
New Network-Segmentation by VLans

mag01
Level 1

Hi all

Just a swift question. I was given the task to split one of the production networks into smaller parts using VLANs.
I learned that there's "The golden rule": one subnet per VLAN.
My question is: WHY?
If I'd proceed that way, we'll have to re-design the whole network with the 16 new subnets and renumber all hosts (bare metal and virtual), plus re-configure the FW and several apps so they can speak with each other again. In other words: A LOT of work - and since this is the Prod network, downtimes must be considered very carefully.
So my idea was to leave all IPs as they are and only group them logically via VLANs. But our Network team started yelling at me that this is not the way to do it...
We've no overlapping networks atm.
Please explain (a bit) to me.

20 Replies

Leo Laohoo
Hall of Fame

@mag01 wrote:
I learned that there's "The golden rule": one subnet per VLAN.
My question is: WHY ?

So no one can take down the entire VLAN network. 

If the subnet is broken up into small chunks, a mis-configuration in one subnet will not wipe out the others.

M02@rt37
VIP

Hello @mag01 

The "one subnet per VLAN" rule is a fundamental network design principle that ensures network efficiency, security, and manageability. VLANs are designed to isolate broadcast domains, meaning that devices within the same VLAN share the same subnet and broadcast domain. Mixing multiple subnets within a single VLAN can lead to excessive broadcast traffic, complicate routing, and make security policies harder to enforce. This setup can also increase the complexity of network management and troubleshooting, as it disrupts the straightforward correlation between VLANs and subnets.

Aligning each VLAN with a single subnet simplifies network architecture, ensuring that traffic within the VLAN is switched at Layer 2 and routed at Layer 3 when moving between VLANs, making the network more predictable and easier to manage.

Your network team's resistance to grouping IPs into VLANs without aligning them with distinct subnets stems from the potential risks and complexities this could introduce, especially in a production environment where stability is crucial. Deviating from this principle could lead to inconsistent network behavior, complicate routing decisions, and make security enforcement challenging, ultimately increasing the likelihood of network issues and downtime. While redesigning the network to adhere to this principle involves significant upfront work, such as readdressing hosts and reconfiguring firewalls and applications, it ensures long-term network reliability and security. The effort to maintain the one subnet per VLAN rule is justified by the stability, simplicity, and ease of management it brings to your network infrastructure.

Best regards

mag01
Level 1

Well, we're not dealing with multiple subnets at the moment. It's (except for the DB tier) only one big net and an F5 as FW/LB.

Currently we're talking about 500 hosts, and Prod network also means functionality must be maintained at any time.
So to do this we'll have to set up a subnet, swap the machines to this new one, run all connection tests and hope we've not overlooked something. Plus the new subnets need to be "future proof" ... just in case new hosts are added.

However, I fully understand your argument about security, simplicity and management. But isn't this a bit of a departure from the idea of "saving network resources (hw/sw) by logical grouping"?

Joseph W. Doherty
Hall of Fame

Hmm, never heard of one subnet per VLAN being called a "Golden Rule", but I can see why it could be.

The reason for such a rule is pretty simple: it's done so L2 bolsters some of the reasons we subnet, a principal reason being to reduce the scope/impact of broadcasts. Also, having multiple networks on a network device interface has its own "challenges".

You mention 500 hosts. That possibly is starting to push "safe" operational sizes, but conversely normally you wouldn't need to subdivide it by 16.

Agreed, host readdressing isn't fun. Its pain can be mitigated by using DHCP (including for some servers), and running multiple subnets on the same VLAN might be temporarily used to transition hosts.

jamesjames41930
Level 1

Interesting take. I came across similar subnetting advice on a networking website recently.
Totally agree that sticking to one subnet per VLAN keeps things cleaner and reduces broadcast headaches.
Using multiple subnets during transitions makes sense, especially with DHCP in play.


It is an older discussion and I wish I had been aware of it when it was fresh. But you have brought it back and I would like to add to it.

As a starter I disagree that any golden rule would be "one subnet per VLAN". The use of secondary addressing on Cisco devices makes multiple subnets on a vlan/vlan interface easy to achieve (and it WORKS). I would suggest that a better golden rule would be "one vlan per subnet". I hope that it is obvious that if you have some subnet (perhaps 192.168.10.0/24) and you tried to put it into 2 vlans (perhaps vlan 101 and vlan 102), then if host 192.168.10.20 in vlan 101 attempts to communicate with host 192.168.10.30 in vlan 102, the arp from 192.168.10.20 will never get to 192.168.10.30 (remembering that arp is a broadcast and that broadcasts are not forwarded outside the local vlan).

I agree that one vlan per subnet and one subnet per vlan is optimum. But there are circumstances where we cannot achieve that. So if we are going to propose a "golden rule" let's make sure that it is one that would work.

HTH

Rick
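As an added illustration (not configuration from any poster's environment), the following Cisco IOS fragment shows the transition Joseph and Rick describe: the legacy subnet stays primary on one SVI while the new subnet is added as a secondary address, so hosts can be readdressed in batches and still reach each other (routed through the SVI) until the VLAN split is made. All VLAN IDs, names, addresses and port numbers are assumed.

```text
! Step 1 - transition: two subnets on one VLAN via secondary addressing
! (all VLAN IDs, names and addresses are assumed examples)
vlan 100
 name PROD-LEGACY
!
interface Vlan100
 description Prod - legacy 10.10.0.0/22, new 10.20.1.0/24 added during migration
 ip address 10.10.0.1 255.255.252.0
 ip address 10.20.1.1 255.255.255.0 secondary
 ! Hosts already moved to 10.20.1.0/24 reach legacy hosts through this SVI.
 ! They still share one broadcast domain, so the isolation benefit of the
 ! split (one subnet per VLAN) only arrives at step 2, not here.
!
! Step 2 - cut-over, once the last host has left 10.10.0.0/22:
! remove the secondary address first, otherwise the new SVI address overlaps.
interface Vlan100
 no ip address 10.20.1.1 255.255.255.0 secondary
!
vlan 201
 name PROD-APP
!
interface Vlan201
 description Prod - app tier 10.20.1.0/24 (one VLAN per subnet)
 ip address 10.20.1.1 255.255.255.0
!
! Move the readdressed hosts' access ports into the new VLAN.
! Note: putting ports of the same subnet in two VLANs (Rick's failing case)
! breaks ARP between them, since the broadcast stays inside its VLAN.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 201
```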

"So if we are going to propose a "golden rule" let's make sure that it is one that would work."

But Rick, you also wrote "I agree that one vlan per subnet and one subnet per vlan is optimum." I.e. either works.

You also note that multiple subnets per VLAN work; multiple VLANs per subnet do not.

Given the above, you suggest one VLAN per subnet is the better "golden rule", but I don't agree because the "golden rule" is sort of the biblical version of a "best practice", i.e. it should be done, but it doesn't have to be done, it's a choice. For "one VLAN per subnet" it's not a choice. Perhaps it would be better described as an "ironclad rule".

Joseph

My ending " So if we are going to propose a "golden rule" let's make sure that it is one that would work." was a reference to the beginning of my post which commented on the original post in the discussion which suggested a "golden rule" that was not correct. Do you see a problem with that? Or not agree with that?

I did suggest a better practice "one vlan per subnet" and did refer to it as a better "golden rule" and in retrospect wish that I had avoided referring to it as a rule. Because on this topic I am not sure that there is really any golden rule.

As for "golden rule" or "ironclad rule" I don't really care. The original post used the term golden rule and I used it. And when I suggested what we should do I called it "optimum" and avoided calling it any kind of rule.

HTH

Rick

Rick,

My ending " So if we are going to propose a "golden rule" let's make sure that it is one that would work." was a reference to the beginning of my post which commented on the original post in the discussion which suggested a "golden rule" that was not correct.

"Do you see a problem with that?"

Yes.

"Or not agree with that?"

Yes.

My prior reply already tried to explain why I answered yes to your above questions, but either I misunderstood what you wrote, or you misunderstood what I wrote, or we both misunderstood.

Joseph

There is certainly some misunderstanding. The OP had this "The golden rule": one subnet per VLAN". I suggest that this is wrong. Are you suggesting that this is correct?

HTH

Rick

Joseph

I note that three well-respected fellow VIPs participated in this discussion. I wonder why all of you seem to accept the assertion that there is a "golden rule" about "The golden rule": one subnet per VLAN".

My first point was that this is false. Do you not agree?

HTH

Rick

I note that three well-respected fellow VIPs participated in this discussion. I wonder why all of you seem to accept the assertion that there is a "golden rule" about "The golden rule": one subnet per VLAN".

My first point was that this is false. Do you not agree?

Yes, I do not agree.

Let's break this down into four statements.

1) one subnet per VLAN

2) multiple subnets per VLAN

3) one VLAN per subnet

4) multiple VLANs per subnet 

1 and 2 are a pair as are also 3 and 4, i.e. singular vs. plural.

Between those pairs, you noted 4 doesn't work. Agreed. I believe you also implied 1 is better than 2 but there are valid reasons to use 2, and it's easy to do. Agreed.

If I understand your argument, 3 is always correct but 1 is not always the case.  Therefore, 1 is "wrong" to be considered a "golden rule" but as 3 is always (or should be) the case, it's the most optimal or the better "golden rule".

Rick, is that an accurate rewording of your case?

If so, why I don't agree is because I consider a "golden rule" what should be, but isn't always done. Or, perhaps as I wrote earlier, a "best practice".

With 3, 4 is not an alternative choice. Between 3 and 4 you cannot do 4. (Yes, you can configure it, but it's likely going to be very problematic, immediately.)

Possibly, our difference is you consider a "golden rule" also implies the alternative is "bad", even "evil", and that's not the case for 2, but is for 4. So, 3 is a better "golden rule", if we're going to define such for subnet and VLAN combinations.

However, again, I at least consider a "golden rule" a choice, for something I can do now, and not immediately be harmed by or regret.

Cannot say how or why our peers consider 1 a "golden rule" but it may go along with my reasoning.

Also again, I'm not keen on using "golden rule" at all, and if I correctly understood your argument, it's a very good one. (I think it comes down to how we interpret what a golden rule means in this context.)

Actually as a rule for validity, we would have: (1 or 2) and 3.

Subjectively, I believe 1 is better than 3 for calling one of those two rules a golden rule. But, possibly, can both be considered golden rules? Or, possibly even better, neither so called?

Joseph

Looking at your other recent post I have these comments. Your 1 is exactly what the OP stated was a rule. I agree that one subnet per vlan is possible (and is in fact the most common implementation) and it works. But if it is a rule then there should be problems if it is not followed, and your 2 is also quite valid and contradicts 1. I think that both of these are acceptable practices and that neither of them is a "rule".

I would suggest that the only one of the statements that qualifies as a rule is 3. And that trying to implement 4 will (for certain) create problems.


HTH

Rick

Joseph

As I think about this discussion, I believe that part of it is a matter of semantics. You and I would prefer to discuss what are Best Practices and what are Optimum Solutions, and don't want to discuss a set of "rules". The OP is the one who focused on "rule". If something is a rule (golden or otherwise), then if you do not follow it there should be negative outcomes. The only one of these scenarios with a negative outcome is one subnet with multiple vlans.

HTH

Rick