Solved

Subnetting help on a 172.16.x.x network

Posted on 2014-04-23
2,864 Views
Last Modified: 2014-05-19
We are building a network inside of vmware/vsphere 5.1 and need some guidance in whether we should expand the subnet mask or manage everything through a routing table.

Subnet 1
Core Devices (router, switches, servers, etc.)
172.16.0.X /24

Subnet 2
Data (PCs, printers, etc.)
172.16.1.X /24

Subnet 3
VoIP (phones, etc.)
172.16.2.X /24


Question:
Firewall (virtual network device)
We currently have a NIC on it for the core subnet. Do we/can we expand that NIC's subnet mask to say, a /16 in order to fully communicate with everything? ...
Or do we create a NIC on the firewall for each subnet and add routes in the router? ...
Could we also bind a NIC to multiple subnets?

Just not sure what the "best practice" is when everything is entirely virtual, including the router and firewall.
Question by:Paul Wagner
7 Comments
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 40018916
Definitely don't switch to a /16 subnet. You will end up with some odd behaviors that will be difficult to track down/resolve, and your security will be flawed by having that open broadcast domain.

Depending on the virtual firewall brand or vendor that you are using, if it supports VLANs, interface subsets, what your security needs are on each subnet, etc., either one of the other two solutions would be completely acceptable. Best practice, IMO, would be separate virtual interfaces. But it depends on the firewall capabilities, how secure you want each subnet to be from each other, and how different you want the rule sets to be. If you can provide some more details, we may be able to go a little deeper in the recommendation.

~Jon
 
LVL 5

Author Comment

by:Paul Wagner
ID: 40018922
Well, two of the subnets will need specific DHCP options applied to them: One for VoIP and the other for Citrix machines.
As always, I'll need every subnet to talk to the core subnet.
The firewall is a software firewall running on a VM of Server 2008.

What other details are you looking for?
(I was already leaning to the second option and just wanted confirmation)
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 40018972
Yes, where you need isolated DHCP broadcasts on 2 of the 3 subnets and you will want prioritization on the VoIP NIC, I would definitely go with separate virtual NICs. Also, you will likely want full communications between 1 and 2, and 1 and 3, but communications between 2 and 3 can and should be limited.

Good luck
~Jon
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40018984
I would do the following:
1. Expand one subnet to 172.16.1.x /22 where all your servers, printers and PCs reside, as you don't want the PCs to go through the router to communicate. This will give you the best performance.
2. Create a /24 subnet for network device management
3.  Create a subnet for VoIP

Ensure each subnet belongs to a VLAN of its own.

For VMware I will create the following networks:

1. NIC 1: primary for management network, backup for backup network
2. NIC 2: primary for backup network, backup for management network
3. NIC 3 and 4: vmotion network
4. At least 2 NICs: VM network and NICs configured as trunk ports. Use vmxnet 4 as adapter for VMs and configure VLAN on the NIC in OS
5. At least two NICs configured for VLAN 100. This is required as some VMware appliances do not allow VLAN options on the NIC in the OS.
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 40019009
Mohammed's solution is a very good one, but it will require re-configuring the existing devices on all three networks. Is this an option? The /22 will make one network out of 172.16.0.0-172.16.3.255, and all devices should be reconfigured with the new subnet. The VoIP network will need to be moved to 172.16.4.x or something like that. If this is an option, then I would agree with Mohammed that eliminating the routing overhead from the firewall VM would be ideal.

Another option, also requiring a change but potentially less painful, would be to use a /23 and move the devices from 172.16.2.x to 172.16.0.x. Given most of that is DHCP, this should not be too difficult. Then the existing 172.16.1.x network could remain in place, as well as the VoIP network at 172.16.3.x. The 172.16.2.x network is eliminated or used as your vmotion network.

~Jon
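To make the three plans in this thread concrete, here is an added worked example (not code from the thread or from any of its participants) that uses Python's standard `ipaddress` module to compare the current three /24s, the asker's flat /16 idea, Mohammed's /22 plan and Jon's /23 alternative. It reports which networks in a plan overlap (a plan with overlaps cannot be routed cleanly), how many hosts share each broadcast domain (the "open broadcast domain" concern with the /16), and which hosts keep their address with a new mask versus which must be readdressed. The three sample hosts are constructed, not the asker's real inventory; the VoIP block at 172.16.4.0/24 in the /22 plan is assumed from Jon's reading of Mohammed's suggestion, and the role-to-network mapping for each plan is my assumption about how the thread's wording maps onto address blocks.

```python
"""Subnet-plan comparison for the 172.16.x.x thread (added example, standard library only)."""
from ipaddress import ip_address, ip_network

# Constructed sample inventory: (role, address), one host per existing /24.
SAMPLE_HOSTS = {
    "core-router": ("core", "172.16.0.1"),
    "data-pc":     ("data", "172.16.1.50"),
    "voip-phone":  ("voip", "172.16.2.20"),
}

# The asker's current layout: three /24s, one per role.
CURRENT = {"core": "172.16.0.0/24", "data": "172.16.1.0/24", "voip": "172.16.2.0/24"}

# Role -> network for each plan discussed in the thread (mapping is an assumption).
PLANS = {
    "current /24s": CURRENT,
    # Asker's first idea: widen the firewall NIC to a single /16.
    "flat /16": {"core": "172.16.0.0/16", "data": "172.16.0.0/16", "voip": "172.16.0.0/16"},
    # Mohammed's plan: servers and PCs share a /22; VoIP moves outside it (172.16.4.x per Jon).
    "/22 plan": {"core": "172.16.0.0/22", "data": "172.16.0.0/22", "voip": "172.16.4.0/24"},
    # Jon's alternative: a /23 for core + data, VoIP at 172.16.3.x.
    "/23 plan": {"core": "172.16.0.0/23", "data": "172.16.0.0/23", "voip": "172.16.3.0/24"},
}


def address_range(cidr):
    """First and last address covered by a CIDR block, e.g. what a /22 really spans."""
    net = ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def _distinct_networks(plan):
    return sorted(set(ip_network(c) for c in plan.values()))


def overlapping_pairs(plan):
    """Pairs of distinct networks in the plan that overlap; a routable plan returns []."""
    nets = _distinct_networks(plan)
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def broadcast_domain_sizes(plan):
    """Usable host count per network: every host here receives every broadcast."""
    return {str(n): n.num_addresses - 2 for n in _distinct_networks(plan)}


def host_actions(plan, hosts=SAMPLE_HOSTS, current=CURRENT):
    """Per host: 'unchanged', 'new mask' (address still valid, mask/gateway change)
    or 'readdress' (current address is outside the network its role gets)."""
    actions = {}
    for name, (role, addr) in hosts.items():
        target = ip_network(plan[role])
        if ip_address(addr) not in target:
            actions[name] = "readdress"
        elif target != ip_network(current[role]):
            actions[name] = "new mask"
        else:
            actions[name] = "unchanged"
    return actions


def summarize(plan_name):
    plan = PLANS[plan_name]
    return {
        "overlaps": overlapping_pairs(plan),
        "broadcast_domains": broadcast_domain_sizes(plan),
        "hosts": host_actions(plan),
    }


if __name__ == "__main__":
    for name in PLANS:
        print(name, summarize(name))
```

Running it confirms Jon's arithmetic: 172.16.0.0/22 spans 172.16.0.0 to 172.16.3.255, so the existing VoIP block at 172.16.2.x lands inside it and must move, while the core and data hosts keep their addresses and only need a new mask and gateway. It also shows why the /16 is the wrong fix: every one of 65,534 addresses sits in one broadcast domain, so nothing separates phones from servers and the firewall never sees traffic between them.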
 
LVL 5

Author Comment

by:Paul Wagner
ID: 40020547
@Mohammed Khawaja
Are you saying to add these NICs to the Firewall?
 
LVL 25

Accepted Solution

by:Mohammed Khawaja (earned 2000 total points)
ID: 40020603
No, what I am saying is that in your environment, you have a router. You create the VLANs on your switches, and you create a sub-interface on your router for each VLAN. When you install VMWare, you create your networking. It is a good practice to create networks based on VLANs for a specific purpose. As an example, I keep all my management IPs in a VLAN (let's call it VLAN1). I have a VLAN for my DMZ (VLAN2), a VLAN for PCs and servers (VLAN3), a backup network (VLAN4), vMotion (VLAN5), etc.

For all NICs in your ESXi host that are connected to the switch, it is a good idea to configure the ports as trunk ports. This will ensure you can use the NIC in VMware for various purposes, and that you are not traversing the router when communicating amongst systems that talk to each other quite a lot (i.e. servers and workstations), as they will not cross the router. This will also ensure that the NIC you have assigned for management can be used for backup or vmotion, etc.

If you do not have a good idea of networking or how networks and VMware should be configured, I suggest you get some help.