2089 Views, 10 Helpful, 9 Replies

Best practice for VLAN and IP addressing management

Daguerre101
Level 1

Hello everyone,

We have an IT company that is managing our network and we have had a lot of network problems. I have the feeling that part of the explanation is that the IT company does not follow best practices.

That is why I would need your help today to guide me with questions about VLAN and IP addressing management.

 

My first question is to know if there is an existing best practice, ISO or any other known system that could be applied for managing our network. I have found a few interesting documents on the Cisco website but I did not find one that specifies how to map IP addresses to VLANs.

 

That brings me to my second question: I will present you with a sample of the network setup of one of our buildings:

 

                        Administration VLAN              CDVI VLAN
IP range                192.168.0.53 - 192.168.0.127     192.168.0.50 - 192.168.0.127
Subnet                  /25                              /24
Range of fixed IPs      192.168.0.0 - 52                 192.168.0.0 - 49
                        192.168.0.128 - 254              192.168.0.128 - 254
Actual fixed IPs        192.168.0.1                      192.168.0.1
                        192.168.0.50
                        192.168.0.51
                        192.168.0.52

 

As you can see, both VLANs are using the same address range. If I remember my CCNA correctly (I did it 10 years ago and haven't touched it since), we should never have two VLANs with the same IP range. Am I right?

 

When I asked the IT guy this question, he told me that he needs to do that since the CDVI system needs to work in its own VLAN, but since some computers from the administrative VLAN need to access it, he had to do that. Is that a good answer?

 

Actually, we cannot use the CDVI on the network because when we plug it in with a network cable, it just goes wild and stops working. When we unplug it, it works fine, although we have to access it physically. We've changed the main board and the problem persists.

Do you think that this could be related to the present config of our network?  I need your help to help me figure this one out!

 

Thanks in advance for your help

Dag

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Dag,

The best design rule is to have a one-to-one correspondence: one IP subnet, one VLAN.

In many cases I have seen abuse of IP secondary addresses, mapping multiple IP subnets to the same VLAN.

This is technically possible but not recommended if thousands of hosts will be in the same VLAN.

 

Coming to your network and your note:

 

The CDVI VLAN should have a different IP subnet.

I don't know why your IT partner has configured it this way.

 

There are two ways to deal with / support duplicated IP subnets:

 

a) Using NAT, the CDVI subnet may be translated to something else when accessing your network. NAT is supported only on routers, firewalls or high-end multilayer switches like the C6500.

 

b) Using a VRF: that is a separate, dedicated IP routing table. This can be helpful if the CDVI network needs to be isolated and does not need to communicate with the rest of the network.

 

c) >> When I asked the IT guy this question, he told me that he needs to do that since the CDVI system needs to work in its own VLAN, but since some computers from the administrative VLAN need to access it, he had to do that. Is that a good answer?

I would say incomplete: without NAT, users in the administrative VLAN cannot access the CDVI, as they are almost in the same IP subnet. Also, this is a case of IP address overlapping. You cannot configure two SVI interfaces like yours on the same network device unless using a VRF.

 

d) >> Actually, we cannot use the CDVI on the network because when we plug it in with a network cable, it just goes wild and stops working. When we unplug it, it works fine, although we have to access it physically. We've changed the main board and the problem persists.

>> Do you think that this could be related to the present config of our network?

 

Yes, it is related to the partial overlap between 192.168.0.0/25 and the CDVI 192.168.0.0/24; connecting the two VLANs with a cable can create problems.

The easy move you can make, because I see only one device in the CDVI VLAN, is to change the IP subnet in the CDVI VLAN to 192.168.0.128/25. You can give 192.168.0.129 or greater to the CDVI host/server.

This would solve almost all your issues.

 

Hope to help

Giuseppe

 

 

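To make the overlap Giuseppe describes concrete, here is an added Python check (not from the thread or any Cisco tool) that audits the addressing plan from the question's table, then the same plan with the CDVI VLAN moved to 192.168.0.128/25 and its host renumbered to 192.168.0.129 as he suggests; the VLAN names and host lists are the ones posted above.

```python
from ipaddress import ip_network, ip_address

# Addressing plan as posted in the question (VLAN -> (subnet, fixed hosts in use)).
CURRENT_PLAN = {
    "Administration": (ip_network("192.168.0.0/25"),
                       ["192.168.0.1", "192.168.0.50", "192.168.0.51", "192.168.0.52"]),
    "CDVI":           (ip_network("192.168.0.0/24"), ["192.168.0.1"]),
}

# Giuseppe's proposed fix: CDVI moves to the upper /25, its host to .129.
PROPOSED_PLAN = {
    "Administration": (ip_network("192.168.0.0/25"),
                       ["192.168.0.1", "192.168.0.50", "192.168.0.51", "192.168.0.52"]),
    "CDVI":           (ip_network("192.168.0.128/25"), ["192.168.0.129"]),
}


def overlapping_subnets(plan):
    """Pairs of VLANs whose subnets share at least one address (the one-subnet-one-VLAN rule)."""
    names = sorted(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a][0].overlaps(plan[b][0])]


def misplaced_hosts(plan):
    """Hosts whose address does not belong to the subnet of the VLAN they sit in."""
    return [(vlan, h) for vlan, (net, hosts) in plan.items()
            for h in hosts if ip_address(h) not in net]


def duplicate_hosts(plan):
    """Addresses assigned in more than one VLAN, i.e. two devices answering the same IP."""
    seen = {}
    for vlan, (_, hosts) in plan.items():
        for h in hosts:
            seen.setdefault(h, []).append(vlan)
    return {h: vlans for h, vlans in seen.items() if len(vlans) > 1}


def audit(plan):
    """One report per plan; an empty report means the plan is clean."""
    return {"overlaps": overlapping_subnets(plan),
            "misplaced": misplaced_hosts(plan),
            "duplicates": duplicate_hosts(plan)}


if __name__ == "__main__":
    for label, plan in (("current", CURRENT_PLAN), ("proposed", PROPOSED_PLAN)):
        print(label, audit(plan))
```

On the current plan the report names the Administration/CDVI overlap and the doubly assigned 192.168.0.1; on the proposed plan it is empty.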

9 Replies

balaji.bandi
Hall of Fame

It's a big topic; here is a cut-down version as per your requirement.

 

Just follow some simple rules:

- Identify the different network devices and different departments in the company.

- Create each one in a different VLAN, so any issue with that VLAN brings down only those services, and it is easy to diagnose.

- Make subnets of your IP address space for each VLAN depending on the address requirement.

- If required, create an ACL for who can talk to whom and restrict them as best practice.

- Make a high-level network diagram and post it to the community so we can suggest better.

- What is your existing network and how do you want it to be in the future, based on the above considerations?

- What is the existing infrastructure, and what will be the future upgraded infrastructure?

 

Make sense?

 


BB


Hi BB,

 

Thanks for your fast reply! Indeed it does make sense, although your answer is best practice in the long run. In the short term, I need to understand if the actual VLAN and IP addressing could be the reason why the CDVI crashes when we plug it into the network.

Is it possible to validate that with the info you have in hand?

 

Have a great day

Thanks BB, when you talk about the ACL, you specify to do it as best practice. Do you know where I can find a file that shows that kind of information?
Thanks


Thank you for this complete answer Giuseppe!

 

So if I understand correctly, it is possible to manage duplicate IP addresses with NAT or virtual routing, although the simplest solution is to use a different range of IP addresses for each VLAN so that no IP duplication can occur.

 

Now let's say that this is done: we have two VLANs, each with its own separate range of IP addresses.

So let's say that a computer from the administration VLAN wants to reach the CDVI device located in the CDVI VLAN. Since the CDVI is in another network, the administration VLAN computer will need to use the gateway. Is the "system" able to find the right VLAN by itself, or do I need to create an ACL or something else?

 

thanks again for your help

Have a great day  

 

 

Hello Dag,

>> Since the CDVI is in another network, the administration VLAN computer will need to use the gateway. Is the "system" able to find the right VLAN by itself, or do I need to create an ACL or something else?

 

You will need a L3 link between your network and the other network.

For example 10.10.12.0/30, with 10.10.12.1 on the other side and 10.10.12.2 on your side.

 

ip route 192.168.0.128 255.255.255.128 10.10.12.1

 

on the other network

ip route 192.168.0.0 255.255.255.128 10.10.12.2

 

Hope to help

Giuseppe
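As an added illustration of Dag's question (not code from the thread), this Python model assumes the topology Giuseppe describes: each side's routing table holds its connected subnets and the static route over the 10.10.12.0/30 link, and the end host decides from its own mask alone whether to ARP directly or hand the packet to its gateway. The gateway addresses 192.168.0.126 and 192.168.0.254 are assumptions.

```python
from ipaddress import ip_interface, ip_network, ip_address

# Constructed topology following Giuseppe's reply: the two /25s joined by a /30 L3
# link, 10.10.12.2 on "your side" and 10.10.12.1 on the other side. The gateway
# addresses .126 and .254 are assumptions, not values from the thread.
LINK = ip_network("10.10.12.0/30")

# Each table: list of (prefix, next_hop); next_hop None means directly connected.
YOUR_SIDE = [
    (ip_network("192.168.0.0/25"), None),                        # Administration VLAN
    (LINK, None),
    (ip_network("192.168.0.128/25"), ip_address("10.10.12.1")),  # ip route ... 10.10.12.1
]
OTHER_SIDE = [
    (ip_network("192.168.0.128/25"), None),                      # CDVI VLAN
    (LINK, None),
    (ip_network("192.168.0.0/25"), ip_address("10.10.12.2")),    # ip route ... 10.10.12.2
]
TABLES = {"192.168.0.126": YOUR_SIDE, "10.10.12.2": YOUR_SIDE,   # router address -> table
          "192.168.0.254": OTHER_SIDE, "10.10.12.1": OTHER_SIDE}


def host_decision(host, gateway, dst):
    """End host: ARP for dst directly if it is inside the host's own subnet
    (decided by the host's mask alone), otherwise send it to the gateway."""
    return "direct" if ip_address(dst) in ip_interface(host).network else str(gateway)


def lookup(table, dst):
    """Longest-prefix match on one router: 'connected', a next-hop string, or None."""
    dst = ip_address(dst)
    matches = [(net, nh) for net, nh in table if dst in net]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return "connected" if nh is None else str(nh)


def trace(src_host, src_gateway, tables, dst):
    """Follow one packet hop by hop until it lands on a connected subnet or is dropped."""
    hops = [host_decision(src_host, src_gateway, dst)]
    if hops[0] == "direct":
        return hops
    table = tables[hops[0]]
    while True:
        nh = lookup(table, dst)
        hops.append(nh)
        if nh in ("connected", None):
            return hops
        table = tables[nh]
```

No ACL is needed for the path itself: the admin host's /25 mask sends 192.168.0.130 to the gateway, and the two static routes carry it over the link and back. With the old /24 mask a CDVI host at 192.168.0.1 instead treats 192.168.0.60 as on-link and ARPs for it across the VLAN boundary, which is why that setup cannot work next to the /25.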

 

Hi Giuseppe

 

Yes, I recall those commands; I used them a long time ago. I will have to make some tests but I think I will be fine now. Thanks for your help.

 

Last question: do you know if there is any kind of Cisco document that presents the best practice to manage a network? I've found a few interesting ones but I did not find one that clearly states the best practices of IP addressing between VLANs.

 

 

dennishyde
Level 1

Dag,

The Admin network is broken into 2 parts because of the subnet mask /25. It makes one network the lower part of the range and the other the upper part of the range. If devices (workstations, etc.) have a /25 address, they will only see other devices in their same half of the range.

 

The CDVI network takes up the whole range since it is /24. 192.168.0.1 is definitely conflicting with the device that has the same IP on the Admin network.

 

I would change the CDVI network to be 192.168.1.x and then put something in between the two to do the routing between them. This can be a full-blown router (expensive and probably overkill), a switch that can do layer 3 routing, or a workstation that can bridge two networks. Any of these options can let all data flow between the two networks or restrict data or machines from either direction.

 

You have some options, but it depends on how comfortable you are setting these up or how much you want to rely on your IT support.

 

Dennis

OK thanks Dennis!

 

What you are saying confirms what I was thinking. 

 

I think I have all the info I need to present a solution to our partner.

 

Have a great day

Dag