Running out of IP addresses on LAN

Jason Shaw
I have a 172.16.2.1 / 255.255.255.0 range currently that is running out of IP addresses. If I am understanding correctly, in order to allow for more IP addresses, i.e. 172.16.3.0, all I need to do is change the subnet mask on all devices to 255.255.254.0? So, any device with static IPs would need to be changed... Just trying to make sure we do everything correctly in the correct order. Do we change our AD servers first? Change on our firewall?
Network Administrator
Commented:
Use an online subnet calculator to change your mask from a /24 to a /23 to ensure you know what the range will be:

http://www.subnet-calculator.com/subnet.php?net_class=B

By my quick calculation, a /23 will give you a range of 172.16.2.1 - 172.16.3.254 usable

You do not need to change existing IP addresses, but you do need to change the netmask
Pete Long, Technical Consultant
Commented:
You are proposing to 'drop' the subnet by one bit so instead of 256 addresses you will get 512

Do the default gateway device first then static and the servers etc, then the DHCP scope.


Pete

Author

Commented:
Thanks guys. Quick question for Pete... Our default gateway device is our firewall so we just need to change the IP config of the firewall first? We don't need to change any configuration for WAN/LAN on firewall? I.e. current firewall IP is 172.16.2.1 / 255.255.255.0... simply change firewall to 172.16.2.1 / 255.255.254.0?
Sorry, novice here..

Distinguished Expert 2018
Commented:
"We don't need to change any configuration for WAN/LAN on firewall? I.e. current firewall IP is 172.16.2.1 / 255.255.255.0... simply change firewall to 172.16.2.1 / 255.255.254.0?"
Correct, that is the one thing you need to change as far as the LAN interface on your firewall is concerned.

I'm also going to post this quote from CES:
"You do not need to change existing IP addresses, but you do need to change the netmask"

I put that one in particular, because you also need to update the subnet mask for any devices that have static IP addresses, as well as on the DHCP server.
Pete Long, Technical Consultant
Commented:
>>Thanks guys. Quick question for Pete...Our default gateway device is our firewall

Depends on the firewall buddy, if it's a cheap and cheerful one then just change the IP, BUT for example, if it were a Cisco ASA then you would need to change the NAT rules to accommodate the wider network space as well :)

Pete
Brian B, EE Topic Advisor, Independent Technology Professional
Commented:
Yes, change the firewall first to ensure it can manage all the traffic as you move things over.

You might also want to take this opportunity to set up a second DHCP server. If you are using Server 2012 or higher for DHCP you can use redundant DHCP. Otherwise set up the two DHCP servers both covering the range discussed, but exclude half the range on each server.
Pete Long, Technical Consultant
Commented:
You can change the scope 'on the fly' if you like. Again, see the following link:

Windows Server – Change a DHCP Scopes Subnet Mask

I did this last week on a live server without even a blip :)

Pete

Author

Commented:
Great info! My plan is as follows per comments... Change firewall subnet mask... change subnet mask on all other static devices... change subnet mask on servers. Change IP info on DHCP server scope... a reboot of all workstations should then supply new IP addresses... I believe I would also need to change subnet mask on any firewall rules that are set up, correct?
Distinguished Expert 2018
Commented:
If the 255.255.255.255 mask is used in a rule, then the answer is no because that's solely there to specify a specific host (and would not be impacted by such a change). If you're specifying the entire LAN subnet, then the answer is yes.
Pete Long, Technical Consultant
Commented:
>>subnet mask on any firewall rules that are setup correct?

If you have defined an ACL with a subnet, or an 'object' that has a subnet defined for it then yes :)

P
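The checks discussed in the thread up to this point, as an added example that is not part of any poster's reply: it computes the /23 range, finds static devices still carrying the old mask, shows how such a device treats a 172.16.3.x peer, and sorts firewall rule sources into host rules versus rules that still name the old LAN subnet. The device names, rule names and inventory entries are constructed for illustration.

```python
import ipaddress

OLD_NET = ipaddress.ip_network("172.16.2.0/24")
NEW_NET = ipaddress.ip_network("172.16.2.0/23")

# Constructed inventory of statically addressed devices (hypothetical names).
DEVICES = {
    "firewall-lan": "172.16.2.1/255.255.254.0",
    "dc01": "172.16.2.10/255.255.254.0",
    "printer": "172.16.2.50/255.255.255.0",  # mask not updated yet
    "new-host": "172.16.3.20/255.255.254.0",
}
# Constructed firewall rule sources (hypothetical rule names).
RULES = {
    "allow-lan-out": "172.16.2.0/255.255.255.0",
    "allow-dc-ldap": "172.16.2.10/255.255.255.255",
    "allow-lan-wide": "172.16.2.0/255.255.254.0",
}

def usable_range(net):
    """First usable host, last usable host, and usable host count."""
    return (str(net.network_address + 1), str(net.broadcast_address - 1),
            net.num_addresses - 2)

def stale_devices(devices, new_net):
    """Devices whose configured mask does not yet yield the new network."""
    return sorted(n for n, cfg in devices.items()
                  if ipaddress.ip_interface(cfg).network != new_net)

def on_link(src_cfg, dst_ip):
    """True if the source treats dst as directly reachable, False if it
    would send the traffic to its default gateway instead."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(src_cfg).network

def classify_rule(src, old_net, new_net):
    """'host' = single-address rule, 'widen' = still the old LAN subnet,
    'ok' = already covers the new range, 'review' = anything else."""
    net = ipaddress.ip_network(src, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return "host"
    if net == old_net:
        return "widen"
    return "ok" if new_net.subnet_of(net) else "review"

if __name__ == "__main__":
    print(usable_range(NEW_NET))
    print("stale masks:", stale_devices(DEVICES, NEW_NET))
    print("printer -> 172.16.3.20 on-link:", on_link(DEVICES["printer"], "172.16.3.20"))
    for name, src in RULES.items():
        print(name, classify_rule(src, OLD_NET, NEW_NET))
```
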

Author

Commented:
One more question... is this the simplest process for us at this point? I am assuming there is no way to leave current IP scheme in place and just make additions somewhere to add IPs?
Pete Long, Technical Consultant
Commented:
That's a different question :)

Yes (depending on your switches) you could spin up a VLAN with a new range and set up a new DHCP scope for that new range.

Pete
Brian B, EE Topic Advisor, Independent Technology Professional
Commented:
You could use two DHCP servers like I said, but you'd still have to change the subnet settings so all devices can find each other.

You could also add a second server on a new subnet and set up VLANs with routing between the two networks, but that may require some more planning.

Author

Commented:
We are using Meraki MS220 switch... So, I would set up VLAN on the Meraki and also set up DHCP and new scope on the Meraki or continue with our current Windows server DHCP or does it even matter?
Pete Long, Technical Consultant
Commented:
You would create VLAN 2, then set up a DHCP relay (see this article) on that VLAN, then configure a scope on the DHCP relay you specify.

You then need to tag the ports into the new VLAN that you want to use the new network scope, you can do this en-masse in the Meraki dashboard.

Pete
David Spigelman, President / CEO
Commented:
What you're talking about now is creating an entirely different subnet. (E.g. 172.16.3.0 with a mask of 255.255.255.0). You can certainly do that, but it does mean that, in order for traffic to go between the 2.x network and the 3.x network, it has to go through some sort of routing function. They're not on the same subnet, and cannot communicate directly. A VLAN is essentially another IP subnet running through the same wiring scheme, or through the same switch, or through the same physical router interface. But there is still some routing function that would have to take place.

Some switches may be able to provide that function internally. I know that some of the higher end Cisco switches often have routing blades in them, for example. Don't know about the Merakis. And it's not hard to do. But you should understand what you're doing, if you choose that method. Widening the net mask would definitely be architecturally simpler. (But that doesn't mean it's the better option.)
