  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 416

IP address for LAN devices?

Hi EE,

Good Day,

I have to set up a 55-60 PC network with a 2K8 domain.

Can any expert share their experience of assigning IP ranges to network devices for better isolation/management? I have to decide for my LAN & servers as below (the network diagram is attached as well):

1. Is DMZ advisable= if Yes what IP Range I have to use? (10-11 nos server)
2. IP Range for Fortigate firewall? (2 nos)
3. IP Range for Edge & Core Switches? (2+12 nos switches)
4. IP Range for Cisco Call manager & Phones? (is it advisable to keep voice network?) (50-55 phones)
5. IP Range for Client PCs (for Win7 & Win8) (60 nos PCs)
6. IP Range for some POS machines (Win7) (12 nos POS)
7. IP Range for some WAP devices? (6-7 nos WAP)
8. IP range for Symantec backup device 3600 (1 nos)
9. IP range for Netapp SAN device (on fiber) (1 nos)

Pls advise & share your expert experiences,

Many thanks in advance..
lan-setup.jpg
Asked by: dxbdxb2009
2 Solutions
 
Cooker85 commented:
You should use the ranges reserved in RFC 1918 for an internal private network behind NAT.  For example 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.  These can be broken down further; for example you could split up the 10.0.0.0/8 into smaller /24 ranges like 10.0.1.0/24 and 10.0.2.0/24.

Normally for a DMZ you would use publicly routable addresses or port forward public addresses to an internal subnet.  Best speak with your ISP about what your options are for public addresses.

Having more, smaller subnets can help performance by reducing the amount of broadcasts, but it also adds complexity.  If for example you only have 3 servers and they will work on the normal client vlan/subnet you may as well put them there, but if on the other hand you have 500 then you are likely going to need multiple subnets.

Another reason you may wish to use a separate vlan or subnet is for security; for example you might want your public wifi to be kept separate and not routable to your main internal network.
 
Fred Marshall (Principal) commented:
Don't forget to provide for spare addresses in each of the "groups"....

Splitting them up will possibly cost more and will result in higher maintenance costs.

You want "better isolation/management" but it's not clear what that really means to you.
I think better management is often NOT having separate subnets for a wide variety of reasons.

Isolation is another matter of course.  What kind?  What for? etc.

Start with a single subnet if you can justify doing that.
 
dxbdxb2009 (Author) commented:
Thanks for your valuable replies...

@Cooker85:
So basically, can I use:
1. DMZ = 10.90.1.0-254 /24
2. IP Range for Fortigate firewall = 10.90.1.0-254 /24
3. IP Range for Edge & Core Switches = 10.90.1.0-254 /24
4. IP Range for Cisco Call manager & Phones = 10.90.5.0-254 /24
5. IP Range for Client PCs = 10.90.1.0-254 /24
6. IP Range for some POS machines (Win7) (12 nos POS) = 10.90.2.0-254 /24
7. IP Range for some WAP devices (For Internal Network) = 10.90.1.0-254 /24
8. IP Range for some WAP devices (For Guest Network) = 10.90.4.0-254 /24
9. IP range for Symantec backup device 3600 = 10.90.1.0-254 /24
10. IP range for Netapp SAN device (on fiber) = 10.90.1.0-254 /24
Am I correct here as per the best practice?
Normally for a DMZ you would use publicly routable... = I will do the NATing in the firewall.
Having more smaller subnets can help performance... = I am sorry, I don't understand your point; pls explain?
Another reason you may wish to use a separate vlan or subnet is for security = Yes... I want to keep them separate for security reasons...
Any suggestion/advice... to improve security by dividing / isolating network subnets?
--------------------------------------------------------------------------------------------------
@fmarshall:
Don't forget to provide for spare addresses in each of the "groups" = WHICH GROUP?

Splitting them up will possibly cost more and will result in higher maintenance costs = If it can improve the security I am ready to bear the maintenance cost (by the way, how will the cost be higher by splitting it?)
You want "better isolation/management" but it's not clear what that really means to you = The reason is security / securing the network with best practice & improving the performance as well.
 
Cooker85 commented:
That all looks OK.  You may want to prevent the Guest WLAN range from routing to the other ranges or use a different device as a gateway.  Depends on your specific requirements and security concerns.

I would try and stick to say 10.90 as you have for this site, then should you need to add another they can be 10.80 and it should simplify routing later on.

My comment on subnets helping performance is that during normal use some devices will have to broadcast; DHCP requests are an example of this.  If you have a single huge subnet with thousands of devices these broadcasts can become a problem and impact performance, as all devices will receive a broadcast and switches, by design, have to forward a broadcast.  Keeping subnets to 254 hosts or less helps to keep the number of broadcasts down so they aren't such an issue.  With only 50-60 hosts it isn't something to worry about.

I think what fmarshall is saying is that you should make sure the subnets are correctly sized with a view to growth.  If you only have 50-60 users a single /24 is fine but it would be prudent to watch the DHCP leases and prepare to add another if required.
 
Cooker85 commented:
Did all that make sense?  Was there anything else you wanted me to explain?
 
Fred Marshall (Principal) commented:
I would provide for spares in all the "groups".  You can decide how many for each group of course.  Zero is not a good option.  Maybe 10% and not less than 8?  I wouldn't go lower than that.  20% and not less than 8 would be better.  But it's a judgment call.

The cost of splitting things up would be in whatever hardware you're going to use and in the configuration and maintenance.  If the people are full-time employees then it may seem like less than if the people are contractors on time and materials.
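One way to sanity-check a plan like the poster's against the advice in the answers (RFC 1918 space, one /16 per site with /24 VLANs carved from it, and Fred Marshall's "10% and not less than 8" spare-address rule) is a small script. This is an added example and not code from the thread or from any of the posters; the group names, the default of 10%/minimum 8, and counting the Call Manager as one extra host beside the 55 phones are assumptions made for the example. The device counts and the 10.90.x.0/24 subnets are the ones given in the question and the author's follow-up.

```python
"""Subnet-plan checker for a small office (added example, not from the thread).

Checks each planned group against: RFC 1918 membership, the site's /16 block
(10.90.0.0/16, as the poster chose), and a spare-address rule of "at least
pct% free and never fewer than `minimum`".  Groups that share a /24 are sized
together, because they compete for the same 254 usable addresses.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(net) -> bool:
    """True when the whole network sits inside one RFC 1918 block."""
    net = ipaddress.ip_network(str(net), strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def carve(site_prefix: str, index: int, new_prefix: int = 24) -> ipaddress.IPv4Network:
    """Return the index-th /new_prefix of a site block, e.g. carve("10.90.0.0/16", 5) -> 10.90.5.0/24."""
    site = ipaddress.ip_network(site_prefix)
    step = 2 ** (32 - new_prefix)
    if index * step >= site.num_addresses:
        raise ValueError(f"index {index} does not fit in {site}")
    return ipaddress.ip_network((int(site.network_address) + index * step, new_prefix))


def spare_ok(devices: int, subnet, pct: int = 10, minimum: int = 8):
    """Spare-address rule: free addresses >= pct% of planned devices, and never fewer than `minimum`.

    Returns (ok, spare, required).  Integer math avoids float rounding on the percentage.
    """
    net = ipaddress.ip_network(str(subnet), strict=False)
    usable = net.num_addresses - 2                  # network and broadcast address are not assignable
    spare = usable - devices
    required = max(-(-devices * pct // 100), minimum)   # ceiling of devices * pct / 100
    return spare >= required, spare, required


@dataclass
class Group:
    name: str
    devices: int   # hosts planned today
    subnet: str    # the /24 proposed for this group


def check_plan(groups, site_prefix: str, pct: int = 10, minimum: int = 8):
    """Return findings as (kind, subnet, detail) tuples.

    kinds: 'not-private', 'outside-site', 'shared' (several groups in one subnet;
    allowed, but worth seeing) and 'spare' (the spare-address rule is violated).
    """
    site = ipaddress.ip_network(site_prefix)
    findings = []
    by_subnet = {}
    for g in groups:
        net = ipaddress.ip_network(g.subnet, strict=False)
        if not is_private(net):
            findings.append(("not-private", str(net), g.name))
        elif not net.subnet_of(site):
            findings.append(("outside-site", str(net), g.name))
        by_subnet.setdefault(net, []).append(g)
    for net, members in sorted(by_subnet.items()):
        total = sum(m.devices for m in members)
        if len(members) > 1:
            findings.append(("shared", str(net), f"{total} hosts: " + ", ".join(m.name for m in members)))
        ok, spare, required = spare_ok(total, net, pct, minimum)
        if not ok:
            findings.append(("spare", str(net), f"{spare} free, rule needs {required}"))
    return findings


# The poster's proposed layout (counts from the question; Call Manager counted as one extra host).
POSTER_PLAN = [
    Group("DMZ servers", 11, "10.90.1.0/24"),
    Group("FortiGate firewalls", 2, "10.90.1.0/24"),
    Group("edge + core switches", 14, "10.90.1.0/24"),
    Group("Call Manager + phones", 56, "10.90.5.0/24"),
    Group("client PCs", 60, "10.90.1.0/24"),
    Group("POS machines", 12, "10.90.2.0/24"),
    Group("WAPs (internal)", 7, "10.90.1.0/24"),
    Group("WAPs (guest)", 7, "10.90.4.0/24"),
    Group("Symantec backup appliance", 1, "10.90.1.0/24"),
    Group("NetApp SAN", 1, "10.90.1.0/24"),
]

if __name__ == "__main__":
    for kind, net, detail in check_plan(POSTER_PLAN, "10.90.0.0/16"):
        print(f"{kind:12} {net:16} {detail}")
    # The stricter 20% variant mentioned in the thread:
    for kind, net, detail in check_plan(POSTER_PLAN, "10.90.0.0/16", pct=20):
        print(f"{kind:12} {net:16} {detail}")
```

Run against the poster's plan, the only finding is that 10.90.1.0/24 is shared by seven groups totalling 96 hosts, which still leaves 158 spare addresses and so passes both the 10% and the 20% rule; a second site on 10.80.0.0/16 would be flagged as outside the site block if it were mixed into this plan by mistake.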
 
dxbdxb2009 (Author) commented:
Thanks for your reply...

Kindly bear with me for 2-3 days.. I will keep you posted soon

thanks