Recommended Subnet Strategies by Sam C. Chan

First Published: Nov 5, 2009
Last updated: Jan 27, 2018

5-Zone Allocation (BTC standard since May 2015)

  1. WAN - Internet (ISP line)
  2. LAN - private corporate network (incl. wifi), authorized nodes only
  3. Restricted - no Internet
    • 1-way managed from LAN, but NOT to LAN
    • e.g. SMBv1 legacy printers/scanners/servers/clients, POS (on-prem)
    • OPTIONAL: segmented VLAN
  4. IoT - cloud-only, the opposite of #3
    • SIP phone system, surveillance cams, door bell, timeclock (hosted)
    • full Internet access for devices
    • OPTIONAL: isolated/segmented VLAN
  5. Public - Internet, completely independent from other zones
    • OPTIONAL: isolated VLAN
    • guest wifi & conference room ethernet
    • outbound-only, zero inbound/fwd

Optional: Zone ZERO
  • topologically in front of the perimeter router, as a peer
    • requires a paid subscription ($$$) for a block of static public IPs
    • or being granted concurrent DHCP global addresses ($$?/legacy plan)
    • unless you have DIA (business-class fiber service)
  • suitable for multi-tenant scenarios (within a business suite/campus)
    • e.g. an independent attorney leasing a cubicle from a CPA firm, temp contract workers, etc.
    • they require unfettered inbound access under their full control, hence #5 above is unacceptable

                     LAN         Restricted       IoT          Public
Outbound Internet    full        none             throttled    censored
Inbound Internet     fwd & VPN   none             DMZ          none
Manage from LAN      yes         yes              no
Access LAN nodes     full        none             none         none
Cross-zone traffic   selected    none             none         none
DHCP                 reserved    static           policy?      yes
VLAN (optional)      no          segmented        segmented    isolated
Authorization        staff+      legacy/special   @provision   wpa/@conf
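To make the zone table concrete, the following is an added example (not from the article, and not any vendor's configuration): it encodes the inter-zone matrix as data, checks whether the router should forward a new flow between two zones, renders the same policy as an nftables forward chain with a default drop, and audits a constructed flow log for violations. The interface names eth0..eth4, the 10.0.x.0/24 subnets, the two inbound forward ports and the flow-log line format are all assumptions made for the example; replies are left to connection tracking, so only the initiating direction is encoded.

```python
"""Zone-policy model for the 5-zone allocation above (added example, not the
article's own configuration).  Interface names, subnets, inbound forward
ports and the flow-log format are constructed assumptions."""
import ipaddress

# Constructed assumptions: one router interface and one /24 per zone.
ZONE_IFACE = {"WAN": "eth0", "LAN": "eth1", "Restricted": "eth2",
              "IoT": "eth3", "Public": "eth4"}
ZONE_NET = {zone: ipaddress.ip_network(cidr) for zone, cidr in {
    "LAN": "10.0.1.0/24", "Restricted": "10.0.2.0/24",
    "IoT": "10.0.3.0/24", "Public": "10.0.4.0/24"}.items()}

# Which NEW (initiating) flows the router forwards, read off the table:
#   LAN        -> full outbound Internet, manages Restricted (1-way)
#   Restricted -> no Internet, never reaches LAN
#   IoT        -> cloud-only: outbound Internet, nothing internal
#   Public     -> outbound-only, nothing internal
# Replies ride on connection tracking, so only the initiator matters here.
ALLOWED_NEW_FLOWS = {
    ("LAN", "WAN"),
    ("LAN", "Restricted"),
    ("IoT", "WAN"),
    ("Public", "WAN"),
}

# The "Inbound Internet" row: "fwd & VPN" for LAN, "DMZ" for IoT.
# Ports are constructed placeholders, not values from the article.
INBOUND_FORWARDS = [
    ("LAN", "udp", 1194),   # VPN endpoint on the LAN (placeholder port)
    ("IoT", "udp", 5060),   # hosted SIP phone system (placeholder port)
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the internal /24s is WAN."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NET.items():
        if addr in net:
            return zone
    return "WAN"


def is_allowed(src_zone: str, dst_zone: str) -> bool:
    """True if the router should forward a new flow src_zone -> dst_zone.
    Same-zone traffic never transits the router, so it is not a policy call."""
    if src_zone == dst_zone:
        return True
    return (src_zone, dst_zone) in ALLOWED_NEW_FLOWS


def nft_ruleset() -> str:
    """Render the matrix as an nftables forward chain with a default drop."""
    wan = ZONE_IFACE["WAN"]
    lines = ["table inet zones {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for src, dst in sorted(ALLOWED_NEW_FLOWS):
        lines.append(f'    iifname "{ZONE_IFACE[src]}" oifname "{ZONE_IFACE[dst]}" '
                     f"ct state new accept  # {src} -> {dst}")
    for zone, proto, port in INBOUND_FORWARDS:
        # The DNAT itself lives in a prerouting chain (not shown); this line
        # accepts the translated WAN -> zone flow for that single port only.
        lines.append(f'    iifname "{wan}" oifname "{ZONE_IFACE[zone]}" '
                     f"{proto} dport {port} ct state new accept  # inbound fwd")
    lines += ["  }", "}"]
    return "\n".join(lines)


def audit(flow_log: str) -> list:
    """Return (src_zone, dst_zone, service) for every logged flow the policy
    forbids.  Each constructed log line is 'src_ip dst_ip proto/port'."""
    violations = []
    for line in flow_log.strip().splitlines():
        src_ip, dst_ip, service = line.split()
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if not is_allowed(src, dst):
            violations.append((src, dst, service))
    return violations


# Constructed sample flow log: a LAN client browsing and printing, a legacy
# printer reaching out to the Internet, a camera probing a LAN file server,
# and a guest laptop that stays within policy.
SAMPLE_FLOW_LOG = """
10.0.1.20 203.0.113.10 tcp/443
10.0.1.20 10.0.2.10 tcp/9100
10.0.2.10 203.0.113.10 tcp/80
10.0.3.15 10.0.1.20 tcp/445
10.0.4.77 203.0.113.10 tcp/443
"""

if __name__ == "__main__":
    print(nft_ruleset())
    for violation in audit(SAMPLE_FLOW_LOG):
        print("VIOLATION:", violation)
```

Running the block prints the generated chain and flags the two out-of-policy flows in the sample log: the Restricted printer trying to reach the Internet and the IoT camera trying to reach a LAN node. The matrix is the single source of truth for both the firewall rendering and the audit, which is what keeps the two from drifting apart.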

3-Zone Allocation (practical minimum)
  1. WAN - Internet
  2. LAN - private corporate network, authorized nodes only
  3. DMZ - all non-LAN
    • web/ftp servers
    • IoT, SIP VoIP, sec cam
    • guest wifi, conference room Ethernet

2-Zone Allocation (unacceptable)
  1. WAN - Internet
  2. LAN - everything

NOTE: This is equally applicable to pfSense, OPNsense, SWX, Cisco, etc.