IP Addressing Guide

Revision: H1CY11

The Purpose of This Guide

The Purpose of This Guide

This guide introduces you to the basics of IP addressing and prepares you to create an IP addressing plan for your network.

This guide is a concise reference on IP addressing best practices, including:

• ThebasicconceptsofIPaddressing

• TheIPaddressingplanusedintheCiscoSmartBusinessArchitecture(SBA)Foundationlabnetwork

• ThestepsyoushouldfollowtocreateyourownIPAddressingPlan

• HowtomaintainyourIPspaceasyournetworkevolves

Who Should Read This Guide

This guide is intended for the reader with any or all of the following:

• Anorganizationwithupto2500connectedemployees

• Upto75remotesiteswithapproximately25employeeseach

• ITworkerswithaCCNA®certificationorequivalentexperience

Thereadermayrequireanyofthefollowing:

• AgeneralunderstandingofIPaddressingandsubnetting

• GeneralIPaddressingguidancewhileredesigninganexistingnetwork

• Guidanceonhowtoaddnewservicestoanexistingnetwork

• AssistanceplanningfortheacquisitionofacompanythathasadifferentIP address space

• AplanforexpansionafterrunningoutofIPaddressspace

• AnIPaddressmigrationpathforgrowth

• AnIPaddressingplanthatcanbeusedinmidsizenetworksasatem-plateforcustomerdeployments

Before reading this guide

FoundationDesignOverview

FoundationDeploymentGuide

FoundationConfigurationFilesGuide

IPv4 Addressing

ConfigurationFiles

Design Guides Deployment Guides

Foundation

IPv6 Addressing

You are Here

Supplemental Guides

Table of Contents

ALLDESIGNS,SPECIFICATIONS,STATEMENTS,INFORMATION,ANDRECOMMENDATIONS(COLLECTIVELY,"DESIGNS")INTHISMANUALAREPRESENTED"ASIS,"WITHALLFAULTS.CISCOANDITSSUPPLIERSDISCLAIMALLWARRANTIES,INCLUDING,WITHOUTLIMITATION,THEWARRANTYOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSEANDNONINFRINGEMENTORARISINGFROMACOURSEOFDEALING,USAGE,ORTRADEPRACTICE.INNOEVENTSHALLCISCOORITSSUPPLIERSBELIABLEFORANYINDIRECT,SPECIAL,CONSEQUENTIAL,ORINCIDENTALDAMAGES,INCLUDING,WITHOUTLIMITA-TION,LOSTPROFITSORLOSSORDAMAGETODATAARISINGOUTOFTHEUSEORINABILITYTOUSETHEDESIGNS,EVENIFCISCOORITSSUPPLIERSHAVEBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.THEDESIGNSARESUBJECTTOCHANGEWITHOUTNOTICE.USERSARESOLELYRESPONSIBLEFORTHEIRAPPLICATIONOFTHEDESIGNS.THEDESIGNSDONOTCONSTITUTETHETECHNICALOROTHERPROFESSIONALADVICEOFCISCO,ITSSUPPLIERSORPARTNERS.USERSSHOULDCONSULTTHEIROWNTECHNICALADVISORSBEFOREIMPLEMENTINGTHEDESIGNS.RESULTSMAYVARYDEPENDINGONFACTORSNOTTESTEDBYCISCO.

AnyInternetProtocol(IP)addressesusedinthisdocumentarenotintendedtobeactualaddresses.Anyexamples,commanddisplayoutput,andfiguresincludedinthedocumentareshownforillustrativepurposesonly.AnyuseofactualIPaddressesinillustrativecontentisunintentionalandcoincidental.CiscoUnifiedCommunicationsSRND(BasedonCiscoUnifiedCommunicationsManager7.x)

©2010CiscoSystems,Inc.Allrightsreserved.

Table of Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1Guiding Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

IP Addressing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2

IP Addressing Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3IP Address Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Private IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Subnetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

VariableLengthSubnetMasks(VLSMs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

VoiceOverlaySubnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Summarization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

IPMulticast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Managing IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8IPAddressingintheSmartBusinessArchitecture. . . . . . . . . . . . . . . . . . . . . . 8

Appendix A: Subnet Design Worksheet for SBA . . . . . . . . . . . . . . . . . . . . . . . . .16

Appendix B: SBA for Midsize Organizations Document System . . . . . . . . . .17

1Introduction

SBAOverview

The Cisco®SmartBusinessArchitecture(SBA)isacomprehensivedesignfornetworkswithupto2500users.Thisout-of-the-boxdesignissimple,fast,affordable,scalable,andflexible.Therearethreeoptionsbasedonyourscalingneeds:upto600users,1000users,andupto2500users.

TheCiscoSBAforMidsizeOrganizationsincorporatesLAN,WAN,wireless,security,WANoptimization,andunifiedcommunicationtechnologiestestedtogetherasasolution.Thissolution-levelapproachsimplifiesthesystemintegrationnormallyassociatedwithmultipletechnologies,allowingyoutoselectthemodulesthatsolveyourorganization’sproblemsratherthanworrying about the technical details.

