Solved

Network architecture advice needed.  1 domain 3 locations

Posted on 2007-04-06
Last Modified: 2010-03-18
Hi I need some suggestions / pointers on network design.

Environment:

1 domain
3 locations
3 firewalls (vpn tunnels to each location)
Servers and workstations at each location
External VPN  connections at each location
Wireless at each location.
Exchange at one location

I am looking for suggestions for the subnetting of this environment, and the netmask for the subnetting. Will routing need to be configured, and if so should it be a routing device or a routing setup on a Windows server? Do I need to set up sites in Sites and Services?

Also for the subnetting I have seen suggestions to configure the structure like this:
10.168.0.0/24 - Servers location#1
10.168.1.0/24 - Static IPs
10.168.2.0/24 - DHCP Scope
10.168.3.0/24 - Servers Location#2

Or
10.168.0.0 - All Servers
10.168.1.0 - All Workstations
10.168.2.0 - All Switches
10.168.3.0 - Phones etc.

Any input as to the wisdom in that?  Pros/cons?

Thank you in advance for your time.
Question by:jrlitm
Accepted Solution by: Rob Williams (LVL 77, earned 500 total points)
ID: 18864416
A couple of pointers:
Where you have multiple sites connected by VPNs, each site MUST use its own subnet. Something like 10.1.0.0, 10.2.0.0, and 10.3.0.0.

As for your suggestions above (10.168.0.0/24, 10.168.1.0/24, etc.), that will not work, as each group is on its own subnet and will not be able to communicate unless there are routers between each subnet. Also there are issues with the multiple sites as stated above. If you change the subnet mask from 24 to something between 22 and 16, it would work. The choice really depends on how many IPs you need. Perhaps you could try something like:

10.1.0.0/16 - Servers location#1
10.1.1.0/16 - Static IP's location#1
10.1.2.0/16 - DHCP Scope location#1

10.2.0.0/16 - Servers location#2
10.2.1.0/16 - Static IP's location#2
10.2.2.0/16 - DHCP Scope location#2

10.3.0.0/16 - Servers location#3
10.3.1.0/16 - Static IP's location#3
10.3.2.0/16 - DHCP Scope location#3
The above may be a far larger scope than you need, but it would work and be organized. If you require fewer than 250 IPs I would suggest:
10.0.x.0/24 - Servers location #x (use 10.0.x.1 to 10.0.x.20)
10.0.x.0/24 - Printers and Misc location #x (use 10.0.x.20 to 10.0.x.50)
10.0.x.0/24 - Static IP's location #x (use 10.0.x.51 to 10.0.x.100)
10.0.x.0/24 - DHCP Scope location #x (use 10.0.x.101 to 10.0.x.200)
10.0.x.0/24 - Routers location #x (use 10.0.x.201 to 10.0.x.254)
Where x = site #

Author Comment by: jrlitm
ID: 18864916
Relatively small sites, 40 systems each site including servers and devices.

What about routing?  Will routing need to be configured and if so should it be a routing device or routing setup on a windows server?  I was also curious about site setup.  Do I need to setup sites in Sites and Services?

So with a netmask of 22 or 16 they should all be able to see each other, correct?


Expert Comment by: Rob Williams (LVL 77)
ID: 18864994
If each site has a single subnet the VPN configurations will look after the routing. No need for additional routers or configuration.

Do you have servers at each site? If so, yes, Sites and Services and DNS will need to be configured if the servers are part of the domain.

Yes 22, 21, 20...16 will allow 10.168.0.0 - 10.168.3.0 to "see" each other.
You may want to use a site like the following to get a better idea of the subnet sizes with different subnet masks:
http://tstools.co.uk/ipcalc.php

Expert Comment by: Fatal_Exception (LVL 40)
ID: 18866246
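The two points Rob makes above (each VPN-connected site needs its own non-overlapping subnet, and hosts split across 10.168.0.0/24 to 10.168.3.0/24 only "see" each other once the mask is widened to /22 or shorter) can be checked mechanically. The following is an added example, not code from the thread; the site names and host addresses are constructed for illustration, and it uses only Python's standard-library ipaddress module.

```python
# Added example (not from the thread): sanity checks for a multi-site
# addressing plan using only Python's standard-library ipaddress module.
import ipaddress
from itertools import combinations


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both hosts sit in one network at the given prefix length,
    i.e. they can reach each other without a router in between."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{prefix}", strict=False)
    return net_a == net_b


def longest_common_prefix(addresses) -> int:
    """Longest prefix length under which every address lands in the same
    network: the narrowest mask that still merges a set of /24 blocks."""
    ints = [int(ipaddress.ip_address(a)) for a in addresses]
    diff = 0
    for value in ints[1:]:
        diff |= ints[0] ^ value          # set the bits where any address differs
    return 32 - diff.bit_length()


def overlapping_sites(site_nets: dict) -> list:
    """Pairs of sites whose subnets overlap. Two VPN-connected sites that share
    address space cannot be told apart by the tunnel endpoints' routing."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in site_nets.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


# Constructed sample plans modelled on the thread's proposals (site names are assumed).
PER_SITE_PLAN = {"site1": "10.1.0.0/16", "site2": "10.2.0.0/16", "site3": "10.3.0.0/16"}
SHARED_PLAN = {"site1": "10.168.0.0/24", "site2": "10.168.0.0/24", "site3": "10.168.1.0/24"}
ORIGINAL_BLOCKS = ["10.168.0.0", "10.168.1.0", "10.168.2.0", "10.168.3.0"]

if __name__ == "__main__":
    print("per-site plan overlaps:", overlapping_sites(PER_SITE_PLAN))
    print("shared-subnet plan overlaps:", overlapping_sites(SHARED_PLAN))
    print("/24: server <-> DHCP host same subnet?", same_subnet("10.168.0.10", "10.168.2.50", 24))
    print("/22: server <-> DHCP host same subnet?", same_subnet("10.168.0.10", "10.168.2.50", 22))
    print("narrowest mask merging the four /24 blocks: /%d" % longest_common_prefix(ORIGINAL_BLOCKS))
```

Run it before committing a plan to the firewalls: an overlap reported for two sites means the tunnel between them cannot route cleanly, and the prefix it reports is the longest mask that still lets the original four blocks talk without a router.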
Yeah, I don't think you quite understand subnetting, and why it is needed, but I might suggest that you even use completely different private class ranges for your 3 locations: 192.168.1.x /24, 172.16.x.x /16, and your 10.x.x.x /8. Then you don't have to worry about overlap on your subnets with your VPN tunnels. Your original thought not only wouldn't work for your VPNs, you would need routers subdividing your subnets multiple times at each location. At least, unless I am missing something here. :)

Regardless, Rob laid it out nicely.