IP Addressing and
VLAN Numbering
A Secant Standards White Paper
Publication No.:100
Version: 11/28/11
About Standards
Secant is pleased to publicly release several key technology standards
for reference by our clients and their network engineers.
Over many years in business, Secant’s technical staff has worked to develop documents that we call “Secant Standards”. These are documents that
describe best practices for the design, configuration, deployment and
management of network technologies.
Secant Standards are the results of many years of real-world experience
and refinement. By employing these standards, organizations will benefit
from the combined experience of the many individuals that have
contributed to the standards over the years.
We welcome your feedback, suggestions and questions about these
standards documents at standards@secantcorp.com.
Secant Standards are frequently revised and updated. The latest versions
can be downloaded from www.secantcorp.com/standards.
Copyright © 2011 by Secant Technologies
This white paper may be reproduced and distributed for non-commercial purposes.
It must be reproduced in its entirety with this statement of copyright included.
IP Addressing and VLAN Numbering
Overview
This document provides a standard for the assignment of private IPv4 addresses and the numbering of
VLANs within an organization's network. This standard should be adhered to in all locations where the Secant
IP Addressing standard is already being used. For existing networks that do not currently use the Secant IP
Addressing standard, the existing IP addressing scheme should be evaluated to determine if the network can
be reconfigured to this standard. In most cases, reconfiguring the network to use the Secant standard is highly
recommended and can occur with relatively minimal downtime. In many cases the scheme can also be phased
in over time, depending on the existing IP addressing scheme and network configuration.
Background
History
The IP Addressing standard was originally created in 1999 during the installation of a new WAN for a local
school district. The existing standard is the result of over 12 years of continuous refinement with input from
many Secant engineers. This IP addressing standard is now used by hundreds of different organizations.
Goals
The goals of the IP Addressing and VLAN Numbering standard are the following.
• Provide a consistent methodology of assigning private IP addresses
• Provide scalability and consistency
• Reduce the likelihood of IP address conflicts
• Reduce the need to maintain detailed IP address and VLAN assignment documentation
• Improve the readability of network traffic and statistics by specifying ranges for device types
Base Standard
IP Address Ranges
This standard uses the 10.0.0.0/8 address block reserved for private IP addressing per RFC 1918. This is the
only class A private address range, which provides the most scalability for private IP addressing. Most
subnets in this standard use a class B, 16-bit mask, represented as subnet mask 255.255.0.0 or CIDR
notation /16. Other subnets in this standard use a class C, 24-bit mask, represented as subnet mask
255.255.255.0 or CIDR notation /24.
The Backus–Naur Form (BNF) general format of most IP addresses in this standard is:
<IP Address> ::= "10." <VLAN-LOCATION> "." <DEVICE-CODE> "." <NODE>
<VLAN-LOCATION> ::= 001 to 255
<DEVICE-CODE> ::= 001 to 254
<NODE> ::= 000 to 255
IP Addressing and VLAN Numbering ~ November 2011
This standard also uses the 172.16.0.0/24 address block reserved for private IP addressing per RFC 1918.
This subset of the class B private address range is dedicated to VPN clients using a class C, 24-bit mask,
represented as subnet mask 255.255.255.0 or CIDR notation /24.
The BNF general format of these IP addresses in this standard is:
<IP Address> ::= "172.16." <VLAN-LOCATION> "." <NODE>
<VLAN-LOCATION> ::= 001 to 255
<NODE> ::= 000 to 255
VLAN-LOCATION
VLAN-LOCATION codes, ranging from 1 to 255, are used to represent physical locations, VLANs, and subnets.
By convention the VLAN-LOCATION number in the IP address matches the layer 2 VLAN number wherever
VLANs are implemented. VLAN-LOCATION codes segment the network into smaller broadcast domains that
are dedicated to specific sites, functions, and traffic types.
Site VLAN-LOCATION Codes
Each physical site is assigned a base VLAN-LOCATION code which is also called the SITE-ID. The first site,
which is typically the main office of an organization, is assigned 10. Site codes are incremented either by 5 or
10 depending on how many sites must be supported by the organization. Incrementing by 5 allows for 48 sites
and incrementing by 10 allows for 24 sites. Incrementing by 10 is preferred whenever fewer than 25 sites are required.
At a physical site the network may be subnetted into several VLANs to reduce the number of hosts on a single
subnet or to segregate specific traffic types. Each subnet should be limited to approximately 250 hosts to limit
the amount of broadcast traffic on the subnet. In campus networks this is often accomplished by assigning a
VLAN-LOCATION code to each wiring closet.
Additional VLAN-LOCATION codes are formed by incrementing the base VLAN-LOCATION code for the site.
If physical locations are incremented by 10, then a total of 10 VLANs may be assigned per site. If incremented
by 5, then 5 VLANs may be assigned per site. Occasionally a very large site will require more than 10 VLANs.
These large sites should be assigned two adjacent ranges of VLAN-LOCATION codes, for example 10 to 29.
Example Location Code Assignments
The following table shows the VLANs for the first available range for a network that is incrementing each
location number by 10:
VLAN-LOCATION   Purpose             Notes
10              1st general VLAN    Base VLAN for site (also referred to as SITE-ID)
11              2nd general VLAN
12              3rd general VLAN
13              4th general VLAN
14              5th general VLAN
15              6th general VLAN
16              7th general VLAN
17              Facilities Traffic  Security cameras, access control, energy management
18              Wireless Traffic    Internal wireless network
19              VoIP Traffic        IP phones
The following table shows the VLANs for the first available range for a network that is incrementing each
location number by 5:
VLAN-LOCATION   Purpose             Notes
10              1st general VLAN    Base VLAN for site (also referred to as SITE-ID)
11              2nd general VLAN
12              Facilities Traffic  Security cameras, access control, energy management
13              Wireless Traffic    Internal wireless network
14              VoIP Traffic        IP phones
Function Subnets
The codes below are used to represent subnets reserved for functions rather than physical locations.
VLAN-LOCATION   Purpose                            Notes
001             Switch Management                  10.1.LOC.NODE/16
002             External Traffic                   Connection from core switch to firewall
003             Misc. Class C subnets              See Appendix section "Class C VLAN-LOCATION Codes"
004             unassigned
005             Virtual Desktops Class C subnets   See Appendix section "Class C VLAN-LOCATION Codes"
006             Servers                            Servers - 1st range
007             Servers                            Servers - 2nd range
008             Network Management                 ILO, UPS, Environmental, KVM, Console ports
009             Servers                            Server - 3rd range, core VoIP equipment
250             Ad-hoc networks
251             Reserved for future use
252             Reserved for future use
253             Point-to-multipoint WAN            10.253.DESTINATION-LOC.NODE/24
254             Point-to-point WAN                 10.254.DESTINATION-LOC.NODE/30
Device Codes
DEVICE-CODEs, ranging from 1 to 254, are assigned based on the type of device. Typically devices are
assigned a static IP address, either by direct configuration of the device or by using a DHCP reservation.
DEVICE-CODE   Definition                                      Notes
1 to 10       DHCP - Workstations, laptops, mobile devices    Supports 2,550 devices (10 x 255)
11 to 189     Unassigned
190 to 198    Workstations with firewall exceptions
199           Workstations - NATed
200           Technician Workstation/Laptop
201           Audio Visual - Control System
202           Audio Visual - Control Panels
203           Audio Visual - Flat Panel Display
204           Audio Visual - Projectors
205           Audio Visual - Amplifiers
206           Audio Visual - Mixers
207           Audio Visual - Switcher
208           Audio Visual - Audio Processor, DSP
209           Audio Visual - Video Equipment
210           Audio Visual - Digital Signage Player
211           Audio Visual - Reserved for future use
212           Audio Visual - Reserved for future use
213           Audio Visual - Streaming Video Encoder
214           Audio Visual - Streaming TV Player
215           Time card systems
216           Environment sensors                             Temperature, humidity, water, airflow
217           Fibre Channel Switch
218           iSCSI
219           SAN Storage Management
220           IP Clock                                        Clock Controllers .250 to .255
221           Access Control Systems and Security Alarms
222           IP KVM
223           Audio Visual Control Systems                    DEPRECATED - Move to 201
224           Audio Visual Equipment                          DEPRECATED - Move to 202-212
225           Network Management Console                      Network polling/monitoring system, SNMP trap target
226           IP Telephony and Paging                         Gateways, Fax devices, etc. Not phones
227           Energy management, building control
228           Web Camera, Distance Learning Equipment
229           Security Cameras and DVRs
230           Printers, Copiers, Scanners
231 to 238    Unassigned
239           IP Controlled devices
240           Servers - General
241           LOM in 240 server
242           Servers - Citrix/Terminal Services
243           LOM in 242 server
244           Servers - Site Specific
245           LOM in 244 server
246           Unassigned
247           Hypervisor - Management
248           Hypervisor - Migration (vMotion, etc.)
249           Hypervisor - Host LOM
250           UPS units, Managed power strips
251           Wireless Controllers
252           Switch - Layer 2
253           Wireless Access Points
254           Gateways (Router, firewall, layer 3 switch)
Node
NODE is in the range 1 to 255 and provides the final octet of the IP address. Typically the first device is
assigned 1 and next 2 and so on. Other strategies can be used and should be considered to organize NODE
addresses in meaningful ways where it makes sense. For example, a group of devices on the first floor of a
building might be placed in the 11-20 range, and the next group of devices on the second floor might be
placed in the 21-30 range, etc.
Additional Specifications
Class C VLAN-LOCATION Codes
The VLAN-LOCATION codes 3 and 5 are subnetted into 256 class C networks with a subnet mask of
255.255.255.0 or /24. This provides VLANs for special functions that do not require a larger class B range.
There are many situations where it is desirable to allocate a VLAN to a small number of hosts to improve
security or to segregate network traffic.
The BNF format of a Class C IP address is:
<Class C IP Address> ::= "10." <VLAN-LOCATION> "." <SUBNET-CODE> "." <NODE>
<VLAN-LOCATION> ::= 003 | 005
<SUBNET-CODE> ::= 000 to 254
<NODE> ::= 001 to 254
Note that device codes are not available in class C networks, but since these networks are typically used for a
single type of device they are less important. By convention the default gateway or router for any class C
network is assigned the NODE value of 254. For example the gateway address for the 10.3.1.0/24 subnet will
be 10.3.1.254.
Because VLAN-LOCATION codes 3 and 5 are subnetted into 256 ranges, the typical rule for assigning VLAN
numbers does not apply. VLAN numbers are instead based on a BASE-VLAN plus the SUBNET-CODE. The
BASE-VLAN for 3 is 300 and the BASE-VLAN for 5 is 600.
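The following decoder, added here as an example and not part of the white paper, applies the rules above to a single address: it splits 10.x.x.x addresses into VLAN-LOCATION, DEVICE-CODE and NODE, derives the SITE-ID from the site increment, applies the class C rule (codes 3 and 5, VLAN = BASE-VLAN + SUBNET-CODE, gateway at NODE 254), and recognises the switch management (10.1.x.x) and VPN client (172.16.x.x) formats. The DEVICE-CODE names are a subset of the standard's table, copied for illustration.

```python
import ipaddress

SITE_BASE = 10                            # the first site (main office) is assigned 10
CLASS_C_BASE_VLAN = {3: 300, 5: 600}      # VLAN number = BASE-VLAN + SUBNET-CODE

# Subset of the standard's DEVICE-CODE table: (low, high) -> definition.
DEVICE_CODES = [
    ((1, 10), "DHCP - Workstations, laptops, mobile devices"),
    ((200, 200), "Technician Workstation/Laptop"),
    ((221, 221), "Access Control Systems and Security Alarms"),
    ((229, 229), "Security Cameras and DVRs"),
    ((240, 240), "Servers - General"),
    ((250, 250), "UPS units, Managed power strips"),
    ((254, 254), "Gateways (Router, firewall, layer 3 switch)"),
]

def device_name(code):
    for (lo, hi), name in DEVICE_CODES:
        if lo <= code <= hi:
            return name
    return "Unassigned/unknown"

def max_sites(increment):
    """Site codes fit between 10 and 249: 24 sites incrementing by 10, 48 by 5."""
    return (250 - SITE_BASE) // increment

def site_id(vlan_location, increment=10):
    """Base VLAN-LOCATION (SITE-ID) of the site that owns a site VLAN."""
    if increment not in (5, 10) or not SITE_BASE <= vlan_location < 250:
        raise ValueError("not a site VLAN-LOCATION code")
    return SITE_BASE + (vlan_location - SITE_BASE) // increment * increment

def decode(addr, increment=10):
    """Split a 10.x.x.x or 172.16.x.x address into the standard's fields."""
    o = ipaddress.ip_address(addr).packed          # four octets as ints
    if o[0] == 10 and o[1] == 1:                   # switch management VLAN
        return {"kind": "switch management", "closet_vlan": o[2], "switch": o[3]}
    if o[0] == 10 and o[1] in CLASS_C_BASE_VLAN:   # class C codes 3 and 5
        return {"kind": "class C", "vlan_location": o[1], "subnet_code": o[2],
                "node": o[3], "vlan": CLASS_C_BASE_VLAN[o[1]] + o[2],
                "gateway": f"10.{o[1]}.{o[2]}.254"}   # gateway is NODE 254
    if o[0] == 10:
        info = {"kind": "class B", "vlan_location": o[1], "device_code": o[2],
                "node": o[3], "device": device_name(o[2])}
        if SITE_BASE <= o[1] < 250:                # site VLAN, not a function subnet
            info["site_id"] = site_id(o[1], increment)
        return info
    if o[0] == 172 and o[1] == 16:                 # VPN client pool 172.16.<SITE-ID>.0/24
        return {"kind": "vpn", "site_id": o[2], "node": o[3]}
    raise ValueError(f"{addr} is outside the standard's ranges")
```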
VLAN-LOCATION Code 3 Subnets
Subnet Allocation for VLAN-LOCATION Code 003
SUBNET-CODE Range   VLAN Range    Purpose              Notes
0 to 9              300 to 309    Private DMZ or NAC   10 subnets for DMZ or NAC
10 to 59            310 to 359    Public Wireless      50 subnets for public wireless networks
60 to 79            360 to 379    iSCSI                20 iSCSI subnets, Targets at 10.3.x.1 to 99, Initiators at 10.3.x.100 to 253
80 to 99            380 to 399    unassigned
100 to 119          400 to 419    Microsoft NLB        20 subnets for MS NLB, Virtual Service at 10.3.xxx.1
120 to 254          420 to 554    Unassigned
VLAN-LOCATION Code 5 Subnets
The VLAN-LOCATION code 5 has been defined to provide 255 class C networks for virtual desktops. This will
accommodate more than 64,000 virtual desktops.
Subnet Allocation for VLAN-LOCATION Code 005
SUBNET-CODE Range   VLAN Range    Purpose            Notes
0 to 255            600 to 859    Virtual desktops   255 subnets for virtual desktops
External VLAN Numbering
VLAN numbers from 900 to 999 are used for external VLANs that are not routed to internal VLANs. For
example, a common use is to provide a layer-2 tunnel through the network to carry external traffic to the
firewall's outside interface. The IP addresses on these VLANs are typically public IPs or IP address ranges
assigned by a third party.
External VLAN Numbers
VLAN-LOCATION   Purpose
900             Primary ISP connection
901 to 909      Secondary ISP connections
910 to 999      Connections to other entities
Switch Management IP Addresses
VLAN-LOCATION code 1 is reserved for network management. It is used to assign switch and other network
management IP addresses. This isolates the management interface of the device from other network traffic.
Network security can be further enhanced by configuring ACLs on the network's layer 3 routing devices to limit
access to the management VLAN.
The BNF format of a switch management IP address is:
<SWITCH-MANAGEMENT-IP> ::= "10.1." <VLAN-LOCATION> "." <SWITCH-NUMBER>
<VLAN-LOCATION> ::= general VLAN for wiring closet where switch is installed
<SWITCH-NUMBER> ::= 10 to 19 for first closet, 20 to 29 for second closet, etc.
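Because the standard puts management addresses in 10.1.0.0/16 and fixes the meaning of the other octets, a policy for who may reach the management VLAN can be checked directly from flow records. The script below is an added example, not from the white paper; the policy it encodes is an assumption (only the Network Management subnet, VLAN-LOCATION 8, and technician workstations, DEVICE-CODE 200 on a site VLAN, may reach management addresses), and the flow records are constructed sample data.

```python
import ipaddress

MGMT_VLAN = ipaddress.ip_network("10.1.0.0/16")    # VLAN-LOCATION 1, switch management
NET_MGMT = ipaddress.ip_network("10.8.0.0/16")     # VLAN-LOCATION 8, network management
TECH_DEVICE_CODE = 200                             # Technician Workstation/Laptop

def is_allowed_to_mgmt(src):
    """True if src may reach the management VLAN under the assumed policy."""
    ip = ipaddress.ip_address(src)
    if ip in NET_MGMT:
        return True
    o = ip.packed
    # Technician workstations live at 10.<site VLAN-LOCATION>.200.<NODE>;
    # site codes occupy 10 to 249, so class C and function subnets never match.
    return o[0] == 10 and 10 <= o[1] < 250 and o[2] == TECH_DEVICE_CODE

def audit_flows(flows):
    """Return (src, dst) pairs that reach the management VLAN outside the policy."""
    violations = []
    for src, dst in flows:
        if ipaddress.ip_address(dst) in MGMT_VLAN and not is_allowed_to_mgmt(src):
            violations.append((src, dst))
    return violations

# Constructed sample flows: (source, destination).
SAMPLE_FLOWS = [
    ("10.8.225.1", "10.1.10.1"),    # NMS (VLAN 8, DEVICE-CODE 225) polling a switch: allowed
    ("10.10.200.3", "10.1.10.2"),   # technician laptop at site 10: allowed
    ("10.10.1.57", "10.1.10.1"),    # DHCP workstation at site 10: violation
    ("172.16.10.20", "10.1.18.1"),  # VPN client reaching an AP management address: violation
    ("10.3.10.44", "10.1.251.1"),   # public wireless (VLAN 310) to wireless controller: violation
    ("10.10.1.57", "10.10.230.1"),  # workstation to printer: not management traffic, ignored
]

if __name__ == "__main__":
    for src, dst in audit_flows(SAMPLE_FLOWS):
        print(f"management VLAN access from {src} to {dst} is outside policy")
```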
VPN Client IP Addressing
Clients connecting to a network using a VPN connection are assigned an IP address from a pool defined in
the firewall. The private class B IP range 172.16.0.0/16 is used for this purpose. Each site specific VPN pool
is assigned a /24 (class C) subnet from this range. The use of this unique range makes VPN user traffic easily
distinguishable from internal network traffic during network analysis.
The BNF format of a VPN client IP address is:
<VPN-CLIENT-ADDRESS> ::= "172.16." <SITE-ID> "." <NODE>
<SITE-ID> ::= first VLAN number for site where firewall is installed
<NODE> ::= 000 to 255
Additional VPN Pools
Additional pools of VPN IP addresses may be assigned to a site by incrementing the SITE-ID. For example,
third-party contractors that VPN into site 10 may use the pool 172.16.11.0/24, where the base SITE-ID of 10
has been incremented to 11.
Sample Network Diagram
This network diagram illustrates the use of the IP Addressing and VLAN Numbering standard on a small
multisite network.
[Sample network diagram: three buildings joined by a point-to-point WAN (10.254.30.1/30 and 10.254.30.2/30), with a firewall (inside 10.2.254.2/16, outside to the ISP), VPN workstations in 172.16.10.X/24, a PSTN voice gateway (10.9.254.2/16) and a layer 3 switch at Building 1 that routes all VLANs at 10.X.254.1/16, where X is the VLAN ID. Representative addresses shown: switches 10.1.10.1/16, 10.1.10.2/16, 10.1.11.1/16 and 10.1.20.1/16; wireless APs 10.1.18.1/16 and 10.1.28.1/16; wireless controller 10.1.251.1/16; server 10.6.240.1/16 with ILO 10.8.241.1/16 and iSCSI 10.3.60.100/24; SAN 10.8.219.1/16 with iSCSI 10.3.60.1/24; hypervisor 10.8.247.1/16 with vMotion 10.8.248.1/16; call server 10.9.240.1/16; printers 10.10.230.1/16, 10.11.230.1/16, 10.20.230.1/16 and 10.30.230.1/16; IP cameras 10.17.229.1/16, 10.17.229.21/16, 10.27.229.1/16 and 10.37.229.1/16; access control systems 10.17.221.1/16 and 10.27.221.1/16; UPS units 10.17.250.1/16, 10.17.250.21/16 and 10.27.250.1/16; temperature sensor 10.17.216.1/16; guest wireless 10.3.10.X/24 and 10.3.20.X/24; workstations, WLAN and IP phones in the site data, wireless and VoIP VLANs (for example 10.10.X.X/16, 10.18.X.X/16 and 10.19.X.X/16).]

Building 1 VLAN Table
VLAN Name                  VLAN #
Management-VLAN            1
Pass-Thru-DMZ-VLAN         2
Server-VLAN                6
Server_Management-VLAN     8
Core_VOIP-VLAN             9
Bldg1_TC-A_Data-VLAN       10
Bldg1_TC-B_Data-VLAN       11
Bldg1_Facilities-VLAN      17
Bldg1_WLAN-VLAN            18
Bldg1_VOIP-VLAN            19

Building 2 VLAN Table
VLAN Name                  VLAN #
Bldg2_TC-A_Data-VLAN       20
Bldg2_Facilities-VLAN      27
Bldg2_WLAN-VLAN            28
Bldg2_VOIP-VLAN            29

Building 3 VLAN Table
VLAN Name                  VLAN #
Bldg3_TC-A_Data-VLAN       30
Bldg3_Facilities-VLAN      37
Bldg3_VOIP-VLAN            39

Diagram notes: "Nodes are incremented by 20 per closet for Facilities VLAN to organize nodes in groups and to allow up to 20 devices per closet." For Building 3: "Since VLAN 1 is not routed, management addresses are in Data VLAN" (the switch is 10.30.252.1/16 and the wireless AP 10.30.253.1/16).

Legend: general device, server, router/firewall, VLAN # (e.g. 10), trunk (T), wireless network, outside network, 100bT connection, 1000bT connection, wireless AP, wireless connection, IP phone, circuit connection.
6395 Technology Avenue
Kalamazoo, Michigan 49009
269-375-8996
800-875-4222
269-375-4222 fax
www.secantcorp.com
While every precaution has been taken to ensure accuracy and completeness in this literature, Secant Technologies assumes no responsibility, and disclaims all liability for damages resulting from use of this information or for any errors or omissions.
©2011 Secant Technologies. All rights reserved throughout the known universe. Specifications subject to change without notice.