Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2356
Views
0
Helpful
4
Replies

MGMT VLAN Design Question

Go to solution
jencisco001
Level 1
Level 1

‎08-28-2020 08:27 AM

 I have a MGMT Vlan ID question. (simple design question)

We have merged companies and are replacing network equipment. As we do so, we are wanting to make the merged company into a more structured IP plan for local IP's per city. We have 8 cities. (Boston, Chicago, Birmingham, Pittsburgh, Hilton Head, Atlanta, New York, and Miami) I have decided to make each city a private IP space of the following:

 

Hilton Head Island: 10.0.X.X/16

New York City: 10.20.X.X/16

Atlanta: 10.30.X.X

Field Offices: 10.40.X.X

Birmingham: 10.50.X.X

Pittsburgh: 10.60.X.X

Chicago: 10.70.X.X

Boston: 10.80.X.X

Miami: 10.90.X.X

 

We are starting to replace firewall and switches in Birmingham as the first city. I have broken down the local subnets for Birmingham like this:

 

10.50.0.0/24 = MGMT = VLAN 1. (Network Devices like routers, firewalls, switches, access points. Also, DRAC on Servers) 10.50.10.0/24 = Server & Printers = VLAN 10 10.50.20.0/24 = Data = End User Workstations on Wired Network 10.50.30.0/23 = Wireless = End User Workstations on Wireless Network 10.50.100.0/24 = VOIP = All VOIP Phones 10.50.250.0/29 = Possible FTD to LAN EIGRP subnet However, I know that using VLAN 1 for the MGMT ID is not best practice.

 

I can't think of a number for the MGMT VLAN ID.. I want this VLAN ID to be the same in each city, like "99" or something. I know this might be a crazy question, but I want to design the MGMT VLAN ID and subnet the best possible. Should I skip the 10.50.0.0/24 and use 10.50.99.0/24 as the MGMT VLAN? I'm trying to make it simple. Any help would be appreciated.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jencisco001
Level 1
Level 1
In response to Rob Ingram

‎08-28-2020 09:38 AM

Thanks so much for this insight! I love that the subnets can be summarized. However, we have found that there are more Wireless devices.. so on our larger headquarters cities.. the Wireless is /22 which would be 10.50.4.1 - 10.50.4.254 range.

 

How about for larger cities:

 

VLAN 2: 10.50.2.0/24 MGMT

VLAN 3: 10.50.3.0/24 DRAC

VLAN 6: 10.50.6.0/22 DATA WIFI

VLAN 8: 10.50.8.0/23 DATA WIRED

VLAN 10: 10.50.10.0/24 SERVERS & PRINTERS

VLAN 11: 10.50.11.0/23 VOIP

 

Would this work for larger cities?

 

Also, why did you put DRAC on a separate VLAN? Isn't DRAC just the Management IP for Servers? I understand that DRAC needs to be on a separate VLAN than Servers, should it be moved to Management?

Best,

Jen

 

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Rob Ingram
VIP
VIP

‎08-28-2020 09:14 AM

Hi,

It's personal preference, I've found when given the opportunity it's common to map an IP network to the VLAN ID.

 

I prefer to keep the networks contigious, so in the example below....

 

VLAN 2 - 10.50.2.0/24 MGMT
VLAN 3 - 10.50.3.0/24 DRAC
VLAN 4 - 10.50.4.0/24 SERVERS
VLAN 5 - 10.50.5.0/24 DATA WIRED
VLAN 6 - 10.50.6.0/24 DATA WIFI
VLAN 7 - 10.50.7.0/24 VOIP

 

....all of those /24 networks can be summarised as 10.50.0.0/21. When using a VPN we can establish a tunnel (2 x unidirectional IPSec SA per network) for the /21 network instead of multiple IPSec SA for each /24 (14 x unidirectional IPSec SAs), this improves performance.

 

It's also a waste of the /16, the rest of that network may in future be useful.

 

HTH

 

 

0 Helpful

Go to solution
jencisco001
Level 1
Level 1
In response to Rob Ingram

‎08-28-2020 09:38 AM

Thanks so much for this insight! I love that the subnets can be summarized. However, we have found that there are more Wireless devices.. so on our larger headquarters cities.. the Wireless is /22 which would be 10.50.4.1 - 10.50.4.254 range.

 

How about for larger cities:

 

VLAN 2: 10.50.2.0/24 MGMT

VLAN 3: 10.50.3.0/24 DRAC

VLAN 6: 10.50.6.0/22 DATA WIFI

VLAN 8: 10.50.8.0/23 DATA WIRED

VLAN 10: 10.50.10.0/24 SERVERS & PRINTERS

VLAN 11: 10.50.11.0/23 VOIP

 

Would this work for larger cities?

 

Also, why did you put DRAC on a separate VLAN? Isn't DRAC just the Management IP for Servers? I understand that DRAC needs to be on a separate VLAN than Servers, should it be moved to Management?

Best,

Jen

 

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to jencisco001

‎08-28-2020 09:52 AM - edited ‎08-31-2020 08:21 AM

Same principle, just use a /20 (10.50.0.1 - 10.50.15.254) for the large cities.

 

It might be better to have 4 x /24 VLANS for wireless, generally a VLAN size = /24.

 

VLAN 4 - 10.50.4.0/24 WIFI1

VLAN 5 - 10.50.5.0/24 WIFI2

VLAN 6 - 10.50.6.0/24 WIFI3

VLAN 7 - 10.50.7.0/24 WIFI4

 

You can then pool these VLANS in your WIFI SSID configuration.

Same for data, use 2 x /24

 

VLAN 8: 10.50.8.0/24 DATA1

VLAN 9: 10.50.9.0/24 DATA2

 

No reason, it was just an example - you are right though DRAC would fit better into management VLAN, amend to meet your requirements.

0 Helpful

Go to solution
jencisco001
Level 1
Level 1
In response to Rob Ingram

‎08-31-2020 08:11 AM

Hi Rob!

 

I realized I had a typo with the /22 range - thanks for catching!

 

I am mulling over all the IP's now to see if separate /24 VLANS would be better or not.

 

Much appreciated,

Jen

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card