I'm looking to upgrade my hub and spoke network configuration, which currently utilizes the 192.168.0.0 IP scheme with varying third octets for five remote sites, and I'm considering a transition to VLANs as I roll out new firewalls. My main site hosts around 200 devices, including critical servers, while each remote site has 20-50 devices, all with static IPs. Should I go ahead and switch to a 10.0.0.0 network using a format like 10.site.vlan.0, or stick with the 192.168.0.0 scheme and keep organizing by the third octet? For the rollout strategy, I was thinking about implementing both the new VLAN setups and a temporary old range on the firewall, gradually migrating devices while tightening security policies. Does this sound reasonable? What issues might arise regarding the domain controller and DNS if I fully switch to the 10.0.0.0 scheme?
5 Answers
Going with a 10.x.x.x format for each VLAN would be a smart move. Just migrate from the old VLAN as planned. Your domain controllers should be fine; I usually run `dcdiag /fix` after a re-IP to catch any issues. Just remember to set up new DNS zones and don't skip the reverse lookup zones in your configuration. Also, be sure to define the subnets in Active Directory sites and services to keep everything organized.
I suggest making your IP schemes as unique as possible. Many users have problems when their home VPN IPs clash with work VPN IP schemes. I typically align the third octet with the building number for organization, which helps avoid confusion.
When I revamped my firewall setups, I organized our network into separate class C ranges for each site. Each site would have a range like 192.168.10.x to 192.168.19.x, subdivided into VLANs for different types of traffic. It looks like you've got a solid rollout plan already!
The 10.site.vlan.x approach is the way to go! It provides flexibility and makes future VLAN additions easier. I also recommend spacing out your VLAN numbers for security levels—higher numbers for sensitive systems and lower numbers for less secure devices like guest access.
Your plan sounds good, but definitely test it all in a lab first, especially if the new firewalls differ significantly from the old ones. I used a set of 172.16/12 addresses years back and it worked out well for us. Just take care during the transition phase, that's where issues often pop up.
I second that! I used a similar setup with 10.site.vlan.x. Just remember to update firewall rules and address objects. You could even add the new subnet as a secondary IP during the transition. This trick let me keep access to both old and new subnets while I switched static IPs around.