how to ip address a typical office network

Posted on 2005-03-20
Last Modified: 2010-03-18
i thought this would be an easy question, but after several hours of googling, i am giving up and asking the experts.  this should be a 101 setup for most small to mid-sized company networks.  i am looking for a real world explanation / "how to" and not an in-depth discussion on binary, subnetting and routing.  first let me introduce the network parts:

1.  firewall with multiple interfaces like a netscreen 5gt or above
2.  foxnet - physically separate network with its own switch, contains vpn access points and wireless access points ex: 192.168.25.X / i should never have more than 255 access points or vpn clients using these ip addresses so this class and subnet work fine

3.  sheepnet - office workstations, printers etc 172.16.x.x / 255.255.x.x
4.  servernet   - server farm, files, mail, applications etc 172.16.x.x / 255.255.x.x

obviously the idea is to create a secure network.  the part i understand is connecting foxnet and sheepnet to the firewall and setting up rules so foxnet can not access sheepnet.  what i am not sure about is how to handle servernet.  below are my questions:

1.  should sheepnet and servernet be separated??  if so how??

a.  should sheepnet and servernet be separate physical networks such as 172.16.20.x and 172.16.25.x requiring each network to have its own switch and the firewall to route?  the pro would be enabling rules in the firewall between the networks, the cons would be all traffic between workstations and servers would now have to go through the firewall interface, a potential bottleneck.

b.  should sheepnet and servernet use the same physical network such as 172.16.5.x and then use separate subnets?  this would eliminate the firewall interface bottleneck.  but i am not sure how i would ip the server vs the workstation.  also i am not sure how to make select clients or servers see both subnets

c.  should sheepnet and servernet be consolidated into one physical network??? the concern being a workstation with a virus, trojan or spyware could then scan the servers.

hopefully this makes sense.  again i am looking for the actual ip and subnet for the server and workstation, not a discussion on bits.  i understand the bits, it's the real world application that i need.

Question by:kwindlinx

Accepted Solution

Fatal_Exception earned 252 total points
ID: 13587470
One of the primary reasons to subnet a domain is to reduce broadcast traffic, so I guess the answer is "that depends".  :)

Personally, if this is a relatively small network, then I would keep sheepnet and servernet in the same subnet.  You segment subnets with the mask, so your network would be 172.16.x.x with a mask of

As long as you run good AV, good password policy, and have a written security policy for your users (that they understand and obey), you should be just fine.


Assisted Solution

royalcanin earned 248 total points
ID: 13591892
As you said, if you put servernet and sheepnet on sep. subnets you'll need hardware between like a router and then you have a single point of failure and/or bottleneck.

If you're really worried about putting the workstations and servers on the same subnet you could implement RADIUS as a secured wired network.  This link talks about 802.11 wireless networks, but there is a related article on how to use RADIUS for secured wired networks as well:  http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

However, "real world"  - because of the time involved setting up radius, you may be more inclined to follow the suggestion above and place workstations and servers on "securenet" and have your "unsecurednet" (instead of the 3 net setup of Fox, sheep, and server).
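
Added example, not part of either answer above: a short Python check of the layouts discussed in this thread, showing which host pairs cross the firewall (where rules can be enforced) and which stay on the switch. The /24 and /16 masks, the plan names and the host addresses are assumptions built from the ranges in the question.

```python
import ipaddress

# Constructed addressing plans; the masks are assumptions, not from the thread.
PLAN_SEPARATE = {            # option a: one firewall interface per network
    "foxnet": "192.168.25.0/24",
    "sheepnet": "172.16.20.0/24",
    "servernet": "172.16.25.0/24",
}
PLAN_FLAT = {                # option c: workstations and servers share a subnet
    "foxnet": "192.168.25.0/24",
    "securenet": "172.16.0.0/16",
}

def parse_plan(plan):
    """Parse the CIDR strings and reject plans whose subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return nets

def zone_of(nets, host):
    """Return the name of the subnet that contains host, or None."""
    addr = ipaddress.ip_address(host)
    for name, net in nets.items():
        if addr in net:
            return name
    return None

def path(nets, src, dst):
    """'on-link' means both hosts share a subnet, so traffic is switched and
    never reaches the firewall's routed interfaces; 'routed:a->b' means the
    firewall forwards it and can apply a rule between the two networks."""
    a, b = zone_of(nets, src), zone_of(nets, dst)
    if a is None or b is None:
        return "unknown"
    return "on-link" if a == b else f"routed:{a}->{b}"

if __name__ == "__main__":
    workstation, server = "172.16.20.50", "172.16.25.10"   # constructed hosts
    for label, plan in (("separate", PLAN_SEPARATE), ("flat", PLAN_FLAT)):
        print(label, path(parse_plan(plan), workstation, server))
```

The overlap check also flags the mistake of defining a 172.16.0.0/16 network alongside a 172.16.25.0/24 one, which makes the on-link decision ambiguous for hosts in the smaller range.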

