DisclaimerThe Author of this

fodmidoid · ‎02-17-2015

We just got in two new 4510R+E switches to replace our single 4510R. I'm in the process of redesigning our network and could use an outsider's perspective.

As of now, all routing is done on the firewall, which will be done entirely on the new switches, once they are in place and active. We currently have two VLANs. One for Data (PCs, Servers, etc.) and one for VoIP. I am planning to separate traffic by department, each on its own VLAN. We currently have approx 90 users and 34 virtual servers, with expected growth to only be around 110 users in the next 5-10 years.

Current IP config is similar to this:

30.0.0.0 (/24) - Data

30.0.2.0 (/24) - VoIP

The design example below, incorporates Variable Length Subnet Masking (VLSM). I am wondering if using VLSM is a waste of time and effort, since this is all done using private addressing, and should I just keep it simple and create eleven or so /24 subnets, one for each of the VLANs? Could I run into possible performance issues doing that, though?

VLAN Assignment:

VLAN ID	VLAN Name	Description
VLAN 1:	Management	Server/Printer	(Native)
VLAN 10:	VoIP	Voice Traffic
VLAN 20:	Test Lab	Dev/Test
VLAN 30:	Dept 1	DATA
VLAN 40:	Dept 2	DATA
VLAN 50:	Dept 3	DATA
VLAN 60:	Dept 4	DATA
VLAN 70:	Dept 5	DATA
VLAN 80:	Dept 6	DATA
VLAN 90:	DMZ	Demilitarized Zone
VLAN 100:	P2P Link	Point to Point

IP Assignment:

Subnet Name	Hosts
VoIP	254
Management	126
Test Lab	126
Dept 1	62
Dept 2	62
Dept 3	62
Dept 4	62
Dept 5	62
Dept 6	62
DMZ	30
P2P	2

Thank you very much. I look forward to your ideas and opinions.

Jon Marshall · ‎02-17-2015

By the way a few other recommendations -

1) don't use vlan 1 for anything. That includes any end devices, switch management, or the native vlan.

2) make the native vlan an unused vlan (we used vlan 999). Do not create an SVI for this vlan as you do not need to route the native vlan.

3) use a separate vlan for switch IP addresses and don't put any end devices into this vlan.

Jon

fodmidoid · ‎02-18-2015

Thanks. I was wondering about that, myself, and whether I should move the management vlan to something else. I will follow your advice and omit vlan 1 (even from management), as well as change the native vlan to something else (such as your example above).

Jon Marshall · ‎02-17-2015

I am wondering if using VLSM is a waste of time and effort, since this is all done using private addressing, and should I just keep it simple and create eleven or so /24 subnets, one for each of the VLANs? Could I run into possible performance issues doing that, though?

Keep it simple is my advice but your design is fairly straightforward.

Certainly there should be no performance issue in terms of the switch. If you mean broadcasts/multicasts then a /24 is usually considered fine unless you have applications that used a lot of broadcasts.

I standardised and used /24s or even /25s for data and voice vlans which includes server vlans but then there were a lot more users in our buildings.

DMZs I used to use smaller subnets sometimes but not for any particular reason other than they were always going to be limited in the number of devices.

And for point to points yes use a /30, not a /24 as there is never going to be a need for any more IPs in that subnet.

Whether you use VLSM or not the two key things to always bear in mind -

1) always leave some growth in your subnets. Nothing worse than running out of IPs in a subnet when you need them although you can always just create a new vlan/IP subnet.

2) whatever you use in your LAN make sure it is summarisable and that includes all IP subnets not just the data vlans. It may not be important now but it becomes very useful if you then connect to a WAN with multiple sites.

Summarisation within the LAN is not so important unless you are using L3 from the access layer switches in which case it may be worth it but to be honest with the amount of users you have there would be no real benefit.

So with the amount of users you have you and are anticipating the future you could use VLSM as you have outlined or just create smaller IP subnets with a standard subnet mask.

It really is a matter of preference and it's not going to make much difference one way or the other.

Jon

fodmidoid · ‎02-18-2015

Those are terrific comments. Thank you for your advice.

So, if I create a whole bunch of /24 subnets, each of them having 254 available IPs, and only reduce the Point-to-Point to a /30, possibly the DMZ to something like a /19, I'll potentially be looking at 9,248 or more available IP addresses on my network while only needing around 250 total IPs at max.That design is okay?

If so, keeping track of and navigating to devices on different VLANs would be much simpler, I'd say, and the use of VLSM is reserved solely for subnetting public IPs.

Many thanks.

Jon Marshall · ‎02-18-2015

No problem.

Not sure where you get 9.248 ie. you have 9 vlans apart from the DMZ and point to points which doesn't add up to that.

It doesn't really matter because it is private addressing but like I say your proposed design is fine as well.

I might be inclined to use /25s but it's not going to make much difference and like you say keeping track is made easier when you standardise especially with things like acls etc.

Jon

fodmidoid · ‎02-18-2015

Wow, I don't even know how I came to type that number in...lol. It should be 2,318 IP addresses.

Thanks again for the input. While the VLSM schema I came up with looks nice on paper and should hold up nicely, even with quite a bit of growth, it seems unnecessary.

Now I just need to decide whether to use a /25, which would be more than enough, or go with a /24 for simplicity.

Jon Marshall · ‎02-18-2015

No problem, my maths isn't the greatest to be honest so I can't criticise :-)

Whichever you feel more comfortable with is the simple answer.

Jon

Joseph W. Doherty · ‎02-18-2015

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

If your equipment is new enough, you can also use a /31 for p2p.

Regarding performance, size of the subnet doesn't matter as much as the number of hosts on the subnet, and the kind and quantity of traffic they generate (as Jon noted, broadcasts are the usual limiter. As Jon also noted, /24s usually work well, and if you're don't expect to need the logical address space you're "wasting", there's no reason not to use them.

fodmidoid · ‎02-18-2015

Using a /31 would be interesting. These are brand-new 4510R+E switches here at the main site, so they should be able, but I don't know about at the DR site on the other end of the p2p.

Thanks for the suggestion, Joseph.

VLAN and IP Design Question