VLAN-Subnets 1:1?

Question

I often hear people saying that each VLAN is a subnet (or is associated with a subnet) but is that really true? Assume I have 10 big offices. I will have a subnet for each office but only 2 VLANs grouping some computers, e.g. finance workers to be separated. Is that correct or I really should have subnets and VLANs in 1:1?

Every subnet should have its own vlan, assuming the subnet is connected to an ethernet switch — Mike Pennington, Apr 28 '14 at 16:00
Often it is said that VLAN can contain more than one subnet (http://networkengineering.stackexchange.com/questions/1029/difference-between-subnet-and-vlan) or that VLAN can span across multiple subnets (e.g. group by MAC). Which is would I would do in the example I mentioned. — Pietros, Apr 28 '14 at 16:03
@MikePennington The problem I have is that some (Cisco forum) say it is not possible for two hosts to be on different subnets and same VLANs. However in books I read otherwise. — Pietros, Apr 28 '14 at 16:09
In most cases, there is no good reason to put multiple subnets in one vlan; just because you can doesn't mean you should — Mike Pennington, Apr 28 '14 at 16:14
@MikePennington Ok, that answers something, thank you. And what about the statement that VLAN cannot be set over multiple subnets? I see contradictions here. — Pietros, Apr 28 '14 at 16:15
https://learningnetwork.cisco.com/thread/34441 Response no.8. — Pietros, Apr 28 '14 at 16:20
The quote you're referencing assumes no gateway for each subnet in that same vlan. If you provide routed gateways for each subnet in the vlan, it is possible. This is commonly called a "router on a stick" topology — Mike Pennington, Apr 28 '14 at 16:25
@MikePennington I wonder why you do not put that as an answer? It does answer the question. Thank you — Pietros, Apr 28 '14 at 16:27
Answers are more work than comments... If nobody else answers, I will post an answer after work. — Mike Pennington, Apr 28 '14 at 16:32
"Assume I have 10 big offices. I will have a subnet for each office but only 2 VLANs grouping some computers, e.g. finance workers to be separated.". Why do you want to create subnet for each office and then grouping users using 2 VLAN? Are you by any chance talking about trunking, not actually VLAN? Because somehow, I can't see the point of creating subnet for each office and then you group users to only 2 VLAN. What actually do you want to achieve that created this question? — Ron Vince, Apr 28 '14 at 16:38
@Ron Vince: just to separate the network to smaller chunks. VLANs would be for specific users sitting in various offices. I do not even know if that is possible as there is just one main router and then switches in each floor and each office. I just started learning this.. — Pietros, Apr 28 '14 at 16:53
As expected. This is actually about trunking. Trunking requires router-on-stick to be configured on the router's interface connected to switch, if the switches do not support L3. You can read about trunking for more details. In short, trunking (or trunk link) is using 1 physical link for many virtual links, of course one virtual link per VLAN. — Ron Vince, Apr 28 '14 at 17:05
Don't worry. What you imagine can be solved by using VLAN, trunking and router-on-stick. Anyway, router-on-stick is only needed when you have no L3 switch. Router-on-stick is to teach you the concept of a VLAN as a broadcast domain and it requires L3/routing device to communicate between different broadcast domain. Broadcast domain=subnet. In real life, L3 switch has become cheap that it is not worth it to use router-on-stick due to performance. — Ron Vince, Apr 28 '14 at 17:33
@MikePennington, there are cases for using multiple subnets per VLAN. One site I have been at recently issues PI IP addresses directly to user workstations. Leaving aside the NAT/PI discussion, in this environment, they use a second non-routable subnet in each VLAN for printers, copiers and other devices that may be discoverable on the local VLAN but don't require the use of a "real" IP address. — YLearn, Apr 28 '14 at 21:14
@ylearn I did qualify my one subnet per vlan statement with "in most cases" — Mike Pennington, Apr 28 '14 at 21:16
Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. — Ron Maupin, Jan 04 '21 at 23:02

score 6 · Answer 1 · answered Apr 28 '14 at 20:11

There is generally a 1:1 mapping between subnets and VLANs because there isn't a very good reason not to. You could have a big network with 1 VLAN, but why have a huge broadcast domain where all hosts see every broadcast when you can just separate each subnet with a VLAN? It's a waste of resources.

Subnets/VLANs are, more often than not, focused around similar uses (i.e. printer VLANs, workstation VLANs, etc.) and allowing for a single entry/exit point makes policy much easier to enforce on the VLAN/subnet as a whole. There are also security implications that sprout up in shared layer 2 domains, so you would stand to benefit from segmenting traffic as much as possible.

And there are other Layer-3 protocols besides IP. (even v4 vs v6) There are places in the world where IPX still exists. (and appletalk and DECnet for that matter, but I'd say those are *very* rare, indeed.) — Ricky, Apr 28 '14 at 21:59

score 1 · Answer 2 · answered Jul 03 '15 at 14:19

Technically there is not a direct link between VLAN and Subnet.

"Assume I have 10 big offices."

I think this may be the confusion.

When you have offices connected with routers, the traffic flows through a L3 device.

Two network's on different sides of a L3 device is on different VLAN's(Physical) networks.

They may have the same vlan ID but they are not the same vlan.

If this was not the case every vlan in every company in the world would be the same vlan if they had the same vlan ID.

VLAN-Subnets 1:1?

2 Answers2

Technically there is not a direct link between VLAN and Subnet.

Linked

Related