Subnetting Real World Practices

garrett_j17
Level 1

Hello Everyone,

So I inherited a network which I think wasn't given much thought in terms of physical design. But aside from this, subnetting has made it, for me, somewhat of a disaster. Just wondering if this is really an accepted practice in the real world.

At our corporate office we're using a 172.24.80.0/21 network. From this range we've assigned IP addresses based on device type, e.g. Servers=172.24.80.0, Printers=172.24.81.0, Client Machines=172.24.82.0 and so on. This is all fine, but where things get really confusing for me is that at branch offices around the country we carved out IP addresses from the original network.

So now... let's say at the Miami branch... we'd use 172.24.81.0/24, Fort Lauderdale=172.24.82.0/24. Ok, I could see where this may have seemed like an excellent idea... but I don't know why anyone would do this when we have any amount of private IPs at our disposal. Can anyone offer any insight?

Thanks

10 Replies

Leo Laohoo
Hall of Fame

Whether you're large or small, I don't understand why anyone would want to use the 172.16.0.0/12 network. I would always see 172.16.0.0/12 and 192.168.0.0/16 in special environments, like DMZ or test, but never in a production environment.

Joseph W. Doherty
Hall of Fame

Could you clarify your question(s)? I'm unclear what you think would be a good way to manage IP address space for remote branches and/or what you mean by there being any amount of private IP space at your disposal.

Jon Marshall
Hall of Fame

Ok, I could see where this may have seemed like an excellent idea......

I'm not sure I follow, to me it seems like a particularly bad idea.

Unless you have mistyped the subnets, you are saying the branches are using the same IP subnets, i.e.

corporate clients = 172.24.82.0/24

Fort Lauderdale  = 172.24.82.0/24

which means without some sort of NAT configuration there would be no communication.

If it is a typo then to some extent it depends on your WAN topology, but if it was done merely to preserve IP address space then it was misguided to say the least, because as you say, with private addressing you are free to use as much as you need.

Jon

garrett_j17
Level 1

Sorry guys for the confusion. So what we have is an address range that we use in our corporate office, 172.24.80.0/21. This gives us a range of 172.24.80.0 - 172.24.87.255 with a subnet mask of 255.255.248.0.

From this scope we assign IP addresses to devices as seen below:

Servers=172.24.80.0/21
Printers=172.24.81.0/21
Client Machines=172.24.82.0/21

...etc.

Now I'm saying that in our branch offices we carved out addresses from this scope but changed the subnet mask.

So we'd have a branch office in Miami with IP address 172.24.81.0 with a subnet mask of 255.255.255.0. Just making sure that I'm not crazy for bringing up to managers that we should maybe change this... as I think it's a horrible idea. And also wanted to know if this is an accepted practice.

Okay, it's not making a lot of sense.

If at the main site you have used 255.255.248.0 subnet masks for all the IP subnets then every device thinks it's in the same vlan/IP subnet.

And you couldn't have separate vlans because when you tried to create the L3 interfaces the L3 device wouldn't let you.

Are you sure at the main site you are actually using that subnet mask for every device?

Jon

Hi Jon,

As crazy as it sounds... that subnet mask is being used for every device.

So can you just confirm that you have only one vlan and all devices are in that vlan?

If so there are a couple of things -

1) that alone is not a great idea. Assuming they are all in the same vlan that is just one big broadcast domain.

2) using the same IPs at branches doesn't make any sense. The fact they are using different subnet masks is irrelevant.

Do the branches not need to communicate with the main office?

If they do then I can't see how this is working as any device at the main site using a 255.255.248.0 subnet mask would think the branch IP was local and it would never get routed back to the branch.

Unless, like I say, there is some sort of NAT going on.

Can you clarify about the vlan(s) at the main site?

I think you should be talking to management but we need to understand how it currently works between the main site and the branches (if at all) before you can recommend changes.

Jon

You know what's even crazier... I'm given the "you're the new guy" treatment when I bring this up. It's just one big flat network. I haven't been able to get to the routers since the guy that designed this mess is no longer with the company and no one has the credentials to log in.

Have to schedule downtime to do a password reset on them.

I still don't know how they were able to get over the overlap error that the router would throw.

FYI... VLANs?????? There are no VLANs... other than VLAN 1 of course. I just recently created a few to handle our wireless network... but outside of that... we just have daisy-chained switches.

Well, for the main site it might be a good idea to use more vlans.

If there is only one vlan there would be no error on the router because they only need one L3 interface because everything is in the same vlan.

It's not essential to create more vlans but I would, there may even be a noticeable improvement in performance.

There may be some devices that need to be in the same vlan, e.g. servers, but I have not come across any situation where clients, servers and printers all need to be in the same vlan.

In terms of the branches that is still a mystery. I can't see how there can be communication and if there is then you will need to find out how it works before any recommendations or changes are implemented.

As a general answer to your original question it is not good design to reuse IP subnets within the branches. You are using private addressing so you can choose whatever you want for the branches.

Each site, including the main site, should be able to summarise whatever IP subnets it is using to one summary address ideally and there is no reason why you couldn't do this.

You may find when you get onto the router it becomes a lot clearer so by all means post back if you need more help.

Jon
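To make the overlap problem Jon describes concrete, here is an added Python example (not from this thread or any poster) that checks the thread's prefixes against each other, shows what a main-site host with the /21 mask decides for a branch address, and computes the single per-site summary Jon recommends. The FIXED_PLAN addresses are a hypothetical, non-overlapping allocation chosen for illustration only.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed from the thread: the corporate /21 and the branch /24s that were
# carved out of it with a different mask.
CURRENT_PLAN = {
    "Corporate": ["172.24.80.0/21"],
    "Miami": ["172.24.81.0/24"],
    "Fort Lauderdale": ["172.24.82.0/24"],
}

# Hypothetical replacement plan (an assumption for illustration, not the
# thread's): per-VLAN /24s at the main site, separate /24s per branch.
FIXED_PLAN = {
    "Corporate": ["172.24.80.0/24", "172.24.81.0/24", "172.24.82.0/24"],
    "Miami": ["172.24.88.0/24"],
    "Fort Lauderdale": ["172.24.89.0/24"],
}

def overlapping_sites(plan):
    """Return every pair of prefixes that belong to different sites but overlap."""
    items = [(site, ip_network(p)) for site, prefixes in plan.items() for p in prefixes]
    clashes = []
    for i, (site_a, net_a) in enumerate(items):
        for site_b, net_b in items[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                clashes.append((site_a, str(net_a), site_b, str(net_b)))
    return clashes

def next_hop_decision(host_cidr, destination):
    """How a host with this address/mask treats a destination: 'on-link' means it
    ARPs for it directly and never hands the packet to its default gateway."""
    host = ip_interface(host_cidr)
    return "on-link" if ip_address(destination) in host.network else "default-gateway"

def site_summary(prefixes):
    """Smallest single prefix covering all of a site's subnets (one summary per site)."""
    nets = [ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit until everything fits
    return str(summary)

if __name__ == "__main__":
    for clash in overlapping_sites(CURRENT_PLAN):
        print("overlap:", clash)
    # A main-site host with the /21 mask believes a Miami address is local.
    print(next_hop_decision("172.24.80.10/21", "172.24.81.5"))
    print(overlapping_sites(FIXED_PLAN), site_summary(FIXED_PLAN["Corporate"]))
```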

That's what I'm thinking. Fine at the main site... but why on earth would you want to use this at the branch? Currently if we do an IP address scan... it pulls in addresses from everywhere... which makes it hell when you're trying to single out just a few.