https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143144#M1073457 <P>Hi,</P> <P>It's personal preference, I've found when given the opportunity it's common to map an IP network to the VLAN ID.</P> <P>&nbsp;</P> <P>I prefer to keep the networks contigious, so in the example below....</P> <P>&nbsp;</P> <P>VLAN <STRONG>2</STRONG> - 10.50.<STRONG>2</STRONG>.0/24 MGMT<BR />VLAN <STRONG>3</STRONG> - 10.50.<STRONG>3</STRONG>.0/24 DRAC<BR />VLAN <STRONG>4</STRONG> - 10.50.<STRONG>4</STRONG>.0/24 SERVERS<BR />VLAN <STRONG>5</STRONG> - 10.50.<STRONG>5</STRONG>.0/24 DATA WIRED<BR />VLAN <STRONG>6</STRONG> - 10.50.<STRONG>6</STRONG>.0/24 DATA WIFI<BR />VLAN <STRONG>7</STRONG> - 10.50.<STRONG>7</STRONG>.0/24 VOIP</P> <P>&nbsp;</P> <P>....all of those /24 networks can be summarised as 10.50.0.0/21. When using a VPN we can establish a tunnel (2 x unidirectional IPSec SA per network) for the /21 network instead of multiple IPSec SA for each /24 (14 x unidirectional IPSec SAs), this improves performance.</P> <P>&nbsp;</P> <P>It's also a waste of the /16, the rest of that network may in future be useful.</P> <P>&nbsp;</P> <P>HTH</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 28 Aug 2020 16:14:21 GMT Rob Ingram 2020-08-28T16:14:21Z https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143117#M1073455 <P><SPAN>&nbsp;I have a MGMT Vlan ID question. (simple design question) </SPAN></P><P><SPAN>We have merged companies and are replacing network equipment. As we do so, we are wanting to make the merged company into a more structured IP plan for local IP's per city. We have 8 cities. (Boston, Chicago, Birmingham, Pittsburgh, Hilton Head, Atlanta, New York, and Miami) I have decided to make each city a private IP space of the following: </SPAN></P><P>&nbsp;</P><P><SPAN>Hilton Head Island: 10.0.X.X/16 </SPAN></P><P><SPAN>New York City: 10.20.X.X/16 </SPAN></P><P><SPAN>Atlanta: 10.30.X.X </SPAN></P><P><SPAN>Field Offices: 10.40.X.X </SPAN></P><P><SPAN>Birmingham: 10.50.X.X </SPAN></P><P><SPAN>Pittsburgh: 10.60.X.X </SPAN></P><P><SPAN>Chicago: 10.70.X.X </SPAN></P><P><SPAN>Boston: 10.80.X.X </SPAN></P><P><SPAN>Miami: 10.90.X.X </SPAN></P><P>&nbsp;</P><P><SPAN>We are starting to replace firewall and switches in Birmingham as the first city. I have broken down the local subnets for Birmingham like this: </SPAN></P><P>&nbsp;</P><P><SPAN>10.50.0.0/24 = MGMT = VLAN 1. (Network Devices like routers, firewalls, switches, access points. Also, DRAC on Servers) 10.50.10.0/24 = Server &amp; Printers = VLAN 10 10.50.20.0/24 = Data = End User Workstations on Wired Network 10.50.30.0/23 = Wireless = End User Workstations on Wireless Network 10.50.100.0/24 = VOIP = All VOIP Phones 10.50.250.0/29 = Possible FTD to LAN EIGRP subnet However, I know that using VLAN 1 for the MGMT ID is not best practice. </SPAN></P><P>&nbsp;</P><P><SPAN>I can't think of a number for the MGMT VLAN ID.. I want this VLAN ID to be the same in each city, like "99" or something. I know this might be a crazy question, but I want to design the MGMT VLAN ID and subnet the best possible. Should I skip the 10.50.0.0/24 and use 10.50.99.0/24 as the MGMT VLAN? I'm trying to make it simple. Any help would be appreciated. </SPAN></P> Fri, 28 Aug 2020 15:27:30 GMT https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143117#M1073455 jencisco001 2020-08-28T15:27:30Z https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143144#M1073457 <P>Hi,</P> <P>It's personal preference, I've found when given the opportunity it's common to map an IP network to the VLAN ID.