
I know there are 3 different classes of IP address reserved for private networks. They are 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8.

In our company we use 192.168.0.0/16 for many things: servers, printers, VPN, computers, etc. But I have noticed many other companies use 172.16.0.0/12 or 10.0.0.0/8 instead. I know the technical differences: they offer different numbers of contiguous segments and different quantities of IPs. But can you tell me why they use 172.xx or 10.xxx? What's the advantage in a network infrastructure?

MadHatter
Yichaoz

2 Answers

5

There is no technical difference.

The main reason I choose to avoid 192.168 like the plague is that every piece of SOHO equipment comes out of the box using it; often, using 192.168.0/24, which means that many company networks that have grown from small installations using this equipment are still using that address range.

Sooner or later, every RFC1918-addressed network I've ever run ends up needing to peer (via VPN) with some other RFC1918-addressed network. If there's no overlap, it makes the whole job much easier; 172.16 networks have the least chance of overlapping, simply because so few people choose to use that space. 10. is next best, though don't run with a /8 netmask unless you know for a fact that it's a good idea (hint: it never is).

Edit: Kossel, I don't entirely understand your comment. If you mean "can I use 192.168 for the desktops but NAT it all to 172.16 for VPN purposes", that's exactly the sort of headaches us old-timers are grumbling about in the comments. It's much better if your office network doesn't overlap with the network you're trying to VPN to. Usually you don't control the addressing on the remote network, it belongs to some business partner or outsourced provider, who will have often picked 192.168 for their network. So I find the chances of avoiding overlap are maximised when I'm using 172.16 on my desktops.

MadHatter
  • +1000 for the VPN consideration. This is the explanation our network admin found himself forced to beat into my skull... and sure enough.. The second I had to deal with overlapping subnets on the 192 in a vpn setup, I found myself with a headache that lasted for days. -- Worth mentioning: IF you are using the whole 192.168.0.0/16 subnet, and you ever have to implement VPN traffic, there will almost certainly be issues. – Daniel Widrick Sep 30 '13 at 14:23
  • I'm glad some others besides myself think this way, though I'm sorry for your headache. Ubiquitous IPv6 can't come too fast for me! – MadHatter Sep 30 '13 at 14:23
  • I'm using IPv6 very aggressively - even tunneling when I have to - just to avoid these sorts of issues. – Michael Hampton Sep 30 '13 at 14:35
  • Can a 192.168.x network coexist with 172? I mean, office PCs on 192.168, and for VPN use 172. – Yichaoz Sep 30 '13 at 14:36
  • Ditto; I just look forward to the day when someone comes and says "we need to hook a new network in via VPN, it's 2001:4e58:cb51:35/56" as a matter of course. – MadHatter Sep 30 '13 at 14:37
  • @kossel Can modern devices use more than one IP address? Yes. But if you're going to assign an address from 192.168.0.0/16 for internal use and an address from 172.16.0.0/16 for VPN use to the same device twice, then why not just assign the 172.16.0.0/16 address and use it for both purposes and save yourself a lot of work? – Rob Moir Sep 30 '13 at 14:44
  • Thanks, after this post I'm considering changing the IP addresses to 172 before it's too late. We started with 20 PCs as a small office, but now we are at about 150 devices + 20 VPN users. – Yichaoz Sep 30 '13 at 15:02
  • RobM, good point, though dual-addressing won't help with the scenario I'm describing: all the local devices, possessing as they do 192.168 addresses, will believe that the remote 192.168 network is in fact local. Dual-addressing helps packets get in from the remote network, but it does nothing to help replies get back. – MadHatter Sep 30 '13 at 15:07
  • I was fine on 192.168.1.0/24 and 192.168.2.0/24 for my two networks until I had to get VPN working for one, and the explosion of devices (Number of devices >> number of users) on the other. I moved to 172 (but not .16 - not needing a /12, I set up a /22 and a /18 in the upper part of the space, away from 172.16 for the same reason I was moving there at all - wanting to minimize the possibility that "wherever my users were coming from" was using the same space. I am also awaiting widespread IPv6 adoption with anticipation of life getting somewhat easier when it comes to pass. – Ecnerwal Sep 30 '13 at 16:09
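
The overlap problem described in the answer and comments above can be checked before a VPN peering is set up. The following is an added example, not code from any poster in this thread: it reports which local and remote RFC 1918 ranges collide and suggests a free block, searching 172.16.0.0/12 first as the answer recommends. The function names and sample networks are constructed for illustration.

```python
import ipaddress

# RFC 1918 blocks, searched in the order of preference the answer gives:
# 172.16/12 (least commonly used), then 10/8, then 192.168/16.
POOLS = [ipaddress.ip_network(n)
         for n in ("172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16")]


def find_conflicts(local, remote):
    """Return every (local, remote) pair of networks that share addresses."""
    local = [ipaddress.ip_network(n) for n in local]
    remote = [ipaddress.ip_network(n) for n in remote]
    return [(loc, rem) for loc in local for rem in remote if loc.overlaps(rem)]


def pick_free_subnet(prefixlen, in_use, pools=POOLS):
    """Return the first subnet of the given size that overlaps nothing in in_use."""
    used = [ipaddress.ip_network(n) for n in in_use]
    for pool in pools:
        if prefixlen < pool.prefixlen:
            continue  # requested block is larger than this pool
        for candidate in pool.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(u) for u in used):
                return candidate
    return None  # nothing of that size is free in any pool


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    office = ["192.168.0.0/16"]
    partner = ["192.168.1.0/24", "10.20.0.0/16"]
    for loc, rem in find_conflicts(office, partner):
        # Hosts in `loc` treat `rem` as on-link, so replies never reach the VPN.
        print(f"conflict: local {loc} overlaps remote {rem}")
    print("suggested new office range:", pick_free_subnet(22, office + partner))
```

Feeding `in_use` with every range you already route, including those of existing VPN peers, keeps the suggestion clear of all of them.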
0

There is no advantage beyond the number of available addresses in each range.

longneck