Need Network Redesign and Firewall Advice

I need some advice for a network redesign and firewall project I will be working on soon. This will be my first major network change and I don't want to do it wrong.

We currently have a mix of DHCP servers and SonicWall TZ 300 firewalls that handle DHCP services at our various locations. A few years ago, consultants set up the network with Class C IP addresses, and we are running out of IP addresses (99% used) at 2 of our main sites. We cannot add any new devices, so I have been asked to change our network to have more addresses available for current and future use. A few months ago I tried to change the scope at one site, but for some reason those changes knocked out all ISP connections at all sites, so I reverted to the old IPs.

I've made a diagram of what we have and the changes I would like to perform:
[Diagram: Company Network]
Does this seem to be the best way to change IP addresses at our sites, and what could have happened on our SonicWalls when I tried to change our scope and lost Internet connectivity at all sites? Also, what would be the best way to handle DHCP at our branch offices?

Thanks in advance!!!
Asked by Robert Grover, Network Systems Administrator

Lee W, MVP (Technology and Business Process Advisor) commented:
Rather than supernet, why not add separate class C networks where necessary? For example, put wireless devices on a different network. Larger companies I've worked for separated things by subnet for different buildings (or in some cases different floors, or by department, or by interface type (wired/wireless)) and put servers on their own subnets. No supernetting.

The biggest downside to supernetting is increased broadcast traffic, though that may not be that big a deal if your use of broadcast protocols is minimal.
Robert Grover (Network Systems Administrator, author) commented:
We currently do that for our WiFi users, but that also tends to fill up. Over the last year our company has added more network devices, and users connect their own devices. In a couple of months my director will be adding even more devices, so I am being pushed to get this done soon. I tried to shorten the TTL on DHCP so that inactive devices lose their assigned IPs if they have been offline for a while.

I was thinking about setting up separate domains, e.g. dfw.domain.com, chi.domain.com, etc., and letting the DCs at each location handle IPs.
Tom Cieslik (IT Engineer) commented:
You can also set up a superscope on your server DHCP and set another LAN port on the SonicWall as a separate gateway to the Internet.
This simple task will allow you to add 254 or more devices.

If you now have 192.168.1.x with a single scope,
your mask is 255.255.255.0
gateway 192.168.1.1

just assign another LAN interface in the SonicWall/firewall and add 192.168.2.1 as a second gateway,
then create a superscope with 2 scopes:

192.168.1.x  255.255.255.0   192.168.1.1
192.168.2.x   255.255.255.0   192.168.2.1
DNS will stay the same.

This will resolve your issue without redesigning the network and disturbing your locations.

Lee W, MVP (Technology and Business Process Advisor) commented:
I wouldn't set up multiple AD domains. There's no need for that. DHCP can be handled by local servers anyway.

And you could just break up the network more. Like I said, by floor, by department, by device type (printers/desktops/wifi/servers/etc.). Or supernet. I don't like that option (I think it's lazy and sloppy), but it should work...
Robert Grover (Network Systems Administrator, author) commented:
Don't mean to sound dumb, but if I set up 2 scopes on the DHCP server:

10.0.0.X 255.255.255.0 10.0.0.1
10.1.0.X 255.255.255.0 10.0.0.2

Will the clients on the network automatically switch to the other subnet?
masnrock commented:
You could have multiple scopes on the DHCP server, but you also need to make sure the other subnets are in place (I would go with a floor-by-floor plan as Lee has suggested). As long as the switch port the DHCP server is connected to can see all of the subnets, this will be a non-issue for the Windows DHCP server.
Tom Cieslik (IT Engineer) commented:
Yes, that is what a superscope is designed for. When the first scope is full, people will start picking up addresses from the second scope.

But this will not work in the example you've written down:

10.0.0.X 255.255.255.0 10.0.0.1
10.1.0.X 255.255.255.0 10.0.0.2

It must be:

10.0.0.0 255.255.255.0 10.0.0.1
10.1.0.0 255.255.255.0 10.1.0.1

or

10.0.0.0 255.255.255.0 10.0.0.1
10.0.1.0 255.255.255.0 10.0.1.1
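The two-scope superscope described above, as an added example in PowerShell (this is not code from the original thread or from any of the participants). It first checks that each scope's gateway, start and end addresses actually lie inside that scope's subnet, which is the mistake in the 10.1.0.X / 10.0.0.2 draft, and only then creates the scopes, their router and DNS options, and the superscope. It assumes a Windows Server with the DHCP role and the DhcpServer PowerShell module, and the scope names, address ranges, DNS servers and domain name are placeholders chosen for illustration.

```powershell
# Added example, not from the original thread. Assumes the DhcpServer module
# (Windows DHCP role) and that 10.0.0.1 / 10.0.1.1 are SonicWall interfaces
# reachable from the segment the clients and the DHCP server share.
# All names and addresses below are placeholders.

$dnsServers = @('10.0.0.10', '10.0.0.11')   # placeholder DNS servers, shared by both scopes
$dnsDomain  = 'corp.example'                # placeholder AD domain name

# Planned scopes: the gateway must sit inside Network/Mask, as must Start and End
$scopes = @(
    @{ Name = 'HQ-Data-1'; Network = '10.0.0.0'; Mask = '255.255.255.0'; Start = '10.0.0.20'; End = '10.0.0.250'; Gateway = '10.0.0.1' }
    @{ Name = 'HQ-Data-2'; Network = '10.0.1.0'; Mask = '255.255.255.0'; Start = '10.0.1.20'; End = '10.0.1.250'; Gateway = '10.0.1.1' }
)

function Test-InSubnet {
    param([string]$Address, [string]$Network, [string]$Mask)
    # (Address AND Mask) must equal the network address, byte by byte
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($Network).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($a[$i] -band $m[$i]) -ne $n[$i]) { return $false }
    }
    return $true
}

# Validate the plan before touching the server; a gateway outside its own subnet
# (e.g. 10.0.0.2 for scope 10.1.0.0) would leave clients unable to route anywhere
foreach ($s in $scopes) {
    foreach ($ip in @($s.Gateway, $s.Start, $s.End)) {
        if (-not (Test-InSubnet -Address $ip -Network $s.Network -Mask $s.Mask)) {
            throw "Scope $($s.Name): $ip is not inside $($s.Network)/$($s.Mask); fix the plan first"
        }
    }
}

# Create each scope (ScopeId is the network address) and set options 003 (router) and 006 (DNS)
foreach ($s in $scopes) {
    Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End `
        -SubnetMask $s.Mask -State Active -LeaseDuration (New-TimeSpan -Hours 8)
    # -Force skips the DNS reachability check so this also works while building offline
    Set-DhcpServerv4OptionValue -ScopeId $s.Network -Router $s.Gateway `
        -DnsServer $dnsServers -DnsDomain $dnsDomain -Force
}

# Group the scopes into one superscope; once HQ-Data-1 is exhausted the server hands out HQ-Data-2
Add-DhcpServerv4Superscope -SuperscopeName 'HQ-Data' -ScopeId ($scopes | ForEach-Object { $_.Network })

# Confirm what was built and watch how full each scope is as the second one starts to fill
Get-DhcpServerv4Superscope -SuperscopeName 'HQ-Data'
Get-DhcpServerv4ScopeStatistics | Select-Object ScopeId, Free, InUse, PercentageInUse
```

One caveat worth checking before running this: a superscope exists for several logical subnets on one physical segment. Clients that receive a 10.0.1.x lease are still on the same wire as the 10.0.0.x clients, so whichever firewall interface carries 10.0.1.1 must be reachable from that segment, and the firewall must have NAT and access rules for the new subnet, or the second scope will hand out addresses that cannot reach the Internet.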
Tom Cieslik (IT Engineer) commented:
This is my superscope and it is working perfectly.

[Screenshot: Capture.JPG]
Robert Grover (Network Systems Administrator, author) commented:
Do I still have to put the 2nd subnet on a different port on the firewall?
Tom Cieslik (IT Engineer) commented:
Yes, because this must be the gateway for the second scope in the superscope. DNS can be the same as for the first one.
Robert Grover (Network Systems Administrator, author) commented:
I'll give it a shot and let you know. Thanks!!!
Tom Cieslik (IT Engineer) commented:
Yes, please.
Make sure you set the second port (X1, X2 or X3) on your firewall to allow Internet traffic with the IP you are going to use as the superscope/second scope gateway.
Blue Street Tech (Last Knight) commented:
You need to determine what your drivers are, too. Do users at any site need to share or access resources of another subnet or site?

How are the sites communicating with each other, e.g. VPN? If so, what topology have you designed? Again, my first question plays into this and will guide you toward a topology that works for your environment.

I agree with @Lee W and @masnrock regarding dividing the subnets by device/floors/departments, etc. Every environment has different demands and goals, but you can effectively run smarter policies, reduce congestion, and enhance security when every device isn't sharing one network. Furthermore, you can define more granular security by only opening the specifically needed ports between interconnected Zones, thus protecting servers and isolating BYOD/mobile devices more prone to infection. You can easily achieve this with sub-interfaces and VLAN configurations within your SonicWALL or your L3 switches, depending on how your network topology is laid out.

If you haven't authorized your DHCP servers properly and you add a "rogue"/foreign DHCP server to your Windows network (e.g. enabling the SonicWALL DHCP server), Windows will shut down the DHCP server to protect against conflicts. This is easily remedied by authorizing DHCP servers in AD DS (Active Directory Domain Services) before they service clients, so that unauthorized, or rogue, servers are detected. This prevents most of the accidental damage caused by either misconfigured DHCP servers or correctly configured DHCP servers running on the wrong network. If you have not done this, you will need to log on as a member of the Enterprise Admins group where the server is being added.

You can then consolidate all DHCP management into Windows via IP Helper on your SonicWALLs. That way WLAN, VPN and LAN are all managed in one place, centralized and standardized.

Let me know how it goes!
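The authorization step and the per-VLAN layout from the comment above, as an added PowerShell example (not code from the thread or from any participant). It checks whether the DHCP server is authorized in AD DS and authorizes it if not, then creates one scope per VLAN with that VLAN's SonicWall sub-interface as the router option, which is what lets a single Windows DHCP server answer requests relayed through IP Helper. It assumes a domain-joined Windows Server with the DHCP role, run by a member of Enterprise Admins; the server name, VLAN numbers, subnets, lease times and DNS addresses are placeholders chosen for illustration.

```powershell
# Added example, not from the original thread. Assumes the DhcpServer module on a
# domain-joined server and Enterprise Admins rights. Every name and address is a
# placeholder; substitute your own VLAN plan.

$dhcpFqdn = 'dhcp01.corp.example'   # placeholder DHCP server name
$dhcpIp   = '10.10.0.10'            # placeholder address on the server VLAN

# 1. Authorize the server in AD DS. Until it appears in this list, the Windows DHCP
#    service shuts itself down rather than lease addresses.
$authorized = Get-DhcpServerInDC | Where-Object { $_.IPAddress -eq $dhcpIp }
if (-not $authorized) {
    Add-DhcpServerInDC -DnsName $dhcpFqdn -IPAddress $dhcpIp
}
# Review the full list: any server you did not put here is a rogue to investigate
Get-DhcpServerInDC

# 2. One scope per VLAN. The relay on each SonicWall sub-interface stamps the request
#    with that sub-interface's address (giaddr), so the server selects the scope whose
#    subnet contains it; no superscope is needed for this layout.
$mask = '255.255.255.0'
$dns  = @('10.10.0.5', '10.10.0.6')   # placeholder domain controllers
$vlans = @(
    @{ Name = 'VLAN10-Servers';   Net = '10.10.0.0'; Start = '10.10.0.100'; End = '10.10.0.200'; Gw = '10.10.0.1'; LeaseHours = 168 }
    @{ Name = 'VLAN20-Desktops';  Net = '10.20.0.0'; Start = '10.20.0.20';  End = '10.20.0.250'; Gw = '10.20.0.1'; LeaseHours = 72 }
    @{ Name = 'VLAN30-Printers';  Net = '10.30.0.0'; Start = '10.30.0.20';  End = '10.30.0.250'; Gw = '10.30.0.1'; LeaseHours = 168 }
    @{ Name = 'VLAN40-BYOD-WiFi'; Net = '10.40.0.0'; Start = '10.40.0.20';  End = '10.40.0.250'; Gw = '10.40.0.1'; LeaseHours = 8 }
)

foreach ($v in $vlans) {
    # Short leases on the BYOD VLAN free addresses of devices that leave the site;
    # long leases on servers and printers keep their addresses stable
    Add-DhcpServerv4Scope -Name $v.Name -StartRange $v.Start -EndRange $v.End `
        -SubnetMask $mask -State Active -LeaseDuration (New-TimeSpan -Hours $v.LeaseHours)
    Set-DhcpServerv4OptionValue -ScopeId $v.Net -Router $v.Gw -DnsServer $dns `
        -DnsDomain 'corp.example' -Force
}

# 3. Verify. Every VLAN should show InUse climbing once clients renew; a VLAN stuck at
#    zero usually means the relay on that sub-interface is not pointed at $dhcpIp.
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, State, StartRange, EndRange
Get-DhcpServerv4ScopeStatistics | Select-Object ScopeId, InUse, Free, PercentageInUse
```

On the SonicWall side the relay is configured in the SonicOS GUI rather than scripted here: enable IP Helper and add a DHCP policy forwarding from each VLAN sub-interface to the server address, and disable the SonicWall's own DHCP server on those interfaces so it does not compete with the authorized Windows server.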