
Network Resubnetting - Running out of IPs - Advice?


Question

xendrome

Hey guys,

 

Current setup - 172.16.50.0/24 with a superscope handing out addresses, say 172.16.50.100 to 150 and 172.16.51.100 to 150.

I have multiple sites connected via dark-fiber and am looking at moving to 172.16.50.0/21 which will give usable addresses of - 172.16.48.1 - 172.16.55.254.

 

All of my statically assigned clients are reservations, and I can work with Server 2016 DHCP to reconfigure that or remake the entire scope if I have to do it manually. My main concern is my core router and switches: can I set them manually to the new subnet as I move through this process, or do I have to do all of this at once to ensure connectivity? All of the clients will reside within 172.16.50.0/24 until I have those devices totally changed. I assume that since that range falls within the new subnet as well, everything should still be able to talk.

 

Any suggestions or input would be great.

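As an added illustration (not from the thread), this Python snippet checks the assumption in the question: it normalises the target prefix, confirms the old /24 sits inside it, and flags which host pairs become asymmetric while some devices already carry the /21 mask and others still carry /24. The host list is constructed for the example.

```python
import ipaddress

OLD_NET = ipaddress.ip_network("172.16.50.0/24")
# The question writes the target as 172.16.50.0/21; strict parsing rejects that
# because host bits are set, so normalise it to its real network address.
NEW_NET = ipaddress.ip_network("172.16.50.0/21", strict=False)   # 172.16.48.0/21

# Constructed snapshot of a mid-migration campus: the core router and one PC are
# already on the /21 mask, the file server and another PC still carry the old /24.
HOSTS = {
    "core-router": ipaddress.ip_interface("172.16.50.1/21"),
    "file-server": ipaddress.ip_interface("172.16.50.20/24"),
    "pc-old-mask": ipaddress.ip_interface("172.16.50.120/24"),
    "pc-new-mask": ipaddress.ip_interface("172.16.48.40/21"),
}

def old_scope_fits_new() -> bool:
    """The poster's assumption: the existing /24 is entirely inside the new /21."""
    return OLD_NET.subnet_of(NEW_NET)

def considers_on_link(src, dst) -> bool:
    """True if src will ARP for dst directly rather than hand the packet to its gateway."""
    return dst in src.network

def reachability(hosts):
    """Classify every ordered pair as direct, via-gateway, or asymmetric.
    'asymmetric' is the case to watch during a staged mask change: one side ARPs
    directly while the other routes through the core, so reachability depends on
    the router forwarding (or proxy-ARPing) back onto the same segment."""
    out = {}
    for a, ia in hosts.items():
        for b, ib in hosts.items():
            if a == b:
                continue
            fwd = considers_on_link(ia, ib.ip)
            back = considers_on_link(ib, ia.ip)
            if fwd and back:
                out[(a, b)] = "direct"
            elif not fwd and not back:
                out[(a, b)] = "via-gateway"
            else:
                out[(a, b)] = "asymmetric"
    return out

def asymmetric_pairs(hosts):
    """Unordered pairs that need attention before the mask change is complete."""
    r = reachability(hosts)
    return sorted({tuple(sorted(k)) for k, v in r.items() if v == "asymmetric"})

if __name__ == "__main__":
    print("new network:", NEW_NET, "| old scope inside it:", old_scope_fits_new())
    for pair in asymmetric_pairs(HOSTS):
        print("asymmetric:", *pair)
```

Hosts still on /24 keep reaching a router at 172.16.50.1 whatever mask the router itself carries, which is why the router can be moved first; the pairs flagged asymmetric are the ones where a /24 host talks to a device that has already been renumbered into 172.16.48.x-49.x or 52.x-55.x.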

5 answers to this question

+BudMan
9 minutes ago, xendrome said:

I have multiple sites

That is great and all that you're all connected via DWDM... But I really wouldn't suggest 1 flat network.. This gives you way less control if you need to do anything specific, etc.

 

I would plan out your address space so each site can have plenty of space and ability to segment as well for isolation of different classes of devices and or users, etc.

xendrome
4 minutes ago, BudMan said:

That is great and all that you're all connected via DWDM... But I really wouldn't suggest 1 flat network.. This gives you way less control if you need to do anything specific, etc.

 

I would plan out your address space so each site can have plenty of space and ability to segment as well for isolation of different classes of devices and or users, etc.

Well, let me rephrase it. These are buildings all on a single campus, next to or across from each other. Each building has just a few computers; some have 4, some have 15, for a total of about 89 systems. We are currently running Unifi APs with a guest network, which is isolated, and we see a lot of temp connections throughout the day from iPads, cell phones, Apple Watches, etc. taking up a lot of address space.

 

I don't really want to segment the buildings from each other as they do share resources, printers, servers between each other. 

 

My biggest concern is the order at which the resubnetting has to be done.

+BudMan

Yeah so what if they share.. Being on multiple segments has nothing to do with accessing a printer or a file share.

 

If you're to the point that you're thinking of using a /21 because of addresses needed.. Buildings, shoot, even floors in the same building should be on their own segments..

 

If you have only 89 systems, what is the point of a /21?

 

Your wireless for damn sure should be on its own segment!!!

xendrome
Just now, BudMan said:

Yeah so what if they share.. Being on multiple segments has nothing to do with accessing a printer or a file share.

 

If you're to the point that you're thinking of using a /21 because of addresses needed.. Buildings, shoot, even floors in the same building should be on their own segments..

 

If you have only 89 systems, what is the point of a /21?

Well, if you have a better suggestion on the subnet I should use, I am all ears. With the static devices, wireless clients, etc., our DHCP range is running out of IPs, and from everything I've read, superscopes are not really recommended. I don't really want to get down into VLANs or separating buildings/floors. I can give you more details on the setup as well if necessary.

+BudMan

If you need more addresses, you need more addresses - I would prob look to just using a lower lease time if you have a bunch of devices temp jumping on some guest network..

 

First thing I would do is isolate your wifi to its own segment.. You could give it a /16 if you have so many devices jumping on and off, etc. What it does for its address space doesn't affect your actual network once you segment it off.

 

Why do you not want control of your devices either at a logical level or a security level.. Types of devices for sure should be on their own segment.. Let's say your printer was compromised.

https://arstechnica.com/information-technology/2019/08/microsoft-catches-russian-state-hackers-using-iot-devices-to-breach-networks/

 

Why should your printers be able to talk to anything on your network? The communication from users/servers to printers should be 1 way.. You accomplish this via putting your printers (and any other IoT devices) on their own segments.. And then via your firewall not allowing them to create unsolicited traffic to anything else on your network - unless it's actually required.. say DNS, or some server to check for files it prints - maybe a log server, etc.

 

Are you running private VLANs? If you're just on 1 big L2 - then any device can talk to any other device on any port.. So idiot user #1 gets his box infected - how do you stop it from talking to everything else on your network? There are many different methods of segmenting out your network, best depending on a company's needs and use cases, etc. But segmentation gives you the ability to control connectivity outside user permissions and host firewalls. Allows you to contain any sort of outbreak of the next WannaCry worm - or whatever the next ransomware thing might be.. It is one thing to limit a user's account to only what it needs access to... But there are many devices that have zero reason to even talk to say a server, or other user devices. Be it they have a valid account or not - if they can talk to the service, it could be exploited via some zero day or unpatched issue, etc..

 

I personally would take the opportunity of needing more address space to rethink your whole network layout and provide for isolation..  The very act of segmenting your different devices will give you way more flexibility in growing address space for a specific segment..

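To make BudMan's advice concrete, here is an added Python example (not from the thread) that carves the /21 from the question into hypothetical per-role segments and then evaluates a default-deny allow-list for the printer segment, the "printers only initiate DNS and logging" pattern described above. Segment names, sizes, ports and rules are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Hypothetical carve-up of the /21 from the question; names and sizes are constructed.
PLAN = [
    ("servers", 24),
    ("users-bldgA", 24),
    ("users-bldgB", 24),
    ("printers-iot", 24),
    ("wifi-guest", 22),   # churny guest devices get the biggest pool
]

def carve(parent: str, plan):
    """Allocate non-overlapping subnets of the requested prefix lengths, largest first."""
    free = [ipaddress.ip_network(parent, strict=False)]
    alloc = {}
    for name, plen in sorted(plan, key=lambda p: p[1]):
        fits = [b for b in free if b.prefixlen <= plen]
        if not fits:
            raise ValueError(f"no room for {name}/{plen}")
        block = max(fits, key=lambda b: b.prefixlen)   # tightest free block
        free.remove(block)
        while block.prefixlen < plen:                  # halve until it is the right size
            block, spare = block.subnets(prefixlen_diff=1)
            free.append(spare)
        alloc[name] = block
    return alloc

Rule = namedtuple("Rule", "src dst proto port")
# Constructed allow-list: users/servers may open print jobs; printers may only
# initiate DNS and syslog towards the server segment. Everything else is dropped.
ALLOW = {
    Rule("users-bldgA", "printers-iot", "tcp", 9100),
    Rule("users-bldgB", "printers-iot", "tcp", 9100),
    Rule("servers", "printers-iot", "tcp", 9100),
    Rule("printers-iot", "servers", "udp", 53),
    Rule("printers-iot", "servers", "udp", 514),
}

def segment_of(ip: str, segs):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in segs.items() if addr in net), None)

def new_flow_allowed(src: str, dst: str, proto: str, port: int, segs) -> bool:
    """Default-deny decision for a new connection; same-segment traffic never reaches the firewall."""
    s, d = segment_of(src, segs), segment_of(dst, segs)
    if s is None or d is None:
        return False
    return s == d or Rule(s, d, proto, port) in ALLOW
```

A printer trying to open SMB to a user PC is refused while a user's print job and the printer's own DNS lookup pass, which is the one-way relationship the post describes.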