WehavedesignedtheCiscoSmartBusinessArchitecturetobeeasytoconfigure,deploy,andmanage.Thisarchitecture:

• Providesasolidnetworkfoundation

• Makesdeploymentfastandeasy

• Acceleratesabilitytoeasilydeployadditionalservices

• Avoidstheneedforre-engineeringofthecorenetwork

BydeployingtheCiscoSmartBusinessArchitecture,yourorganizationcangain:

• Astandardizeddesign,testedandsupportedbyCisco.

• Optimizedarchitecturesformidsizeorganizationswithupto2500users.

• WANwithupto75remotesiteswithaheadquarterssite,regionalsite,andapproximately25usersperremotesite.

• Flexiblearchitecturetohelpensureeasymigrationastheorganizationgrows.

• Seamlesssupportforquickdeploymentofwiredandwirelessnetworkaccess for data, voice, teleworker, and wireless guest.

• Securityandhighavailabilityforcorporateinformationresources,servers, and Internet-facing applications.

• ImprovedWANperformanceandcostreductionthroughtheuseofWANoptimization.

• SimplifieddeploymentandoperationbyITworkerswithCCNA® certifica-tionorequivalentexperience.

• Ciscoenterprise-classreliabilityinproductsdesignedformidsizeorganizations.

Guiding Principles

Wedividedthedeploymentprocessintomodulesaccordingtothefollowingprinciples:

• Ease of use:AtoprequirementofCiscoSBAwastodevelopadesignthatcouldbedeployedwiththeminimalamountofconfigurationandday-twomanagement.

• Cost-effective: Anothercriticalrequirementasweselectedproductswastomeetthebudgetguidelinesformidsizeorganizations.

• Flexibility and scalability: Astheorganizationgrows,sotoomustitsinfrastructure.Productsselectedmusthavetheabilitytogroworberepurposed within the architecture.

• Reuse: Westrived,whenpossible,toreusethesameproductsthroughoutthevariousmodulestominimizethenumberofproductsrequiredforspares.

UserServices

NetworkServices

NetworkFoundation

Voice,Video,

Web Meetings

Security, WAN Optimization,

Guest Access

Routing, Switching,Wireless, and Internet

TheCiscoSmartBusinessArchitecturecanbebrokendownintothefollow-ingthreeprimary,modularyetinterdependentcomponentsforthemidsizeorganization.

• Network Foundation: A network that supports the architecture

• Network Services: Featuresthatoperateinthebackgroundtoimproveandenabletheuserexperiencewithoutdirectuserawareness

• User Services: Applications with which a user interacts directly

2IPAddressingOverview

IPAddressingOverview

An IP address uniquely identifies a device on an IP network.

Allocating,recycling,anddocumentingIPaddressesandsubnetsinanet-work can get confusing very quickly if you have not laid out an IP addressing plan. A sound plan will help you prepare the network foundation to support additionalservicessuchasunifiedcommunications,wirelessaccess,andenhanced network security.

IPaddressingisaNetworkFoundationservice,whichmakesitcoretothenetwork design. It provides the base for all other network and user services. Withoutthefoundation,itwouldnotbepossibletointeractwithnetworkanduserservices,frompickingupthephoneusingthephoneservicetoreadingemailusingtheemailservice.

ByfollowingrecommendedIPaddressmanagementstandards,youcanavoid:

• Overlappingorduplicatesubnets

• Unsummarizedroutesinthenetwork

• DuplicateIPaddressdeviceassignments

• WastedIPaddressspace

• Unnecessarycomplexity

3IPAddressingBasics

IPAddressingBasics

IPversion4(IPv4)addresses,whichuniquelyidentifyadeviceonanIPnetwork,are32bitsinlengthandaretypicallycommunicatedinaformatknownasdotteddecimal.

The32binarybitsare:

• Dividedintoanetworkportionandhostportion

• Brokenintofouroctets(1octet=8bits).Eachoctetcanbeconvertedtobinary.

ConsiderthisIPaddress,whichispresentedindotteddecimal:10 .10 .16 .1. The address breaks down into the following octets:

• 10

• 10

• 16

• 1

Thevalueineachoctetrangesfrom0to255decimal,or00000000–11111111binary.Inbinary,theaddress10.10.16.1isrepresentedas:00001010 .00001010 .00010000 .00000001.

IP Address Classes

IP addresses are split up into several different categories, including Class A, B,C,D(Multicast),andE(Reserved).

Addressclassesaredefined,inpart,basedonthenumberofbitsthatmakeupthenetworkportionoftheaddress,andinturn,onhowmanyareleftforthe definition of individual host addresses.

• InClassAaddresses,thefirstoctetisthenetworkportion.

• InClassB,thefirsttwooctetsarethenetworkportion.

• InClassC,thefirst3octetsarethenetworkportion.

Figure1showshowthenetworkandhostIDsaredifferentforeachclassofIP addresses.

ClassAhas3octetsforthehostportionoftheaddress.Deployedasis,aClass A address represents a very inefficient use of address space, since availableLayer2technologiescannoteasilysupportthismanyhostsonasinglesubnet.Subnettingusesthisaddressspaceefficiently.

Tech Tip

IPversion6(IPv6)isthenextgenerationofIPaddressing.IPv6 quadruplesthenumberofnetworkaddressbitsfrom32bits(inIPv4) to128bits,whichprovidesenoughgloballyuniqueIPaddressesforeverynetworkeddeviceontheplanet.IPv6isanimportantprotocol forthefutureofIPnetworking.Moreinformationcanbefoundat www.cisco.com/go/ipv6.

