How to Select Subnet Sizes for VLANs
VLANs and subnets are two technologies that simply can't be easily peeled apart. Obviously, they're different from one another, but the ways each one has for moving your network's bits around are intrinsically connected. Any time you're going through subnet design, a crucial early step is to align the subnet size with the VLAN.
What is a Subnet?
Quick definition: A subnet is, simply enough, a network inside a network. Slightly more technically, a subnet or "subnetwork" is a logical subdivision of an existing internet protocol (IP) network. Subnetting allows us to send network traffic to its destination through alternate routes, along shorter distances and without using unnecessary routers.
What is a VLAN?
Quick definition: A virtual LAN (VLAN) is a logical division of a computer network, a division that's partitioned and isolated in its network at the data link layer. With a VLAN, it's possible to combine physical devices (wired and wireless) from multiple networks and combine them so that they behave like one network — but actually they're connected by logic only.
When Does a Network Need VLANs and Subnets?
VLANs and subnets are instrumental to networks because they enable more efficient routing of traffic with more logical connections between network endpoints. When planning or developing a network, it's crucial that you determine a subnet sizing strategy for your VLANs.
To best visualize the approach to planning our subnet strategy, let's imagine a medium-sized company. A one-person office would probably not be a helpful comparison, and planning a campus-sized enterprise network would take a little more than we have time for in one post. So imagine a company that has a relatively mid-sized number of employees, with all the normal departments, and the technology you'd expect to see in a company of a couple dozen employees.
Now, when most people hear subnetting, they panic. To some, it seems like a scary concept. But whether you know subnetting cold, or you've just heard the word, we're going to provide the key to subnetting. With it, you'll be ready for 98% of scenarios you'll run into in the real world.
An Overview of How to Select Subnet Sizes for VLANs [VIDEO]
In this video, Jeremy Cioara covers how to determine the proper subnet size for VLANs. He begins by correlating VLANs with subnets, then discusses how to align these two concepts effectively. He'll walk you through how to design and implement Switch VLANs in real-world settings.
How do IP Addresses Turn into Subnets?
The key to unlocking subnet strategies is to remember that every IP address has two parts. The first part identifies which network the device with that address belongs to. The second part identifies the device itself on that network. What changes in all this is how long the first part is. You can't change how much data is contained in one IP address, but you can change how big the network ID is, and correspondingly, how big the device ID is.
Subnetting really means adjusting the bit boundary of the subnet mask that accompanies every IP address. Moving that boundary changes how many bits go to the network and how many go to the hosts, which lets you create custom-sized networks for your environment.
What are the Most Commonly Used Subnets?
Honestly, there are only five subnets you can expect to use all the time:
/22 (255.255.252.0) – 1,024 IPs / 1,022 usable – Large client subnet
/23 (255.255.254.0) – 512 IPs / 510 usable – Medium client subnet
/24 (255.255.255.0) – 256 IPs / 254 usable – Small client subnet
/29 (255.255.255.248) – 8 IPs / 6 usable – Redundant WAN uplinks
/30 (255.255.255.252) – 4 IPs / 2 usable – Point-to-point WAN uplinks
Let's start by examining the bottom two. They don't really relate to the VLAN situation we're exploring in this post, but they're still important to understand, since you do use them for VLANs that deal with wide-area networks (WANs).
What is the Most Common WAN Subnet?
The most common WAN subnet is a /30. In decimal, that's a subnet mask written 255.255.255.252. And applying that subnet to an IP network gives you increments of 4.
So if we were subnetting the 10.1.0 network, because it increments by 4, the ranges would look like this:
Now, every single one of those subnets has four IP addresses total. But only two of them are usable, because the first one is the network address and the last one is the broadcast address.
So, in the network 10.1.0.0-3, there are only two actually usable device addresses: 10.1.0.1 and 10.1.0.2. What would use that? Well, that's perfect if you have two routers connected together — imagine you set up your .1 router and connect it to .2: that's a point-to-point subnet.
How Does a /29 Subnet Get Used?
A /29 is similar to a /30, but rather than increments of 4 giving you two usable addresses, it increments in 8. In decimal, our /29 subnet mask has been changed to 255.255.255.248.
That means the ranges would look like this:
Remember that since the first and last addresses in each block are reserved for the network and broadcast addresses, a /29 subnet gives us six usable IP addresses in each block. That works really well in a redundant WAN environment.
Unlike the point-to-point we mentioned for a /30 subnet, you might have a situation where you have two routers on opposite sides, divided by a shared network. On one side of the shared network, imagine routers at .2 and .3. On the other side, imagine two routers at .5 and .6. What you often see in that environment is using a protocol called HSRP or VRRP to create a virtual IP address that connects the pairs of routers.
If we had .2 and .3 on one side, they receive a virtual IP address of .1. And on the other side of our shared network, we had .5 and .6, and they get connected by a virtual IP address of .4. Both pairs of routers respond to their own IP addresses as well as the shared address. Subnets like those are perfect for the six IP addresses that the /29 creates.
Often Used Subnets for Medium-sized Networks
But remember that at the start of this post, we wanted to explore a network environment for a medium-sized company. A 2-router or redundant WAN isn't what our network needs. We've got roughly 30 employees with all the "normal" departments we might expect to see. And they've got technology like computers, VOIP phones, WAPs, and servers.
We won't be using /29 or /30 subnets, at least not exclusively. Rather, in this hypothetical network environment maybe we have a router that's connected to multiple ISPs that feeds into our switch environment and is broken up into VLANs.
That's where the top three subnets in our earlier list come into play. The /24 is the most common subnet in the world. It's popular because it gives you 256 addresses, but don't forget that's only 254 usable addresses. A /24 subnet's ranges look like this:
The reason the /24 subnet is so popular is that it's really easy to use. Many people recognize and understand the 192.168 address.
/24 is also right-sized for a small business. If you're looking at about 30 employees, you can probably guess you won't be approaching 200 or so managed devices or IP phones. That said, even with only 30 employees, you should maybe get a little nervous using a /24 subnet for a guest or Bring-Your-Own-Device (BYOD) LAN.
That's because of the sheer number of devices that people bring in. On many BYOD networks, there are so many devices around the office that look for access to a guest network that a /24 can run out of room. In those cases, a /23 or /22 subnet may be more appropriate.
The decimal subnet mask for a /23 is 255.255.254.0. With it, you can get a single VLAN with 512 IP addresses. The decimal subnet mask for a /22 is 255.255.252.0 and that'll give you 1,024 IP addresses.
It's interesting to note that there was a time people thought both of those were just too big. Their thinking was that there would be so many broadcasts that processors wouldn't be able to keep up. But "there was a time" means about 20 years ago. Our processors have evolved a smidge since then. These days, there's no issue with keeping up with that magnitude and frequency of broadcasts in contemporary networks.
Using a subnet mask of /23 gives you an increment of 2 in the third octet. Let's take a look at the ranges that produces when we apply it again to our 10.1.0.0 network.
Note that it's a common mistake to think the network's range would be 10.1.0.0-10.1.1.0. But remember that the last IP address before we go up to 10.1.2.0 is 10.1.1.255. That's what gives you the 512 IP addresses: 10.1.0.0-10.1.0.255 plus 10.1.1.0-10.1.1.255, minus the network and broadcast addresses for the 510 usable.
And we see the same with the /22:
The /22 gives you a large subnet of 1,024 IP addresses because it covers three increments in the third octet beyond the starting one: 10.1.0.x through 10.1.3.x.
How to Select the Right Subnet Size for VLANs
Now that we've refreshed ourselves on the number of available IP addresses that a given subnet mask affords, let's take that knowledge and line it up with a hypothetical network's VLAN. We won't spend time in this post talking about which IP addresses we want to use. Look for that in a future post. Instead, we just want to determine what size of network we're going to use.
For our hypothetical network, let's imagine that there are five VLANs we want to establish: one for our printers and servers, one for our Voice over IP (VOIP) phones, one for our guest or BYOD network, one for the internal network, and last, a flex network.
We won't be using VLAN 1, as a security best practice. So, we'll start our network off at VLAN 10, the server and printer VLAN. This is the VLAN for anything with a static IP address: WAP management, switch management, router management, and server management all belong here. For our organization, this will be a /24. With 30 employees, if you've got more than 200-odd servers on a network, something has gone wrong!
Our Voice over IP VLAN will be VLAN 20, and we can make the same determination: /24. Because usually you'll have one phone per employee, at least for the people that stay in the office all the time. With 30 employees, there's no way we're going to approach 200 phones.
Now, VLAN 30 is the guest network, or the BYOD. Our best bet is to put a /22 on it. You may think that's overkill, but in the world of private IP addresses, you might be crazy not to. On the other hand, some of you might be wondering what happens if you have a larger network than one office. You might be worried about losing IP addresses because you can't reuse them.
But, in fact, BYOD devices or guest devices aren't allowed to use corporate network resources. While BYOD devices are on the VLAN, we may provide them internet access, but we block them from getting to the rest. So whatever subnet you use for the guest network, you can safely reuse it at every office that you have in this network environment.
For example, say you've got 1000 offices around the world. You can reuse that same /22 network on each one: because they'll never see each other. You'll never route that guest network across the worldwide net.
VLAN 40 is the network we're going to want to set up for internal network or managed device VLAN. And we're also going to put a /22 on it. This one might be surprising to you. You may think that with 30 employees, why bother throwing 1,022 usable IP addresses at them?
Well, part of the rationale behind that decision comes from knowing that in the end there will be a lot more than 1 managed device per user. Not only that, there are other network resources that end up in an internal or managed client VLAN.
But the biggest reason for choosing a /22 for the internal network is actually a fairly complicated one. It's not necessarily the number of devices in this case. Instead, it has to do with the scalability of our IP addressing and the subnetting & summarization that we've used when we've chosen the size of subnet to use for the office as a whole.
Like we said, that's a complicated topic. Don't feel bad if that doesn't make sense right away. Stay tuned for a future post on that very topic. Although we're not going to dive fully into enterprise IP addressing strategy, you should be equipped with at least the big picture concept to recognize what's going on broadly — because it's important to grasp.
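As an added example (not from the original post), here is the bit arithmetic behind the range tables above and the VLAN 10/20/30/40 sizes, in Python. The base network 10.1.0.0 is the post's own; the specific addresses the plan function produces are illustrative only, since the post leaves address selection to a later post.

```python
# Added example (not from the original post): the bit arithmetic behind the
# post's range tables, applied to its 10.1.0.0 network and its VLAN sizes.
# The addresses plan_vlans() produces here are illustrative only.

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask_from_prefix(prefix):
    """Dotted-decimal mask with the first `prefix` bits set: /29 -> 255.255.255.248."""
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def usable_hosts(prefix):
    """Block size minus network and broadcast: /30 -> 2, /29 -> 6, /24 -> 254."""
    return (1 << (32 - prefix)) - 2

def subnet_ranges(base, prefix, count):
    """First `count` /prefix blocks from `base` as
    (network, first_usable, last_usable, broadcast); 2**(32-prefix) is the increment."""
    size = 1 << (32 - prefix)
    start = ip_to_int(base) & ~(size - 1)            # align base to its own block
    ranges = []
    for i in range(count):
        net = start + i * size
        bcast = net + size - 1                       # last address of the block
        ranges.append((int_to_ip(net), int_to_ip(net + 1),
                       int_to_ip(bcast - 1), int_to_ip(bcast)))
    return ranges

def plan_vlans(base, plan):
    """Carve one subnet per (vlan, prefix) from `base`, in order, without overlap.
    Each is rounded up to its own block boundary, so a /22 placed after two /24s
    starts at 10.1.4.0 (a multiple of 4 in the third octet), not 10.1.2.0."""
    cursor = ip_to_int(base)
    result = {}
    for vlan, prefix in plan:
        size = 1 << (32 - prefix)
        cursor = (cursor + size - 1) & ~(size - 1)   # round up to alignment
        result[vlan] = f"{int_to_ip(cursor)}/{prefix}"
        cursor += size
    return result

if __name__ == "__main__":
    for p in (30, 29, 24, 23, 22):
        print(f"/{p} = {mask_from_prefix(p)}, {usable_hosts(p)} usable")
    print(plan_vlans("10.1.0.0", [(10, 24), (20, 24), (30, 22), (40, 22)]))
```

Running it prints the five masks with their usable counts and shows the two /22 VLANs landing on 10.1.4.0 and 10.1.8.0, with the gap between 10.1.2.0 and 10.1.3.255 left over because a /22 cannot start on an odd multiple of 2 in the third octet.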
The last VLAN we need to choose a subnet for is our flex VLAN: VLAN 50. Depending on your use case, and who you're setting the network up for, this might be for labs and clients, or a staging ground for setting up devices before deploying them on-site. Or you might need a flex network to keep some of your work separated from the rest of the network. And so the size of it we'll leave entirely up to you as a practice run.
That brings us to the end of the first step in determining subnetting strategies for your VLANs. Figuring out what size of subnet you'll need is crucial, because that decision feeds into the requirements of what subnet and IP addressing you'll end up needing. If you're struggling with subnetting, your best bet is to learn it from the ground up. And for that, look no further than CBT Nuggets' TCP/IP IPv4 training.