Computer networks
Vasya Pupkin, 2022-03-16 10:02:09

How to organize a network (theory)?

Help me figure out how to build a network from scratch. The questions are rather theoretical, but I want to understand how you would do it. Anyone who is bored or wants a distraction from the current news, I would be grateful for a short crash course.

PS: I am currently reading the article series "Networks for the smallest", still in progress.

For example, there is an understanding of what the end result will be:
- 300-450 PCs
- 50 printers
- 15 servers
- 200-300 phones
- 100 cameras
- switches if necessary

We put in an L3 switch that will route the traffic and add it as the gateway.
Question 0: Under what conditions do we create VLANs on it, and how critical are they? Only in cases where we clearly understand that some network needs to be isolated from the outside?

Preparing the zone for PC users.
Question 1: There are more than 253 PCs, which means a /24 mask won't work, so the mask will need to be widened to /23 or /22 so that more devices fit in one network segment, right?
Question 2: What subnet addressing should these PCs be given? I read that the 192.168.1.* and 192.168.0.* ranges are undesirable because they are used by home routers, etc. So if you issue addresses for 300+ PCs, you need to make a network such as 192.168.111.0/22 (as an example), right?
Question 3: Follows from question 2. I often came across articles where people do not address the network in the classic 192.168.*.* way, but use addresses like 10.10.100.*/24 and similar. What is the difference between these numbering schemes? Why complicate things and take an address from such a pool? Why not use the standard one?
Question 4: Do I need a VLAN for the entire address pool? For example, VLAN111 "users": will there be situations where it is needed specifically for the entire pool of workstations, or, since they are always given access to everything, is there no point in a PC VLAN, unlike cameras or telephony, where there may be access restrictions to other networks?

After we have made a network for the workstations, we move on to the servers.
Question 5: Is it better to address servers in the same sequence as user PCs? If users are on the 111.* network, can the servers be put on 110.*/24, or do they need fundamentally different networks?
Question 6: Is it best to make a separate VLAN for servers and set up routing between all the others on L3 right away? Isn't adding the servers to the user PC subnet 111.*/2 a better solution?

Cameras and phones.
Question 7: Telephony has its own voice VLAN, as I understand it. How justified is it to plug the phone into the network and plug the PC into the phone in order to use one common socket instead of two? Apart from saving money, what is the point of this in terms of risk? In effect, it is an additional point of failure for the PC if the network port on the phone fails.
Question 8: Is it better to immediately put the cameras into a separate VLAN, or is it generally better to install a separate switch so that the 24/7 traffic stays only on it, and on one port of that switch trunk the VLAN to another switch to give the required server / employee access to these cameras?

Printers.
Question 9: Do I need to make a separate VLAN for printers, or is it recommended to add them to a common subnet with user PCs?

Perhaps I missed some other points; tell me what else to pay attention to.


7 answer(s)
Akina, 2022-03-16
@Akina

0. Always (for all three questions). 800 devices in one collision domain is [censored] and a complete stupor.
1. Yes. But no. Everything on the same subnet is nonsense and makes no sense.
2. Non-routable Internet addresses (bogon networks). I would subnet 172.16. But this is a matter of taste.
3. There is no difference, no complication at all. There is no standard here either.
4. Each subnet in its own VLAN. Full stop.
5. Servers on separate subnets. And not just one. What is a video surveillance server doing in the accounting subnet?
6. Build the diagram based on traffic flows, not on some mystical intuition.
7. Not telephony; some switches have special handling for a Voice VLAN. Yes, the only thing is saving ports. If it doesn't work, don't mess with it. Experiment later.
8. According to security requirements, the video surveillance network should generally be physically separated from the user network, if possible. Separate switches and cable runs. And they generate traffic that can clog links; do you need that? The same for security and fire alarm lines, but there strictly, no "if possible".
9. A print server. And yes, it and the printers go in a separate VLAN.

"We put in an L3 switch that will route the traffic and add it as the gateway."

Put in a proper router right away.
Because the switch, even though it is L3, will not give you anything in a sane form: no statistics, no control, no monitoring.

Andrey Smirnov, 2022-03-17
@FotoHunter

I will describe my working scheme; it is simple and logical and very easy to scale.
1. The organizational structure of the organization is taken as the basis, along with the principle of paranoia (accountants faint if they see an HR computer in the network neighborhood or, God forbid, mere mortals).
That is, the number of subnets = the number of organizational divisions.
2. The principle of distributing networks and VLANs: VLAN ID N contains a network of the form 192.168.N.x/24, with N in the range 2 to 130 (yes, I have a lot of subnets, each with a nominal size of 2 to 200 devices).
With subnets other than /24, sudden problems can arise: some devices cannot accept a different mask over DHCP the first time (my network printers and Windows 95 were buggy). The network may be 10.x.y.z, that is a matter of taste; the integrator tried to impose a scheme on me where the digits are the floor and the switch number, but this would be logical for a homogeneous residential building, not for an organization where one structural unit can occupy premises on different floors and be connected to different switches.
3. If network printers are assigned to divisions and are located in the same office with them, then the printer falls into the same subnet as its division.
4. Servers sit in their own separate multi-subnet, BUT if it is the bookkeeping server, then an interface with the accounting VLAN and IP is added to it in order to minimize traffic through the router, and yes, the common file server has 130 VLANs and IPs.
When a database of several gigabytes flies over the network at 800-900 megabits, severe collisions are possible, especially if it flies from one subnet to another through a router.
5. I have more than 700 VoIP phones in my network and an exception is made for them: their VLAN subnet is a /22.
6. The access control system and video cameras are generally placed on separate switches.
Video cameras and, for example, audio / video conferencing systems sometimes have mechanisms that use broadcasts / multicasts, and this can become a very big problem; it is controlled by fine-tuning the switches.
7. A computer through the phone: only with a shortage of sockets. The scheme works if the switch supports MAC authorization by address (there is a per-port option, which will not work correctly then). In general, it's best not to.
8. I also have a guest subnet, where guests who are not part of the structure end up.
9. Wi-Fi access points sit in the managed network, but broadcast a BSSID with a guest VLAN and can authorize by MAC with binding to a VLAN.
10. I have an enterprise-level network on Huawei S5700 hardware, and it can be implemented on S2700 + a network management server (RADIUS with specific settings) + DHCP + DNS. It is better to do DHCP on a separate computer, not on a switch (switches are sometimes buggy, limited in functionality, and it is better not to load them with unnecessary work). I have a router on Linux for the same reason: the switch had restrictions on the number of rules (ACLs), and on Linux you can do anything. Also in the management network there is a TFTP server for storing and distributing switch configs.
That's how it is. And I strongly advise you to read the documentation and consult with senior colleagues. Each element has a huge number of non-obvious nuances.

Valentin, 2022-03-16
@vvpoloskin

The 10.0.0.0 network is used because it is convenient for making networks larger than /24, and in the second octet you can encode the geography (office number, region code, area of responsibility, etc.; for example, 10.77.XX as the address range for Moscow).
Of course, you need a bunch of VLANs; you will be surprised, but you will have many more of them than you wrote. For example, there will be a management VLAN right away (where the network equipment is managed), a server management VLAN (iLO, IPMI, iDRAC or whatever you have), a VLAN with "public" IP addresses (will there be Internet in the office?), a server VLAN for users (file shares), VLANs for technical servers (all sorts of syslogs, Zabbixes), sooner or later two VLANs for Wi-Fi (guest and internal), VLANs for interconnect links (from the L3 switch to the router, between L3 switches, etc.).
The main economic characteristic of a switch is the price per port. As a rule, PoE ports are used for telephony, and they cost 2.5 times more than ports without PoE. With the money saved, it is better to buy spare parts for phones.
Sometime later you will come to setting up QoS for telephony, at least on the links from aggregation. This is easiest to do when the phones are allocated to a separate VLAN.
For video surveillance, again, PoE ports are used as a rule. Cameras, of course, are better in a separate VLAN, which is put on a separate port. The traffic from the cameras is heavy but at the same time does not cause much user complaint; it will easily fill a 1GE link.

res2001, 2022-03-16
@res2001

0. Yes
1. Yes
2. Yes. Only 192.168.111.0 won't work with a /22 mask. You need to brush up on IP addressing theory.
3. There are no classic / non-classic options. Google "gray IP addresses" and you will find out that the 10.0.0.0/8 subnet is quite a "classic" gray subnet. Usually the 10 network is used where there are a lot of computers on the network, several thousand.
4. Usually VLAN0 is used as the "general" VLAN; it is also the default VLAN. In switches this VLAN usually already exists and all ports are included in it as untagged, and, in my opinion, this cannot be changed.
5. Doesn't matter. Decide case by case. For example, for some reason you have a group of computers in your VLAN or subnet and it needs its own server,
Keep in mind that placing servers on different subnets will require routing between subnets. This often means additional traffic forwarding, which can be avoided by placing the servers on the same subnet as the users.
In general, external factors often play a role here, for example additional security requirements for some servers, etc.
6. Same as 5.
7. IP telephony, like cameras, also generates network traffic; if there is too much of it, it can interfere with the normal operation of the network. Plain network overload, additional load on the switch, large lags, etc. By the way, the reverse is also true: if the load on the network increases, you may find it becomes difficult to talk on the phone. And in general, in the event of an emergency on the network, it's good when at least the phones work. And you know, when the network adapter in some PC fails and starts flooding packets into the network, the phones stop working just the same: a local apocalypse.
8. Yes.
9. I doubt there are any recommendations. I have always placed the printer on the same subnet and VLAN as its users. Naturally, a separate sub-range of addresses is allocated for the printers, which is not handed out to users via DHCP. If you have a centralized print server, it may be more convenient to allocate the printers to a separate subnet / VLAN. In my opinion, if there are no additional requirements / wishes, there is no point in complicating the scheme.
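Worked example, added here and not part of any of the answers: the addressing arithmetic behind res2001's remark that 192.168.111.0/22 is not a valid /22, plus a planner that carves the device counts from the question into aligned subnets, one per VLAN, as Akina and Andrey Smirnov recommend. The 10.77.0.0/16 base is an assumption borrowed from Valentin's "10.77.XX for Moscow" illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Device counts from the question (upper ends of the stated ranges).
ZONES: Dict[str, int] = {
    "users": 450,
    "phones": 300,
    "cameras": 100,
    "printers": 50,
    "servers": 15,
}


def prefix_for(hosts: int) -> int:
    """Smallest block (largest prefix) whose usable hosts, 2^(32-p) - 2, fit `hosts`."""
    for p in range(30, 0, -1):
        if 2 ** (32 - p) - 2 >= hosts:
            return p
    raise ValueError("too many hosts for IPv4")


def valid_network(cidr: str) -> bool:
    """True only if the address part is the aligned network address for its mask."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:  # strict mode rejects host bits set, e.g. 192.168.111.0/22
        return False


def aligned_network(cidr: str) -> str:
    """The block that actually contains `cidr` (192.168.111.0/22 -> 192.168.108.0/22)."""
    return str(ipaddress.ip_network(cidr, strict=False))


def plan(base: str, zones: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Carve `base` into one aligned subnet per zone, largest zone first so that
    alignment padding never wastes space. Returns (zone, subnet, usable_hosts)."""
    supernet = ipaddress.ip_network(base)
    cursor = int(supernet.network_address)
    result = []
    for name, hosts in sorted(zones.items(), key=lambda kv: -kv[1]):
        p = prefix_for(hosts)
        size = 2 ** (32 - p)
        cursor = (cursor + size - 1) // size * size  # round up to a block boundary
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{p}")
        if not net.subnet_of(supernet):
            raise ValueError(f"{base} exhausted at zone {name}")
        result.append((name, str(net), net.num_addresses - 2))
        cursor += size
    return result
```

Run `plan("10.77.0.0/16", ZONES)` to see how a /23 for users, a /23 for phones, a /25 for cameras, a /26 for printers and a /27 for servers pack into 10.77.0.0 through 10.77.4.223 without gaps.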

AntHTML, 2022-03-16
@anthtml

0. Not only from the outside, but also from the inside.
1. It is not necessary to shove all PCs into one segment, especially if users are engaged in very diverse tasks.
2. 192.168.x.x is considered bad manners by some because most equipment defaults to these addresses, and if you plug a generic Tupolink into the network without preparation, it is believed it will cause more problems than if it were plugged into 10.x.x.x; also, if you have to build VPNs to remote workers, routing collisions with their home routers may occur.
3. Read the theory of IP addressing: 10 can be divided into smaller subnets, just as 192.168 can be divided into /25+ subnets; what for and how is described in the theory, as are the pros / cons of these solutions.
4. Best practice: each pool has its own VLAN; in reality, it usually turns out that way. It usually makes no sense to shove several subnets into one VLAN (unless it is ultra-low-price equipment).
5. Depends on the purpose, information security policy, etc.
And a computer through the phone is a no-go. If the workplace has only 2 sockets, a printer via the phone; if there are enough sockets and ports on the switches, ideally each device is separate, and phones are on PoE. Otherwise: "nothing works for me, because I forgot to plug the phone into the socket."
8. Separate switches and routers, including ones with segmentation along the perimeters, otherwise the network and information security may suffer.
9. By location and requirements.

Michael, 2022-03-25
@mr_welk

A lot has already been written, but just a cry from the heart: never use the 192.168.0.0/16 range in corporate networks! As soon as you need to make VPN connections to "home" computers, you will remember this. Not that it is something unsolvable, but why the extra problems? The 172 and 10 ranges are great; the second is more convenient for remembering subnets or VLANs.
Connecting computers through phones is bad: firstly, phones tend to freeze (rarely, but it happens); secondly, they are often 100 Mbps and not gigabit; and then it is more convenient to monitor all devices through managed switches: one network card, one port.
I would take video surveillance out into a separate physical network. Many cameras are a hassle to set up, and besides, the traffic there can be very hefty. And most importantly, through a camera you can get physical access to the network, especially if there are outdoor cameras.
By the way, another security issue: you don't need to connect to the network via Wi-Fi, even if you really want to. For Wi-Fi, a separate network or VLAN, but it is better to use it only for Internet access.

aleks komp, 2022-03-30
@aleks_komp

https://linkmeup.ru/blog/1188/
