IPv4 private addressing tradeoff: small footprint vs even VLSM length?

Is minimising one's use of the private address space to avoid unnecessary potential overlap worth the hassle of having uneven VLSM lengths?
I am designing my first non-trivial IPv4 addressing scheme in the 10.0.0.0/8 range.  Just two small branch offices, but on the access-layer, I'm putting servers, printers, desktops and phones onto separate VLANs.  (In fact, when doing L3 at the access-layer, you can quickly end up with multiple VLANs).
Now, few of these VLANs are so big that they'll need a /24 all to themselves.  In fact, a /27 for phones and printers will be fine.  I'll give a /24 to desktops because 255.255.255.0 is the only mask which semi-technical users understand.  Maybe a /25 for servers, which gives a bit of room for further subnetting and putting VMs onto their own VLANs. 
I'll summarise each site over DMVPN as a /21 subnet.  Neat.
But at each site the routing tables look messy, with the router sporting addresses like 10.9.13.129/27 and there isn't any real pattern between the L3 address and the VLAN number.
Why don't I just dole out /24's to each VLAN? After all, I'm hardly going to minimise conflict with private IP addresses chosen by prospective partners by using /20's instead of /21's for each site (right?), and even if they do, NAT can handle all these situations elegantly (right?).
What about you, would you minimise your footprint in the address space and deal with 'unevenness' in subnet sizes?  Or would you be easier on your eyes now and simply bite the bullet if you had to NAT one day?
thanks!
David.
Message was edited by: David Bullock - tries to get the crux of the question closer to the top of text.

I chose Alessio's as the 'correct' answer, since it mentioned route summarisation.  But both answers were correct in the sense that they were quite reasonable.
In the end, I decided to go with my varying-length VLSM approach, to keep the address-sprawl at each site confined to a /21 subnet.  I don't find the varying-length VLSM to be much of a nuisance in practice.  I miss out on being able to make the 3rd octet 'line up' with the VLAN, but I feel that's a pretty delicate affair anyhow.  Some person just has to give VLAN100 as a 'best practice' for the Voice VLAN, for example, and you either start working with a /17 at each site (minimally), or abandon your numbering scheme.  You'd really have to go with a /16 for each site to ensure you can number 254 VLANs in this fashion.  And that means for each site that you chose, there's a 1-in-256 chance you'll pick the same second octet as someone else.  With my scheme, there is a 1 in 8192 chance that I'll pick the same address range, so I've decreased the likelihood of a conflict by a factor of 32.
At the end of the day though, so long as route summarisation works, all other considerations seem to be a matter of taste.
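A worked example of the two things the post weighs, added here and not part of David's post or of the answers he refers to: carving a site /21 into uneven VLSM blocks in a way that still lets the site be summarised as one prefix, and sizing the overlap risk against a partner's range. The site summary 10.9.8.0/21, the per-VLAN host counts, the second site 10.9.16.0/21 and the partner range 10.9.0.0/16 are made-up inputs, and the function names are mine.

```python
"""VLSM carve-up of a per-site summary, plus overlap and collision checks.

Added example, not part of the original post.  The site summaries, VLAN
host counts and the partner range used below are made-up illustrations.
"""
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose usable host count (2^n - 2) covers `hosts`."""
    if hosts > 2 ** 31 - 2:
        raise ValueError("host count does not fit in any IPv4 subnet")
    plen = 30  # /30 is the smallest prefix with usable hosts (2)
    while (2 ** (32 - plen)) - 2 < hosts:
        plen -= 1
    return plen


def allocate_vlsm(summary: str, hosts_needed: Dict[str, int]) -> Dict[str, IPv4Net]:
    """Carve `summary` into one subnet per VLAN, largest block first.

    Largest-first keeps every block naturally aligned, so nothing is lost
    to alignment padding.  Each VLAN takes a best-fit block from the free
    list.  Raises ValueError when the VLANs do not fit in the summary.
    """
    site = ipaddress.ip_network(summary, strict=True)
    wanted: List[Tuple[int, str]] = sorted(
        (prefix_for_hosts(h), name) for name, h in hosts_needed.items()
    )
    free: List[IPv4Net] = [site]
    plan: Dict[str, IPv4Net] = {}
    for plen, name in wanted:
        candidates = [b for b in free if b.prefixlen <= plen]
        if not candidates:
            raise ValueError(f"{name} needs a /{plen}; no room left in {site}")
        block = max(candidates, key=lambda b: b.prefixlen)  # best fit
        free.remove(block)
        while block.prefixlen < plen:
            first, second = block.subnets(prefixlen_diff=1)
            free.append(second)  # remainder stays allocatable
            block = first
        plan[name] = block
    return plan


def fits_in_summary(plan: Dict[str, IPv4Net], summary: str) -> bool:
    """True when every allocated subnet lies inside the site summary, i.e.
    the site can be advertised over the DMVPN as that single prefix."""
    site = ipaddress.ip_network(summary)
    return all(n.subnet_of(site) for n in plan.values())


def overlapping(sites: Dict[str, str], partner_ranges: List[str]) -> List[Tuple[str, str]]:
    """(site, partner_range) pairs whose address space collides.  Any hit
    is a range you would have to NAT if that partner were ever connected."""
    hits: List[Tuple[str, str]] = []
    for site, s in sites.items():
        sn = ipaddress.ip_network(s)
        for p in partner_ranges:
            if sn.overlaps(ipaddress.ip_network(p)):
                hits.append((site, p))
    return hits


def collision_odds(site_prefixlen: int, pool: str = "10.0.0.0/8") -> int:
    """How many blocks of /site_prefixlen fit in `pool`.  A partner who
    independently picks one block of that size from the same pool lands
    on yours with probability 1 in this number."""
    base = ipaddress.ip_network(pool)
    return 2 ** (site_prefixlen - base.prefixlen)


if __name__ == "__main__":
    summary = "10.9.8.0/21"  # made-up site summary
    plan = allocate_vlsm(summary, {"desktops": 200, "servers": 100, "phones": 25, "printers": 20})
    for name, net in plan.items():
        print(f"{name:9s} {net!s:18s} router {net.network_address + 1}/{net.prefixlen}")
    print("summarisable:", fits_in_summary(plan, summary))
    print("collisions:", overlapping({"siteA": summary, "siteB": "10.9.16.0/21"}, ["10.9.0.0/16"]))
    print("1 in", collision_odds(21), "for a /21 site; 1 in", collision_odds(16), "for a /16 site")
```

Largest-first allocation is what keeps the result summarisable: every block is naturally aligned and the unallocated remainder stays as a few clean blocks for later VLANs. `overlapping()` is the check to run before any partner VPN or acquired network is connected; a hit means NAT, and with NAT the source address seen in the partner's logs and ACLs is no longer the real host, which is the operational cost the post is weighing.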

Similar Messages

  • Ipv4 mapped addresses bind problem: address already in use.

Hello. It's me again with another, maybe newbie, question.
    This time I observe different behavior binding different type of ip addresses on tcp sockets. For instance
    - when I bind ipv4 mapped addresses, if there is a remaining old socket in TIME_WAIT state from a previous run
I get the error 'Address already in use', even with SO_REUSEADDR set.
- when I bind another type of ipv6 or just ipv4 addresses, if there is a remaining old socket in TIME_WAIT state from
a previous run, the bind is successful (SO_REUSEADDR is set).
How can this behavior be explained?
    Thanks a lot.
    Details
    =======
    I made a small program to test this. This program:
    - dump the addresses to be used in bind() and connect()
    - creates a LISTEN SOCKET calling
    - socket(AF_INET6, SOCK_STREAM, 0)
    - fcntl(F_SETFD, fcntl(F_GETFD) | FD_CLOEXEC)
    - fcntl(F_SETFL, fcntl(F_GETFL) | O_NONBLOCK),
    - setsockopt(SO_REUSEADDR),
    - setsockopt(SO_KEEPALIVE),
    - setsockopt(TCP_NODELAY),
    - bind()
    - listen()
    - creates a CONNECTING SOCKET calling
    - socket(AF_INET6, SOCK_STREAM, 0)
    - fcntl(F_SETFD, fcntl(F_GETFD) | FD_CLOEXEC)
    - fcntl(F_SETFL, fcntl(F_GETFL) | O_NONBLOCK),
    - setsockopt(SO_REUSEADDR),
    - setsockopt(SO_KEEPALIVE),
    - setsockopt(TCP_NODELAY),
    - connect()
- creates an ACCEPTED SOCKET calling
    - accept()
    - fcntl(F_SETFD, fcntl(F_GETFD) | FD_CLOEXEC)
    - fcntl(F_SETFL, fcntl(F_GETFL) | O_NONBLOCK),
    - setsockopt(SO_REUSEADDR),
    - setsockopt(SO_KEEPALIVE),
    - setsockopt(TCP_NODELAY),
    - issue a std::system( "netstat -an | grep 10329" )
    - wait with select() for a write event in the CONNECTING SOCKET
    - wait with select() for a write event in the ACCEPTED SOCKET
    - close the accepted socket
    - close the connecting socket
    - close the listen socket
    - issue another std::system( "netstat -an | grep 10329" )
    - exit(0)
    Note: please don't get confused with my notation of addresses, the last component, after the last colon, is the port.
    I run it with ipv4 mapped listen address, with this result:
    $ ./test_reuseaddr listen_address=0.0.0.0:10329 connect_address=127.0.0.1:10329
    Listener in *'::ffff:0.0.0.0:10329'*
    1a 00 28 59 00 00 00 00 00 00 00 00 00 00 00 00 |..(Y............|
    00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    Connect to '::ffff:127.0.0.1:10329'
    1a 00 28 59 00 00 00 00 00 00 00 00 00 00 00 00 |..(Y............|
    00 00 ff ff 7f 00 00 01 00 00 00 00 00 00 00 00 |................|
    Creating listen socket
    Creating connecting socket
    Creating accepted socket
    netstat -an | grep 10329
    *.10329 *.* 0 0 49152 0 LISTEN
    127.0.0.1.35114 127.0.0.1.10329 49152 0 49152 0 ESTABLISHED
    127.0.0.1.10329 127.0.0.1.35114 49152 0 49152 0 ESTABLISHED
    Closing connecting socket
    Closing accepted socket
    Closing listen socket
    netstat -an | grep 10329
    *127.0.0.1.10329 127.0.0.1.35114 49152 0 49152 0 TIME_WAIT*
    Immediately run it again the same way, with this result (Address already in use):
    $ ./test_reuseaddr listen_address=0.0.0.0:10329 connect_address=127.0.0.1:10329
    Listener in *'::ffff:0.0.0.0:10329'*
    1a 00 28 59 00 00 00 00 00 00 00 00 00 00 00 00 |..(Y............|
    00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    Connect to '::ffff:127.0.0.1:10329'
    1a 00 28 59 00 00 00 00 00 00 00 00 00 00 00 00 |..(Y............|
    00 00 ff ff 7f 00 00 01 00 00 00 00 00 00 00 00 |................|
    Creating listen socket
    *### SYSCALL ERROR: bind(): 125, Address already in use*
    Wait and verify that the TIME_WAIT socket has disappeared
    $ sleep 120
    $ netstat -an | grep 10329
    Now run the same program with normal ipv6 listen addresses
$ ./test_reuseaddr listen_address=::0:10329 connect_address=127.0.0.1:10329
    Listener in *':::10329'*
    1a 00 28 59 00 00 00 00 00 00 00 00 00 00 00 00 |..(Y............|
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    Connect to '::ffff:127.0.0.1:10329'
    1a 00 28 59 00 00 00 00 00 00 00 00 00 00 00 00 |..(Y............|
    00 00 ff ff 7f 00 00 01 00 00 00 00 00 00 00 00 |................|
    Creating listen socket
    Creating connecting socket
    Creating accepted socket
    netstat -an | grep 10329
    *.10329 *.* 0 0 49152 0 LISTEN
    127.0.0.1.35115 127.0.0.1.10329 49152 0 49152 0 ESTABLISHED
    127.0.0.1.10329 127.0.0.1.35115 49152 0 49152 0 ESTABLISHED
    *.10329 *.* 0 0 49152 0 LISTEN
    Closing connecting socket
    Closing accepted socket
    Closing listen socket
    netstat -an | grep 10329
    *127.0.0.1.10329 127.0.0.1.35115 49152 0 49152 0 TIME_WAIT*
    Immediately run it again the same way (no error this time)
$ ./test_reuseaddr listen_address=::0:10329 connect_address=127.0.0.1:10329
    Listener in *':::10329'*
    1a 00 28 59 00 00 00 00 00 00 00 00 00 00 00 00 |..(Y............|
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    Connect to '::ffff:127.0.0.1:10329'
    1a 00 28 59 00 00 00 00 00 00 00 00 00 00 00 00 |..(Y............|
    00 00 ff ff 7f 00 00 01 00 00 00 00 00 00 00 00 |................|
    Creating listen socket
    Creating connecting socket
    Creating accepted socket
    netstat -an | grep 10329
    127.0.0.1.10329 127.0.0.1.35115 49152 0 49152 0 TIME_WAIT
    *.10329 *.* 0 0 49152 0 LISTEN
    127.0.0.1.35116 127.0.0.1.10329 49152 0 49152 0 ESTABLISHED
    127.0.0.1.10329 127.0.0.1.35116 49152 0 49152 0 ESTABLISHED
    *.10329 *.* 0 0 49152 0 LISTEN
    Closing connecting socket
    Closing accepted socket
    Closing listen socket
    netstat -an | grep 10329
    *127.0.0.1.10329 127.0.0.1.35115 49152 0 49152 0 TIME_WAIT*
    *127.0.0.1.10329 127.0.0.1.35116 49152 0 49152 0 TIME_WAIT*
Run it again many times with no error.

    sunlover1984 wrote:
Sorry to use such short forms in forums, as I don't know much about this. I rarely use the Java forum. Well, I removed the code that I gave u for server starting, but still it is giving me the same error. This time I put it in a Java bean file. (Hint: "u" is just another short form.)
    Did you try the suggestion to put a log statement just before you start the server? Or put a breakpoint at that line and see how often it is reached.
    Because the only reason for this problem is that something is already listening at that port.
    And if there's really nothing listening before you start you application, then only your application itself can listen there already, so the logical conclusion for me would be that you're starting the Server twice.
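The experiment from the thread, scripted as an added example so it can be re-run on whatever platform you have; this is not the poster's test_reuseaddr program. It performs the same steps on an AF_INET6 socket (listen, connect from an IPv4 client on loopback, accept, close everything, then bind the same port again immediately), once with the IPv4-mapped wildcard '::ffff:0.0.0.0' and once with '::'. It differs from the thread in letting the kernel choose the port instead of using 10329, and it reports the second bind()'s outcome as a string rather than printing netstat output.

```python
"""Re-run the bind()/TIME_WAIT/SO_REUSEADDR experiment from the thread.

Added example; this is not the poster's test_reuseaddr program.  It repeats
the same sequence on an AF_INET6 socket and reports what the second bind()
did.  The kernel picks the port (bind to port 0) instead of the fixed 10329.
"""
import errno
import socket


def _v6_socket(reuse: bool) -> socket.socket:
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    if reuse:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    return s


def rebind_after_time_wait(listen_host: str, reuse: bool = True) -> str:
    """Return 'ok', 'EADDRINUSE' or 'unsupported' for the second bind().

    listen_host is the listener address, e.g. '::ffff:0.0.0.0' (IPv4-mapped
    wildcard) or '::' (IPv6 wildcard, dual-stack when IPV6_V6ONLY is 0).
    The accepted socket is closed first so the server side is the active
    closer and its TIME_WAIT entry sits on the listening port; that entry is
    what the second bind() collides with on platforms where SO_REUSEADDR
    does not cover it.  'unsupported' means this host cannot run the
    scenario (no IPv6 sockets, or IPV6_V6ONLY=1 refusing the IPv4 client).
    """
    lsock = csock = asock = None
    try:
        lsock = _v6_socket(reuse)
        lsock.bind((listen_host, 0))
        lsock.listen(1)
        port = lsock.getsockname()[1]
        # Client: a plain IPv4 socket to loopback, same port.
        csock = socket.create_connection(("127.0.0.1", port), timeout=5)
        asock, _ = lsock.accept()
        asock.close()   # server closes first -> TIME_WAIT on :port
        csock.close()
        lsock.close()
        # Immediately bind the same address and port again.
        again = _v6_socket(reuse)
        try:
            again.bind((listen_host, port))
            again.listen(1)
            return "ok"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "EADDRINUSE"
            raise
        finally:
            again.close()
    except OSError as e:
        if e.errno in (errno.EAFNOSUPPORT, errno.EADDRNOTAVAIL, errno.ECONNREFUSED):
            return "unsupported"
        raise
    finally:
        for s in (lsock, csock, asock):
            if s is not None:
                s.close()


if __name__ == "__main__":
    for host in ("::ffff:0.0.0.0", "::"):
        for reuse in (False, True):
            result = rebind_after_time_wait(host, reuse)
            print(f"listen {host:16} SO_REUSEADDR={int(reuse)} -> {result}")
```

On Linux both listen forms return 'ok' with SO_REUSEADDR set and 'EADDRINUSE' without it; the thread's output (error number 125, which is EADDRINUSE on Solaris) shows a platform that treats the IPv4-mapped bind differently. The '::' run also demonstrates a caveat worth keeping in mind when hardening a listener: with IPV6_V6ONLY left at 0 a socket bound to '::' accepts IPv4 clients as well, so a service meant to be reachable only over IPv6 must set that option explicitly.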

  • IPv4 Multicast address range

    Hello there.
    How can we classify the IPv4 multicast range ( 224.0.0.0 - 239.255.255.255 ) in terms of Public or Private addresses ?
    regards.        

    It's a mixture of private and public addresses depending on the particular subnet within that range. See below
    http://en.wikipedia.org/wiki/Multicast_address

  • My iCloud account shows an old email address i no longer use even though I've updated my apple id with my new email information.  How do I get the old email account off my iCloud

    my iCloud account shows an old email address i no longer use even though I've updated my apple id with my new email information.  It keeps asking me my old password to the old email address which is NOT a valid email any longer.  I'm unable to manage my iCloud until this is resolved.  HELP

    If your Apple ID is the one that you use for making all of your purchases, it should, automatically appear in FaceTime already. How a no longer valid email address got there to begin with is a mystery to me, if in fact you do have, and have been using another Apple ID.
    Go to Settings>FaceTime>Apple ID. Tap the old email address and sign out, sign in with your Apple ID. It should be verified and allow you to select it as the address that you can be reached by for FaceTime.
If that does not work, turn FaceTime off, restart your iPad and then start all over again.

  • Can we assign IPv4 IP address pool to IPv6 VPN Client

    We are planning to enable IPv6 SSL VPN clients, Let me explain the current setup
    We have Cisco ASA firewall used for SSL VPN and Cisco ACS for user authentication and RSA for two factor authentication.
    LAN Server are in IPv4 only..
    Requirement :
Client (IPv6) --- Cloud (IPv6) ---- Outside (IPv6) - Cisco ASA - Inside (IPv4) ----- ACS (IPv4) & RSA (IPv4)
    Client with IPv6 internet connectivity connect to SSL VPN with IPv6, Cisco ASA outside interface with IPv6 address will receive the request.
Questions:
    1. Will Cisco ASA check two factor authentication with ACS and RSA both are in IPv4 address for an IPv6 client ?
2. Once authenticated, Cisco ASA can assign an IPv4/IPv6 address pool to the client. If I prefer only an IPv4 address pool and the client gets an IPv4 address as its tunnel interface IP address, will it work? That is, IPv4 over an IPv6 SSL VPN tunnel.
    Thanks
    Sankar

    AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses, with IPsec IKEv2 we only support IPv4 addressing. 
Queries to AAA servers are a separate process from the user <-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods.

  • HT1541 the email informing the giftee that album has been sent has not arrived after many resends. Email address is fine. Have even tried a second email address and still no joy!!!

    the email informing the giftee that album has been sent has not arrived after many resends. Email address is fine. Have even tried a second email address and still no joy!!!
    Anyone out there with any ideas?

    Your dad should go here:
    http://www.apple.com/support/itunes/contact/
    and follow the instructions to report the issue to the iTunes Store.
    Regards.

  • Weblogic 9.2 move to private address

    Hello,
    I really appreciate any help from the community.
Now I have a 9.2 cluster with EJBs deployed and listening on public internet addresses.
Clients connect to the cluster using t3 (RMI).
Now we need to start the cluster on private addresses behind the NAT.
How should I reconfigure the cluster to listen on private addresses while clients still connect to the public internet DNS name, which we then NAT to the private address?
    In docs I see:
    Use of ExternalDNSName is required for configurations in which a firewall is performing
    Network Address Translation, unless clients are accessing WebLogic Server using t3 and the
    default channel.
But I use t3. Is there any other way to do it?
    Thanks in advance.

    Hi,
    Please add the following JAVA_OPTIONS in your server startScript:
    set JAVA_OPTIONS= %JAVA_OPTIONS% -Djava.library.path=C:\bea\weblogic92\server\native\win\x64;C:\bea\WEBLOG~1\server\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\bea\WEBLOG~1\server\native\win\x64\;C:\bea\WEBLOG~1\server\bin;D:\oracle\product\102~1.0\client_1\jdk\jre\bin;D:\oracle\product\102~1.0\client_1\jdk\bin;C:\bea\WEBLOG~1\server\native\win\x64\oci920_8;D:\oracle\product\10.2.0\client_1\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    The above complete thing is one line without any space in it. The only space is there between %JAVA_OPTIONS% and -Djava.library.path
    Thanks
    Jay SenSharma
    http://jaysensharma.wordpress.com (WebLogic Wonders Are Here)

  • Cache Engine with a private address

    Can I configure my CE590 with a private address ( for ex. 172.16.1.1 )
    Should I translate this private address to a public address ?
    The sample configuration in the below URL comment :
    !---Important: If you configure the Cache Engine
    !---with a private address, it must get!---translated to a public address. "
    http://www.cisco.com/warp/customer/117/cache_engine/transparentconfig.htm
    please advise me
    Thanks
    Mohamed Abdallah

    Should I configure a static NAT on the router for the CE ip address
    OR use the PTR record in my DNS for the CE ip add. for the DNS reverse lookup ??
Answer: In any event, you will need a PTR record configured in your DNS network for the CE ip address. This must be a public record so that the internet sites can do a reverse lookup. The best-case scenario for security is to configure static NAT on the router with a public ip address that resolves to the internal private ip address of the CE.
    What if I give the CE a public IP address ? Do I need PTR record in my DNS for the CE ip address?
    Answer: You can certainly do that and it does make things a bit easier. For security though, I recommend going with the private ip with nat upstream.
    Regards
    Pete..

  • Gateway WAN interface has no IP, private address

I am trying to set up a gateway on a new install of OS X 10.6. I have the WAN connected to the first ethernet port on my XSERVE, which connects to my cable modem. The second ethernet port connects to a DIR655 wireless router (I have it set up to only function as a switch and wireless, no DHCP or firewall). The internal network is working fine, and the XSERVE is routing and doing DHCP. However, the WAN connection cannot get an IP address from the modem... It has an automatic private address. The connection is working; I tried it directly into a computer. But it will not work on the xserve. I have powered off all equipment and still no luck. I have tried both straight-through and crossover ethernet cables. Please help!

    It could be a firmware related issue. Reset the router and perform a firmware upgrade. If you are using the latest firmware already, re-flash the firmware. Once done with the firmware re-flash/upgrade, reset and reconfigure the gateway.

  • How do I install Tiger with a smaller footprint??

    I seem to run into a problem with re-installing Tiger on my Mac Mini Core Duo 1.66 with a 60GB drive. It says I only have 39.7GB free so how can I install with a smaller footprint without all of the applications that I don't need??

    Hi Dougled, Welcome to Apple's Users Help Users Forums.
With over 50% free, space is not the cause of your problem. You can safely delete (or do a custom install without) unneeded printers and foreign languages. Don't mess with Fonts unless you are sure of yourself.
    A forum search on "install 10.4." will give you lots of suggestions.
    Good Luck, JP

  • Small Footprint Router

Does anyone know if Cisco offers a device that is capable of performing layer 2/3 services (supports T1 cards) and is in a smaller footprint than, say, the 2800 series?
    Thanks,

I would suggest getting an 1800 rather than a 1700, as it may get end-of-lifed in the near future.
    http://www.cisco.com/en/US/products/ps5853/index.html
    Note this router is not rack mountable.

  • IOS XR - ipv4 virtual address

In case of a failover between RPs on the GSR, I tend to lose the ssh /
telnet session for a few minutes.
Does this ipv4 virtual address need to be configured? How does it help? I have configured it but still lose my connection.
    ipv4 virtual address 10.10.138.19 255.255.255.248
    MgmtEth0/8/CPU0/0              unassigned      Up                    Up
MgmtEth0/9/CPU0/0              10.10.138.20   Up                    Up
    Thanks.

    Hello Atif,
    in order to have a working virtual address both management interfaces need to have an IP address in the same IP subnet
    see from one of our CRS:
    sh ip int br | inc Mgmt
    MgmtEth0/RP1/CPU0/0            10.85.17.50     Up                    Up     
    MgmtEth0/RP0/CPU0/0            10.85.17.49     Up                    Up    
    then you configure the virtual IP address in the same IP subnet
    sh run | inc 10.85.17.
    Building configuration...
    ipv4 virtual address 10.85.17.51 255.255.255.240
    10 permit ipv4 10.85.17.48 0.0.0.15 any
    ipv4 address 10.85.17.49 255.255.255.240
    ipv4 address 10.85.17.50 255.255.255.240
    Hope to help
    Giuseppe

  • "The even-numbered length of the DEC field I_DFZ_EX can lead to problems"

    Hi All,
    I am getting the following warning message while activating the PP datasources,
    2LIS_04_P_MATNR
    2LIS_04_P_ARBPL
    Warning Message: "The even-numbered length of the DEC field I_DFZ_EX can lead to problems"
                                   "The even-numbered length of the DEC field I_DLZ_EX can lead to problems"
                                   "The even-numbered length of the DEC field S_DFZ_EX can lead to problems"
                                   "The even-numbered length of the DEC field S_DLZ_EX can lead to problems"
    Checked in SDN, but no answer.
    Need your expert solution, to resolve.
    With Regards,
    Sekhar

    Thank you Des, for immediate response.
But I have already gone through the Note.
As we are using the standard datasources, can you suggest which option I should use to resolve this?
    Solution
    If the field is not manipulated in the customer exit or elsewhere, no
    processing is required.
    If you change the field, the following possible solutions are available:
    1. You can make sure that the number of the characters does not
    increase after the manipulation.
    2. If you can change the extract structure of the DataSource without
    affecting other scenarios (for example, if it was generated in
    transaction RSO2), you can increase the length of the DEC field (or
    CURR, QUAN) there to the next odd character (in the example above:
    from DEC 4 on DEC 5).
    3. If neither of these solutions are possible, you can use a customer
    append that contains a relevant DEC field (or CURR, QUAN) with the
    next highest odd length. This can be used for the result of the
    calculations. This means that you do not have to manipulate the
    previous field.
    With Regards,
    Sekhar

  • Error  The even-numbered length of the DEC field LC_SRV_DURATION can lead t

    Hi Guys,
    When I activate or generate Datasource '0CRM_SRV_PROCESS_H' it gives me following warning
    'The even-numbered length of the DEC field LC_SRV_DURATION can lead to problems'.
Actually, the field LC_SRV_DURATION is type DEC and length 10.
I know this is only a warning, but still it is not allowing me to activate.
I have seen some threads regarding this, but none of them have a solution.
    Can you please throw some light on this  ?
    Thanks
    Jimmy

    Hi jimmy,
    The reason for the error will be clear for you when you check the following link 
    http://help.sap.com/saphelp_nw2004s/helpdata/en/cf/21f2f2446011d189700000e8322d00/content.htm
    And check your table if you put the even number for the decimal field.
    With regards
    Chandru

  • Small footprints?

Cisco seems to be good at 'small carbon footprint', which is all well and good, but...
    I have to nail the switches onto the wall because they no longer fit in the d@mn racks!
    Not every building has a full-depth rack, unfortunately. In older buildings I have to make do with what was put in for phone patching.
    And often, if we don't watch the contractors very carefully, they still sneak in shallow racks today.
    And you can't get a full-depth 8U rack.
    (For smaller locations)
    Having a bunch of 2960 8ports is a mess both in the rack and management wise.
    Is it really that difficult to build shallow-depth switches?
    I'd love 24port or 48port switches that's no deeper than the stone-age 2950 (9.5" ), even if they were 2U instead of 1U...
Sorry... Just venting...
    (About to start replacing 3750-24port switches with 2960XR-48ports... and in dire need of a shoehorn... )

It seemed to me that switches started being 45-50cm deep when PoE and stackable switches came out.
    You have to think of the features such as stacking, PoE, power stacking, redundant PSU's etc.
    If you want all these features, then you are going to get deeper switches to accommodate bigger PSU's and fans etc for cooling.
They can't get wider, so they will need to get deeper :)
