New Network-Segmentation by VLans

mag01
Level 1

Hi all

Just a swift question. I was given the task to split one of the production networks into smaller parts using VLANs.
I learned that there's "The golden rule": one subnet per VLAN.
My question is: WHY?
If I'd proceed that way, we'll have to re-design the whole network with the 16 new subnets and renumber all hosts (bare metal and virtual), plus re-configure the FW and several apps so they can speak with each other again. In other words: A LOT of work - and since this is the prod network, downtimes must be considered very carefully.
So my idea was to leave all IPs as they are and only group them logically via VLANs. But our network team started yelling at me that this is not the way to do it...
We've no overlapping networks atm.
Please explain (a bit) to me.

20 Replies


@Richard Burts wrote:

As I think about this discussion, I believe that part of it is a matter of semantics. You and I would prefer to discuss what are Best Practices and what are Optimum Solutions, and don't want to discuss a set of "rules". The OP is the one who focused on "rule".


Agreed!

Many "rules" are really best practice recommendations.  If you don't follow them, you're more likely to bump into an issue, but just blindly following them also doesn't guarantee you won't bump into an issue.


@Richard Burts wrote:

If something is a rule (Golden or otherwise) if you do not follow it there should be negative outcomes.


I partially agree.  I don't see breaking all rules as suffering a negative outcome, just more likely to have a negative outcome; a subtle difference.

As an aside, I'm also a certified scuba diver.  Lots of "rules" for "safe" diving, but whether you follow them, or not, doesn't guarantee a good or bad outcome, but does increase the probability of a particular outcome.  (Oh, and some of those rules, very much concern your odds of dying, so they're not frivolous.)


@Richard Burts wrote:

The only one of these scenarios with a negative outcome is one subnet with multiple vlans. 


Agree, but it's almost a guaranteed negative outcome.

Rick, also consider, phrases like "rules are meant to be broken", which makes no sense, if breaking a rule guarantees a negative outcome.  Or, an "ironclad rule", which is a way of saying, that particular rule, probably does guarantee a negative outcome.

Again, from your prior reply, I fully understand your point, where you consider breaking a rule should cause a negative outcome.  But, I think rules come in shades of grey, laugh.  Some are for general guidance, for those who don't have a deep understanding of the subject, i.e. they try to avoid negative outcomes, for those that don't know there's a limit or where it's at.  And, there are rules, that if violated, are almost guaranteed to cause a negative outcome.

So, back to "multiple subnets per VLAN".  Would that be 2, 20, 200, 2,000, etc.?  I.e. number of subnets doesn't matter?  Those with enough knowledge probably can safely have multiple subnets on a single VLAN, but just having one subnet per VLAN avoids having too many, right?  Of course, it doesn't help, alone, avoiding issues if you only go by that "rule".

Again:


@Richard Burts wrote:

You and I would prefer to discuss what are Best Practices and what are Optimum Solutions, and don't want to discuss a set of "rules".


Yea, in my case though, I agree because, again, "rules" importance, varies.

For example: your "one VLAN per subnet" (or subnets) - important!!!

For example: your "one subnet per VLAN" - common/best practice - good/valid reasons to violate

Finally, laugh, I wouldn't say your viewpoint is "wrong", but I, and others (possibly) don't hold such a rigid definition for a "rule".  I certainly agree, a "rule" should have a reason, and it also implies probably it's not the best thing to violate it (without good reason).

Rick, thank you for your responses.  I found them very interesting.  Hopefully, others will too.

Joseph

Thank you. Our discussion ultimately has been about semantics and your dictionary definition of golden rule (something that we ASPIRE to) was quite helpful. I admit that my traditional understanding of rule is that if you do not adhere to the rule that there is a negative consequence. And there is (according to my interpretation) a rule involved here and it is one vlan per subnet. I thought that the OP had reversed it and reacted to that.

So going back to the OP it says "split one of the production Networks into smaller parts using VLan's." You can certainly split the network using vlans, but that also requires implementing/changing subnetting of the network. 

HTH

Rick


@Richard Burts wrote:

Looking at your other recent post I have these comments. Your 1 is exactly what the OP stated was a rule. I agree that one subnet per vlan is possible (and is in fact the most common implementation) and it works. But if it is a rule then there should be problems if it is not followed, and your 2 is also quite valid and contradicts 1. I think that both of these are acceptable practices and that neither of them is a "rule". 

I would suggest that the only one of the statements that qualifies as a rule is 3. And that trying to implement 4 will (for certain) create problems.


Ah, using that interpretation of "rule" I now fully understand your point of view.


@Richard Burts wrote:

I agree that one subnet per vlan is possible (and is in fact the most common implementation) and it works. But if it is a rule then there should be problems if it is not followed, and your 2 is also quite valid and contradicts 1. I think that both of these are acceptable practices and that neither of them is a "rule". 


Wouldn't you agree, though, that having multiple subnets per VLAN is more likely to lead to problems?

Somewhat similar to "rules" recommending limiting number of hosts per subnet, or number of routers per OSPF area?

Wouldn't you also agree that even if just "one subnet per VLAN", that alone doesn't guarantee avoidance of issues?

More in my reply to your more recent reply . . .

There is certainly some misunderstanding. The OP had this "The golden rule": one subnet per VLAN". I suggest that this is wrong. Are you suggesting that this is correct?

Well, if you read my first reply, I wrote I never heard of it as a golden rule, but could see why it was called that.  I too am not keen on calling it such, but could see why it was called that, so I don't see it as "wrong".  I'm going to also reply to your latest reply, and try explaining it a different way why I disagree with you based on my understanding of what you wrote.

Joseph

How do you reconcile the statement of one subnet per vlan with the implementation of secondary addressing, which quite clearly puts multiple subnets on a vlan?

HTH

Rick


@Richard Burts wrote:

Joseph

How do you reconcile the statement of one subnet per vlan with the implementation of secondary addressing, which quite clearly puts multiple subnets on a vlan?


Unsure/unclear what's to reconcile.

Don't believe anyone has been saying you can only have one subnet per VLAN.  Just that it's "better".

Again, it seems you're taking the "golden rule" as an absolute, i.e. you can only have one subnet per VLAN.  Of course, that's not the case.

golden rule
noun
  1. The ethical principle that one should behave toward others as one would have others behave toward oneself.
  2. An expression of this principle, especially the words of Jesus in the New Testament verses Matthew 7:12 and Luke 6:31.
  3. A fundamental principle to be followed in order to ensure success in general or in a particular undertaking.
    the golden rule of investing.
from The American Heritage® Dictionary of the English Language, 5th Edition. More at Wordnik

If you go by the #1, using "should", we're saying you should only use one subnet per VLAN, NOT saying you cannot have multiple subnets per VLAN.

Or are you saying you consider multiple subnets per VLAN on an equal design footing of one subnet per VLAN?

I doubt you do.  If not, then I would not call "one subnet per VLAN" "wrong", as a possible "golden rule".  However, again, I'm not keen on this usage.

Also again, I don't object to calling "one VLAN per subnet" a golden rule either, although, also again, not keen on doing so.

Mostly I disagree that calling "one subnet per VLAN" a "golden rule" is wrong.  Or, if you really need to call just "one subnet per VLAN" vs. "one VLAN per subnet" a golden rule, I lean toward the former, because you can choose to design with "one subnet per VLAN" or "multiple subnets per VLAN" and have a workable network in either case.

In an earlier reply, I added the term an "ironclad rule".

ironclad
 
/ī′ərn-klăd″/
adjective
  1. Sheathed with iron plates for protection.
  2. Rigid; fixed.
    an ironclad rule.
from The American Heritage® Dictionary of the English Language, 5th Edition. More at Wordnik
Using #2, I wouldn't consider "one subnet per VLAN" such a rule, but would consider "one VLAN per subnet" such a rule.

Rick, perhaps we're at an impasse.  You seem to consider "one subnet per VLAN" wrong (at least for being called a golden rule) because you can have "multiple subnets per VLAN".  Again, it's unclear why you consider this "wrong", as no one, I believe, has argued that you cannot have "multiple subnets per VLAN".

I can only assume your interpretation of the usage of a "golden rule" totally prohibits doing anything else, rather than recommending what should be done.  If that's the interpretation of the usage of "golden rule", then I would agree with you, but it's not my interpretation of the meaning of "golden rule" for a network rule.

That "golden rule" has shades of meaning not applicable to a network rule is one of the reasons I'm not keen on using the term.
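The thread ends up distinguishing two different statements: "one VLAN per subnet" (the one Rick calls an actual rule, which the OP's plan of keeping the existing addresses and splitting the hosts across VLANs would break) and "one subnet per VLAN" (best practice, which can be violated with care). The script below is an added example, not code from the thread or from any participant; it takes a constructed host inventory of (hostname, ip/prefix, vlan) tuples and reports which of the two statements a proposed design violates.

```python
"""Check a proposed VLAN design against the two statements discussed above.

Violation: a subnet split across several VLANs ("one VLAN per subnet" broken).
    Hosts in the same subnet but different VLANs cannot reach each other at
    layer 2, so the design breaks connectivity rather than segmenting it.
Warning: a VLAN carrying several subnets ("one subnet per VLAN" broken).
    Workable, but the hosts still share one broadcast domain, so the VLAN,
    not the subnet, is the real segmentation boundary.
"""
import ipaddress
from collections import defaultdict

# Constructed sample inventory (not from the thread). It models an OP-style
# plan: one existing /24 split across VLANs 10 and 20, plus VLAN 30 carrying
# two subnets, plus one clean VLAN.
SAMPLE_INVENTORY = [
    ("web01", "10.1.1.10/24", 10),
    ("web02", "10.1.1.11/24", 10),
    ("db01", "10.1.1.50/24", 20),    # same /24 as web01/web02, different VLAN
    ("app01", "10.1.2.10/24", 30),
    ("app02", "10.1.3.10/24", 30),   # second subnet on VLAN 30
    ("mgmt01", "10.1.4.10/24", 40),  # one subnet, one VLAN
]


def classify(inventory):
    """Return (split_subnets, shared_vlans) for an inventory.

    split_subnets: {subnet: [vlans]} for subnets spanning more than one VLAN.
    shared_vlans:  {vlan: [subnets]} for VLANs carrying more than one subnet.
    """
    subnet_to_vlans = defaultdict(set)
    vlan_to_subnets = defaultdict(set)
    for _host, cidr, vlan in inventory:
        net = ipaddress.ip_interface(cidr).network  # host address -> its subnet
        subnet_to_vlans[net].add(vlan)
        vlan_to_subnets[vlan].add(net)
    split = {str(n): sorted(v) for n, v in subnet_to_vlans.items() if len(v) > 1}
    shared = {v: sorted(str(n) for n in s) for v, s in vlan_to_subnets.items() if len(s) > 1}
    return split, shared


def verdict(inventory):
    """'violation' if any subnet is split, else 'warning' if any VLAN is shared, else 'ok'."""
    split, shared = classify(inventory)
    if split:
        return "violation"
    return "warning" if shared else "ok"


if __name__ == "__main__":
    print(classify(SAMPLE_INVENTORY), verdict(SAMPLE_INVENTORY))
```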