Best practice on Network/Subnet configurations for multiple sites

  • Question
  • Updated 4 years ago
  • Answered
I'm getting ready to stand up my second branch office to join to my hive, and I realized I am not utilizing the HiveManager as I should be. What I mean is, for my first site I configured the management network for 2 branches (1 for the branch and 1 for HQ where the VPN appliance is). I then configured a /24 subnet for Voice traffic, and a separate set for client devices. Now that I want to add a new site, I could create a new network policy and create new subnets for each of the services there, but this seems like I am creating more work for myself.

As I understand it, Aerohive has designed the system so that I can create a parent scope of IP addresses based on the number of branches I have, and then have those subnets/IPs provisioned automatically based on the location of the equipment (or tags that I set).

What I am looking for is a best practices design on the overall network architecture for a multiple branch site deployment.

My thinking was that for the management network I would create a /21 network for 8 branches. So each site I stand up will have a single /24 subnet for management devices. Beyond that is where I get a little confused from a traditional networking perspective. First of all, regardless of the subnet, if I am using the same network policy for all 8 sites, then the Management VLAN would be the same for all 8 sites? From a networking administration perspective I don't really like this, since the VLAN will not match the subnet on subsequent sites (ex: Management VLAN is 112, the first site's management subnet is 192.168.112.0, the second site's is .113, and so on). Is there a way to have multiple management VLANs pointing to the same network configuration but that will apply to the matching subnet?

Now when I get into the internal-use subnets this complicates things even further. I am not sure if I should create a single scope in HMOL (/20 for example) for 8 sites, where each site could be further subnetted by a L3 device (4x /24s) so I could separate services by subnet (voice, client, hosts, etc.). Or, if I want to have multiple subnets per site for varying services, should I create a network object for each service with a /24 subnet (rather than using another L3 device)? If I want that network object to span across multiple sites, then I would configure it the same as the management network, with progressive subnets at each site. Then you get into the same issue as above with a single VLAN for multiple subnets and sites.

I hope what I am looking to do is making sense. I want to reduce the amount of management required to stand up each site, but allow the sites to have their own sets of VLANs and multiple subnets for different services and environments within the sites.

Adam Dimopoulos


Posted 4 years ago


Travis Kaufman, Champ

We created a /21 for Management, then a /16 and sub-allocated /24 subnets for each Data VLAN at each remote site. Then the same for Voice.

So Data was 172.17.0.0/16 (Site A gets 172.17.1.0/24, Site B gets 172.17.2.0/24, etc.)
On the Voice VLAN we created QOS as well.

Helps when we deploy a new site; it takes about 15 mins to configure.

Adam Dimopoulos

So it sounds like you went the route of creating a network object for each service. So then is it a single VLAN per service for all sites? Just something I would have to get used to, but it makes sense I suppose. So it would look like this, for example:

VLAN 120 = Data
Site1 data subnet = .121 (VLAN 120 from Aerohive Network Policy and on local switch)
Site2 data subnet = .122 (VLAN 120 from Aerohive Network Policy and on local switch)
Site3 data subnet = .123 (VLAN 120 from Aerohive Network Policy and on local switch)

VLAN 130 = Voice
Site1 voice subnet = .131 (VLAN 130 from Aerohive Network Policy and on local switch)
Site2 voice subnet = .132 (VLAN 130 from Aerohive Network Policy and on local switch)
Site3 voice subnet = .133 (VLAN 130 from Aerohive Network Policy and on local switch)

Travis Kaufman, Champ

You can go that route, but we use VLAN 1 for MGT, 10 for Data, 15 for Voice at each site. Once you push that to the new Router, it takes the next available subnet for each VLAN and puts it on that router. If you want a certain subnet for that router, you have to create a Device Tag for that Subnet, etc.
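The addressing scheme discussed in this thread (one parent scope per service, each site taking the next free /24, a pinned subnet standing in for the Device Tag case) can be planned and sanity-checked offline before anything is pushed. The script below is an added example written for this page, not HiveManager or Aerohive code; the VLAN IDs and the Management and Data scopes are the ones quoted above, while the Voice scope is assumed.

```python
"""Carve one parent scope per service into per-site /24s and check the
plan for overlaps before it is pushed (constructed example, not
HiveManager code)."""
import ipaddress

# One VLAN and one parent scope per service. VLAN IDs and the Management
# and Data scopes come from the thread; the Voice scope is assumed.
SCOPES = {
    "Management": (1, "192.168.112.0/21"),  # 8 x /24, one per branch
    "Data": (10, "172.17.0.0/16"),
    "Voice": (15, "172.18.0.0/16"),
}


def allocate(scopes, sites, pinned=None, prefix=24):
    """Return {site: {service: (vlan, network)}}.

    Each site takes the next free /prefix of each scope in order, unless
    pinned[(site, service)] names a specific subnet (the Device Tag case
    in the thread). A pinned subnet must lie inside its service's scope."""
    pinned = pinned or {}
    plan = {site: {} for site in sites}
    for service, (vlan, scope) in scopes.items():
        scope_net = ipaddress.ip_network(scope)
        reserved = set()  # exact /prefix matches only; see find_overlaps
        for (site, svc), subnet in pinned.items():
            if svc == service:
                net = ipaddress.ip_network(subnet)
                if not net.subnet_of(scope_net):
                    raise ValueError(f"{net} is outside {service} scope {scope_net}")
                reserved.add(net)
        free = (n for n in scope_net.subnets(new_prefix=prefix) if n not in reserved)
        for site in sites:
            net = pinned.get((site, service))
            net = ipaddress.ip_network(net) if net else next(free, None)
            if net is None:
                raise ValueError(f"{service} scope {scope_net} exhausted at {site}")
            plan[site][service] = (vlan, net)
    return plan


def find_overlaps(plan):
    """Return pairs of (site, service) whose subnets overlap. Two sites
    claiming the same addresses across the VPN is a routing and policy
    fault, so a plan with any overlap should not be pushed."""
    entries = [(site, svc, net) for site, svcs in plan.items()
               for svc, (_, net) in svcs.items()]
    return [((s1, v1), (s2, v2))
            for i, (s1, v1, n1) in enumerate(entries)
            for s2, v2, n2 in entries[i + 1:] if n1.overlaps(n2)]
```

Running it over more branches than the /21 holds, or with a pinned subnet that lands inside another site's /24, surfaces the problem at planning time rather than after the router has been pushed.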