Figure1.Classful Addresses

24 bits (Node ID) 1.0.0.0 – 127.255.255.255Class A 0

Net ID

1 20 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 00 1 2 3

1 2 3 4 5 6 7

16 bits (Node ID) 128.0.0.0 – 191.255.255.255Class B 1 0

1 0

1 1 0

1 1 1 0

Net ID

1 20 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 00 1 2 3

1 2 3 4 5 6 7

8 bits (Node ID)21 Bits 192.0.0.0 – 223.255.255.255Class C 1

Net ID

1 20 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 00 1 2 3

1 2 3 4 5 6 7

Multicast Group ID (28 Bits) 224.0.0.0 – 239.255.255.255Class D 1

Multicast

1 20 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 00 1 2 3

1 2 3 4 5 6 7

Reserved for Future Use (27 Bits) 240.0.0.0 – 254.255.255.255Class E 0

Experimental

1 20 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 00 1 2 3

1 2 3 4 5 6 7

4IPAddressingBasics

Private IP Addressing

TheInternetAssignedNumbersAuthority(IANA)hasreservedanumberofIPv4 network ranges as private. These network addresses are routed in the publicInternetasdefinedinRFC1918.

Thesenetworkranges,knownasRFC1918addresses,arereservedfororganizationsthatwanttobuildaninternalnetworkinfrastructurebasedonTCP/IPbuteitherdonothaveordonotwanttousepublicIPspace.

RFC1918spaceincludesthefollowingthreeblocksofIPaddressspace:

• 10.0.0.0–10.255.255.255(10.0.0.0/8),whichallowsthegreatestflexibilitywiththeequivalentof255ClassBaddressspacestobeusedasneeded.

• 172.16.0.0–172.31.255.255(172.16.0.0/12),whichallowsfor16ClassBaddress spaces.

• 192.168.0.0–192.168.255.255(192.168.0.0/16),whichallowsforoneClassBaddressspace.

Byuniversallyrecognizingtheserangesasprivateandnon-routableintheInternet,multipleorganizationscanusetheserangesinternallywithoutcausingaconflictwithpublicInternetaddresses.Ifanorganizationattemptstoroutethesenetworksexternally,thetrafficisfilteredanddroppedbytheInternetServiceProvider.

SinceRFC1918spaceiscompletelyprivate,itallowsanincredibleamountofflexibilitywhendesigninganetwork.

Tech Tip

ToallowtrafficfromhoststhatareusingprivateaddressestoaccessInternethostsusingapublicaddress,NetworkAddressTranslation(NAT)isrequired.NATallowsinternalhoststobetranslatedtoapublicaddress for Internet access. Public address space is difficult to get and canbeexpensivesothesmallpoolofpublicaddressesthatanISPallocatesmustbeusedsparingly.(PleaseseeNATintheCiscoSBADeploymentGuide.).

Subnetting

SubnettingallowsyoutocreatemultiplelogicalnetworksthatexistwithinasingleClassA,B,orCnetwork.Ifyoudonotsubnet,youcanonlyuseonenetworkfromyourClassA,B,orCnetwork,whichissimplyunrealistic.

Eachdatalinkonanetworkmusthaveauniquenetworkaddress,witheveryhostonthatlinkbeingamemberofthesamenetwork.Ifyoubreakamajornetwork(ClassA,B,orC)intosmallersubnetworks,youcancreateanetworkofinterconnectedsubnetworks.Eachdatalinkonthisnetworkwouldthenhaveauniquenetwork/subnetworkID.

Tosubnetanetwork,extendthemaskusingsomeofthebitsfromthehostIDportionoftheaddresstocreateasubnetworkID.Forexample:Givenanetworkof192.168.5.0/24,whichhasamaskof255.255.255.0,youcancreatesubnetsinthismanner:

192.168.5.0 - 11000000.10101000.00000101.00000000255.255.255.224 - 11111111.11111111.11111111.11100000------------------------------------------[sub]------

Theaddressontheleftisindotteddecimalnotation,andthebinaryrepre-sentationisontheright.WhenplanningIPsubnetting,sometimesitiseasiertovisualizethedifferentportionsofthenetworkaddresswhenlookingatthebinaryformat.Thesubnetmaskisalsorepresentedindotteddecimalandbinary.Anyaddressbitsthathavecorrespondingmaskbitssetto1repre-sentthenetworkID.Anyaddressbitsthathavecorrespondingmaskbitssetto0representthehostID.

Byextendingthemasktobe255.255.255.224,you’vetakenthreebits(indi-catedbysub)fromtheoriginalhostportionoftheaddressandusedthemtomakesubnets.Withthesethreebits,youcancreateeightsubnets.WiththeremainingfivehostIDbits,eachsubnetcanhaveupto32hostaddresses.Asinglesubnetcanbesplitupintoeight32-hostsubnets.Eight32-hostsubnets,however,maynotbeflexibleenough.Forexample:

192.168.5.0 255.255.255.224 address range 0 to 31 192.168.5.32 255.255.255.224 address range 32 to 63 … 192.168.5.224 255.255.255.224 address range 224 to 255

5IPAddressingBasics

Tech Tip

Therearetwowaystodenotesubnetmasks:

• Sinceyouareusingthreebitsmorethantheoriginallyspecified255.255.255.0mask,themaskisnow255.255.255.224.

