What is your go-to addressing scheme for your installs, particularly those with vlans?

I’m wondering when you do a new install, what addressing scheme do you prefer, and most importantly, why?

I have heard(I’m pretty sure in Tom’s vids) that it’s generally not a great idea to stick with the or schemes - I just don’t understand why. Another popular one is 10.1.x.

Anything wrong with:

VLAN10 =
VLAN20 =

and so forth?

The main consideration is whether you need to connect multiple sites, in which case it’s probably easier for them to use different address ranges.
Otherwise the method you have noted is probably widely used.

I personally do weird numbers like 10.10.53.x, only because sometimes we connect multiple sites OR to a service that has a standard IP range that can’t be changed. One of the cloud platforms we use is 10.10.10.x, so I try to avoid standard ones to save myself time in the long run.
I often put corporate networks on 10. ranges, and guest networks on 192 ranges, for no particular reason, just preference.

The reason why you avoid using 192.168.[0,1].x is because nearly every single network device on the planet that has a static address is in one of those two ranges. This means that most routers are 0.1 or 0.254 / 1.1 1.254. So if you are connecting a remote worker to the office via a VPN you need to be using a different range so that the client device knows where to route the packets. If the local network and remote are both 192.168.1.x then routing doesn’t work.

That said… there are some devices that use 172.16.0.x and 10.0.0.x as well so I always tend to avoid the low numbers.

For a “normal” office (for me that’s < 50 employees) I would block off 16 /24 subnets per physical site and setup a vlan on each of the 16. Document this… then when you add a new site to the same customer you can use the next 16 in the list. So using (kinda) my company for example I have;

QCT Networks

  • - - My home address
  • - - My Office
  • - - Amazon Cloud
  • - - Second office

Then under "My Office"

  • 172.16.16.x/24 - Main LAN
  • 172.16.17.x/24 - Printers
  • 172.16.18.x/24 - Guest Wifi
  • 172.16.19.x/24 - CCTV
  • 172.16.20.x/24 - IoT crap
  • 172.16.30.x/24 - WAN2
  • 172.16.31.x/24 - WAN1

255 address per vlan is more than enough for me but if I needed to I could allocate two (or more) adjacent blocks within the site’s allowance and change the subnet mask. For example when I work on events we often need to account for 10K + devices so the above scheme does not quite work!. This does also mean that the printers vlan/subnet with 1 IP used by the router and 2 IP’s used by printers is a bit of overkill but it keeps things simple. Similarly, there is only 1 of the 16 subnets being used in the AWS block which is a bit of overkill but should I need them, they are there.

Once I’ve got my subnets mapped out I allocate vlan’s. This is another place that ignoring 0 and 1 come in handy… vlan0 is invalid, vlan1 is the default and you don’t want to use that for anything. Using slightly higher numbers means you can just use the “subnet bit” of the address as the vlan ID. so 172.16.18.x is on vlan 18, again, keeps things simple and easy to remember without needing to look stuff up.

Also, make sure that YOUR office is not using the same range as a customer as you will almost certanly want to VPN to a customer at some point and access services on the other end. I also VLAN my WAN at the end of the range so I know where they are and if I need to give a device direct access to the router / internet I can without too much hassle.


Also, don’t conflate subnets and vlans… they are different things. If it often the case that you would only have one subnet per vlan (or vlan per subnet) but not always.

Have encountered this issue of having the same address range at home as at the airport wifi.

I found it’s handy to have a couple of openvpn servers running which connect to different vlans on different subnets.

Pretty sure I’m doing this.

VLANS are like different physical switches. They break up L2 / Broadcast traffic
Subnets are L3 and allow for routing

Now, some things, most notably DHCP provide L3 information (IP address’, gatways, etc) but work using L2. You can’t have a DHCP server for 2 different subnets on the same vlan but you absolutely could have 2 (or more) different subnets living on the same vlan as long as only 1 of them needs to use DHCP.
You could also have one subnet be available on multiple VLANS, although I’m not entirely sure why you would and you would need to be very careful you dons create any logical loops…

I really need to study this topic more. Honestly, subnetting has always been my weak point.

I’m still digesting this btw lol. Looks like it’s time to break out my networking book and start reading. Thank you for this in depth write up as well! Excellent reference material for me. I just realized today that I didn’t know the difference between Class A/B/C networks. womp womp.

You are quite welcome. I often find that an actual real world example is a whole lot more useful than all of the theory you would need to create it but without a good example.

I don’t really bother thinking about them as A/B/C anymore because we have CIDR notation so you are not limited to those classes. Make sure you use the private address ranges for sure (unless you have public IP’s to play with) .

If you stick to subnet masks of only 255 or 0’s then it’s fairly straight forward.
You have the network part of the address (where the 255’s are) and the host part (where the 0’s are)
As long as all the devices you want on the same “network” all have the same network part and a unique host part then you are golden.

given an IP address a.b.c.d makes a.b.c your network address and .d your host address’ makes a.b your netwok address and c.d your host address’ makes, you guessed it, a your network address and .b.c.d your host address’
(you can also have and but don’t think about that it’ll make your brain hurt) can also be written as /24 is /16 is /8
Count the number of bits being used (hint, 0-255 is an 8 bit number), remember that each part of an IP address is called an Octet and remember that the subnet mask tells you which bits of the IP represent the subnet.

Then the class bit tells you which address you can use internally. - 10.x.y.z are available - 192.168.x.y are available
so you can say ( then anything that starts with 10.7 (the first 16 bits) are on the same network.
172.16. is a tiny bit more complicated because it uses part of the second octet but not all of it. That’s when you have to start looking at “proper” subnetting to take full advantage but you can use /16 through or, for example

I hope that kinda makes sense, I’m a techie not an educator!!!

1 Like

Thanks again! I’m going to re-read this a few times. This might actually click for me. I’ve watched so many videos but I’ve got a raging case of ADHD and I learn sort of spatially. Most videos would make sense to most people, but I don’t fit that mold. Very hard to conceptualize. Once I conceptualize something, I’m in, and I can solve countless problems.

Has mentioned by some above, the 192.168.x.y/24 scheme is used by many home network devices by default. Over the fact that your network might get “confused” if it connects to an other outside network if the way your connect isn’t done properly, but it mostly allow anyone to easily guess the network range and find devices on it.
I personally try to avoid 192.168.x.y/16 and 172.16.w.z/12 addressing scheme just because of the latitude 10.x.y.z/8 offers in every aspect of networking. And since every modern L3 devices support CIDR, there is no reason not to use it (imo of course).

Also, from a laziness point of view, typing a 10.x.x.x is much faster and less error prone than any of the 2 private network address schemes :stuck_out_tongue_winking_eye:

The base of or are way overused by default devices so we avoid those. We would got for a for each class C subnet. Same thing goes for for class B. It is a bit overused. If you want a 172 class B, you can pick anything up to so something like might be a good choice.

++++1 for this. I can’t tell you how many times I’ve had to go in and re-engineer an IP space because the client later decided they wanted to have employees be able to VPN in to the office and couldn’t understand why their 192.168.1.x office network didn’t play well with their employees’ 192.168.1.x home networks. I’m on a personal mission to convert all of our clients to distinct subnets.

And all of my VLAN IDs match the 3rd octet of the IP address for exactly these reasons. One look at the IP and I know which VLAN I’m in / on.

It’s one of the first jobs on the list when I take a new customer on. There is always a bit of pain when a printer you didn’t know existed stops working but that also works nicely to help find things.