Tips and Suggestions IP Address Re-Addressing?

Question

Hello serverfault Universe,

My ever evolving and expanding local area network is currently using a class-C address. My network consists of multiple subnets depending on site/location.

192.168.1.x is site HQ
192.168.5.x is secondary site
192.168.10.x is third, so on and so forth.

Long story short - I have inherited this network design from the previous admin who has left the company which started off with a dozen people and now has just over 300 full time/part time employees. We do not yet have client VPN access; but we do have site to site VPN setup.

EDIT - to include details concerning my current setup and future planning:

• The main and secondary sites (subnets) have 25 physical servers. The branch sites have 5 (each domain controllers). So in total we are expecting this to grow about 50% in the next 3 years.

• We currently have a Web Server and Domino Web Mail server facing the public. I have purchased a Cisco ASAs for DMZ, Client Access VPN, and Site to Site VPN to replace our existing off the shelf (Linksys) VPN/router solution. The only changes I see is the replacement of Domino with Exchange (OWA) and I am looking to add a Cisco VPN server accessible on the internet.

• In total, DHCP from our main router is leasing out 150 IPs to client workstations on my main 192.168.1.x subnet which also happens to be the same subnet as my main servers. About 100 IPs on multiple subnets for the remaining sites on the other subnets.

• Our management "network" (HP ProLiant iLO) is on the main 1.x subnet.

• There are no immediate plans to implement iSCSI SAN or VoIP but these are highly likely down the road.
• Our MFP (printers) are all static IP which probably will need to be remapped if a readdressing happens.
• I want to add guest access WiFi for guests/visitors.
• Client access VPN is on the top of the list of priorities, however.

It looks something like this: 192.168.1.x consists of Servers using addresses 10 to 40. Printers using 40 to 50. Workstations 50 to 200. iLO management addresses using 200 to 250.

My question is, in preparation for outside client access to my network via Cisco ASA, I would like to re-address the HQ site because I understand a 192.168.1.x or 192.168.0.x are not very good choices for a company subnet - it may conflict with a home user's LAN when connecting to my LAN, I believe? Through your experience, does anyone out there have any suggestions and tips on how I can proceed with re-addressing my subnets. If I designed this network I would have gone with a 10.0.0.0 so I am leaning towards changing it to fit. Thank you.

Answer 1

I would say this is a good time to step back and re-evaluate your ip design and not just dive in with what first comes off the top of your head. Which you are doing :)

The first thing I would do is make an evaluation of each site:

• Does the site have servers?
  • How many?
  • Do i expect this to grow in the next 3 years?
  • By how much?
• Does the site have publicly facing servers?
  • How many?
  • Do I expect this to grow?
• How many clients are at the site?
• Does the site have a management network?
• What kind of technologies are implemented at the site? Do I plan to implement new technologies?
  • iSCSI?
  • VoIP?
  • etc
• Does the site deal with anything that would fall under a sercurity certifications?
  • HIPPA
  • SOX
  • PCI
• Do you have visitors?
• Do you implement WIFI?
  • Do you allow guest access to WIFI?
• Am I going to allow client access vpn?

Once the evaluation is done, you can then proceed to designing your IP space.

I would then take the 10.0.0.0/8 subnet it up as needed (Plugging Evan Anderson's Great post)

For just about every one of those items above best practice is to give it it's own subnet (with the exception of the leading questions to determine size of course).

Answer 2

One thing that I have run into with VPN access is that there are many vendors out there that use 10.0.1.x and 10.0.0.x addresses as the default. In my network 10.0.0.0/21 is our server subnet which makes it very difficult to support remote access. If I had it to do over again I would put the server address space at the very top of the 10-net space (somewhere like 10.253.0.0/21) because I have not seen vendors up that high in default configurations. If you have resources that you know absolutely wont be accessible from the VPN then you could utilize the lower end of ip space to those resources.

FWIW.. I know that Cisco / Linksys is in the 192.168. ranges and Apple ships Airports using either a 10 or a 172 address scheme.

Hope that helps

Answer 3

Assuming you want to change to a 10.1.1/8 subnet to replace your HQ 192.168.1/8 network. You would do the following,

1. Change your DHCP configuration to use the new Subnet
2. Manually change any static IP configurations in the HQ (like printers and servers maybe)
3. Setup a route to connect the new subnet to the existing 192.168/16 addresses at other locations

This is a starter, if you elaborate more we can see what might be left out.

Answer 4

One thing that MAY be worth keeping in mind is that most routers can deal with having secondary IP addresses on the network interfaces, so you don't necessarily need a "flag day" where everything changes at once.

You might want to separate server address space from client address space, that opens up the possibility of having separated network infrastructure in the future.

Once you have VoIP on site, consider how you want phones and PCs to interact. At least Cisco phones supports having the PCs piggy-backed behind the phone, allowing more efficient use of switch ports. And, as Quincey Adams kindly points out, the phone and PC can (and should) be on separate VLANs in taht configuration.

Other than that, Zypher's points are all worth considering.

Answer 5

Check this out

MySubnetPlanner

It takes the tedium out of the process.