Network segmentation

info.datanet
Level 1

Greetings,

 

I am trying to do network segmentation.

 

Each section is to be arranged so that they don't interconnect at all. But the IP addresses of our end users are a mess. For example: the following 2 users are one team (10.22.1.3, 10.22.1.75). How can I solve this without changing the addresses in the Cisco switch? Example: how is it best to create VLANs? In general, what is the best practice for network segmentation?

 

2 Replies

Marlon AJ
Level 1

Hi @info.datanet,

 

In my opinion it depends on your requirements. Let's create a scenario:

 

Case 1:

Let's say that we have 3 sections or departments in our company, one for Researchers (with 5 hosts), one for Production (with 120 hosts) and another for Marketing (with 35 hosts). We want them in different network segments (because we don't want them to be interconnected); the company is not going to grow for a while, so we assume that the number of hosts is not going to grow.

 

From this we can say that we have 3 network segments:

- Researchers: 5 hosts
- Production: 120 hosts
- Marketing: 35 hosts

 

First, we have to choose a private network segment from these ranges:

Class A: 10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses available)
Class B: 172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses available)
Class C: 192.168.0.0 - 192.168.255.255 (65,536 IP addresses available)

 

As a good practice we will use VLSM, which gives an optimal network segmentation, and we will choose a Class A network segment:

 

10.0.0.0 

 

But the first question you should have is: which prefix should I use? /10, /20, /30? Well, it depends on our requirements. Let's start with the network segment for the Research section. For this we will consider the following:

 

A subnetted network can be split like this:

Network bits (N)
Subnet bits (S)
Host bits (H)

 

A Class A has 8 network bits, a Class B has 16 network bits and a Class C has 24 network bits. So, in our case we have 8 network bits.

 

8 Network bits (N)
? Subnet bits (S)
? Host bits (H)

 

But how can we determine the number of bits for the host part? Based on our requirements and with the formula:

2^H - 2

Where:

H is the number of bits for the host part
2 is reserved for the Subnet ID (the first IP) and the Broadcast IP (the last IP).

 

For example, let's say that we give only 2 bits for the host part. The formula will be:

2^2 - 2 = 4 - 2 = 2

 

2 is less than our required number of hosts, which is five, so let's try with 3 bits:

2^3 - 2 = 8 - 2 = 6

6 is more than 5, so it fits what we want! But what about if we use 4 bits? Then:

2^4 - 2 = 16 - 2 = 14

14 is more than 5 and also fits what we want, but as you can see, our section is not going to grow more. So in this scenario we are wasting 9 IPs, while in the last case (the 3-bit case) we were wasting only one IP. For this reason we are going to choose to work with 3 host bits.

 

Now we have the following:

8 Network bits
? Subnet bits
3 Host bits

An IPv4 address is made up of 32 bits. With this information we can calculate the number of bits for the subnet:

8 Network bits
32 - 8 - 3 = 21 Subnet bits
3 Host bits

 

The prefix is the sum of the Network bits and the Subnet bits:

Prefix = Network bits + Subnet bits = 8 + 21 = 29

 

Now we have our subnet, which complies with one of our requirements and with minimum waste of IPs:

10.0.0.0/29

Subnet ID = 10.0.0.0 (the first IP of the range)
Subnet broadcast address = 10.0.0.7 (the last IP of the range)
First valid IP = 10.0.0.1
Last valid IP = 10.0.0.6

 

Now, let's work with the switch and the hosts:

Remember that a VLAN is a broadcast domain; you have to connect hosts with IP addresses within the same subnet.

 

For example (using our recently created subnet):

Host              IP            VLAN   Interface
PC-Researcher 1   10.0.0.1/29   50     FastEthernet0/1
PC-Researcher 2   10.0.0.2/29   50     FastEthernet0/2
PC-Researcher 3   10.0.0.3/29   50     FastEthernet0/3
PC-Researcher 4   10.0.0.4/29   50     FastEthernet0/4
PC-Researcher 5   10.0.0.5/29   50     FastEthernet0/5
PC-Researcher 6   10.0.0.6/29   50     FastEthernet0/6

 

The switch configuration could be (the prompt changes to config-if-range once the interface range is selected, and the switchport commands apply to all six ports):

sw>enable
sw#configure terminal
sw(config)#interface range f0/1-6
sw(config-if-range)#switchport mode access
sw(config-if-range)#switchport access vlan 50

 

Based on this we can say that for our Production department we can use the subnet:

10.0.0.128/25

And for our Marketing department we can use the subnet:

10.0.0.64/26
 

Now, for your case. Depending on the number of hosts you are working with, the prefix can change. For example:

Network     Prefix   Number of hosts available
10.22.1.0   /24      254 hosts
10.22.1.0   /25      126 hosts
10.22.1.0   /26      62 hosts
10.22.1.0   /27      30 hosts
10.22.1.0   /28      14 hosts

 

In your case of having one host with IP 10.22.1.3 and another with IP 10.22.1.75, it depends. Do you require the hosts to be in the same subnet or in different subnets?

 

Same subnet case using 10.22.1.0/25 (126 hosts):

Subnet ID = 10.22.1.0 (the first IP of the range)
Subnet broadcast address = 10.22.1.127 (the last IP of the range)
First valid IP = 10.22.1.1
Last valid IP = 10.22.1.126

 

Different subnet case using 10.22.1.0/26 and 10.22.1.64/26 (62 hosts each):

This subnet for the host with the IP 10.22.1.3:

Subnet ID = 10.22.1.0 (the first IP of the range)
Subnet broadcast address = 10.22.1.63 (the last IP of the range)
First valid IP = 10.22.1.1
Last valid IP = 10.22.1.62

This subnet for the host with the IP 10.22.1.75:

Subnet ID = 10.22.1.64 (the first IP of the range)
Subnet broadcast address = 10.22.1.127 (the last IP of the range)
First valid IP = 10.22.1.65
Last valid IP = 10.22.1.126

 

As you can see it depends on your requirements.

 

Regards.
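The VLSM arithmetic in the reply above, as an added Python example (not code from the original post): it derives host bits with the 2^H - 2 formula, carves the three departments out of a pool smallest-first on aligned boundaries (which reproduces the /29, /26 and /25 assignments above), lists the subnet ID, broadcast and valid range, and answers the same-subnet question for 10.22.1.3 and 10.22.1.75 at /25 versus /26. The department names and host counts come from the scenario; using 10.0.0.0/24 as the pool is an assumption.

```python
import ipaddress

# Departments from the scenario in this reply (host counts as given above).
DEPARTMENTS = {"Researchers": 5, "Production": 120, "Marketing": 35}

def host_bits_for(hosts):
    """Smallest H with 2^H - 2 >= hosts (2 go to subnet ID and broadcast)."""
    h = 1
    while (2 ** h) - 2 < hosts:
        h += 1
    return h

def wasted_ips(hosts):
    """Usable addresses left over once the subnet is sized for `hosts`."""
    return (2 ** host_bits_for(hosts)) - 2 - hosts

def allocate_vlsm(pool, departments):
    """Carve one subnet per department out of `pool`, smallest first.
    A subnet must start on a multiple of its own size, so the cursor is
    rounded up before each block; that alignment is what places Marketing
    at .64 and Production at .128 in the reply's layout."""
    pool = ipaddress.ip_network(pool)
    cursor = int(pool.network_address)
    plan = {}
    for name, hosts in sorted(departments.items(), key=lambda kv: kv[1]):
        prefix = 32 - host_bits_for(hosts)
        size = 2 ** (32 - prefix)
        cursor = (cursor + size - 1) // size * size  # align up to block size
        net = ipaddress.ip_network((cursor, prefix))
        if not net.subnet_of(pool):
            raise ValueError(f"{name} ({net}) does not fit in {pool}")
        plan[name] = net
        cursor += size
    return plan

def subnet_summary(net):
    """Subnet ID, broadcast, first and last valid IP, as strings."""
    net = ipaddress.ip_network(net)
    return {"subnet_id": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "first_valid": str(net.network_address + 1),
            "last_valid": str(net.broadcast_address - 1)}

def same_subnet(ip_a, ip_b, prefix):
    """True if both hosts fall in the same subnet at this prefix length."""
    nets = [ipaddress.ip_interface(f"{ip}/{prefix}").network for ip in (ip_a, ip_b)]
    return nets[0] == nets[1]
```

Running `allocate_vlsm("10.0.0.0/24", DEPARTMENTS)` gives Researchers 10.0.0.0/29, Marketing 10.0.0.64/26 and Production 10.0.0.128/25; `same_subnet("10.22.1.3", "10.22.1.75", 25)` is True and with 26 it is False.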

The original post does not state if they are in the same subnet or not; that would be useful to know. If they are already in different subnets, VLANs using ACLs at the SVI or VRFs can be used to segment and prevent them accessing each other. If in the same subnet/VLAN, you can use protected ports, PVLANs, VACLs or PACLs.