 172.16.1.0 - 172.16.3.254
I can put data in these subnets on vlan 20


This will overlap with area1

ex:
172.16.1.0/23
subnet:172.16.0.0/23
host range: 172.16.0.1 - 172.16.1.254

*This is because 172.16.1.0/23 is not the subnet but only part of the entire range, which will overlap with area 1.

172.16.1.0/22
subnet:172.16.0.0/22
host range: 172.16.0.1 - 172.16.3.254

*still overlaps

The next available subnet, without overlapping with area 1, is as follows:

172.16.4.0/22
subnet: 172.16.4.0/22
host range: 172.16.4.1 - 172.16.7.254

Now, avoiding overlapping subnets, this can be summarized as follows:

Area1: VLAN10: 172.16.0.0/24 (172.16.0.1 - 172.16.0.254) - 254 hosts
Area2: VLAN20: 172.16.4.0/22 (172.16.4.1 - 172.16.7.254) - 1022 hosts
Area3: VLAN30: 172.16.8.0/24 (172.16.8.1 - 172.16.8.254) - 254 hosts


One thing we can do is re-arrange which goes first:


Subnet areaA: 172.16.0.0/22 (172.16.0.1 - 172.16.3.254)
Subnet areaB: 172.16.4.0/24 (172.16.4.1 - 172.16.4.254)
Subnet areaC: 172.16.5.0/24 (172.16.5.1 - 172.16.5.254)

Did that make sense?



B. Firewall

Now I'm assuming all areas are inside and behind the firewall, since I'm assuming they would be internal servers. In this case, they should all be able to talk to one another without going through the firewall.

In case you need a DMZ which is protected by a firewall, usually the DMZ VLAN is assigned another VLAN/subnet range. Take note, a DMZ is created to place servers that are accessed from outside --> coming into FW --> DMZ. If servers will be accessed by internal users only, there is no need to create a DMZ; just place all the VLANs internally (routed via the network core). You can see a sample diagram below.

[diagram: simple VLAN]
For internal VLANs, have the default gateway at the core switch.
For the DMZ VLAN, usually the default gateway is at the firewall.


Are you using Cisco for your core and firewall? What vendor brand are you using for your network?

... I guess I'm asking, is /24 fine for what I'm doing, or do I need to narrow it down some more? (i.e. /25 or /26)

/24 is fine, servers don't usually generate much broadcast traffic. And even on a /24, which can accommodate 254 hosts/servers, I highly doubt you have more than 50 servers on it, so it is fairly safe :-)

A big subnet becomes broadcast heavy if there will be lots of hosts in it. So a /24 full of users can generate more traffic and broadcast traffic than, let's say, a /22 with only a few hosts. It really depends on the number of hosts and not on the subnet size in particular, do you get what I'm saying?

Hope this helps, let me know if you have more questions.
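The overlap and alignment rules ffleisma walks through in the accepted solution (a /23 or /22 must start on its own boundary, "172.16.1.0/23" is really part of 172.16.0.0/23, and putting the biggest block first avoids the jump to 172.16.4.0/22) can be checked mechanically. The following Python is an added example, not code from the thread or from any tool mentioned in it; it uses only the standard-library ipaddress module, assumes the 172.16.0.0/16 space the thread uses, and the VLAN labels in it are assumed names.

```python
from ipaddress import IPv4Network, ip_network

# Constructed example plan mirroring the thread: the server block is fixed at
# 172.16.0.0/24 and the whole site lives inside 172.16.0.0/16 (assumed).
SITE = IPv4Network("172.16.0.0/16")
SERVERS = IPv4Network("172.16.0.0/24")


def actual_network(cidr: str) -> IPv4Network:
    """Return the subnet a loosely written prefix really belongs to.

    "172.16.1.0/23" is not a subnet boundary; it is an address inside
    172.16.0.0/23. strict=False makes ipaddress zero the host bits, which is
    exactly the overlap with the server /24 that the thread warns about.
    """
    return ip_network(cidr, strict=False)


def is_on_boundary(cidr: str) -> bool:
    """True when the written prefix is itself a valid subnet boundary."""
    try:
        ip_network(cidr, strict=True)
    except ValueError:
        return False
    return True


def host_range(net: IPv4Network) -> tuple[str, str, int]:
    """First usable host, last usable host and usable host count.

    Network and broadcast addresses are excluded (the "-2" in the thread).
    """
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return str(first), str(last), net.num_addresses - 2


def next_free_block(prefixlen: int, used: list[IPv4Network],
                    space: IPv4Network = SITE) -> IPv4Network:
    """First properly aligned /prefixlen inside `space` overlapping nothing in `used`."""
    for candidate in space.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    raise ValueError(f"no free /{prefixlen} left in {space}")


def plan(requests: dict[str, int], largest_first: bool = True,
         space: IPv4Network = SITE) -> dict[str, IPv4Network]:
    """Allocate one aligned block per VLAN name.

    largest_first=True hands out the biggest blocks first (the expert's
    "re-arrange which goes first"), so a small block never forces a larger,
    aligned block to jump past a gap.
    """
    order = (sorted(requests.items(), key=lambda kv: kv[1]) if largest_first
             else list(requests.items()))
    allocated: dict[str, IPv4Network] = {}
    for name, plen in order:
        allocated[name] = next_free_block(plen, list(allocated.values()), space)
    return allocated


if __name__ == "__main__":
    # The asker's wish: PCs in 172.16.1.0/23 right after the /24 of servers.
    wanted = "172.16.1.0/23"
    print(wanted, "on boundary:", is_on_boundary(wanted),
          "| really is", actual_network(wanted),
          "| overlaps servers:", actual_network(wanted).overlaps(SERVERS))
    # Assumed VLAN labels; the prefix lengths are the ones discussed above.
    requests = {"VLAN10 servers": 24, "VLAN20 data": 22, "VLAN30 voice": 24}
    for mode in (False, True):
        print("largest first:" if mode else "in request order:")
        for name, net in plan(requests, largest_first=mode).items():
            first, last, n = host_range(net)
            print(f"  {name:15} {net:18} {first} - {last} ({n} hosts)")
```

Run as a script it prints both orderings: in request order the data /22 has to jump to 172.16.4.0/22 (as in the thread) and the voice /24 falls into the 172.16.1.0/24 gap left behind, while largest-first yields the expert's areaA/areaB/areaC layout. The same host_range helper gives the 8190 and 4094 usable hosts quoted for a /19 and a /20.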
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39834699
That was awesome. Thanks for all the help!


Area1: VLAN10: 172.16.0.0/24 (172.16.0.1 - 172.16.0.254) - 254 hosts
Area2: VLAN20: 172.16.4.0/22 (172.16.4.1 - 172.16.7.254) - 1022 hosts
Area3: VLAN30: 172.16.8.0/24 (172.16.8.1 - 172.16.8.254) - 254 hosts

one thing we can do is re-arrange which goes first

Subnet areaA: 172.16.0.0/22 (172.16.0.1 - 172.16.3.254)
Subnet areaB: 172.16.4.0/24 (172.16.4.1 - 172.16.4.254)
Subnet areaC: 172.16.5.0/24 (172.16.5.1 - 172.16.5.254)

did that make sense?
Yes, that makes perfect sense. I suppose it's easier to run your bigger subnets at the beginning, but it'll just feel weird to put PC's before servers. Maybe there's something to be said for network security in that (keeps them guessing the topology).


are you using Cisco for your core and firewall? what vendor brand are you using for your network?
We are looking at current options. We have vyatta which is a VM router but we will probably migrate away from it once the network is moved over. I like Cisco for sure so I will lean heavily in that direction.

Thanks again.
 
LVL 9

Expert Comment

by:ffleisma
ID: 39834886
Hey, thanks for the points and I'm glad I could help; maybe next time I can help out in designing later on once you migrate.

cheers!