Running out of IPs 192.168.100.x

We are currently running out of IPs; we are using a class C 192.168.100.x / 255.255.255.0. I understand there are many options I can take, but I am unclear on the best solution. My thoughts were to move all the users to another IP range and route between the two networks. We have a few Ciscos in the equation: 2x 2950 and a 3560g. Here is a quick rundown of the setup.


DHCP
   |            
   -------------
        |
        |
    3560g
     /   \
   /      \
2950    2950      
      \  /      
       |        
       |
    Users

The Dhcp server is windows 2000.  I also understand i can create a VLAN on the 3560 as well.  I assume i could do that and add another w2k server for dhcp on that?

I'm just not exactly sure what i need or what i should do.  Let me know anything else i can explain to my setup.  We have about 100 users inner office and expanding like crazy.

Thanks in advance!

Chad
lgropperAsked:

RDAdamsCommented:
Ok, so you have 254 address now, 100 users how many network printers, servers, etc?
0
RDAdamsCommented:
You could just change the netmask to 255.255.0.0 giving you a bunch more range of IPs.  That may open it up too much for your liking though.  
0
lgropperAuthor Commented:
About 10 network printers, 30 servers. I'm sure we can get away with just adding another 254 but it only makes sense to add more than that. Could I add 192.168.x.x? Or should I not, seeing as I have 192.168.100.x already and that could cause problems?

Chad
0
RDAdamsCommented:
by changing your netmask to 255.255.0.0 you open up the entire 192.168.x.x range.
0
lgropperAuthor Commented:
If I changed the netmask to that would everything stay intact? We have at least 75 devices/servers with static addressing. It's probably best to leave the existing network intact and add another that I could move the users to, then route between?
0
RDAdamsCommented:
You could then use different subnetting if you wanted to partition off specific groups.
0
lgropperAuthor Commented:
how would i route between the networks? what would i be changing?  I would assume just the mask on the dhcp server.

0
RDAdamsCommented:
Nothing except the netmask. It just allows you to use more IP addresses from 192.168.0.1 to 192.168.254.254. Yes, you need to change the netmask in your IP pool on the server and then ensure all the computers obtain new leases from the server.
0
RDAdamsCommented:
I would ensure I increase the static ip range for future growth also.  In our company we use the x.x.0.1 to x.x.0.x for servers, and x.x.99.x for routers, x.x.30.x for printers, x.x.50.x for specialty IP addressed equipment such as scan to pdf copiers.
0
RDAdamsCommented:
Depending on how you setup your IP ranges you can remove those you don't want from the pool.  
0
lgropperAuthor Commented:
interesting.  now if i understand correct there would be no need for anything to route between them because the netmask states the ip range 192.168.0.1 - 254.254 so everything will see everything.

For some reason i can't see it being that easy.  There has to be some sort of drawback.  We have a few remote networks via vpn as well.  Will those be affected?

I will have to change the netmask on all static devices right?

is there anything i must watch out for? i am scared i will take my network down.
0
RDAdamsCommented:
By opening up the range your VPNs may be affected but I am assuming you are currently having them assigned in the same IP range. You just need to ensure that everything you currently assign will not be adversely affected by adding more IP addresses to the IP pool. You could specify smaller ranges to limit that, keeping the 255.255.x.x netmask.

You will need to ensure the static devices have the same netmask yes.  

Drawback is opening more IP address to your network.  More opportunity for people to plug in devices you do not want on the network such as rogue wireless routers etc.

Correct on the routing.  Since all you are changing is the netmask those items currently on your network will still see everything else.  

It would be more tricky if you were subnetting into groups which would take more setup planning but from what you are saying you just have a basic setup without anything too complicated. Keep it simple.....
0
RDAdamsCommented:
ps.  which makes it easier to document also.  
0
RDAdamsCommented:
You don't have multiple sites or anything like that?

Just the VPN which shouldn't be a big hassle.  Just be sure to document what you have now so you can be sure you change everything in the right order to ensure it works after.  You will also want to test each of these components after the change to ensure they are working correctly.  

0
lgropperAuthor Commented:
we have recently installed another dc in the US but DHCP and everything is on that side.  its a really small office, only 10 ppl.

This sounds like a big change that should probably be done to get everything setup nice and clean.  

What about moving the users to another range and routing between? Not the best route? I am just scared that changing the netmask will cause a ton of problems with the existing network? its been in place for years and there are a lot of static addresses that i may not even know about.  

I understand its hard for you to advise not knowing the exact structure! but everything you have said so far makes sense.

Chad

0
davino_1Commented:
I would not open up 192.168 to a /16. This would bring a multitude of problems, the least of which being device/IP management and broadcast issues. The best solution for expandability and management would be a new VLAN. You could use your DHCP server as a router between the two networks but I highly would not recommend this setup (usually only done because of financial constraints). An additional VLAN does require configurable routers/switches but it sounds like you may need it at some point and I believe that your switches will work fine. You can use the same DHCP server for a new VLAN so you won't need a new server.
0
lgropperAuthor Commented:
Davino,

That sounds interesting.  Could you elaborate on what would need to be done in order to do this?  My understanding would be create a VLAN on the 3560 but how would i get dhcp from the existing server into the new vlan on the cisco? add another NIC and plug it into the vlan?

Chad
0
makanaCommented:
30 Servers, umm. Quite a Big Network. I wonder why you are still not using Subnetting as you have lotsa Computers. And another thing that is evident is that you don't have the proper documentation of this network.
0
lgropperAuthor Commented:
Thanks for the help makana.  Glad you have such a helpful answer.  

There is no documentation on the network.  I am new to this network and i am trying to get it to where it should be.

Chad
0
DawilliamsCommented:
Your best bet for ease of management and scalability is to set another scope on your DHCP server: 192.168.200.0 255.255.255.0. I would not open up the range to 16 bits as this will give you 64516 addresses, which is a lot to manage.
Set a VLAN on the 3560 in this range and it will route between the two subnets. Problem solved.
For the specifics on the VLAN go to http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a00800d9d3e.html
0
RDAdamsCommented:
We use subnetting on ours but we have 5 major offices.  Subnetting allows us to use a different range at each office and route internal packets locally without affecting our WAN traffic.  

If you do the subnetting you can still use the netmask of 255.255.0.0 just using the subnetting on your router to eliminate some of the traffic.
0
RDAdamsCommented:
Also you don't necessarily need to assign the full scope of IP address to DHCP with that netmask it just allows for ease of expansion down the road.  

You should probably document what is in place now and what you want it to look like prior to making any changes.

I am not sure a VLAN is necessary myself but the bottom line is it is up to you.  (VLANS are usually used to limit access to certain areas or groups within the LAN/WAN environment)
0
AngelGabrielCommented:
Just adding my 2 pence here, *yes, I'm from England!* If I was in your shoes, I would think hard about just how much expansion I am going to actually do. Patching up a network every few months is great, and each time you do it, it feels good, trust me, I know! BUT in the long run, you are gonna wish that you split the thing into smaller manageable chunks that make it easy to expand in the future. You have to ask yourself, would you prefer to be stabbed in the hand now, or have a pen knife through your hand for the rest of your life?

I can't provide you with the best solution, and I don't think anyone here really can; it really depends on the effort you're prepared to put in. All the solutions and advice I've read here seem correct, but only you know the actual physical layout of the place in question.

In my own personal experience, I always try and keep things small, like if one floor has 20 computers, they get their own subnet, for example 192.168.10.x so at least I can track down problems when i read my logs, if the IP is 192.168.10.4, I know that it's in accounting. If someone sends a 300 page printout to the colour laser A3 Xerox monster, I at least know where to start when tracking them down, so i know that I throw the correct person out the window! Same thing with issues such as spyware, if I noticed suspicious requests coming from 192.168.40.x - I know to start checking computers in the lobby.

So the best advice I can give you, is how do YOU want to run YOUR network? If your company doesn't want to spend on routers, feel free to build your own *I do, and trust me, it's brilliant, cost effective, and helps eliminate so many issues*

Oh, and don't forget to document everything. And before I forget..... Windows is not exactly the best platform for managing network traffic, you only really need one Windows server, two at best if you want to do load balancing. Getting another machine just for DHCP is not cost effective at all; after all, a little £40 router from BT can do DHCP, so why buy a £700 machine to do it? DHCP? *linux is your friend* Routing traffic? *linux is your friend* It's not hard to learn, and you'll impress all the right people.
0
slyskawaCommented:
I would also advise against the 192.168.0.0/16 as that would mean you would not be able to route to any other 192.168 in your company ever again.

I would think about using the 172.16.x.x range and start subnetting as other people have suggested. The advantage of the 172 class B addresses is you will not run out at 254 users and you can have many other subnets. You can also use the class A 10 addresses.
0
Keith AlabasterEnterprise ArchitectCommented:
Can we put this into perspective?

Currently you use 192.168.100.x / 255.255.255.0

option 1.
Changing the subnet mask from 255.255.255.0 to 255.255.254.0 will double the number of IP addresses you can use to
192.168.100.0 to 192.168.101.255
just remember that ALL devices (that use the 192.168.100.0 id currently) will need their mask changing to 255.255.254.0 from 255.255.255.0. This includes printers, servers that might have static IP addresses, router ports etc.

option 2.
Put a layer 3 switch device or a router into the mix and start the next subnet using the 255.255.255.0 mask again.

0
Keith AlabasterEnterprise ArchitectCommented:
PS. yes, could create a VLAN on the 3560 as per my option 2
0
pseudocyberCommented:
Second Keith's post with some additional suggestions. The simplest thing to do here is to change the subnet mask on the DHCP server and then hit the statics and change them as well.

Suggestion 1)  While you're reaching out and touching all the static machines - change them to DHCP.  Use reservations in your DHCP scope instead of doing static IP assignments - then this will be the last time you touch them to reconfigure the IP settings.

Suggestion 2)  Since you're expanding, I'd go a bit higher (get it?) and put in a network of 192.168.100.0/22 (mask of 255.255.252.0) which will give you 1022 host addresses available.  In a switched environment, this is fine - especially since odds are you won't really have 1000 devices on your network.  Unused IP addresses have ZERO effect on an operational network - except for planning purposes.

Suggestion 3) Give some thought to VLANs - or give MORE thought to it.  Implementing the VLANs for manageability and security is a good idea, but you don't want to do it piecemeal without a well thought out implementation plan, management approval, downtime authorization, backout procedures, etc.

Personally, I would put the servers in their own VLAN, a DMZ if you have one, and a User segment.  Whether you have multiple user VLANs would depend on your building(s)' topological layout, your campus layout (if you have one), departments, and the internal structure of your company.  With the servers behind their own VLAN, you can implement some rudimentary security with access control - say you have known protocols - such as http, ssl, ftp, and ssh.  You could have an ACL allowing these protocols to pass and alert you to anything else.  So you would know it when someone is doing an SNMP scan, or trying to telnet to a server.

Just something to keep in mind.

Hope this helps.
0
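Added example, not part of any post in this thread: a planning check for the mask-widening options discussed above (/23, /22 and /16), showing the resulting range, usable host count, which remote VPN subnets the wider network would swallow, and which static devices would still carry the wrong mask. The remote subnets and the device list are constructed sample data.

```python
import ipaddress

CURRENT = ipaddress.ip_network("192.168.100.0/24")  # network from the thread

# Constructed sample data, not taken from the thread.
REMOTE_VPN_SUBNETS = ["192.168.102.0/24", "192.168.10.0/24"]
STATIC_DEVICES = {
    "server-1": "192.168.100.5/24",
    "printer-1": "192.168.100.30/24",
    "switch-mgmt": "192.168.100.250/23",  # already re-masked to /23
}

def plan(new_prefix):
    """Describe what widening CURRENT to /new_prefix would mean."""
    wider = CURRENT.supernet(new_prefix=new_prefix)
    # A remote subnet inside the wider range becomes "on-link" for local
    # hosts, so they ARP for it instead of sending it to the VPN gateway.
    conflicts = [s for s in REMOTE_VPN_SUBNETS
                 if ipaddress.ip_network(s).overlaps(wider)]
    # A static host left on the old mask treats part of the new range as
    # remote and uses the wrong broadcast address.
    stale = sorted(name for name, cidr in STATIC_DEVICES.items()
                   if ipaddress.ip_interface(cidr).network != wider)
    return {
        "network": str(wider),
        "first": str(wider.network_address),
        "last": str(wider.broadcast_address),
        "usable_hosts": wider.num_addresses - 2,
        "vpn_conflicts": conflicts,
        "stale_masks": stale,
    }

if __name__ == "__main__":
    for prefix in (23, 22, 16):
        print(plan(prefix))
```
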
lgropperAuthor Commented:
Wow, guys thanks for the awesome answers and the fast responses!

To me, it seems that creating a VLAN and segmenting the users to it would be the best strategy, but i have a few questions on that with DHCP.  We have our current DHCP server on 192.168.100.x, would i be adding a second NIC to it and plugging that into the new VLAN and configuring it for a new range 192.168.200.x /22 or /24 would seem sufficient.  Also if that is correct, what is the gateway on this new NIC? itself?

I'm sure there needs to be some forwarding setup on this machine?

Again, thanks for all the answers. I have upped the points so i can give credit to everyone.
0
pseudocyberCommented:
The standard way to handle DHCP with multiple VLANs is to implement "DHCP forwarding", which is configured in different ways on different platforms.

In a nutshell, DHCP requests are broadcasts which wouldn't normally be forwarded on by a routing process (router).  However, you can tell your router to forward DHCP requests onward or specifically to an IP request.  Then you set up multiple scopes on your DHCP server and it determines where the request is coming from and responds with an appropriate IP address from the correct scope.

Dualhoming a server on multiple vlans is not advised except for very specific needs of an application.  
0
pseudocyberCommented:
Sorry, typo.

or specifically to IP address.
0
davino_1Commented:
as it has been said, you will need a router or some configurable layer 3 device between.  with a cisco router this is done with a "ip helper-address <dhcp server ip>" within the vlan configuration.

interface vlan <vlan#> or sub-interface
ip address 172.16.x.x 255.255.255.0
ip helper-address <ip address of dhcp server>

Clients on Vlan <vlan#> will have a gateway of the ip specified on this interface (if the router is configured correctly).  Hope this helps!

0
lgropperAuthor Commented:
Ok here is what i have done and tested.  If you could let me know if there is anything that needs changing.

I have created a second VLAN on the 3560 with the ip 192.168.200.201.  I have setup a second NIC on the existing DHCP server and plugged it into the second VLAN.

Second NIC settings
IP : 192.168.200.20
Mask : 255.255.255.0
Default gateway : 192.168.200.201
DNS : 192.168.100.5

I have setup an IP forwarder on the 3560 to forward to our gateway on 192.168.100.x

When i plug in a pc on the new VLAN i get an ip from the new 192.168.200.x and everything seems to work fine.  Would this be correct?

Chad
0
pseudocyberCommented:
I would NOT dual home the DHCP server AND do DHCP Forwarding/IP Helper.  Pick one.  Right now, it's conceivable that the server could get requests from both "directions" directly through the NIC on vlan200 and also through the NIC on vlan100.
0
lgropperAuthor Commented:
This is new to me, could you elaborate a bit?
0
pseudocyberCommented:
Well - on the one hand, you've set up dhcp helper on the vlan200 right?  Which forwards dhcp replies onto the 192.168.100.0 vlan to the dhcp server 192.168.100.x.

AND you've got the DHCP server sitting on the 192.168.200.0 network with an IP of 192.168.200.x

So, a device on 192.168.200.0 issues a BROADCAST for a DHCP address.  The routing process gets it and the NIC on the DHCP server gets it.  Which one gets it first would be unpredictable - it is conceivable that the DHCP request could be forwarded onto the 192.168.100.0 vlan and sent via unicast to the 192.168.100.x ip (DHCP server)

So, lets say the "native vlan dhcp request" was slightly delayed.

Now, you have TWO DHCP REQUESTS from the SAME machine arriving at the DHCP server on two different networks - the NIC on vlan100, AND the NIC on vlan200.

I don't like this design because your traffic flow is too unpredictable.  At the least, it causes unnecessary traffic.
0
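Added example, not part of any post in this thread: a small model of the scope selection and the duplicate-delivery problem described above. A DHCP server picks the scope from the relay address (giaddr) when the request was relayed, otherwise from the NIC that heard the broadcast. The VLAN 100 NIC address 192.168.100.10 is a constructed stand-in for the thread's "192.168.100.x"; the other addresses are the ones posted above.

```python
import ipaddress

# One DHCP server, one scope per VLAN.
SCOPES = {
    "vlan100": ipaddress.ip_network("192.168.100.0/24"),
    "vlan200": ipaddress.ip_network("192.168.200.0/24"),
}
NIC_VLAN100 = "192.168.100.10"   # constructed; thread only says 192.168.100.x
NIC_VLAN200 = "192.168.200.20"   # second NIC from the thread
RELAY_ADDR = {"vlan200": "192.168.200.201"}  # 3560 VLAN interface from the thread

def select_scope(giaddr, rx_nic_ip):
    """Relayed request: scope of giaddr. Local broadcast: scope of the NIC."""
    key = rx_nic_ip if giaddr == "0.0.0.0" else giaddr
    addr = ipaddress.ip_address(key)
    for name, net in SCOPES.items():
        if addr in net:
            return name
    return None  # no scope matches, the server stays silent

def deliveries(client_vlan, xid, dual_homed, helper):
    """Every copy of one client DISCOVER (transaction xid) the server sees."""
    nics = {"vlan100": NIC_VLAN100}
    if dual_homed:
        nics["vlan200"] = NIC_VLAN200
    seen = []
    if client_vlan in nics:
        # The broadcast is heard directly on the NIC in the client's VLAN.
        seen.append(("broadcast", xid, select_scope("0.0.0.0", nics[client_vlan])))
    if helper and client_vlan in RELAY_ADDR:
        # The switch unicasts a copy to the VLAN 100 NIC with giaddr filled in.
        seen.append(("relayed", xid,
                     select_scope(RELAY_ADDR[client_vlan], nics["vlan100"])))
    return seen

if __name__ == "__main__":
    for dual, helper in ((True, True), (True, False), (False, True), (False, False)):
        print(dual, helper, deliveries("vlan200", 0x1234, dual, helper))
```

With both the second NIC and the helper in place the same transaction reaches the server twice; with neither, a VLAN 200 client gets no answer at all.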
lgropperAuthor Commented:
ahhhhh makes sense.  I'm not sure its a DHCP helper that was setup though.  under IP routing i enabled default route forwarding.  So i would assume any packets it didn't know are being sent to another router that knows everything on the 192.168.100.x network is.

Does that make sense? Or am I losing my mind?
0
pseudocyberCommented:
The command on a Cisco is "ip helper".  Default route forwarding is something else.
0
lgropperAuthor Commented:
Ok its not the IP helper.  Basically i have the second VLAN and the dhcp server's second NIC plugged into it.  there are no dhcp helpers.  My only real question is the default gateway on the second NIC in the DHCP server.  should it be the cisco's ip?  192.168.200.201 as stated above?

I have left the ip forwarding on for now, but i will be creating a few static routes.

Chad
0
Keith AlabasterEnterprise ArchitectCommented:
Sounds fine to me.
0
pseudocyberCommented:
It should be whatever the default gateway is for the vlan200 - I assume it's the 192.168.200.201
0
RDAdamsCommented:
Thank you for points.  Hope you have a sound solution in hand to continue with.
0
Keith AlabasterEnterprise ArchitectCommented:
Thanks :)
0
AngelGabrielCommented:
Thanks for the points :)
0