Expanding Subnet Mask

What will happen if we expand the subnet mask from 255.255.255.0 to 255.255.240.0 on our SonicWALL router? Our current IP range is 10.0.0.1 - 10.0.0.254. I know the new mask will expand the network to 10.0.0.1 - 10.0.15.254. However, what will happen if we update the mask on the SonicWALL router first before updating all the devices? Will the computers be able to communicate with each other still? I know refreshing the DHCP pool will update all those clients to the new Subnet. However, most of the computers have static IP addresses and they have 255.255.255.0 set in their adapter's IPv4 settings.

Basically, I want to know if I should update the router first or all the devices to the new subnet first.
smihelp asked:


J Spoor (TME) commented:
You should be fine as long as you don't change IPs first that fall outside the old subnet size.
smihelp (Author) commented:
The DHCP will probably renew automatically to the new subnet mask, but I can leave the DHCP scope within the old subnet range of IPs until we have all the important devices changed. My main concern is that everyone will still be able to access the servers which are not changing IPs.
Fred Marshall (Principal) commented:
If a host launches a packet that's destined outside its subnet and inside the new subnet then the packet will be directed to the gateway router.

If you update the router first then any packets arriving inside the new subnet and outside the old subnet will be directed back out onto the wire.
If a host does that then presumably it's still in the old subnet but wants to communicate with a device on the new subnet.

If you update the hosts first then even though the router will drop or ignore packets that are outside its subnet,  the packets will be out on the wire and not directed to the gateway anyway.  Presumably there will be a target device.

I would start with the router because if a host isn't updated yet and it sends a packet to a device that has an address outside the old subnet then the router will need to handle it and will.  
On the other hand, if the router is updated or not, it will still handle the old subnet just fine.

Be aware, should you care, that the broadcast address will change.  So you will want to make the changes as expeditiously as possible to avoid situations where the broadcast address is needed.
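To make the router-first argument above concrete, here is an added example (not code from the thread or from SonicWALL) that models, with Python's standard ipaddress module, how each host and the router's LAN interface decide where to send a packet while some devices still carry the old mask. The hosts 10.0.0.5 (a server keeping its address), 10.0.0.10 (a static PC not yet updated) and 10.0.3.7 (a device placed in the expanded range) are constructed for the example. The model assumes every host sits on the same physical LAN segment, and that the router forwards a packet arriving on its LAN interface back out the same interface when the destination is inside its LAN subnet, which is what the answer above says it will do.

```python
import ipaddress

OLD_MASK = "255.255.255.0"    # the current /24
NEW_MASK = "255.255.240.0"    # the target /20


def host(ip, mask):
    """A host (or the router's LAN interface) with its configured IP and mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}")


def next_hop(sender, dst):
    """How `sender` launches a packet for `dst`: straight onto the wire (ARP) if
    dst is inside the subnet as the sender understands it, else to the gateway."""
    dst = ipaddress.ip_address(str(dst))
    return "direct" if dst in sender.network else "gateway"


def delivers(sender, receiver, router):
    """One direction of a flow. Assumption (constructed model): all hosts share one
    physical LAN, so a directly ARPed packet always arrives. A packet handed to the
    gateway only comes back onto the wire if the destination lies inside the
    router's own LAN subnet; otherwise the router has nowhere to send it."""
    if next_hop(sender, receiver.ip) == "direct":
        return True
    return receiver.ip in router.network


def flow_works(a, b, router):
    """A conversation needs both the request and the reply to be delivered."""
    return delivers(a, b, router) and delivers(b, a, router)


def broadcast_of(h):
    """The directed broadcast address as this host computes it from its own mask."""
    return h.network.broadcast_address


def migration_matrix():
    """Which conversations survive, for the router still on /24 and for the
    router already on /20, with one host already moved into the new range."""
    server = host("10.0.0.5", OLD_MASK)     # server that is not changing IP, still /24
    pc_old = host("10.0.0.10", OLD_MASK)    # static PC not yet updated
    pc_new = host("10.0.3.7", NEW_MASK)     # device placed outside the old /24
    results = {}
    for label, router in (("router /24", host("10.0.0.1", OLD_MASK)),
                          ("router /20", host("10.0.0.1", NEW_MASK))):
        results[label] = {
            "old pc -> server": flow_works(pc_old, server, router),
            "old pc -> new pc": flow_works(pc_old, pc_new, router),
            "new pc -> server": flow_works(pc_new, server, router),
        }
    return results


if __name__ == "__main__":
    for router, flows in migration_matrix().items():
        print(router)
        for name, ok in flows.items():
            print(f"  {name:18} {'OK' if ok else 'FAILS'}")
    # The broadcast address moves with the mask: a /24 host still broadcasts to
    # 10.0.0.255, which a /20 host treats as an ordinary unicast address.
    print("broadcast, old mask:", broadcast_of(host("10.0.0.10", OLD_MASK)))
    print("broadcast, new mask:", broadcast_of(host("10.0.0.10", NEW_MASK)))
```

The matrix reproduces the conclusion in the answer: while the router is still on /24, any conversation that touches an address outside 10.0.0.0/24 fails in at least one direction, because the not-yet-updated side hands the packet to a gateway that cannot return it to the LAN; once the router is on /20, every combination works and only the broadcast address differs between old-mask and new-mask hosts. In a real network the router will usually also send an ICMP redirect when it hairpins such a packet; the model does not need that to reach its result.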


smihelp (Author) commented:
That's helpful! So the broadcast address of a device with the old subnet settings wouldn't get a response from the devices outside their known subnet because they aren't even looking that far? Is that correct?

Also, how would this affect traffic over our site-to-site VPN? Do those devices behind the VPN even care about the new subnet?
Tom Cieslik (IT Engineer) commented:
Netmask:   255.255.240.0 = 20     11111111.11111111.1111 0000.00000000
Wildcard:  0.0.15.255             00000000.00000000.0000 1111.11111111

Network:   10.0.0.0/20            00001010.00000000.0000 0000.00000000 (Class A)
Broadcast: 10.0.15.255            00001010.00000000.0000 1111.11111111
HostMin:   10.0.0.1               00001010.00000000.0000 0000.00000001
HostMax:   10.0.15.254            00001010.00000000.0000 1111.11111110
Hosts/Net: 4094                   (Private Internet)

You should get 4094 addresses in your private network
You can use this calculator to calculate different options
http://jodies.de/ipcalc

You should switch all static addresses to dynamic first, change the network settings, then make DHCP reservations for the addresses you want to be permanent.
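The figures in the ipcalc table above can be reproduced with Python's ipaddress module, and the same module makes a quick pre-cut-over audit of the static inventory. This is an added example, not code from the thread or from ipcalc; the inventory list is constructed and its host names are placeholders. The audit flags three things a practitioner wants to know before the weekend change: hosts still carrying a mask other than the new one, addresses that are the network or broadcast address of the new /20 and so cannot be assigned at all, and the old /24 broadcast address 10.0.0.255, which is a valid host address under /20 but is still treated as broadcast by every device not yet updated.

```python
import ipaddress


def subnet_summary(cidr):
    """Network, wildcard, broadcast, usable host range and host count for a CIDR
    block; the same fields ipcalc prints."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "wildcard": str(net.hostmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "hostmin": str(net[1]),
        "hostmax": str(net[-2]),
        "hosts": net.num_addresses - 2,
    }


def audit_static_hosts(inventory, new_cidr, old_cidr):
    """inventory: iterable of (name, ip, mask) as configured on each device.
    Returns the names that still need attention before the mask change."""
    new_net = ipaddress.ip_network(new_cidr, strict=False)
    old_net = ipaddress.ip_network(old_cidr, strict=False)
    report = {"wrong_mask": [], "unusable": [], "old_broadcast": []}
    for name, ip, mask in inventory:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        if iface.network != new_net:
            # device still computes a different subnet than the router will
            report["wrong_mask"].append(name)
        if iface.ip in (new_net.network_address, new_net.broadcast_address):
            # never a legal host address in the new subnet
            report["unusable"].append(name)
        if iface.ip == old_net.broadcast_address:
            # legal under /20, but /24 peers will still treat it as broadcast
            report["old_broadcast"].append(name)
    return report


# Constructed inventory for the example; names and addresses are placeholders.
INVENTORY = [
    ("fileserver", "10.0.0.5", "255.255.255.0"),     # not yet updated
    ("printer", "10.0.0.200", "255.255.240.0"),      # already on the new mask
    ("camera-3", "10.0.3.7", "255.255.240.0"),       # placed in the expanded range
    ("camera-4", "10.0.0.255", "255.255.240.0"),     # old broadcast address reused
    ("typo-box", "10.0.15.255", "255.255.240.0"),    # new broadcast address, unusable
]

if __name__ == "__main__":
    for k, v in subnet_summary("10.0.0.0/20").items():
        print(f"{k:10} {v}")
    print(audit_static_hosts(INVENTORY, "10.0.0.0/20", "10.0.0.0/24"))
```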
Fred Marshall (Principal) commented:
re: broadcast address:

It's the highest address in the subnet.

Right.  And so, the highest address in the old subnet will no longer be a broadcast address to some.  They won't listen there any longer.
And, depending on DHCP ranges, it could be a legit host address.
Tom Cieslik (IT Engineer) commented:
I forgot to mention, if you want that many addresses to be handled by DHCP you need to create a Superscope with 16 scopes.
smihelp (Author) commented:
Thanks! I'm thinking about changing the DHCP range to 10.0.1.1 -- 10.0.1.254. Currently the DHCP range is set to 10.0.0.120 -- 10.0.0.138 and we are constantly running out. We can't expand that right now because almost all the other IPs are statically assigned. Setting every device to dynamic and using DHCP reservations where needed sounds like a good idea.
 
Would changing the subnet mask affect traffic over our site-to-site VPN? Do those devices behind the VPN even care about the new subnet if they are on their own network?
Tom Cieslik (IT Engineer) commented:
If you are running out, just create a superscope in your DHCP with 2 scopes, for example:

first one 10.0.0.120-138 - your current one
second 10.0.1.1 - 10.0.1.254
Fred Marshall (Principal) commented:
Why are you running out?  Might the lease time be too long?  When "transient" clients come in and take a lease and leave shortly thereafter ... well, there goes an address out of the pool for the entire lease time.

Renewing leases is not a concern.
So, I set them at 4 hours.
smihelp (Author) commented:
Good suggestion to reduce the lease time to 4 hours. It was set at 1440 min (24 hours). Changing the DHCP lease to 240 min (4 hours) might buy us some time. We are planning on making the subnet mask change this weekend. We are running out of DHCP IPs because there are more devices needing to use DHCP than we have IPs in the range. We can't expand the range because almost all other IPs in the subnet are statically assigned. This is why we need to expand the subnet mask.

Does anyone know if the subnet mask change will affect the site to site VPN traffic?  I don't think it will but would love to know what to watch out for.
Fred Marshall (Principal) commented:
Well, for the VPN you should match the subnets in the VPN settings.   Otherwise things may not continue to work as intended.

Just setting the lease time won't do everything.  You will have to release all the leases so they renew.  Otherwise only the *new* leases will likely have the new lease times and that may not be good enough.

Depending on how "transient" the devices connections are, for such a short time I'd go to 120 mins / 2 hours lease time.
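The point made above, that a transient client occupies an address for the whole lease time however short its visit, can be checked with a small lease-pool simulation. This is an added example, not code from the thread or from any DHCP server; the pool of 19 addresses is the 10.0.0.120 - 10.0.0.138 scope mentioned earlier, and the arrival pattern (a new device every 20 minutes, each leaving without sending a DHCPRELEASE and therefore never renewing) is constructed. The length of each visit does not enter the model at all, which is exactly the problem.

```python
def simulate_pool(pool_size, lease_minutes, arrival_every, horizon_minutes):
    """Discrete simulation of one DHCP scope. Each arriving client takes a lease
    that stays allocated until it expires, because a device that just walks away
    never releases the address and is no longer around to renew it.
    Returns (peak_addresses_in_use, refused_requests)."""
    expiries = []          # lease end times of addresses currently allocated
    peak = refused = 0
    for t in range(0, horizon_minutes, arrival_every):
        expiries = [e for e in expiries if e > t]   # expired leases are reusable
        if len(expiries) < pool_size:
            expiries.append(t + lease_minutes)
        else:
            refused += 1                            # DHCPDISCOVER gets no OFFER
        peak = max(peak, len(expiries))
    return peak, refused


def compare_lease_times(pool_size=19, arrival_every=20, horizon_minutes=1440):
    """Peak usage and refused requests over one day, for the three lease times
    discussed in the thread (24 h, 4 h, 2 h)."""
    return {lease: simulate_pool(pool_size, lease, arrival_every, horizon_minutes)
            for lease in (1440, 240, 120)}


if __name__ == "__main__":
    for lease, (peak, refused) in compare_lease_times().items():
        print(f"lease {lease:5} min: peak {peak:2} in use, {refused:2} requests refused")
```

With a 24-hour lease the 19-address pool is full after the 19th visitor and every later request that day is refused; at 4 hours the same traffic never holds more than 12 addresses, and at 2 hours no more than 6. The simulation starts from an empty pool, so it also illustrates the later remark that shortening the lease time only helps once the existing long leases have expired or been released: a lease handed out under the old 1440-minute setting still occupies its address for the rest of that day.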
smihelp (Author) commented:
The incoming VPN connections through the Global VPN client mostly connect with DHCP on the same 10.0.0.x network. They will be affected the same as the local DHCP devices. However, I'm not sure how the Site to Site connections might be affected. Since they are all on their own separate networks I assume they will be fine.
Tom Cieslik (IT Engineer) commented:
Your VPN client will get a local IP from your DHCP. Try building a multiscope (it's really easy) and DHCP should handle VPN requests.
Fred Marshall (Principal) commented:
The site-to-site VPN connections will not be "fine".  They may still work but for how long?
This is because each terminating VPN device has the far-end LAN IP range entered as a setting.  (It already has its own LAN range).  
So, this means that the far-end LAN subnet mask is in those settings.
I would not recommend that you gamble with this.
smihelp (Author) commented:
You're right, the site-to-site VPNs have an auto-negotiated active destination range of 10.0.0.1 - 10.0.0.255. Do I just need to stop and restart the VPN connections to get the new range after updating the subnet mask? I don't see that range predefined in any of the VPN settings.
masnrock commented:
You should restart the machines that are using DHCP so that they pick up their IP with the new subnet mask. And don't forget to adjust the subnet mask in any systems that have static addresses.
Fred Marshall (Principal) commented:
I've never seen a site-to-site VPN device that didn't have the remote LAN subnet as a setting.
Maybe it's not site-to-site??
Otherwise, how is it supposed to know?

Example:
Local subnet is 10.0.1.0/24
Remote subnet is 10.0.2.0/24
Local VPN device is told that the remote subnet is 10.0.2.0/24.
Remote VPN device is told that its "remote" subnet is 10.0.1.0/24.

So, when a packet is launched that is destined for the remote subnet, the VPN device knows that the destination address is one that it can handle - so it will.
If the VPN device is also the network gateway then this is pretty direct.
If the VPN device is NOT the network gateway then there needs to be a route in the gateway that points to the VPN device for the remote subnet and the packets bounce from the gateway to the VPN device first.

If this isn't a site-to-site VPN but rather a client-to-site VPN configuration then the entire discussion would be different.
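The example above, as added code that is not part of the thread or of any SonicWALL configuration: a longest-prefix-match routing table for the remote site's VPN device, in which the entry for the main site is exactly the "remote network" setting of the tunnel. It shows where a packet for a host in the new 10.0.3.x range goes before and after that setting is widened from /24 to /20. The remote LAN 10.0.2.0/24 and the host 10.0.3.7 are taken from the discussion; the next-hop labels are placeholders.

```python
import ipaddress


def lookup(dst, table):
    """Longest-prefix match: the most specific route whose network contains dst.
    `table` is a list of (network_cidr, next_hop) pairs in any order."""
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for cidr, hop in table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def remote_site_table(main_site_lan):
    """Routing table of the remote-site VPN device (constructed). The entry for
    the main site is the remote-network object configured on the tunnel."""
    return [
        ("10.0.2.0/24", "local LAN"),
        (main_site_lan, "vpn to main site"),
        ("0.0.0.0/0", "WAN default route, not encrypted"),
    ]


def uncovered_hosts(main_site_lan, hosts):
    """Main-site hosts that the tunnel's remote-network setting does not cover."""
    net = ipaddress.ip_network(main_site_lan)
    return [h for h in hosts if ipaddress.ip_address(h) not in net]


if __name__ == "__main__":
    main_site_hosts = ["10.0.0.5", "10.0.3.7"]
    for remote_net in ("10.0.0.0/24", "10.0.0.0/20"):
        table = remote_site_table(remote_net)
        print(f"tunnel remote network {remote_net}:")
        for h in main_site_hosts:
            print(f"  {h:9} -> {lookup(h, table)}")
        print("  not covered by tunnel:", uncovered_hosts(remote_net, main_site_hosts))
```

With the remote network still at 10.0.0.0/24, a packet for 10.0.3.7 misses the tunnel entry and falls to the default route, so it leaves the remote site unencrypted toward the WAN, where a private destination is normally dropped or NATed and never reaches the main site; the reverse direction fails the same way on the main-site device if its local network object is still /24. The same selector mismatch breaks an IPsec negotiation outright when the two ends disagree on the phase-2 networks, which is why the address object's netmask on both devices is the setting to change.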
masnrock commented:
If this is a site to site VPN where one subnet is being applied to machines on BOTH sides, then this matters. That's where the reboots (or at least disconnecting/reconnecting from the network) of devices using DHCP come into play.
smihelp (Author) commented:
Yes, thank you for that info! You are correct, on the remote Site-to-Site VPN connection there is an Address Object created by SonicWALL that has destination settings for Zone Assignment, Network Type, Network Address, and Netmask. That Address Object netmask needed to be updated with 255.255.240.0 to reflect the accurate Destination Range on our main network.  Now the Site-to-Site VPN connection has a new destination range of 10.0.0.0 - 10.0.15.255.  

Over the weekend we changed the SonicWALL subnet to 255.255.240.0 and updated the VPN settings. So far everything is functioning without issue. We tested a few devices using 10.0.3.x and they can be pinged locally and through the VPN. We haven't adjusted the DHCP range but we will after we update all our static IP devices with the new subnet mask settings. We will also look into setting up DHCP reservations to make future changes easier. Thank you all for your help!