Hey everyone, I need help with something; I am not sure if I have done this right.

OK, so we have a small network, with printers, Wi-Fi, agents, supervisors, and all.

To break down the IPs needed I listed the devices or total number of IP addresses each Department (VLAN) needs, which is as follows:

10.0.0.0/24 is my private address. So from, let's say, FA0/1 on the router will have the first subnet following. For instance 10.0.0.1 /30.

10.0.0.0 - 3 /30 for the link from my Router to switch. (2 IPs needed)
10.0.0.4 - 11 /29 for the Management department (6 IPs needed)
10.0.0.12 - 19 /29 for the IT Department (6 IPs needed)
10.0.0.20 - 27 /29 for the Printers (6 IPs needed)
10.0.0.28 - 43 /28 for the Servers (10 IPs needed)
10.0.0.44 - 59 /28 for the Supervisors (10 IPs needed)
10.0.0.60 - 123 /26 for the Wi-Fi (50 IPs needed)
10.0.0.124 - 251 /25 for the Agents (100 IPs needed)

VLANS Setup

VLAN10 (Agents)
VLAN20 (Supervisors)
VLAN30 (Mgt)
VLAN40 (IT Dept)
VLAN50 (Servers)
VLAN60 (Wi-Fi)

How do I set this up so that the VLANs can get to the R1 FA0/1 interface, which is technically on a different network? It would be in the 10.0.0.0 network.

My main question is, did I subnet this correctly?

Logically speaking, I would put a switch inside each department which would be connected to the main L3 Switch.

So let's say that S1 is in the IT lab. I would run a cable from port 1 on S1 to, let's say, port 12 on the L3 switch. Then on the L3 switch I would configure port 12 as VLAN40? Is that correct?

If so,

What DHCP settings would I configure for VLAN40 as the default gateway: would it be 10.0.0.1, or would it be an IP address from the IT subnet, for example 10.0.0.13? Because up above, IT Dept is in the 10.0.0.12 - 19 range.

@Cisco

7 Spice ups

Why are you only able to use a /24? All of /8 should be available to you. Seems like that limitation is really cutting it close and not leaving any room for expanding without messing up your VLANs later. If you can, I’d just give each type a /24 of its own. Really though, do you need VLANs at all? Is there any reason people need to be separated, or is one environment fine? It might just be easier to have a single LAN.

You should expand on what exactly you’re trying to do and why.

4 Spice ups

This is what I am trying to do, just something simple that has all the areas covered, so that I can take what I learn here and expand it in a real environment.

There is no expansion in this case; it's an example fake company I am designing so I can learn how to do a real one if needed. All I would have to do is expand the IP range like you said. But in this case the IP range works.

I am mostly concerned with the way that I have subnetted, and then the VLAN question in my original post.

I don’t know if it’s actually best practice or not, but I like to start with the largest subnets first and then move on to the smaller ones. Also, I would have to agree with leaving room for expansion, as that is best practice. Maybe start with a /16 subnet instead of a /24 and then allow some extra room for additional hosts in each subnet.

EDIT: The gateway would be the IP of the router interface that everything is going to be funneled through to the ISP. As far as the VLANs go, I’m not much help above L2 VLANs. If you are using Cisco switches, I would set up the L3 switch as a VTP server and the rest of your switches as clients. Use that to propagate your VLANs and then assign switchports etc. afterwards. Don’t take my word on this though. I’m still in school and don’t have very much real-world experience with switched networks.

I know that it should be subnetted from highest to lowest, but does it really matter? I am not too sure, which is why I am here. I am just used to seeing my gateway as the 0.1 IP address.

And sorry, but please no more comments about the IP expansion, I know that. This is just a simulated real-world setting. There actually is room to grow. In my notes I have:

Agents only 100 IPs, but gave them 126.
IT only 4 IPs, but gave them 6.
Management only 2 IPs, I gave them 6.
Supervisors only 10 IPs, I gave 14.
Servers only 10 IPs, I gave them 14.
and so on.

So I did already account for some growth.

Like I am asking, how do I, in a basic sense, configure the VLANs so that DHCP can assign them accordingly?

Thank you, and I am not trying to sound rude in any way, but I already account for the growth. This is, just like I said, a lot for a small network, but then I can take the same knowledge and apply it to a big network, just add more IPs in the mix.

Using subnets and VLANs in this manner is an unnecessary duplication of effort.

Using eight subnets and nine switches when one subnet and one switch is adequate? Not a way to continue your employment.

4 Spice ups

OK, so then if I take out the subnetting and just put everything on as few switches as I need: 1 IP per port, so let's say I have 150 IPs in total and I have 24-port switches. I can just connect all the devices to 6 (anywhere from $200.00 - $600.00 each) switches, then have a router connected to 1 of the ports on 1 of the switches?

I am not sure how I would switch/route this plan, which is why I am asking it in a real-world state.

And for the VLANs, can I configure based on “port” what IP range that device is getting through DHCP?

I am not that much of a newb, I just have too much textbook knowledge, so I am trying to put it in real-world terms.

But thanks for the replies already, everyone.

I would suggest that VLANs will only really be of value once you get over 150 users.

The way that you are planning to set it up will give you very little room for any changes in future and possibly cause you a lot of issues.

As far as I can see, it would be easier to set up and manage to use the third octet as your dept identifier with a class B subnet (/16), e.g.

10.0.0.x - for the link from my Router to switch.
10.0.1.x - for the Management department
10.0.2.x - for the IT Department
10.0.3.x - for the Printers
10.0.4.x - for the Servers
10.0.5.x - for the Supervisors
10.0.6.x - for the Wi-Fi
10.0.7.x - for the Agents

That would work well and be far easier to manage; and I’ll bet that you could remember the specific address configuration far easier.

4 Spice ups

OK, in a Cisco world:

Let's assume that you have a layer 3 switch that is the VTP server; make the other layer 2 switches VTP clients and this way all VLANs will be updated to the VTP server.

On the layer 3 switch set each VLAN with an IP address and issue the ip helper-address command pointing to your DHCP server. Also enter the default gateway, which points to your router.
i.e. – 192.168.2.1 255.255.255.0
ip helper-address 192.168.0.1 (DHCP server)
ip default-gateway 192.168.0.252

Now on your DHCP server configure a new scope for each VLAN and set the router address as the IP of the VLAN.
i.e. – VLAN 2 – start 192.168.2.11, end 192.168.2.20, router address 192.168.2.1

This is how I have configured this many times to route between vlans and assign dhcp using AD and DHCP.

4 Spice ups

The basic description of patching / L3 switching is right.

At that amount of users I really wouldn't bother, unless you see a massive growth. The routing issues/costs to set up would kill you compared to a normal business risk value of the value of the data.

You can do more by spending money on securing the end-points with full disk encryption, user education, better web-filtering etc.

Although others have pointed out that you are probably over complicating your network somewhat (I am currently planning re-IP addressing all ours and have decided to keep it simple), the subnetting should be done largest first to smallest last - as far as I am aware, it isn’t only best practice but it is the only way your network will work.

e.g. 10.0.0.4 is not a valid network address with a /29 mask - once you go small at the beginning, you have to miss out bits of the range to get another address.

If you had been assigned public addresses, then subnetting to the nth degree would be required, but since it is in private, there really isn’t any great need to conserve addresses as much - it is taught in the likes of Cisco courses as part of CCNA, but in reality, unless you have a very large network, you won’t be running out of addresses anytime soon.

1 Spice up
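To make the subnetting point above concrete (a block whose first address is not a multiple of its size is not a valid network, and carving the range largest-first is what keeps every block aligned), and to tie it to the earlier Cisco reply about one DHCP scope per VLAN with the VLAN's own IP as the router address, here is an added Python example. It is not code from anyone in this thread. It checks the original poster's plan for alignment, reallocates the same requests inside 10.0.0.0/24 largest-first, and derives a gateway and DHCP range for each resulting subnet. Assumptions: the thread gives no VLAN number for Printers or for the router link, so those are left unset; "gateway = first usable address, DHCP pool = the rest" is this example's convention, not something the thread prescribes. The security reason to care is that ACLs and segmentation are written in terms of these blocks: an ACL for 10.0.0.4/29 actually matches 10.0.0.0 - 10.0.0.7, so a misaligned plan silently puts hosts outside the rules meant to cover them.

```python
import ipaddress

# Constructed from the original poster's request list: (name, VLAN id, hosts needed).
# The thread gives no VLAN number for Printers or the router link, so those are
# None here (an assumption, not something the thread states).
REQUESTS = [
    ("Agents", 10, 100),
    ("Supervisors", 20, 10),
    ("Mgt", 30, 6),
    ("IT Dept", 40, 6),
    ("Servers", 50, 10),
    ("Wi-Fi", 60, 50),
    ("Printers", None, 6),
    ("Router link", None, 2),
]

# The allocation exactly as posted (first address and prefix of each block).
POSTED_PLAN = {
    "Router link": "10.0.0.0/30",
    "Mgt": "10.0.0.4/29",
    "IT Dept": "10.0.0.12/29",
    "Printers": "10.0.0.20/29",
    "Servers": "10.0.0.28/28",
    "Supervisors": "10.0.0.44/28",
    "Wi-Fi": "10.0.0.60/26",
    "Agents": "10.0.0.124/25",
}


def check_alignment(plan):
    """Map each name to (cidr, aligned). A block is aligned only when its first
    address has no host bits set; ip_network(strict=True) raises otherwise.
    A misaligned block such as 10.0.0.4/29 really denotes 10.0.0.0/29, so the
    addresses intended for it are not all inside it."""
    result = {}
    for name, cidr in plan.items():
        try:
            ipaddress.ip_network(cidr, strict=True)
            result[name] = (cidr, True)
        except ValueError:
            result[name] = (cidr, False)
    return result


def prefix_for(hosts):
    """Smallest IPv4 prefix whose usable host count (2**bits - 2) covers `hosts`."""
    prefix = 32
    while (2 ** (32 - prefix)) - 2 < hosts:
        prefix -= 1
    return prefix


def vlsm_allocate(supernet, requests):
    """Carve `supernet` largest-first. Sorting by prefix (biggest block first)
    is what keeps every block aligned: each next block is the same size or
    smaller, so the cursor always lands on a multiple of that block's size.
    Convention assumed here: gateway = first usable address (the VLAN/SVI IP),
    DHCP pool = the remaining usable addresses."""
    net = ipaddress.ip_network(supernet)
    ordered = sorted(requests, key=lambda r: prefix_for(r[2]))  # stable sort
    cursor = net.network_address
    plan = []
    for name, vlan, hosts in ordered:
        sub = ipaddress.ip_network(f"{cursor}/{prefix_for(hosts)}", strict=True)
        if not sub.subnet_of(net):
            raise ValueError(f"{supernet} exhausted while allocating {name}")
        usable = list(sub.hosts())
        plan.append({
            "name": name,
            "vlan": vlan,
            "subnet": str(sub),
            "gateway": str(usable[0]),
            "dhcp_range": (str(usable[1]), str(usable[-1])),
            "usable": len(usable),
        })
        cursor = sub.broadcast_address + 1
    return plan


if __name__ == "__main__":
    for name, (cidr, ok) in check_alignment(POSTED_PLAN).items():
        print(f"{'ok     ' if ok else 'INVALID'} {name:12} {cidr}")
    print()
    for p in vlsm_allocate("10.0.0.0/24", REQUESTS):
        print(f"VLAN {str(p['vlan']):>4} {p['name']:12} {p['subnet']:16} "
              f"gw {p['gateway']:12} dhcp {p['dhcp_range'][0]} - {p['dhcp_range'][1]}")
```

Run as-is, the alignment check flags every posted block except 10.0.0.0/30, and the largest-first pass lands Agents at 10.0.0.0/25, Wi-Fi at 10.0.0.128/26, and the IT department at 10.0.0.232/29 with gateway 10.0.0.233, all still inside the /24 and each block starting on a multiple of its own size. The per-subnet gateway and DHCP range are what you would then put into the VLAN's SVI and its DHCP scope.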

Real world scenario;

Your MD walks up to your desk and informs you a new team is starting tomorrow. There will be two managers, 4 supervisors, 35 agents. They require 3 printers and a new dedicated file server. Everyone in the team will also be using a tablet that requires WiFi access.

Where are you getting your IPs from?

What about when he does the same thing 6 months down the line?

And bear in mind, on top of the panicking about the IPs, you’ve still got to source PCs, mice, keyboards etc., etc.

And yes, you will be given the entirety of a day's notice, I promise you that. :)

Don’t over engineer it, a huge empty subnet is not generating extra traffic, only as much traffic as there are hosts attached to it.

edit Bear/Bare, corrected!

1 Spice up

I’ve done something similar recently with a layer 3 switch and subnetting ‘logical’ depts off that L3 switch.

Given each VLAN a default IP, and that's the gateway to that subnet.

You may get problems with multicast - I had to manually add ARP table entries for our Exchange CAS on the L3 switch even though I turned on and configured the multicast routing side of things.

Isn’t the point of having VLANs to avoid having to have everything on its own separate physical network, to where you can just have a VLAN tag on devices?

Ok so I have changed the IP Scheme, I am using 172.16.X.X.

One question, though.

If I have, let's say, 150 agents, meaning 150 IP addresses / ports, what would be the best way to connect them to switches?

Do I need 7 24-port switches just for the 1 VLAN, and then have each of the 7 switches wired to 1 layer 3 switch?

Don't mean to sound so newbish, but I'm just having a hard time putting this in real terms.

Thanks for all the help again everyone.

7 switches connected to a layer 3 switch would probably work. Personally, I would make sure to interconnect some of the L2 switches also to eliminate some of the workload on the L3 switch. It doesn’t need to be messing with all the intranet communication on top of all the stuff going outside the LAN if it doesn’t have to.

EDIT: The other thing I would recommend is to get your hands on Packet Tracer and set this all up in there. Then you can see a visual representation of the topology and maybe get some more ideas on how to make it better.

1 Spice up

That’s six to one, half a dozen to another, really makes no odds.

You will need physically as many ports as you have devices to connect to, but I’d recommend looking at 48 port switches over 24, back to the simplicity again, don’t use more hardware than you have to. If you’re looking at VLANs then physical segmentation of the subnet isn’t required, but try where possible to keep all ports belonging to one VLAN on one physical switch to ensure optimal switching of said subnet.

Do management really need a separate subnet to users? What are you protecting them from? Usually it’s a case of agents can’t access certain files that management can, but this is controlled via NTFS permissions, not by running 2 file servers on separate LANs and securing with ACLs. In fact you could ask the same of all the splits you have mentioned: is it really necessary?

The Cisco model says you have 3 layers of switching, a Core layer, a Distribution layer, and an Access layer. Given your organizational size, you could combine the distribution roles into your core and save some $$.

I would do two or three core switches with high backplane speed and low switching latency, possibly even stacking them. Then I would do either 8 24-port access switches (an extra for backup) or 4-5 48-port switches. Creating a full mesh connecting access to core should be pretty easy assuming you have enough cables to support it.

I know Cisco and Dell PowerConnect and Dell Force10 hardware fairly well, so if any of those are on your radar in terms of purchasing let me know.

Ditto on the Packet Tracer!