regsamp
asked on
Changing Lease Duration for DHCP clients
We run a small network for a small company of about 100 people and we have a lot of users that use our Wi-Fi with iPhones, AppleWatches, iPads, Androids and other devices. We also have clients that come in for meetings that use our Wi-Fi and take up IP addresses.
We are starting to run low on available DHCP IPs and our lease has always been 8 Days for years. We are thinking of changing that along with having users not use their personal devices on our network.
Our question is if we change the lease to 3 days, does that have any kind of negative impact on DHCP or the network? Too much activity or just something that we are potentially missing?
Any help would be appreciated.
We are starting to run low on available DHCP IPs and our lease has always been 8 Days for years. We are thinking of changing that along with having users not use their personal devices on our network.
Our question is if we change the lease to 3 days, does that have any kind of negative impact on DHCP or the network? Too much activity or just something that we are potentially missing?
Any help would be appreciated.
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
"This will ensure that only business machines are allowed on your local network (you don't want personal and guest devices on here for business security,"
"1) You should have a guest network that is separate of the main network. You can accomplish this via VLANs. I also do not suggest allowing non corporate devices on the main network at all."
This is just for Wi-Fi that clients and users use. But I understand what you mean. Even this is a security loophole and we should have a whole separate network for guests.
"1) You should have a guest network that is separate of the main network. You can accomplish this via VLANs. I also do not suggest allowing non corporate devices on the main network at all."
This is just for Wi-Fi that clients and users use. But I understand what you mean. Even this is a security loophole and we should have a whole separate network for guests.
If you are already on a separate DHCP scope and wifi network (fingers crossed in the perfect world) a quick and dirty fix would be to change this network from /24 to /23 network but this does depend on the existing network configuration and any routing requirements.
192.168.0.0/24 (254 hosts)
192.168.0.0/23 (510 hosts)
192.168.0.0/24 (254 hosts)
192.168.0.0/23 (510 hosts)
ASKER
We have just the one DHCP scope with a few Wi-Fi routers located in the building for clients and guests. 192.168.1.1 to 129 are excluded from distribution and then above to 192.168.1.254 is open to distribution.
This has been setup for years like this but now with the amount of devices, it is a problem. None of our Wi-Fi routers look like they do any good VLAN options.
This has been setup for years like this but now with the amount of devices, it is a problem. None of our Wi-Fi routers look like they do any good VLAN options.
You can have a VLAN and only utilize it for wireless (you could try to make use for wired as well if you needed, but I assumed that wasn't necessary in your case)
If you wanted a recommendation for lower-cost APs that support VLANs, I'd suggest the Ubiquiti UniFi units. What type of firewall and wireless devices do you have now?
If you wanted a recommendation for lower-cost APs that support VLANs, I'd suggest the Ubiquiti UniFi units. What type of firewall and wireless devices do you have now?
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
We have a SonicFirewall and the wireless routers we use range from Apple, to Belkin, Cisco, ect. Our clients will come in with iPhones and Androids, iPads, ect.
Maybe a recommendation for a lower-cast smart switch that we could put on a small Windows Network and create a VLAN?
Maybe a recommendation for a lower-cast smart switch that we could put on a small Windows Network and create a VLAN?
ASKER
Hmm, that Superscope option sounds interesting Tom. That could possibly work too. And you have not any problems with traffic or network communication?
Not at all, but to do this you need to have DHCP server on Windows server not on Sonic Wall or other router
ASKER
We have DHCP on our Windows Server and not with the SonicWall. I see. You are saying that a second gateway setting has to be on the SonicWall. Second NIC though? I am not sure about that part. We need our DHCP Windows Server to have an another NIC and then configure that NIC for the new Scope, correct?
All you need to do is activate your X2 network adapter on SonicWall and assign IP. In your case 192.168.2.1 to be gateway to internet for second scope users.
Then create supersope in your DHCP and configure router to be 192.168.2.1
If you need 3rd scope you need to activate X3 network on sonic and assign IP 192.168.3.1 and set this in your 3rd scope router settings.
Remember that sonic must be physically connected on active ports to your network switch.
Then create supersope in your DHCP and configure router to be 192.168.2.1
If you need 3rd scope you need to activate X3 network on sonic and assign IP 192.168.3.1 and set this in your 3rd scope router settings.
Remember that sonic must be physically connected on active ports to your network switch.
If this will be only for internet connection then you don't need configure any firewall rules for X2 and X3 but if you'll decide to put some services / servers on this scope then you going to need create appropriate rules on Sonicwal to forward traffic from External IP to appropriate X2 or X3 LAN.
ASKER
"If this will be only for internet connection then you don't need configure any firewall rules" Well, this would also be to allow more IPs in DHCP for the network too. "All you need to do is activate your X2 network adapter on SonicWall and assign IP" I am not sure if it even has multiple network adapters. I get what you are saying about adding the Gateway within the SonicWall. I guess I would have to get with SonicWall support for this situation to confirm everything.
