Second DHCP Scope

isaackhazi
We have a Server 2008 machine acting as a DHCP server. Currently our DHCP scope is between 192.168.0.16 to 192.168.0.225. Our default gateway address (Fortigate 80C Firewall/Router) is 192.168.0.X and subnet mask is 255.255.255.0, DNS address is 192.168.0.3

This scope was enough for us, until of late, when we require more devices to be connected to our network. Therefore I created a new scope on the same DHCP server for leasing extra addresses between 192.168.1.16 to 192.168.1.255. Since the IP address and default gateway have to be on the same subnet, I gave 192.168.1.X (subnet mask: 255.255.255.0) as a secondary IP address to the same LAN port on our Fortigate firewall. I am able to ping the firewall with this new IP address from anywhere within our network. So on the new DHCP scope, I gave this new 192.168.1.X as the default gateway address; for the DNS server address I gave the same old 192.168.0.3 address.

I deactivated the old scope and tried to connect a few computers onto our network. They were unable to get IP addresses from the new scope. Could you please help figure out what I am doing wrong here? Or are there some additional steps to be done that I'm not aware of? Please help.

Also, all of our main servers, like the Exchange server and SQL server, are on 192.168.0.xxx.
Once I get the new DHCP scope working, will the PCs connecting with these newly leased IP addresses starting with 192.168.1.xxx have any problem connecting to the above-mentioned servers with the address 192.168.0.xxx?

Thanks.

Commented:
Sorry, but the 3rd octet in a 255.255.255.0 is crucial. .0 and .1 are different networks and unless routed, will not work.

Author

Commented:
So in this case, what should the third octet be?

Commented:
Hi

You should first decide your requirement in terms of the number of host IPs required and then adjust the subnet mask.

For your help I am including a link which helps you quickly calculate the subnet. Just give it a go and you should be able to create the scope with a larger number of host IPs.

http://www.subnet-calculator.com/subnet.php?net_class=B

Commented:
You will have to move from a class C to a class B to get more IP addresses, or set up another routed VLAN etc. The 255.255.255.0 means that the only IPs that are on the same network are the ones whose first 3 octets match. In this case the 3rd would have to be 0 to be able to talk to each other, unless you VLAN and route them.

Author

Commented:
So if I change the subnet mask of both the existing and the new scope to 255.255.0.0 and change the subnet mask of all servers and firewalls to 255.255.0.0, will everything work perfectly? Or would there be more for me to consider beyond the ones I mentioned?

Author

Commented:
Or would I have to change my IP address to start with 128.168.0.xxx and 128.168.1.xxx too?

Author

Commented:
If such is the case, can I route these two networks using the same firewall/router that I have? Changing static addresses of servers may result in some complications where the static IP was hard-coded somewhere.

So what is my other option? How do I route the two new networks?

Commented:
Changing the subnet mask from 255.255.255.0 to 255.255.0.0 on all equipment in your network should work. Please note you have to test it before implementing in your production environment.

Author

Commented:
But won't I have to change my IP address to start with 128 to 191, instead of 192, since this subnet will be class B? According to this website:

http://www.subnet-calculator.com/subnet.php?net_class=B

Commented:
You are talking about a LOT of work changing your subnetting... A class C would need to be changed to a class B to get more addresses across the board. I wouldn't change ANY IPs of production servers until ALL this is worked out and only if needed.
Try putting a conditional forwarder in your DNS to the other server on the other subnet.

Author

Commented:
If it is best to change to class B considering the long run, I'll try and populate where all static addresses require change. We have about 200 PCs/laptops connected on DHCP, so no need to change anything there besides the DHCP subnet mask entry and then removing all existing leases and thus re-leasing new DHCP parameters to client computers. We have about 9 servers in total with static addresses and some printers/multifunction machines and some routers/firewalls/switches with static addresses. I manage the 2 Exchange 2010 servers across 2 sites. I don't think there will be many changes if the IP is changed, as long as both the Exchange servers are able to ping and find one another. I will check with our SQL administrator to see if there are places where he has hard-coded server addresses. Once I change all the IP addresses to class B addresses with subnet mask 255.255.0.0, don't you think everything will continue to function as it should? Can't all this be done over a weekend at both sites? The main site (where I work) is the larger office with around 200 PCs with 7 servers, and the second site has 2 servers and 20 PCs, which I believe can be controlled remotely, with their own AD/DNS, DHCP and Exchange 2010 server. I don't think I need to change anything there as they have plenty of time and wouldn't immediately require a shift from class C to class B addressing.

What do you think?

Please let me know if there is more to consider.

Thanks for all the help so far. I would welcome more ideas if I'm not seeing the entire picture yet.

Author

Commented:
Also, I won't have to change the IP addresses of any of the servers/routers/printers, etc., just their subnet masks, right?

Commented:
Here is what I'd recommend:

Starting with the original configuration:

Change the subnet mask on the gateway and DHCP server to 255.255.254.0.  
This will double the size of the subnet which is likely fine for your situation if I understand it.

Most things will continue to "just work" after this change.  Yet, I would make the other changes expeditiously.

Now go around and change the subnet mask for all the computers and devices with static manually-entered addresses.  But, leave the addresses alone.

Finally, go to the DHCP server and increase the upper end of the scope to something like 192.168.1.199.  This will leave some margin from 192.168.1.200 to .254 without having to mess with DHCP and existing leases at some point in the future when there's a need for more static addresses, etc.

This is straightforward and simple and should not cause undue troubles.

The network address will remain unchanged at 192.168.0.0
The broadcast address will change to 192.168.1.255
The usable addresses will change from
192.168.0.1 - 192.168.0.254
to
192.168.0.1 - 192.168.1.254
That's an increase of 255 addresses.

Author

Commented:
The trouble with that approach is I have devices set on static IP addresses from 192.168.0.1 to 192.168.0.15, and then our VPN DHCP allotment is from 192.168.0.226 to 192.168.0.240, and some other devices are using static IP addresses from 192.168.0.241 to 192.168.0.254.

That is the reason our current DHCP scope for client PCs/laptops is set from 192.168.0.16 to 192.168.0.225.

And therefore, I cannot increase it straightaway to 192.168.1.199 as you say without removing all the static allotment in between.

Could you please explain why I cannot just change every device and DHCP setting to subnet mask 255.255.0.0, and then just make a new scope for 192.168.1.15 to 192.168.0.199?

This way, as the company grows, if there is a need for a new subnet, I can then have adequate new scopes created, can't I?

Also, since we already have another site with IP range 192.168.5.XXX which I have been forwarding through your firewall to our private link which connects directly to that site, will this arrangement require any kind of adjustment?

Author

Commented:
What is the reason you suggest just moving to subnet 255.255.254.0? Why allow only 2 subnets instead of using 255.255.0.0 and getting more?

Author

Commented:
But if I'm moving to class B addressing with subnet 255.255.0.0 or 255.255.254.0, won't I still have to change all IP addresses (static and DHCP) to start with 128.168.X.X or something like that instead of 192.168.X.X?

Either way it is a lot of change, as someone mentioned, but if I make sure all devices have their IPs changed to class B IP addresses and the subnet mask changed to 255.255.0.0, and if I make sure I correct the IP addresses wherever they are hard-coded (in applications, routing tables, etc.), it should work well, right?

Commented:
Well, it's easy and it's effective. You don't have to change any of the existing addresses! Only the subnet masks. So all those assignments can stay put.

Yes, you can go beyond 255.255.254.0 if you really want more addresses NOW.

You can go to /16 or 255.255.0.0 starting at 192.168.0.0.  It's up to you.
I just picked 255.255.254.0 because it sounded like your needs were modest.

Either way, you don't need to change the existing address assignments.
I also think that talking "classes" is archaic and there's no need for doing so.  CIDR pretty much covers the entire subject.
Commented:
I set ours up as 255.255.248.0.
That gave us plenty of addresses for any future growth.
Ranges are:
192.168.0.xxx thru 192.168.7.xxx
I chose 'ranges' of IP addresses for certain things.

Such as:
Any static IPs or DHCP reservations were all in the 192.168.0.xxx range, like servers, printers, switches, etc.
All non-static IPs were in the 192.168.3.xxx and 192.168.4.xxx ranges/scopes, like workstations, laptops, etc.

Certain special devices or odd scenarios were in the 192.168.5.xxx ranges.

Nothing elaborate but somewhat useful.

You mentioned having 192.168.5.xxx forwarded to a private link through the firewall. You wouldn't need to change that unless you wanted to keep the traffic separate. If so, use 255.255.252.0 instead. That would give you 192.168.0.xxx thru 192.168.3.xxx addresses and keep 192.168.5.xxx separate.

As a side note, you can also add a 'backup DHCP server' with the same scopes created,  any reservations from the existing one imported to the backup one (with handy dandy scripts it's very easy)... and if the existing DHCP server fails, you can just authorize the backup DHCP server to take over.
Commented:
I would highly recommend some DHCP reservations if you don't use them already.

I use them for control of certain things.
Like, our business office requires a separate ISP connection. Using the reservations, I can assign them all addresses in the range of 192.168.2.1 thru 192.168.2.20 and then in the firewall create a rule to force all internet traffic in that range to that ISP port.

On my laptops, I can use reservations to assign them IP's and control their usage internally, but when they leave or travel, since they are still on DHCP they can connect to their home networks etc., without intervention.

You can do all of that remotely from your desk. I use scripts or commands to get the MAC addresses.
I have an Excel spreadsheet with all reservations listed and all static IPs listed.

Author

Commented:
We also have DHCP address reservations for the purpose of web access control on our firewall.

So, could you confirm that I don't have to change the static IP addresses starting with 192? Because as per most websites I've checked online, class B addresses have to start with 128 to 192, don't they?

So all I have to do is change the subnet mask to 255.255.0.0?

The second site connected through the private link is separate, with their own DHCP/AD server, which is on the same domain but a different AD site. I would like to keep that network separate, as it is now. But they should be able to connect with each other. So would you recommend that I change the subnet mask at the second site as well, to 255.255.0.0, if I'm doing so at the main site?

Thanks for all the help so far.

Commented:
Yes, you'll be fine using 192 addresses. Lots of folks do it. I have been using that for 20 years.
It'll all be IPv6 one day anyway :)

I recommend using 255.255.252.0 for the mask.
That will give a lot of addresses and keep the 192.168.5.xxx traffic separate.

Here is a link for you

http://www.subnet-calculator.com/

Commented:
Even though it shows 172.16.0.1 when you choose class B, you can use 192.168.0.1.

When you choose the mask as 255.255.252.0 notice the address ranges

You will have a lot of host addresses.
192.168.0.1 thru 192.168.3.254

Author

Commented:
Thank you SeaSenor... It would be great not to change the IP address of the servers... There are a few apps where the IP addresses of servers are hard-coded on each client PC. It would be quite a time-consuming pain to replace all entries. Changing the subnet to 255.255.252.0 will give us adequate IP addresses for some time to come. I'll go ahead and do as you say. And also, should I do the same for the second site as well? Or should I just statically route in the second site router to route 192.168.0.XXX (already set), 192.168.1.XXX, 192.168.2.XXX and 192.168.3.XXX to the private link connection?

Author

Commented:
Also, would you recommend changing all the subnet masks of all devices during the weekend when no clients are connected, or can they be done one by one during the weekdays without interruption in any service? If so, should I follow any order of changing subnets, like changing AD server and router subnet masks first, then other servers, then DHCP, then printers, etc.?

Commented:
Start with the DNS and AD servers, and any other devices that most people need to connect to.

Because... right now those servers are restricted to the 192.168.0.xxx range because of the mask. If you start giving people IP addresses outside of that range (like 192.168.2.xxx) without opening the subnet mask on the servers, they won't be able to connect to them.

You should be fine doing this on weekdays. It would be minimal interruption.

Commented:
As far as the DHCP clients, you will set the new mask in the options of your DHCP scopes.

They will get the new mask automatically... just as they are getting the existing one now.

So you only have to go to the machines/devices with static settings.

Author

Commented:
Thank you SeaSenor... I'm currently compiling a list of all devices with static IP addresses, so that I don't end up missing something... like the fingerprint door security device... It would be funny if we end up locking ourselves in, just by going around changing subnet masks :)

Thanks for all the help. Once the list is ready, I'll be going around changing subnet masks of all existing devices... I'll leave the case open until everything is done and working properly, so that I may be able to ask for help in case I come across some unexpected difficulties.

P.S.: What about my questions about our second site? Would I need to route the new 192.168.1.0, 192.168.2.0 and 192.168.3.0 on their firewall, to our network?
Or instead,
should I change their subnet masks to 255.255.252.0 too?

Thanks for all the help.
Commented:
As I mentioned, in order to keep the secondary site with IP addresses in the 192.168.5.xxx range you will need to make the mask 255.255.248.0.

That is only if you want traffic to flow between the two sites.

If you don't want traffic to flow then use 255.255.252.0
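
Added example (not part of the original thread or any poster's code): the masks discussed above, computed with Python's standard `ipaddress` module for a subnet anchored at 192.168.0.0, together with the on-link decision each host makes while some devices still carry the old mask. The client address 192.168.2.50 and the function names are constructed for illustration; the other addresses are taken from the thread.

```python
import ipaddress

# Addresses taken from the thread; 192.168.2.50 is a constructed sample client.
SERVER = "192.168.0.3"            # DNS server with a static address
NEW_CLIENT = "192.168.2.50"       # hypothetical lease from a widened scope
SITE2 = ipaddress.ip_network("192.168.5.0/24")  # second site, reached via private link
MASKS = ["255.255.255.0", "255.255.254.0", "255.255.252.0",
         "255.255.248.0", "255.255.0.0"]


def subnet_of(ip, mask):
    """Network a host believes it is on, given its own address and mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def on_link(src_ip, src_mask, dst_ip):
    """True if src sends to dst directly (ARP); False if it uses its gateway."""
    return ipaddress.ip_address(dst_ip) in subnet_of(src_ip, src_mask)


def summarize(mask):
    """Facts about the main-site subnet anchored at 192.168.0.0 for one mask."""
    net = subnet_of("192.168.0.0", mask)
    return {
        "cidr": str(net),
        "first": str(net.network_address + 1),
        "last": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "usable": net.num_addresses - 2,
        "overlaps_site2": net.overlaps(SITE2),
    }


def mixed_masks(server_mask, client_mask):
    """Both directions of the on-link decision while masks are being changed."""
    return (on_link(NEW_CLIENT, client_mask, SERVER),
            on_link(SERVER, server_mask, NEW_CLIENT))


if __name__ == "__main__":
    for m in MASKS:
        print(summarize(m))
    # Client already on /22, server still on /24: the client ARPs for the
    # server, but the server sends its replies to the gateway instead.
    print(mixed_masks("255.255.255.0", "255.255.252.0"))
```

Where `overlaps_site2` is true, main-site hosts treat 192.168.5.x addresses as on-link and ARP for them instead of sending them to the firewall that forwards to the private link.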
