Saturday, January 29, 2011

Best practice for assigning private IP ranges?

Is it common practice to use certain private IP address ranges for certain purposes?

I'm starting to look into setting up virtualization systems and storage servers. Each system has two NICs, one for public network access, and one for internal management and storage access.

Is it common for businesses to use certain ranges for certain purposes? If so, what are these ranges and purposes? Or does everyone do it differently?

I just don't want to do it completely differently from what is standard practice in order to simplify things for new hires, etc.

  • RFC1918 details the 3 IP blocks that are reserved for private address space. The 2 common ones are:

    • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
    • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

    If you're setting up a separate network for storage, it would probably make sense to choose an IP range similar but slightly different to what you are using for regular networking. Consistency is good, but using different IP ranges allows you to be connected to both networks simultaneously, for example if you need to look something up while doing management with your laptop.

    Tauren : So my laptop gets an IP number in the 192.168.0.x range from DHCP. I'm thinking that my storage network should be in the 10.x.x.x range to keep them really separate. Is this common practice, or do many places use something like 192.168.1.x for their storage?
    Antoine Benkemoun : 172.16-31/16 also =) Not much used though.
    pulegium : @Tauren: 192.168.1.x/24 is as equally separate from 192.168.0.x/24 as 10.0.0.x/24 is. It can't be "more" or "less" separate. They are on different subnets, full stop... :)
    pboin : That's true for computers, but not for the people that work on them. Keeping staff members non-confused is a good thing, and naming standards go a long way towards that.
    Tauren : @pulegium: yes, I understand they are actually separate, but I meant in the "human sense", like @pboin mentions.
    From Nic
  • There is about as much consensus on IP addressing as on server names (see this site ad nauseam); it just comes down to personal preference - typically of the first guy to set it all up!

    No, there is no proper way of doing it - simply pick one of the 3 RFC1918 ranges (cheers @Nic Waller), split it into subnets (traditionally /24s but /23s are becoming more popular). Assign one of the subnets for public access and one for private - job done. Really the hard part is setting up the VLANs and ACLs.

    Personally I prefer using the 10.x.x.x range as I can type it quicker than the other two, but really it makes no difference unless you need the larger size (192.168.x.x gives you 256 subnets of 254 IP addresses whereas 10.x.x.x gives you 65,536).

    I would not suggest mixing the ranges, for instance having 192.168.x.x for private and 10.x.x.x for public; technically it shouldn't matter, but it would be very confusing.

    Tauren : @Jon, thanks for your suggestions. this helps confirm most of what I thought was the case.
  • Most systems I've seen attempt to map the IP ranges to a hierarchy of geography and/or system components.

    One employer tended to use:

    10.building.floor.device (with non-user resource VLANs using 10.x.100.x to 10.x.120.x)

    and

    10.major_system.tier_or_subsystem.component

    Tauren : @caelyx: this sounds like a good approach that I could make use of. thanks!
    caelyx : @Tauren - no worries; happy to help! Thanks for the upvote :)
    From caelyx
  • One thing I would suggest is to use randomly selected private ranges from the 10.0.0.0/8 block for all of your private addresses. This avoids lots of problems, particularly when setting up VPNs between home/partner networks and your corporate network. Most home routers (and many corporate setups) use 192.168.0.0/24 or 10.0.0.0/24, so you'll spend hours sorting out various connectivity issues when you try to establish connectivity between two private networks.

    If, however, you chose a random range like 10.145.0.0/16, and then subnet from there, it is far less likely that you will "collide" with a business partner or home network's private IP range.

    : for site addressing you could subnet 10.0.0.0/24 and encode the longitude and latitude in the spare octets. ;-)
    rmalayter : Unless your sites are less than one degree apart. We had two offices a few city blocks apart at one point, which are less than 0.02 degrees apart in terms of lat/lon ;-)
    From rmalayter
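
The random-range suggestion in the answer above, as an added example that is not part of the original thread: it picks a /16 at random from 10.0.0.0/8, skips any block that overlaps a list of ranges to avoid, and carves /24s out of it. The `AVOID` list and the `mgmt`/`storage` purpose names are constructed assumptions.

```python
import ipaddress
import random

PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample: ranges to stay clear of (typical home-router defaults
# plus whatever partner networks are already known). Assumed values.
AVOID = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24",
    "192.168.0.0/24", "192.168.1.0/24",
)]


def free_blocks(avoid, prefix=16):
    """Every /prefix inside 10.0.0.0/8 that overlaps none of the avoid list."""
    return [block for block in PRIVATE_10.subnets(new_prefix=prefix)
            if not any(block.overlaps(net) for net in avoid)]


def pick_site_block(avoid, prefix=16, rng=None):
    """Pick one collision-free block at random; fail loudly if none is left."""
    candidates = free_blocks(avoid, prefix)
    if not candidates:
        raise ValueError("no free block of that size left in 10.0.0.0/8")
    return (rng or random.SystemRandom()).choice(candidates)


def carve_subnets(block, names, prefix=24):
    """Assign consecutive /prefix subnets of block to the given purposes."""
    return dict(zip(names, block.subnets(new_prefix=prefix)))


if __name__ == "__main__":
    site = pick_site_block(AVOID)
    print("site block:", site)
    for name, net in carve_subnets(site, ["mgmt", "storage"]).items():
        print(f"  {name:8} {net}  ({net.num_addresses - 2} usable hosts)")
```

Record the chosen block once and reuse it; rerunning the picker gives a different range each time.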
