Should I subnet my network?

[roger85]

Hi Guys,

Need some advice with my Lan with regards to a possible change because we are running out of Private IP’s.

Let me start by explaining what we have.

15 HP Proliant Servers (all with dual nics setup as Teaming)

1 x HP 2824gb Switch (used for all servers only, port trunked to below switch)

3 x HP Procurve 4208vl Giga Switch’s (total off around 300gb ports split between all switches, loads spare)
No VLANS are setup.
Port trunking is used between switches
RSTP is enabled on all Switches

Each of the switches has been setup with port trunking to each switch ( 2 network cables to each switch, Ring Method)

Sonicwall Pro 2040 Firewall – 192.168.111.1

We have exactly 170 Desktop Computers.
30 Network Printers and other devices.

We have two Windows 2003 Domain Controllers each with split DHCP Scope, range is from 192.168.111.50 to 250

Anything below 192.168.111.49 is Server or Printer

Our network IP Structure is as follows

Flat network

Range 192.168.111.1 to 254
Mask 255.255.255.0
DNS1 DC1
DNS2 DC2
Wins DC1
Gateway 192.168.111.1

The network is a 2003 Domain, we have no need at all to split any departments up, and every user has many mappings to a mixture of servers.

I need to ensure that we don’t run out of IP Addresses, we are ok for now but need to get this sorted before it’s too late.

So I’ve done some very basic research and from I’ve read I can do something call Subnetting. PLEASE CORRECT ME IF I AM WRONG. My current MASK is 255.255.255.0 and my IP Range is 192.168.111.x, if I was to simply change my entire network mask to 255.255.0.0 I could then change the DHCP scope to use 192.168.222.1 to 192.168.222.254, leaving the Servers and Devices on 192.168.111.x network.

The above will let me have 254 addresses on 192.168.222.x for Desktops and 192.168.111.x for Servers, printers and devices, both ranges will talk and network will run fine.

254 addresses is more that perfect for our next 5 years so we won’t need to go above this.


Is the above correct?
As we have two internal DNS servers on the 2003 Servers each pc has a IP address allocated already with a dns name, this will change if I was to so a new scope, should I be doing something to the old DNS list ?
Am I doing this correct, or are there any better options?
Are there any problems that I could cause doing the above ?
Other than the above, what else could I do ?

From my understanding my Network switches are pretty good units, they can handle VLANS etc, but I’m negative towards VLAN’s as I see no need for such a small company to confuse the network by introducing VLANS, our network is based on every seeing every one including servers. As I said above were not intrested in setting up departments. To give you a idea 5 of our servers are Data Servers and they have data split all over them for all the users, secured by NTFS.

Last thing I must say is I don’t not want to introduce any possible problems as my network currently runs great without any issues. If you feel the above could cause major issues please say so.

Looking forward to help, please feel free to comment good or bad on my thoughts or network.

Thanks

 

[stduc]

254 addresses is more that perfect for our next 5 years so we won't need to go above this

I'm not quite with you as your current setup gives you 254 hosts.

Subnet Mask Subnet Size Host Range Broadcast
192.168.111.0 255.255.255.0 254 192.168.111.1 to 192.168.111.254 192.168.111.255

You could change the mask to 255.255.254.0? which would give you 510.

Subnet Mask Subnet Size Host Range Broadcast
192.168.110.0 255.255.254.0 510 192.168.110.1 to 192.168.111.254 192.168.111.255

But I'm not sure why you need to do anything.

[navy]When I married "Miss Right" I didn't realise her first name was 'always'. LOL[/navy]

 

[roger85]

Thanks mate,

I think i have made it not clear enough, let me try again.

Let me start by saying yes 254 addresses for Desktops would be perfect, we dont have this at the moment as the current network is shared between servers and desktops.

