VLAN / Network Design

Associate, joined 27 Oct 2002, 343 posts, St Albans
Hi,
I have a client who are looking to expand the usable IP range of their network and have been looking towards using VLANs to do it.

Currently the network is using a class C range that is full.

I have been looking at a design to do this and am thinking about the following...

VLAN0: 192.168.0.x - Firewall & Common Network Appliances (Traffic Compression Device, Internet Proxy)
VLAN1: 192.168.1.x - Servers and Printers
VLAN2: 192.168.2.x - Client DHCP Range

[image: vlans.jpg]


The switch is a Cisco 4500 Series Layer 3 device which will be configured with the VLANs and will provide the routing between them.

Devices on each VLAN will point to the switch as their default gateway (ie VLAN0 192.168.0.1, VLAN1 192.168.1.1 etc) and there will be a default route on the Switch to route any non-VLAN traffic to the Firewall.

The company has various LAN2LAN VPNs configured which terminate at the Firewall (Cisco ASA) so the Firewall will need routes back to the switch for the VLANs it hosts.

I was wondering if anyone has any observations about this design or recommendation about expanding the current class C range?

Thanks

Tim
 
If you want to increase the address space, there's nothing wrong with super-netting class C addresses. For example, if you're using 192.168.1.0/24, pull in 192.168.0.0/24 and the network will be 192.168.0.0/23 so doubling the size. In a Windows environment you'll need to exclude using what would be class C network or broadcast addresses within the range, in this case 192.168.0.255 and 192.168.1.0 - the servers will not talk to them.

If you want to split the workstation and server networks and assuming Windows, then you'll need a proper DNS/WINS setup (at least 2 servers for resilience, one primary DNS and WINS, the other secondary) for name resolution since they'll no longer be on the same broadcast domain.

The VLAN setup should be fairly simple, just one for each network. I know the ones you've shown are just examples but leave VLAN 1 for network use and use 10, 20 etc.

To simplify any static routes, divide the networks so they can be summarised. Using your diagram for example, the ASA will need a route entry for both 192.168.1.0/24 and 192.168.2.0/24, but if you've used 192.168.2.0/24 and 192.168.3.0/24, these can be summarised as 192.168.2.0/23.
For instance, I would use 192.168.0.0/24 at the ASA end, leave 1, 2 and 3 as spare and use 192.168.4.0/24 as server, leave 5 as spare and use 192.168.6.0/24 for the workstations with 7 as spare. Or if the numbers require, the workstations use 192.168.6.0/23. You would then summarise the range as 192.168.4.0/22 for a single route entry.

Obviously what you use shouldn't overlap with any of the remote VPN networks.
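The addressing points raised across both posts (the ASA needing a route back for the switch-hosted VLANs, picking /24s that summarise cleanly, not overlapping the remote VPN LANs, and the /24 boundary addresses to exclude when supernetting a /23) can be checked before anything is typed into the switch or the ASA. The script below is an added example written for this thread, not code from either poster; the network values are constructed following the reply's suggested layout, and the remote VPN networks are assumed placeholders.

```python
import ipaddress

# Constructed example layout following the reply's suggestion, not the values in the
# original diagram: the ASA-side network stays out of the summarised block and spare
# /24s are left so the server and workstation networks collapse into one /22.
ASA_SIDE = "192.168.0.0/24"
SERVER_NET = "192.168.4.0/24"
WORKSTATION_NET = "192.168.6.0/23"

# Constructed remote LAN2LAN VPN networks (assumed values for the overlap check).
REMOTE_VPN_NETWORKS = ["10.10.0.0/16", "192.168.100.0/24"]


def covering_route(networks):
    """Smallest single prefix that contains every given network: the one static
    route the ASA would need back towards the layer-3 switch."""
    nets = [ipaddress.ip_network(n) for n in networks]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summary_slack(networks):
    """Addresses swallowed by the covering route that belong to none of the member
    networks. Zero means the networks summarise exactly; a large value means the
    summary also claims space it should not (e.g. the firewall's own network)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return covering_route(networks).num_addresses - sum(n.num_addresses for n in nets)


def conflicts(summary, other_networks):
    """Networks in other_networks that the summary route overlaps. Anything listed
    here (remote VPN LANs, the ASA-side network) would be mis-routed if the summary
    were installed as-is."""
    summary = ipaddress.ip_network(summary)
    return [str(n) for n in map(ipaddress.ip_network, other_networks) if summary.overlaps(n)]


def legacy_boundary_addresses(supernet):
    """For a supernetted range, the old /24 network and broadcast addresses inside
    it that the reply says Windows hosts will not talk to, so the DHCP scope must
    exclude them."""
    supernet = ipaddress.ip_network(supernet)
    if supernet.prefixlen >= 24:
        return []
    excluded = []
    for sub in supernet.subnets(new_prefix=24):
        for addr in (sub.network_address, sub.broadcast_address):
            if addr not in (supernet.network_address, supernet.broadcast_address):
                excluded.append(str(addr))
    return excluded


if __name__ == "__main__":
    route = covering_route([SERVER_NET, WORKSTATION_NET])
    print("ASA static route for switch-hosted VLANs:", route)
    print("spare addresses inside the summary:", summary_slack([SERVER_NET, WORKSTATION_NET]))
    print("conflicts:", conflicts(route, REMOTE_VPN_NETWORKS + [ASA_SIDE]))
    # The layout in the original diagram (1 and 2) does not summarise cleanly:
    # its covering route is 192.168.0.0/22, which also swallows the firewall's /24.
    print("diagram layout slack:", summary_slack(["192.168.1.0/24", "192.168.2.0/24"]))
    print("supernet boundary exclusions:", legacy_boundary_addresses("192.168.0.0/23"))
```

With the reply's layout the covering route is 192.168.4.0/22 with 256 spare addresses (the unused 192.168.5.0/24) and no overlap with the ASA-side network or the remote VPN LANs; with the diagram's 192.168.1.0/24 and 192.168.2.0/24 the only single covering route is 192.168.0.0/22, which overlaps 192.168.0.0/24 and so cannot be used as one summary entry on the ASA.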
 