4

I have a Draytek Vigor 2820 which is connected to three gigabit Netgear Layer 2 switches. Currently the network is fairly simple, 192.168.1.0/24.

On the network I have 7 servers, around 50 computers, 6 network printers, 16 IP phones and between 5 and 10 wireless laptops that are connected via three wireless access points.

Although we have plenty of IP addresses available I think it could be a little more efficient in terms of identifying a device using its IP address.

We have three branches as well which connect via VPN tunnels.

So far we have the following IP structure:

Main Practice - 192.168.1.0/24
Branch 1.     - 192.168.2.0/24
Branch 2.     - 192.168.3.0/24
Branch 3.     - 192.168.4.0/24

We refer to them as branches but they are essentially permanent home workers for the most part. It is set so that any non-tunnel VPN user is assigned an IP address greater than 192.168.1.200/24.

What I would like to do is put all servers on something like 10.1.1.0/24, the wireless access points on 10.1.2.0/24 and perhaps the printers on 10.1.3.0/24.

I don't think our network needs VLANS, but I think the above idea would simplify things. Not to mention make our number of available host addresses far greater.

Using one router, is it possible to add a static route to a different subnet using the same gateway? I have one DHCP server running on Windows 2008 R2, I presume I can add a new scope for each of the new subnets?

Any major downsides to this plan?

dannymcc

2 Answers

5

Any major downsides to this plan?

Yes. It's unnecessarily complicated. Generally speaking you separate out your devices on different subnets because you have a requirement for filtering, logging or routing. For example: All your DMZ services live on a separate subnet that your clients can't directly access.

Unless you get serious advantages by using this setup that I can't see (which is certainly possible), you're just buying extra complexity. Resist the temptation to be overly clever.

Although we have plenty of IP addresses available I think it could be a little more efficient in terms of identifying a device using its IP address.

In my opinion, if you're trying to identify devices via their IP addresses, You're Doing It Wrong. While it sounds like a nice idea to have your servers in this IP subnet, and printers in that one, and workstations in another, and wireless clients in yet another one - pretty soon you'll find your routing tables getting complicated... quickly (and needlessly).

There already is a service set up to identify devices... DNS! Why bother trying to remember IPs when you can give your devices human-meaningful names?

I don't think our network needs VLANS, but I think the above idea would simplify things. Not to mention make our number of available host addresses far greater.

I think you're right here, you probably don't need VLANs. However it may still be worth putting all your VOIP devices on a separate VLAN if there are performance issues.

0

I assume you want to add multiple subnets on the same physical segment? While this is possible, this will require you to define an "ip alias" or a "subinterface" (depending on the exact terminology used by your exact brand of router - I am not familiar with it) basically assigning multiple IP addresses on the same physical interface.

One problem with doing this is that all your traffic from your LAN to the server will have to pass through the router, which will most probably not be able to route at gigabit speeds, and even if it can, there'll still be a slowdown.

I'm not too familiar with Windows' DHCP server so I don't know if it will do what you want it to do - multiple subnets on a single network segment. But you'd have to have some way to configure the DHCP server to provide different subnets depending on the MAC address of the computer requesting an IP.

There is not really any security benefit, either, an attacker could just as well just create an IP alias on your workstations to access your server LAN directly.

I would personally not implement something like this, because it would make your network more complex - not less. I would either use multiple VLANs or I'd just stick everything on the same subnet.

Per von Zweigbergk
  • Hmm, maybe it would be simpler to use a wider range of IPs with a lower subnet mask. 255.255.0.0 would allow me to assign 1.0 for one range of devices and 2.0 for another. This would dramatically increase broadcast traffic though, wouldn't it? – dannymcc Nov 26 '11 at 18:44
  • Making your subnet mask bigger won't increase the amount of broadcast traffic per se. The amount of broadcast traffic depends on the number of devices connected to a single broadcast domain. Simply using multiple subnets on the same Ethernet network will do nothing to reduce your broadcast traffic - because broadcast traffic will be sent out to every port on the switch connected to the same VLAN irrespective of what Ethernet subnet it has configured. Remember, Layer 2 switches don't care at all about what Layer 3 protocol you're running, broadcast frames go out on all ports. – Per von Zweigbergk Nov 26 '11 at 18:56
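The three points made in the second answer and its comment (every LAN-to-server packet has to cross the router; a workstation that adds an IP alias in the server range reaches the servers directly, so the subnet split gives no security; and the broadcast domain is set by the switch/VLAN, not by the IP subnet) can be checked with a small model of how a host picks a next hop. The code below is an added example and is not from either answer; the hostnames, the 10.1.x.0/24 server and printer ranges, and the gateway addresses are assumed for the illustration, following the layout proposed in the question.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass
class Host:
    name: str
    segment: str        # the L2 broadcast domain the NIC is attached to (switch or VLAN)
    addrs: tuple        # IPv4Interface objects: the primary address first, then any aliases
    gateway: IPv4Address


def forwarding(src: Host, dst: Host) -> str:
    """Decide where src sends a packet addressed to dst's primary address.

    A connected (on-link) route wins over the default route, exactly as on a real host
    stack. On-link delivery still needs ARP to resolve dst, which only works when both
    NICs share a broadcast domain; otherwise the packet is simply lost.
    """
    target = dst.addrs[0].ip
    if any(target in a.network for a in src.addrs):
        return "direct" if src.segment == dst.segment else "unreachable (ARP fails)"
    return f"via {src.gateway}"


def broadcast_domains(hosts) -> dict:
    """Group hosts by L2 segment. IP subnets play no part in the grouping."""
    domains = {}
    for h in hosts:
        domains.setdefault(h.segment, set()).add(h.name)
    return domains


# Constructed topology (assumed addresses, not taken from the question).
GW = IPv4Address("192.168.1.1")
WORKSTATION = Host("ws", "lan", (IPv4Interface("192.168.1.50/24"),), GW)
SERVER = Host("srv", "lan", (IPv4Interface("10.1.1.10/24"),), IPv4Address("10.1.1.1"))
PRINTER = Host("prn", "lan", (IPv4Interface("10.1.3.10/24"),), IPv4Address("10.1.3.1"))
# The same workstation after an attacker runs `ip addr add 10.1.1.50/24 dev eth0`
# (or the Windows equivalent) to give it an alias inside the server range.
ALIASED = Host("ws", "lan",
               (IPv4Interface("192.168.1.50/24"), IPv4Interface("10.1.1.50/24")), GW)
# The server if it were moved into its own VLAN rather than just its own subnet.
VLAN_SERVER = Host("srv", "servers-vlan", (IPv4Interface("10.1.1.10/24"),),
                   IPv4Address("10.1.1.1"))
HOSTS = (WORKSTATION, SERVER, PRINTER, VLAN_SERVER)


if __name__ == "__main__":
    print(forwarding(WORKSTATION, SERVER))    # via 192.168.1.1 (every packet crosses the router)
    print(forwarding(ALIASED, SERVER))        # direct (the alias bypasses the router and any ACL on it)
    print(forwarding(ALIASED, VLAN_SERVER))   # unreachable (ARP fails)
    print(broadcast_domains(HOSTS))           # 'lan' still holds ws, srv and prn: three subnets, one domain
```

The third case is the one that matters for security: only when the servers sit in a separate broadcast domain (a VLAN, with the router or a firewall between the domains) does adding an alias stop working, because the workstation can no longer ARP for the server at all. With subnets alone on a single flat switch, the router is an optional hop that any host can choose to skip.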