• Themaskcanalsobedenotedas/27asthereare27bitsthataresetinthemask.Themaskisdenotedwiththenotationprefix/length.Forexample:192.168.5.32/27denotesthenetwork192.168.5.32withamaskof255.255.255.224.

Whenappropriate,theprefix/lengthnotationisusedtodenotethemaskthroughouttherestofthisdocument.

Variable Length Subnet Masks (VLSMs)

VariableLengthSubnetMasks(VLSMs)allowyoutousedifferentmasksforeachsubnet,andtherebyuseaddressspaceefficiently.Withprivateaddressspace,itisrarelynecessarytoshrinkbelowa/24subnetmaskasspaceisplentiful.UseVLSMto:

• Createalargersubnetofmorethan255hostaddresses

• CreateverysmallsubnetsforWANlinks

• Configureloopbackaddresses

VLSM Example

Giventhe192.168.5.0/24networkandrequirementsbelow,developasubnettingschemewiththeuseofVLSM:

• netAmustsupport330hosts

• netBmustsupport6hostsforapoint-to-pointWANlinksupportingHotStandbyRouterProtocol(HSRP)

• netCmustsupport2hostsforaT1circuittoaremotesite

• netDmustsupportasingleaddressforarouterloopback

Thefirststepistodeterminewhatmaskallowstherequirednumberofhosts.

• netArequiresa/23(255.255.254.0)masktosupport510hosts

• netBrequiresa/29(255.255.255.248)masktosupport6hosts

• netCrequiresa/30(255.255.255.252)masktosupport2hosts

• netDrequiresa/32(255.255.255.255)masktosupport1address

*This is a special configuration reserved for loopback addresses.

Theeasiestwaytoassignthesubnetsistoassignthelargestfirst.Forexample:Youcanassignthesubnetsinthismanner:

• netA—192.168.5.0/23addressrange5.0to6.255

• netB—192.168.7.0/28addressrange0to7

• netC—192.168.7.8/28addressrange8to11

• netD—192.168.7.12/32addressof12

Reader Tip

ForspecificinformationonIPaddressingandvariablelengthsubnetmasks,pleasereference“IPAddressingandSubnettingforNewUsers,”DocumentID:13788,www.cisco.com/en/US/tech/tk365/technolo-gies_tech_note09186a00800a67f5.shtml.

Voice Overlay Subnets

Whenaddinganewservicesuchasunifiedcommunicationsorqualityofservice,itissometimeshelpfultooverlayadifferentprivateIPaddressrangeonanexistingIPaddressingscheme.Forexample:

• Allvoicecouldbeonitsownsubnetrangefromthe10.0.0.0/8or172.16.0.0/16blocks.

• Asimplemaskcoveringall172.16.0.0/16or10.0.0.0/8addressescouldbe used to classify voice traffic across all sites.

Suchanapproachcanhelpsolvescalabilityissueswithanaddressingplanthatwasnotdesignedtoaccommodateenoughsubnetsandhostsforeachsite to support a new service.

6IPAddressingBasics

Forexample:Twoexistingbrancheshavewiredandwirelessdataaccessandwouldliketoaddvoice.Theyhavereservedalloftheir192.168subnetspace.Thevoicesubnetisoverlaidina10.X.X.XaddressrangehighlightedinredinFigure2.

Figure2.VoiceOverlaySubnets

192.168.64.0/24 Data Subnet192.168.65.0/24 Wireless Subnet

Two Routes Advertised as192.168.64.0/21 ➝10.1.0.0/21 (Voice) ➝

Remote Site 1

Headquarters

10.1.1.0/24 Voice Subnet

192.168.72.0/24 Data Subnet192.168.73.0/24 Wireless Subnet

Remote Site 2

10.1.8.0/24 Voice SubnetTwo Routes Advertised as192.168.72.0/21 ➝10.1.8.0/21 (Voice) ➝

Summarization

SummarizingIPaddressesensuresthattherearenoentriesforchildroutes,whichareroutesthatarecreatedforanycombinationoftheindividualIPaddressescontainedwithinasummaryaddressintheroutingtable.Thissummarizationreducesthesizeoftheroutingtableandallowstheroutertohandlemoreroutes.

Inasmallnetwork,summarizationisoftennotnecessaryatfirst.However,asthenetworkstartstoexpand,itneedstoscale.SummarizationprovidestheabilitytoscaleIPaddressspacefromasingle-siteheadquarterstoanadditionalremotesitelocationandthenincludehundredsofremotesites.

AnexampleofsummarizationfromthenetworkheadquartersouttotheremotesitelocationsisshowninFigure3.NormalIProutingadvertisementwouldhavesentoutsevenroutesintheroutingtable.Withsummarization,allsevenroutesaresummarizedbacktotheheadquartersasasingleroute.

Figure3.IPSummarizationatHeadquarters

HQ Access 1

HQ Access 2

Server Room

Single Route Advertised as10.10.0.0/19 ➝

10.10.32.0/24 Core RoutingSubnet

10.10.0.0/24 Data Subnet10.10.2.0/24 Voice Subnet10.10.16.0/24 Wireless Data Subnet10.10.20.0/24 Wireless Voice Subnet

10.10.48.0/24 Data Subnet10.10.49.0/24 Data Subnet

Summarizationcanbeusedinallplaceswheretheaddressingiscontigu-ousorspecifictoalocation.IfexistingIPaddressingdoesnotallowforsummarization,documentitandleaveitbewhileyoudeployfutureIPspacethatcanbesummarized.

