Slashdot Mirror


Local Network IPs - 10.0.0.0/8 or 192.168.0.0/16?

mike9010 asks: "After reading a few articles on the net about networking, I have come up with a question. It seems that most of them say to use 192.168.0.0/16 for a local network. Why not use 10.0.0.0/8 though? It is my understanding that it can hold a lot more IP addresses, and it is also prettier." What local network range are you using for your networks?

42 of 215 comments

  1. What about 172.16.0.0/12? by Sunlighter · · Score: 5, Insightful

    This is an intermediate one that isn't widely used.

    I don't think it matters too much; few businesses have as many as 64,000 computers, so the 192.168 is big enough. But the 10 makes it easy to do interesting things with the other numbers, like making the first number the department number, etc.

    --
    Sunlit World Scheme. Weird and different.
    1. Re:What about 172.16.0.0/12? by Magic+Thread · · Score: 5, Interesting

      I use 172.16.0.0/12. That way I don't have any problems connecting over VPN to networks that use 10.0.0.0/16 or 192.168.0.0/8.

    2. Re:What about 172.16.0.0/12? by nocomment · · Score: 3, Informative

      That's exactly it.

      Here at my company I use the 10/8 wherever I can.

      Set it up something like this

      10.0.0.0 = IT
      10.0.1.0 = dhcp range

      10.1.0.0 = IT at a different site
      10.1.1.0 = dhcp range 2nd site

      10.4.0.0 = test systems
      10.5.0.0 = production nat

      The ranges have been changed to protect the weak ;-) But you get the idea. I have seen a /24 fill up which was a huge pain so I use a /16 for the dhcp range. I will never ever run out of IPs.

      There's a couple of 192.168 networks scattered about, but this makes things really easy.

      I do use the 192.168.0.* range on my home LAN though.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    3. Re:What about 172.16.0.0/12? by macwhiz · · Score: 2, Funny

      I use a /24 chunk of 172.16.0.0/12, because it's a chunk that is easy for me to remember -- it maps to my birth date.

      Plus, if I wind up with more than 254 networked devices in the house, I'll either go bankrupt paying the power bill, or the girlfriend will kill me once she finds her way through the Cat5 to throttle my neck.

    4. Re:What about 172.16.0.0/12? by alatesystems · · Score: 2, Informative
      Well...I'd want the default subnet mask to be correct, so barring other concerns, I'd choose the IP range that has the subnet mask correct.

      CIDR, an acronym for Classless Inter-Domain Routing makes this irrelevant.

      Oh yes, and an Everything2 Node for your reading pleasure.


      Chris Benard

  2. Why not? by iCEBaLM · · Score: 3, Interesting

    There's no reason why not. I have no idea why every manufacturer wants the masses to use the pretty confusing IP range when 10.0.0.0/8 is easier to remember/type.

    I use it myself. Nothing wrong with it.

    -- iCEBaLM

  3. we use 10/8 by chongo · · Score: 2, Informative
    We use the 10/8 within our internal network. We have subnets such as 10.10/16 and 10.20/16 on which several LANs operate, usually at the /24 level.

    Use of 10/8 can be a fine choice.

    --
    chongo (was here) /\oo/\
  4. I use by The+Clockwork+Troll · · Score: 5, Funny
    I use the 66.35.192.0/18 block.

    It doesn't seem to conflict with anything important.

    --

    There are no karma whores, only moderation johns
  5. Why? Why not? Because. by MattCohn.com · · Score: 5, Interesting

    There is no real reason to use one or the other except that many devices come with built in static IP addresses. I've seen some with 10.x addresses, others with 192.168.x addresses. I guess not looking at that, it just comes down to choice. I like 192.168 and use it on my home network... but my work network uses 10. JUST GO FOR IT MAN!

  6. What if your provider has a private network too? by epsalon · · Score: 4, Interesting

    The 10.x.x.x IPs are used for larger networks. Suppose you switch ISPs and get connected with an ISP with a NAT, or you VPN with some other network. Chances are they will be 10.x.x.x. In general use 10.x.x.x if you're running a large network and 192.168.x.x for a smaller network.

  7. Pretty? by Henry+V+.009 · · Score: 3, Funny

    Oh sure, it's prettier if you are into the modern reductionist view of IP address beauty. I, for one, continue to prefer form and substance. How can someone compare 192.168 with 10.0? Praising 10.0 is like calling a blank canvas a masterpiece. Some people would not know real IP art if it hit them in the face.

  8. 10.0.0.0/8 by MazTaim · · Score: 4, Informative

    I actually asked this question once. Nobody could really give me a good answer. I personally prefer 10.0.0.0 over 192.168.0.0. It does look prettier, it's easier to type, and you do have more IPs to play with. Who has need for all those IPs is beyond me, but I say you can never have too many IPs.

    It does look prettier. Here is how I broke down my NAT network

    10.0.0.0-255 = Routers/Server - Kinda, sorta DMZ
    10.0.1.0-255 = Wired Workstations
    10.0.2.0-255 = Wireless Workstations
    10.0.3.0-255 = Test stuffage

    192.168.0.0 is the de facto standard for just about any router you buy off the shelf. Perhaps there is a valid reason?

  9. Broadcast domains. by cbiffle · · Score: 2, Insightful

    If you use same-size subnets in both cases, there's no difference between the 10-net and the 192-net.

    If you're using 10/8 vs. 192/24, and have enough computers to justify that, you'll want to break it up into subnets to limit the size of your broadcast domains.

  10. What ever you do PLEASE document it by MerlynEmrys67 · · Score: 4, Insightful
    Worked for a company doing networking software, so I kept a LARGE number of test devices/networks hanging off of my workstation on a test subnet... Problem was various company sites would drop off of my workstation when the IT dept. would randomly assign private addresses inside the company... I couldn't even get them to whack off a /16 for "test networks" because they thought that they would need all of the private address space scattered across all three ranges...

    So my advice is whack off 1/4 of the 10/8 space - and reserve it for true "private addressing" and use all of the rest of the private addressing ranges as you see fit

    --
    I have mod points and I am not afraid to use them
    1. Re:What ever you do PLEASE document it by Motherfucking+Shit · · Score: 2, Funny
      So my advice is whack off
      For once, good advice in a Slashdot post!
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  11. Re:What if your provider has a private network too by ArmorFiend · · Score: 4, Informative

    Furthermore, DO NOT use 192.168.0.XX. Because you might get a job with a vpn-ing company that uses that too. Get a random number under 256, and use that instead of 1.

    e.g. I use 192.168.88.XX. I used to use 192.168.1.XX, but guess what, I got a job ...

  12. IP Subnetworking by hawkstone · · Score: 5, Informative
    From the IP subnetworking HOWTO:
    There are also special addresses that are reserved for 'unconnected' networks - that is networks that use IP but are not connected to the Internet, These addresses are:-

    * One A Class Network
      10.0.0.0
    * 16 B Class Networks
      172.16.0.0 - 172.31.0.0
    * 256 C Class Networks
      192.168.0.0 - 192.168.255.0


    The one most often used by home networking products is 192.168.1.x in my experience, not the full /16. They are designed to hold 254 addresses, no more. Why are these designed for only a small number of IP addresses? Well, the home routers often have 4 ports, with maybe wireless. Are you really going to have a few hundred clients? Anyway, it's probably best to stick with the 192.168.1.x for a small network if you're planning on connecting to one of these. If not, do whatever floats your boat!
  13. Choose randomly by Fluffy+the+Cat · · Score: 4, Informative

    RFC 1918 recommends that you choose a network randomly in order to reduce the chances of colliding with any other internal network you may ever want to connect to.

    1. Re:Choose randomly by vitroth · · Score: 2, Funny
      You're not nearly geeky enough.

      The right answer is 8 d2's, and simple binary arithmetic.

      Or a perl one-liner.

      Take your pick.

  14. No real difference by blate · · Score: 4, Interesting

    The 192.168 and 10 networks are functionally equivalent except that the 10 network is class A and the 192.168 is class B (i.e. 10 is bigger).

    You will find that many off-the-shelf devices, like NAT/Routers from Linksys, Netgear, etc. use 192.168.x.x by default; some of them don't let you use anything else (I think Linksys locks you in to 192.168, but you can change the lower two octets).

    I personally use a 10.x.x.x network in my test lab at work, because it allows me to choose network addresses that make sense and are somewhat human-readable. If you're setting up a network for a business, it might make sense to use a 10 network just for expandability. Then again, if you need more than 64k addresses, you probably have bigger problems to deal with.

    One thing I like about the 10 networks is that when you see their addresses scream across a packet dump, you can immediately recognize them as "fake" addresses.

    One security/network citizenship point (assuming that your 10 or 192.168 network is behind a NAT connected to the outside world): your firewall/router should NEVER pass packets destined to or accept packets sourced from a fake address range (10/24, 192.168/16, etc.). This can lead to evil attacks, garbage traffic on or out of your network, and a whole host of problems.

    I inadvertently flooded my company's T1 line while running a test because our sysadmins hadn't configured our firewall to block outbound packets destined to a 10 address. A bug in a server I was testing caused it to send data back to the wrong address and our router happily sent the data out over the T1. No major harm was done, but a few people couldn't read their Slashdot until we discovered what the problem was.

    Bottom line: choose what works for you (which may be either address range).
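
The border-filter rule from the comment above, as an added example (not code from the thread): a check that flags packets crossing the internet-facing interface with a private destination on the way out or a private source on the way in. The flow records are constructed sample data using documentation address ranges, and the verdict strings are this example's own.

```python
import ipaddress

# The three RFC 1918 private blocks.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)


def wan_verdict(direction, src, dst):
    """Verdict for a packet seen on the WAN side of the NAT/firewall.

    direction is "out" (leaving toward the internet, after NAT) or
    "in" (arriving from the internet).
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if direction == "out" and is_private(dst):
        return "drop: private destination leaving the site"
    if direction == "in" and is_private(src):
        return "drop: private source arriving from outside"
    return "pass"


# Constructed sample flows: (direction, source, destination).
SAMPLE_FLOWS = [
    ("out", "203.0.113.10", "198.51.100.25"),  # NATed client to a public server
    ("out", "203.0.113.10", "10.1.2.3"),       # misdirected reply to a 10.x address
    ("in", "192.168.1.50", "203.0.113.10"),    # private source from the outside
    ("in", "198.51.100.25", "203.0.113.10"),   # ordinary return traffic
]


def audit(flows):
    """Return (direction, src, dst, verdict) for every flow that must be dropped."""
    findings = []
    for direction, src, dst in flows:
        verdict = wan_verdict(direction, src, dst)
        if verdict != "pass":
            findings.append((direction, src, dst, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```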

  15. I use 127.0.0.1 by s88 · · Score: 4, Funny

    It's lightning fast! I always have 0 msec pings!
    I highly recommend you try it.

    1. Re:I use 127.0.0.1 by DrSkwid · · Score: 2, Interesting

      0ms, which OS/NIC is that?

      64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.043 ms
      64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.053 ms
      64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.044 ms
      64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.061 ms
      64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.052 ms

      I had a situation where someone external to my network got lower pings to the game server sat on the LAN only 100Mbs away. It was NT adding the latency, dropping to 98 sorted it out.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  16. Re:FP... by man_ls · · Score: 2, Informative

    APIPA is Windows' way of doing "dhcp-less dhcp" for "fast" networks, where there's no DHCP server. I.e. a quick meeting workgroup with no external network connection.

    All the services will work over APIPA fine...file sharing, etc. just no central server is required to do it.

  17. Re:Don't go with the flow by jareds · · Score: 2, Informative

    Though honestly, you could use whatever you wanted with the proper network setup. After all, if the stuff isn't visible to the rest of the world, then it doesn't matter what you use. Worst case scenario is that you might stumble upon a computer in the real world with the same IP address as you, but that'd be rare. It might not even be a problem if you accessed it by a DNS entry through a DNS server that was external to your network, but I can't say that for sure.

    You're wrong. How the computer obtains the IP address is irrelevant. When it attempts to send a packet to that IP address, it will be routed to the computer with that address on the private network rather than the one in the real world.

  18. NAT within NAT by epine · · Score: 2, Interesting


    One detail to bear in mind: sometimes you need to NAT within NAT. You can end up with nested NAT zones. 10.x.x.x does *NOT* NAT well within 10.x.x.x I've had to debug routing table illness for this situation several times.

    My company makes a security product with its own Linux host, and the host operates cameras with a private NAT of its own. In one version, we had the Linux host and cameras behind an 802 network gateway, and the gateway performed NAT. We had the gateway configured to create a 10.x.x.x network address space within the private NAT zone. Then one day I brought the system home and plugged it into my own 10.x.x.x private network.

    Do you think the Linux host inside the 10.x.x.x address space behind the 802 gateway NAT could access my local DNS server at 10.0.0.1 upstream from the 802 gateway? Not a chance.

    For this reason, I tend to use all three zones for different purposes, depending on the size of the zone, and whether I think the zones might someday become nested.

  19. HP-UX 11 + (obsoleted) RFCs + 10.0.0.X = bad news by rklrkl · · Score: 2, Interesting
    Apparently, there are some now-obsoleted RFCs (RFC1878 and/or RFC1122) which don't allow a subnet portion of all ones or all zeros (binary).

    Rather incredibly, HP-UX 11 actually won't let you use a 10.0.0.X address by default because it blindly (and wrongly) follows these ancient RFC specs! If you don't believe me, check out this discussion, which thankfully does indeed have the fixes in the thread (patch PHNE_20633 and a hack to nddconf).

    Yep, we use 10.X.X.X addresses and got bitten by this with our HP-UX boxes :-(

  20. Hi, I'm ignorant. Pleeztameecha! by mstorer3772 · · Score: 2, Insightful

    I get all the mask/subdomain stuff, but what's the / at the end of the IP address mean?

    --
    Fooz Meister
  21. Disabling APIPA by Futurepower(R) · · Score: 3, Informative
  22. Pedantic correction: by Asprin · · Score: 4, Informative


    192.168.0.0/16 doesn't exist.

    It's really a set of 256 (254, really because you aren't supposed to use 0 or 255) /24 networks:
    192.168.1.0/24
    192.168.2.0/24
    192.168.3.0/24
    ...
    192.168.254.0/24

    Now, if you set up your internal routing and gateways correctly, the difference doesn't matter, but TECHNICALLY, since 192 starts with the binary digits '110', it's a class C (/24) network.

    FYI.

    Which (10.0.0.0/8 or 192.168.0.0/24) you use doesn't matter unless you need to connect your network to somebody else's, but a bad decision (or evaluation of capacity) early on can come back to create problems if your network grows beyond the address space you planned for it. GOOD DESIGN IS ESSENTIAL to preventing problems down the road. Usually the # of hosts you need on your network segments drives the decision. Some larger networks will use the /24 blocks for local departmental LANs, and hook them together with /8 block addresses on the internetwork routers, but there are gobs of ways to do it.

    I'd recommend searching Cisco's site for white papers on network design, or maybe googling for TCP/IP tutorials.

    --
    "Lawyers are for sucks."
    - Doug McKenzie
  23. Neither by anthony_dipierro · · Score: 3, Insightful

    Use IPv6 for your internal network.

  24. Re:Hi, I'm ignorant. Pleeztameecha! by Medieval_Gnome · · Score: 5, Informative

    It is a method of indicating how many bits in the address are part of the 'network' number, as opposed to the 'host' number. For example..

    In 10.0.0.0/8 that means there are 8 bits that identify the network (10.x.x.x) and 24 bits (IP addresses are 32 bits, 8 bits are already used for network; 32-8=24) for the machine number (the x.15.53.45)

    So now, for '192.168.0.0/16'. The 192.168 part is the network part, and the '/16' means the last 16 bits are used for hosts. When the slash-number is larger, that means the person with that IP range has less IPs. /24 means the user has 254 hosts at their disposal, while a /8 means over 16 million.

    I really hope this helps, sorry I'm not the greatest at explaining things.

    --

    :wq

  25. Re:Hi, I'm ignorant. Pleeztameecha! by shfted! · · Score: 3, Informative

    It's to separate the bitmask. An IPv4 address is 32 bits long, in big endian order (biggest value goes first, like our decimal system). The /XX is simply an abbreviated way of writing a subnet that starts with n 1's and ends with 32-n 0's. For instance, 10.0.0.0/8 means the 10.x.x.x network with a subnet mask of 255.0.0.0. 192.168.0.0/16 means the 192.168.x.x network with a subnet mask of 255.255.0.0. 192.168.123.128/26 means the 192.168.123.[128 to 192] network, with a subnet mask of 255.255.255.64.

    Almost always, if written in binary, subnets will look like a bunch of ones, then a bunch of zeros. Sometimes, it's convenient to have a subnet that does *NOT* designate a contiguous network segment. For instance, you might have 192.168.2.[64 to 127] and 192.168.3.[64 to 95]. In this case, this is a network 192.168.[2-3].[64-95] with a subnet mask of 255.255.253.32 (which can't be represented in the / form). Don't try this though, as certain buggy OS's might get confused.

    --
    He who laughs last is stuck in a time dilation bubble.
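
The slash notation discussed in the replies above, worked through as an added example (not code from the thread): it converts a prefix length to a dotted mask, converts a dotted mask back while rejecting masks whose one-bits are not contiguous, and reports the address range and host count of a CIDR block. All function names are this example's own.

```python
import ipaddress


def prefix_to_mask(prefixlen):
    """Dotted-quad netmask for a prefix length: n one-bits followed by 32-n zero-bits."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


def mask_to_prefix(mask):
    """Prefix length for a dotted mask, or None if its one-bits are not contiguous."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # Inverting a contiguous mask leaves 2**k - 1, and adding 1 to that
    # clears every set bit; any bit surviving the AND means a hole in the mask.
    if inverted & (inverted + 1):
        return None
    return 32 - inverted.bit_length()


def describe(cidr):
    """Summarise a CIDR block; raises ValueError if host bits are set in the address."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen >= 31:
        usable = net.num_addresses          # /31 point-to-point links and /32 hosts
    else:
        usable = net.num_addresses - 2      # network and broadcast addresses excluded
    return {
        "netmask": prefix_to_mask(net.prefixlen),
        "first": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    for block in ("10.0.0.0/8", "192.168.0.0/16", "192.168.123.128/26"):
        print(block, describe(block))
    print("255.255.253.32 ->", mask_to_prefix("255.255.253.32"))
```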
  26. CIDR! by tachyonflow · · Score: 5, Informative
    Welcome to the world of classless routing!

    192.168.0.0/16 certainly does exist. The first three bits have not dictated the netmask for years. See RFC1817 for more information on this. Here's a relevant excerpt (emphasis added):

    Classless Inter-Domain Routing (CIDR) ([RFC1518], [RFC1519]) is deployed in the Internet as the primary mechanism to improve scaling property of the Internet routing system. Essential to CIDR is the generalization of the concept of variable length subnet masks (VLSM) and the elimination of classes of network numbers (A, B, and C). The interior (intra-domain) routing protocols that support CIDR are OSPF, RIP II, Integrated IS-IS, and E-IGRP. The exterior (inter-domain) routing protocol that supports CIDR is BGP-4. Protocols like RIP, BGP-3, EGP, and IGRP do not support CIDR.
  27. paper or plastic? by josepha48 · · Score: 2, Interesting
    It seems to me that this is kinda the same thing. 192.168/16 is actually a lot of address space, unless you are a really big company. One thing you could do is implement an ipv6 network and then do a ipv6 to 4 nat to access the internet.

    Alternately, nat allows a natted ipaddress to be natted again and again. So you could setup a 192.168.1.x network then each 192.168.1 consists of 192.168.0.x networks. That should give you about 255 * 255 or 65025 ip addresses to play with. It would be interesting to know if it worked and you have a 192.168.0.1 address that gets natted to 192.168.1.1 and then gets natted again to your public ip address.

    I think the 10's give more addresses without double natting so it depends on how much you expect your network to grow.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

  28. Re:I use... by legend · · Score: 2, Informative

    Hopefully you don't try to access Los Alamos hosted Web Sites. http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.16.42.0

    --
    If you can't figure out my address, just drop me an e-mail and I will explain.
  29. There can only be one! by Anonymous Coward · · Score: 5, Funny
    I use a /24 chunk of 172.16.0.0/12, because it's a chunk that is easy for me to remember -- it maps to my birth date.

    On the 17th day of February, in the year of our Lord 1600, I was born a highlander. I am Colin McLeod of Clan McLeod and I cannot die.

    1. Re:There can only be one! by Glonoinha · · Score: 2, Funny

      >Friend 2: 10.0.0.4
      >Friend 3: 10.0.0.5.

      Three friends? Who are you and what have you done with the real Echnin?

      --
      Glonoinha the MebiByte Slayer
  30. Re:FP... by afidel · · Score: 5, Informative

    These are not BS. This was an IP block set aside for future use and Apple, MS, Sun, and others decided to use it for local link zero config stuff. This was codified by the ietf and is specified in RFC 3330 and other places.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  31. Re:A completely pointless question by Bombcar · · Score: 4, Funny

    You probably have a hard time spelling banana or Mississippi, don't you? :)

  32. Yes, mod as flamebait, but it's true. by Outland+Traveller · · Score: 2, Informative



    The correct answer to this question is RTFM. If you have to ask this question, you're not competent to plan out a large network.

  33. Re:Don't go with the flow by schon · · Score: 3, Informative

    Now granted this limits me to 256 IP's

    So if you're concerned about that, why not just change the mask to /16 instead of /24? Considering that the 172.(16-32).x.x addresses are all /16's anyway.

    honestly, you could use whatever you wanted with the proper network setup.

    Please, PLEASE, PLEASE, never do any network setup. Ever. Until such time as you understand what you're talking about.

    Worst case scenario is that you might stumble upon a computer in the real world with the same IP address as you, but that'd be rare.

    Depending on the range, "rare" is pretty subjective.

    It's not the specific IP address, but the whole network. When you take an IP address belonging to someone else, you are not only limiting yourself from talking to that one IP address, but you're limiting yourself from talking to every computer on that IP network.

    It might not even be a problem if you accessed it by a DNS entry through a DNS server that was external to your network

    Before giving out advice, please learn a little bit about IP. DNS means NOTHING.

  34. Badly allocated Private IP space headaches by bofus · · Score: 2, Interesting

    Management of your IP space is extremely important, if you are working in an environment that has more than a few sites/divisions/business units, etc. There is a lot of good information available about IP network design. Overall, the guiding principle is this:

    Reasonably estimate how many hosts will ever exist on a subnet, and use the RFC1918 netblock size that will best handle the hosts, and predicted expansion.

    For example, don't use 10.0.0.0/8 for your local LAN if you only have 20 machines. Decisions like this will come back to haunt you, especially if your organization starts developing a need to have routed links to vendors/remote sites/etc.

    With CIDR you can easily slice and dice your IP subnets allocations into correctly sized networks for the intended purpose. In very large enterprises, I've used 172.16/12 blocks broken down into /24s (or larger) for campus or business units, and 192.168.x.x /25-31 blocks for WAN links, point to point, etc.

    10/8 is something we stay away from, due to so many bad vendor documents that suggest that 10/8 is the preferred way to configure everything. A good example is MS Windows server clustering. Following the MS config documentation "to the letter" will result in the cluster blackholing 10/8. The documentation that accompanies this product instructs the user to configure the "cluster heartbeat" network connection (generally 2 hosts) using 10.0.0.0 with a Class A subnet mask. This means that the clustered servers will *never* be able to talk to any other host using a 10-net address. Digging a little further into the maze of MS documentation one will find articles on proper IP address allocation for heartbeat connections, but the MCSE Rocket Scientists that I deal with apparently didn't read past page 1. They decided that because the heartbeat was a "private" network they could just go ahead and allocate any IP range, and it would not affect the server's ability to communicate. DOH!

    Anyway, in general, if you concentrate on efficiently allocating your private IP space you will have far fewer headaches in the future. I've heard plenty of stories about people having to re-engineer idiotically designed 10/8 networks, but I can't ever recall hearing someone complain about how hard it is to fix a routed 192.168/24 network.
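
The heartbeat failure described in the comment above, as an added example (not code from the thread or from any vendor documentation): a longest-prefix-match lookup over a host routing table shows why a heartbeat interface given a /8 mask captures every 10.x destination, while a correctly sized mask leaves that traffic to the default gateway. Interface names, addresses and the remote network are constructed.

```python
import ipaddress


def connected_route(ifname, addr_with_prefix):
    """On-link route created when an interface is assigned an address and mask."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    return (iface.network, ifname, None)


def default_route(ifname, gateway):
    """Catch-all route sending traffic to a gateway."""
    return (ipaddress.ip_network("0.0.0.0/0"), ifname, ipaddress.ip_address(gateway))


def lookup(table, dest):
    """Longest-prefix match: the most specific route containing dest, or None."""
    ip = ipaddress.ip_address(dest)
    candidates = [route for route in table if ip in route[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda route: route[0].prefixlen)


def captured_by_connected(table, remote_networks):
    """Remote networks that an on-link route overlaps, so traffic never reaches a gateway."""
    hits = []
    for remote in map(ipaddress.ip_network, remote_networks):
        for net, ifname, next_hop in table:
            if next_hop is None and net.overlaps(remote):
                hits.append((str(remote), ifname, str(net)))
    return hits


# Constructed host: LAN on eth0, two-node heartbeat link on hb0.
AS_DOCUMENTED = [
    connected_route("eth0", "172.20.5.11/24"),
    connected_route("hb0", "10.0.0.1/8"),       # heartbeat with a class A mask
    default_route("eth0", "172.20.5.1"),
]
RIGHT_SIZED = [
    connected_route("eth0", "172.20.5.11/24"),
    connected_route("hb0", "10.0.0.1/30"),      # room for the two heartbeat hosts only
    default_route("eth0", "172.20.5.1"),
]
REMOTE = ["10.44.0.0/16"]                       # constructed 10-net site elsewhere

if __name__ == "__main__":
    for name, table in (("as documented", AS_DOCUMENTED), ("right sized", RIGHT_SIZED)):
        net, ifname, hop = lookup(table, "10.44.7.20")
        print(name, "->", net, ifname, hop or "on-link")
        print("  captured:", captured_by_connected(table, REMOTE))
```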