I’ve pretty much talked myself into this, but just want a little community sign-off.
The original admin set up our network as a 192.168.0.0/24 subnet, thus giving me .1 to .254 for addresses. Well, we've been bumping pretty hard against that. I understand what all needs to be done, and I can just move us to a 192.168.0.0/23 to get twice the addressing. However, what complicates things are our remote sites on VPN tunnels to our ASA. There are about 15 of them subnetted to 192.168.X.0/24 (192.168.1.0, 192.168.2.0, etc.), so if I just flip us to /23 and a client here needs to see 192.168.1.20, it won't know if that is 192.168.1.20 here or 192.168.1.20 over the VPN tunnel. I know I could probably tunnel using external IPs or some funky stuff, but that seems like it could get cumbersome. To make matters worse, we have a local VLAN on 192.168.2.0/24 for our VoIP that I don't really want to touch.
So my gut tells me to pick a higher subnet, say 192.168.200.0/22, giving me 192.168.200.1 to 192.168.202.254 for future-proofing (hah! Like it's possible in IT; let's say future-resisting). That would put it far enough out that none of the VPN tunnels would interfere, and my VLAN wouldn't be impacted either. Either that or move up to a 20-bit 172 subnet, but that seems like overkill and may tax my equipment too much with broadcast traffic.
If this all makes sense and passes muster, here is my plan.
Obviously, starting at the ASA, I have to reconfigure the internal interface. While I'm in there, reconfigure all VPN connections, and reconfigure them on the remote end as well. Plus any NAT or the other dozen things that could need my attention in there.
Then reconfigure every statically assigned device.
Set up a new DHCP scope.
Detox from all the caffeine and finally sleep.
A little misc. info: we are a Windows 2008 shop. We use a Cisco ASA and Cisco 3560Gs for the bulk of the work (there are a few workgroup switches here and there).
Anything I'm missing here? Or any suggestions?
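As an added example (not part of the original post, and not the poster's configuration), here is a small Python check for the overlap problem described above. Given a candidate subnet it reports which existing VPN or VLAN ranges it collides with, whether it sits on a proper network boundary for its prefix length, and the usable host range. The list of existing networks is constructed to resemble the layout in the post (a few of the 192.168.X.0/24 sites plus the VoIP VLAN); the real environment has about 15 sites, so substitute the actual tunnel and VLAN ranges before relying on the result.

```python
import ipaddress

# Constructed to resemble the layout described in the post (remote sites on
# 192.168.X.0/24 plus a VoIP VLAN). These are sample inputs for the check,
# not the poster's real networks.
EXISTING_NETWORKS = {
    "site-1 VPN": ipaddress.ip_network("192.168.1.0/24"),
    "VoIP VLAN": ipaddress.ip_network("192.168.2.0/24"),
    "site-3 VPN": ipaddress.ip_network("192.168.3.0/24"),
    "site-15 VPN": ipaddress.ip_network("192.168.15.0/24"),
}

# RFC 1918 private blocks, used to confirm the candidate stays private.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_aligned(candidate):
    """True if the candidate is written on its own network boundary.

    strict=True makes ipaddress reject e.g. 192.168.201.0/22, because the
    network address for that prefix length would really be 192.168.200.0.
    """
    try:
        ipaddress.ip_network(candidate, strict=True)
        return True
    except ValueError:
        return False


def find_conflicts(candidate, existing=EXISTING_NETWORKS):
    """Names of existing networks that overlap the candidate, sorted.

    Any overlap means a destination in the shared range is reachable two
    ways (local segment or VPN tunnel), which is the ambiguity the post
    describes for 192.168.1.20 after widening 192.168.0.0/24 to /23.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    return sorted(name for name, net in existing.items() if cand.overlaps(net))


def summarize(candidate):
    """Usable host range and size of the candidate, plus an RFC 1918 check."""
    net = ipaddress.ip_network(candidate, strict=True)
    return {
        "network": str(net),
        "first_host": str(net[1]),
        "last_host": str(net[-2]),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
        "rfc1918": any(net.subnet_of(block) for block in RFC1918),
    }


if __name__ == "__main__":
    # The candidates discussed in the post: widen in place, or move away.
    for cand in ("192.168.0.0/23", "192.168.0.0/22",
                 "192.168.200.0/22", "172.16.0.0/20"):
        conflicts = find_conflicts(cand)
        info = summarize(cand)
        status = ("CONFLICT with " + ", ".join(conflicts)) if conflicts else "clear"
        print(f"{cand}: {status}; hosts {info['first_host']}-{info['last_host']} "
              f"({info['usable_hosts']} usable, rfc1918={info['rfc1918']})")
```

Run it with the real tunnel and VLAN list in place of the constructed one. Widening 192.168.0.0/24 to /23 is flagged because it swallows 192.168.1.0/24, while 192.168.200.0/22 and 172.16.0.0/20 come back clear; the alignment check is worth keeping because an ASA or DHCP scope built on a mis-aligned /22 will not match the routes the remote ends expect.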