Need to clarify routing

Needing to bust the rust off my subnetting. Hopefully EE-land can help.


Setting up a 172.16.x.x network

I want the servers, routers, etc. to be in 172.16.0.1-172.16.0.254

I want the PC's, etc. to be in 172.16.1.1-172.16.3.254

Should I mask the servers with 255.255.128.0
and
Should I mask the PC's with 255.255.192.0
in order to
Cut down on broadcast/data/etc?

or do they all need to have the same subnet mask?
Asked by Paul Wagner (Friend To Robots and Rocks)

ffleisma (Senior Network Engineer) commented:
Subnet area 1. 172.16.0.0 - 172.16.0.254
I can put servers, network gear, etc. in the first subnet on vlan 10


This is fine
subnet: 172.16.0.0/24
host range: 172.16.0.1 - 172.16.0.254

Subnet area 2. 172.16.1.0 - 172.16.3.254
I can put data in these subnets on vlan 20


This will overlap with area1

ex:
172.16.1.0/23
subnet:172.16.0.0/23
host range: 172.16.0.1 - 172.16.1.254

*This is because 172.16.1.0/23 is not the subnet itself but only part of the entire range, which will overlap with area 1.

172.16.1.0/22
subnet:172.16.0.0/22
host range: 172.16.0.1 - 172.16.3.254

*still overlaps

the next available subnet, without overlapping with area1 is as follows:

172.16.4.0/22
subnet: 172.16.4.0/22
host range: 172.16.4.1 - 172.16.7.254

now avoiding overlapping subnets this can be summarized as follows:

Area1: VLAN10: 172.16.0.0/24 (172.16.0.1 - 172.16.0.254) - 254 hosts
Area2: VLAN20: 172.16.4.0/22 (172.16.4.1 - 172.16.7.254) - 1022 hosts
Area3: VLAN30: 172.16.8.0/24 (172.16.8.1 - 172.16.8.254) - 254 hosts


one thing we can do is re-arrange which goes first


Subnet areaA: 172.16.0.0/22 (172.16.0.1 - 172.16.3.254)
Subnet areaB: 172.16.4.0/24 (172.16.4.1 - 172.16.4.254)
Subnet areaC: 172.16.5.0/24 (172.16.5.1 - 172.16.5.254)

did that make sense?



B. Firewall

Now I'm assuming all areas are inside and behind the firewall, since I'm assuming these are internal servers. In this case, they should all be able to talk to one another without going through the firewall.

In case you need a DMZ which is protected by a firewall, the DMZ VLAN is usually assigned another VLAN/subnet range. Take note, a DMZ is created to place servers that are accessed from outside --> coming into the FW --> DMZ. If servers will be accessed by internal users only, there is no need to create a DMZ; just place all the VLANs internally (routed via the network core). You can see a sample diagram below.

[Diagram: simple VLAN]
for internal VLANs, have the default gateway at the core switch
for the DMZ VLAN, usually the default gateway is at the firewall


Are you using Cisco for your core and firewall? What vendor brand are you using for your network?

... I guess I'm asking, is /24 fine for what I'm doing, or do I need to narrow it down some more? (i.e. /25 or /26)

/24 is fine, servers don't usually generate much broadcast traffic. And even on a /24, which can accommodate 254 hosts/servers, I highly doubt you have more than 50 servers on it, so it is fairly safe :-)

A big subnet becomes broadcast heavy if there will be lots of hosts in it. So a /24 full of users can generate more traffic and broadcast traffic than, let's say, a /22 with only a few hosts. It really depends on the number of hosts and not on the subnet size in particular, do you get what I'm saying?

Hope this helps, let me know if you have more questions.

ffleisma (Senior Network Engineer) commented:
I want the servers, routers, etc. to be in 172.16.0.1-172.16.0.254
172.16.0.0/24
range: 172.16.0.1 - 172.16.0.253 (254 broadcast)

I want the PC's, etc. to be in 172.16.1.1-172.16.3.254

Unfortunately you can't assign 172.16.1.0/23 (overlaps 172.16.0.1 - 172.16.1.254); the next available is 172.16.2.0/23 (172.16.2.1 - 172.16.3.254).

Increments of subnets are:

256 hosts - /24
512 hosts - /23
1024 hosts - /22
and so on... (-2 actually, to remove the subnet and broadcast addresses)

So if you really need 768 (256*3: 1.1-256, 2.1-256, 3.1-256), you'll have to jump and use a /22, that is 172.16.4.0/22 (172.16.4.1 - 172.16.7.254).

In my opinion, keep users on a /24, and assign most VLANs a /24 to keep subnetting simple. If an additional data VLAN is needed, create another /24. I know in some cases a /23 is needed or even a /22, but in my opinion those subnets are too big, and broadcast storms or any issue in a /23 or a /22 can impact more than 500 devices (imagine that). I usually try to separate LAN data, LAN voice, Wifi, and MSC devices (printers) on their own /24 VLANs.

If you like, there is a free tool from SolarWinds, the IP subnet calculator; it is very handy, you just need to sign up and it's free.

http://www.solarwinds.com/products/freetools/free_subnet_calculator.aspx

The subnet mask doesn't necessarily need to be the same for different VLANs; it is the overlapping when switching from one mask to another which you have to look out for.

Paul Wagner (Friend To Robots and Rocks, author) commented:
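The overlap and next-free-block reasoning from the two ffleisma answers above, worked through with Python's standard ipaddress module. This is an added example, not code from the thread or from the SolarWinds tool it mentions; the 172.16.0.0/16 parent block and the area sizes come from the question and answers, and next_free/allocate are illustrative helper names.

```python
import ipaddress
from typing import List

def actual_subnet(cidr: str) -> str:
    """The block a host-style CIDR really belongs to. ip_network('172.16.1.0/23')
    raises ValueError because 172.16.1.0 is not on a /23 boundary; strict=False
    instead snaps it to the enclosing subnet, 172.16.0.0/23."""
    return str(ipaddress.ip_network(cidr, strict=False))

def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """Overlap test on the real subnets, not on the addresses as written."""
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)

def host_range(cidr: str) -> str:
    """First and last usable host (network and broadcast addresses excluded)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address + 1} - {net.broadcast_address - 1}"

def usable_hosts(cidr: str) -> int:
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2

def next_free(prefix: int, used: List[str], parent: str = "172.16.0.0/16") -> str:
    """Sequential allocation as in the answers: the first /prefix-aligned block
    inside parent that lies entirely above every subnet already handed out."""
    parent_net = ipaddress.ip_network(parent)
    taken = [ipaddress.ip_network(u, strict=False) for u in used]
    top = max((n.broadcast_address for n in taken),
              default=parent_net.network_address - 1)
    for cand in parent_net.subnets(new_prefix=prefix):
        if cand.network_address > top:
            return str(cand)
    raise ValueError(f"no free /{prefix} left in {parent}")

def allocate(sizes: List[int], parent: str = "172.16.0.0/16") -> List[str]:
    """Hand out blocks in order; [24, 22, 24] reproduces areas 1-3 of the answer."""
    plan: List[str] = []
    for prefix in sizes:
        plan.append(next_free(prefix, plan, parent))
    return plan

if __name__ == "__main__":
    for cidr in ("172.16.1.0/23", "172.16.1.0/22"):
        print(cidr, "->", actual_subnet(cidr),
              "overlaps 172.16.0.0/24:", overlaps(cidr, "172.16.0.0/24"))
    for net in allocate([24, 22, 24]):
        print(net, host_range(net), usable_hosts(net), "hosts")
```

Swapping the order to allocate([22, 24, 24]) yields the alternative areaA/areaB/areaC layout from the same answer.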
@ffleisma

Why wouldn't I be able to put everything in a /19 or /20 and then just put data, voice, etc. into different vlans?
Wouldn't this essentially cut out broadcast storms?

I definitely understand the /24 reasoning, but then why would I need different vlans if I'm controlling everything with blocks of /24 subnets?

ffleisma (Senior Network Engineer) commented:
Actually you can use a /19 or /20 by all means, but that is just too big a broadcast domain.

By design, segments should not contain more than 20% broadcast or multicast traffic, and having a /19 (8190 hosts) or a /20 (4094 hosts) can create enough broadcast traffic within the segment to impact service. Not to mention, when something goes wrong in the network, like a network loop, all those hosts will be impacted. Another example: in terms of viruses or worms which send broadcasts, they can infect or DDoS such a big number of hosts within the LAN.

When putting each category in a VLAN (data, voice, etc.), they have to be in different network segments. That is the purpose of VLANs: to segment broadcast domains, which basically means putting them into different IP segments/subnets.

Also, putting everything (data/voice/servers) in one VLAN creates security risks. A PC user can sniff traffic and gather voice/server packets within the same broadcast domain. In terms of firewall security, with everything in one big segment it will be very hard to fine-tune or apply permissive policies to specific users/servers/voice, as everyone gets permitted when you allow the entire big subnet.

Let me know your thoughts and if you have more questions. Hope I can help.

Paul Wagner (Friend To Robots and Rocks, author) commented:
@ffleisma

Ya, this is definitely helping.

I downloaded the solar winds subnet calc.

Taking your advice, I went to the Classful Subnet Calculator tab and entered 172.16.0.0 with /24.

It gave me a view of what you're saying.

So... (correct me if I'm wrong)

A. Addressing
Subnet area 1. 172.16.0.0 - 172.16.0.254
I can put servers, network gear, etc. in the first subnet on vlan 10

Subnet area 2. 172.16.1.0 - 172.16.3.254
I can put data in these subnets on vlan 20

Subnet area 3. 172.16.4.0 - 172.16.5.254
I can put voice in these subnets on vlan 30


B. Firewall
Make sure the appropriate devices can talk  (i.e.- Subnet area 2 can talk to the DC in Subnet area 1, and Subnet area 3 can talk to Exchange [for voicemails] in Subnet area 1)

Is that right? (this is all theoretical but you're definitely helping)

Paul Wagner (Friend To Robots and Rocks, author) commented:
@ffleisma

I was also thinking that if I put all of my servers in 172.16.0.0 - 172.16.0.254 with /24, then couldn't I have a big broadcast storm within that subnet alone?

... I guess I'm asking, is /24 fine for what I'm doing, or do I need to narrow it down some more? (i.e. /25 or /26)

Paul Wagner (Friend To Robots and Rocks, author) commented:
That was awesome. Thanks for all the help!


Area1: VLAN10: 172.16.0.0/24 (172.16.0.1 - 172.16.0.254) - 254 hosts
Area2: VLAN20: 172.16.4.0/22 (172.16.4.1 - 172.16.7.254) - 1022 hosts
Area3: VLAN30: 172.16.8.0/24 (172.16.8.1 - 172.16.8.254) - 254 hosts

one thing we can do is re-arrange which goes first

Subnet areaA: 172.16.0.0/22 (172.16.0.1 - 172.16.3.254)
Subnet areaB: 172.16.4.0/24 (172.16.4.1 - 172.16.4.254)
Subnet areaC: 172.16.5.0/24 (172.16.5.1 - 172.16.5.254)

did that make sense?
Yes, that makes perfect sense. I suppose it's easier to run your bigger subnets at the beginning but it'll just feel weird to put PC's before servers.  Maybe there's something to be said for network security in that. (keeps them guessing the topology)


Are you using Cisco for your core and firewall? What vendor brand are you using for your network?
We are looking at current options. We have vyatta which is a VM router but we will probably migrate away from it once the network is moved over. I like Cisco for sure so I will lean heavily in that direction.

Thanks again.

ffleisma (Senior Network Engineer) commented:
Hey, thanks for the points, and I'm glad I could help. Maybe next time I can help out with the design once you migrate.

cheers!