
IP restructure


k3lvin

Hey there,

We are currently on a class C network address 192.168.0.x and we are starting to run out of addresses. The plan is to create a new class A scope on our DHCP server, then assign our servers a secondary address in the new range. This has not been tested, but we are hoping it works.

What is the best way to structure the new IPs? Is it recommended to stick everything in the same subnet or is this bad practice?

Network attributes:
20 servers
180 clients
20 printers
30 voip phones (not installed yet)
20 vpn users

Thanks, want to do this properly, as once this is set there's no going back!
 
What kind of network gear are you working with? Do you use VLANs? Why not carve things up with VLANs like

servers: 192.168.20.x
clients: 192.168.25.x
printers: 192.168.30.x

Create DHCP scopes from your Windows box (if you use Windows), then create static routes as needed.
 
HP ProCurve switches and a SonicWall router, Windows server environment. We do not use VLANs. So far I have a couple of servers and the SonicWall on the new 10.10.0.x/16 as well as the old 192.168.0.x/24 range.

I have a client machine on just the 10.10.0.x/16 range and it seems to be communicating (more testing is required). My ultimate question is what IP and subnet addresses do I go for? Can some people give me some examples of how things are set up on their networks? Thanks!
 
As you are planning VoIP phones, VLANs really are a necessity.

This is how to do it:
Your router has the default GW for each subnet
each subnet equates with a VLAN
trunk from the router to your network with all VLANs included
VLANs are trunked through your switches to where they are required.

Personally I would go for 4 subnets/VLANs:

Servers:
VLAN2, 10.10.2.0/24

VoIP:
VLAN5, 10.10.5.0/24

Clients1:
VLAN11, 10.10.11.0/24

Clients2:
VLAN12, 10.10.12.0/24

Separate the clients into two roughly equal halves based on your network topology: pick a common-sense group of switches with a common uplink or something to be VLAN11 and another group to be VLAN12.

Ignore the old fogeys who tell you to separate Clients into VLANs by function: that used to be the idea back in the 1980s/90s before Windows NT gave you control over who accesses what, but it's still in all the textbooks even though it's now a dumb idea for security reasons.

 
Ok I've decided VLANs are the way to go:

VLAN0 192.168.0.0/24 - Clients and Servers (a lot of work to change the servers so will keep the same for now, maybe deploy new servers on their own VLAN)
VLAN1 192.168.1.0/24 - This needs to be reserved
VLAN2 192.168.2.0/24 - Voip

But I have no idea how to set up a VLAN, can somebody help me on this? Is this all set up on routers or switches, or both? Also I was told that QoS needs to be set up on our switches. Is this true? I can't seem to find anywhere on our switches to enable this.

Network kit:
Cisco 1800 series router
SonicWall PRO 2040 firewall
HP J4865A ProCurve Switch 4108GL (I think these are layer 2 but not sure!)

Thanks
 
If it is a layer 2 switch, the vlan access ports are set up on the switch as well as the trunk port and encaps (must be dot1q), and the router is set up with subinterfaces...

router>en
router#conf t
router(config)#int fa0/1
router(config-if)#no ip add
router(config-if)#no shut
router(config-if)#exit
router(config)#int fa0/1.10
router(config-subif)#descr clients_and_servers
router(config-subif)#encaps dot1q 10
router(config-subif)#ip add 192.168.0.1 255.255.255.0
router(config-subif)#ip nat inside
router(config-subif)#int fa0/1.110
router(config-subif)#descr reserved
router(config-subif)#encaps dot1q 110
router(config-subif)#ip add 192.168.1.1 255.255.255.0
router(config-subif)#ip nat inside
router(config-subif)#int fa0/1.120
router(config-subif)#descr voip
router(config-subif)#encaps dot1q 120
router(config-subif)#ip add 192.168.2.1 255.255.255.0
router(config-subif)#ip nat inside
router(config-subif)#end
router#wr

This is assuming that the LAN port is fa0/1 in the router. The nat is if the router is doing NAT. Do not do the

router(config-subif)#ip nat inside

command if the FW is natting, of course.

and on the switch, I am not sure about HP...set up access ports for each node as access for vlan whatever, and the trunk port is encaps dot1q. On a layer 2 switch, you can only have one SVI for the native (untagged) vlan for management, which I recommend to make other than vlan 1 (default) for security reasons. Make it like vlan 69 (lol)...in the router...

router(config-subif)#int fa0/1.69
router(config-subif)#descr native_untagged_vlan_management
router(config-subif)#encaps dot1q 69 native
router(config-subif)#ip add 192.168.69.1 255.255.255.0

Then, in the switch, you also need to set the ip default-gateway to 192.168.69.1, and the ip address (SVI) of the native vlan (vlan 69, in this case) to 192.168.69.254, or something in that subnet.

If the HP is a layer 3 switch, then no subinterfaces are configured in the router, as the switch will route all the VLANs. This is MUCH faster since the inter-VLAN routing takes place in hardware (ASICs) as opposed to software (router interface via subinterfaces, a bottleneck...AKA router-on-a-stick).

HTH

/


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Tell us when you're starting to feel confident and on top of things and we can bring up QoS....
 
Actually, just one other thing: I thought about putting all servers and clients into 1 VLAN and decided it would add up to so many hosts (20 + 180) that you wouldn't be leaving much room for future growth.

It's up to you, but there's nothing worse than filling up a subnet and then having to plan a redesign after you've already gone to all the effort of configuring a new network.
 
Plus you really don't want more than 254 hosts in one subnet.

 
Hey guys thanks for all the help really appreciating it! (Sorry for the slow replies I'm pretty busy at the moment)

I now understand the concept of VLANs but I need to understand the topology to fully understand this. Is the topology that I have attached correct?

 
Looks good, apart from the typo in the bottom right-hand corner. Also, you will need to re-think your VLAN numbering as VLAN0 isn't valid as far as I know.

Don't forget your router will need routes for 192.168.0,1,2 pointing at your L3 switch, and the L3 switch will need a default route pointing to the router.

Your VLAN2 will presumably need an IP helper address pointing at your DHCP server which is presumably not on VLAN2.
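
An added example, not written by any poster in this thread: a small Python check that runs the two addressing plans discussed above (the flat 192.168.x plan and the four-VLAN 10.10.x plan) against the host counts from the first post. It flags unusable 802.1Q VLAN IDs, subnets with little growth room, and overlapping ranges. Placing the printers in the shared VLAN, the 90/90 client split and the 25% headroom threshold are assumptions.

```python
import ipaddress

# Plans taken from the thread. Host counts come from the first post; putting the
# 20 printers in the shared client/server VLAN is an assumption (the thread never
# places them), and the 90/90 client split is the "two roughly equal halves".
FLAT_PLAN = [
    ("clients_and_servers", 0, "192.168.0.0/24", 20 + 180 + 20),
    ("reserved",            1, "192.168.1.0/24", 0),
    ("voip",                2, "192.168.2.0/24", 30),
]
SPLIT_PLAN = [
    ("servers",  2,  "10.10.2.0/24",  20),
    ("voip",     5,  "10.10.5.0/24",  30),
    ("clients1", 11, "10.10.11.0/24", 90),
    ("clients2", 12, "10.10.12.0/24", 90),
]

def check_plan(plan, headroom=0.25):
    """Return a list of problems: bad VLAN IDs, full subnets, overlapping ranges."""
    problems, seen = [], []
    for name, vlan, cidr, hosts in plan:
        net = ipaddress.ip_network(cidr)      # raises ValueError if host bits are set
        # 802.1Q VLAN IDs 0 and 4095 are reserved; only 1-4094 can carry a VLAN.
        if not 1 <= vlan <= 4094:
            problems.append(f"{name}: VLAN {vlan} is not a usable 802.1Q VLAN ID")
        usable = net.num_addresses - 3        # network, broadcast, default gateway
        if hosts > usable:
            problems.append(f"{name}: {hosts} hosts do not fit in {net} ({usable} usable)")
        elif hosts > usable * (1 - headroom):
            problems.append(f"{name}: {hosts}/{usable} addresses used, little room to grow")
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other_name} ({other_net})")
        seen.append((name, net))
    return problems

if __name__ == "__main__":
    for label, plan in (("flat", FLAT_PLAN), ("split", SPLIT_PLAN)):
        print(label, check_plan(plan) or "ok")
```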
 
Ok yes sorry about the typo! I have another obvious question but still need to ask it. I assume the IP addresses of the switches will be native to their VLAN's address?

For example all the phones will need to be given an IP address on the 192.168.2.x/24 range by a DHCP server. So the switch they plug directly into needs to be on the 192.168.2.x/24 address (VLAN2) range too. (So that the DHCP server will allocate IP addresses to the phones on this range.)
 
No, not necessarily---routes just need to be made in the routers for them to get there. However, it would make the most sense, so yes, from a common-sense point of view.

 
Generally, people would rather manage just one DHCP server on the entire network, not have one DHCP server per VLAN. This means the DHCP broadcasts have to be forwarded by the L3 switch or router from the VLAN without a DHCP server on it to the VLAN with a DHCP server on it.
Generally it is best to forward the DHCP request to the server rather than forward it as a broadcast.

Also, the switch IP address is completely irrelevant to the functioning of your network - that address is used for managing the switch, nothing else.
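
An added example, not part of the original posts: a Python model of the relay behaviour described above, showing that the DHCP server chooses the scope from the `giaddr` field stamped by the relaying gateway interface, not from the switch's management address. The gateway 192.168.2.1 is the VoIP subinterface from the router config earlier in the thread; the server address 192.168.0.10 and the MAC are constructed values.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header up to chaddr (RFC 2131): op, htype, hlen, hops, xid,
# secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr.
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
GIADDR, HOPS = 10, 3

# Scopes on the single DHCP server, using the thread's subnets.
SCOPES = {"data": ipaddress.ip_network("192.168.0.0/24"),
          "voip": ipaddress.ip_network("192.168.2.0/24")}

def build_discover(mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER as a phone would broadcast it (giaddr = 0.0.0.0)."""
    zero = bytes(4)
    head = HDR.pack(1, 1, 6, 0, 0x1234ABCD, 0, 0x8000, zero, zero, zero, zero,
                    mac.ljust(16, b"\x00"))
    # sname + file (192 zero bytes), magic cookie, option 53 = DISCOVER, end.
    return head + bytes(192) + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"

def relay(packet: bytes, gateway_ip: str) -> bytes:
    """What the helper-address interface does before unicasting to the server."""
    fields = list(HDR.unpack_from(packet))
    fields[HOPS] += 1
    if fields[GIADDR] == bytes(4):            # only the first relay sets giaddr
        fields[GIADDR] = ipaddress.ip_address(gateway_ip).packed
    return HDR.pack(*fields) + packet[HDR.size:]

def pick_scope(packet: bytes, server_ip: str):
    """Server side: lease from the scope containing giaddr, else its own subnet."""
    giaddr = ipaddress.ip_address(HDR.unpack_from(packet)[GIADDR])
    key = giaddr if int(giaddr) else ipaddress.ip_address(server_ip)
    return next((name for name, net in SCOPES.items() if key in net), None)

if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("001122334455"))   # constructed MAC
    print(pick_scope(discover, "192.168.0.10"))                # data
    print(pick_scope(relay(discover, "192.168.2.1"), "192.168.0.10"))  # voip
```

A relayed request whose `giaddr` matches no configured scope returns `None` here, which corresponds to the server having no scope to lease from for that VLAN.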
 
Example---native vlan=231
ip address of switch=192.168.231.x

 