
Company-Wide IP Numbering/Routing Question

MysticLlama

Golden Member
Well, I got my T1 installed, and my router configured, and PIX firewall set up. I even got the first of the little firewalls to VPN to the first.

Now I'm running into some little nagging routing problems.

My original network is 192.0.0.0/24.

I'm going to be attaching the Webservers to a VPN access point on their secondary interfaces, and I was going to number that 192.0.5.0/24.
I'm going to eventually be making a WAN out of the stores and I was going to number that 192.0.10.0/24.

Now that I have the first VPN connected up, I'm going to have to make the .5.0 route to the main network, and also the reverse of that, and I'll have to use a couple of Win2k servers to do it, because I'm out of budget for more "real" routers.

On the other hand, I could come in over the weekend and renumber the whole mess to 10.0.0.0, and then make the mask on the boxes that should talk to different subnets bigger, i.e. 255.255.0.0.

Is this going to create me a big traffic mess, am I better to go through the process of setting up a bunch of routes to get stuff around the network, or should it all work fine if I just make the net bigger?

As far as scale, I only have about 50-60 total IPs in use at the main office, I will have 26 stores that will each take 1-2 in the future, and I have about 10-15 IPs I want to use for the web stuff. So, even if the whole thing doubles or triples, it still won't be incredibly massive.

Comments?
 
You might want to stay away from the 192.168 and 10. networks. Everybody uses them and it can cause minor headaches down the road.

Try 172.29 or 172.28; rarely used. So basically your entire network would be in the 172.28.0.0 network. This is a nice way to summarize your net with 172.28.0.0/16.

Now for the stores. Make sure you know exactly how many addresses would possibly be used at each store. Then double or triple it. Start each one on a nice bit boundary so you can summarize all stores with one or two routes; this way your VPN concentrator or device will handle the routing to the stores.
 
It's a little messy, and not recommended for the long term, but while you are migrating your addresses, most routers will allow you to "multi-net" (a Cisco "secondary" address).

Basically assign two or more addresses (different networks/subnets) to a single interface - so the old addresses would work, and the new addresses would work. When you get an entire segment switched to the new addresses, kill the old network number on that interface.

As I said, it's not recommended as a normal operating mode, but it'll give you some breathing room and allow you to sleep a couple hours a night during the transition.

Next: Don't do ANYTHING until you have the entire plan on paper, and bulletproofed as much as possible ahead of time. If you do it right, you can really perk up the ol' network ... if you try to pull addresses out of yer a$$ while you do it, bad things will happen ... up to, and including, the end of all life as we know it. Be careful.

The goal is to block out the addresses such that (as Spidey mentioned) you can summarize your routes, and, if you're clever, describe a connection/location with the IP address (then when you get a report that address W.X.Y.Z is having problems, you'll know EXACTLY what the equipment and infrastructure path is between that host and its resources).

A customer I worked with used rack and port numbers for their local addresses. So, when someone (or the management stations) reported a problem with 11.4.5.16, they'd know to look at rack 11, switch/router 5, blade 5, port 16. This is an example, of course; you may not need a system like this.

Summary: Multinetting may be helpful, get it done on paper first, think deeply on how you can implement an address scheme that'll make things easier on you as well as your equipment. The absolute top objective here is to give your boss something to brag about on the golf course ... everything else is secondary 😉.

Good Luck

Scott
 
This discussion sounds vaguely familiar to a topic a week or so ago. The WAN you are referring to is actually a bunch of VPNs? If they're VPNs, I have to be missing something. The VPN you're creating is hub and spoke? Why would you need to summarize any routes in this network? Any special reason why you want to multihome your webservers? Out of address space on your class C?
 
Okay, I'll try to clarify a little, and I also have another question.

Yes, the WAN is actually a bunch of VPNs. The way it is going to work is that I have a Cisco515E w/T1 here at the office that everything will link to.

The webservers that are hosted offsite already have two sets of addresses, a public set, and a private set between them for database access and such. Also, the database server on the web has a public IP that it uses to construct an SSH tunnel to here to link to the database for replication. The SSH tunnel doesn't work very well, and we are adding more servers, so I am going to put a Cisco 501 up there, and set it up for "network extension" mode. This way we can eliminate the SSH tunnel, and also link the private network to the one here transparently to replicate logs and such to the corporate office and eliminate some administration hassles.

As far as the stores go, I'd like to put a Cisco 501 attached to a broadband connection in each location to also tie them to here. This is for taking care of POS polling, as well as allowing any roaming managers and such to drop by and plug in to be attached to the network.

I just wanted to subnet things to simplify in my head what was where more than anything.

There isn't any current routing going on in the network except for on the 2620 on the T1, everything else is just a big LAN.

There aren't enough computers to take me too long, I'd estimate 35-40 workstations, half DHCP, about 20ish servers (including the web ones, which don't even need to be messed with in the first round), and the stores aren't connected yet, so they don't even have IP assignments except for where they attach to an Etherminal for a second register.

I was talking to the admin at our application provider (they do our POS, inventory, accounting, and web stuff), and he said that they would like us to move to a 10.54.0.0 for corporate, and 10.54.n.0 for the stores (where n is store number) for ease of administration (and their benefit).

The problem I run into with this is that I want to use the Cisco Easy VPN solution for the stores because it works really well with dynamic IPs, which most of them will probably end up with. But in that case I have to completely configure it separately for each store, because I can't figure out how to dynamically assign a middle octet like that. Any suggestions on this plan?

I'm probably just gonna say screw 'em and make the stores a single class C, I don't see any reason not to, other than to satisfy them. Their big thing is that they are doing their own WAN solution by using software on the Linux POS systems and tying them to corporate, and I'm trying to avoid that. It will actually cost us more money to implement than the Cisco stuff, and then we also have to clear using it for other things (laptops, workstations, cameras, etc.) through them and make sure they won't drop our support of that store over it. Also, we have been kicking around the idea of switching systems for a while, and if that happens two years down the road and it's not hardware, but software, then we lose our investment and time.

Clarify anything? More thoughts?
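Added example, written for this thread and not posted by any of the participants: a small Python helper that works through the numbering advice above with the thread's own figures. It covers Spidey's point about putting the stores on a bit boundary so they summarize into one or two routes, Scott's idea of decoding a site from an address, and the provider's proposed 10.54.n.0 store scheme. The names `corp`, `web` and `stores`, the choice of one /24 per store, and the functions themselves are assumptions made here; only the 26-store count, the 172.28.0.0/16 and 10.54.0.0/16 ranges, and the 192.0.0.0/24 LAN come from the posts.

```python
# Address-plan helper for the thread's numbering question (example code,
# not from any poster). Carves one block into corporate, web and per-store
# subnets on bit boundaries, counts the summary routes a scheme needs, and
# maps an address back to its site. Sizes and names below are assumptions.
from ipaddress import collapse_addresses, ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole network sits inside one RFC 1918 block.
    The thread's original 192.0.0.0/24 LAN does not (it is public space)."""
    net = ip_network(net)
    return any(net.subnet_of(block) for block in RFC1918)


def prefix_for_hosts(hosts):
    """Smallest prefix length whose subnet gives `hosts` usable addresses
    (network and broadcast addresses excluded)."""
    prefix = 32
    while (1 << (32 - prefix)) - 2 < hosts:
        prefix -= 1
    return prefix


def block_prefix_for(count, sub_prefix):
    """Prefix of one aligned block that holds `count` subnets of `sub_prefix`.
    Rounds up to a power of two so the whole block is a single route."""
    prefix = sub_prefix
    while (1 << (sub_prefix - prefix)) < count:
        prefix -= 1
    return prefix


def allocate(company, requests):
    """First-fit carve of `company` in request order.
    requests: list of (name, prefix_length). Every allocation is a proper
    CIDR block, so each one summarizes to exactly one route."""
    company = ip_network(company)
    plan, used = {}, []
    for name, prefix in requests:
        for cand in company.subnets(new_prefix=prefix):
            if not any(cand.overlaps(u) for u in used):
                plan[name] = cand
                used.append(cand)
                break
        else:
            raise ValueError(f"no room for {name} (/{prefix}) in {company}")
    return plan


def store_subnet(block, n, sub_prefix):
    """Subnet of store number n (1-based) inside the aligned store block."""
    subs = list(ip_network(block).subnets(new_prefix=sub_prefix))
    return subs[n - 1]


def locate(addr, plan, sub_prefix):
    """Reverse map: which allocation holds addr and, for the store block,
    which store number. Returns (name, store_number_or_None)."""
    addr = ip_address(addr)
    for name, net in plan.items():
        if addr in net:
            if name != "stores":
                return name, None
            offset = int(addr) - int(net.network_address)
            return name, (offset >> (32 - sub_prefix)) + 1
    return None, None


def summary_routes(subnets):
    """Minimal list of prefixes covering exactly the given subnets."""
    return [str(n) for n in collapse_addresses(ip_network(str(s)) for s in subnets)]


if __name__ == "__main__":
    stores, per_store = 26, 24                      # 26 stores, one /24 each (assumed)
    plan = allocate("172.28.0.0/16",
                    [("corp", 24), ("web", 24),
                     ("stores", block_prefix_for(stores, per_store))])
    for name, net in plan.items():
        print(f"{name:7s} {net}")                   # stores land on 172.28.32.0/19
    print("store 26:", store_subnet(plan["stores"], 26, per_store))
    print("172.28.40.17 is", locate("172.28.40.17", plan, per_store))
    provider = [f"10.54.{n}.0/24" for n in range(1, stores + 1)]
    aligned = [f"10.54.{n}.0/24" for n in range(32, 32 + stores)]
    print("provider scheme routes:", len(summary_routes(provider)))
    print("aligned scheme routes: ", len(summary_routes(aligned)))
    print("192.0.0.0/24 private?", is_rfc1918("192.0.0.0/24"))
```

The comparison at the end is the practical point: the provider's 10.54.1.0 through 10.54.26.0 layout needs seven prefixes to describe exactly, because 10.54.1.0 is not on a boundary, while the same 26 stores starting at 10.54.32.0 collapse to three, or to a single /19 if the whole reserved block is pointed at the VPN device and unused store numbers are simply left empty. The `is_rfc1918` check is there because the existing 192.0.0.0/24 LAN is not private address space, which is worth knowing before deciding which ranges are safe to extend.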
 