VLSM Design
Lab Objectives
- Understand and design VLSM (Variable Length Subnet Mask) allocations to meet different host requirements efficiently.
- Implement the VLSM plan on a router using subinterfaces and verify connectivity and routing.
- Explain why VLSM saves address space and how to avoid common allocation mistakes.
Tip: Think of VLSM like cutting a loaf of bread into slices sized to each eater — you give big slices to those who need more and small slices to those who need less, instead of wasting identical large slices for everyone.
Base topology (use this exact diagram and IPs):
[Internet]
203.0.113.1
|
R1 (Gateway)
Gi0/0: 10.10.10.1
Gi0/1: 10.10.20.1
Gi0/2: 10.10.30.1
/ | \
R2 R3 R4
Gi0/0: 10.10.10.2 | Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1 |
/ \ |
S1 S2 S3
/ \ | /
PC1 PC2 PC3 PC4 PC5
IP networks to use (exact):
- 10.10.10.0/24 — R1-R2 link
- 10.10.20.0/24 — R1-R3 link
- 10.10.30.0/24 — R1-R4 link
- 10.10.40.0/24 — R2-S1 link
- 192.168.1.0/24 — VLAN 10 (Sales)
- 192.168.2.0/24 — VLAN 20 (Engineering)
- 192.168.3.0/24 — VLAN 30 (Management)
- 203.0.113.0/24 — Public/Internet simulation
Device Table
| Device | Interface | IP Address |
|---|---|---|
| R1 | Gi0/0 | 10.10.10.1 |
| R1 | Gi0/1 | 10.10.20.1 |
| R1 | Gi0/2 | 10.10.30.1 |
| R2 | Gi0/0 | 10.10.10.2 |
| R2 | Gi0/1 | 10.10.40.1 |
| R4 | Gi0/0 | 10.10.30.2 |
| Internet | - | 203.0.113.1 |
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.
Task 1: Design VLSM subnets
You have the supernet 192.168.0.0/22 available for internal VLAN addressing. Design VLSM subnets to satisfy:
- Sales needs 100 hosts
- Engineering needs 50 hosts
- Management needs 10 hosts
Provide the network address, subnet mask (both dotted decimal and prefix), and usable host range for each department.
Task 2: Configure router subinterfaces for inter-VLAN routing
On R2, configure subinterfaces on Gi0/1 (connected to S1) for VLANs 10, 20, and 30 using the gateway IPs from your VLSM plan. Ensure the physical interface is up.
Parameters:
- Physical: R2 Gi0/1 (already 10.10.40.1 on physical, keep that)
- Subinterfaces: Gi0/1.10 (VLAN 10), Gi0/1.20 (VLAN 20), Gi0/1.30 (VLAN 30)
- Encapsulation dot1Q 10/20/30
- Assign the gateway addresses you planned
Task 3: Verify routing and basic connectivity
- Verify R2 has connected routes for each VLAN.
- From R2, ping the first usable host of each subnet (assume PCs are configured with the first usable host addresses you planned).
- Verify that R1 shows the routes to the VLAN subnets via R2.
Think About It: If you allocate a bigger subnet than needed for a department (e.g., /24 for 10 hosts), what real-world consequences occur in an enterprise network?
Lab Solution
Task 1 Solution: Design VLSM subnets
What we are doing: We take 192.168.0.0/22 (which covers 192.168.0.0–192.168.3.255) and allocate subnets sized to each department, placing the largest subnets first to avoid fragmentation.
Calculation summary (largest to smallest):
- Sales: needs 100 hosts → next power-of-two host block is 128 addresses → /25 (128 addresses, 126 usable)
- Engineering: needs 50 hosts → next is 64 addresses → /26 (64 addresses, 62 usable)
- Management: needs 10 hosts → next is 16 addresses → /28 (16 addresses, 14 usable)
Allocate sequentially from 192.168.0.0 upward:
- Sales: 192.168.0.0/25
  - Mask: 255.255.255.128
  - Usable: 192.168.0.1 – 192.168.0.126
  - Broadcast: 192.168.0.127
- Engineering: 192.168.0.128/26
  - Mask: 255.255.255.192
  - Usable: 192.168.0.129 – 192.168.0.190
  - Broadcast: 192.168.0.191
- Management: 192.168.0.192/28
  - Mask: 255.255.255.240
  - Usable: 192.168.0.193 – 192.168.0.206
  - Broadcast: 192.168.0.207
Why this order matters: Always allocate the largest subnets first. If you start with small subnets, you may fragment address space and be unable to place larger subnets later.
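The largest-first allocation above, written as a small Python routine. This is an added example, not part of the original lab; the function names vlsm_plan and describe are illustrative, and the inputs are the supernet and host counts from Task 1.

```python
import ipaddress

def vlsm_plan(supernet, requirements):
    """Allocate one subnet per {name: host count}, largest requirement first."""
    pool = ipaddress.ip_network(supernet)
    cursor = int(pool.network_address)
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        # Smallest power-of-two block that still leaves room for the
        # network and broadcast addresses (hosts + 2 addresses in total).
        host_bits = (hosts + 1).bit_length()
        size = 1 << host_bits
        start = -(-cursor // size) * size  # round up to a block boundary
        if start + size - 1 > int(pool.broadcast_address):
            raise ValueError(f"{supernet} has no room left for {name}")
        plan[name] = ipaddress.IPv4Network((start, 32 - host_bits))
        cursor = start + size
    return plan

def describe(net):
    """Network, mask, usable range and broadcast for one allocated subnet."""
    return {
        "network": net.with_prefixlen,
        "mask": str(net.netmask),
        "first": str(net.network_address + 1),
        "last": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
    }

if __name__ == "__main__":
    # Host requirements from Task 1 of this lab.
    needs = {"Management": 10, "Sales": 100, "Engineering": 50}
    for dept, net in vlsm_plan("192.168.0.0/22", needs).items():
        print(dept, describe(net))
```

The input order does not matter: the routine sorts by host count before allocating, and it raises ValueError when the supernet cannot hold every requested block.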
Task 2 Solution: Configure router subinterfaces for inter-VLAN routing
What we are doing: Create subinterfaces on R2 Gi0/1 so that R2 routes between the VLANs. Each subinterface will act as the default gateway for its VLAN. We use the first usable IP in each subnet as the gateway for clarity.
Commands:
R2# configure terminal
R2(config)# interface GigabitEthernet0/1
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# interface GigabitEthernet0/1.10
R2(config-subif)# encapsulation dot1Q 10
R2(config-subif)# ip address 192.168.0.1 255.255.255.128
R2(config-subif)# exit
R2(config)# interface GigabitEthernet0/1.20
R2(config-subif)# encapsulation dot1Q 20
R2(config-subif)# ip address 192.168.0.129 255.255.255.192
R2(config-subif)# exit
R2(config)# interface GigabitEthernet0/1.30
R2(config-subif)# encapsulation dot1Q 30
R2(config-subif)# ip address 192.168.0.193 255.255.255.240
R2(config-subif)# exit
R2(config)# end
R2# write memory
What each command does and WHY it matters:
- interface GigabitEthernet0/1 / no shutdown: Ensures the physical interface is up; subinterfaces depend on the parent being operational.
- interface GigabitEthernet0/1.10 (subinterface): Creates a logical interface that carries traffic for VLAN 10.
- encapsulation dot1Q 10: Sets 802.1Q tagging for VLAN 10; this tells the router how to identify VLAN traffic on the trunk.
- ip address 192.168.0.1 255.255.255.128: Assigns the gateway address for Sales (first usable). Choosing the first usable is conventional and easy to document.
- Repeated for VLANs 20 and 30 with their allocated subnets.
Verify:
R2# show ip interface brief
Expected output (relevant lines only):
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.10.10.2 YES manual up up
GigabitEthernet0/1 10.10.40.1 YES manual up up
GigabitEthernet0/1.10 192.168.0.1 YES manual up up
GigabitEthernet0/1.20 192.168.0.129 YES manual up up
GigabitEthernet0/1.30 192.168.0.193 YES manual up up
Explanation of verification:
- Seeing each subinterface "up up" indicates the router recognizes the subinterfaces and their IPs. On a live lab, the VLAN trunk from the switch must carry VLAN tags for each to reach hosts.
Task 3 Solution: Verify routing and basic connectivity
What we are doing: Confirm R2 has the connected routes and can reach hosts in each subnet, and confirm R1 learns those routes (via static/connected routing).
Verification 1 — connected routes:
R2# show ip route connected
Expected output (extract):
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
C 10.10.40.0/24 is directly connected, GigabitEthernet0/1
C 192.168.0.0/25 is directly connected, GigabitEthernet0/1.10
C 192.168.0.128/26 is directly connected, GigabitEthernet0/1.20
C 192.168.0.192/28 is directly connected, GigabitEthernet0/1.30
Verification 2 — ping first usable host of each VLAN (assuming PCs are assigned first usable addresses):
R2# ping 192.168.0.2
R2# ping 192.168.0.130
R2# ping 192.168.0.194
Expected output (one example):
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
Verification 3 — show R1 route table to confirm forwarding towards R2:
R1# show ip route
Expected excerpt (relevant learned or connected routes):
Gateway of last resort is not set
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
C 10.10.20.0/24 is directly connected, GigabitEthernet0/1
C 10.10.30.0/24 is directly connected, GigabitEthernet0/2
S 192.168.0.0/25 [1/0] via 10.10.10.2
S 192.168.0.128/26 [1/0] via 10.10.10.2
S 192.168.0.192/28 [1/0] via 10.10.10.2
Note: If static routes are required on R1, configure on R1:
R1(config)# ip route 192.168.0.0 255.255.255.128 10.10.10.2
R1(config)# ip route 192.168.0.128 255.255.255.192 10.10.10.2
R1(config)# ip route 192.168.0.192 255.255.255.240 10.10.10.2
Each ip route command sets a route on R1 so traffic destined for the VLSM subnets is sent to R2 (10.10.10.2). This matters because without R1 knowing how to reach those subnets, traffic from other networks (like the Internet simulation) would not reach internal VLANs.
Troubleshooting Scenario
Scenario: Subnet overlap causes connectivity failures
Symptom: Ping from PC in Sales (192.168.0.2) to Engineering (192.168.0.130) times out. R2 shows both subinterfaces up.
Your task: Find and fix the issue.
Hint: Check the subnet masks on the subinterfaces — an incorrect mask can cause overlap so R2 thinks both addresses are in the same network.
Solution:
- Show the interface details:
R2# show running-config interface GigabitEthernet0/1.20
If output shows ip address 192.168.0.129 255.255.255.128 (wrong mask), fix it:
R2# configure terminal
R2(config)# interface GigabitEthernet0/1.20
R2(config-subif)# ip address 192.168.0.129 255.255.255.192
R2(config-subif)# end
R2# write memory
Why this fixes it: Using a /25 instead of /26 for the engineering subinterface made R2 treat engineering and sales addresses as overlapping, so R2 did not route between them properly. Correct masks ensure distinct networks and proper routing.
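One way to catch this kind of wrong mask without reading each subinterface by hand is to compare the configured network of every subinterface with the Task 1 plan. This is an added example, not part of the original lab; PLAN, SAMPLE_CONFIG and the function names are constructed for illustration, and the sample config reproduces the scenario's wrong mask on Gi0/1.20.

```python
import ipaddress
import re

# VLAN ID -> planned subnet, taken from the Task 1 solution.
PLAN = {10: "192.168.0.0/25", 20: "192.168.0.128/26", 30: "192.168.0.192/28"}

# Constructed running-config excerpt with the wrong mask on Gi0/1.20.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.0.1 255.255.255.128
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.0.129 255.255.255.128
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.0.193 255.255.255.240
"""

def parse_subinterfaces(config):
    """Return {vlan: (interface name, IPv4Interface)} from IOS-style text."""
    found, name, vlan = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            name, vlan = m.group(1), None
        elif m := re.match(r"encapsulation dot1Q (\d+)", line):
            vlan = int(m.group(1))
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and vlan is not None:
            found[vlan] = (name, ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
    return found

def audit(config, plan=PLAN):
    """List (interface, configured network, planned network) per mismatch."""
    problems = []
    for vlan, (name, iface) in sorted(parse_subinterfaces(config).items()):
        if vlan in plan and iface.network != ipaddress.ip_network(plan[vlan]):
            problems.append((name, str(iface.network), plan[vlan]))
    return problems

if __name__ == "__main__":
    for name, got, want in audit(SAMPLE_CONFIG):
        print(f"{name}: configured {got}, plan says {want}")
```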
Verification Checklist
- VLSM plan documented with network, mask, usable range for each VLAN.
- R2 subinterfaces created with correct encapsulation and IP addresses.
- R2 shows connected routes for each VLAN subnet.
- R1 has routes to the VLAN subnets (static or via a routing protocol).
- Pings between VLAN gateways and sample hosts succeed.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| Subinterfaces show administratively down | Parent interface is shut down | interface Gi0/1 -> no shutdown |
| Pings to hosts fail but subinterfaces are up | Switch trunk missing VLAN tags or switch not trunking | Configure switch port as trunk, allow VLANs 10/20/30 |
| Routing from R1 to VLANs missing | No routes on R1 | Add static routes pointing to R2 (10.10.10.2) or run a routing protocol |
| Overlapping networks | Wrong subnet mask on one subinterface | Correct the mask to the intended prefix (e.g., /26 instead of /25) |
Challenge Task
Extend the VLSM plan to support two additional remote branch offices. Each branch needs:
- Branch A: 40 hosts
- Branch B: 20 hosts
Without step-by-step guidance, design subnets from the remaining 192.168.0.0/22 space (after the allocations in this lab), assign gateway addresses, and configure static routes on R1 pointing to the appropriate next-hops. Verify end-to-end connectivity from Internet (203.0.113.1) to a host in each branch.
Real-world context: In production networks, VLSM saves public/private address space and lets you plan growth. Choosing correct masks and reserving contiguous blocks simplifies route summarization in larger deployments.