At the moment we have a single flat network " 192.168.111.1 - 254"

This is for absolutly everything, servers, pcs, printers etc.

we have around 30 spare ip's we can use, this is ok for now but down the line will cause me problems.

so i want to possibly setup the servers and printers on the 192.168.111.x netowrk, and then all the PC's on the 192.168.222.x netowrk.

So what i'm asking is if i change my mask right now for all devices to 255.255.254.0 i could change my dhcp scope to 192.168.222.1 to 192.168.222.254.

This would leave the servers on the 192.168.111.x netowrk, and anything else would be on the 192.168.222.x network.

The gateway would remain as 192.168.111.1 for both networks.

So in the end i have two networks, 111.x for all servers and printers/swithcs etc, and 222.x for all desktop comptuers.

Would i need to do anything on the DNS servers ?

What are the downside of what the above would do ?

254 address for all desktops would be fine.

Thanks guys

 

[stduc]

You would need a router for your plan. Without a router devices cannot "see" more than their network.

Devices like Servers and printers need static IP's anyway. Not a problem as they don't change and you you don't want their IPs to change.

In your situation I would simple manually configure the static devices in whatever range I felt appropriate. I would set the DHCP server to use a range I wanted with a suitable mask.

One simple way would be using your plan.

change DHCP scope to 192.168.222.1 to 192.168.222.254 subnet mask 255.255.0

Configure static devices - servers etc to be in the 192.168.111.x range subnet mask 192.168.0.0

All on one network though. Otherwise you will need to configure a router!

Personally I tend to use 192.168.0.1 as the gateway
192.168.1.1 though 192.168.99.254 for PCs DHCP range
192.168.100.1 though 192.168.100.254 for servers
192.168.200.1 through 192.168.200.254 for printers
192.168.210.1 through 192.168.210.254 for scanners
192.168.220.1 through 192.168.220.254 for Fax machines

1 network subnet mask 255.255.0.0 - 1 network - no router complications.

Why? Because its easy to remember - up to 99 it's a PC - 100 it's a server - etc.

You don't need to get into different networks and using routers unless network contention and congestion become an issue.

[navy]When I married "Miss Right" I didn't realise her first name was 'always'. LOL[/navy]

 

[theravager]

Advantage of changing the mask to 255.255.254.0 is that everything will still work fine and you can take your time to update anything that has static addresses. (note stuff using on one of the new addresses won't be able to talk to devices that haven't had their mask updated).

This would not have been advisable to make a subnet so large a while back, but with modern switches its not a big deal.

 

[roger85]

Thanks Again Guys,

reading about i'm going to go ahead and do the following on my live lan.

First change mask to 255.255.254.0 for all kit allocated with a Static IP Address, this includes servers, printers and my Firewall (gateway)

Second, change my dhcp scope to new ip address range of 192.168.222.1 - 250

Is above correct, sorry but sounds a little too easy ?, i really dont want to start buying new routers etc.

Third, how about my current dns servers, as currently they are populated with the current addresses does this need to be flushed or something ?

Cheers

 

[Dinkytoy]

Why not do the following as you have a Sonicwall 2040.

You've got 192.168.111.0/24 already setup and working.

Why not add 192.168.222.0/24 to your Firewall on another interface. Ensure full access between the two on it and the Firewall will take care of the routing.

It is NOT advisible to try and run it all on a single /16 subnet. I'm extremely suprised people are recommending this to you.

At the very least, you should setup a VLAN for each, and have a layer 3 switch to route between them.

 

[roger85]

Thanks for the update mate, but can you tell me why you think i need to look at the VLAN side of things, as i said we have a very basic level network, all i need to do is expand the IP structure for possible more pc's in the future.

I was thinking the following:

192.168.111.x for all server and printers.
192.168.222.x for all desktop pc's
255.255.224.0 mask for all equipment
192.168.111.11 gateway for all qquipment.

Our network switchs are 3 x HP 4208GB UNITS.

Introducing a VLAN, and using the sonicwall with another lan port to me simply means complicating the network.

