Checklist for designing a new ip structure

stevenerie
Level 1

Hello,

I am working with a relatively small organization that still has all of its network devices running on vlan 1. There are currently fewer than 1000 network devices, but they are using an IP structure with a /17 mask (255.255.128.0), so they have one unnecessarily large subnet.

I would like to move them onto some /24 (255.255.255.0) subnets so they don’t continue to have an immense broadcast domain.

The organization is doing all its routing on a Cisco 4503. The closet switches are all L2 HP ProCurve 2108s. All but a few devices are getting their IPs via DHCP.

I've never done this before, so I wanted to ask if there is a how-to resource out there or a checklist so I can feel somewhat confident that I haven't overlooked a step in this transition. In a perfect world I could implement this one new vlan at a time and move the devices over with little to no downtime.

I would appreciate any suggestions or links to resources!

Thanks!

-Steve


4 Replies

Jon Marshall
Hall of Fame
(Accepted Solution)

Steve

Couple of things to note -

1) Use /24 or /25 for your subnets/vlans. Personally I always used /25s but /24s work just as well.

2) Always leave space in any subnet/vlan so you can easily add additional users.

3) Allocate separate vlans for users (you will need multiple vlans here), servers, and network management, e.g. you would typically use a different vlan for switch IP addresses.

4) Get rid of vlan 1. Don't use vlan 1 for anything.

5) The most important one is summarisation. Summarisation can cover a number of things -

i) Currently it sounds like you only have one site. Even so it is best to make sure you can represent the entire range you choose as one supernet address, so if you add another site in future you only need to advertise one summary route across the WAN.

ii) Within the same building. If you are using L3 from the access layer then it is good to be able to summarise from each floor, for example. However, from the sounds of your setup, it doesn't sound like this is going to be an issue for you.

As for migration, yes you can move blocks of users at a time if using DHCP. One thing I would suggest is that you can keep the same server IPs, just move them into another vlan. Obviously the subnet mask would change and it only really works if the servers have been addressed consecutively.

The biggest issue with readdressing is always the servers, i.e. if all applications etc. are referenced by DNS names you are fine, but there always seems to be at least one application that clients have hardcoded IPs for. You need to find out if there are any in your setup because this will cause no end of pain, especially if it is a critical server.

Jon
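Jon's checklist above can be turned into something checkable. The following is an added example written for this page, not code from the thread or from Cisco: it carves a freshly chosen supernet (the 10.30.0.0/16 block, the VLAN IDs, host counts and DHCP server address are all assumptions constructed for illustration) into one /24 per VLAN, refuses VLAN 1, refuses any VLAN whose expected host count leaves no room to grow, computes the single summary route that would be advertised if a WAN link were added later, and renders the matching SVIs for the 4503 with `ip helper-address` so DHCP keeps working as each VLAN is brought up.

```python
import ipaddress
from typing import List

# Added example (not from the thread): turn the checklist into an address plan.
# Assumption: a fresh 10.30.0.0/16 is chosen for the new design instead of the
# legacy 10.20.0.0/17, and every VLAN gets a /24.
SUPERNET = ipaddress.ip_network("10.30.0.0/16")
PREFIX_LEN = 24
HEADROOM = 0.5  # assumption: plan no subnet beyond 50% of its usable addresses

# (vlan_id, role, expected number of hosts) -- constructed sample requirements.
# Users, servers and management each get their own VLAN; VLAN 1 is never used.
REQUIREMENTS = [
    (10, "users-floor1", 110),
    (11, "users-floor2", 95),
    (12, "users-floor3", 120),
    (20, "servers", 60),
    (90, "mgmt-switches", 30),
]


def build_plan(requirements=REQUIREMENTS, supernet=SUPERNET,
               prefix_len=PREFIX_LEN, headroom=HEADROOM) -> List[dict]:
    """Hand out consecutive /24s from the supernet, one per VLAN.

    Rejects VLAN 1 (rule 4) and any VLAN whose host count would use more
    than `headroom` of the subnet, so there is room to add users (rule 2).
    """
    pool = supernet.subnets(new_prefix=prefix_len)
    plan = []
    for vlan_id, role, hosts in requirements:
        if vlan_id == 1:
            raise ValueError("do not put anything on VLAN 1")
        subnet = next(pool)
        usable = subnet.num_addresses - 2  # minus network and broadcast
        if hosts > usable * headroom:
            raise ValueError(
                f"VLAN {vlan_id} ({role}): {hosts} hosts is more than "
                f"{headroom:.0%} of {usable} usable addresses; use a larger block"
            )
        plan.append({
            "vlan": vlan_id,
            "role": role,
            "subnet": subnet,
            "gateway": subnet.network_address + 1,  # SVI address on the 4503
            "hosts": hosts,
        })
    return plan


def summary_route(plan: List[dict]) -> ipaddress.IPv4Network:
    """Smallest single prefix covering every VLAN subnet in the plan.

    Rule 5(i): if a second site or a WAN link appears later, this one route
    is all that needs advertising.
    """
    nets = [p["subnet"] for p in plan]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    summary = ipaddress.ip_network(f"{first}/32")
    while last not in summary:
        summary = summary.supernet()
    return summary


def ios_svi_config(plan: List[dict], dhcp_server: str) -> List[str]:
    """Render the routed VLAN interfaces for the Cisco 4503.

    Assumed IOS syntax; `dhcp_server` is a placeholder for the existing DHCP
    server. `ip helper-address` relays each new VLAN's DHCP broadcasts to it,
    so clients can be moved one VLAN at a time without re-homing the server.
    """
    lines = []
    for p in plan:
        lines += [
            f"interface Vlan{p['vlan']}",
            f" description {p['role']}",
            f" ip address {p['gateway']} {p['subnet'].netmask}",
            f" ip helper-address {dhcp_server}",
            " no shutdown",
        ]
    return lines


if __name__ == "__main__":
    plan = build_plan()
    for p in plan:
        print(f"VLAN {p['vlan']:>3} {p['role']:<14} {p['subnet']}  gw {p['gateway']}")
    print("summary route:", summary_route(plan))
    print("\n".join(ios_svi_config(plan, dhcp_server="10.30.3.10")))
```

With the constructed requirements the five /24s fall in 10.30.0.0 to 10.30.4.255 and collapse to a single 10.30.0.0/21 summary, which still sits inside the chosen /16 and leaves three unused /24s for growth. Raising a host count past 127 on a /24, or asking for VLAN 1, makes `build_plan` refuse rather than silently produce a cramped design.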

That is VERY helpful information.  Thanks for taking the time to respond Jon!

I am really showing my lack of understanding here, but if I want to create new, smaller vlans and begin moving devices over, can I use IPs that are in the current range?

For instance, their current vlan 1 is 10.20.10.1/17, so that covers 10.20.0.1 - 10.20.127.254. So, since a large portion of this range is unused, can I create new vlans like 10.20.80.0/24 and 10.20.81.0/24 on the router without causing an issue? Or should I just pick something completely outside the existing range?

vmiller

Depending on how you have defined your current address space on the router, it's generally easier to migrate to a new address block/VLAN ID.

If you have solid evidence that the unused range you mention is truly unused, slicing up pieces of that is a bit more work. One thing to keep in mind is the end state of the IP address space. Neatness does count.

stevenerie wrote:

That is VERY helpful information.  Thanks for taking the time to respond Jon!

I am really showing my lack of understanding here, but if I want to create new, smaller vlans and begin moving devices over, can I use IPs that are in the current range?

For instance, their current vlan 1 is 10.20.10.1/17, so that covers 10.20.0.1 - 10.20.127.254. So, since a large portion of this range is unused, can I create new vlans like 10.20.80.0/24 and 10.20.81.0/24 on the router without causing an issue? Or should I just pick something completely outside the existing range?

If you have an interface on your L3 device with an IP address from the 10.20.0.0/17 network block using a /17 subnet mask, i.e. 255.255.128.0, then you won't be able to create new smaller subnets on the same L3 device because it will not let you, i.e. it will complain of an overlapping address space.

So as vmiller says, best to start with a new IP address range. Once you have migrated all the users etc. you could still use a part of the 10.20.0.0/17 address space for your servers as mentioned before but if the servers are spread throughout that address block in terms of addressing then there is little point in doing it.

One last thing. You can use -

10.0.0.0/8

172.16.0.0 - 172.31.0.0 (/16s)

192.168.1.0 - 192.168.255.0 (/24s)

for private addressing for your new IP ranges. Don't pick 192.168.1.x onwards. The reason being just about everybody uses these address ranges and if you merge with another company or more likely have to connect to another company via VPN for example, it helps if you each have separate addressing.

Jon
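The overlap complaint Jon describes, and his advice on choosing a private range, can both be checked before touching the router. This is an added example written for this page (not from the thread or from Cisco): only the Vlan1 address 10.20.10.1/17 is taken from Steve's description; every candidate subnet and the list of "over-used" ranges are constructed assumptions used to exercise the checks. It mirrors what IOS does when you enter `ip address` on a new SVI, comparing the candidate against the connected network 10.20.0.0/17 rather than the single address 10.20.10.1, flags anything outside RFC 1918, and warns on ranges likely to collide with a partner's network over a VPN.

```python
import ipaddress
from typing import Dict, List, Optional

# Added example (not from the thread). Only Vlan1 = 10.20.10.1/17 comes from
# Steve's description; the candidates below are constructed to exercise one of
# Jon's three points each: overlap with an existing SVI, RFC 1918 membership,
# and "don't pick the range everybody else uses".
EXISTING_INTERFACES = {
    "Vlan1": ipaddress.ip_interface("10.20.10.1/17"),
}

CANDIDATES = [
    "10.20.80.0/24",   # inside 10.20.0.0/17: the router refuses it as overlapping
    "10.20.81.0/24",   # same
    "10.20.200.0/24",  # same /16, but outside the /17: no overlap
    "10.30.1.0/24",    # fresh block
    "192.168.1.0/24",  # private, but the default on most home/SOHO gear
    "172.32.0.0/24",   # looks private, is not: 172.16.0.0/12 ends at 172.31.255.255
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: ranges so common as factory defaults that a VPN to a partner or a
# future merger is likely to collide with them. Extend to taste.
OVERUSED = [ipaddress.ip_network(n)
            for n in ("192.168.0.0/24", "192.168.1.0/24")]


def overlapping_interface(candidate: str,
                          interfaces=EXISTING_INTERFACES) -> Optional[str]:
    """Name of the existing SVI whose *connected network* overlaps the candidate.

    This is the check IOS applies to a new `ip address`: 10.20.10.1/17 means
    the whole of 10.20.0.0/17 is connected to Vlan1, so any /24 inside it is
    rejected even though those addresses are unused.
    """
    cand = ipaddress.ip_network(candidate)
    for name, iface in interfaces.items():
        if cand.overlaps(iface.network):
            return name
    return None


def assess(candidate: str, interfaces=EXISTING_INTERFACES) -> Dict[str, object]:
    """Run all three checks on one candidate subnet."""
    cand = ipaddress.ip_network(candidate)
    return {
        "subnet": str(cand),
        "overlaps_with": overlapping_interface(candidate, interfaces),
        "rfc1918": any(cand.subnet_of(r) for r in RFC1918),
        "overused": any(cand.overlaps(o) for o in OVERUSED),
    }


def usable_candidates(candidates=CANDIDATES,
                      interfaces=EXISTING_INTERFACES) -> List[str]:
    """Subnets that could be configured on the 4503 right now: private, not
    overlapping an existing SVI, and not in an over-used range."""
    ok = []
    for c in candidates:
        a = assess(c, interfaces)
        if a["overlaps_with"] is None and a["rfc1918"] and not a["overused"]:
            ok.append(a["subnet"])
    return ok


if __name__ == "__main__":
    for c in CANDIDATES:
        print(assess(c))
    print("usable now:", usable_candidates())
    # Once Vlan1 has been migrated off and removed, the old /17 is free again
    # and 10.20.80.0/24 becomes a valid server subnet, as Jon notes.
    print("usable after retiring Vlan1:", usable_candidates(interfaces={}))
```

Running it with Vlan1 still present leaves only 10.20.200.0/24 and 10.30.1.0/24 usable; 10.20.80.0/24 and 10.20.81.0/24 are rejected for exactly the reason the router would give. Passing an empty interface table models the end state Jon describes, where the /17 has been removed and part of it can be reused for the servers.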
