IP address for LAN devices? (Solved)

Posted on 2013-05-21
382 Views
Last Modified: 2013-08-26
Hi EE,

Good Day,

I have to set up a 55-60 PC network with a 2K8 Domain.

Can any expert share their experience with assigning IP ranges to the network devices for better isolation/management? I have to decide for my LAN & Servers as below (attached is the network diagram as well):

1. Is a DMZ advisable? If yes, what IP range do I have to use? (10-11 nos servers)
2. IP range for Fortigate firewall? (2 nos)
3. IP range for Edge & Core switches? (2+12 nos switches)
4. IP range for Cisco Call Manager & phones? (is it advisable to keep a separate voice network?) (50-55 phones)
5. IP range for client PCs (for Win7 & Win8) (60 nos PCs)
6. IP range for some POS machines (Win7) (12 nos POS)
7. IP range for some WAP devices? (6-7 nos WAP)
8. IP range for Symantec backup device 3600 (1 nos)
9. IP range for NetApp SAN device (on fiber) (1 nos)

Please advise & share your expert experiences,

Many thanks in advance..
Attachment: lan-setup.jpg

Question by: dxbdxb2009

7 Comments
LVL 3

Accepted Solution

by:
Cooker85 earned 250 total points
ID: 39183685
You should use the ranges reserved in RFC 1918 for an internal private network behind NAT.  For example 10.0.0.0/8 172.16.0.0/12 or 192.168.0.0/16.  These can be broken down further for example you could split up the 10.0.0.0/8 into smaller /24 ranges like 10.0.1.0/24 and 10.0.2.0/24.

Normally for a DMZ you would use publicly routable addresses or port forward public addresses to an internal subnet. Best speak with your ISP about what your options are for public addresses.

Having more smaller subnets can help performance by reducing the amount of broadcasts, but it also adds complexity. If for example you only have 3 servers and they will work on the normal client VLAN/subnet you may as well put them there, but if on the other hand you have 500 then you are likely going to need multiple subnets.

Another reason you may wish to use a separate VLAN or subnet is for security; for example you might want your public wifi to be kept separate and not routable to your main internal network.
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 250 total points
ID: 39184751
Don't forget to provide for spare addresses in each of the "groups"....

Splitting them up will possibly cost more and will result in higher maintenance costs.

You want "better isolation/management" but it's not clear what that really means to you.
I think better management is often NOT having separate subnets for a wide variety of reasons.

Isolation is another matter of course.  What kind?  What for? etc.

Start with a single subnet if you can justify doing that.

Author Comment

by:dxbdxb2009
ID: 39185065
Thanks for your valuable replies...

@Cooker85:
So basically, can I use:
1. DMZ = 10.90.1.0-254 /24
2. IP range for Fortigate firewall = 10.90.1.0-254 /24
3. IP range for Edge & Core switches = 10.90.1.0-254 /24
4. IP range for Cisco Call Manager & phones = 10.90.5.0-254 /24
5. IP range for client PCs = 10.90.1.0-254 /24
6. IP range for some POS machines (Win7) (12 nos POS) = 10.90.2.0-254 /24
7. IP range for some WAP devices (for internal network) = 10.90.1.0-254 /24
8. IP range for some WAP devices (for guest network) = 10.90.4.0-254 /24
9. IP range for Symantec backup device 3600 = 10.90.1.0-254 /24
10. IP range for NetApp SAN device (on fiber) = 10.90.1.0-254 /24
Am I correct here as per the best practice?
"Normally for a DMZ you would use publicly routable..." = I will do the NATing in the firewall.
"Having more smaller subnets can help performance..." = I am sorry, I don't understand your point; please explain?
"Another reason you may wish to use a separate VLAN or subnet is for security" = Yes, I want to keep them separate for security reasons.
Any suggestion/advice to improve security by dividing / isolating network subnets?

----------

@fmarshall:
"Don't forget to provide for spare addresses in each of the 'groups'" = WHICH GROUP?

"Splitting them up will possibly cost more and will result in higher maintenance costs" = If it can improve the security I am ready to bear the maintenance cost (by the way, how will the cost be more by splitting it?)
"You want 'better isolation/management' but it's not clear what that really means to you" = The reason is security/securing the network with best practice & improving the performance as well.
LVL 3

Expert Comment

by:Cooker85
ID: 39185214
That all looks OK.  You may want to prevent the Guest WLAN range from routing to the other ranges or use a different device as a gateway.  Depends on your specific requirements and security concerns.

I would try and stick to say 10.90 as you have for this site, then should you need to add another they can be 10.80 and it should simplify routing later on.

My comment on subnets helping performance is that during normal use some devices will have to broadcast. DHCP requests are an example of this.  If you have a single huge subnet with thousands of devices these broadcasts can become a problem and impact on performance as all devices will receive a broadcast and switches have to by design forward a broadcast.  Keeping subnets to 254 hosts or less helps to keep the number of broadcasts down so they aren't such an issue.  With only 50-60 hosts it isn't something to worry about.

I think what fmarshall is saying is that you should make sure the subnets are correctly sized with a view to growth.  If you only have 50-60 users a single /24 is fine but it would be prudent to watch the DHCP leases and prepare to add another if required.
LVL 3

Expert Comment

by:Cooker85
ID: 39200722
Did all that make sense?  Was there anything else you wanted me to explain?
LVL 25

Expert Comment

by:Fred Marshall
ID: 39202215
I would provide for spares in all the "groups".  You can decide how many for each group of course.  Zero is not a good option.  Maybe 10% and not less than 8?  I wouldn't go lower than that.  20% and not less than 8 would be better.  But it's a judgment call.

The cost of splitting things up would be in whatever hardware you're going to use and in the configuration and maintenance.  If the people are full-time employees then it may seem like less than if the people are contractors on time and materials.
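As an added example, not code from any participant in this thread: a small Python check of the asker's proposed plan against the advice given above. It confirms each range is RFC 1918 (accepted solution), that ranges do not overlap, that each holds its device count from the question plus Fred Marshall's spare margin (10%, not less than 8), and that none is larger than the /24 broadcast domain Cooker85 recommends. The grouping and device counts are taken from the thread; the guest WLAN client count is unknown and assumed to be 0.

```python
import ipaddress
import math
# RFC 1918 private ranges named in the accepted answer.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed from the thread: the asker's proposed /24 split with the device
# counts from the question (guest WLAN client count is unknown, assumed 0).
PLAN = {
    "core (servers, firewalls, switches, PCs, WAPs, backup, SAN)":
        ("10.90.1.0/24", 11 + 2 + 14 + 60 + 7 + 1 + 1),
    "pos": ("10.90.2.0/24", 12),
    "guest wifi": ("10.90.4.0/24", 0),
    "voice (CallManager + phones)": ("10.90.5.0/24", 1 + 55),
}

def is_private(net):
    return any(net.subnet_of(r) for r in RFC1918)

def usable_hosts(net):
    # IPv4 network and broadcast addresses cannot be assigned to hosts.
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses

def spare_needed(devices, pct=0.10, floor=8):
    # Fred Marshall's rule of thumb: 10% spare, but never fewer than 8.
    return max(floor, math.ceil(devices * pct))

def check_plan(plan, max_hosts=254):
    # Returns a list of findings; an empty list means the plan passes.
    findings = []
    items = [(name, ipaddress.ip_network(cidr), count)
             for name, (cidr, count) in plan.items()]
    for i, (name, net, count) in enumerate(items):
        if not is_private(net):
            findings.append(f"{name}: {net} is not an RFC 1918 range")
        need = count + spare_needed(count)
        if need > usable_hosts(net):
            findings.append(f"{name}: {net} has {usable_hosts(net)} usable "
                            f"hosts but {need} are needed with spares")
        if usable_hosts(net) > max_hosts:
            findings.append(f"{name}: {net} is larger than a /24 broadcast domain")
        for other, onet, _ in items[i + 1:]:  # each pair checked once
            if net.overlaps(onet):
                findings.append(f"{name} and {other} overlap ({net}, {onet})")
    return findings

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan passes all checks"]:
        print(line)
```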

Author Comment

by:dxbdxb2009
ID: 39204189
Thanks for your reply...

Kindly bear with me for 2-3 days.. I will keep you posted soon.

Thanks