Vlan Best Practice

dcanady55
Level 3

Hello,

 

I am wondering about the following scenario and whether it falls under a best practice. Two locations, and each location is identical in terms of equipment and purpose. Let's say location A had a VLAN 100 with 172.15.5.0/24; would location B best be set up with VLAN 100 and 172.15.6.0/24, or would most use a different VLAN like 101? I'm using the octets to classify the location but curious if most would also change the VLAN 100. I'm inclined to keep it at 100 and just change the IP so it's more consistent, but from a security standpoint I wasn't sure if that's best.

 

thanks in advance!

6 Replies

Reza Sharifi
Hall of Fame

You usually want one VLAN with the corresponding subnet and, if possible, match the 3rd octet with the VLAN ID. This way it is easy to remember that subnet 100 is VLAN 100 and subnet 101 is VLAN 101, etc.

 

Assuming 2 VLANs per location:

Location-A VLAN 100 subnet 172.16.100.0/24

Location-A VLAN 101 subnet 172.16.101.0/24

Location-B VLAN 102 subnet 172.16.102.0/24

Location-B VLAN 103 subnet 172.16.103.0/24

 

HTH

 

 

I really appreciate you taking the time to give your input thanks.

Joseph W. Doherty
Hall of Fame

I don't recall either approach being a "best practice".

In cases where it's possible VLANs might need to be merged on the same switch(es), of course, your best approach is to ensure each has a unique VLAN so this could be done.

In cases where you'll never combine such VLANs on the same switch, perhaps using the same VLAN number for a functional purpose might be the better approach.

At my last job, where we had 5,000 Enterprise network devices spread across quite a few sites of varying sizes (i.e. from just a couple of hosts to thousands of hosts at a site), we used the latter approach. This is because network IP assignments come and go, and it can be difficult to always have the VLAN number match part of the network IP in some way. However, you can usually, at least, use the same VLAN number for the same "function" at different sites.

Thanks Joseph,

 

I think both responses are valid, but I do feel keeping the VLAN the same across multiple sites makes the most sense to me. I don't think I mentioned it, but these VLANs would be for the same thing at those sites (VLAN 100 = voice, VLAN 200 = data, ...), which further makes me think keeping the numbers the same would be best. I just wasn't sure from a security standpoint if that was frowned upon.

thanks,

 

 

If the purpose is going to be the same at each site, then absolutely feel free to use the same VLAN ID; as long as the sites are separated by L3, you will be fine.

 

I have never heard a reason why it would be a security issue as such. 

 

Jon

Like Jon, I'm unaware of any specific security issue using the same VLAN number, for functional groups, on different switches.

BTW, both approaches are fine, and perhaps not using either approach is too, but I might add that it might be more "work" to try to maintain some part of an IP address to match a VLAN number and/or functional purpose - think of the impact of various sized networks. (I.e. what Reza showed using /24s, and their third octet, would be about the best possible case.)

Also, BTW, if something is actually a "best practice", consider whether it's really such for you too.  If something is truly a best practice, that doesn't mean you have to follow that practice, but don't just contravene it without careful consideration and good reason.
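Either convention is easy to drift from as sites get added, so a small lint over the planned VLAN/subnet table catches the problems the thread describes before they reach a switch. This is an added example, not code from anyone in this thread; the site plan is constructed, with Location-A/B following the numbering discussed above and a hypothetical Location-C added to trigger findings.

```python
"""Lint a multi-site VLAN/subnet plan against the two conventions discussed."""
import ipaddress
from collections import defaultdict

# Constructed sample plan: (site, vlan_id, function, subnet).
# Location-C is hypothetical and deliberately wrong: it reuses VLAN 100 for a
# different function and reuses Location-A's subnet.
PLAN = [
    ("Location-A", 100, "voice", "172.16.100.0/24"),
    ("Location-A", 200, "data", "172.16.200.0/24"),
    ("Location-B", 100, "voice", "172.16.101.0/24"),
    ("Location-B", 200, "data", "172.16.201.0/24"),
    ("Location-C", 100, "data", "172.16.100.0/24"),
]


def lint_plan(plan, octet_convention=False):
    """Return a list of findings; an empty list means the plan is clean.

    Checks: no overlapping subnets anywhere (sites meet at L3, so every prefix
    must be unique); no VLAN ID defined twice within one site; a VLAN ID shared
    across sites must carry the same function ("same VLAN, same purpose");
    optionally the third octet must equal the VLAN ID (the octet convention).
    """
    findings = []
    nets = [(site, vlan, ipaddress.ip_network(cidr)) for site, vlan, _, cidr in plan]
    for i, (s1, v1, n1) in enumerate(nets):
        for s2, v2, n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                findings.append(f"overlap: {s1} vlan {v1} {n1} vs {s2} vlan {v2} {n2}")
    per_site = defaultdict(list)
    functions = defaultdict(set)
    for site, vlan, func, cidr in plan:
        per_site[(site, vlan)].append(cidr)
        functions[vlan].add(func)
        # packed[2] is the third octet of the network address as an int
        if octet_convention and ipaddress.ip_network(cidr).network_address.packed[2] != vlan:
            findings.append(f"octet: {site} vlan {vlan} third octet != vlan id in {cidr}")
    for (site, vlan), cidrs in per_site.items():
        if len(cidrs) > 1:
            findings.append(f"duplicate: {site} defines vlan {vlan} more than once")
    for vlan, funcs in functions.items():
        if len(funcs) > 1:
            findings.append(f"function: vlan {vlan} means {sorted(funcs)} at different sites")
    return findings


if __name__ == "__main__":
    for finding in lint_plan(PLAN, octet_convention=True):
        print(finding)
```

Running it with `octet_convention=True` also flags Location-B, which shows Joseph's point: keeping the same VLAN ID per function at every site and keeping the third octet equal to the VLAN ID cannot both hold once a second site needs its own /24.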
