Clarification

[arstacey]

I am really just looking for some clarification on an issue I am working on. We currently use a hardware VPN to connect our 32 location back to the corporate office where they use Terminal Services to run our point-of-sale system. In order for the vpn to work, each location has to be on it's own subnet. The people who initially set everything up set the corporate ip scheme as 192.168.1.x. subnet 255.255.255.0.

So in order to get the vpn to work, I set each location up as 192.168.2.x, 192.168.3.x, and so forth. The problem is, we are running out of ip's at the corporate office due to the 254 ip limit of that specific subnet. This is what I want to do:

Set the corp scheme to 10.[location].[devicetype].[device]

For example, an access point at the corp office may be 10.1.5.1 and a webserver may be 10.1.2.1. Location 101 may be 10.2.1.1 for the first machine and 10.2.0.1 for their vpn firewall/router. I want the second octet to be the one that dictates the location.

My problem is in the subnet mask. Do I set it to 255.255.0.0? I know that 255.0.0.0 works but doesn't that put everything on the same subnet? I was the subnets segregated, which is required for the vpn to work. Thanks in advance for any advice.

[Met44]

You may want to read up a bit on subnetting and variable length subnet masks (VLSM) if you are looking to conserve address space. There are lots of free resources on this - Cisco has a good one here: http://www.cisco.com/warp/public/701/3.html.

Switching to a 10. network could be a good idea, especially if it is a growing company. You would want to use a /16 (or /24) mask if you were not taking advantage of VLSM, which I would encourage you to do if you can understand it, as it will save you more address space (which is probably a non-issue for you with a 10.0.0.0/24 network), but it also looks a little nicer logically.

To answer your question, you must consider what the subnet mask is doing for you. It tells you how much of your IP address is used to define the network address - basically, the non-zero bits are your network bits. ALL network bits must match for two computers to be considered on the same subnet. Consider:

10.1.5.4 /16 is on the same network as 10.1.100.253 /16.

Why? The /16 is shorthand to say the first 16 bits of the IP address (remember that an IP address can be expressed in binary notation, where each number shown represents one bit, rather than decimal as above) is used to define the network. A /16 mask can be expressed in decimal notation as 255.255.0.0.

From a computer's point of view, it "chops off" anything that is not a network bit when trying to match up two IP addresses to see if they exist on the same network. How does it know where to chop? The subnet mask tells it to chop beginning at the first zero (in binary notation - but it happens to also work in decimal notation in this demonstration). This is what your computer sees from the above example:

10.1.0.0 is equal to 10.1.0.0. The computers are on the same network.

Now take these two:

10.1.5.4 /24 and 10.10.10.10 /24

Notice the /24 mask (255.255.255.0). Your computer applies the subnet mask to each IP address, and then compares the two values:

10.1.5.0 is not equal to 10.1.10.0. Different networks.

A 10.0.0.0 /8 (255.0.0.0 mask) would indeed put all of your nodes on the same network.

If the above does not make much sense to you, I would recommend doing some reading on subnetting - the Cisco link above gives a good overview, and there are many other resources online covering the "ropes" of the subject. There is more to subnetting than may first meet the eye, but once you have the concepts tied down it is really not bad at all.

Other advice would be to definitely make sure you have a plan well thought out before implementation, especially if you are going the VLSM route. Make sure to double check that you are not using overlapping address space on multiple networks in your plan, before you start changing things over. Good luck!

[Snurfen]

VLSM - the best way to go for this sort of setup. It takes a little getting your head around, but is worth the effort.

On the link provided by Met44, you probably won't be able to use the subnet calculator (need to be a Cisco partner) .
Here's a good one.