Tech Tip

Besuretoturnoffauto-summarizationintheEnhancedInteriorGatewayRoutingProtocol(EIGRP)iftherearenoncontiguousIPspaces.

IP Multicast

IPMulticastisabandwidthconservationtechnologythatreducestrafficandserverloadsbyallowingasinglestreamofinformationonthenetworktobereceived by thousands of users.

Applicationsthattakeadvantageofmulticasttechnologiesinclude:

• Videoconferencing

• Corporatecommunications

• Musiconhold

7IPAddressingBasics

• Distancelearning

• Distributionofsoftware,stockquotes,andnews

IANAhasreservedtherangeof239.0.0.0/8asAdministrativelyScopedaddressesforuseinprivatemulticastdomains.TheseaddressesaresimilarinnaturetothereservedIPunicastranges(suchas10.0.0.0/8)definedinRFC1918andwillnotbeassignedbytheIANAtoanyothergrouporprotocol.

AcorporatemulticastIPaddressingplan,justlikeaunicastaddressingplan,needs to be provisioned for the entire network.

Reader Tip

FormoreinformationonIPMulticast,pleasevisit www.cisco.com/go/multicast .

8ManagingIPAddresses

ManagingIPAddresses

Withproperplanning,theIPnetworkcanbemoreorganized,easiertosetup, and easier to troubleshoot than user and network services.

BeforeexplaininghowtocreateyourownIPaddressingplan,wewillrelatethe technical concepts already described to an actual network design, using theCiscoSBAdesignasthenetworkexample.

IP Addressing in the Smart Business Architecture

CiscoSBAuses10.0.0.0astheexampleaddressrange,youcanapplythesesameprinciplestotheotherranges.YourIPspacerequirementswilldeterminetherangeorrangesyouimplement.Thesesameprinciplesapplytoapublicaddressrange,butmostmidsizeorganizationswilllikelydeployprivateaddressesinternallyandusepublicaddressesfromaserviceprovider when connecting to a public network such as the Internet.

TheCiscoSBAIPaddressingrangesareassignedfromthe10.0.0.0/8rangeofprivateaddressestocoverthefollowingmainsectionsofthenetwork:

• Headquarters

• WAN

• RemoteSites

• ServerRoom

• DMZ

• RegionalSite

• Security

• Voice

The chosen address space is allocated in contiguous IP address blocks to eachoftheseareastopromoteIPsummarization.

• Headquartersisassignedaddressesinthe10.10.0.0/19block,allowingfor32/24subnets.

• Theregionalsiteisassignedaseparateblock.

• Branchesareassignedan8subnetblockoutof10.11.0.0/21.

• FortheNetworkFoundation:

– DataSubnetsarerequiredforwiredandwirelessusers.

– Wirelessaccessmayrequireadditionalsubnetsforguestaccess,quarantine of nonsecure devices, etc.

– Subnetsforend-useraccessarecommonlyspecifiedas/23or/24,andallowfor253hostsor509hosts,respectivelywithasinglerouteraddress being used.

– VoiceSubnetsareseparatefromdatanetworkstosimplifyconfigura-tion of quality of service, and to avoid having IP phones contributing to the lack of space on already congested data subnets.

– Onesubnetforwireddataandonesubnetforwirelessallowsforflex-ibility.Subnetscanbe/24or/23,andallowfor253hostsor509hosts,respectively with a single address reserved for the default gateway.

9ManagingIPAddresses

Table1presentsanexampleofIPaddressassignmentandsummarization.

Followingthetable,youcanfindadiagramoftheCiscoSBAarchitecturewithsampleIPsubnetassignmentandsummarization.Summarizationcanbeextrapolatedtoeachremotesiteandacrossacampusasrequired.Toaddanotherremotesite,simplyassignanotherblockofeightaddresses.Forexample:Branchtwowouldbeassigned10.11.8.0/21.

Table 1. CiscoSBAAssignedIPAddresses

Location VLAN Subnet DepartmentSummary Address

Headquarters 10.10.0.0/19

100 10.10.0.0/24 HQWiredData

102 10.10.2.0/24 HQWiredVoice

104 10.10.4.0/24 HQWiredData

106 10.10.6.0/24 HQWiredVoice

116 10.10.16.0/24 HQWirelessData

120 10.10.20.0/24 HQWirelessVoice

124-31 10.10.24.0/21 InternetEdge

132-39 10.10.32.0/21 HQWAN

148-63 10.10.48.0/24 HQServerFarm

RemoteSite1 10.11.0.0/21

NA 10.11.0.0/24 Loopbacks

NA 10.11.1.0/24 NetworkServices

102 10.11.2.0/24 WirelessData

103 10.11.3.0/24 WirelessVoice

104 10.11.4.0/24 WiredData

NA 10.11.5.0/24 Reserved

106 10.11.6.0/24 WiredVoice

NA 10.11.7.0/24 Reserved

TheCiscoSBAdesignasseenintheSBAforMidsizeOrganizations—BorderlessNetworksFoundationDesignGuideisshowninFigure4withtheadditionofIPaddressassignmentsandroutesummarization.

