How to Expand DHCP in my scenario

I have taken over a network that is on the verge of running out of IP's, and is experiencing a variety of annoying issues that appear to be IP/DHCP related.

I am attaching pictures of the scope itself as it is now. Ideally I would like to double the total available IP's that I currently have.

I have done some reading on scopes and super scopes, but am not confident/comfortable that I am really grasping how to expand what I currently have.

I am hoping that someone can take a look at what I have, and walk me through what I need to do to add more IP's to the network, without changing or screwing up what is already in place.

Thank you.
MaysvilleDHCP-General.jpg
MaysvilleDHCP-NAP.jpg
MaysvilleDHCP-DNSl.jpg
MaysvilleDHCP-ADVANCED.jpg
tjwo94 Asked:

Pradeep Dubey (Consultant) Commented:
You can extend the scope by right-clicking on the scope and changing the start and end IP address in the Properties.


http://www.petri.co.il/forums/showthread.php?t=24052

http://networkingforintegrators.com/2012/11/mikrotik-how-to-change-the-dhcp-range/
0
tjwo94 (Author) Commented:
I tried to do this, and it would not allow me to make a change.
I receive this error:

The specified range either overlaps an existing range or is not valid.
0
tjwo94 (Author) Commented:
I simply tried to expand the top end of the range to be 192.168.2.254, to give myself another 254 IPs.
0
Pradeep Dubey (Consultant) Commented:
So what's the problem? You need to do so only for expanding and adding more IPs. Did you get any error?
0
tjwo94 (Author) Commented:
Look at my previous post for the error. Based on some of the reading material you gave me, I'm assuming the subnet class I am using will not allow me to expand further?

Is it possible to just add another scope, and that scope be able to communicate with my existing one accordingly?
0
Mike Roe Commented:
You would need to do some type of routing to do this. I have my WatchGuard firewall doing routing for me because I ran into the same issue and added a new scope to extend my network.
0
tjwo94 (Author) Commented:
Can I assume your routes are set up as such to allow LAN IPs from one scope permission to communicate with and see the other?

I guess for example if you have a machine on 192.168.3.1, could you add to the original domain residing on 192.168.0.1?
0
Mike Roe Commented:
I have two interfaces on the firewall: one is for 192.168.1.1 and one for 192.168.5.1. In DHCP, based on IP address, I route all traffic to the firewall as the default gateway and then the firewall routes packets, if needed, to the other interface or to the internet.
0
tjwo94 (Author) Commented:
Would it not be possible to add another scope in DHCP with the same subnetting, and then add the existing scope with the new scope to a super scope and effectively have both scopes able to run on the same physical line at the same time?
0
arnold Commented:
The simplest: instead of using one flat DHCP scope, you could VLAN and define an IP helper that will use different scopes,
increasing IPs while reducing broadcasts/cross chatter.

What are your router/switches like?

If you have two DHCP's, you could recreate a larger scope on this one, and then swap/update the other.
The issue with increasing scope/altering the netmask is that this change has to be implemented on the router, which may break other things, i.e. VPNs.
0
tjwo94 (Author) Commented:
Arnold, I do want further detail on what you are suggesting, but I admit you have lost me to some extent.

I can tell currently the DC is handling DHCP, and there is a CIPA firewall handling gateway and routing duties.

My hope with the superscope, as I understand it to work, is that I could add an additional scope and include the new and existing to a superscope which would allow them to essentially act as the same scope, thus providing the additional IP's needed.

Apart from the configuration this requires in DHCP, I am NOT certain what else I would need to do for this to work as intended (provided I am correct in how it should function).

The problem I have is, there are several machines on this network that hold static settings, yet the onsite IT has no idea what they all are, thus it is important that I do not make any changes that will affect the existing/original DHCP scope in use.

If you can provide a solution that can help, I am all ears.
0
arnold Commented:
You can add superscopes, but you would need to configure a switch/IP helper/DHCP relay that will relay the requests with the new scope as a parameter, as that is the only way your DHCP server will know from which scope to allocate the IP.

Here is the doc on superscopes with illustration
http://technet.microsoft.com/en-us/library/cc757614%28v=WS.10%29.aspx

The IP helper is a DHCP relay agent either configured on the switch or on the router where its network is set.
i.e. VLAN1 is main and into which the DHCP server is connected
VLAN2 172.16.0.0/24 IP helper is set up with IP 172.16.0.0 and destination of the DHCP server as your existing DHCP. When the DHCP receives this request it is prefixed with 172.16.0.0 so it allocates from the 172.16.0.0 scope.
Similar for VLAN2 and 172.31.0.0/24: a relayed request to your DHCP server will be fulfilled from the 172.31.0.0 scope.

Usually DHCP allocates based on the IP address of the interface on which the request came.

depending on your switch, you could have it

The difficulty is that the increase in IPs means you have to split the switch/es to which systems connect. You need to work things out if the group of systems you switch to a new VLAN/IP may lose access to resources they commonly used.

Enlarging the existing scope from four subnets to eight,
192.168.0.0/22 192.168.0.0-192.168.3.255
to
192.168.0.0/21 192.168.0.0-192.168.7.255

requires the reconfiguration of the servers (for the mask update, netsh can be used) and of the firewall to update the netmask in the configuration.

on the firewall
GIGport1 is the current LAN
Gigport2 is the new VLAN with a new IP scope

The switches you have and how you want to repartition your users, by departments, etc..
This has to be worked out to simplify the setup/update/upgrade/upscope.
0
tjwo94 (Author) Commented:
Okay...I somewhat understand.

This is what I setup at my office as a test. I essentially replicated exactly what the client has:

Client setup
One DHCP server @ 192.168.0.10
Router/Firewall/Gateway @ 192.168.0.1
Existing DHCP Scope of 192.168.0.0/23 192.168.0.1-192.168.1.254 (255.255.254.0)

I added another scope of 192.168.2.0/23 192.168.2.1-192.168.3.254 (255.255.254.0)

Then added these to a superscope.

I configured a second network adapter on the server @ 192.168.2.10 (255.255.254.0)

I then added to my Router/Firewall/Gateway 192.168.2.1 as another gateway.

This allowed machines static'd in the range of 192.168.2.0/23 192.168.2.1-192.168.3.254 (255.255.254.0) the ability to be added/login to the domain and see/access resources, printers, and machines on the range of 192.168.0.0/23 192.168.0.1-192.168.1.254 (255.255.254.0)

So far I am seeing what I would want to see in terms of communication. I guess my question is, once the original range is full, will clients automatically be assigned IP's in the new range? Or is there something else I need to do that I am not seeing/understanding in order for this to happen? I can say that I could care less which range a client acquires a lease from, so long as it does get a lease and can function.
0
arnold Commented:
No, you need to configure the switch to break the ranges by defining an IP helper, DHCP relay agent, depending on the switch you have. This way when a connected computer tries to get an IP, depending on which switch/port it is connected to, it will get an IP on one or the other scope.
Without an IP helper/DHCP relay agent, the only IPs that will be allocated will be based on the original scope since the DHCP server will see the request on the 192.168.0.0/23 interface, thus allocating from that scope.
0
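The relay behaviour described above can be modelled in a few lines. This is an added example, not code from the thread or from any DHCP server: it builds a constructed BOOTP request header, stamps the `giaddr` field the way an IP helper does, and picks the scope from `giaddr` (or from the receiving interface when `giaddr` is zero). The scopes, the server address 192.168.0.10 and the relay address 192.168.2.1 are taken from the test setup in the thread; the MAC address and function names are assumptions.

```python
import ipaddress
import struct

# Scopes from the thread's test setup.
SCOPES = [ipaddress.ip_network("192.168.0.0/23"),
          ipaddress.ip_network("192.168.2.0/23")]

# Fixed BOOTP header up to chaddr: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr (giaddr sits at byte offset 24).
BOOTP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s")

def build_discover(mac: bytes) -> bytes:
    """Constructed client broadcast: BOOTREQUEST with giaddr = 0.0.0.0."""
    zero = bytes(4)
    return BOOTP_FIXED.pack(1, 1, 6, 0, 0x1234, 0, 0x8000,
                            zero, zero, zero, zero, mac.ljust(16, b"\0"))

def relay(packet: bytes, relay_if_ip: str) -> bytes:
    """What an IP helper does: set giaddr if unset, increment hops, forward."""
    fields = list(BOOTP_FIXED.unpack(packet[:BOOTP_FIXED.size]))
    if fields[10] == bytes(4):
        fields[10] = ipaddress.ip_address(relay_if_ip).packed
    fields[3] += 1
    return BOOTP_FIXED.pack(*fields) + packet[BOOTP_FIXED.size:]

def select_scope(packet: bytes, received_on: str, scopes=SCOPES):
    """Scope whose subnet contains giaddr, else the receiving interface's IP."""
    giaddr = ipaddress.ip_address(
        BOOTP_FIXED.unpack(packet[:BOOTP_FIXED.size])[10])
    key = giaddr if int(giaddr) != 0 else ipaddress.ip_address(received_on)
    return next((s for s in scopes if key in s), None)

if __name__ == "__main__":
    discover = build_discover(b"\xaa\xbb\xcc\x00\x00\x01")  # constructed MAC
    # Heard directly on the server's 192.168.0.10 interface.
    print("direct :", select_scope(discover, "192.168.0.10"))
    # Same request forwarded by a relay whose interface is 192.168.2.1.
    print("relayed:", select_scope(relay(discover, "192.168.2.1"), "192.168.0.10"))
```
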
tjwo94 (Author) Commented:
Okay...I don't have switches that can do this, but I'm thinking the firewall/router may be able to relay. I'll check tomorrow and update.
0
tjwo94 (Author) Commented:
Actually before I check this, can the firewall/router be the relay agent? Based on the images in the reading material you provided, I am assuming it can if it has the ability. And if not, since my switches can't do it...then what? Software based, or do I need to get another additional piece of equipment to do this?
0
arnold Commented:
Yes, a firewall can be a relay agent. I.e. no DHCP server configured. Then a relay agent is setup on each interface with the requests configured to be sent to the sole DHCP server.
In the absence, you can have a server on the second segment configured as a relay agent, but if you have a DHCP server on the other segment, why not let it allocate IPs?
0
tjwo94 (Author) Commented:
We only have the one server handling DHCP. It just has a NIC configured for both scopes, to prevent cross traffic, reduce network stress.

Now when you mention setting up a relay agent on each interface, what are you referring to when you say interface? A gateway is configured in the firewall for both scopes, but there is one interface/Ethernet port feeding the LAN.
0
arnold Commented:
On your firewall you should be able to VLAN/separate each Ethernet port.
I.e. G1 192.168.0.1/23
G2 192.168.2.1/23
Then you need to define an IP helper for the G2 since the DHCP server is already on the 192.168.0.0/23.

I tried looking for the firewall you have and the support pages that might shed light on the terminology they use.
IP helper is a Cisco term for DHCP relay agent. Each vendor may choose to use something else.

Unfortunately, the support pages for your firewall are not viewable without presumably registering with the vendor.
0

tjwo94 (Author) Commented:
Okay, that is what I thought you meant, thank you for clarifying. I will give them a call and find out what the device is capable of, and get back to you as soon as I can.
0
tjwo94 (Author) Commented:
I found out today that the firewall/router will not be able to act as an IP helper/DHCP relay.

But they do have an alternative which we are going to test today.

As it was explained to me, we can delete our current DHCP scope of:

192.168.0.0/23 192.168.0.1-192.168.1.254 (255.255.254.0)

and rebuild it with the larger scope we need of say:

19.168.0.0/21   192.168.0.1 - 192.168.7.254 giving us 2046 IP's

We would then change the subnet mask on the firewall to the new 255.255.248.0/21

Our concern for not wanting to simply do this before, was the need to run around and change 100 static IP's to reflect the new subnet mask, for a variety of reasons.

However, it was explained to me that the firewall has the ability to resolve/route the static ip's using the smaller subnet mask to the larger one without any issue.

I'm sorry I cannot provide a more technical explanation than that.

We will be testing this today to verify, and if it works, then we can re-create a larger scope as needed, and that gives us the time then, to update the static ip's when it's convenient so the network is following the best practices.

If this does not work, I don't have another device on the network to act as an IP helper, so we would basically be forced I believe at that point to coordinate the update of all the static IP's at once, when replacing the existing scope with a larger one.
0
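The addressing arithmetic behind this plan can be checked before touching the server. The following is an added example, not part of the thread: it shows why 192.168.2.254 is rejected for the existing /23 scope, which prefix is needed to reach a given last address, how a static host still on the old /23 mask and a DHCP client on the new /21 mask each reach the other, and which usable /21 address an old-mask host would still treat as broadcast. The gateway 192.168.0.1 is from the thread; the two host addresses are constructed.

```python
import ipaddress

def can_extend(scope: str, new_end: str) -> bool:
    """A scope's range can only grow inside the scope's own subnet."""
    return ipaddress.ip_address(new_end) in ipaddress.ip_network(scope)

def smallest_supernet(scope: str, last_needed: str) -> str:
    """Widen the prefix one bit at a time until last_needed fits."""
    net = ipaddress.ip_network(scope)
    ip = ipaddress.ip_address(last_needed)
    while ip not in net:
        net = net.supernet()
    return str(net)

def next_hop(src_if: str, dst_ip: str, gateway: str) -> str:
    """Where a host configured as src_if (ip/prefix) sends a packet for dst_ip."""
    on_link = ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(src_if).network
    return "direct (ARP)" if on_link else f"via {gateway}"

def stale_mask_collisions(new_scope: str, old_scope: str) -> list:
    """Usable addresses in new_scope that old-mask hosts treat as network/broadcast."""
    new, old = ipaddress.ip_network(new_scope), ipaddress.ip_network(old_scope)
    first, last = new.network_address + 1, new.broadcast_address - 1
    return [str(a) for a in (old.network_address, old.broadcast_address)
            if first <= a <= last]

if __name__ == "__main__":
    GATEWAY = "192.168.0.1"          # from the thread
    STATIC = "192.168.1.50/23"       # constructed: static host, old mask
    CLIENT = "192.168.4.20/21"       # constructed: DHCP client, new mask
    print(can_extend("192.168.0.0/23", "192.168.2.254"))
    print(smallest_supernet("192.168.0.0/23", "192.168.7.254"))
    # Old-mask host hands the packet to the gateway; the reply comes back
    # directly, so the firewall has to forward traffic back out the LAN side.
    print("static -> client:", next_hop(STATIC, "192.168.4.20", GATEWAY))
    print("client -> static:", next_hop(CLIENT, "192.168.1.50", GATEWAY))
    # Candidates to exclude from the new scope while old masks remain.
    print(stale_mask_collisions("192.168.0.0/21", "192.168.0.0/23"))
```
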
arnold Commented:
Look into using netsh or WMI, PowerShell, VBScript.

The problem with large scopes deals with broadcasts and cross chatter wasting bandwidth.
0
tjwo94 (Author) Commented:
Granted my equipment won't allow me to implement this solution, BUT, it would have worked otherwise had we been able to. Thank you very much for your assistance, as all the information provided was useful and I learned quite a bit at the same time.
0