omidshirkhan asked:

How to subnet and add VLANs into my existing IP network.

Hello Everyone - Firstly, I think I understand that to route through subnets I need a router between each subnet with a unique IP address for each subnet on each router. Please correct me if I'm wrong. Secondly, I think I understand that I need a router to communicate between VLANs on different subnets. Please correct me if I'm wrong. And thirdly, to communicate between VLANs on the same subnet all I need is a layer 2 switch between VLANs. Please correct me if I'm wrong.

I have a scenario that I'm hoping I can get some help with. I'll be as detailed and descriptive as I can.


This is for a business with 100 employee nodes and 100 camera nodes, all needing IP internet through private addressing and a public gateway.


I have a business class gateway with a private range of 12 public addresses. Their modem does nothing but act as a gateway since I have disabled the firewall and DHCP.


In place of the firewall and DHCP from the modem I have installed an RV120 Firewall with VPN. When installing I replicated the IP scheme of the modem so as not to disturb and disrupt the devices assigned addresses from that scheme from the modem. I did this because the owner could not have any downtime or any disruption to the business operations.


The RV120 now acts as firewall, DHCP, and VPN. I'll address the subnet first. It's using the 10.0.0.0/24 subnet range.


DHCP is assigning 10.1.10.50 - 10.1.10.100; the rest are static and I plan to use static DHCP with the IP and MAC assigned to each static DHCP address.


There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.


VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.


There are no layer 3 switches that I know of. Just a layer two that is the primary switch and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.


I want to implement subnets into the network and VLANs as well on a new layer 3 switch from Cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.


I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.


I want to replace the 10.0.0.0/24 DHCP altogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes segmented.


I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.


I've thought of replacing all the wireless nodes with RV120s and using VLANs. I don't know if that strategy works. Need to think it through.


I want the 192.168.0.0/24 IP range to communicate with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.

Any advice on how to do this? And with as little interruption to the business operations as possible?

As a side note, the next step after this is to install a server domain controller, as all the computers are stand-alone in their own workgroups. It's a simultaneous project that will introduce DHCP, WINS and DNS servers.

Thanks for your help

MarcusSjogren:

All you need is a nice layer 3 switch, it will route the VLANS and then you can use the RV120 as a default gateway.

However, to be honest I wouldn't want to administrate 50 static client IP addresses, but I assume you have your reasons.
Also - are you sure 6 IP addresses is enough for client VPN? I would make that a whole /24 network to be on the safe side.

A layer 3 switch normally routes everything, so you must use access-lists to prevent networks from reaching each other. Easiest thing would be to make a default list that blocks everything and use specific rules where traffic is allowed between VLANS.

I kind of get the feeling that you are not 100% confident with this. Therefore I recommend that you purchase a layer 3 switch and set up a lab where you accomplish the above before trying to implement it.
And the easiest way of doing this without interruption is to run the old system alongside this and then migrate client by client (net by net).

If you want more help it would really help with a quick sketch image of how you want the topology to look, it's a lot of information to interpret above.

Good luck!
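An added example, not from this thread, of the layer 3 switch setup Marcus describes, written in Cisco IOS syntax of the kind a 3550 accepts: one SVI per range named in the question, a default route to the RV120, and default-deny access lists with specific permits between VLANs. The VLAN numbers, the .1 SVI addresses, the RV120 LAN address 172.16.0.254, the recorder address 172.16.0.10 and the port numbers are assumptions for illustration.

```cisco
! Added example: inter-VLAN routing with default-deny ACLs on a Cisco IOS L3 switch.
! Assumed values: VLAN ids, .1 SVI addresses, RV120 at 172.16.0.254, recorder at 172.16.0.10.
ip routing
!
vlan 10
 name CAMERAS
vlan 20
 name CLIENTS
vlan 30
 name WIRELESS
!
! Cameras keep the 10.1.10.0/24 addressing used in the question
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group CAMERAS-IN in
!
interface Vlan20
 ip address 172.16.0.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.0.1 255.255.255.0
 ip access-group WIRELESS-IN in
!
! Everything not local goes to the RV120, which stays firewall, VPN and Internet gateway
ip route 0.0.0.0 0.0.0.0 172.16.0.254
!
! Cameras may talk to the recorder only; everything else they send is dropped and logged.
! These ACLs are stateless: the reply direction must be permitted explicitly too.
ip access-list extended CAMERAS-IN
 permit ip 10.1.10.0 0.0.0.255 host 172.16.0.10
 deny   ip 10.1.10.0 0.0.0.255 any log
!
! Wireless reaches the client VLAN and the Internet, but not the camera VLAN
ip access-list extended WIRELESS-IN
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 10.1.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
! Uplink towards the RV120 on the client VLAN, and one camera access port
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 20
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
```

The RV120 also needs static routes for 10.1.10.0/24 and 192.168.0.0/24 pointing at 172.16.0.1, otherwise replies from the gateway never reach those VLANs.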
omidshirkhan (asker):

Not totally confident.. 80%.

I have some basic ideas though, and a lab will intelligently design this network. However, I do have an open window to buy hardware now and want it purchased, then the lab created, then stood up when it's all working.

Yes, there are reasons for the static addresses. I'm only using 6 for the VPN since there are only two users, myself and the company owner, who VPN in. It's smart to think ahead though, and /24 is a good idea.

So to make sure I understand, one layer 3 switch will suffice to route the VLANs for all the subnets I want to implement? I thought the routes needed something at layer 3 for the subnets?

This is a massive building with out of the box switches on walls everywhere and no closets to speak of. So there are locations, and it only makes sense to put a router at each location for the subnet, then VLAN it.

Another thing is, since the current router is from the provider and I'm running video feeds, I want a router that supports video nicely through the uploads, so that's being replaced.

I am gung ho about this.

Your Thoughts?
I do have a sketch on paper. I will get it in here tonight or tomorrow once it's in a format I can upload.

MarcusSjogren (accepted solution):
Picture:

Red = old 10.0.0.0/24 net
Green = RV120 gateway
blue = new switch
Orange = client
Purple = cameras

Sorry for the ugly drawing, using my iPad :-)

omidshirkhan (asker):

Hey there.

The drawing is great! It helps.

I am looking for a "nice" switch and want to spend my budget on one $6000 - $7000 switch.

Someone recommended a Cisco SG500 48 port. It's under $1000. Ever heard of it?

What's your recommendation for a nice, budget friendly switch?

MarcusSjogren:

Hi,

Do you need 48 ports or is it just going to be "distribution switches"?

If you don't need that many ports I would look for an HP switch with layer 3 and some nice backplane speed.

Then I would also look at the different distribution switches to make sure you have quality all the way to the client.

Like I said before - it doesn't matter how nice a core switch you've got if the rest is crap :-)

omidshirkhan (asker):

I need 48 ports. The current Cisco SF100-24 has all ports used.

Honestly I've never heard the term distribution switch.

The SF100 has end user nodes and is the core switch.

The rest of the switches are attached to it.

I'm actually doing an inventory of all those attached switches and APs now.

This is going to be fun. The building is in Massachusetts. I am in Virginia.

I'll have to set up the lab here in VA and ship all the equipment to the site to move the existing network and stand it up.

MarcusSjogren:

Well - I call it a distribution switch because it is the switches that are distributing the network to the end nodes.
In other terms - it's the switches which clients connect to, and then the switch connects to the core switch, or at least further up the chain towards the core switch.

Yeah, I know the problematic way of doing so, and I can guarantee that you will save money by going there and connecting it yourself rather than spending 24 hours on the phone with someone who is going to do it for you ;-)

The switch below should be quite nice since you can also expand it further if necessary, and without any disruption since the modules are hot swap.

http://www.dustin.se/product/5010312915/hp-4204-44g-4sfp-vl-switch/

In Sweden you have lifetime warranty as well with "on-site service next day" if necessary.

It would take about half your budget and you would get 44 gigabit ports with a 79 Gbit/s backplane, which should be enough as I doubt your clients would need more.

The next step would be something like this, but that's the max of your budget, though it's a fantastic switch.

http://www.dustin.se/product/5010587670/hp-5406-44g-poe-4g-v2-zl-switch-w-prm-sw/
But hey - make the inventory first and look at what you must change in terms of the other switches.
Maybe you can convince them to upgrade the budget a little bit as well if you can give them a good reason?

omidshirkhan (asker):

I can work to increase the budget if the reasons are good and the network is self-sustaining with as little administrative overhead as possible.

Here's a sketch.

I think I may go with the SG series layer 3 switches for this environment. They come in 10, 20, 26, 28, 52 port configurations. Just get 15 of them and replace all the little out of box switches there now. That's $6000.00

MarcusSjogren:

That does sound like a good idea. Just make sure that the core switch has a good backplane and you should be fine. I don't know much about the SG series but everything Cisco does seems to work quite well, so I assume that these do too :-)