</P> <P>&nbsp;</P> <P>I prefer to keep the networks contigious, so in the example below....</P> <P>&nbsp;</P> <P>VLAN <STRONG>2</STRONG> - 10.50.<STRONG>2</STRONG>.0/24 MGMT<BR />VLAN <STRONG>3</STRONG> - 10.50.<STRONG>3</STRONG>.0/24 DRAC<BR />VLAN <STRONG>4</STRONG> - 10.50.<STRONG>4</STRONG>.0/24 SERVERS<BR />VLAN <STRONG>5</STRONG> - 10.50.<STRONG>5</STRONG>.0/24 DATA WIRED<BR />VLAN <STRONG>6</STRONG> - 10.50.<STRONG>6</STRONG>.0/24 DATA WIFI<BR />VLAN <STRONG>7</STRONG> - 10.50.<STRONG>7</STRONG>.0/24 VOIP</P> <P>&nbsp;</P> <P>....all of those /24 networks can be summarised as 10.50.0.0/21. When using a VPN we can establish a tunnel (2 x unidirectional IPSec SA per network) for the /21 network instead of multiple IPSec SA for each /24 (14 x unidirectional IPSec SAs), this improves performance.</P> <P>&nbsp;</P> <P>It's also a waste of the /16, the rest of that network may in future be useful.</P> <P>&nbsp;</P> <P>HTH</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 28 Aug 2020 16:14:21 GMT https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143144#M1073457 Rob Ingram 2020-08-28T16:14:21Z https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143153#M1073458 <P>Thanks so much for this insight! I love that the subnets can be summarized. However, we have found that there are more Wireless devices.. so on our larger headquarters cities.. the Wireless is /22 which would be 10.50.4.1 - 10.50.4.254 range.</P><P>&nbsp;</P><P>How about for larger cities:</P><P>&nbsp;</P><P>VLAN 2: 10.50.2.0/24 MGMT</P><P>VLAN 3: 10.50.3.0/24 DRAC</P><P>VLAN 6: 10.50.6.0/22 DATA WIFI</P><P>VLAN 8: 10.50.8.0/23 DATA WIRED</P><P>VLAN 10: 10.50.10.0/24 SERVERS &amp; PRINTERS</P><P>VLAN 11: 10.50.11.0/23 VOIP</P><P>&nbsp;</P><P>Would this work for larger cities?</P><P>&nbsp;</P><P>Also, why did you put DRAC on a separate VLAN? Isn't DRAC just the Management IP for Servers? I understand that DRAC needs to be on a separate VLAN than Servers, should it be moved to Management?</P><P>Best,</P><P>Jen</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 Aug 2020 16:38:29 GMT https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143153#M1073458 jencisco001 2020-08-28T16:38:29Z https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143167#M1073459 <P>Same principle, just use a /20 (10.50.0.1 - 10.50.15.254) for the large cities.</P> <P>&nbsp;</P> <P>It might be better to have 4 x /24 VLANS for wireless, generally a VLAN size = /24.</P> <P>&nbsp;</P> <P>VLAN 4 - 10.50.4.0/24 WIFI1</P> <P>VLAN 5 - 10.50.5.0/24 WIFI2</P> <P>VLAN 6 - 10.50.6.0/24 WIFI3</P> <P>VLAN 7 - 10.50.7.0/24 WIFI4</P> <P>&nbsp;</P> <P>You can then pool these VLANS in your WIFI SSID configuration.</P> <P>Same for data, use 2 x /24</P> <P>&nbsp;</P> <P>VLAN 8: 10.50.8.0/24 DATA1</P> <P>VLAN 9: 10.50.9.0/24 DATA2</P> <P>&nbsp;</P> <P>No reason, it was just an example - you are right though DRAC would fit better into management VLAN, amend to meet your requirements.</P> Mon, 31 Aug 2020 15:21:42 GMT https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143167#M1073459 Rob Ingram 2020-08-31T15:21:42Z https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143980#M1073491 <P>Hi Rob!</P><P>&nbsp;</P><P>I realized I had a typo with the /22 range - thanks for catching!</P><P>&nbsp;</P><P>I am mulling over all the IP's now to see if separate /24 VLANS would be better or not.</P><P>&nbsp;</P><P>Much appreciated,</P><P>Jen</P> Mon, 31 Aug 2020 15:11:52 GMT https://community.cisco.com/t5/network-security/mgmt-vlan-design-question/m-p/4143980#M1073491 jencisco001 2020-08-31T15:11:52Z