Discussion in 'Networking, Telephony & Internet' started by ewok85, Jul 22, 2012.
Edited. Please delete.
My users' Facebook updates are likely the most sensitive data on the network; we don't handle personal information, and all other data is non-sensitive. Email is provided by Google, which all uses HTTPS.
Yes - we have a public website running from a server in the DMZ (which looks like it was made 10 years ago... because it was), and some random ports open for specific purposes (e.g. a PHP page hosted on an internal server which is used to look up inventory stock numbers). We have a Cisco ASA 5505 with SSLVPN licences, so generally that is used if access to internal resources is required.
The only time I've done an IP renumber was when one of our inherited sites was using 192.168.0.x/24 for servers and was causing hell for anyone connecting into it via VPN from home networks.
If your subnets are big enough to fit everything in, you don't have IP conflicts across sites and you haven't put ~1,500 hosts into a single subnet (worked at a site that did that - the amount of broadcast traffic was hilarious) then just leave it as is.
Like others here, I follow a general rule of 10.site-id.subnet-id.host-id/24. Create a new subnet when it makes sense to group devices (VoIP phones are a good example) or if you have specific security requirements.
Null route any host addresses that end in .13; they are bad luck.
+1 to this.
Also, do not use any switchport or patch port labelled 13.
Always use port 8, label all your patch ports with the number 8, and only ever use eight port switches.
We do more or less the same. We have allocated device ranges too but they aren't subnetted. It used to be different but we've just renumbered as we've rolled out Cisco routers to all the "sites". Wouldn't have bothered otherwise, it was working how it was, this is just neater and it was still a pain in the arse to do.
All that can be ignored if you use gap filler on the last 6 ports of your 48 port switches.
- On topic, cheers for the info etc posted in here, I am currently looking at a similar thing.
DEFINITELY don't segment into VLANs too much, as traffic between them has to be routed, either via a router or via a Layer 3 switch (which is basically a router).
This is not too bad for things like VoIP, where the only traffic traversing the 2 networks is probably HTTP management or something, but between workstations and servers, if there are large amounts of data, then it can choke up really quickly.
I like the system you have now, everyone on a 10.x.0.0/16 so locally all traffic is layer2, then traffic to other sites layer3. This is how it should be =).
L3 inter-VLAN is done in hardware at line rate; you would run out of port capacity in most cases before you hit the hardware limits.
Correct - a true Layer 3 switch doesn't suffer any noticeable performance issues like your average router would. Even multicast Ghost with servers and PCs on multiple VLANs is unaffected.
Your statement may have been accurate/correct in/around the mid 1990s.
It's not true of any half-decent L3 switch.
The old adage 'route where you must, switch where you can' does still hold true, but smart network folks don't build large L2 networks.
It really depends on the year you're in; it seems to swap back and forth slowly. You can probably thank Cisco for that.
Cisco says you should switch your network, everyone buys switches.
Everyone has switches
Cisco says you should route your network, everyone buys routers.
Everyone has routers
Cisco says you should switch your network again by which time the older switching hardware is behind the times. Rinse and repeat.
Cheers for the tip!
I try to use /16 or larger subnets. More zeros in the mask = less CPU load in the routers.
this made me laugh.
because it's actually _true_.
If you did use a /16 then there are likely fewer 'strides' to use in an m-trie lookup algorithm, which is used by pretty much any networking equipment, be it hardware or software.
As a rule of thumb:
Enterprise => 10.0.0.0 - 10.255.255.255 (10/8 prefix)
Enterprise/SMB => 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
Home/SMB => 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
My brain just exploded
That makes you a House then? What is it like being a House?
This is what we implemented. Each site, datacentre, customer etc, gets a 10.X.0.0 /16 subnet, with that subnet split for VLANs. Head office, for example, has Prod, ESX Mgmt, Dev, Citrix, Demo, Voice and Legacy VLANs, each having their own /24 subnet on the head office site. An edge router does inter-vlan routing, which allows us to control ACLs and vlan-vlan traffic.
Each site router then connects back into the core networks, which are 10.255.x.x/16. This /16 supernet is basically the OSPF area 0.
Having each site with its own router and 10.x.0.0 subnet allows decent route summarisation on the ABRs, so route tables around the network contain a smaller number of routes to each site.
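The addressing plan described in the last post (one 10.X.0.0/16 per site, one /24 per VLAN inside it, 10.255.0.0/16 for the core) and the 10.site-id.subnet-id.host-id/24 rule mentioned earlier lend themselves to a quick sanity check before anyone starts renumbering. The script below is an added example written for this page, not code from any poster or their network: it expands a plan into per-site supernets and VLAN /24s, confirms everything is RFC 1918 and that no two sites overlap, works out the tightest summary an ABR could advertise for a site, and flags the 192.168.0.x clash with home LANs that drove the renumbering story above. The site names, site numbers and VLAN names are constructed sample input.

```python
"""
Added example (not from the thread): model a 10.<site>.<vlan>.0/24 addressing
plan and check the properties the posters care about. All names and numbers
in SAMPLE_PLAN are made-up sample input.
"""
from itertools import combinations
from ipaddress import IPv4Network

# RFC 1918 private ranges, as listed in the thread.
RFC1918 = (
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
)

CORE_SITE_ID = 255  # 10.255.0.0/16 is the core / OSPF area 0 in the plan

# Constructed sample plan: site name -> (site id, ordered VLAN names).
SAMPLE_PLAN = {
    "head-office": (1, ["Prod", "ESX Mgmt", "Dev", "Citrix", "Demo", "Voice", "Legacy"]),
    "branch-a": (2, ["Prod", "Voice"]),
    "datacentre": (10, ["Prod", "ESX Mgmt"]),
}


def _net(value) -> IPv4Network:
    """Accept either a string like '10.1.0.0/24' or an IPv4Network."""
    return value if isinstance(value, IPv4Network) else IPv4Network(value)


def site_supernet(site_id: int) -> IPv4Network:
    """The /16 reserved for a site: 10.<site>.0.0/16 (255 is kept for the core)."""
    if not 0 <= site_id <= 254:
        raise ValueError(f"site id {site_id} out of range; 255 is reserved for the core")
    return IPv4Network(f"10.{site_id}.0.0/16")


def core_supernet() -> IPv4Network:
    """The core /16 that every site router connects back into."""
    return IPv4Network(f"10.{CORE_SITE_ID}.0.0/16")


def vlan_subnet(site_id: int, vlan_index: int) -> IPv4Network:
    """The /24 for the n-th VLAN at a site: 10.<site>.<vlan>.0/24."""
    if not 0 <= vlan_index <= 255:
        raise ValueError(f"a /16 only holds 256 /24s, got VLAN index {vlan_index}")
    return IPv4Network(f"10.{site_id}.{vlan_index}.0/24")


def allocate(plan: dict) -> dict:
    """Expand a plan into {site: {"supernet": /16, "vlans": {name: /24}}}."""
    alloc = {}
    for site, (site_id, vlan_names) in plan.items():
        alloc[site] = {
            "supernet": site_supernet(site_id),
            "vlans": {name: vlan_subnet(site_id, i) for i, name in enumerate(vlan_names)},
        }
    return alloc


def is_rfc1918(net) -> bool:
    """True if the whole network sits inside one RFC 1918 block."""
    net = _net(net)
    return any(net.subnet_of(block) for block in RFC1918)


def overlapping_sites(alloc: dict) -> list:
    """Pairs of sites whose supernets overlap; a sane plan returns []."""
    return [
        (a, b)
        for a, b in combinations(alloc, 2)
        if alloc[a]["supernet"].overlaps(alloc[b]["supernet"])
    ]


def summary_route(networks: list) -> IPv4Network:
    """Smallest single prefix covering every given network (the tightest ABR summary)."""
    nets = [_net(n) for n in networks]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()  # widen by one bit until everything fits
    return agg


def vpn_clashes(internal, remote_lans: list) -> list:
    """Remote (home) LANs whose addresses collide with an internal subnet."""
    internal = _net(internal)
    return [lan for lan in (_net(r) for r in remote_lans) if lan.overlaps(internal)]


if __name__ == "__main__":
    alloc = allocate(SAMPLE_PLAN)
    for site, entry in alloc.items():
        tight = summary_route(list(entry["vlans"].values()))
        print(f"{site}: reserved {entry['supernet']}, VLANs summarise to {tight}")
    print("overlapping sites:", overlapping_sites(alloc))
    print("core is RFC 1918:", is_rfc1918(core_supernet()))
    # The renumbering story from the thread: servers on 192.168.0.0/24 vs. typical home LANs.
    print("clashes:", vpn_clashes("192.168.0.0/24", ["192.168.0.0/24", "192.168.1.0/24"]))
```

Note that `summary_route` returns the tightest covering prefix (a /21 for seven /24s), whereas the plan advertises the whole reserved /16 from each ABR; the tight summary is always a subnet of that /16, which is the check worth running whenever a site grows a new VLAN.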