Last updated: 22 October 2006; Supplements this Knowledgebase Article.
IP Addressing Considerations For Networks
When building your network for home or office, be sure to choose your IP addressing scheme with care. The choice you make today can have long-lasting effects, and will very likely be harder to change as time goes by.

When deploying a firewall or router, particularly a broadband device, don't just accept whatever default your hardware vendor suggests. Instead, consider selecting a different IP range within the acceptable private address blocks. One reason is that should you ever want to set up a site-to-site VPN, or even a single-client VPN from behind your network, you will have problems connecting to the remote network if it uses the same addressing scheme for its local LAN. Simply put, it becomes a routing issue when a remote network uses the same addressing scheme as the local network and you attempt to connect the two via VPN.

For example, if both you and your neighbor have chosen to use 192.168.0.0/24 (i.e. 192.168.0.0 with a subnet mask of 255.255.255.0) as your local LAN addresses, when you attempt to set up a tunnel between each other's networks, you will find that your respective machines, routers and firewalls are not able to establish which traffic to keep local and which to send across the wire. Most modern firewalls would raise spoofing alarms upon receiving such packets.

To avoid this dilemma, consider using addresses in the 172.16.x.x - 172.31.x.x range, since these are most frequently overlooked by hardware vendors and other users.
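
The overlap problem described above can be checked before a tunnel is configured. The following Python sketch is an added example, not part of the original article; the function names and sample networks are constructed for illustration. It goes slightly beyond the identical-range case in the text by also flagging partial overlaps between networks with different masks.

```python
import ipaddress

# RFC 1918 private address blocks.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_block(net):
    """True if the whole network lies inside one private block."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def find_conflicts(local, remotes):
    """Remote LANs that share addresses with the local LAN.

    Any overlap means hosts cannot tell which traffic stays local
    and which must be sent through the tunnel.
    """
    local = ipaddress.ip_network(local)
    return [r for r in remotes if local.overlaps(ipaddress.ip_network(r))]


def suggest_lan(in_use, pool="172.16.0.0/12", prefix=24):
    """First subnet of size `prefix` in `pool` overlapping nothing in use."""
    used = [ipaddress.ip_network(n) for n in in_use]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None  # pool exhausted


if __name__ == "__main__":
    # Constructed sample data: our LAN and the LANs of sites we tunnel to.
    local_lan = "192.168.0.0/24"
    remote_lans = ["192.168.0.0/24", "192.168.0.0/16", "10.1.0.0/16",
                   "172.16.0.0/24"]
    clashes = find_conflicts(local_lan, remote_lans)
    print("local LAN:", local_lan, "private:", is_private_block(local_lan))
    print("conflicting remote LANs:", clashes)
    if clashes:
        print("suggested replacement:", suggest_lan(remote_lans + [local_lan]))
```

Passing every network already in use, local and remote, to suggest_lan keeps the proposed range clear of all existing tunnels.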

Using DHCP
DHCP stands for Dynamic Host Configuration Protocol. It allows devices to obtain IP addresses automatically for the network that they are on. When considering the use of DHCP, it is recommended that you use static IPs for servers and network devices, and dynamic addresses for everything else. Things like IP-based printers should be configured using reserved DHCP addresses.

Static IP        Network Devices, Servers
Standard DHCP    Regular Client systems
Reserved DHCP    Printers, special Client systems

While some people recommend configuring servers with reserved IP addresses, it is far better to avoid having all of your critical servers rely on such a single point of failure, or be subject to interference if someone should accidentally deploy a rogue DHCP server on your network.

If you are a broadband user who is also using a domain, you will find it more flexible to have your domain controller (or some other server) handle your DHCP responsibilities instead of your broadband router. On a peer-to-peer network, it will probably be easier for you to use the DHCP functionality of the router, but be advised that if the router is configured to allow access to one of your internal systems from the outside, you will need to assign that system either a static address or a reserved DHCP IP using a different DHCP server (i.e. not the router).

IP Address Allocation
Within a given subnet, you should consider allocating your IP addresses in a consistent fashion, which will make it easier for you to identify or manage users and computers. (For instance, setting firewall rules is easier when all the machines of a certain type are also numbered a certain way.) Here are the suggested guidelines for IP Address Allocation.
