Slashdot Mirror


Local Network IPs - 10.0.0.0/8 or 192.168.0.0/16?

mike9010 asks: "After reading a few articles on the net about networking, I have come up with a question. It seems that most of them say to use 192.168.0.0/16 for a local network. Why not use 10.0.0.0/8 though? It is my understanding that it can hold a lot more IP addresses, and it is also prettier." What local network range are you using for your networks?

10 of 215 comments

  1. Why not? by iCEBaLM · · Score: 3, Interesting

    There's no reason why not. I have no idea why every manufacturer wants the masses to use the pretty confusing IP range when 10.0.0.0/8 is easier to remember/type.

    I use it myself. Nothing wrong with it.

    -- iCEBaLM

  2. Why? Why not? Because. by MattCohn.com · · Score: 5, Interesting

    There is no real reason to use one or the other except that many devices come with built in static IP addresses. I've seen some with 10.x addresses, others with 192.168.x addresses. I guess not looking at that, it just comes down to choice. I like 192.168 and use it on my home network... but my work network uses 10. JUST GO FOR IT MAN!

  3. What if your provider has a private network too? by epsalon · · Score: 4, Interesting

    The 10.x.x.x IPs are used for larger networks. Suppose you switch ISPs and get connected with an ISP with a NAT, or you VPN with some other network. Chances are they will be 10.x.x.x. In general use 10.x.x.x if you're running a large network and 192.168.x.x for a smaller network.

  4. Re:What about 172.16.0.0/12? by Magic+Thread · · Score: 5, Interesting

    I use 172.16.0.0/12. That way I don't have any problems connecting over VPN to networks that use 10.0.0.0/16 or 192.168.0.0/8.

  5. No real difference by blate · · Score: 4, Interesting

    The 192.168 and 10 networks are functionally equivalent except that the 10 network is class A and the 192.168 is class B (i.e. 10 is bigger).

    You will find that many off-the-shelf devices, like NAT/Routers from Linksys, Netgear, etc. use 192.168.x.x by default; some of them don't let you use anything else (I think Linksys locks you in to 192.168, but you can change the lower two octets).

    I personally use a 10.x.x.x network in my test lab at work, because it allows me to choose network addresses that make sense and are somewhat human-readable. If you're setting up a network for a business, it might make sense to use a 10 network just for expandability. Then again, if you need more than 64k addresses, you probably have bigger problems to deal with.

    One thing I like about the 10 networks is that when you see their addresses scream across a packet dump, you can immediately recognize them as "fake" addresses.

    One security/network citizenship point (assuming that your 10 or 192.168 network is behind a NAT connected to the outside world): your firewall/router should NEVER pass packets destined to or accept packets sourced from a fake address range (10/24, 192.168/16, etc.). This can lead to evil attacks, garbage traffic on or out of your network, and a whole host of problems.

    I inadvertently flooded my company's T1 line while running a test because our sysadmins hadn't configured our firewall to block outbound packets destined to a 10 address. A bug in a server I was testing caused it to send data back to the wrong address and our router happily sent the data out over the T1. No major harm was done, but a few people couldn't read their Slashdot until we discovered what the problem was.

    Bottom line: choose what works for you (which may be either address range).
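
Added example, not part of the thread: the border-filter rule from comment 5 written as a check over packets seen on the Internet-facing interface. It assumes the WAN interface itself has a public address; the function names and the sample packets are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges; these must never cross the Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls inside any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def wan_verdict(direction, src, dst):
    """Decide what a border filter does with a packet crossing the WAN link.

    direction is "out" (already NATed, leaving for the ISP) or "in"
    (arriving from the ISP, before any NAT translation).
    Returns (action, reason).
    """
    if direction == "out":
        if is_private(dst):
            return ("drop", "private destination leaving the site")
        if is_private(src):
            return ("drop", "un-NATed private source leaving the site")
    elif direction == "in":
        if is_private(src):
            return ("drop", "private source arriving from outside")
        if is_private(dst):
            return ("drop", "private destination arriving from outside")
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return ("pass", "public addresses on both ends")


def audit(packets):
    """Return only the packets a correct border filter would have dropped."""
    return [(p, wan_verdict(*p)[1]) for p in packets
            if wan_verdict(*p)[0] == "drop"]


# Constructed sample traffic on the WAN interface; documentation ranges
# (203.0.113.0/24, 198.51.100.0/24) stand in for public hosts.
SAMPLE = [
    ("out", "203.0.113.10", "198.51.100.7"),   # normal NATed request
    ("out", "203.0.113.10", "10.4.4.4"),       # buggy server replying to a 10.x address
    ("in",  "192.168.1.50", "203.0.113.10"),   # private source arriving from outside
    ("in",  "198.51.100.7", "203.0.113.10"),   # normal reply
]

if __name__ == "__main__":
    for pkt, reason in audit(SAMPLE):
        print("DROP", pkt, "-", reason)
```

The second sample packet is the kind of traffic that filled the T1 in the story above: an outbound packet with a 10.x destination that the router forwarded instead of dropping.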

  6. NAT within NAT by epine · · Score: 2, Interesting


    One detail to bear in mind: sometimes you need to NAT within NAT. You can end up with nested NAT zones. 10.x.x.x does *NOT* NAT well within 10.x.x.x. I've had to debug routing table illness for this situation several times.

    My company makes a security product with its own Linux host, and the host operates cameras with a private NAT of its own. In one version, we had the Linux host and cameras behind an 802 network gateway, and the gateway performed NAT. We had the gateway configured to create a 10.x.x.x network address space within the private NAT zone. Then one day I brought the system home and plugged it into my own 10.x.x.x private network.

    Do you think the Linux host inside the 10.x.x.x address space behind the 802 gateway NAT could access my local DNS server at 10.0.0.1 upstream from the 802 gateway? Not a chance.

    For this reason, I tend to use all three zones for different purposes, depending on the size of the zone, and whether I think the zones might someday become nested.
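
Added example, not part of the thread: one way the nested-zone failure in comment 6 (and the VPN clashes raised in comments 3 and 4) arises, shown as a longest-prefix route lookup on a host inside the inner zone. The thread gives no prefix lengths or gateway addresses, so the ones below are assumptions.

```python
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match: return the (prefix, next_hop) that wins for dst."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return (str(net), hop)


def shadowed(inner_lan, outer_nets):
    """Outer networks that overlap the inner LAN and so are hidden from it."""
    inner = ipaddress.ip_network(inner_lan)
    return [o for o in outer_nets if inner.overlaps(ipaddress.ip_network(o))]


def host_routes(inner_lan, gateway):
    """Routing table of a host behind the inner NAT: its own LAN plus a default."""
    return [(inner_lan, "on-link"), ("0.0.0.0/0", gateway)]


# Constructed addressing (assumptions, see lead-in).
UPSTREAM_NETS = ["10.0.0.0/24"]   # outer LAN that holds the DNS server
DNS = "10.0.0.1"

NESTED_10 = host_routes("10.0.0.0/8", "10.10.0.1")        # inner zone also in 10/8
NESTED_172 = host_routes("172.16.5.0/24", "172.16.5.1")   # inner zone renumbered

if __name__ == "__main__":
    # Inner host treats the DNS server as a neighbour on its own LAN,
    # so the packet is never handed to the NAT gateway.
    print(lookup(NESTED_10, DNS))
    # With a non-overlapping inner range the default route wins.
    print(lookup(NESTED_172, DNS))
    print(shadowed("10.0.0.0/8", UPSTREAM_NETS))
```

Running `shadowed()` against the address plan of any network a device may later be plugged into, or tunnelled to, shows the clash before it turns into a routing-table debugging session.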

  7. HP-UX 11 + (obsoleted) RFCs + 10.0.0.X = bad news by rklrkl · · Score: 2, Interesting

    Apparently, there are some now-obsoleted RFCs (RFC1878 and/or RFC1122) which don't allow a subnet portion of all ones or all zeros (binary).

    Rather incredibly, HP-UX 11 actually won't let you use a 10.0.0.X address by default because it blindly (and wrongly) follows these ancient RFC specs! If you don't believe me, check out this discussion, which thankfully does indeed have the fixes in the thread (patch PHNE_20633 and a hack to nddconf).

    Yep, we use 10.X.X.X addresses and got bitten by this with our HP-UX boxes :-(

  8. Re:I use 127.0.0.1 by DrSkwid · · Score: 2, Interesting

    0ms, which OS/NIC is that?

    64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.043 ms
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.053 ms
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.044 ms
    64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.061 ms
    64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.052 ms

    I had a situation where someone external to my network got lower pings to the game server sat on the LAN only 100Mbs away. It was NT adding the latency, dropping to 98 sorted it out.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter

  9. paper or plastic? by josepha48 · · Score: 2, Interesting

    It seems to me that this is kinda the same thing. 192.168/16 is actually a lot of address space, unless you are a really big company. One thing you could do is implement an ipv6 network and then do an ipv6 to 4 nat to access the internet.

    Alternately, nat allows a natted ipaddress to be natted again and again. So you could set up a 192.168.1.x network then each 192.168.1 consists of 192.168.0.x networks. That should give you about 255 * 255 or 65025 ip addresses to play with. It would be interesting to know if it worked and you have a 192.168.0.1 address that gets natted to 192.168.1.1 and then gets natted again to your public ip address.

    I think the 10's give more addresses without double natting so it depends on how much you expect your network to grow.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

  10. Badly allocated Private IP space headaches by bofus · · Score: 2, Interesting

    Management of your IP space is extremely important, if you are working in an environment that has more than a few sites/divisions/business units, etc. There is a lot of good information available about IP network design. Overall, the guiding principle is this:

    Reasonably estimate how many hosts will ever exist on a subnet, and use the RFC1918 netblock size that will best handle the hosts, and predicted expansion.

    For example, don't use 10.0.0.0/8 for your local LAN if you only have 20 machines. Decisions like this will come back to haunt you, especially if your organization starts developing a need to have routed links to vendors/remote sites/etc.

    With CIDR you can easily slice and dice your IP subnets allocations into correctly sized networks for the intended purpose. In very large enterprises, I've used 172.16/12 blocks broken down into /24s (or larger) for campus or business units, and 192.168.x.x /25-31 blocks for WAN links, point to point, etc.

    10/8 is something we stay away from, due to so many bad vendor documents that suggest that 10/8 is the preferred way to configure everything. A good example is MS Windows server clustering. Following the MS config documentation "to the letter" will result in the cluster blackholing 10/8. The documentation that accompanies this product instructs the user to configure the "cluster heartbeat" network connection (generally 2 hosts) using 10.0.0.0 with a Class A subnet mask. This means that the clustered servers will *never* be able to talk to any other host using a 10-net address. Digging a little further into the maze of MS documentation one will find articles on proper IP address allocation for heartbeat connections, but the MCSE Rocket Scientists that I deal with apparently didn't read past page 1. They decided that because the heartbeat was a "private" network they could just go ahead and allocate any IP range, and it would not affect the server's ability to communicate. DOH!

    Anyway, in general, if you concentrate on efficiently allocating your private IP space you will have far fewer headaches in the future. I've heard plenty of stories about people having to re-engineer idiotically designed 10/8 networks, but I can't ever recall hearing someone complain about how hard it is to fix a routed 192.168/24 network.
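
Added example, not part of the thread: the sizing principle from comment 10 as a small allocator that picks the smallest subnet for each host estimate and carves the blocks out of one RFC 1918 pool without overlap. The site names, host counts and the single 172.16.0.0/12 pool are assumptions made for the illustration.

```python
import ipaddress


def prefix_for_hosts(hosts, point_to_point=False):
    """Longest IPv4 prefix (smallest subnet) that still holds `hosts` machines."""
    if hosts < 1:
        raise ValueError("hosts must be at least 1")
    if point_to_point and hosts <= 2:
        return 31                      # RFC 3021: both addresses usable on a p2p link
    needed = hosts + 2                 # reserve network and broadcast addresses
    return 32 - (needed - 1).bit_length()


def allocate(pool, requests):
    """Carve non-overlapping subnets out of `pool`, largest first.

    requests: list of (name, expected_hosts, point_to_point).
    Returns {name: IPv4Network}. Largest-first keeps every block aligned.
    """
    pool = ipaddress.ip_network(pool)
    sized = sorted((prefix_for_hosts(h, p2p), name) for name, h, p2p in requests)
    cursor = int(pool.network_address)
    plan = {}
    for prefix, name in sized:
        net = ipaddress.ip_network((cursor, prefix))
        if not net.subnet_of(pool):
            raise ValueError(f"pool {pool} exhausted at {name}")
        plan[name] = net
        cursor += net.num_addresses
    return plan


# Constructed requirements: host counts include predicted growth.
REQUESTS = [
    ("office-lan", 20, False),    # the 20-machine LAN from the comment
    ("campus-a", 200, False),
    ("wan-link-1", 2, True),      # routed point-to-point link
]

if __name__ == "__main__":
    for name, net in allocate("172.16.0.0/12", REQUESTS).items():
        print(f"{name:12} {net}  ({net.num_addresses} addresses)")
```

The 20-machine LAN ends up with a /27 rather than all of 10.0.0.0/8, which leaves the rest of the private space free for later routed links to vendors and remote sites.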