10ManagingIPAddresses

Figure4.CiscoSBADesignwithAssignedIPAddressesandSummarization

Remote Site Router with Application Acceleration

WirelessAccess

Point

10.11.4.0/24 Data SubnetRemote Site Switch

10.11.6.0/24 Voice Subnet

10.11.2.0/24 Wireless Subnet

Single Route Advertised as10.11.0.0/21 ➝

� Single Route Advertisedas 10.10.0.0/19

Remote SiteWireless

Access Point

PSTN

WAN

Internet

Firewall

Campus Router

ApplicationAcceleration

WirelessLAN Controller

ClientAccessSwitch

Server RoomSwitch

Servers

Client AccessSwitch Stack

Server RoomStack

UCManagmentHost

10.10.0.0/24 Data Subnet10.10.2.0/24 Voice Subnet10.10.16.0/24 Wireless Data Subnet

10.10.48.0/24 Server Subnet10.10.49.0/24 Server Subnet

CoreSwitchStack

Hardwareand

Software VPN

Server Room

Headquarters

Access

11ManagingIPAddresses

Process

Creating an Addressing Plan

1. DefineAddressingStandards

2. Plan Range

3. AllocateIPSpace

4. DocumentPlan

ItisimportanttoapproachtheIPaddressingplanwiththeentirenetworkinmind,notjustthefoundation.ProperplanningofIPaddressspaceacrosseachofthelayersiscriticaltoensuringtheirinteractionisseamlessandintegrated.Withineachsubnetrange,theplanshouldaccountfor:

• Subnetsizes

• Subnetassignment

• Staticaddressassignmentsfornetworkdevices

• Dynamicaddressassignments

Well-plannedanddocumentedIPaddressspacecanyieldmanysavedhoursoftroubleshootingtime.

Procedure 1 Define Addressing Standards

Usingconsistentstandardsacrossthedifferentlocationssimplifiesoverallmaintenanceandtroubleshootingofthenetwork.

Step 1: CreatestandardsforIPaddressassignmentswithineachsubnetrange.Somestandardsyoumayconsiderapplyinginclude:

• Foreaseofidentification,VLANscanbecreatedtomatchthethirdoctetoftheIPsubnetplus100.Forexample:x.x.71.x.isassignedVLAN171.Thisresultsinaself-documentingdesign.

• Routers,gatewaysandhotstandbyrouterprotocol(HSRP)virtualaddresses within a subnet are assigned the first available addresses within the range.

• Printersandotherfixedaddressassignments.

• Dynamicaddressrangesfordynamichostcontrolprotocol(DHCP).Forexample:Allusersubnetsmaybe/24subnetswith253availableaddressassignmentsforendhosts.

• Routersmaybeassignedthe.2and.3addresses,andtheHSRPaddressassigned the .1 address.

• Printersmaybeassignedthe.5through.9addresses.

• DHCPmayrangefrom.10through.250addresses.

Step 2: Defineaconsistent,structurednamingconventionandDNSfordevices. This helps:

• Createaconsistentaccesspointtoroutersforallnetworkmanagementinformationrelatedtoadevice.

• ReducetheopportunityforduplicateIPaddresses.

• Createsimpleidentificationofadeviceshowinglocation,devicetype,and purpose.

• Improveinventorymanagementbyprovidingasimplermethodtoidentify network devices.

Step 3:IdentifyDHCPrangesandaddthemtoDNS,includingthelocationoftheusers.ThisrangemaybeaportionoftheIPaddressoraphysicallocation.Anexamplemightbedhcp-bldg-c21-10todhcp-bldg-c21-254,which identifies IP addresses in building C, second floor, wiring closet 1. Alternatively, the precise subnet or variation thereof can be used for identification.

Step 4: Documentallstandardsthatyoudevelopandreferencethemonallnetworkengineeringplandocumentstohelpensureconsistentdeployment.

12ManagingIPAddresses

Procedure 2 Plan Range

Thereisnoincorrectprivatesubnettoallocate,butsomechoicesprovidemoreflexibilitythanothers.

Step 1: Determinewhichaddressspacetousebyevaluatingalloftheuserandserverrequirements.Considerthefollowingexamples:

• The192.168.0.0rangeisusedbymanycompaniesandnetworkequip-mentvendors.Thisaddressrangehasalowernumberofhostaddressesavailable,whichmaybecomeanissueasanorganizationgrowsorwhenamergeroccurswithanothercompanyusingthesamerange.

• Ifyouhavetheluxuryofstartingfromscratch,considerthe10.0.0.0rangetoallowforthemostflexibility.The10.0.0.0rangeallowsformanymorehostsinthesamerange,whichprovidesmoreflexibilitywhensub-netting.Forexample:Eachbranchorbuildingneedstohaveaconsistenthostrangeandthe10.0.0.0networkprovidesthisflexibility.

• Inmanycases,organizationsmayhavemultipledifferentaddressRFC1918spacesintheirnetwork.Tosimplifyconfigurationandtroubleshoot-ing,itiseasiertoworkwithonerangefromRFC1918spaceandusesummarization.UsingmultipleIPrangesfromdifferentaddressspacesisnotaproblemiftheaddressingplaniswelldocumented.