 

[PeterHurst]

Although there are advantages to using subnets on a flat layer two network it doesn't reduce much of the underlying chatter at layer 2 if you don't segregate into VLANs

It's not clear whether you're segregating just for tidyness or for added security but deploying L2 VLANs along with subnetting is usually the way to go - you can segregate different data completely which can make diagnosis and dhcp easier.

It doesn't require any more than already mentioned as long as your devices all support L2 vlans (802.1Q) just a bit more thinking. Improves security between areas/devices and can fall in nicely with the subnetting.

 

[roger85]

There are no requiements for any tidyness or added security.

All i want to do is to ensure we dont run out of ip address in the future, thats why i thought playing around with the subnet would help. In asking this question some have said sbunetting is fine and some have said setup vlans...

I'm stuck as to which way to go, all i know is we have a very very straight forward simple lan....unless i can see any downsides on subnetting i dont see why i should be complicating the lan by setting up vlans....

Our network has around 220 devices right now, lets say we grown to a maxium of 400 in total in the next 5 years..and thats a very big if.

 

[PeterHurst]

Fair point. It's certainly slightly more complicated but it's usually the subnetting that bends the brain. DHCP will be tricky without vlans. One last thought is it's a lot easier to do it before you have too many devices.

 

[roger85]

I know what your saing Peter, everyone i have spoken and everything i have read says VLANS are the way to go but from my point of view all with this LAN i'm currently working on all i need to do is :

Change the Mask from 255.255.255.0 to 255.255.254.0 on all devices and the dhcp scope., i understand this can happen anytime and all i would need to do are simple reboots, so really no down time.

Then from the dhcp scope, change the range from 192.168.111.x to x to 192.168.222.x to x

Job done, now have 254 addresses i can use on the 192.168.111.x network and another 254 that can be used on the 192.168.222.x network....

job done..

does this make send to anyone ?

 

[PeterHurst]

Oh yes indeed (assuming your Ip ranges are right)

Just bear in mind because you've supernetted what looks like a class C address the odd device (ie printer cards some odd hardware like door controllers) might ignore the supernet.

I've come across it most with cheap routers and printer cards.

Again - ignoring vlans if you have dhcp you <i>could</i> just change the whole range to a 172.16.x.x - often subnetting is more logical than supernetting.

You could test this if your gateway supports multiple IP's by adding a seconfaru IP of - say 172.16.0.1/16 (or even /24) and adding a second DHCP scope with only DHCP reservations for a couple of devices to prove you can get them on and do everything you should be able to.

Nothing you are doing strikes me as technically wrong - just not easy to maintain going forward and not obviously logical to an outsider looking in. Purists will be wheezing and coughing.

It's also possible you can more easily miss things - like a firewall rule with the old subnet stopping half the trraffic or ACL's stopping the other half when you retain the IP range.

Hope this is of some help!

 

[PeterHurst]

Oh - forgot to point out you could run both together then to allow you to migrate the older static devices at your leisure..

 

[roger85]

More and more and more i read and look into it Peter VLANS seem to be the way forward, i'm just getting stuck on how how i sould design it as i know nothing about them but also how i can justify in a meeting to my boss that this is the way forward, can you help at all.

I put together a basic level network diagram to you you all an idea of my lan. please feel free to comment.

 

[PeterHurst]

Hmm.

Network switches are HP's so will do VLAN's fine but can be fiddly without a management tool. We ahve a few left - you need to set ports on the web interface tagged into each vlan which can be confusing (and I've seen the Web interface fall over sometimes and had to go to command line)

Once you understand it's simple, as I say the IP subnetting is trickier in my opinion and you're looking to do that anyway.

Still it makes sense if you aren't convinced to break it up into segments and you can probably do most if not all the ip stuff without vlans (DHCP is the biggest worry)

I see from the diagram why you're wary of using multiple subnets and vlans - you're already at a point where it isn't necessarily a simple task especailly as I started researching enabling routing on the HP's.

