Techrunner

asked on

VLAN and IP Addressing Schema

Hello
I am looking for some expert suggestions on proper IP addressing. Let's assume I have multiple buildings and a range of VLAN numbers is assigned to each building; what should the proper design be?


What would be best in this situation? What numbering scheme should be used? I know there are several different ways to accomplish this... just trying to find the right fit for my environment.


We want to use the 10.0.0.0/8 class address space.

Site 1 (HQ) VLAN 2-199
Site 2 VLAN 200-215
Site 3 VLAN 216-222
Site 4 VLAN 223-230
Site 5 VLAN 231-240
Site 6 VLAN 241-250
Site 7 VLAN 251-258

Many thanks in advance
Steven Roman

Hello

This is a good idea

I have done many installations and here is an example of what I use. It is a good idea to allow some spacing in case of growth in the future. It is also not bad to have the VLANs match the subnets; it makes it easier to troubleshoot.

But basically it all boils down to the Business requirements and functions.

No VLAN 1.
Example:
Site 1: 3 floors with a dedicated server room, Layer 2 WAN, basically extending the LAN to all buildings (PTP).

Network Management  VLAN 254   10.10.254.0/24
Servers             VLAN 3     10.10.3.0/24
FL1 Voice           VLAN 10    10.10.10.0/24
FL1 Data            VLAN 12    10.10.12.0/24
FL2 Voice           VLAN 14    10.10.14.0/24
FL2 Data            VLAN 16    10.10.16.0/24
FL3 Voice           VLAN 18    10.10.18.0/24
FL3 Data            VLAN 20    10.10.20.0/24
Site 2
FL1 Voice           VLAN 30    10.10.30.0/24
FL1 Data            VLAN 32    10.10.32.0/24
FL2 Voice           VLAN 34    10.10.34.0/24
FL2 Data            VLAN 36    10.10.36.0/24
FL3 Voice           VLAN 38    10.10.38.0/24
FL3 Data            VLAN 40    10.10.40.0/24

Hope this helps.

Thanks
Techrunner (ASKER)

Hi Steven
With your suggestion, I won't be able to summarize the Site 1 subnet separately from Site 2 because the second octet is the same.

Let's say I have Site 20 with VLANs 250-299; how would you advise numbering the subnets so that each one identifies the site and the VLAN number?

Thanks
Hello,

Correct on the summarization. In my example I had a Layer 2 WAN extending all sites together.

What kind of connection is between your buildings?

For the other sites I would stick with lower VLANs and use higher VLANs for specialty services like DEV servers, Citrix load balancers etc.

This will, in the long run, help someone picking up after it's all laid out.

Thanks
Hi,
Even if the sites are connected using L3 links, I'd still prefer to keep the same sequence of VLAN numbers across all sites.

Example
Site 1 VLANs 1-99
Site 2 VLAN 100-199
Site 3 VLAN 200-230
Site 25 VLAN 300-340
and so on

But I'm not able to come up with the numbering of the subnets. I was thinking of doing it this way:

Site 15 VLAN 238

Subnet : 10.152.38.0/24

Site 16 VLAN 255
Subnet : 10.162.55.0/24

I'm
SOLUTION
Steven Roman
This solution is only available to members.
Actually, every floor at each site has several departments like marketing, finance and auditing, so is it good practice to put them in the same VLAN? What about security?
SOLUTION
This solution is only available to members.
Let me boil down the concern in two points

1.
Let's say I have VLAN 255 at Site 16 with subnet 10.162.55.0/23; this VLAN is dedicated to all branch users. Sometimes I want to restrict user A from talking to user B in the same VLAN.
Maybe user A belongs to Audit and user B belongs to Finance.

This is the kind of security I was talking about.

2.
Another point: even if I use the /23, my VLAN will vary from one location to another.

Assume Site 16 and VLAN 255 with subnet 10.162.55.0/23. Then my next VLAN at the same site will be 258 with subnet 10.162.58.0/24.
Hi,

So if I understand this correctly, you sometimes restrict user A from talking to user B in the same site via ACL?
If you have wireless in the building, what's to stop them from talking over wireless? Especially since almost all people have wireless on and configured to auto-connect while in the office.

If user A is in the audit group and B is in finance and they cannot talk to each other, do they still access the same server? Not sure what preventing them from talking to each other is doing.

What mechanism is in place today for you to restrict this type of access?

I would use Cisco ISE or Impulse Point to better implement secure connections, isolation and auditing.

Second part: a /23 is 512 addresses, so this would be 10.162.55.0 to 10.162.56.254.
Next would be 10.162.57, but skipping a subnet like you listed is a good idea.

Hope this helps.

Thanks
If two users A and B are on different subnets I can restrict them via ACLs, but having them in the same VLAN would allow a user in the audit group to sniff the data of the finance group; just an example.

Mostly our Corp Users are on Wired Connections.
SOLUTION
Craig Beck
This solution is only available to members.
Actually we have a mix of L2 and L3 links; mostly our sites are connected with L2 wireless bridges. In this case the same VLAN has to be created on both sides.
I'd really suggest putting routers behind each wireless bridge at each end. It'll conserve bandwidth over the links by cutting out all of the unnecessary broadcast traffic. They would then serve as a distribution layer in conjunction with the L2 switch.
Our wireless bridge at the remote site is connected to a Layer 3 distribution switch.


Site 1 (HQ) ---- L2 Switch ---- Wireless Point-to-Point Link ---- L3 Switch ---- Site 16 (Branch)
VLAN 255                                                           VLAN 255
10.162.55.0/29                                                     10.162.55.0/29

This is currently what we have done at our site.

Let me know what improvements or redesign you would make to the above design.
SOLUTION
This solution is only available to members.
That looks like what you did already?
So the remote site has a L3 switch. That's good. You can use that in a dist/access fashion. At the main site I'd put the wifi bridge on its own VLAN and do the same at the remote site, implementing a /29 so you can keep the link as clean as possible.

That will then let you use the same VLAN IDs for each site as I suggested.

Is it possible to just provide a simple diagram to get a better understanding?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Awesome!

I think it will be better to keep the same VLAN IDs at all the sites and just change the site number:

Site 1 VLAN 1-99 10.1.0.0/16
Site 10 VLAN 1-99 10.10.0.0/16

In this case, if Site 1 and the other site are connected with L2, the VLAN ID will remain the same.
If I had a VLAN 100 at the main site and a requirement to extend the same VLAN to another site, then I'd just trunk the wireless link.
Will there be any issue?
In this case, if Site 1 and the other site are connected with L2, the VLAN ID will remain the same.

They'd need to have L3 between them.

You could trunk the wireless link but use an SVI at each end to route traffic. That would let you create a trunked VLAN to extend across the wifi link and only create an SVI at the core.

It's not recommended though. After all, routing over the wifi link is there to stop L2 broadcasts from taking unnecessary bandwidth. Extending L2 over it would make that pointless.
Sir,
As per your diagram, the interfaces behind the wifi device will be access ports in VLAN 255.
From the branch site I can create a default route pointing to the wifi device at the main site,
and add a static route at the main site, i.e. 10.2.0.0/16 pointing to the wifi device at the branch site.

So here we have a pure L2 link between both sites?
SOLUTION
This solution is only available to members.
What I'm saying is that VLAN 110 at HQ is not the same as VLAN 110 at the remote site. There is an L3 hop between them.

Look at it like two different companies.  They could both use unmanaged switches which would effectively mean everything at each site is on VLAN 1.  If we put a router between them there is no L2 between them.  They use different IPs, but the same VLAN ID and it works fine.
In this scenario, as soon as I create the same VLAN at the branch office, the main site becomes the STP root bridge for this VLAN at the branch site.
I created two VLANs at both sites (main and branch).

Then I ran Wireshark and captured the traffic on the link connecting the L3 switch and the wireless bridge at the branch office.

I see the broadcast traffic was sent through the link to the branch site.

Any guess?
Yes, at the moment it's all L2 between the sites.

If you do L3, broadcast traffic on VLAN 255 will traverse the link, but there won't be much really, as there are no real hosts on that segment; it's for the wifi bridges only. Once you do L3 at the remote site, all broadcast traffic will be limited to that site only unless it needs to be converted to unicast using IP helpers.
Thanks
But how can I make it Layer 3 with a wireless bridge?
As I said, you already have an L3 switch at the remote site. You need to do as I showed in the diagram at the HQ side.

The wifi bridges need to be on their own VLAN with nothing else apart from an SVI at the core and an SVI at the L3 switch. That will create L3 separation between the HQ and remote sites.
Hi,
as per the diagram this would be my configuration:

Main Site (Core Switch)

Create VLAN
vlan 225
 name WirelessP2P-Site16

Create SVI
interface Vlan225
 description P2P to Site 16 over wireless bridge
 ip address 10.1.225.1 255.255.255.248
 no shutdown

L2 Switch (Main Site)

interface GigabitEthernet0/48
 description Link to Site 16 Wireless Bridge
 switchport mode access
 switchport access vlan 225

Distribution Switch (Branch Site)

vlan 225
 name WirelessP2P-MainSite

interface Vlan225
 description P2P to Main Site over wireless bridge
 ip address 10.1.225.2 255.255.255.248
 no shutdown

interface GigabitEthernet0/48
 description Link to Wireless Bridge
 switchport mode access
 switchport access vlan 225

Wireless Bridge at Main Site IP: 10.1.225.3/29
Wireless Bridge at Branch Site IP: 10.1.225.4/29

Is that fine, Sir?
Looks perfect, Samir!
Thanks
But I see there is one caveat: if I create another VLAN on the branch site L3 switch with the same VLAN ID that already exists on the main site L2 switch, then broadcasts from the main site reach the branch office hosts as well.
SOLUTION
This solution is only available to members.
It's very clear now.

If I don't create the SVI for VLAN 225 at the branch site and just create it at the main site, then this link becomes an L2 link.

Just one very last query on IP addressing.

We have decided to go with the same VLAN IDs at all the sites; we'll just change the octet to match the site number.

For example

Site 1 : 10.1.0.0/16
Site 2 : 10.2.0.0/16 and so on.

I just want to clear up the confusion about IP addressing on point-to-point links like in our previous scenario.
Shall we follow a separate scheme for those links?

10.40.23.0/29 Site 1 ------- Site 2
10.40.24.0/29 Site 1 ------- Site 3
10.40.25.0/29 Site 1 ------- Site 4

Thanks for clearing up this last confusion.
SOLUTION
This solution is only available to members.
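A small planner for the scheme the thread settles on (site number in the second octet, VLAN ID in the third, point-to-point /29s from a separate block), added here as an example and not code from the thread or its participants. It assumes a 10.40.0.0/16 link block (taken from the asker's 10.40.23.0/29 example) and VLAN IDs of 254 or less, and it also flags the misaligned /23 mentioned earlier in the thread and a link block that would collide with a site's /16.

```python
import ipaddress

# Scheme settled on in the thread: each site owns 10.<site>.0.0/16, the same VLAN
# IDs are reused at every site with the VLAN ID as the third octet, and the wireless
# point-to-point links take /29s from a separate block (10.40.0.0/16 is assumed).
P2P_BLOCK = ipaddress.ip_network("10.40.0.0/16")

def site_summary(site):
    """Summary route for a site, e.g. site 2 -> 10.2.0.0/16."""
    return ipaddress.ip_network(f"10.{site}.0.0/16")

def vlan_subnet(site, vlan):
    """VLAN subnet at a site; the VLAN ID becomes the third octet (so max 254)."""
    if not 1 <= vlan <= 254:
        raise ValueError("VLAN ID must fit in one octet for this scheme")
    return ipaddress.ip_network(f"10.{site}.{vlan}.0/24")

def p2p_subnet(link_no):
    """/29 for point-to-point link number link_no: 10.40.<link_no>.0/29."""
    base = int(P2P_BLOCK.network_address) + (link_no << 8)
    return ipaddress.ip_network((base, 29))

def is_aligned(cidr):
    """False when the address is off its mask boundary; the thread's 10.162.55.0/23
    fails because a /23 must start on an even third octet."""
    try:
        ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return True

def check_plan(sites, vlans, links):
    """List problems: a link /29 that lands inside a site's /16 (e.g. a site
    numbered 40 with this link block), or any two allocations that overlap."""
    problems, allocated = [], []
    for site in sites:
        allocated += [vlan_subnet(site, vlan) for vlan in vlans]
    for link in links:
        net = p2p_subnet(link)
        for site in sites:
            if net.overlaps(site_summary(site)):
                problems.append(f"link {net} collides with site {site} space")
        allocated.append(net)
    for i, a in enumerate(allocated):
        for b in allocated[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems
```

Run check_plan over the full site list before rolling out: an empty result means every site /16, VLAN /24 and link /29 is unique and no site number has grown into the link block.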