What kind of SonicWall you have ?
ASKER
It is an NSA 2600.
SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
"As I see you have 8 LAN connections from X1-X8" I see Tom. I see mashrock. I still might go that route and thank you for the suggestions. Especially the switch. I am just seeing if the superscope might be quicker/easier for us.
@masnrock
You are absolutely right, but then he need to play with routing between his LAN and VLAN. I think my advise is much simplest.
You are absolutely right, but then he need to play with routing between his LAN and VLAN. I think my advise is much simplest.
@Tom
There's no major playing with routing as it's a Sonicwall. While the goal is simply to have more available IP addresses, it does leave the mixing of corporate and guest devices in one network, which is a nono. Both of our approaches both do provide separation, my advise also leaves the OP only needing to have one set of wireless devices from one vendor, which would be managed centrally. So while it would require more effort upfront, the reward will make him wonder why he didn't go through the undertaking before.
There's no major playing with routing as it's a Sonicwall. While the goal is simply to have more available IP addresses, it does leave the mixing of corporate and guest devices in one network, which is a nono. Both of our approaches both do provide separation, my advise also leaves the OP only needing to have one set of wireless devices from one vendor, which would be managed centrally. So while it would require more effort upfront, the reward will make him wonder why he didn't go through the undertaking before.
ASKER
@Tom, well we do have multiple network ports to do it like you said. It had been a little bit since I had checked behind all the cables in the way so I will have to look more into this.
ASKER
"While the goal is simply to have more available IP addresses, it does leave the mixing of corporate and guest devices in one network, which is a nono." This is a very good point.
Let's be honest, both of our approaches (mine and Tom's) can work. However, it becomes a question of what you want the end result to look like and what you're willing/able to spend.
Are your APs all over the place in the office? How many access points are covering the space, and do you mind having two sets of APs?
Are your APs all over the place in the office? How many access points are covering the space, and do you mind having two sets of APs?
ASKER
We are a small company so we have three wireless routers/APS. Two on on the second floor and one on the main floor for a conference room. It is just that when we have a lot of meetings one week and the clients use the Wi-Fi downstairs the leases stay in DHCP for a week so were thinking of decreasing it to 3 or 4 days. And then we were thinking of VLANS or something to separate it all and get IPs back too.
What model(s) of switch(es) do you have now? I provided in an earlier links and suggestions for a switch in the case you need one. However, what model you currently have dictates whether you really need a new one or not. But also, there's the question of whether you desire POE switches or you want to use injectors.
As far as the APs go, this is what I'd advise to get (either one of these):
UniFi AC Lite 5 Pack - Not that you need 5, but you can deploy 2-3 and have extras for expansion or as spare in case units go bad.
UniFi AC Pro 5 Pack - Same idea, but these are the ones that I mentioned work with normal POE switches.
Obviously, you can buy them individually instead, but I thought presenting in packs of 5 like this would be comparatively simpler.
With these, you'll have APs that will work with multiple SSIDs and multiple VLANs. So even if you wanted even more wireless networks in the future, you're set without some ridiculous cost.
As far as the APs go, this is what I'd advise to get (either one of these):
UniFi AC Lite 5 Pack - Not that you need 5, but you can deploy 2-3 and have extras for expansion or as spare in case units go bad.
UniFi AC Pro 5 Pack - Same idea, but these are the ones that I mentioned work with normal POE switches.
Obviously, you can buy them individually instead, but I thought presenting in packs of 5 like this would be comparatively simpler.
With these, you'll have APs that will work with multiple SSIDs and multiple VLANs. So even if you wanted even more wireless networks in the future, you're set without some ridiculous cost.
ASKER
We have HP ProCurve Switches currently and that is all we have used for awhile now. Okay, thank you for the recommendations.
Ah. If you have ProCurves, then you really don't have to buy replacement switches at all (they should already support VLANs). It would just be more configuration than anything else. Assuming the switches are not POE, get the Lite APs. If they are, I'd recommend going with the Pro. Your monetary cost would solely revolve around the APs themselves. You could have an existing server act as the controller.
ASKER
Okay, I will certainly look into it. I am looking at the Superscope too. We are a small business so sometimes we just have to go with the cheapest and quickest options or at least present all the options so I appreciate all the advice.
Windows DHCP? Lower lease times and enable conflict resolution
ASKER
All of the options would work and I did not want to choose a best option but it looks like I have to. Sorry, I would have given equal points if I could.
ASKER
Sorry Shaun, I closed this without seeing your good suggestion too. I am doing that now to see if that helps but thank you, very much.
1) You should have a guest network that is separate of the main network. You can accomplish this via VLANs (this also requires that you have infrastructure that will support them). I also do not suggest allowing non corporate devices on the main network at all, even if it is employee owned.
2) Shortening the lease time should not hurt anything at all. If anything it will ensure better utilization of IP addresses.