Address Management Issues for an Enterprise WAN


An end-user enterprise demonstrates some fairly consistent network attributes. For example, an enterprise wide-area network (WAN) should have a fairly secure perimeter. This implies that the borders are well-defined in the first place. The WAN, by virtue of its isolation from other, external networks, affords cocoon-like safety for the networked computing operations. The routers in this network spend much more of their time forwarding IP packets than they do tracking routes, simply because the network's limited scope results in a limited number of internal routes. If there is to be a connection to the Internet, all network addresses that lie outside the network can be treated using the concept of a default gateway. As you saw in Chapter 11, "Internetworking with IP," a default gateway is a simplifying logical mechanism. It lets you tell a router which of its interfaces should be used to forward any packets bearing a destination address for which it doesn't have a valid route.

Any specific routes that a router tracks are, by design, for internal addresses. Figure 13-1 shows a typical network topology for an enterprise with five locations and one connection to the Internet. We'll use this topology as our example to reinforce some of the issues unique to an enterprise WAN. Each location is a separate office building that contains its own LAN.

Figure 13-1. An Enterprise Network Topology


Looking at this figure, you can see that an IP address space is already selected. For the sake of example, we'll assume that the address space was properly obtained and is directly registered to your company. In reality, the address block 99.1.0.0 /22 has not yet been assigned. There might come a day when it is, but for the foreseeable future, it remains reserved by IANA and, ostensibly, available for future use.

This /26 block is advertised to your ISP. Thus, at least in theory, the rest of the world can access this network using that network address. The ISP, however, doesn't advertise your /26 network block to the rest of the Internet. Instead, it aggregates that block with the other blocks assigned from its /22 and then just advertises the /22 network block to the Internet.

Hierarchical Allocation

Having acquired an address space, the next priority is figuring out what to do with it. In other words, you need to allocate some addresses to each of the locations. Remembering the distinction between allocation and assignment, it would behoove you to allocate slightly oversized subblocks from your /22 to each of your five locations. The size of each subblock should depend on the size of each location. Obviously, you want to have slightly more than enough addresses at each location as opposed to just enough or not quite enough. Let's assume, for the sake of simplicity, that each location requires no more than 200 addresses. Thus, you need a /24 network for all the various endpoints at each location. Two of your locations, numbers 4 and 5, are only about half the size of the other sites. They can share a /24 with ease. As such, each is given a /25 network.

Besides keeping the example simple, this assumption also allows plenty of room to grow at each location. As explained earlier, this is an allocation of addresses. From the hostmaster's perspective, it is enough to know that a /24 or /25 has been allocated to a specific location. Figure 13-2 shows how you've allocated your CIDR subnet blocks throughout the enterprise network.

Figure 13-2. Address Allocation Within an Enterprise Network


The LAN administrators at each location are responsible for assigning addresses to the individual endpoints on their LANs from the allocated /24s. These administrators are unlikely to just spool out addresses in a serial fashion. Instead, they probably will take advantage of CIDR's flexibility and create subnetworks for groups of related devices.

Grouping Related Devices

Having segmented your /22 into smaller network blocks for each location, the next step is to start grouping related devices at each location. Such grouping might be considered arbitrary. Some people would tell you it's a waste of time. They might even say that you are creating work with no demonstrable benefit. Such folks clearly have never managed an IP address space and are speaking from ignorance.

Creating logical groups lets you form subnets more intelligently. Consequently, you can better manage and secure a network. Imagine if all devices in a network were created from the same address block, with no attempt made to logically subnet them. Subnetting can be achieved by picking any one of a number of characteristics, including political boundaries (departments in a company), local geography (floors or wings of a building), or capability (printer, desktop computer, server). There is no right approach; all can be made workable.

However, I can make an argument in favor of subnetting by technical capability. The connectivity patterns of different types of devices can be very distinct. For example, you can count on printers receiving potentially large amounts of traffic but never initiating a communications session. Similarly, client devices can initiate a communications session via a remarkably diverse array of applications, but (hopefully!) they will never be the destination of an inbound request for connectivity. That function is typically reserved for servers. So, the differing communications patterns can serve as a basis for establishing subnets within a LAN. This also makes it easier to enforce some security technologies.

Based on such communication patterns, it is also possible to identify devices that must have a single IP address statically assigned; in other words, an IP address that will remain reliably constant over time. Servers, printers, management ports on hubs and switches, and router interfaces should all have a statically configured IP address. Client endpoints, however, would probably be better served with a dynamic IP address assignment. Several technologies can provide this function, including BOOTP for UNIX-based computers and Dynamic Host Configuration Protocol (DHCP). Such technologies work in similar ways: A client machine sends out a broadcast message to find an address server immediately after it boots. This server assigns an IP address to that client machine. These tools were originally part of the massive effort to stave off the Date of Doom, but they have proven themselves far more valuable in saving time by relieving network administrators of the burden of statically configuring IP addresses on client machines.

For the sake of example, you'll carve your /24 CIDR block by function into subnets. You'll use 99.1.1.0/24, which is assigned to Location #2. Table 13-2 shows you the resulting logical groups and the size of their required address blocks. It is important to remember that, because you are using CIDR, the distinction between a subnet and a network address is purely a matter of semantics. All get aggregated up to the /24 block for advertisement to the other routers within the enterprise WAN, and all the /24 networks within that WAN are aggregated back into the /22 for communicating across the Internet.

Table 13-2. Allocating Blocks Within a /24

Description of Subnet   | Block Size Required | Available Number of Addresses
------------------------|---------------------|------------------------------
Base network address    | /24                 | 254
DHCP pool for desktops  | /25                 | 127
Servers                 | /28                 |
Network interfaces      | /29                 |
Management ports        | /29                 |
Printers                | /29                 |


The next step is figuring out how to carve these required subnet blocks into your /24 address space.

Subnetting the Address Space

After figuring out how much space to allocate to each of your intended subnets, you have to figure out how to subnet the network address space to accommodate these requirements. Table 13-3 shows how the requirements listed in Table 13-2 are accommodated via the subnetting of the 99.1.1.0 /24 network address space.

Table 13-3. Subnetting the /24

Description of Subnet   | Address Block
------------------------|-----------------
Base network address    | 99.1.1.0 /24
DHCP pool for desktops  | 99.1.1.0 /25
Servers                 | 99.1.1.128 /28
Network interfaces      | 99.1.1.144 /29
Management ports        | 99.1.1.152 /29
Printers                | 99.1.1.160 /29
Unassigned              | 99.1.1.168 /29
Unassigned              | 99.1.1.176 /28
Unassigned              | 99.1.1.192 /26


NOTE

Did you notice in Table 13-3 that the unassigned address space was not identified as a single, large group of addresses? Instead, three subnetworks remain unassigned. These subnetworks preserve the symmetry of the CIDR address space and ensure that no boundaries between subnetworks are compromised by future network assignments.
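The following Python is an added example, not code from the book, that reproduces the carving in Table 13-3 from the requirements in Table 13-2 by first-fit allocation in address order, and shows why the leftover space falls out as three aligned blocks rather than one. The same function applied to the /22 handles the per-location allocation of Figure 13-2; the order in which the five locations are served there is an assumption, since the page only states that Location #2 holds 99.1.1.0/24.

```python
import ipaddress

# Requirements from Table 13-2, in the order the book carves them.
REQUIREMENTS = [
    ("DHCP pool for desktops", 25),
    ("Servers", 28),
    ("Network interfaces", 29),
    ("Management ports", 29),
    ("Printers", 29),
]


def carve(parent, requirements):
    """Carve (name, prefix length) requests out of `parent`, first-fit in
    address order.  Returns (assigned, unassigned): `assigned` maps each
    name to its subnet; `unassigned` is the leftover space as the minimal
    set of CIDR-aligned blocks, so later assignments cannot straddle a
    subnet boundary."""
    parent = ipaddress.ip_network(parent)
    free = [parent]          # aligned blocks not yet handed out
    assigned = {}
    for name, plen in requirements:
        # Lowest-addressed free block large enough to hold a /plen.
        for block in sorted(free):
            if block.prefixlen <= plen:
                break
        else:
            raise ValueError(f"no room for {name} (/{plen}) in {parent}")
        free.remove(block)
        # Split down to the requested size: first piece is assigned,
        # the rest is re-aggregated and returned to the free list.
        pieces = list(block.subnets(new_prefix=plen))
        assigned[name] = pieces[0]
        free.extend(ipaddress.collapse_addresses(pieces[1:]))
    return assigned, list(ipaddress.collapse_addresses(free))


def location_allocation():
    """Per-location carving of the /22 (assumed order; three /24s, two /25s)."""
    sites = [("Location 1", 24), ("Location 2", 24), ("Location 3", 24),
             ("Location 4", 25), ("Location 5", 25)]
    return carve("99.1.0.0/22", sites)


if __name__ == "__main__":
    assigned, unassigned = carve("99.1.1.0/24", REQUIREMENTS)
    for name, net in assigned.items():
        print(f"{name:24s} {net}")
    for net in unassigned:
        print(f"{'Unassigned':24s} {net}")
```

Requesting a block that does not fit (for example a second /25 from this /24 after the pool is taken) raises ValueError rather than silently overlapping an existing subnet.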


After you have figured out how you will categorize the pool of devices in your network and subnet the network, one last step is left: assigning the IP addresses.

Assigning IP Addresses

The last step in the overall process is to assign unique IP addresses to endpoints. As you saw earlier, "endpoint" is a way to describe virtually anything that lives on or in a network. Desktop computers, networked printers, servers, management ports and interfaces on network devices such as switches and routers, and a seemingly infinite list of other types of devices can all require an IP address.

You know some of these devices will need to be statically configured with an IP address. Such an approach is tantamount to a permanently assigned IP address, but you know that nothing is permanent. Thus, we'll use the term statically configured instead of permanently assigned. For the endpoints that can be given a dynamic address, a block of addresses is carved from the /24 (in the current example) and is fed to DHCP or a similar tool.

NOTE

It is imperative that you maintain very careful records on any and all statically configured endpoints!





IP Addressing Fundamentals
ISBN: 1587050676
Year: 2002
Pages: 118
Authors: Mark Sportack