• Whateveraddressspaceisselectedorinherited,theremaybeanadvan-tagetostartsomewhereotherthanthebeginningoftherangewhenchoosingnetworknumbering.IncaseofamergerwithanothercompanythatisusingIPaddressingfrom10.0.0.0or192.168.0.0,itisadvisablenotto start at the beginning of the range, to decrease the chance of address conflicts.

Procedure 3 Allocate IP Space

Step 1: CarefullydefinethesizeoftheIPspacewithpublicaddressesasitisavailableonlyinafiniteamount.Besuretotakeintoaccountthat:

• Privateaddressesarenotconstrained

• Foreaseofuse,a/24maskshouldbeusedasaminimumforusersubnets.

• Enddevicesalwaysgrowinnumber,sothereisnoreasontosetalowlimitonthenumberofprivateaddresses,sincetheyarereadilyavailable.

• WANconnectionshavemuchsmallerrequirementsforIPaddresses.Ingeneral, a point-to-point network connection between two sites has two IPaddressesinuse.IfHSRPisusedwithredundantroutesoneachside,thenumberofaddressesincreasestosix,threeforeachsideofthelink.

– /30subnetallowsfortwousableIPaddresses

– /29subnetallowsforsixusableIPaddresses

Step 2: Reserveasubnetforphysicalsecurity.Theserequirementscanbeassimpleasasubnettocontroldooraccesstoabuildingorsomethingmorecomplexlikevideosurveillancefortheentirebuilding.Evenifphysicalsecurityisnotrequiredattheinitialsetup,youshouldstillcompletethisstep.

Step 3: Reserve a subnet for facilities. This subnet addresses physical plant requirementssuchasremotepowercontrol,airconditioning,andfacilitiesmonitoring,whichcannowbemonitoredwithnewtechnologyontheIPnetwork.

Step 4: Allocatepublicaddressesforallproductionnetworksinthedemili-tarizedzone(DMZ),whichisthenetworkornetworkssituatedbetweenanISPedgerouterandcorporatefirewalls.AnalternativeistouseNAT.

Step 5: AllocateasubnetforRemoteAccess,whichisgenerallysetupasavirtualprivatenetwork(VPN).

Step 6: AllocateasubnetforNetworkManagementtoprovideaccesstonet-workdevicessuchasEthernetswitches,firewalls,routers,etc.Thissubnetwillallowforeasymanagementwithaseparatelogicalnetwork.CiscoSBAusesVLAN1formanagementofnetworkdevices.

13ManagingIPAddresses

Tech Tip

Wherepractical,aseparatephysicalnetworkcanalsobeusedformanagement.

Step 7: Createaloopbackaddresstomakeiteasiertomanageasingleaddressforarouterwithmultipleinterfaces.

Loopbacks:

• Arealwaysup.

• Arereachableevenifasingleinterfacegoesdownwhentherouterhasmultipleinterfaces.

• Canprovideasinglesourceaddressforvoiceapplications,networkmanagement,routing,etc.

• Givecontinuity,forexample,toavoicegatewayinarouter.IfthevoicegatewayisconfiguredfortheWANinterfaceanditgoesdown,thevoicegatewayalsogoesdown.Loopbackspreventtheseproblemsastheystay up as long as the router stays up and is reachable over an interface.

• NeedtobeadvertisedbytheIProutingprotocol.

Loopbackinterfacescanbeassignedanaddressof/24oruptoasingle/32(besuretosummarizeifusing/32loopbacks).Configureloopbackinter-facesasthesourceIPaddressfortraps,SecureShell(SSH),andSimpleNetworkManagementProtocol(SNMP).

Procedure 4 Document Plan

Step1:DocumenttheentireIPaddressspaceinaspreadsheetshowingsite-allocation,usage,andavailablesubnetsforeachsubnetsizewithintheblock,alongwithsummaryaddressesforeachparticularblockofaddresses.

AnexampleofasimpleIPaddressingworksheetisavailableintheAppendixof this guide.

Process

MaintainingandGrowingNetworkSpace

1. ResolveOverlappingAddressRanges

2. IncreasetheNumberofIPAddresses

3. MergewithAnotherCompany

OncetheIPaddressingplanisinplace,youarereadytoresolvesituationsastheycomeup.Thefollowingproceduresexplainhowtohandlesomeofthespecialsituationsyoumayencounter.

Procedure 1 Resolve Overlapping Address Ranges

Iftwoaddressrangesoverlap,twoscenariosmaybeinplace.

Thefirstpossiblescenarioisthattherangesarethesamebutthesubnetsused within these ranges are unique to each site and there is no overlap as seeninFigure5.Thisscenarioisnotoptimal,butthenetworksshouldstillbeabletocommunicate.Inthisscenario,completethefollowingsteps:

Step 1: Removesummarizationfrombothsidesifitcontainsanyoftheoverlapping IP space.

Note:Thisstepisenoughtoallowthenetworkstocommunicatewhilestep2isbeingcompleted.

Step 2:Renumbertheoverlappingspace.

Step 3:Reinstatethesummarization.

