Solved

IP address for LAN devices?

Posted on 2013-05-21
Last Modified: 2013-08-26
Hi EE,

Good Day,

I have to set up a 55-60 PC network with a 2K8 domain.

Can any expert share their experience of assigning IP ranges to network devices for better isolation/management? I have to decide for my LAN and servers as below (the network diagram is attached as well):

1. Is a DMZ advisable? If yes, what IP range do I have to use? (10-11 nos server)
2. IP Range for Fortigate firewall? (2 nos)
3. IP Range for Edge & Core Switches? (2+12 nos switches)
4. IP Range for Cisco Call manager & Phones? (is it advisable to keep voice network?) (50-55 phones)
5. IP Range for Client PCs (for Win7 & Win8) (60 nos PCs)
6. IP Range for some POS machines (Win7) (12 nos POS)
7. IP Range for some WAP devices? (6-7 nos WAP)
8. IP range for Symantec backup device 3600 (1 nos)
9. IP range for Netapp SAN device (on fiber) (1 nos)

Please advise and share your expert experiences,

Many thanks in advance..
lan-setup.jpg
0
Question by:dxbdxb2009
7 Comments
 
LVL 3

Accepted Solution

by:
Cooker85 earned 1000 total points
ID: 39183685
You should use the ranges reserved in RFC 1918 for an internal private network behind NAT, for example 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. These can be broken down further; for example, you could split up 10.0.0.0/8 into smaller /24 ranges like 10.0.1.0/24 and 10.0.2.0/24.

Normally for a DMZ you would use publicly routable addresses or port forward public addresses to an internal subnet. Best speak with your ISP about what your options are for public addresses.

Having more, smaller subnets can help performance by reducing the amount of broadcasts, but it also adds complexity. If, for example, you only have 3 servers and they will work on the normal client VLAN/subnet, you may as well put them there, but if on the other hand you have 500 then you are likely going to need multiple subnets.

Another reason you may wish to use a separate VLAN or subnet is for security; for example, you might want your public wifi to be kept separate and not routable to your main internal network.
0
 
LVL 26

Assisted Solution

by:Fred Marshall
Fred Marshall earned 1000 total points
ID: 39184751
Don't forget to provide for spare addresses in each of the "groups"....

Splitting them up will possibly cost more and will result in higher maintenance costs.

You want "better isolation/management" but it's not clear what that really means to you.
I think better management is often NOT having separate subnets for a wide variety of reasons.

Isolation is another matter of course.  What kind?  What for? etc.

Start with a single subnet if you can justify doing that.
0
 

Author Comment

by:dxbdxb2009
ID: 39185065
thanks for your valuable replies...

@Cooker85 :
So basically Can I use:
1. Is DMZ  = 10.90.1.0- 254 /24
2. IP Range for Fortigate firewall = 10.90.1.0- 254 /24
3. IP Range for Edge & Core Switches = 10.90.1.0- 254 /24
4. IP Range for Cisco Call manager & Phones? = 10.90.5.0- 254 /24
5. IP Range for Client PCs  = 10.90.1.0- 254 /24
6. IP Range for some POS machines (Win7) (12 nos POS) = 10.90.2.0- 254 /24
7. IP Range for some WAP devices (For Internal Network) = 10.90.1.0- 254 /24
8. IP Range for some WAP devices (For Guest Network) = 10.90.4.0- 254 /24
8. IP range for Symantec backup device 3600  = 10.90.1.0- 254 /24
9. IP range for Netapp SAN device (on fiber) = 10.90.1.0- 254 /24
Am I correct here as per the best practice?
Normally for a DMZ you would use publicly routable… = I will do the NATing in the firewall.
Having more smaller subnets can help performance… = I am sorry, I don't understand your point; please explain?
Another reason you may wish to use a separate vlan or subnet is for security = Yes, I want to keep them separate for security reasons.
Any suggestion/advice to improve security by dividing / isolating network subnets?
----------------------------------------
@ fmarshall:
Don't forget to provide for spare addresses in each of the "groups" = WHICH GROUP?

Splitting them up will possibly cost more and will result in higher maintenance costs = If it can improve the security I am ready to bear the maintenance cost (by the way how the cost will be more by splitting it)
You want "better isolation/management" but it's not clear what that really means to you = Reason is Security/securing the network with best practice & improving the performance as well,
0
 
LVL 3

Expert Comment

by:Cooker85
ID: 39185214
That all looks OK.  You may want to prevent the Guest WLAN range from routing to the other ranges or use a different device as a gateway.  Depends on your specific requirements and security concerns.

I would try and stick to say 10.90 as you have for this site, then should you need to add another they can be 10.80 and it should simplify routing later on.

My comment on subnets helping performance is that during normal use some devices will have to broadcast. DHCP requests are an example of this.  If you have a single huge subnet with thousands of devices these broadcasts can become a problem and impact on performance as all devices will receive a broadcast and switches have to by design forward a broadcast.  Keeping subnets to 254 hosts or less helps to keep the number of broadcasts down so they aren't such an issue.  With only 50-60 hosts it isn't something to worry about.

I think what fmarshall is saying is that you should make sure the subnets are correctly sized with a view to growth.  If you only have 50-60 users a single /24 is fine but it would be prudent to watch the DHCP leases and prepare to add another if required.
0
 
LVL 3

Expert Comment

by:Cooker85
ID: 39200722
Did all that make sense?  Was there anything else you wanted me to explain?
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39202215
I would provide for spares in all the "groups".  You can decide how many for each group of course.  Zero is not a good option.  Maybe 10% and not less than 8?  I wouldn't go lower than that.  20% and not less than 8 would be better.  But it's a judgment call.

The cost of splitting things up would be in whatever hardware you're going to use and in the configuration and maintenance.  If the people are full-time employees then it may seem like less than if the people are contractors on time and materials.
0
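The sizing advice in this thread can be checked mechanically. The following is an added example, not code from any poster: it takes the device counts from the question and the /24 assignments from the author's follow-up, applies the "20% and not less than 8" spare rule per group, and reports how full each subnet is and which groups share it. The guest client count (20) and counting the call manager as one extra address are assumptions.

```python
import ipaddress
import math

# (group, device count, proposed subnet). Counts are the upper bounds from the
# question; the guest WLAN client count is an assumed, constructed value.
PLAN = [
    ("DMZ servers",           11, "10.90.1.0/24"),
    ("Fortigate firewalls",    2, "10.90.1.0/24"),
    ("Edge/core switches",    14, "10.90.1.0/24"),
    ("Call manager + phones", 56, "10.90.5.0/24"),
    ("Client PCs",            60, "10.90.1.0/24"),
    ("POS machines",          12, "10.90.2.0/24"),
    ("Internal WAPs",          7, "10.90.1.0/24"),
    ("Guest WLAN clients",    20, "10.90.4.0/24"),  # assumption
    ("Backup appliance",       1, "10.90.1.0/24"),
    ("NetApp SAN",             1, "10.90.1.0/24"),
]

def with_spares(count, pct=20, minimum=8):
    """Addresses to reserve for a group: devices plus max(pct%, minimum) spares."""
    return count + max(math.ceil(count * pct / 100), minimum)

def audit(plan, site="10.90.0.0/16"):
    """Group the plan by subnet; report demand (with spares) against capacity."""
    site_net = ipaddress.ip_network(site)
    subnets = {}
    for name, count, cidr in plan:
        net = ipaddress.ip_network(cidr)  # raises on malformed or host-bit input
        if not (net.is_private and net.subnet_of(site_net)):
            raise ValueError(f"{cidr} is not an RFC 1918 subnet of {site}")
        entry = subnets.setdefault(net, {"groups": [], "needed": 0})
        entry["groups"].append(name)
        entry["needed"] += with_spares(count)
    report = {}
    for net, entry in subnets.items():
        usable = net.num_addresses - 2  # exclude network and broadcast addresses
        report[str(net)] = {**entry, "usable": usable,
                            "fits": entry["needed"] <= usable}
    return report

if __name__ == "__main__":
    for cidr, row in audit(PLAN).items():
        print(f"{cidr}: {row['needed']}/{row['usable']} fits={row['fits']}")
        print("   shared by: " + ", ".join(row["groups"]))
```

For the plan as posted, 10.90.1.0/24 carries seven groups and needs 156 of its 254 usable addresses once spares are included. Traffic between hosts in the same subnet is not routed, so a policy on the gateway firewall does not apply between those seven groups.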
 

Author Comment

by:dxbdxb2009
ID: 39204189
thanks for your reply...

Kindly hold with me for 2-3 days..i will keep you posted soon

thanks
0
