Public IPs

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
We have a /20 of public IPs for our web, email, and other servers. I'm curious as to which is the better accepted practice... Should I keep all of the IPs together in one monolithic network or should I break it down into smaller segments using VLANs to logically separate traffic?

Right now (I didn't set this up) they're set up as multiple subnets existing all in the same layer 2 logical network and performance sucks. The router port is a 10mb port assigned with secondary IP addresses. Needless to say, I need to change this.

I have two 100mb ports available, so I was going to create a port channel and use dot1q trunking to separate each group of servers (web servers, email servers, phone servers, other appliances) into their own VLANs of smaller subnets.

Benefits I can see with this method are greater throughput and faster server-to-server communication (although this is generally rare). It will also give me greater control, and I'll be able to do things like restrict off a management subnet I can use to plug all my iLO ports into. Basically, I want more control over the network, and I think this is the way to do it.

But, is this way the standard practice or is it better to use a single gigantic subnet?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
It really depends on what you want to do security-wise; it has no impact on performance (it shouldn't). By doing really small subnets like that you are wasting address space. If it were me I'd group the servers like so:

1) Does the internet need to reach these? - that's your "external"
2) Any semi-trusted hosts?
3) Management network - that should be a separate network with appropriate firewall rules in place.

Also be very careful with trunking, that's easy to bypass from a security perspective.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
I'm not worried about physical security risks from trunking, as the servers are physically secure in a key-card access building. Are there any external risks associated with trunking between switches and switch-to-router? Servers will be connected to access ports.
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
What type of business is this, data center or web hosting? A /20 of public IPs is a lot of IPs for servers.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Web hosting, email hosting, and ITSP (service and hosted PBX).

The reason we have so many IPs is that we used to handle the ports for our dialup ISP ourselves. We now outsource that portion of our business, but we still would like to keep our IPs. A good portion are unused. We are currently fully utilizing about 5 of the 16 C blocks.
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
I'd organize them in the fashion that Spidey mentioned. Get them organized nicely and avoid wasting space. Just because you have the IPs doesn't mean you need to waste them.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
I must be having a brain fart. I thought it was a /26. A /20 absolutely should be divided up. But how it is done would take a full-on redesign that cannot be done over an internet forum. Too many variables, and what is predicted to happen in the future will drive the design. Do it right the first time so you don't have to redo it again.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Indeed, spidey. The reason I'm having to do this is because whoever set the network up originally did it in a slipshod manner that did not lend itself to expansion at all.

Because I'm expanding our ITSP profile, I feel that we definitely need to fix the problems caused by the idiot who originally set it up. It is rare that any single server will need more than 254 IP addresses, so I feel confident that assigning each server its own /24 would be fine. I've laid it all out, and I think it will be fairly future-proof. Also, I'm much more conservative in my IP assignments... my predecessor didn't understand what a virtual host was, and so assigned every single website its own IP address, even if they were the same organization.

My question was whether or not we should keep everything as a single subnet and that was answered with what I figured the answer would be. Thanks for the help!
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Currently, we have roughly 20 servers (though some are purpose-built servers, such as our DNS servers which only need a single IP) and another roughly 5 appliances that perform one task or another. Then we have some virtual servers which are mostly virtual PBXs. Nothing too fancy, but if I'm to get the ITSP side of things to where I want it, I need to reconfigure things. Servers with IPs from three (or more) discontiguous subnets make me psychotic. Not to mention that no one had done an inventory of what IPs were used and where in probably 5+ years.
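For the split the thread arrives at (per-role VLAN subnets carved out of the /20, plus a small, separately firewalled management block for the iLO ports), here is an added planning helper that is not any poster's code. It assumes a stand-in parent block 10.20.0.0/20 and constructed role, VLAN and size choices, and it checks that no two subnets overlap and that nothing falls outside the block.

```python
"""Carve a /20 into per-role VLAN subnets and sanity-check the plan."""
import ipaddress

PARENT = ipaddress.ip_network("10.20.0.0/20")  # stand-in for the real public /20
# Constructed (role, VLAN id, prefix length): a /24 per server group, a /28
# for the DNS boxes that need few addresses, a separately firewalled /26 for iLO.
REQUESTS = [("web", 10, 24), ("email", 20, 24), ("voice", 30, 24),
            ("dns", 40, 28), ("mgmt-ilo", 99, 26)]


def carve(parent, requests):
    """Allocate requested subnets from *parent*, largest first, splitting free
    blocks in halves (buddy-style) so leftover space stays in few large blocks."""
    free, plan = [parent], {}
    for role, vlan, plen in sorted(requests, key=lambda r: r[2]):
        fits = [b for b in free if b.prefixlen <= plen]
        if not fits:
            raise ValueError(f"no room left for {role} (/{plen})")
        block = max(fits, key=lambda b: b.prefixlen)  # tightest fit
        free.remove(block)
        while block.prefixlen < plen:
            block, spare = block.subnets(prefixlen_diff=1)
            free.append(spare)
        plan[role] = (vlan, block)
    return plan, sorted(free)


def check_plan(parent, plan):
    """True if every subnet lies inside the parent and no two overlap."""
    nets = [net for _, net in plan.values()]
    for i, a in enumerate(nets):
        if not a.subnet_of(parent):
            raise ValueError(f"{a} is outside {parent}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def locate(plan, ip):
    """Return the (role, vlan) a server address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for role, (vlan, net) in plan.items():
        if addr in net:
            return role, vlan


if __name__ == "__main__":
    plan, free = carve(PARENT, REQUESTS)
    print(check_plan(PARENT, plan), plan, free)
```

The unused blocks come back as the fewest, largest contiguous prefixes, so later groups (more hosted PBXs, for instance) can be added without fragmenting the space.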