• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 215
  • Last Modified:

how to ip adress a typical office network

i thought this would be an easy question, but after several hours of googleing, i am giving up and asking the experts.  this should be a 101 setup for most small to mid-sized company networks.  i am looking for real world explantion / "how to" and not an in-depth discussion on binary, subnetting and routing.  first let me introduce the network parts:

1.  firewall with multple interfaces like a netscreen 5gt or above
2.  foxnet - physically seperate network with its own switch, contains vpn access points and wireless access points ex: 192.168.25.X / i should never have more than 255 access points or vpn clients using these ip address so this class and subnet work fine

3.  sheepnet - office workstations, printers etc 172.16.x.x / 255.255.x.x
4.  servernet   - server farm, files, mail, applications etc 172.16.x.x / 255.255.x.x

obviously the idea is to create a secure network.  the part i understand is connecting foxnet and sheepnet to the firewall and setting up rules so foxnet can not access sheepnet.  what i am not sure about is how to handle servernet.  below are my questions:

1.  should sheepnet and servernet be seperated??  if so how??  

a.  should sheepnet and servernet be seperate physical networks such as 172.16.20.x and 172.16.25.x requiring each network to have its own switch and the firewall to route?  the pro would be enabling rules in the firewall between the networks, the cons would be all traffic between workstations and servers would now have to go through the firewall interface, a potential bottleneck.

b.  should sheepnet and servernet use the same physical network such as 172.16.5.x and then us seperate subnets?  this would elminate the firewall interface bottle neck.  but i am not sure how i would ip the server vs the workstation.  also i am not sure how to make select clients or servers see both subnets

c.  should sheepnet and server net be consolidated into one physical network??? the concern being a workstation with a virus, trojan or spyware could then scan the servers.

hopefully this makes sense.  again i am looking for the actual ip and subnet for the server and workstation, not a discusion on bits.  i understand the bits, its the real world application that i need.  

2 Solutions
ONe of the primary reasons to subnet a domain is to reduce broadcast traffic, so I guess the answer is "that depends".  :)

Personally, if this is a relatively small network, then I would keep sheepnet and servernet in the same subnet.  You segment subnets with the mask, so your network would be 172.16.x.x with a mask of

As long as you run good AV, good password policy, and have a written security policy for your users (that they understand and obey), you should be just fine.

As you said, if you put servernet and sheepnet on sep. subnets you'll need hardware between like a router and then you have a single point of failure and/or bottleneck.

If your really worried about putting the workstations and servers on the same subnet you could implement RADIUS as a secured wired network.  This link talks about 802.11 wireless networks, but there is a related artical on how to use RADIUS for secured Wired networks as well:  http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

However, "real world"  - because of the time involved setting up radius, you may be more inclined to follow the suggestion above and place workstations and servers on "securenet" and have your "unsecurednet" (instead of the 3 net setup of Fox, sheep, and server).


Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now