Network Resubnetting - Running out of IPs - Advice?

[xendrome 5,412]

Hey guys,

 

Current setup - 172.16.50.0/24 with a superscope handing out address say 172.16.50.100 to 150 and 172.16.51.100 to 150

I have multiple sites connected via dark-fiber and am looking at moving to 172.16.50.0/21 which will give usable addresses of - 172.16.48.1 - 172.16.55.254.

 

All of my static assigned clients are reservations and I can work with Server 2016 DHCP to reconfigure that or re-make the entire scope if I have to do it manually. My main concern is, my core router and switches, can I set them manually as I move through this process to the new subnet or do I have to do all of this at once to ensure connectivity? All of the clients will reside within 172.16.50.0/24 until I have those devices totally changed. I assume since that range falls within the new subnet as well everything should still be able to talk.

 

Any suggestions or input would be great.

[+BudMan 3,513]

9 minutes ago, xendrome said:

I have multiple sites

That is great and all that your all connected via DWDM... But I really wouldn't suggest 1 flat network.. This gives you way less control if you need to do anything specific, etc.

 

I would plan out your address space so each site can have plenty of space and ability to segment as well for isolation of different classes of devices and or users, etc.

[xendrome 5,412]

4 minutes ago, BudMan said:

That is great and all that your all connected via DWDM... But I really wouldn't suggest 1 flat network.. This gives you way less control if you need to do anything specific, etc.

 

I would plan out your address space so each site can have plenty of space and ability to segment as well for isolation of different classes of devices and or users, etc.

Well let me rephrase it. These are buildings all on a single campus, next to or across from each other. Each building has just a few computers, some have 4, some have 15. For a total of about 89 systems. We are currently running Unifi APs with a guest network which are isolated and we see a lot of temp connections throughout the day from ipads, cell phones, apple watches, etc taking up a lot of address space.

 

I don't really want to segment the buildings from each other as they do share resources, printers, servers between each other. 

 

My biggest concern is the order at which the resubnetting has to be done.

[+BudMan 3,513]

Yeah so what if they share.. Being on multiple segments has nothing to do with with accessing a printer or a file share.

 

If your to the point that your thinking of using a /21 because of addresses needed..  Buildings, shoot even floors in the same building should be on their own segments..

 

If you have only 89 systems, what is the point of a /21?

 

Your wireless for damn sure should be on its own segment!!!

[xendrome 5,412]

Just now, BudMan said:

Yeah so what if they share.. Being on multiple segments has nothing to do with with accessing a printer or a file share.

 

If your to the point that your thinking of using a /21 because of addresses needed..  Buildings, shoot even floors in the same building should be on their own segments..

 

If you have only 89 systems, what is the point of a /21?

Well if you have a better suggestion on the subnet I should use I am all ears, with the static devices, wireless clients, etc, our DHCP range is running out of IPs and everything I've read Superscopes are not really recommended. I don't really want to get down into VLANs or separating buildings/floors. I can give you more details on the setup as well if necessary.

[+BudMan 3,513]

If you need more addresses, you need more address - I would prob look to just using a lower lease time if you have a bunch of devices temp jumping on some guest network..

 

First thing I would do is isolate your wifi to its own segment..   You could give it a /16 if you have so many devices jumping on and off, etc.  What it does for its address space doesn't effect your actual network once you segment it off.

 

Why do you not want control of your devices either at a logical level or a security level..  Types of devices for sure should be on their own segment.. Lets say your printer was compromised.

https://arstechnica.com/information-technology/2019/08/microsoft-catches-russian-state-hackers-using-iot-devices-to-breach-networks/

 

Why should your printers be able to talk to anything on your network?  The communication from users/servers to printers should be 1 way..  You accomplish this via putting your printers (and any other iot devices) on their own segments.. And then via your firewall not allowing them to create unsolicated traffic to anything else on your network - unless its actually required.. say dns, or some server to check for files it printers - maybe a log server, etc.

 

Are you running private vlans?  If your just on 1 big L2 - then any device can talk to any other device on any port.. So idiot user #1 gets his box infected - how do you stop it from taking to everything else on your network?  There are many different methods of segmenting out your network best depending on a companies needs and use cases, etc.  But segmentation gives you ability to control connectivity outside user permissions and host firewalls.  Allows you to contain any sort of outbreak of the next wanna cry worm - or whatever the next ransomware thing might be.. There is one thing to limit a users account to only what it needs access to... But there are many devices that have zero reason to even talk to say a server, or other user devices.  Be it they have a valid account or not - if they can talk to the service, it could be exploited via some zero day or unpatched issue, etc..

 

I personally would take the opportunity of needing more address space to rethink your whole network layout and provide for isolation..  The very act of segmenting your different devices will give you way more flexibility in growing address space for a specific segment..