surfer100

Junior Member
Sep 14, 2018
10
0
11
Hi,

I want to make a new IP plan, but some things are not clear to me; maybe someone has some advice.
We now have an internal network with 192.168.0.0/16, but we also have IP addresses 192.100.x.x and 192.150.1.x etc. Switches, desktops, laptops, servers and other devices are in the same VLAN; only some separate devices which all communicate together (servers, access points) are in separate VLANs. So the separation is not exactly done by device. We have servers which operate in more than one VLAN, so with several VLAN network cards.
IP phones are also in a separate VLAN, and the phones provide some clients with their network link, so the phone ports are trunk ports in more than one VLAN.

In the new IP plan I want to make far more VLANs, and the plan is to put clients, APs, switches and servers all in different VLANs, but I doubt whether this is efficient. Must the servers and clients be put in the same VLAN for better, easier control? Must bridges be put in a different VLAN from the APs, etc.? Must the VLANs be made per device type, or for devices that communicate a lot with each other? How is this best done?
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
That is a big ask.

First, 192.100 and 192.150 are not ranges that should be used on internal networks. Second, we would need to know more about the network and the design. Are there core switches? Is the firewall doing VLAN routing (router on a stick?), etc. Ideally you would segment your network for mainly two reasons:
1) Reduce broadcast traffic.
2) Security

I'll focus on number two for a small business. I'd recommend scoping out a /23 or /24 for each of the following networks:
1) Servers
2) Workstations
3) Management (switches, APs, etc.)
4) Printers
5) Various non-IT controlled systems (HVAC, door locks, security cameras, etc)
 

surfer100

Junior Member
Sep 14, 2018
Thanks. What worries me is the subnetting; maybe you could give a suggestion.
The above is just an example of IP numbers.

Let's say we use 192.168.0.0/12 as the network.
We choose some VLANs with 256 addresses, but there are several ranges with more than 256 devices; let's say some have more than 500 devices, and some 300 and 700 when they grow.

I can stay in the range 192.168 for those VLANs, so VLAN 2 is 192.168.2.0/24, VLAN 3 is 192.168.3.0/24 and VLAN 4 is 192.168.4.0/16 (more than 500 devices) (this last VLAN is going to occupy 192.168.4 but also .5 and maybe .6).
But there is a choice to make: VLAN 2 and VLAN 3 the same as above, but for VLANs with more than 256 addresses choose 192.169.1.0/16.

This is the point where I do not know what to choose. Segmenting the networks with different subnets like 255.255.252.0, or staying with the simple 255.255.255.0 or 255.255.0.0, so only using the two standard subnets /24 and /16 for the different VLANs.

What is the better logic, or easier, or is something like this more secure, or whatever?
 

mv2devnull

Golden Member
Apr 13, 2010
1,516
153
106
Why do you use both netmask and prefix notations? That merely confuses you.

Your 192.168.4.0/16 would have subnet address 192.168.0.0 and broadcast address 192.168.255.255, i.e. it is the whole 192.168/16 and not just .4, .5, .6.

/24 covers 256 addresses. Take out the network address, broadcast address and router's address and you have 253 for devices.
/23 covers 512 addresses. 509 for devices.
/22 covers 1024 addresses. 1021 for devices.
/21 covers ...

You can split the 192.168/16 into 64 /22 subnets, and each /22 subnet into two /23 or four /24 subnets.

Are 64 subnets of ~1000 addresses enough for you? You don't have to create them all at once.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
I'd stick with the simpler 255.255.252.0 subnet (up to 64 subnets), and each subnet will give you 1024 addresses.
 

surfer100

Junior Member
Sep 14, 2018
Your 192.168.4.0/16 would have subnet address 192.168.0.0 and broadcast address 192.168.255.255, i.e. it is the whole 192.168/16 and not just .4, .5, .6.

I know what you mean, but my doubt is what to use for the different VLANs. Let's say we have VLAN 2 servers (100 devices), VLAN 3 clients (600 devices, and also Linux machines which we want to give another range), VLAN 4 a separate building network (600 devices, and other devices which we want to give another IP range), and VLAN 5 switches (280 devices).
Option 1
VLAN 2 servers are put in 192.168.2.0/24
VLAN 3 192.168.5.0/24 (the subnet mask of this one could be 255.255.252.0, but then subnet 192.168.6 or 192.168.7 is also used? So I cannot give 192.168.6 or .7 to others)
Linux: 192.168.8.0/24
Other: 192.168.9.0/24
VLAN 4 192.169.0.0/16 (is it smart to change the 168 to 169 for about 400 devices? Can't we stay in 192.168.X.X?)
VLAN 5 192.170.0.0/16

Option 2
VLAN 2: 192.168.2.0/24
VLAN 3: 192.168.5.0/16
Linux: 192.168.6.0/24
Other: 192.168.7.0/24
VLAN 4: 192.168.80.0/16
VLAN 5: 192.168.99.0/16

With the first method we have different subnet masks, not only 255.255.255.0 and 255.255.0.0 but also 255.255.252.0 and maybe 255.255.248.0 (is this smart?), but we always keep the 192.168.
With the second method we always change the second range.

What I do not know is what to use: different subnet masks, or different ranges within 192.168.3 (for clients, but because there are more than 256, also use 192.168.4 and sometimes .5), or make use of 192.169?

So I believe it is the subnetting that I am worried about.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

So 192.169.x.x or 192.170.x.x are not private IP addresses.

==

What's the reason not to use the simpler scheme?

Use 255.255.252.0 as the subnet mask (22 bits) and you will have 64 subnets:

192.168.0.1-192.168.3.254 subnet 1
192.168.4.1-192.168.7.254 subnet 2
...
192.168.252.1-192.168.255.254 as subnet 64

each with 1022 devices. You don't have to use up all the IP addresses in a subnet range, do you?
 

mv2devnull

Golden Member
Apr 13, 2010
1,516
153
106
Thus, for example:
vlan 2: 192.168.0.0/22
vlan3: 192.168.4.0/22
Linux: 192.168.8.0/22
other: 192.168.12.0/22
vlan4: 192.168.16.0/22
vlan5: 192.168.20.0/22
 

surfer100

Junior Member
Sep 14, 2018
OK, thanks, that's clear, but one question:

When or why (pros/cons) would one, instead of multiple /22 subnets, use for several VLANs a 192.x.x.x instead of 192.168.x.x/22,
for some bigger VLANs with more than 1022 addresses, or which are at a different location, for example?
Then one can simply always use 255.255.255.0 (/24), and some bigger 255.255.252.0 (/22), and for some others 255.255.0.0 (/16)?
Then the subnet mask can always be 255.255 or 255.255.255.
 

mv2devnull

Golden Member
Apr 13, 2010
You have some address range (or ranges) available to you. Public or private. If public, you have what you pay for. Let's say you have a private range and have chosen the 192.168/16.

You set up DHCP server(s) to configure every device in your subnets. If you absolutely need to use netmask notation, do it there. The discussion can use simpler, more intuitive prefix notation. Conversion from prefix to netmask is trivial.

You could have all your devices in a single subnet, but you might desire to create subgroups for better control. By building, by department, by purpose (e.g. servers, workstations, guests), etc. The groups (subnets) can have different settings, like accessibility. Should something happen, you could quarantine one subnet, rather than everything.

Broadcasts reach everyone within a subnet. When you subdivide, you reduce the broadcasts that reach the devices. Less noise.


You have an available range. You know how many subnets you want. You know how many devices will be in each subnet.

A /16 can be split into two /17. A /17 can be split into two /18.
A /18 can be split into two /19. A /19 can be split into two /20.
A /20 can be split into two /21. A /21 can be split into two /22.
A /22 can be split into two /23. A /23 can be split into two /24.

For example, you could have two /18, four /20, eight /22, and sixteen /23 subnets within the 192.168.0.0--192.168.255.255 range simultaneously.

Your example had 6 subnets. What if you create six /19 subnets within 192.168? Each can have 8k devices, and you will still have a 16k-address subrange for unforeseeable needs.


"VLAN" is semi-unrelated. VLAN is a method to build multiple subnets without separate hardware for each.
 

mxnerd

Diamond Member
Jul 6, 2007
VLAN is for confining broadcast domains. You can have same subnet and IP range for different dept. but they are on different VLANs and won't be able to communicate with each other.

ex.

Acct dept. IP range from 192.168.1.1 - 192.168.1.254 but on VLAN 10
Warehouse dept. IP range also 192.168.1.1 - 192.168.1.254 but on VLAN 20

They can't communicate with each other.

VLAN <> subnet, they are completely different things.

==

You can also divide a subnet into 2 or more VLANs and the PCs in different VLANs can't communicate with each other.

ex.

Acct dept 192.168.1.1 to 192.168.1.127 on VLAN 10 can't communicate with warehouse PCs in 192.168.1.128-192.168.1.254 on VLAN 20.
 

surfer100

Junior Member
Sep 14, 2018
You have some address range (or ranges) available to you. Public or private. If public, you have what you pay for. Let's say you have a private range and have chosen the 192.168/16.

You set up DHCP server(s) to configure every device in your subnets. If you absolutely need to use netmask notation, do it there. The discussion can use simpler, more intuitive prefix notation. Conversion from prefix to netmask is trivial.

You could have all your devices in a single subnet, but you might desire to create subgroups for better control. By building, by department, by purpose (e.g. servers, workstations, guests), etc. The groups (subnets) can have different settings, like accessibility. Should something happen, you could quarantine one subnet, rather than everything.

Broadcasts reach everyone within a subnet. When you subdivide, you reduce the broadcasts that reach the devices. Less noise.


You have an available range. You know how many subnets you want. You know how many devices will be in each subnet.

A /16 can be split into two /17. A /17 can be split into two /18.
A /18 can be split into two /19. A /19 can be split into two /20.
A /20 can be split into two /21. A /21 can be split into two /22.
A /22 can be split into two /23. A /23 can be split into two /24.

For example, you could have two /18, four /20, eight /22, and sixteen /23 subnets within the 192.168.0.0--192.168.255.255 range simultaneously.

Your example had 6 subnets. What if you create six /19 subnets within 192.168? Each can have 8k devices, and you will still have a 16k-address subrange for unforeseeable needs.


"VLAN" is semi-unrelated. VLAN is a method to build multiple subnets without separate hardware for each.

That's a clear tutorial! But we want to make, let's say, 20 VLANs, each VLAN has its own range, and the VLANs must communicate with each other. Clients communicate with servers, but they are in different VLANs with their own IP range. The VLANs are not separated because of building etc., but more by traffic.
So for me there is a connection between VLANs and subnetting, each VLAN with its own range; that's why the example.
I still do not understand why one would choose (not using 192.168 as an example anymore) to use for all the different VLANs a 10.1.x.x/16 network with VLANs 10.1.x.x/24, /22 etc., OR 10.2.x.x/16 and 10.3.x.x/16.

What do you mean by: "The discussion can use simpler, more intuitive prefix notation. Conversion from prefix to netmask is trivial."?
 

mv2devnull

Golden Member
Apr 13, 2010
The prefix tells how many bits of IP address are the subnet. The rest of bits are for host identifier. That is quite simple, is it not?
Every /x is a valid prefix (if x is in 0..32). There are only 33 valid netmasks, yet you can write over four billion different x.y.z.w.
There are tools to compute netmask from prefix.

LANs. Subnets.

What connects two subnets? A router. The router forwards traffic from one subnet to an another. The router dictates who can communicate with whom. You can have more than one router.

Let's say you have two groups: Accounting and Warehouse. Two subnets. One router as the link between those two and the WAN.
Each group knows (is told by DHCP) that the route to outside of subnet is via the router. They can connect to Anandtech.
Well, they can, unless the router blocks them. The router probably blocks access from WAN to either group. The router can block or allow traffic between the groups.

That is the logical part. Then there is physical part.

The router could have a port for each subnet that it is connected to. Each group/subnet would have their own switch(es) and wiring. All the hardware could get expensive.

Take 2:
There is a common switch that both groups are connected to. The switch has been configured to have VLANs. Some ports belong to VLAN 10, some to VLAN 20, and one to both. That one port connects to one port on the router, which also has VLAN 10 and VLAN 20 configured on its port. The traffic of both subnets uses the same wire (trunk), but they are kept separate with VLAN tags.

Logically, router sees two distinct subnets. Physically, just one port/cable.

You can chain switches to extend the VLAN trunk further. You obviously have to lock up the network devices, or someone could plug into the neighbour's subnet.


Acct dept. IP range from 192.168.1.1 - 192.168.1.254 but on VLAN 10
Warehouse dept. IP range also 192.168.1.1 - 192.168.1.254 but on VLAN 20

They can't communicate with each other.
That is ... a router cannot route between these two, for (L3) routing looks at IP addresses and those two subnets are indistinguishable.
Some platforms support "network namespaces" to keep distinct logical subnets separate despite address range clashes.

10.1.x.x/16 network and vlan's 10.1.x.x/24/52 etc OR 10.2.x.x/16 and 10.3.x.x/16
10.1.x.x/16, 10.2.x.x/16 and 10.3.x.x/16 are three separate address ranges. Of course they can be used as subnets.

Every 10.1.x.x/y address range (where y>16) is a subset of the 10.1.x.x/16 address range. It would be an error to use any of them together with the 10.1.x.x/16 as subnets.

Note though:
RouterA---RouterB---subnets
RouterB has "all" 10.1.x/24 subnets. The RouterA is told that "to 10.1/16 via RouterB"; the RouterA does not need every subnet listed separately, because the broader route covers them all.
(Private ranges, such as 10/8 are not routable on the public internet, but your internal subnets could have multiple routers.)


I want to make a new ip-plan but some things are not clear to me
Have you considered buying the plan from a local professional? You definitely do not want to base a network on uncertainty.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
OP keeps confusing VLAN with subnet. A VLAN usually is a number from 1 to 4096 (cheaper switches only support up to 1024). Not an IP address or IP range.

VLAN creates a virtual / logical LAN in a physical LAN. Even if two PCs in the same room connect to the same switch, in the same subnet but in different VLAN, they can't talk with each other.

To these PCs, they think they are on separate, non-connected physical switches. Different PCs on different physical switches but in the same VLAN and same subnet can talk to each other, since they are in the same broadcast domain, however.
 

surfer100

Junior Member
Sep 14, 2018
I believe I understand the difference between VLANs and subnets, but for me there is a link (do correct me again if I am wrong...):
for example:
network internally: 10.1.0.0/16
vlan 1 not in use default vlan
vlan 2: 10.1.1.0/24
vlan 3: 10.1.2.0/24
vlan 3: 10.1.3.0/22
vlan 4: 10.1.7.0/22
vlan 5: 10.1.11.0/22
vlan 6: 10.1.15.0/24
vlan 7: 10.1.16.0/24
and so on

I would like a plan that gives every VLAN a different subnet; most of the VLANs that we will create will have fewer than 1024 devices, for most 256 will be sufficient, but some must be bigger.
So with this in mind, every sort of hardware will be put in a VLAN with its own subnet.


But it is also possible to make the network 10.0.0.0/10:
vlan 1 not in use default vlan
vlan 2: 10.1.1.0/24
vlan 3: 10.1.2.0/24
vlan 3: 10.2.1.0/22
vlan 4: 10.2.5.0/22
vlan 5: 10.3.1.0/22
vlan 6: 10.3.5.0/24
and so on

After your explanations I believe it is best to choose the first one.
 

mv2devnull

Golden Member
Apr 13, 2010
ipcalc, like http://jodies.de/ipcalc, could help with the network definitions.

For example:
network A: 10.1.0.0/22
network B: 10.1.4.0/22
network C: 10.1.8.0/22
network D: 10.1.12.0/24
network E: 10.1.13.0/24
network F: 10.1.14.0/24
network G: 10.1.15.0/24
and so on

You can assign a VLAN ID for each network, if needed.
 

mxnerd

Diamond Member
Jul 6, 2007
I believe I understand the difference between VLANs and subnets, but for me there is a link (do correct me again if I am wrong...):
for example:
network internally: 10.1.0.0/16
vlan 1 not in use default vlan
vlan 2: 10.1.1.0/24
vlan 3: 10.1.2.0/24
vlan 3: 10.1.3.0/22
vlan 4: 10.1.7.0/22
vlan 5: 10.1.11.0/22
vlan 6: 10.1.15.0/24
vlan 7: 10.1.16.0/24
and so on

I would like a plan that gives every VLAN a different subnet; most of the VLANs that we will create will have fewer than 1024 devices, for most 256 will be sufficient, but some must be bigger.
So with this in mind, every sort of hardware will be put in a VLAN with its own subnet.


IP 10.1.3.0/22 covers 10.1.0.1 - 10.1.3.254 , overlaps 10.1.1.0/24 & 10.1.2.0/24, not a good design.

IP 10.1.7.0/22 covers 10.1.4.1 - 10.1.7.254

IP 10.1.11.0/22 covers 10.1.8.1 - 10.1.11.254

You have to do something like what mv2devnull had shown you.

or use this VLSM CIDR tool

https://ccnav6.com/CIDR-VLSM-Calculator.html

You enter a network ID in mask-bits notation and how many hosts you need for each subnet:


[image: screenshot of the VLSM calculator output]


It also shows exactly what mv2devnull had recommended.
 
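As an added worked example (my own code, not from any poster in this thread), the following Python script does with the standard library ipaddress module what the VLSM calculator and the overlap remarks above do by hand: it picks the smallest prefix that fits a requested host count, carves the subnets out of a parent block largest-first so that each one starts on its own boundary, and then audits a proposed plan for host bits set in the "network" address (the 10.1.3.0/22 case), ranges outside RFC 1918, and overlapping subnets. The VLAN names and host counts in REQUESTED are made up for the example; OP_PLAN is the first plan posted earlier in the thread, with the 192.169 range from an earlier post added as a further test input.

```python
import ipaddress

# RFC 1918 private blocks, the three ranges quoted earlier in the thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: VLAN names and host counts are made up for this example.
REQUESTED = [
    ("servers", 100),
    ("clients", 600),
    ("building2", 600),
    ("switches", 280),
    ("linux", 50),
    ("printers", 30),
]

# The first plan posted in the thread, plus the 192.169 range from an earlier
# post, used here as input for the audit.
OP_PLAN = [
    ("vlan2", "10.1.1.0/24"),
    ("vlan3", "10.1.2.0/24"),
    ("vlan3b", "10.1.3.0/22"),
    ("vlan4", "10.1.7.0/22"),
    ("vlan5", "10.1.11.0/22"),
    ("vlan6", "10.1.15.0/24"),
    ("vlan7", "10.1.16.0/24"),
    ("remote", "192.169.1.0/24"),
]


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose usable host count (2**n - 2) covers `hosts`."""
    host_bits = 2  # /30 is the smallest subnet with two usable addresses
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def allocate(parent: str, requests, max_prefix: int = 24):
    """VLSM allocation: hand out subnets largest-first from `parent`, so each
    block starts on its own boundary. `max_prefix` caps how small a subnet may
    get (default /24, leaving growth room as suggested in the thread).
    Returns (plan, free_pool); plan is a list of (name, network) pairs."""
    pool = [ipaddress.ip_network(parent)]
    plan = []
    for name, hosts in sorted(requests, key=lambda r: -r[1]):
        plen = min(prefix_for_hosts(hosts), max_prefix)
        for i, free in enumerate(pool):
            if free.prefixlen > plen:
                continue  # this free block is too small
            chosen = free if free.prefixlen == plen else next(free.subnets(new_prefix=plen))
            # Put the rest of the free block back into the pool, lowest address first.
            rest = [] if chosen == free else list(free.address_exclude(chosen))
            pool[i:i + 1] = sorted(rest, key=lambda n: int(n.network_address))
            plan.append((name, chosen))
            break
        else:
            raise ValueError(f"no room left in {parent} for {name} ({hosts} hosts)")
    return plan, pool


def check_plan(plan):
    """Audit (name, 'a.b.c.d/n') pairs: host bits set in the network address,
    non-RFC 1918 ranges, and overlapping subnets. Returns a list of findings."""
    findings = []
    nets = []
    for name, given in plan:
        net = ipaddress.ip_network(given, strict=False)  # strict=True would raise on host bits
        if str(net) != given:
            findings.append(f"{name}: {given} has host bits set; the network is really {net}")
        if not any(net.subnet_of(block) for block in RFC1918):
            findings.append(f"{name}: {net} is not RFC 1918 private space")
        nets.append((name, net))
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{a_name} {a} overlaps {b_name} {b}")
    return findings


if __name__ == "__main__":
    plan, free = allocate("10.1.0.0/16", REQUESTED)
    for name, net in plan:
        print(f"{name:10} {str(net):18} usable={net.num_addresses - 2}")
    print("free:", ", ".join(str(n) for n in free))
    for line in check_plan(OP_PLAN):
        print("WARNING:", line)
```

Running it as a script prints the allocation (clients and building2 get the two /22s at 10.1.0.0 and 10.1.4.0, switches a /23, the rest /24s) followed by the audit of OP_PLAN, which flags 10.1.3.0/22, 10.1.7.0/22 and 10.1.11.0/22 as not being network addresses, 192.169.1.0/24 as public space, and the two /24s that fall inside 10.1.0.0/22.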

mv2devnull

Golden Member
Apr 13, 2010
That's a nice calculator.

Alternatively, one could "keep it simple" (if 254 subnets is enough):
subnet X == address range: 10.X.0.0/16 == VLAN ID: X (where 1 < X < 256)
 

surfer100

Junior Member
Sep 14, 2018
IP 10.1.3.0/22 covers 10.1.0.1 - 10.1.3.254 , overlaps 10.1.1.0/24 & 10.1.2.0/24, not a good design.

IP 10.1.7.0/22 covers 10.1.4.1 - 10.1.7.254

IP 10.1.11.0/22 covers 10.1.8.1 - 10.1.11.254

You have to do something like what mv2devnull had shown you.

or use this VLSM CIDR tool

https://ccnav6.com/CIDR-VLSM-Calculator.html

You enter a network id with mask bits notation and how many hosts you need for each subnet:


[image: screenshot of the VLSM calculator output]


It also show exactly what mv2devnull had recommended.



If the above is the design, then this is not correct, or I am confused:
IP 10.1.3.0/22 covers 10.1.0.1 - 10.1.3.254 , overlaps 10.1.1.0/24 & 10.1.2.0/24, not a good design.
In the sheet above, 10.1.3.0/22 covers 10.1.3.0, 10.1.4.0, 10.1.5 and 10.1.6?


IP 10.1.7.0/22 covers 10.1.4.1 - 10.1.7.254

IP 10.1.11.0/22 covers 10.1.8.1 - 10.1.11.254
 

mv2devnull

Golden Member
Apr 13, 2010
If the above is the design, then this is not correct, or I am confused:
In the sheet above, 10.1.3.0/22 covers 10.1.3.0, 10.1.4.0, 10.1.5 and 10.1.6?
What sheet? Where?

Code:
Address:   10.1.3.0              00001010.00000001.000000 11.00000000
Netmask:   255.255.252.0 = 22    11111111.11111111.111111 00.00000000
Wildcard:  0.0.3.255             00000000.00000000.000000 11.11111111
=>
Network:   10.1.0.0/22           00001010.00000001.000000 00.00000000
Broadcast: 10.1.3.255            00001010.00000001.000000 11.11111111
HostMin:   10.1.0.1              00001010.00000001.000000 00.00000001
HostMax:   10.1.3.254            00001010.00000001.000000 11.11111110
Hosts/Net: 1022                  (Private Internet)
 

surfer100

Junior Member
Sep 14, 2018
IP 10.1.3.0/22 covers 10.1.0.1 - 10.1.3.254 , overlaps 10.1.1.0/24 & 10.1.2.0/24, not a good design.

IP 10.1.7.0/22 covers 10.1.4.1 - 10.1.7.254

IP 10.1.11.0/22 covers 10.1.8.1 - 10.1.11.254

The above states that 10.1.3.0/22 covers 10.1.0.1 - 10.1.3.254, but isn't it so that this covers 10.1.3.1 - 10.1.7.254?
What is wrong here?
The CIDR calculator says: 10.1.4.0 covers 10.1.4.1 - 10.1.7.254?
 

mxnerd

Diamond Member
Jul 6, 2007
If the above is the design, then this is not correct, or I am confused:
In the sheet above, 10.1.3.0/22 covers 10.1.3.0, 10.1.4.0, 10.1.5 and 10.1.6?
No. As you can see in the first row of the sheet, it's 10.1.0.1-10.1.3.254.

If you choose 10.1.0.0/22, 10.1.1.0/22 or 10.1.2.0/22, they all fall into the same range.

When you use /22, that means you need 1024 addresses; then you can't start with 10.1.1, 10.1.2 or 10.1.3.

You have to start with 10.1.0 and end with 10.1.3.

If you choose 10.1.4.0/22, 10.1.5.0/22, 10.1.6.0/22 or 10.1.7.0/22, then it must be from 10.1.4.1 to 10.1.7.254.

10.1.4.0 is the network ID that identifies this subnet / network.

10.1.4.1 - 10.1.4.255 -- 255 devices
10.1.5.0 - 10.1.5.255 -- 256 devices
10.1.6.0 - 10.1.6.255 -- 256 devices
10.1.7.0 - 10.1.7.254 -- 255 devices, so that's 1022 devices in total

10.1.7.255 is the broadcast IP for the subnet / network.

There is nothing wrong.

When subnetting, you can't randomly choose where a network starts and where it ends. You have to use the mask-bits binary calculation.

There are a lot of subnetting tutorials on YouTube.
 

mv2devnull

Golden Member
Apr 13, 2010
For example, 10.1.9.42 is 00001010.00000001.00001001.00101010 in binary.
Let's say that the prefix is 21. The first 21 digits (bits) in the binary are the network address. The remaining 11 bits are for hosts.

The 00001010.00000001.00001 is thus the network part.
Fill the remaining 11 bits with 0s to get the first (network's) address in the range.
It is: 00001010.00000001.00001000.00000000
In decimal that is: 10.1.8.0

Fill the remaining 11 bits with 1s to get the last (broadcast) address in the range.
It is: 00001010.00000001.00001111.11111111
In decimal that is: 10.1.15.255

There is no reason to use some random address within the range, for that merely confuses.
It is best to show this subnet / address range with: 10.1.8.0/21
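As an added worked example (my own code, not from the thread), the bit-level derivation above, 10.1.9.42 with prefix 21, carried out in Python with plain integer operations rather than the ipaddress module, so that every step in the post appears as a mask operation. The same function also settles the 10.1.3.0/22 question from earlier in the thread: given any address inside a block it reports the canonical network address, and says whether the address you typed was that network address. The helper names are my own; the /31 and /32 handling follows RFC 3021 and is not something the post discusses.

```python
# Added example: prefix/netmask arithmetic with plain integer bit operations.
# Helper names are my own; they are not from the thread.


def to_int(dotted: str) -> int:
    """'10.1.9.42' -> 0x0A01092A; rejects anything that is not four octets in 0..255."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bits(value: int) -> str:
    """Dotted binary, the form used in the post: 00001010.00000001.00001001.00101010"""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def netmask(prefix: int) -> int:
    """/21 -> 0xFFFFF800 (255.255.248.0): `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe(cidr: str) -> dict:
    """ipcalc-style summary for 'a.b.c.d/n'. Accepts any address inside the
    block, not only the network address, which is exactly the 10.1.3.0/22 case:
    the host bits are masked off and the canonical network is reported."""
    addr_s, prefix_s = cidr.split("/")
    addr, prefix = to_int(addr_s), int(prefix_s)
    mask = netmask(prefix)
    wildcard = ~mask & 0xFFFFFFFF
    network = addr & mask           # host bits forced to 0 (first address)
    broadcast = network | wildcard  # host bits forced to 1 (last address)
    size = 1 << (32 - prefix)
    if prefix <= 30:
        hostmin, hostmax, usable = network + 1, broadcast - 1, size - 2
    else:
        # /31 (RFC 3021 point-to-point) and /32 have no separate network/broadcast.
        hostmin, hostmax, usable = network, broadcast, size
    return {
        "canonical": f"{to_dotted(network)}/{prefix}",
        "is_network_address": addr == network,
        "netmask": to_dotted(mask),
        "wildcard": to_dotted(wildcard),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "hostmin": to_dotted(hostmin),
        "hostmax": to_dotted(hostmax),
        "usable": usable,
        "bits": {
            "address": to_bits(addr),
            "netmask": to_bits(mask),
            "network": to_bits(network),
            "broadcast": to_bits(broadcast),
        },
    }


if __name__ == "__main__":
    info = describe("10.1.9.42/21")
    for key in ("canonical", "netmask", "network", "broadcast", "hostmin", "hostmax", "usable"):
        print(f"{key:10} {info[key]}")
    for key, bits in info["bits"].items():
        print(f"{key:10} {bits}")
```

For 10.1.9.42/21 the script prints the same network (10.1.8.0), broadcast (10.1.15.255) and binary rows as the post; for 10.1.3.0/22 it reports the canonical block 10.1.0.0/22 and is_network_address False, which is why the calculator earlier in the thread showed 10.1.0.1 - 10.1.3.254 for that input.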