Figure5.OverlappingIPAddressSpace,NonConflicting

Branch Headquarters

Remote Site Using 192.168.0.0/19192.168.20.0/24 Data Subnet192.168.30.0/24 Wireless Subnet

Headquarters Using 192.168.0.0/19Data Subnets192.168.1.0/24…192.168.15.0/24

14ManagingIPAddresses

Thesecondpossiblescenarioisthatthespacesconflict,meaningtheyusethesamesubnetsasseeninFigure6.Thisisarealproblem.Unlikethesimplesolutionofthepreviousexample,thisoneismorecomplex,butitcanbeovercome.

Completethefollowingstepstoresolvethesituation:

Step 1: UseNATfromtheconflictingsiteinanewnonconflictingIPaddressspaceasatemporaryworkaround.

Step 2:Renumbertheconflictingspace.

Step 3: Oncethehostsarerenumberedintothenewaddressspace,turnNAToff.

Figure6.OverlappingIPAddressSpace,Conflicting

Branch Headquarters

Remote Site Using 192.168.0.0/19192.168.1.0/24 Data Subnet192.168.15.0/24 Wireless Subnet

Headquarters Using 192.168.0.0/19Data Subnets192.168.1.0/24 Server Subnet192.168.15.0/24 Data Subnet

NAT from Source Subnets to Two Temporary Subnets in theExisting Headquarters IP Address Space That Are Not in Use:192.168.30.0/24 and 192.168.31.0/24

Procedure 2 Increase the Number of IP Addresses

Asanorganizationgrows,sodoesitsneedforIPaddresses.Ifyourplanincludesprovisionsforexpansion,growthisnotaproblem.

IfthehostsareallDHCPandthenextavailablesubnethasbeenreserved,completethefollowingsteps:

Step 1: AdatasubnetmayhavehadanadequateamountofIPaddresseswhenitwasfirstdeployed,butasthecompanygrowsitbecomesapparentthatthe/24assignedneedsmoreroom.Oneapproachistoexpandthesubnetbychangingthemasktoa/23todoubletheIPaddressesavailable.Therouterinterfaceconfigurationwillgetreconfiguredforthenewmaskandrouting verified.

Tech Tip

ThischangeofmaskcanonlybedoneifthenetworkIPplanningtookthisfutureexpansionintoaccountwhenthenetworkwasdesigned.Ifitwasplanned,thehostsareallDHCP,andthenextavailablesubnethasbeen reserved..

Step 2: Withtherouterconfigurationcomplete,addressthehosts.WiththehostsconfiguredforDHCP,theyreceivetheirIPaddressesandsubnetmasksfromtheDHCPserver.

Step 3: ChangethemaskandaddtheadditionalrangetotheDHCPserver.NotethattheDHCPmaskneedstobechangedontheDHCPserverandnoton every host.

Step 4: OncethemaskhaspropagatedwhenDHCPrenewstotheexistinghosts,theywillhavevisibilitytotheexpandedrangeinDHCP.Atthispoint,expandtheDHCPrangetothelargersetofIPaddressessotheycanbeassigned.

Tech Tip

IfthehostsarenotconfiguredforDHCP,eachhostwillhavetobevisited or it will not be aware of hosts and gateways on the subnet.

15ManagingIPAddresses

Procedure 3 Merge with Another Company

ConsidertheexampledepictedinFigure7.Assumeanewlocationwasacquiredbyabusinessthatalreadyhasanetworkwith172.16.20.0and172.16.42.0addressspaceinuse.Youwouldneedtoeitherrenumbertheaddressspacetofitwithintheactive192.168.0.0spacecurrentlydeployedattheheadquarters,orsimplysummarizetheaddressspaceatthebordertotheremotesiteas172.16.0.0/16.

Figure7.MergingwithDifferentIPSpace

Branch Headquarters

172.16.20.0/24 Data Subnet172.16.42.0/24 Wireless Subnet

Headquarters Using 192.168.0.0 AddressSpace Summarizes and Advertisesa Single Route Out to the Remote Site. 192.168.0.0/16

Remote Site Using 172.16.0.0 AddressSpace Advertises a Single Router to theHeadquarters Site172.16.0.0/16

Reader Tip

FormoreinformationonIPaddressing,pleaseseethefollowingresources:

• RoutingandSwitchingBestPractices:HowCiscoITDeploysIPAddressingintheEnterprise,www.cisco.com/web/about/ciscoi-tatwork/downloads/ciscoitatwork/pdf/Cisco_IT_IP_Addressing_Best_Practices.pdf

• ConfigurationManagement:BestPracticesWhitePaperwww.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a008014f924.shtml

• “GeneralDesignConsiderationsforSecureNetworks”,inNetwork Security Architectures, a Cisco Press book.

16AppendixA

AppendixA:SubnetDesignWorksheetforSBA

Location VLAN Subnet Department Summary Address

17AppendixB

AppendixB:SBAforMidsizeOrganizationsDocumentSystem

Panduit

Wireless CleanAir

Web Security

Email Security

Ipswitch

ScienceLogic

SolarWinds

Network Management

Configuration Files

Foundation

Business Continuance

IPv6 Addressing

IPv4 Addressing

FoundationDesign Overview

3G Wireless Remote Site

Design Guides Deployment Guides

You are Here

Supplemental Guides

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Americas HeadquartersCisco Systems, Inc.San Jose, CA

Asia Pacific HeadquartersCisco Systems (USA) Pte. Ltd.Singapore

Europe HeadquartersCisco Systems International BVAmsterdam, The Netherlands

C07-629862-0112/10