Utility Subnets

Terry Slattery
Principal Architect

Utility services like DNS, DHCP, NTP, AAA, and network management contribute to a smoothly running network.  I’m an advocate for designated utility subnets for these services.  Why have utility services subnets? It allows the network administrators to more easily monitor, manage, protect, and provision the services.  It becomes much easier to troubleshoot problems with the services when they are in known locations with a few well-known access paths and methods.

What size network needs utility subnets?  Are they appropriate for a small network comprised of less than ten routers and switches?  Once the network is large enough to require multiple subnets, it is appropriate to consider one or more separate services subnets.  Very small organizations may rely on a single services subnet while larger enterprises will want two or more redundant services subnets. Some organizations may want to provision services subnets per function in order to make ACL and security easier to manage for each function.

MPLS networks in particular will benefit from services subnets.  It is much easier and less expensive to consolidate services in a few places and create the appropriate VRF import lists and firewall rules to restrict undesired connectivity while still providing access to a common set of services.  In addition, as networks begin the migration to IPv6 and DNS becomes more critical to network operations, the services subnet concept becomes more important.

Where should services subnets be located?  Within an organization’s data centers makes a lot of sense, but separate from the application subnets.   Protect the services from attacks from the network clients and servers with firewall rules that only allow the desired connectivity.  It is easier to design good security around a few services subnets than when those same services are on general application subnets where a lot of different firewall rules must be concurrently implemented.



Re-posted with Permission 

NetCraftsmen would like to acknowledge Infoblox for their permission to re-post this article which originally appeared in the Applied Infrastructure blog under http://www.infoblox.com/en/communities/blogs.html


Leave a Reply


Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.