Perhaps a link might help:-

http://ftp.hp.com/pub/networking/software/ProCurve-SR-InterVLAN-Config-Guide.pdf

http://h40060.www4.hp.com/procurve/uk/en/pdfs/5300xl_portbase.pdf

I THINK your switches support that but without a lot of time spent I'm not sure - and you'd still need to work out the config.

Upshot.. I think in the short term you are making sense... but I really think you should speak to your manager and explain that you're doing a short term solution and if he wants to ahve better visibility and accountability of users/servers etc then he'd be well advised to let you spend some time developing a new structure.

Trying to make it easier to start there's two options -
1) expand the subnet as stated
2) add a second subnet for something - servers?

If we ignore vlans then I still have a concern for DHCP working properly on flat layer2 (even with a range with only reservations for one subnet I'm a bit worred as I've never tried it). In that case suggest picking something with fixed IP (servers) and make a new IP range for them.

Say 192.168.200.X/24. Look at this

http://www.sonicwall.com/downloads/supporting_multiple_firewalled_subnets_on_sonicos_enhanced.pdf

and try carefully putting the secondary gateway on the sonicwall - matching you map I would suggest 192.168.200.11. Then stick something (old server) on the 200.x subner and gw 200.11 and see if you can get the sonicwall routing. Once happy with that you need to try something like a backup DNS server and make sure it can resolve names - get to the net etc. Build it up and once comfortable you could move all your servers to another subnet.

This may be slower than your initial suggestion but not as slow as vlanning as you still have some stuff to learn. The advantage is you don't have inelegant subnets (anal I know) and you begin the logical seperation of servers from clients. This will make it easier to put them on VLANs later.

It also allows tighter control of the internet traffic - you probably have rules covering internet access - that can be dangerous to have on servers - if they're a seperate subnet you can more easily reduce their activity (onl Microsoft update for instance) when you can easily seperate them. Conversly it can help you identify clients and their traffic (blocking updates to PC's maybe or some specific sites only for servers)

Starting thinking in subnets makes things more manageable as you get more tasks... you know server vlan will have "special" rules but a generic internet access on http/https might be fine for all the client subnet, if you do it for printers... block internet access to avoid hackers jumping off.

Understanding the subtleties of L2/L3 is tricky and my final advise is do something you understand - if you didn't understand an implementation in the first place it's a nightmare to fault.


Apologies if all this is a little disjointed as I've been working too and tried to keep the thread over the last couple of hours.

 

[VinceWhirlwind]

The advantage of VLANs is that your servers won't be bombarded with the broadcast traffic from your 200 network devices.
In your situation you won't even need to configure VLANs on any of your switches anyway as you can use your FW as the router.

Personally, I would leave the servers in the subnet they are in and plan on moving everything else as they should all be configured via DHCP anyway.

Get a spare switch and a spare PC and patch them into a new port on your firewall and configure the new subnet on that port. Once you've got it all working to your satisfaction you can migrate the rest of the PCs.

 

[cyberspace]

Based on what the original poster has said, I think changing the network mask to 255.255.254.0 is going to give by far the least headaches.

Also with a mask of 255.255.254.0 you get 510 hosts per subnet...thus 192.168.111.x would not talk to 192.168.222.x without a router so be careful with that. For that to work without a router you need to use 255.255.0.0 and I don't reccomend that.

as already stated, changing the mask to 255.255.254.0 on the current network would give a range of 192.168.110.1 to 192.168.111.254.

You could just add the 110 range to DHCP and therfore solve any issues of running out of space for PCs.

It's not how I would do it, as it's a bit messy. I don't like servers in the middle of the IP range. I'd be using Subnets and VLANs - however, for a quick fix with minimal headaches (and lets face it for a network of that size it's not going to have a noticable negative impact), especially if unfamiliar with the whole area, then it seems the way to go..

'When all else fails.......read the manual'