
static to DHCP and increase host IP's 2

Status
Not open for further replies.

mayfran

MIS
Jun 8, 2004
43
US
Our current network configuration is on a single subnet with a subnet mask of 255.255.255.0 with the host addresses being 192.1.1.1-192.1.1.254. This IP range was set up by a prior network admin, and he decided to use "public" addresses. We currently have only 22 addresses left. All of our addresses are statically assigned. I would like to switch to a DHCP server and change our addressing over to a "private" address range (192.168.0.0). I would also like to allow our network to handle more than 254 hosts (i.e. around 1000). We would obviously have some statically assigned reserve addresses for printers, servers, etc., but statically assigning IPs has become cumbersome and we are growing beyond 254 hosts. What is the best way to handle this? What are some good links that would describe how to handle this? Thanks in advance for your responses.

Our physical hardware path from Internet to client is as follows.

T1 -> Cisco 2524 series router -> firewall -> Cisco 3750 stack -> servers and clients
 
Well, to support 1000 hosts, you could do a single, large network (192.168.0.0 255.255.252.0), which would certainly enable you to re-number very easily (just change the vlan your clients are in and create a dhcp scope with this range), but that may get a little unwieldy when it comes to broadcasts, traffic, controlling access, etc.

Your best bet would be to separate everything by use, or location, e.g. clients on different floors, buildings, etc., and resources like servers and printers in other vlans. Or if you do it by usage, for instance, Finance users go in one vlan, along with their servers and printers, etc.
 
Thanks for the response. We currently have no VLANs set up. We have an exchange server, a file server, an ERP server, a print/virus server, an intranet server, 2 domain controller/dns and 2 other multi function servers. Everyone needs access to all servers. Does it still help to create vlans if everyone needs access to all servers?

thanks
 
Yes, it does. Do you really have 1000 hosts?

If everyone needs access to all servers, then I would separate them by location (floors, buildings or whatever).

1000 computers would generate a lot of broadcast traffic, you would probably have a lot of problems with things like Windows Browsing and general sluggishness.

How many IP devices do you have online right now? And what is the % of printers, servers, workstations?

Perhaps the easiest thing to do would be to identify your server and printer ports, hard code those to a new vlan, and then just spread all your other ports in your switches across 2 or 3 "class C" size vlans.
 
No, I don't need 1000. If I implement DHCP and a new IP scheme, I wanted to allow for growth. Right now, we have about 30 printing devices, 6 wireless access points (expanding though), 8 servers, and the rest are clients, which include 15 IPs reserved for mobile user VPNs.

thanks
 
First let me mention that it sounds like you are doing some public stuff on your servers/workstations, so you do realize that if you take away the public IPs, you'll have to do some NAT/PAT on your router, right? For instance, your VPN, any e-mail, or web hosting.

Anyway, what I would do with my internal IP scheme, if I were in your shoes, is this:

Create 4 separate vlans in the private range, just take your pick, but something like:

192.168.0.0
192.168.1.0
192.168.2.0
192.168.3.0

I'd do something like one for servers, one for printers, one for clients, and one for wireless access. Some may think that's a waste of space, but who cares, it's private, and it's just easy to manage that way. You could get into Variable Length Subnet Masks, like take a chunk of 64 addresses for your printers, another chunk for your servers, etc., you get the idea, but with private addressing this isn't really necessary. If you want to just do it for the "coolness" factor, then feel free. I can help you out with that if you want.

Anyway, you have to do several things to make this happen:

1) set up dhcp scopes with those address ranges, and all your options, like DNS, WINS, etc.
2) Set up routed vlans on your router, or your L3 switch, (setup will differ depending on which of these you do).
3) assign ports to these vlans accordingly
4) and of course, change the clients to DHCP

Also consider stuff like printer IPs changing. If these are running off a print server, you'll need to change the IP ports on the Print Server to point to the new IP.
 
This is the exact information that I was looking for. Thanks a lot. We are doing some public stuff, but are using our firewall to NAT from our public addresses (208.xxx.xxx.xxx) to our "public"-like private addresses (192.1.1.xxx), if that makes sense. So with the proposed solution, the subnet mask would be 255.255.252.0 and clients with 192.168.3.xxx can communicate with 192.168.2.xxx?

thanks again for this information.
 
With this solution, you're separating those vlans, so the subnet mask would be /24 (255.255.255.0). You end up with 4 separate networks with 254 usable addresses each.

I understand what you're saying about the "public" private addresses. It's all clear now, so you won't have to do anything else with NATing, so that is good.
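
Added example (not part of the original thread, and not any poster's code): it checks which of the blocks mentioned above are really RFC 1918 private space, shows why 192.168.3.x and 192.168.2.x share a network under /22 but need routing under /24, and goes one step further by carving a /22 into right-sized VLSM blocks. The printer, server and AP counts are from the thread; the client count of 400 and all function names are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Printer, server and AP counts are the ones given in the thread; the client
# count is an assumed growth target (constructed for this example).
NEEDS = {"clients": 400, "printers": 30, "servers": 8, "wireless": 6}


def is_rfc1918(block):
    """True only if the whole block lies inside an RFC 1918 private range."""
    net = ipaddress.ip_network(block)
    return any(net.subnet_of(private) for private in RFC1918)


def same_subnet(host_a, host_b, prefix):
    """True if both hosts are on one IP network for the given prefix length."""
    net_a = ipaddress.ip_interface(f"{host_a}/{prefix}").network
    net_b = ipaddress.ip_interface(f"{host_b}/{prefix}").network
    return net_a == net_b


def vlsm_plan(parent, needs):
    """Carve parent into one right-sized block per role, largest need first."""
    parent = ipaddress.ip_network(parent)
    cursor = int(parent.network_address)
    plan = {}
    for role, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        # Reserve network, broadcast and the VLAN gateway on top of the hosts.
        bits = (hosts + 2).bit_length()
        block = ipaddress.ip_network((cursor, 32 - bits))
        if not block.subnet_of(parent):
            raise ValueError(f"{parent} is too small for {role}")
        plan[role] = block
        cursor += block.num_addresses
    return plan


if __name__ == "__main__":
    for block in ("192.1.1.0/24", "192.168.0.0/22", "172.16.10.0/24"):
        print(block, "private" if is_rfc1918(block) else "NOT private")
    for prefix in (22, 24):
        print(f"/{prefix}: .3.10 and .2.10 share a subnet:",
              same_subnet("192.168.3.10", "192.168.2.10", prefix))
    for role, block in vlsm_plan("192.168.0.0/22", NEEDS).items():
        print(f"{role:9} {block}  gateway {block.network_address + 1}")
```

Allocating the largest block first keeps every later block aligned on its own boundary, which is why a simple running cursor is enough here.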
 
thanks ChipK!!

So our cisco 3750 will provide routing between vlan's so that all networks can access our file server for example which would be on a separate vlan.

thanks

Kevin
 
Right, so you'd have VLAN configs on your 3750 like so:

...
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ! xxx.xxx.xxx.xxx = address of the DHCP server
 ip helper-address xxx.xxx.xxx.xxx
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ! xxx.xxx.xxx.xxx = address of the DHCP server
 ip helper-address xxx.xxx.xxx.xxx
...
etc.

If you have other switches carrying multiple vlans, you would set up trunks to those switches, or if you're just connecting clients directly to the 3750, or wireless APs, you can just do access ports and put those ports in the desired vlans.
 
Thanks for your help. This definitely gives me some direction. We will be doing this in the next few weeks and I will post any further info or problems.
 
Ok, just FYI, there are Cisco Switch and Router forums here on Tek-Tips. I also hang out there, but there are a lot of people who can help you out.
 
Ok. I set up vlan 2 with 172.16.10.1 and set the gateway on the single member of the vlan to this address and the DNS address to the DNS server we have on vlan 1. I am able to ping devices on vlan 1 from the device in vlan 2. However, I can't ping by name. From hosts on vlan 1, I am able to ping the device in vlan 2 by name and IP. I can't figure out what I am missing here. Is this a DNS problem or a switch (vlan) problem? I can resolve web pages through the firewall but not domain members. (I manually entered the DNS record for the host in vlan 2.)

thanks

Kevin
 
Can you clarify where you placed those DNS entries? Did you create a new DHCP scope with the addresses, gateway, and DNS server? Or did you create these entries on the layer3 switch, or manually configure on the workstation? I'm not quite clear on where you did that...

If you post "ipconfig /all" from one host in vlan1 and one in vlan2, that may help to figure out what the problem is.
 
I figured it out. I need to do an "ip helper-address xxx.xxx.xxx" command on the destination vlan that the dns server resides on.

thanks
 
Yeah, that's where I was going with whether you made entries on the switch.

Well done.
 