
How to segment a private network 1

Status
Not open for further replies.

jimbob21

IS-IT--Management
Dec 28, 2009
23
US
Bear with me guys. I'm new to the game and appreciate all the help. I tried a quick search and didn't see anything by my keyword searches that related to my issue. If there is a post already, a link would be appreciated.

I'll get right down to it. Currently our office is a flat network. I'd like to segment it by building, floor, dynamic address. For example, I'm in building 3 on the 5th floor: 10.3.5.x

How can I get DHCP to lease addresses the way I described above, or am I missing something else? We have Win servers and CISCO routers and switches.

I'm all ears.
 
Set up VLANs and DHCP addresses by VLAN (a layer 3 switch would work best).
 
Addition to the original question.

If I create a VLAN - say 10.2.3.x - but I have a static IP printer (10.1.1.x) on that same switch, will those users on the VLAN have issues connecting to the printer if they are not on a Layer 3 switch? Will a router that is connected to the switch direct traffic accordingly?

I think what I have are layer 3 switches (CISCO Catalyst 2950s), but I'm not certain. Just trying to cover all the bases.
 
You guys have been a great help. I really appreciate it. I'm moving from phone administration to networking since a position opened up (which is where I wanted to start 5 years ago). I barely got to use anything I learned back in college about networking, so I feel like I'm backtracking and trying to play catch up. It would be great if I had a mentor to work with. Anyways...

I found the 2950s are only Layer 2. If I'm segmenting my network by floor, what would be the best way to configure the switch? Do I configure each port on the switch as VLAN X, or can I configure the router's port it's connected to for the desired VLAN that will be on that switch? Or can I make a one-time configuration change on the switch that will affect all ports?

With the above questions, my concern would still be about having a static IP'd printer.

What is the correct or considered best practice for what I'm trying to accomplish?

BTW - the reason this is being done now is we expanded drastically and we're starting to have bandwidth issues.

Thanks everyone.
 
As long as you have a router attached to the switch you will be OK. You can set up VLANs by floor, have printers on their own VLAN, and have your router route to them.
 
Just want to make sure I get this straight.

So what I think you're saying is that I could leave the printer ports on the default VLAN 1 and configure the other ports on the switch with their new VLANs to segment each floor? Which most likely means I'll have to configure each of the switches' ports separately. The router will handle the L3 transmissions.

If that's the case, no big deal. Just need to know how to allocate the appropriate amount of time for the project to my dept manager.

Does any configuration need to be added to the routers or will it handle the transmissions by how the switches are configured?

 
You may have to change the config on the router. You may have to add static routes to the appropriate VLANs.
 
First, ask yourself two questions:
- why do you need your printers on a separate VLAN?
- Why do you need your printers to have static addresses?

Static IP addresses on printers are an ugly and archaic practice that increases your work and your risk.
Printers should use DHCP the same as every other network device, which simplifies your IP address management - it's all managed in one place - the DHCP server - instead of on a manual spreadsheet on a server somewhere. If for some reason (e.g., a crappy application coded with an IP address reference) you need your printers to have specific IP addresses, you can give them that address by a reservation in the DHCP scope.

Secondly, it would be best-practice to design your network for multiple VLANs per floor, even if you aren't using them immediately:

- Pick a VLAN number for each location. Based on your above example, how about Building 3, Floor 5 is VLAN 35? Personally, I like the VLAN# to match the subnet#, e.g.
10.1.10.0 = VLAN10
10.1.35.0 = VLAN35
etc...

- Each edge switch should look like this example:
hostname SWITCH35
!
interface range FastEthernet0/1 - 47
 switchport mode access
 switchport access vlan 35
!
interface FastEthernet0/48
 description UPLINK TO CORE
 ! the 2950 trunks dot1q only and has no encapsulation command; the 3550 needs it
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,35
!
interface Vlan1
 ip address 10.1.1.35 255.255.255.0
!
! default-gateway is a global command, not an interface one
ip default-gateway 10.1.1.254

- The "Core" switch should have each interface mirroring the config of the remote port it links to - e.g. for the above switch (and assuming you don't have a layer-3 switch for the "core"):

hostname CORE_SWITCH
!
interface FastEthernet0/35
 description LINK TO SWITCH 35
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,35
!
interface FastEthernet0/1
 description UPLINK TO ROUTER
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan all
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
ip default-gateway 10.1.1.254

Finally, the router has a link to the core switch which reflects the core switch's uplink port:

hostname ROUTER
!
interface FastEthernet0/0
 no ip address
!
! sub-interface addresses follow the 10.1.x.0 = VLAN x plan above and are the
! 10.1.1.254 default gateway the switches point at
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.1.1.254 255.255.255.0
!
interface FastEthernet0/0.35
 encapsulation dot1Q 35
 ip address 10.1.35.254 255.255.255.0
 
That was an excellent post for sure.

Our printers are static due to applications that run critical jobs on our system. Wish I could get around that.

I had a similar plan as far as the VLAN arrangement.
10.building.floor-switch.node or 10.2.32.xx.
The reason is we have up 2-3 switches on each floor.
I also planned to match the VLAN to the IP addy. VLAN232

Do you agree this is a workable option?

As for our devices in place, they are all old and 95% are end of sale. They are (12-14) CISCO Catalyst 2950 48G, (4) 3550 12G's, and (4) CISCO 1720's. We are planning on updating all of them over the course of the next 3 years as either they fail or budget allows. Currently they are working just fine.

I feel like a bonehead for asking but how would one determine which is the core switch?
 
I wanted to add. Thanks to both. I'm learning a lot and appreciate it.
 
Another add on question that I just ran into.

My current subnet mask is 255.255.0.0

What are the negative effects of changing the subnet in DHCP from the above to 255.252.0.0, or even 255.0.0.0, to allow for the 2nd digit to denote the floor in the range I'm planning for: 10.0.0.1 - 10.3.255.254

Is it worth the effort? Or do you have a better suggestion using the previous information above?
 
The 2950s were an excellent switch. I never liked the 3500 much, but it does offer routing if required.

The "core" switch needs to accept all the uplinks from the floors. You need to identify all the uplinks and make a list of them, e.g.:
- 5x ethernet links and 22x multimode fibre links.
For these numbers I would suggest a stack consisting of
1x 3750G-24
2x 3750G-12S

Alternatively, you could use a bunch of your existing 3550s together with a big pile of media converters.

I like your VLAN/subnet plan, but when you started talking about subnet masks you went right off the rails - all I can say is HUH?HUH?
The subnet mask needs to *separate* your subnets that are on separate VLANs, not include them. I reckon the biggest subnet mask that would fit into your plan would be 255.255.248.0, but why complicate things? Just assign a C-class subnet at each switch and keep it all simple!
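A small Python model of the point just made, added here as an example that is not part of the thread: for each host it works out which destinations the host would treat as on-link (and ARP for directly) versus hand to its default gateway, under the masks mentioned in this thread. The host names and addresses are constructed and follow the 10.building.floorswitch.0 plan with one VLAN per switch; widening the mask makes a host try to reach machines on other VLANs directly, and those conversations simply fail.

```python
"""Model of why the subnet mask has to *separate* the per-VLAN subnets.

Added example, not from the thread. Host names and addresses are constructed
and follow the plan above (10.<building>.<floor><switch>.0, one VLAN per
switch, VLAN number = building*100 + floor*10 + switch).
"""
import ipaddress

# Constructed hosts: (name, VLAN, address). Each VLAN is its own layer-2 segment.
HOSTS = [
    ("pc-bldg2-floor3", 231, "10.2.31.20"),
    ("printer-bldg2-floor3", 231, "10.2.31.200"),
    ("pc-bldg2-floor4", 241, "10.2.41.30"),
    ("pc-bldg3-floor5", 351, "10.3.51.10"),
]


def treats_as_on_link(src, dst, mask):
    """A host ANDs its own address and the destination with its mask; if the
    network parts match it ARPs for dst directly instead of using the gateway."""
    net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
    return ipaddress.ip_address(dst) in net


def outcome(src_vlan, src, dst_vlan, dst, mask):
    """'direct' - on-link and really on the same VLAN: works.
    'routed' - sent to the gateway, which routes between VLANs: works.
    'broken' - host ARPs directly, but dst sits on another VLAN, so the ARP
               is never answered and the two never talk."""
    if treats_as_on_link(src, dst, mask):
        return "direct" if src_vlan == dst_vlan else "broken"
    return "routed"


def check_mask(mask):
    """Outcome for every ordered pair of hosts if DHCP hands out this mask."""
    return {
        (sn, dn): outcome(sv, sa, dv, da, mask)
        for sn, sv, sa in HOSTS
        for dn, dv, da in HOSTS
        if sn != dn
    }


def broken_pairs(mask):
    """Which pairs lose connectivity under this mask."""
    return sorted(pair for pair, res in check_mask(mask).items() if res == "broken")


def hosts_per_subnet(mask):
    """Size of the broadcast/ARP domain a client believes it is in."""
    return ipaddress.ip_network(f"10.0.0.0/{mask}").num_addresses - 2


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0", "255.252.0.0"):
        print(mask, hosts_per_subnet(mask), "hosts;", len(broken_pairs(mask)), "broken pairs")
        for pair in broken_pairs(mask):
            print("   ", *pair)
```

With 255.255.255.0 no pair is broken: same-switch hosts talk directly and everything else goes through the router. With 255.255.0.0 the floors of one building stop talking to each other, and with 255.252.0.0 every cross-VLAN pair is broken, while each client also believes it shares a broadcast domain with 262142 other hosts.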
 
I saw the HUH?HUH? and started cackling..

In the DHCP it's set to exclude outside specific ranges.
So when I tried to add a new inclusion for testing, it denied me because it was outside the current subnet range. So then I googled the error to determine what I could do to correct it for my plan. From what I read, I need to increase the subnet range.

 
You need to create one new scope for *each* VLAN.

so one scope each for
10.1.1.0 255.255.255.0
10.1.2.0 255.255.255.0
10.1.3.0 255.255.255.0
10.2.1.0 255.255.255.0
10.2.2.0 255.255.255.0
etc...

And to allow the DHCP requests from every VLAN to reach the DHCP server, you need to configure "IP Helper" on each VLAN interface on the router.
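Putting the switch/router config from the earlier post and the one-scope-per-VLAN plus IP helper advice here together, the following Python script is an added example (not from the thread and not Cisco's or Microsoft's tooling). It derives VLAN number, /24 subnet, gateway and management address for each edge switch from its building/floor/switch position, refuses duplicate VLANs or overlapping subnets, and prints the matching IOS snippets and the DHCP scope list. The DHCP server address 10.1.1.10, the switch naming, the management VLAN 1 on 10.1.1.0/24 and the .1-.200 lease pool are assumptions made for the example.

```python
"""Per-switch VLAN/subnet plan, matching IOS snippets and DHCP scope list.

Added example, not from the thread. Scheme: subnet 10.<building>.<floor><switch>.0/24,
VLAN = building*100 + floor*10 + switch (so 10.2.32.0/24 is VLAN 232), router
sub-interface at .254 as the gateway. DHCP server address, management VLAN 1
addressing and the lease pool size are assumptions.
"""
import ipaddress

DHCP_SERVER = "10.1.1.10"                        # assumed Windows DHCP server
MGMT_NET = ipaddress.ip_network("10.1.1.0/24")   # assumed management subnet on VLAN 1
MGMT_GW = "10.1.1.254"


def vlan_id(building, floor, switch):
    """VLAN number derived from location, e.g. building 2, floor 3, switch 2 -> 232."""
    return building * 100 + floor * 10 + switch


def subnet(building, floor, switch):
    """One /24 per edge switch: 10.<building>.<floor><switch>.0/24."""
    third = floor * 10 + switch
    if not (1 <= switch <= 9 and 0 <= third <= 255):
        raise ValueError("floor/switch combination does not fit in one octet")
    return ipaddress.ip_network(f"10.{building}.{third}.0/24")


def gateway(net):
    """Highest usable address (.254) is the router sub-interface / default gateway."""
    return str(net.broadcast_address - 1)


def build_plan(switches):
    """switches: list of (building, floor, switch). Returns one dict per switch and
    rejects duplicate VLANs, overlapping subnets and out-of-range VLAN IDs."""
    entries, seen_vlans, seen_nets = [], set(), []
    for idx, (b, f, s) in enumerate(switches, start=1):
        vid = vlan_id(b, f, s)
        if not 1 <= vid <= 4094:          # 802.1Q range; older switch images may allow fewer
            raise ValueError(f"VLAN {vid} out of range")
        if vid in seen_vlans:
            raise ValueError(f"duplicate VLAN {vid}")
        net = subnet(b, f, s)
        if any(net.overlaps(n) for n in seen_nets):
            raise ValueError(f"subnet {net} overlaps an earlier one")
        seen_vlans.add(vid)
        seen_nets.append(net)
        entries.append({
            "name": f"SW-B{b}-F{f}-{s}",
            "vlan": vid,
            "net": net,
            "gateway": gateway(net),
            "mgmt_ip": str(MGMT_NET.network_address + idx),   # 10.1.1.<n> on VLAN 1
        })
    return entries


def edge_switch_config(e, ports=48):
    """Access ports in the switch's VLAN, last port trunked to the core. dot1q only:
    the 2950 has no 'switchport trunk encapsulation' command, the 3550 needs it."""
    return "\n".join([
        f"hostname {e['name']}",
        f"vlan {e['vlan']}",
        f"interface range FastEthernet0/1 - {ports - 1}",
        " switchport mode access",
        f" switchport access vlan {e['vlan']}",
        f"interface FastEthernet0/{ports}",
        " description UPLINK TO CORE",
        " switchport mode trunk",
        f" switchport trunk allowed vlan 1,{e['vlan']}",
        "interface Vlan1",
        f" ip address {e['mgmt_ip']} {MGMT_NET.netmask}",
        f"ip default-gateway {MGMT_GW}",
    ])


def router_config(entries):
    """One dot1q sub-interface per VLAN; ip helper-address relays each VLAN's DHCP
    broadcasts to the central server so one server can serve every scope."""
    lines = ["interface FastEthernet0/0", " no ip address",
             "interface FastEthernet0/0.1", " encapsulation dot1Q 1 native",
             f" ip address {MGMT_GW} {MGMT_NET.netmask}"]
    for e in entries:
        lines += [f"interface FastEthernet0/0.{e['vlan']}",
                  f" encapsulation dot1Q {e['vlan']}",
                  f" ip address {e['gateway']} {e['net'].netmask}",
                  f" ip helper-address {DHCP_SERVER}"]
    return "\n".join(lines)


def dhcp_scopes(entries, pool_end=200):
    """One scope per VLAN: (network, mask, first lease, last lease, router option).
    A pool must lie inside its scope's subnet; .201-.253 is kept for printer
    reservations and .254 is the gateway."""
    return [(str(e["net"].network_address), str(e["net"].netmask),
             str(e["net"].network_address + 1), str(e["net"].network_address + pool_end),
             e["gateway"]) for e in entries]


if __name__ == "__main__":
    plan = build_plan([(2, 3, 1), (2, 3, 2), (3, 5, 1)])
    print(edge_switch_config(plan[1]))
    print(router_config(plan))
    for scope in dhcp_scopes(plan):
        print(scope)
```

Each scope's router option is the .254 sub-interface of its own VLAN, and because every VLAN uses the same /24 mask and the same .254 gateway, a mistake in one switch's config shows up immediately as an address that does not fit the pattern.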
 
Vince, you the man.

This may be too nitpicky but I'd rather know how to do it right from wrong.

Since what I'm using is 48 and 24 port switches and dividing the VLANs (like we discussed above) by switch, would you agree that using a subnet of 255.255.255.192 or .224 is better than using a .0? I'm thinking more for security purposes than anything. But really, what do I know.

What would the logical reason for doing something like that be? What could the drawbacks be?
 
Using tighter subnets is necessary if you are *limited* in the number of addresses you have to use.
(Or if you want to be amazingly anal and make it much harder for your boss to find a replacement for you ;)

As you are unlimited in the number of addresses to use, you can keep it simple, waste a few IP addresses, and it doesn't matter.
Using the same subnet size on every switch makes it *much* easier to manage:
- EVERY default gateway is 10.x.y.254 (or .1)
- EVERY subnet mask is 255.255.255.0

Each subnet, eg, 10.1.2.0, applies to just ONE switch, and no others, meaning each broadcast segment is limited to just that one switch.
 