
LAN Addressing Best Practices?

Discussion in 'Networking, Telephony & Internet' started by ewok85, Jul 22, 2012.

  1. plasticbastard

    plasticbastard Member

    Joined:
    Jul 30, 2003
    Messages:
    4,004
    Location:
    Sector ZZ9 Plural Z Alpha
    Edited. Please delete.
     
  2. ewok85 (OP)

    ewok85 Member

    Joined:
    Jul 4, 2002
    Messages:
    8,097
    Location:
    Tokyo, Japan
    My users' Facebook updates are likely the most sensitive data on the network - we don't handle personal information, and all other data is non-sensitive. Email is provided by Google, which is all using HTTPS.

    Yes - we have a public website running from a server in the DMZ (which looks like it was made 10 years ago... because it was), and some random ports open for specific purposes (e.g. a PHP page hosted on an internal server which is used to look up inventory stock numbers). We have a Cisco ASA 5505 with SSLVPN licences so generally that is used if access to internal resources is required.
     
  3. Gecko

    Gecko Member

    Joined:
    Jul 3, 2004
    Messages:
    2,715
    Location:
    Sydney
    The only time I've done an IP renumber was when one of our inherited sites was using 192.168.0.x/24 for servers and was causing hell for anyone connecting into it via VPN from home networks.

    If your subnets are big enough to fit everything in, you don't have IP conflicts across sites and you haven't put ~1,500 hosts into a single subnet (worked at a site that did that - the amount of broadcast traffic was hilarious) then just leave it as is.

    Like others here, I follow a general rule of 10.site-id.subnet-id.host-id/24. Create a new subnet when it makes sense to group devices (VoIP phones are a good example) or if you have specific security requirements.
     
  4. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    Null route any host addresses that end in .13; they are bad luck.
     
  5. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    +1 To this,

    Also, do not use any switchport or patch port labelled 13
     
  6. plasticbastard

    plasticbastard Member

    Joined:
    Jul 30, 2003
    Messages:
    4,004
    Location:
    Sector ZZ9 Plural Z Alpha
    +11eleventy

    Always use port 8, label all your patch ports with the number 8, and only ever use eight port switches.
     
  7. grommet80

    grommet80 Member

    Joined:
    Oct 28, 2003
    Messages:
    496
    Location:
    Lismore NSW
    We do more or less the same. We have allocated device ranges too but they aren't subnetted. It used to be different but we've just renumbered as we've rolled out Cisco routers to all the "sites". Wouldn't have bothered otherwise, it was working how it was, this is just neater and it was still a pain in the arse to do.
     
  8. _omni_

    _omni_ Member

    Joined:
    Jun 17, 2005
    Messages:
    4
    Location:
    Sydney - 2112
    All that can be ignored if you use gap filler on the last 6 ports on your 48 port switch(es).

    - On topic, cheers for the info etc posted in here, I am currently looking at a similar thing.
     
  9. OMGguru

    OMGguru Member

    Joined:
    Apr 1, 2003
    Messages:
    3,488
    Location:
    CFS
    DEFINITELY don't segment into VLANs too much, as traffic between them has to be routed. Either via a router or via a Layer 3 switch (which is basically a router).

    This is not too bad for things like VoIP where the only traffic traversing the 2 networks is probably http management or something, but between workstations and servers, if there are large amounts of data, then it can choke up really quick.

    I like the system you have now, everyone on a 10.x.0.0/16 so locally all traffic is layer2, then traffic to other sites layer3. This is how it should be =).
     
  10. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    l3 inter-vlan is done in hardware at line rate, you would run out of port capacity in most cases before you hit the hardware limits.
     
  11. driver

    driver Member

    Joined:
    Jun 28, 2001
    Messages:
    3,583
    Location:
    Brisbane
    Correct - a true layer 3 switch doesn't suffer any noticeable performance issues like your average router would. Even multicast Ghost with servers and PCs on multiple VLANs is unaffected.
     
  12. ltd73

    ltd73 Member

    Joined:
    Apr 14, 2005
    Messages:
    1,724
    Your statement may have been accurate/correct in/around the mid 1990s.

    It's not true of any half-decent L3 switch.

    The old adage 'route where you must, switch where you can' does still hold true, but smart network folks don't build large L2 networks.
     
  13. evilasdeath

    evilasdeath Member

    Joined:
    Jul 24, 2004
    Messages:
    5,026
    It really depends on the year you're in; it seems to swap back and forth slowly. You can probably thank Cisco for that.

    Cisco says you should switch your network, everyone buys switches.
    Everyone has switches
    Cisco says you should route your network, everyone buys routers.
    Everyone has routers
    Cisco says you should switch your network again by which time the older switching hardware is behind the times. Rinse and repeat.
     
  14. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,984
    Location:
    Pooraka Maccas drivethrough
    Cheers for the tip!
    I try to use /16 or larger subnets. More zeros in the mask = less CPU load in the routers.
     
  15. ltd73

    ltd73 Member

    Joined:
    Apr 14, 2005
    Messages:
    1,724
    This made me laugh,
    because it's actually _true_.

    If you did use a /16 then there are likely fewer 'strides' to use in an m-trie lookup algorithm, used by pretty much any networking equipment be it hardware or software.

    https://www.google.com/search?q=m-trie
     
  16. 192.168.0.1

    192.168.0.1 Member

    Joined:
    Nov 18, 2004
    Messages:
    1,540
    Location:
    Postcode: 2528
    As a rule of thumb

    Enterprise => 10.0.0.0 - 10.255.255.255 (10/8 prefix)
    Enterprise/SMB => 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    Home/SMB => 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
     
  17. fR33z3

    fR33z3 Member

    Joined:
    Jul 16, 2001
    Messages:
    2,164
    Location:
    Perth
    My brain just exploded
     
  18. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    That makes you a House then? What is it like being a House?
     
  19. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
     
    Last edited: Jul 28, 2012
  20. mjunek

    mjunek Member

    Joined:
    Apr 1, 2003
    Messages:
    1,146
    Location:
    Western Sydney
    This is what we implemented. Each site, datacentre, customer, etc. gets a 10.X.0.0/16 subnet, with that subnet split for VLANs. Head office, for example, has Prod, ESX Mgmt, Dev, Citrix, Demo, Voice and Legacy VLANs, each having their own /24 subnet on the head office site. An edge router does inter-VLAN routing, which allows us to control ACLs and VLAN-to-VLAN traffic.

    Each site router then connects back into the core networks, which are 10.255.x.x/16. This /16 supernet is basically the OSPF area 0.
    Having each site with its own router and 10.x.0.0 subnet allows decent route summarisation on the ABRs, so route tables around the network contain a smaller number of routes to each site.
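A worked version of the 10.site-id.subnet-id.host/24 scheme described by Gecko and mjunek above, added here as an example rather than code from any poster: it expands a constructed site plan into /24s, rejects overlaps and collisions with the reserved core /16, shows the one-route-per-site summary an ABR would carry, and checks which VLANs a VPN user's home LAN would shadow. The site ids, VLAN names and the choice of 10.255.0.0/16 as core are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample plan in the thread's 10.<site-id>.<subnet-id>.host/24 style.
# Site ids and VLAN names are assumptions for illustration only.
SITE_PLAN = {
    1: {"Prod": 0, "ESX-Mgmt": 1, "Dev": 2, "Citrix": 3, "Voice": 10, "Legacy": 200},
    2: {"Prod": 0, "Voice": 10},
    3: {"Prod": 0, "Dev": 2, "Voice": 10},
}
CORE_SITE_ID = 255  # 10.255.0.0/16 assumed reserved for the core links (OSPF area 0)
TEN_SLASH_8 = ipaddress.ip_network("10.0.0.0/8")


def site_supernet(site_id: int) -> ipaddress.IPv4Network:
    """The /16 a site advertises as its single summary route."""
    return ipaddress.ip_network(f"10.{site_id}.0.0/16")


def vlan_subnet(site_id: int, subnet_id: int) -> ipaddress.IPv4Network:
    """One VLAN's /24 inside the site's /16."""
    return ipaddress.ip_network(f"10.{site_id}.{subnet_id}.0/24")


def build_plan(plan: Dict[int, Dict[str, int]]) -> Dict[Tuple[int, str], ipaddress.IPv4Network]:
    """Expand the plan into concrete /24s, refusing core collisions and overlaps."""
    nets: Dict[Tuple[int, str], ipaddress.IPv4Network] = {}
    for site_id, vlans in plan.items():
        if site_id == CORE_SITE_ID:
            raise ValueError(f"site {site_id} collides with the core supernet")
        for name, sub_id in vlans.items():
            net = vlan_subnet(site_id, sub_id)
            # Every VLAN must sit inside both 10/8 and its own site's /16.
            if not (net.subnet_of(TEN_SLASH_8) and net.subnet_of(site_supernet(site_id))):
                raise ValueError(f"{net} lies outside the allocation for site {site_id}")
            for key, other in nets.items():
                if net.overlaps(other):
                    raise ValueError(f"{net} ({site_id}/{name}) overlaps {other} {key}")
            nets[(site_id, name)] = net
    return nets


def summary_routes(nets: Dict[Tuple[int, str], ipaddress.IPv4Network]) -> List[str]:
    """What a remote ABR needs to carry: one /16 per site instead of every /24."""
    return [str(site_supernet(site)) for site in sorted({site for site, _ in nets})]


def vpn_conflicts(nets: Dict[Tuple[int, str], ipaddress.IPv4Network], remote_lan: str) -> List[Tuple[int, str]]:
    """Site VLANs that a VPN user's home LAN would shadow (Gecko's 192.168.0.x problem)."""
    remote = ipaddress.ip_network(remote_lan)
    return [key for key, net in nets.items() if net.overlaps(remote)]
```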
     
