VPN IP Addressing Scheme

tterenzetti
Level 1

I am in the process of constructing a site-to-site VPN. We have 1 central location, and 7 branch offices. We are utilizing PIX firewalls.

My question pertains to the IP addressing scheme which would make the most sense, and which would most closely follow standard conventions.

At our central location, we have approximately 25 users, plus network printers and servers. At our two largest branch offices, we have approximately the same. The remaining branch offices are rather small, with only 3-5 users.

I know it really doesn't make a lot of difference, but I'm debating between a

192.168.1.x Central Office
192.168.2.x Branch Office #1
192.168.3.x Branch Office #2
192.168.4.x Branch Office #3, etc.

addressing scheme, versus a

10.x.1.x Central
10.x.2.x Branch 1
10.x.3.x Branch 2
10.x.4.x Branch 3, etc.

scheme, or even a

172.x.x.x

type scheme.

Any thoughts on which would make the most sense?

And what about subnet masks (255.255.255.0 versus 255.255.0.0)?

Down the road, we may do away with the VPN and implement a bona fide private wide-area network, constructed/hosted by a local telecom vendor. However, at this point in time, funding makes this impossible - hence, our VPN solution.

Thanks for your input.

Terry J. Terenzetti

terry@adirondackcomputer.com

tterenzetti@wnylc.com

Accepted Solution

ehirsel
Level 6

To allow for future growth, mainly in the central site, but also for future branch growth (such as implementing Voice over IP, SAN/NAS, etc.), and to make routing summarization possible and efficient between the sites, try going with this scheme:

Overall/summary subnets:

10.1.0.0 255.255.0.0 central site
10.2.0.0 255.255.0.0 bo #1
....
10.8.0.0 255.255.0.0 bo #8

and then within each site, use the 3rd octet and a CIDR mask to break down the reason for the VLAN/subnet, i.e. at the CO:

10.1.1.0/24 common data server subnet
10.1.2.0/24 printer subnet
10.1.16.0/24 NAS/SAN
10.1.64.0/24 reserved for IP Phone/Voice over IP
10.1.128.0/24 user subnet #1
10.1.192.0/24 test-lab subnet

Similar setup for the branch offices.

Note the gaps in address assignment within each location: the reason is to allow more summarization with ACLs from a security perspective. For example, you can allocate 10.1.128.0 - 10.1.159.254 as the range for user devices, and a DHCP server can be set up to hand out appropriate addresses, with each user VLAN being a 255.255.255.0 (or /24) subnet. However, in setting up ACLs you can refer to the entire block as 10.1.128.0/19, so one ACL entry can refer to the entire block.

By doing this, the routing summaries between the sites make the route tables small, and if dynamic routing protocols are used, a failure of a VLAN at bo #3 will not cause route changes across the backbone - bo #3 is 10.4.0.0/16, so all traffic whose IP address begins with 10.4 will be routed to bo #3, even if the VLAN 10.4.9.0 is down at that location.

I hope this helps.

Using the 10.0.0.0 address space gives you the most flexibility within your network - use the 192.168/16 or 172.16/20 for out-of-band management, or when connecting to external sites as a NAT/PAT pool.
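One way to check the summarization claims in the reply above, as an added example that is not code from the thread or from Cisco: it models the per-site /16 and per-role 3rd-octet plan with Python's standard ipaddress module. The site and role numbering follows the answer; the function names and the 32-VLAN user block are my own assumptions.

```python
# Added example: model the hierarchical 10.x.0.0/16-per-site plan from the
# reply and verify the ACL and routing summarization it describes.
import ipaddress

# Constructed site numbering, matching the reply: central = 10.1/16, bo #1 = 10.2/16, ...
SITES = {"central": 1, "bo1": 2, "bo2": 3, "bo3": 4, "bo4": 5, "bo5": 6, "bo6": 7, "bo7": 8}

# 3rd-octet base for each role, as laid out for the CO in the reply.
ROLES = {"servers": 1, "printers": 2, "nas_san": 16, "voip": 64, "users": 128, "lab": 192}


def site_summary(site):
    """The /16 summary route a site advertises across the VPN backbone."""
    return ipaddress.ip_network(f"10.{SITES[site]}.0.0/16")


def role_subnet(site, role, index=0):
    """A /24 for a role at a site; index picks e.g. user VLAN #2 -> 10.1.129.0/24."""
    return ipaddress.ip_network(f"10.{SITES[site]}.{ROLES[role] + index}.0/24")


def user_block(site):
    """The /19 (10.x.128.0 - 10.x.159.255) that one ACL entry can cover for all user VLANs."""
    return ipaddress.ip_network(f"10.{SITES[site]}.128.0/19")


def acl_summary(subnets):
    """Collapse a list of /24s into the minimal set of prefixes an ACL needs to name."""
    return list(ipaddress.collapse_addresses(subnets))


def acl_entry(net):
    """Network/mask pair as a PIX-style ACL would express it (netmask, not wildcard)."""
    return (str(net.network_address), str(net.netmask))


def route_for(address, summaries):
    """Longest-prefix match of an address against the advertised summaries."""
    addr = ipaddress.ip_address(address)
    matches = [n for n in summaries if addr in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


if __name__ == "__main__":
    # Assumption: 32 user VLANs fill the /19; the 33rd would land on 10.1.160.0/24.
    vlans = [role_subnet("central", "users", i) for i in range(32)]
    print(acl_summary(vlans), acl_entry(user_block("central")))
    backbone = [site_summary(s) for s in SITES]
    # Traffic for the downed 10.4.9.0/24 still follows the 10.4.0.0/16 summary to bo #3.
    print(route_for("10.4.9.25", backbone))
```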
