Solved

TCP / IP Networking Configuration

Posted on 2011-05-10
Medium Priority
675 Views
Last Modified: 2012-06-27
Hi Experts,

Wanting to check my sanity before I go ahead and change the internal IP scheme for a new customer site from the existing 10.0.0.x class A mask to something completely different.  Reasoning behind the change is about 5 different companies are coming together to put together a bid for a job and the various companies have various IT requirements.  For the vast majority of the computers, they all work perfectly, but there are 3 French laptops that need VPN access to be able to receive their emails and when they are connected to the 10.0.0.x LAN and VPN - they can't get their emails.

Having spent some time working out what the problem was - initially thought it was an IP conflict of ranges - it turns out to be an IP conflict of ranges!

So - the task here is to work out a Safe internal network IP scheme that I can use to keep the world happy.

So, the IP ranges in use are as follows:

LAN currently configured as 10.0.0.x Class A
3 French laptops using VPN connecting to 192.168.6.x IP Range with Class C Subnet Mask using DNS server of 10.27.200.98 & 10.27.200.99 (currently working happily)
1 French laptop using VPN connecting to 192.168.188.x IP Range with Subnet Mask of 255.255.255.252 using DNS server of 10.23.251.171 & 10.102.16.30 (not able to VPN and get mail)
1 French laptop using VPN connecting to 192.168.190.x IP Range with Subnet Mask of 255.255.255.252 using DNS server of 10.23.251.171 & 10.102.16.30 (not able to VPN and get mail)
3 French laptops using VPN connecting to 192.168.0.x IP Range with Subnet Mask of 255.255.255.252 using DNS server of 10.23.251.171 & 10.102.16.30 (not able to VPN and get mail)

Remote Office IP internal IP range is 172.17.80.x Class C Subnet Mask

Requirements:

1. Local connectivity to LAN to access IP based printers and a server to save / store documents on and access the internet.
2. VPN requirements for the French laptop users to be able to connect to their remote networks, use their email and also still print, save documents locally to the server and surf the web.
3. Gateway to Gateway VPN to be setup to another office located in the same country and access to that server for the relevant members of staff.

So - what would the 'best' internal IP Range / Subnet Mask be to cater for the above requirements and keep everything working and everyone happy?

Hope that's all clear and everything covered.

I need to go back this Friday PM to change the internal network IP range, so looking for good Experts with IP skills way better than mine!

Thanks

Alan
Question by:Alan Hardisty
15 Comments
 
LVL 11

Expert Comment

by:emilgas
ID: 35731636
10.x.x.x is good and that's what you have, the only problem is why is your network configured as Class A?
why don't you have 10.x.x.x /16

This way you will have every remote office separate. I think you have some IP issues, but a bigger problem is your routing.

Do you have a network diagram?
LVL 76

Author Comment

by:Alan Hardisty
ID: 35731711
Hi Emilgas - thanks for your response.

Good point on the subnet mask and diagram.  Will see if I can throw one together.

Thanks

Alan
LVL 79

Expert Comment

by:lrmoore
ID: 35731741
A simple solution would be to create a new VLAN with a different IP scheme, say 172.31.247.0/24
Put all those "special" users into this vlan
Let inter-vlan routing handle all the internal routing for printers, server shares, etc
If possible, add a server to this vlan/subnet for dns/file/print
If that won't work, just move an existing dns/file/print server into this vlan.
This assumes of course that you have a L3 switch, or at least a vlan capable switch and a good router that can do the vlan routing.
LVL 76

Author Comment

by:Alan Hardisty
ID: 35731811
I have a ZyXel ZyWall USG 300 as the firewall and a D-Link DGS-1210-24 as the switch (Layer 2 Manageable).

Downloading Visio as I am typing so I can get creative.

Single server handling DNS and DHCP (Windows 2008 R2) and have setup a 2nd Wi-Fi for the French problem users using 172.16.x.x and this allows them to use the VPN but not have access to the Server / Printers.
LVL 1

Expert Comment

by:gambith
ID: 35732555
hi,
to start you should first see what are the IP Address scheme that is being used on the other sites, with that in hand get a range of IP address that doesn't overlap with that.
now, for the french laptops, if they will need access to their VPN and the local resources; ask the remote VPN Admin to make sure they are using split tunneling for that VPN, that way, the only traffic that goes thru the VPN is the one that needs to.

it shouldn't be that hard ;)
LVL 76

Author Comment

by:Alan Hardisty
ID: 35733287
I think Split Tunnelling is enabled on the VPNs - but if not - their French IT people are basically lacking in knowledge and that might be like getting blood from a stone or pushing an Elephant up a hill :)

Spent this morning gathering the IP address settings for all remote sites and the attached PDF should show how this is configured (hopefully it all makes sense).

Alan
Network-Diagram.pdf
LVL 79

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 35733602
With no more devices than you have, I think the easiest thing to do will be to simply change the subnet mask on everything from /8 to a /24.
All IPs stay the same, default gateway stays the same, just change the mask from 255.0.0.0 to 255.255.255.0.

> DNS1: 10.23.251.171
> DNS2: 10.102.16.30

Where do these address assignments come from - the VPN client? If yes, then the above will certainly solve the problem in the easiest manner.
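The accepted answer (change the mask from /8 to /24) and gambith's earlier advice (collect every remote range first, then pick a LAN prefix that overlaps none of them) can both be checked mechanically. The script below is an added example and is not code from the thread: it takes the ranges listed in the question, treats the "x" octets as 0 (an assumption; the exact hosts are not given), and reports, for a candidate LAN prefix, which remote networks and VPN-pushed DNS servers fall inside it. The key point it makes visible is that 10.0.0.0/8 swallows every VPN-assigned 10.x DNS server, so a laptop on that LAN resolves names locally instead of through the tunnel, while 10.0.0.0/24 with the same host addresses overlaps nothing.

```python
import ipaddress

# Remote ranges from the question. Host octets written as "x" in the post are
# assumed to be 0 here; the /30 masks are as stated in the post.
REMOTE_NETWORKS = {
    "VPN A (3 laptops, working)": "192.168.6.0/24",
    "VPN B": "192.168.188.0/30",
    "VPN C": "192.168.190.0/30",
    "VPN D (3 laptops)": "192.168.0.0/30",
    "Remote office": "172.17.80.0/24",
    "Temporary Wi-Fi workaround": "172.16.0.0/16",
}

# DNS servers pushed by the VPN client software (the author has no control
# over these). All of them live somewhere inside 10.0.0.0/8.
VPN_DNS_SERVERS = {
    "VPN A": ["10.27.200.98", "10.27.200.99"],
    "VPN B/C/D": ["10.23.251.171", "10.102.16.30"],
}


def find_conflicts(lan_cidr, networks=REMOTE_NETWORKS, dns=VPN_DNS_SERVERS):
    """Return (label, address) pairs that overlap the candidate LAN prefix.

    A remote network conflicts if any of its addresses fall inside the LAN
    prefix; a VPN DNS server conflicts if the host itself is inside the LAN,
    because the laptop will then ARP for it locally instead of sending the
    query down the tunnel.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    conflicts = []
    for label, cidr in networks.items():
        if lan.overlaps(ipaddress.ip_network(cidr)):
            conflicts.append((label, cidr))
    for label, servers in dns.items():
        for server in servers:
            if ipaddress.ip_address(server) in lan:
                conflicts.append((f"{label} DNS", server))
    return conflicts


def is_safe(lan_cidr):
    """True when the candidate LAN prefix collides with nothing we know about."""
    return not find_conflicts(lan_cidr)


def report(candidates):
    """Print a one-line verdict per candidate prefix, then the details."""
    for cidr in candidates:
        problems = find_conflicts(cidr)
        verdict = "OK" if not problems else f"{len(problems)} conflict(s)"
        print(f"{cidr:>18}: {verdict}")
        for label, addr in problems:
            print(f"{'':>20}- {label}: {addr}")


if __name__ == "__main__":
    # The existing LAN, emilgas's /16, the accepted /24, and lrmoore's VLAN range.
    report(["10.0.0.0/8", "10.0.0.0/16", "10.0.0.0/24", "172.31.247.0/24"])
```

Run it before the change window and again after adding any new remote site: a prefix that prints "OK" here can still break if a future VPN pushes routes that overlap it, so keep the two dictionaries current as the customer's partners change.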
LVL 76

Author Comment

by:Alan Hardisty
ID: 35733780
That's what I was thinking might be a neat and simple solution.  Thanks

Yes - the DNS assignments are from the VPN client software / connection, so we have no control over those.
LVL 79

Expert Comment

by:lrmoore
ID: 35733798
Be like Nike and "just do it"!
LVL 11

Expert Comment

by:emilgas
ID: 35733803
The not working VPN connections don't work only when they are in your office or on any network other than public?
LVL 76

Author Comment

by:Alan Hardisty
ID: 35733818
I will - scheduled for Friday PM to change and then visit on Monday AM and Tuesday AM to check all is well (French laptops won't be there on Monday!!!).

The non-working VPN laptops work elsewhere - and I have setup a 172.16.x.x/16 Wireless AP and they can VPN and get their mail happily, but not access the server / printer etc, so at least they have a temporary workaround - albeit a PITA one.

I need to polish up my TCP/IP networking skills - it's been a while ;)

Thanks

Alan
LVL 1

Expert Comment

by:gambith
ID: 35734163
ok, basically here's what you need to do:

as lrmoore states, change your local netmask to /24 instead of a /8 (from 255.0.0.0 to 255.255.255.0) on all your devices; there is no overlap with the rest of your remote networks.

the easiest way will be to recreate the DHCP pool, change the manual devices and then refresh the dynamic ones.

regards.
LVL 76

Author Comment

by:Alan Hardisty
ID: 35735549
Thanks gambith - I think I could manage to work that bit out.  As per my question it is more of a "what to change it to" not "how to" (see my profile - I'm not exactly new to IT).

Alan
LVL 76

Author Comment

by:Alan Hardisty
ID: 35746272
Okay - latest from the client - changes are not going to be implemented because they are going to be putting the business project on hold for the time being so the server and networking equipment is going to be pulled from the building it is currently in!  (I'm not complaining because we charge for the time to do it all).

I'm going to award points based on what I believe will work as opposed to a tried and tested solution because I can't test it out and don't want to keep everyone hanging on.

Appreciate everyone's input.

Alan
LVL 76

Author Closing Comment

by:Alan Hardisty
ID: 35746296
I believe this to be the simplest and most elegant solution, but can't put it into action, but logic and my aging brain agrees with the idea.

Thanks very much.

Alan