I would download a subnetting calculator to save you from getting a migraine
baz
I have been looking into this one myself as I am about to change the IP layout at the school to build in some extra scope:
An IP subnet mask of: 255.255.248.0 would give you 2048 IP addresses based over 8 host networks i.e.:
192.168.1.0 - 192.168.2.0 - 192.168.3.0 - 192.168.4.0 - 192.168.5.0 - 192.168.6.0 - 192.168.7.0 - 192.168.8.0.
What you need to remember is that 192.168.0.0 and 192.168.0.8.255 can not be used so you only have 2046 IP's available.
This kind of setup is really good if you wish to "assign" IP's to specific kit or VLANS.
We run VLANS in my school and the plan would be to do something like:
192.168.1.0 - Servers/Switches/Routers (VLAN1)
192.168.2.0 - Student PC's (VLAN2)
192.168.3.0 - Student PC's (VLAN2)
192.168.4.0 - Student PC's (VLAN2)
192.168.5.0 - Staff PC's/Admin PC's (VLAN3)
192.168.6.0 - Staff PC's/Admin PC's (VLAN3)
192.168.7.0 - Wireless Access (VLAN4)
192.168.8.0 - SPARE
Not an easy thing to turn around but if you manage to work out your subnet first this will save you a lot of hassle. The idea is to capacity plan, look at what you have already (number of devices that need an IP address) then double it.
It's always easier to have more than you need than to have less and struggle to add more later.
Before you set up this VLAN just have a check with your ISP.
This was one of the options we considered (the LEA guys and me) but they realised it might cause problems because other sections of their network, that we would need access to, had a VLAN in the same way. This would mean that one of my PC's could in theory have the same IP address as another PC connected to the LEA network making access not only impossible but likely chaotic.
You are probably fine, and you have probably already checked it out with your LEA - but just worth a mention to anyone else thinking about doing this.
@ictnut
I'm a bit confused about your suggested setup.
If you use a subnet mask of 255.255.248.0 - you get a big range to put all your devices into.
But isn't VLANing (If that's the word to use :) ) on switches used to separate traffic from one network to another?
So, although all devices are on same subnet, the VLANing process will stop them communicating?
Or is that not what VLANs are for :confused:
regards
Simon
Nat with private address means you will never run out of addresses simple.
@bossman
NATing could cause problems with other services supplied by a RBC - e.g. in Lancs, we have a cachepilot with Espresso on it that has a fixed IP RBC assigned address and also we are told to use fixed IP's for our Video conferencing.
Although I presume these issues are bypassable, I know the RBC wouldn't support doing so, so in reality NATing is not an option :(
regards
Simon
Quote: This was one of the options we considered (the LEA guys and me) but they realised it might cause problems because other sections of their network, that we would need access to, had a VLAN in the same way. This would mean that one of my PC's could in theory have the same IP address as another PC connected to the LEA network making access not only impossible but likely chaotic.
This situation is possible but unlikely. The following conditions would need to be true:
1) Two schools had been allocated the same IP range by the LEA.
2) They wanted to communicate with each other.
VLAN's are not relevant to this problem, it's purely a traffic management tool. It's a clash of IP ranges that's the issue.
Quote: So, although all devices are on same subnet, the VLANing process will stop them communicating?
Correct. One would probably have a router/firewall combination to allow communication between hosts on separate VLANs as required.
Quote: NATing could cause problems with other services supplied by a RBC - e.g. in Lancs, we have a cachepilot with Espresso on it that has a fixed IP RBC assigned address and also we are told to use fixed IP's for our Video conferencing.
Implementing a DMZ solves the first problem, port forwarding (or a Gatekeeper or a SOCKs proxy) the second.
@Geof - the resources that may have a similar range are part of the LEA hosted services - things that they provide that we want to use - not within another school so 2) would definitely be true and 1) the entire 192. range within the two vlans would be the same so you would be going say 192.168.1.48 in my school to the LEA service running on 192.168.1.48 in their VLAN.
It probably would be ok - but they suggested not to risk it.
VLAN tagged data should not exit your internal network. If it does, your network is broken.
If your LEA network is accepting VLAN tagged data then their network is broken.
Implement proper egress/ingress filtering on your border firewall.
@Geoff - Just repeating what I was told in the hope of helping someone else.
Fair enough, I'm saying what best practice is. :)
@Geoff and @Limbo:
Our LEA only provides a single Gateway/Router IP so school can get out on the "internet". At the moment NO OTHER services are provided to schools via the LEA.
All schools are in control of their own internal IP addressing.
Each school LEA assigned IP is on its own VLAN within the LEA and resides in a 10.x.x.x range. All schools are advised to use either a 192.168.x.x or 172.x.x.x range.
All of our VLAN data is tagged at switch/router level and relaying is used in order to distribute IP's along the correct VLANs
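Added example, not part of any post in this thread: a Python sketch of the address arithmetic discussed above, deriving the block that mask 255.255.248.0 produces and checking it against ranges an upstream network already uses (the IP clash raised earlier in the thread). The `UPSTREAM` list is constructed sample data and the function names are illustrative.

```python
import ipaddress

def block_for(address, mask):
    """Return the enclosing network for address/mask and its /24 slices."""
    # strict=False snaps any address inside the block to the block boundary.
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return net, list(net.subnets(new_prefix=24))

def usable_hosts(net):
    """Addresses left once the network and broadcast addresses are excluded."""
    return net.num_addresses - 2

def clashes(local, upstream_ranges):
    """Upstream ranges that overlap the local block."""
    return [r for r in upstream_ranges if local.overlaps(ipaddress.ip_network(r))]

# Constructed sample data: ranges assumed to be in use upstream.
UPSTREAM = ["10.0.0.0/8", "192.168.1.0/24"]

if __name__ == "__main__":
    for start in ("192.168.1.0", "172.16.0.0"):
        net, slices = block_for(start, "255.255.248.0")
        print(net, "first:", net.network_address, "last:", net.broadcast_address)
        print("  /24 slices:", ", ".join(str(s) for s in slices))
        print("  usable hosts:", usable_hosts(net))
        print("  overlaps upstream:", clashes(net, UPSTREAM) or "none")
```

Running the check before renumbering shows whether a planned block collides with anything the school needs to reach through the upstream gateway.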