How to segment a private network

Bear with me guys. I'm new to the game and appreciate all the help. I tried a quick search and didn't see anything by my keyword searches that related to my issue. If there is a post already, a link would be appreciated.

I'll get right down to it. Currently our office is a flat network. I'd like to segment it by building, floor, dynamic address. For example, I'm in building 3 on the 5th floor: 10.3.5.x

How can I get DHCP to lease addresses the way I described above, or am I missing something else? We have Win servers and CISCO routers and switches.

I'm all ears.

RE: How to segment a private network

set up vlans and dhcp addresses by vlan (layer 3 switch would work best)

RE: How to segment a private network

Addition to the original question.

If I create a VLAN - say 10.2.3.x but I have a static IP printer (10.1.1.x) on that same switch will those users on the VLAN have issues connecting to the printer if they are not on a Layer 3 switch? Will a router that is connected to the switch direct traffic accordingly?

I think what I have are layer3 switches (CISCO Catalyst 2950's) but I'm not certain. Just trying to cover all the bases.

RE: How to segment a private network

you will not have an issue with the way you described

RE: How to segment a private network

You guys have been a great help. I really appreciate it. I'm moving from phone administration to networking since a position opened up (which is where I wanted to start 5 years ago). I barely got to use anything I learned back in college about networking so I feel like I'm backtracking and trying to play catch up. It would be great if I had a mentor to work with. Anyways...

I found the 2950's are only Layer 2. If I'm segmenting my network by floor... what would be the best way to configure the switch? Do I configure each port on the switch as VLANX, or can I configure the router's port it's connected to for the desired VLAN that will be on that switch? Or can I make a one-time configuration change on the switch that will affect all ports?

With the above questions my concern would still be about having a static IP'd printer.  

What is the correct or considered best practice for what I'm trying to accomplish?

BTW - the reason this is being done now is we expanded drastically and we're starting to have bandwidth issues.

Thanks everyone.

RE: How to segment a private network

as long as you have a router attached to the switch you will be OK.  you can set up vlans by floor and have printers on their own vlan and have your router route to them

RE: How to segment a private network

Just want to make sure I get this straight.

So what I think you're saying is that I could leave the printer ports on the default VLAN1 and configure the other ports on the switch with their new VLANs to segment each floor? Which most likely means I'll have to configure each of the switch's ports separately. The router will handle the L3 transmissions.

Which if that's the case, no big deal. Just need to know how to allocate the appropriate amount of time for the project to my dept manager.

Does any configuration need to be added to the routers or will it handle the transmissions by how the switches are configured?


RE: How to segment a private network

you may have to change the config on the router.  you may have to add static routes to appropriate vlans

RE: How to segment a private network

First, ask yourself two questions:
 - why do you need your printers on a separate VLAN?
 - Why do you need your printers to have static addresses?
Static IP addresses on printers are an ugly and archaic practice that increases your work and your risk.
Printers should use DHCP same as every other network device, which simplifies your IP address management - it's all managed in one place - the DHCP server - instead of on a manual spreadsheet on a server somewhere. If for some reason (eg, a crappy application coded with an IP address reference) you need your printers to have specific IP addresses you can give them that address by a reservation in the DHCP scope.
Secondly, it would be best-practice to design your network for multiple VLANs per floor, even if you aren't using them immediately:
 - Pick a VLAN number for each location. Based on your above example, how about Building 3, Floor 5 is VLAN35? Personally, I like the VLAN# to match the subnet#, eg = VLAN10 = VLAN35
 - Each edge switch should look like this example:
hostname SWITCH35
   interface range FastEthernet0/1 - 47
      switchport mode access
      switchport access vlan 35
   interface FastEthernet0/48
      switchport trunk encapsulation dot1q
      switchport mode trunk
      switchport trunk allowed vlan 1,35
   interface Vlan1
      ip address
   ip default-gateway
 - The "Core" switch should have each interface mirroring the config of the remote port they link to - eg for the above switch (and assuming you don't have a layer-3 switch for the "core"):
   interface FastEthernet0/35
      switchport trunk encapsulation dot1q
      switchport mode trunk
      switchport trunk allowed vlan 1,35
   interface FastEthernet0/1
      switchport trunk encapsulation dot1q
      switchport mode trunk
      switchport trunk allowed vlan all
   interface Vlan1
      ip address
   ip default-gateway
Finally, the router has a link to the core switch which reflects the core switch's uplink port:
hostname ROUTER
   interface FastEthernet0/0
      no ip address
   interface FastEthernet0/0.1
      encapsulation dot1q 1 native
      ip address
   interface FastEthernet0/0.35
      encapsulation dot1q 35
      ip address

RE: How to segment a private network

That was excellent post for sure.

Our printers are static due to applications that run critical jobs on our system. Wish I could get around that.

I had a similar plan as far as the VLAN arrangement.
10.building.floor-switch.node or 10.2.32.xx.
The reason is we have up 2-3 switches on each floor.
I also planned to match the VLAN to the IP addy. VLAN232

Do you agree this is a workable option?

As for our devices in place, they are all old and 95% are end of sale. They are (12-14) CISCO Catalyst 2950 48G, (4) 3550 12G's, and (4) CISCO 1720's. We are planning over the course of the next 3 years to update all of them as either they fail or budget allows. Currently they are working just fine.

I feel like a bonehead for asking but how would one determine which is the core switch?

RE: How to segment a private network

I wanted to add. Thanks to both. I'm learning a lot and appreciate it.

RE: How to segment a private network

Another add on question that I just ran into.
My current subnet mask is

What are the negative effects of changing in the DHCP the subnet from the above to or even to allow for the 2nd digit to denote the floor in the range I'm planning for. -

Is it worth the effort? Or do you have a better suggestion using the previous information above?

RE: How to segment a private network

The 2950s were an excellent switch. I never liked the 3500 much, but it does offer routing if required.
The "core" switch needs to accept all the uplinks from the floors. You need to identify all the uplinks and make a list of them, eg:
 - 5x ethernet links and 22x multimode fibre links.
For these numbers I would suggest a stack consisting of
1x 3750G-24
2x 3750G-12S
Alternatively, you could use a bunch of your existing 3550s together with a big pile of media converters.
I like your VLAN/subnet plan, but when you started talking about subnet masks you went right off the rails - all I can say is HUH?HUH?
The subnet mask needs to *separate* your subnets that are on separate VLANs, not include them. I reckon the biggest subnet mask that would fit into your plan would be, but why complicate things? Just assign a C-class subnet at each switch and keep it all simple!

RE: How to segment a private network

I saw the HUH?HUH? and started cackling..

In the DHCP it's set to exclude outside specific ranges.
So when I tried to add a new inclusion for testing it denied me because it was outside the current subnet range. So then I googled the error to determine what I could do to correct it for my plan. From what I read I need to increase the subnet range.


RE: How to segment a private network

You need to create one new scope for *each* VLAN.
so one scope each for

And to allow the DHCP requests from every VLAN to reach the DHCP server, you need to configure "IP Helper" on each VLAN interface on the router.

RE: How to segment a private network

Vince, you the man.

This may be too nitpicky but I'd rather know how to do it right from wrong.

Since what I'm using is 48 and 24 port switches and dividing the VLANs (like we discussed above) by switch, would you agree that using a subnet of or .224 is better than using a .0? I'm thinking more for security purposes than anything. But really, what do I know.

What would the logical reason for doing something like that be? What could the drawbacks be?

RE: How to segment a private network

Using tighter subnets is necessary if you are *limited* in the number of addresses you have to use.
(Or if you want to be amazingly anal and make it much harder for your boss to find a replacement for you ;)
As you are unlimited in the number of addresses to use, you can keep it simple, waste a few IP addresses, and it doesn't matter.
Using the same subnet size on every switch makes it *much* easier to manage:
 - EVERY default gateway is 10.x.y.254 (or .1)
 - EVERY subnet mask is
Each subnet, eg,, applies to just ONE switch, and no others, meaning each broadcast segment is limited to just that one switch.
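As an added example (not code from any poster in this thread), the plan discussed above turned into a per-VLAN DHCP scope list and router sub-interfaces with ip helper-address, plus two checks the last two posts raise: whether a tighter mask such as .224 (/27) leaves enough addresses for a 48-port switch, and whether a given mask keeps each floor's subnet separate rather than overlapping. The DHCP server address 10.1.1.10 and the /24 default are assumptions.

```python
import ipaddress

# Added example of the thread's scheme: VLAN = building and floor digits,
# subnet 10.<building>.<floor>.0, one DHCP scope per VLAN, helper per VLAN.
DHCP_SERVER = "10.1.1.10"      # constructed placeholder, not from the thread
PORTS_PER_SWITCH = 48          # the 2950-48 edge switches from the thread

def vlan_for(building, floor):
    # VLAN35 for building 3 floor 5, VLAN232 for 10.2.32.x, as in the thread
    return int(f"{building}{floor}")

def subnet_for(building, floor, prefix=24):
    # strict=False so a too-wide mask (e.g. /16) still builds, to show overlap
    return ipaddress.ip_network(f"10.{building}.{floor}.0/{prefix}", strict=False)

def usable_hosts(net):
    return net.num_addresses - 2          # drop network and broadcast

def fits_switch(net, ports=PORTS_PER_SWITCH):
    # the gateway takes one host address; every switch port needs another
    return usable_hosts(net) - 1 >= ports

def separated(locations, prefix=24):
    # the mask must keep each floor in its own subnet: no two may overlap
    nets = [subnet_for(b, f, prefix) for b, f in locations]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def plan(locations, prefix=24):
    """One DHCP scope and one router sub-interface per (building, floor)."""
    rows = []
    for b, f in locations:
        net = subnet_for(b, f, prefix)
        hosts = list(net.hosts())
        rows.append({"vlan": vlan_for(b, f), "network": str(net),
                     "gateway": str(hosts[-1]),                 # .254 on a /24
                     "scope": (str(hosts[0]), str(hosts[-2])),  # excludes gateway
                     "helper": DHCP_SERVER})
    return rows

def router_config(rows, iface="FastEthernet0/0"):
    """Render dot1q sub-interfaces with ip helper-address for each VLAN."""
    lines = []
    for r in rows:
        mask = ipaddress.ip_network(r["network"]).netmask
        lines += [f"interface {iface}.{r['vlan']}",
                  f" encapsulation dot1Q {r['vlan']}",
                  f" ip address {r['gateway']} {mask}",
                  f" ip helper-address {r['helper']}"]
    return "\n".join(lines)
```

Calling `router_config(plan([(3, 5), (3, 6)]))` prints the two sub-interfaces; `fits_switch(subnet_for(3, 5, 27))` returns False because a /27 leaves only 30 usable addresses for a 48-port switch.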
