Techrunner
asked on
VLAN and IP Addressing Schema
Hello
I am looking for some expert suggestions on proper IP addressing. Let's assume I have multiple buildings and ranges of VLAN numbers are assigned to the buildings; what should the proper design be?
What would be best in this situation? What numbering scheme should be used? I know there are several different ways to accomplish this... just trying to find the right fit for my environment.
We want to use Class A addressing, 10.0.0.0/8.
Site 1 (HQ): VLAN 2-199
Site 2: VLAN 200-215
Site 3: VLAN 216-222
Site 4: VLAN 223-230
Site 5: VLAN 231-240
Site 6: VLAN 241-250
Site 7: VLAN 251-258
Many thanks in advance
ASKER
Hi Steven
With your suggestion, I won't be able to summarize the Site 1 subnet to Site 2 because the second octet is the same.
Let's say I have Site 20 with VLANs 250-299; then how would you advise numbering the subnets so that each one identifies the site and the VLAN number?
Thanks
Hello,
Correct on the summarization. In my example I had a Layer 2 WAN extending to all sites together.
What kind of connection is between your buildings?
For the other sites I would stick with lower VLANs and use higher VLANs for specialty services like DEV servers, Citrix load balancers, etc.
This will help, in the long run, whoever picks up after it's all laid out.
Thanks
ASKER
Hi,
Even if the sites are connected using L3 links, I'd still prefer to keep the same sequence of VLAN numbers across all sites.
Example:
Site 1: VLANs 1-99
Site 2: VLAN 100-199
Site 3: VLAN 200-230
Site 25: VLAN 300-340
and so on
But I'm not able to come up with the numbering of the subnets. I was thinking of doing it this way:
Site 15 VLAN 238
Subnet : 10.152.38.0/24
Site 16 VLAN 255
Subnet : 10.162.55.0/24
I'm
ASKER
Actually every floor at each site has several departments like marketing, financial, auditing, so is it a good practice to put them in the same VLAN? What about security?
ASKER
Let me boil down the concern to two points.
1.
Let's say I have VLAN 255 at Site 16 with subnet 10.162.55.0/23; this VLAN is dedicated to all branch users. Sometimes I want to restrict user A so that it should not talk to user B in the same VLAN.
Maybe user A could belong to Audit and user B could belong to Finance.
This is the kind of security I was talking about.
2.
Another point: even if I use the /23, my VLAN will vary from one location to another.
Assume Site 16 and VLAN 255 with subnet 10.162.55.0/23. So my next VLAN at the same site will be 258 with subnet 10.162.58.0/24.
Hi,
So if I understand this correctly, you sometimes restrict user A from talking to user B at the same site via ACL?
If you have wireless in the building, what's to stop them from talking over wireless? Especially since almost all people have wireless on and configured to auto-connect while in the office.
If user A is in the audit group and B is in finance, and they cannot talk to each other, do they access the same server? Not sure what preventing them from talking to each other is doing.
What mechanism is in place today for you to restrict this type of access?
I would use Cisco ISE or Impulse Point to better implement secure connections, isolation and auditing.
Second part: a /23 is 512 addresses, so this would be 10.162.55.0 to 10.162.56.254.
Next would be 10.162.57, but skipping a subnet like you listed is a good idea.
Hope this helps.
Thanks
ASKER
If users A and B are in different subnets I can restrict them via ACLs, but having them in the same VLAN would allow a user in the audit group to sniff the data of the finance group, just as an example.
Mostly our Corp Users are on Wired Connections.
ASKER
Actually we have a mix of L2 and L3 links; mostly our sites are connected with L2 wireless bridges. In this case the same VLAN has to be created on both sides.
I'd really suggest putting routers behind each wireless bridge at each end. It'll conserve bandwidth over the links by cutting out all of the unnecessary broadcast traffic. They would then serve as a distribution layer in conjunction with the L2 switch.
ASKER
Our wireless bridge at the remote site is connected to the distribution Layer 3 switch.
Site 1 (HQ) -------- L2 Switch ----------- Wireless Point-to-Point Link ------ L3 Switch -------- Site 16 (Branch)
                     VLAN 255                                                  VLAN 255
                     10.162.55.0/29                                            10.162.55.0/29
This is currently what we have done with our site.
Let me know what improvements or redesign you would suggest for the above design.
That looks like what you did already?
ASKER
So the remote site has a L3 switch. That's good. You can use that in a dist/access fashion. At the main site I'd put the wifi bridge on its own VLAN and do the same at the remote site, implementing a /29 so you can keep the link as clean as possible.
That will then let you use the same VLAN IDs for each site as I suggested.
Is it possible to just provide a simple diagram to get a better understanding?
ASKER
Awesome!
I think it will be better to keep the same VLAN IDs at all the sites and just change the site number.
Site 1: VLAN 1-99, 10.1.0.0/16
Site 10: VLAN 1-99, 10.10.0.0/16
In this case, if Site 1 and Site are connected with L2, then the VLAN ID will remain the same.
ASKER
If I had a VLAN 100 at the main site and I had a requirement to extend the same VLAN to another site, then I'd just trunk the wireless link.
Will there be any issue?
In this case, if Site 1 and Site are connected with L2, then the VLAN ID will remain the same.
They'd need to have L3 between them.
You could trunk the wireless link but use an SVI at each end to route traffic. That would enable you to create a trunked VLAN to extend across the WiFi link and only create an SVI at the core.
It's not recommended though. After all, routing over the WiFi link is there to stop L2 broadcasts from taking unnecessary bandwidth. Extending L2 over it will make that pointless.
ASKER
Sir
As per your diagram, the interfaces behind the WiFi device will be access ports in VLAN 255.
From the branch site I can create a default route pointing to the WiFi device at the main site,
and add a static route at the main site, i.e. 10.2.0.0/16, pointing to the WiFi device at the branch site.
So here we have a pure L2 link between both sites?
What I'm saying is that VLAN 110 at HQ is not the same as VLAN 110 at the remote site. There is an L3 hop between them.
Look at it like two different companies. They could both use unmanaged switches which would effectively mean everything at each site is on VLAN 1. If we put a router between them there is no L2 between them. They use different IPs, but the same VLAN ID and it works fine.
ASKER
In this scenario, as soon as I create the same VLAN at the branch office, the main site becomes the STP root bridge for this VLAN at the branch site.
ASKER
I created two VLANs at both sites (Main and Branch).
Then I ran Wireshark and captured the traffic on the link connecting the L3 switch and the wireless bridge at the branch office.
I see the broadcast traffic was sent through the link to the branch site.
Any guess?
Yes, at the moment it's all L2 between the sites.
If you do L3, broadcast traffic on VLAN 255 will traverse the link, but there won't really be any, as there are no real hosts on that segment - it's for the WiFi bridges only. Once you do L3 at the remote site, all broadcast traffic will be limited to that site only unless it needs to be converted to unicast using IP helpers.
ASKER
Thanks
But how can I make it Layer 3 with a wireless bridge?
As I said, you already have an L3 switch at the remote site. You need to do as I showed in the diagram on the HQ side.
The WiFi bridges need to be on their own VLAN with nothing else apart from an SVI at the core and an SVI at the L3 switch. That will create L3 separation between the HQ and remote sites.
ASKER
Hi,
As per the diagram, this would be my configuration:

Main Site (Core Switch)
! Create the VLAN for the point-to-point wireless link
vlan 225
 name WirelessP2P-Site16
! Create the SVI (the missing "ip address" keyword is added here)
interface Vlan225
 ip address 10.1.225.1 255.255.255.248

L2 Switch (Main Site)
interface GigabitEthernet0/48
 description Link to Site 16 Wireless Bridge
 switchport access vlan 225

Distribution Switch (Branch Site)
vlan 225
 name WirelessP2P-MainSite
interface Vlan225
 ip address 10.1.225.2 255.255.255.248
interface GigabitEthernet0/48
 description Link to Wireless Bridge
 switchport access vlan 225

Wireless Bridge at Main Site IP: 10.1.225.3/29
Wireless Bridge at Branch Site IP: 10.1.225.4/29
Is that fine, Sir?
Looks perfect, Samir!
ASKER
Thanks
But I see there is one caveat: if I create another VLAN on the Branch Site L3 switch with the same VLAN ID that already exists on the Main Site L2 switch, then broadcasts from the main site reach the branch office hosts as well.
ASKER
It's very clear now.
If I don't create the SVI for VLAN 225 at the Branch Site and just create it at the Main Site, then this link becomes an L2 link.
Just a very last query on IP addressing.
We have decided to go with the same VLAN IDs on all the sites; we'll just change the octet to match the site number.
For example:
Site 1: 10.1.0.0/16
Site 2: 10.2.0.0/16, and so on.
I just want to clear up the confusion about IP addressing on point-to-point links like in our previous scenario.
Shall we follow a separate scheme for those links?
10.40.23.0/29 Site 1 ------- Site 2
10.40.24.0/29 Site 1 ------- Site 3
10.40.25.0/29 Site 1 ------- Site 4
Thanks for clearing up this last confusion.
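As an added check (not code from the thread) on the scheme settled on above: same VLAN IDs at every site, second octet = site number, VLAN ID as the third octet, and a separate block for the /29 point-to-point links. It assumes the link pattern 10.40.(21+site).0/29, which generalises the three links listed, and uses only Python's standard ipaddress module; it also shows the /23 boundary rule from the earlier 10.162.55.0/23 exchange and that VLAN IDs above 255 cannot be encoded in an octet.

```python
import ipaddress

def site_summary(site):
    """Per-site aggregate under the scheme: 10.<site>.0.0/16 (second octet = site number)."""
    if not 1 <= site <= 255:
        raise ValueError("site number must fit in one octet (1-255)")
    return ipaddress.ip_network(f"10.{site}.0.0/16")

def vlan_subnet(site, vlan, prefix=24):
    """Subnet for a VLAN at a site: 10.<site>.<vlan>.0/<prefix>, same VLAN ID at every site."""
    if not 1 <= vlan <= 255:
        # The VLAN ID lives in the third octet, so IDs such as 300-340 cannot be encoded.
        raise ValueError("VLAN ID must fit in one octet (1-255)")
    # strict=True rejects a network whose host bits are set, e.g. 10.16.55.0/23:
    # a /23 must start on an even third octet (10.16.54.0/23 is the aligned block).
    return ipaddress.ip_network(f"10.{site}.{vlan}.0/{prefix}", strict=True)

def p2p_link(remote_site):
    """Hub-to-branch /29 from a block outside the per-site ranges.
    Assumed pattern 10.40.(21+site).0/29 reproduces the three links in the post
    (Site 2 -> 10.40.23.0/29, Site 3 -> 10.40.24.0/29, Site 4 -> 10.40.25.0/29)."""
    return ipaddress.ip_network(f"10.40.{21 + remote_site}.0/29")

def overlaps(subnets):
    """Return every pair of subnets that overlap; an empty list means they are disjoint."""
    nets = list(subnets)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

def build_plan(sites, vlans, hub=1):
    """Map each (site, vlan) and each hub link to its subnet; raise if anything collides."""
    plan = {f"site{s}-vlan{v}": vlan_subnet(s, v) for s in sites for v in vlans}
    links = {f"link-site{hub}-site{s}": p2p_link(s) for s in sites if s != hub}
    plan.update(links)
    # Check links against the whole /16 of every site, not only the VLANs in use today:
    # a future Site 40 would summarise to 10.40.0.0/16 and swallow the link block.
    summaries = [site_summary(s) for s in sites]
    bad = overlaps(plan.values()) + [(l, a) for l in links.values()
                                    for a in summaries if l.overlaps(a)]
    if bad:
        raise ValueError(f"overlapping subnets: {bad}")
    return plan

if __name__ == "__main__":
    for name, net in build_plan([1, 2, 16], [10, 12, 100]).items():
        print(f"{name:20} {net}")
```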
This is a good idea.
I have done many installations and here is an example of what I use. It's a good idea to allow some spacing in case of growth in the future. It's also not bad to have the VLANs match the subnets.
It makes it easier to troubleshoot.
But basically it all boils down to the business requirements and functions.
No VLAN 1.
Example:
Site 1: 3 floors with a dedicated server room, Layer 2 WAN, basically extending the LAN to all buildings (PTP)
Network Management VLAN 254 10.10.254.0/24
Servers VLAN 3 10.10.3.0/24
FL 1 Voice VLAN 10 10.10.10.0/24
FL 1 Data VLAN 12 10.10.12.0/24
FL2 Voice VLAN 14 10.10.14.0/24
FL2 Data VLAN 16 10.10.16.0/24
FL3 Voice VLAN 18 10.10.18.0/24
FL3 Data VLAN 20 10.10.20.0/24
Site 2
FL 1 Voice VLAN 30 10.10.30.0/24
FL 1 Data VLAN 32 10.10.32.0/24
FL 2 Voice VLAN 34 10.10.34.0/24
FL 2 Data VLAN 36 10.10.36.0/24
FL 3 Voice VLAN 38 10.10.38.0/24
FL 3 Data VLAN 40 10.10.40.0/24
Hope this helps.
Thanks