need help in designing VLANS for 20 dept

Unanswered Question
Jun 7th, 2009

I have 1000 nodes for which I am planning a campus-wide network, with 1 Layer 3 switch and some 15 L2 switches. I have some 20 different departments and need different IP schemes for all of them. I need this with security enabled so that the departments' resources are safe. Please do suggest how I can go about it.

Do suggest what IP scheme I can allot if one dept has 60 users and another has 490 users.

Thanks in Advance,

Max

jimmysands73_2 Sun, 06/07/2009 - 07:18

Max,

You're a network engineer and you're asking a semester II subnetting question... anyway.

I suggest Cisco Press or Lammle's book.

But for now: you have 20 different departments, one dept has 60 users and another has 490, but what about the other 18 departments?

Giuseppe Larosa Sun, 06/07/2009 - 11:54

Hello Sai Krishna,

First of all, you need a classless routing protocol like RIPv2, EIGRP or OSPF so that you can use different subnet masks as needed without wasting IP addresses.

Then you need to create an address plan that fits all your needs and leave space to grow.

Likely you will be using private IP addresses as described in RFC 1918.

For example you can use:

172.20.0.0/20

First, divide this space into /23 subnets, which are big enough to host the 490 users:

172.20.0.0/23

172.20.2.0/23

...

172.20.14.0/23

For VLANs with 60 users it is wise to leave space for additional hosts in case they are needed in the future, so I would use a /25 for them.

Let's take 172.20.12.0/23; further subnetting this into /25s means moving two bits to the right and gives four subnets:

172.20.12.0/25

172.20.12.128/25

172.20.13.0/25

172.20.13.128/25

This can accommodate 4 subnets/departments.

I wouldn't use subnets bigger than a /23, because otherwise the broadcast overhead becomes very large.

Having a multilayer switch, you can also consider putting the 490 users in two VLANs/subnets.

About security: this depends on the security levels you want to build.

Complete segregation of departments can be achieved with VRF-lite (actually a different routing table for each department).

Some level of control can be achieved by using ACLs applied on the SVIs (the logical VLAN interfaces) on the L3 switch.

Hope to help

Giuseppe
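The address plan Giuseppe sketches above, carried through in code as an added example (this is not code from the thread): it carves 172.20.0.0/20 into eight /23s, splits one of them (172.20.12.0/23 by default, as in the post) into four /25s for the small departments, checks each department's head-count against the usable hosts of its subnet, and flags overlapping allocations. The department names and head-counts other than the 60 and 490 from the question are constructed for illustration.

```python
import ipaddress

# Added example, not from the thread. Reproduces Giuseppe's plan:
#   /20 campus block -> eight /23 subnets (510 usable hosts each)
#   one donor /23    -> four /25 subnets (126 usable hosts each)
CAMPUS = ipaddress.ip_network("172.20.0.0/20")


def usable_hosts(net):
    """Usable host addresses in an IPv4 subnet (network and broadcast excluded)."""
    return net.num_addresses - 2


def carve(block, new_prefix):
    """All subnets of `block` with the given prefix length, in address order."""
    return list(block.subnets(new_prefix=new_prefix))


def plan(big_depts, small_depts, block=CAMPUS, split_index=6):
    """Assign a /23 to each large department and a /25 to each small one.

    The /25s are carved from the /23 at `split_index` (172.20.12.0/23 by
    default). Returns {dept: IPv4Network}; raises ValueError when a department
    does not fit its subnet or a pool runs dry, so a bad plan fails early
    instead of silently producing a subnet that cannot hold its users.
    """
    slash23s = carve(block, 23)                 # eight /23s in a /20
    donor = slash23s[split_index]
    pool_big = [n for n in slash23s if n != donor]
    pool_small = carve(donor, 25)               # four /25s in the donor /23
    assignments = {}
    for pool, depts in ((pool_big, big_depts), (pool_small, small_depts)):
        for dept, users in depts.items():
            if not pool:
                raise ValueError(f"no subnet left for {dept}")
            net = pool.pop(0)
            if users > usable_hosts(net):
                raise ValueError(
                    f"{dept}: {users} users exceed {net} ({usable_hosts(net)} usable)")
            assignments[dept] = net
    return assignments


def overlaps(assignments):
    """True if any two assigned subnets overlap (a planning error to catch early)."""
    nets = list(assignments.values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    # Constructed sample: the two departments from the question plus made-up extras.
    big = {"Engineering": 490, "Sales": 300}
    small = {"Finance": 60, "HR": 45, "Legal": 20}
    result = plan(big, small)
    for dept, net in result.items():
        print(f"{dept:12s} {str(net):18s} usable={usable_hosts(net):3d} "
              f"gateway={net.network_address + 1} broadcast={net.broadcast_address}")
    print("overlapping subnets:", overlaps(result))
```

Running it prints one line per department with the subnet, its usable host count, the first address (a natural choice for the SVI gateway) and the broadcast address; a department of 600 users would raise a ValueError because no /23 holds more than 510 hosts, which matches Giuseppe's advice not to go above a /23.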

hasmurizal Wed, 07/01/2009 - 00:54

Hi,

I do agree with Giuseppe, because most of the time companies set up servers/systems at several places: either a full switch setup with one core switch, or multiple smaller routers as each department's gateway and one big core router/core switch for the main routing and switching.

My suggestion is to get a Cisco vendor that can tailor-make your company's needs. You only need to prepare your requirements list, and the company pays for it. Less headache...

Leo Laohoo Wed, 07/01/2009 - 15:10

Max,

There are three ways to complete a project: cheap, right and fast. CHOOSE TWO.

Firstly, you need someone to verify your network architecture. From the sound of your description, your first biggest hurdle will be to get 20 different heads together to talk about what they have, what they want, and what your project will achieve.

You'll undoubtedly come across a number of departments saying that they have a home-grown 286 machine that may require a 10Gb link (ha ha ha!).

Next, your budget. However much (laughable) it will be, you then need to choose the appropriate appliances: switches, routers, firewalls, etc.

Hope this helps.

Joseph W. Doherty Thu, 07/02/2009 - 10:52

Divide your physical subnets such that none is larger than a /25 or /24, and allocate those subnets, for each department, out of its own /20 address block. Assign a unique VLAN to each physical subnet.

You might also want to split dept. user subnets from dept. server subnets and common-resource subnets.

[edit]

With an L3 switch for routing, there is no real need to worry about placing logically related hosts in the same VLAN. Allocating physical subnets out of a dept. address block will ease defining ACLs, if needed, between logical groups (i.e. depts.).

So, for your dept. with 60 users vs. 490 users, both would be defined from their own /20 block for ACL purposes, but the 60 users would be in one /25 or /24 subnet and VLAN while the 490 would use several.
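Joseph's point that a per-department /20 block keeps the inter-department ACLs short, together with Giuseppe's suggestion of ACLs on the SVIs, as an added example (not code from the thread): the script hands each department its own /20, carves /24 user subnets from it, and generates the IOS-style SVI and named extended ACL text for the L3 switch. Because every subnet of a department lives inside its /20, the filter needs one deny line per other department rather than one per subnet, and restricting the source to the department's own block means the ACL's implicit deny also drops packets with spoofed source addresses from that VLAN. The base block 172.16.0.0/12, the common-services block, the VLAN numbers and the department names are all constructed for illustration; the generated text is standard IOS syntax but has not been taken from any device in the thread.

```python
import ipaddress

# Added example, not from the thread. Joseph's layout: one /20 per department,
# user subnets carved inside it, so ACLs reference the /20 summary.
BASE = ipaddress.ip_network("172.16.0.0/12")        # constructed campus supernet
COMMON = ipaddress.ip_network("172.31.0.0/24")      # constructed common-services block


def wildcard(net):
    """IOS ACLs take inverted (wildcard) masks: a /20 becomes 0.0.15.255."""
    return str(net.hostmask)


def dept_blocks(names, base=BASE):
    """One /20 per department, allocated in order from `base`."""
    pool = base.subnets(new_prefix=20)
    return {name: next(pool) for name in names}


def user_subnets(block, prefix=24):
    """The /24 (or /25) physical subnets inside a department's /20."""
    return list(block.subnets(new_prefix=prefix))


def build_acl(dept, blocks, common=COMMON):
    """Inbound ACL for every SVI of `dept`.

    Order matters in IOS (first match wins):
      1. permit traffic that stays inside the department's /20
      2. permit traffic to the common-services block
      3. deny traffic to every other department's /20
      4. permit anything else (e.g. Internet via the default route)
    The source is always the department's own /20, so a packet with a spoofed
    source from outside that block matches nothing and hits the implicit deny.
    """
    me = blocks[dept]
    src = f"{me.network_address} {wildcard(me)}"
    lines = [f"ip access-list extended {dept.upper()}-IN",
             f" permit ip {src} {me.network_address} {wildcard(me)}",
             f" permit ip {src} {common.network_address} {wildcard(common)}"]
    for other, net in blocks.items():
        if other != dept:
            lines.append(f" deny ip {src} {net.network_address} {wildcard(net)}")
    lines.append(f" permit ip {src} any")
    return lines


def svi_config(dept, vlan_id, subnet, acl_name):
    """SVI for one physical subnet; the first host address is the gateway."""
    return [f"interface Vlan{vlan_id}",
            f" description {dept} users {subnet}",
            f" ip address {subnet.network_address + 1} {subnet.netmask}",
            f" ip access-group {acl_name} in",
            " no shutdown"]


if __name__ == "__main__":
    blocks = dept_blocks(("eng", "fin", "hr"))
    for base_vlan, (dept, block) in zip(range(100, 400, 100), blocks.items()):
        # two /24 user subnets per department are enough to show the pattern
        for i, sub in enumerate(user_subnets(block)[:2]):
            print("\n".join(svi_config(dept, base_vlan + i, sub, f"{dept.upper()}-IN")))
            print("!")
        print("\n".join(build_acl(dept, blocks)))
        print("!")
```

The output is ready to paste into a lab switch for review; in practice you would add the server and common-resource subnets Joseph mentions as their own VLANs with their own ACLs, and tighten the final "permit ip ... any" to whatever egress the department actually needs.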
