DHCP Scope overlap

Hello,

My company is currently moving to a new phone system and we are stuck. Our DHCP is set to IP scope 192.168.16.xx and I created a second scope 10.11.0.xx so it can connect via VPN tunnel with the VoIP system of our other office (we are in So. Cal and the other office is in Florida). Now, to my knowledge I need to create the scopes and the services on DHCP so I can set up the relay to ensure that traffic can go from the 10.11 network using the 192.168 network as gateway, and at some point create a VLAN in my switches to route.

I did all of the first part, up to the VLAN part, and I have some problems.

1. Computers on my scope 192.168.16.xx are registering on the 10.11.0.xx scope. I need to know how to stop them from doing that. I need to keep them alive but without merging.

2. Do I need to create a VLAN to route all my VoIP traffic? We have layer 2 switches and the router is managed by our ISP. Or do I need to set up a new port in my firewall with that subnet, routing all traffic from 10.11 to the public IP?

I have a VM running Server 2008 R2 as my DHCP server. I have 2 virtual NICs installed, one running on 192.168.16.xx and the other on 10.11.0.xx.
I have RRA installed with IGMP installed, and my gut tells me that I did something wrong.

I have not done something like this in years, so if there is anyone that can give me some guidance I will really appreciate it.
IT on The Dot (Consultant) Asked:

Fred Marshall (Principal) Commented:
I don't understand part of the description.
I understand that the local subnet is 192.168.16.0/24.
It appears that there's another subnet 10.11.0.0/24 but it's unclear to me exactly where it's being used and its relationship to the VOIP.

Are you running VOIP on a separate subnet?
Are you running VOIP on a separate subnet on a VLAN?
What subnet is the other end of the VPN using?

Could you please describe what *had been* working before any changes?
Then describe the changes to that base case?
IT on The Dot (Consultant, Author) Commented:
192.168.16.0/24 is used for the local LAN.
10.11.0.0/24 is a local subnet, not a VLAN.
The 10. subnet will be used for VoIP only. I need to have these two subnets coexist with each other while keeping VoIP and LAN traffic separate.

Currently I do not have any VLAN set up on any of my switches.
Mal Osborne (Alpha Geek) Commented:
I do not quite understand your architecture here, but I think I can help with DHCP.

There exists an extension to DHCP, called "DHCP User Classes". If you configure a user class on each client PC and your server, then clients will use the DHCP scope with a matching class. This lets different machines on the same VLAN use predetermined scopes.

More here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd145308(v=ws.10)
IT on The Dot (Consultant, Author) Commented:
In my DHCP I have 2 scopes.

192.168.16.0/24: this is a legacy scope. All servers, computers and printers report to this scope.

I had to create a new scope, 10.11.0.0/24.
This scope has to be used for our new VoIP. The only reason why this new scope has to use the 10.11 subnet is because that's the same subnet that our Florida office uses for their phone system, and once we add the subnet to the VPN tunnel we will be able to dial by extension instead of dialing out. We are located in Southern California and the other office is located in Florida.

My main problem is that once I created the scope 10.11.0.0/24 and set up the relay in my remote routing agent, a lot of my computers on the 192.168 network just started to report into the 10.11 network.

I need to keep those subnets separate from each other. Right now I do not have any VLAN set up for the VoIP routing, but I'm pretty sure at some point I'm going to have to if I want to ping any of the devices on that network.

This is new to me. At the other companies that I have worked for before, both networks lived on different patches, so you have two ports on each computer, one for phones and one for computers. This is the first time in a long time that I have to set up both subnets in one patch.

I hope this makes more sense
Fred Marshall (Principal) Commented:
"192.168.16.0/24 is used for the local LAN.
10.11.0.0/24 is a local subnet, not a VLAN."
I want to make sure that I understand as the terminology is pretty important.....
You have a local LAN - that means wires, ports, switches, etc,  The physical stuff.
You have a local subnet 192.168.16.0/24 that you're running on the local LAN.
You have a local subnet 10.11.0.0/24 but it's not clear it's on any physical LAN yet....  But, it's for the phones.  Might they be separately wired then?
I don't know what the remote subnet at the other end of the VPN might be.  What is it?

There was a recent question similar to this where the VOIP system was controlled by  internal site devices and there was a desire to run them over a VPN or MPLS .. I don't recall which.

But, to move forward quicker, I'll make some assumptions or at least will play back some of what you've said:

If you want the phones on the same LAN and on a different subnet then there are some things you can do:
1) you could just run the two subnets on the same physical LAN.  I don't think anyone does this but I believe it works.  I'd not recommend it.
2) you can set up a VLAN for the VOIP.  In my experience, the main LAN is termed a VLAN also - so you end up with two VLANs that are controlled by routers and/or switches and all on the same LAN physical structure.  It saves adding wires and switches just for the phones.
Usually the phones then act as a forwarding device to the computers that are already there in a daisy-chain manner.  (Plug the phone into the network jack and plug the computer into the phone).

I don't know what you have in mind for internet connection for the VOIP.
The most common is that the ISP provides the service and the LAN subnet is shared.  There's a single public IP address.
I don't know how that might be done with two private subnets....  A router/firewall with a VLAN capability I suppose.

Also, I've never done this with a Layer 3 switch - Just Layer 2.  So there would be differences.
With Layer 2, VLAN capable switches:
I'll assume there's a central or top-level switch in the network hierarchy.
Then there's the question of how to configure that switch.
Here's what I've done in the case of 2 VLANs:
Assign one port to the internet gateway for the main LAN subnet.
Assign another port to the VOIP internet connection.  This can be an access port if there's no VLAN awareness upstream.
Then trunk all the other ports or most of them anyway - as may be appropriate.
Trunk all the downstream switch ports.
The phones should be capable of splitting out the VLANs....

In the case of network ports with small switches added for multiple computers, printers or other networked devices, you will need a switch that will handle the VLANs.  I've used DDG-1100-05 switches for this and did have to make settings appropriate for the situation.

The issue of DHCP is important.  In our case, factory set phones get an IP address on the main LAN to reach the internet.  Then they get provisioned, become VLAN aware, reboot and get a new IP address from the VOIP router for normal operation.  I don't care for the arrangement but it works.

And then you have the issue of the VPN connection....
arnold Commented:
A drawing of the network, local and remote, would help.

There are two locations.
To facilitate VoIP calls between them a VPN exists that assigns 10.11.0.0/24. This requires a DHCP relay agent (IP helper), to which the DHCP server will select an IP from the 10.11.0.0/24 scope versus from the local.

The other part deals with configuring access list ...
IT on The Dot (Consultant, Author) Commented:
@Fred Marshall

At this customer's office they have a LAN, 192.168.16.0/24, that they use for all computers and servers. They have never deployed VLANs; everything is on one subnet. I'm not too sure, but their old phone system was still on POTS lines, so now they are presented to move into full VoIP, for which the new subnet 10.11.0.0/24 was created to route the phones. They have a PBX system with one static IP (10.11.0.10) for the main system.

DHCP itself is hosted in Hyper-V on a local SAN with two virtual NICs, one for 192.168.16.0/24 and another for 10.11.0.0/24.

There are 2 Layer 2 PoE EnGenius switches controlling everything. There is no VLAN in the environment at all.

At this point I'm trying to figure out the best course of action, since in my experience whenever I have dealt with VoIP my customers have had two separate patched networks for internet and phones.
Here is the network from DHCP.
arnold Commented:
In a flat network setup, which is what you have, without statically allocating, the only way is to split: use a separate dedicated switch for VoIP/phones.
A managed switch would be needed to use IP helper (DHCP relay agent); otherwise the Hyper-V DHCP server would need another NIC that has an IP on the 10.11.0.0/24 network.

Often, PBX's have built-in DHCP servers.

Split networks are commonly best to avoid phone quality decline...
Much depends on the environment.
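
The scope-selection behaviour discussed in this thread (relay agent versus a second server NIC on a flat network), as an added example that is not part of any post and not Windows DHCP code. It is a simplified model of the RFC 2131 rule that a server picks the scope from the relay's giaddr, or from the receiving interface when giaddr is zero; the NIC and relay addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# The two scopes from the thread.
SCOPES = [ipaddress.ip_network("192.168.16.0/24"),
          ipaddress.ip_network("10.11.0.0/24")]

# Constructed addresses (assumptions, not from the thread).
LAN_NIC = "192.168.16.5"     # server NIC on the LAN subnet
VOIP_NIC = "10.11.0.5"       # server NIC on the VoIP subnet
VOIP_RELAY = "10.11.0.1"     # relay agent interface facing the phones

@dataclass
class Discover:
    client: str
    giaddr: str = "0.0.0.0"  # filled in by a relay agent, zero otherwise

def select_scope(pkt, rx_ip):
    """Pick the scope for a DISCOVER received on the NIC with address rx_ip.

    Simplified RFC 2131 rule: a non-zero giaddr names the client's subnet;
    otherwise the subnet of the receiving interface is used.
    """
    key = ipaddress.ip_address(pkt.giaddr)
    if key.is_unspecified:
        key = ipaddress.ip_address(rx_ip)
    return next((s for s in SCOPES if key in s), None)

def offers(pkt, rx_ips):
    """Scopes offered when the same DISCOVER is seen on each NIC in rx_ips."""
    found = (select_scope(pkt, ip) for ip in rx_ips)
    return [str(s) for s in found if s is not None]

def flat_network(pkt):
    # No VLANs: a broadcast reaches both server NICs, so both scopes answer.
    return offers(pkt, [LAN_NIC, VOIP_NIC])

def lan_vlan_only(pkt):
    # VLANs in place: a PC's broadcast reaches only the LAN-side NIC.
    return offers(pkt, [LAN_NIC])

def relayed_from_voip(client):
    # Phones sit behind a relay; its giaddr selects the 10.11 scope.
    return offers(Discover(client, giaddr=VOIP_RELAY), [LAN_NIC])

if __name__ == "__main__":
    print(flat_network(Discover("pc-01")))
    print(lan_vlan_only(Discover("pc-01")))
    print(relayed_from_voip("phone-01"))
```

In the flat case a PC can receive an offer from either scope, which matches the symptom described in the question; once broadcasts are confined per VLAN, or phones are reached through a relay, each client sees only one scope.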
Fred Marshall (Principal) Commented:
I think it might help to get back to basics:

The most basic VOIP systems run on the same physical LAN.   AND they use the same subnet address range.  So the phones and the computers reside side-by-side as equals in a sense.

As I mentioned earlier, it is possible to run multiple subnets through the same wires and simple smart switches.  
I don't know what the downside might be for this other than all the traffic will be available subject to switch port connectivity.
I only mention it for completeness and not necessarily as a recommendation.
But, if you used this then conceptually you'd have the VOIP connection on the physical LAN and all the phones as well (there may be cabling needs at the phones).
And, as now, you'd have all the computers, servers, etc. on the same physical LAN.

If that approach doesn't work or makes one nervous then you could have separate switches, separate cables, separate wall jacks, etc. for the phones vs. the computers.  Usually this isn't very feasible with a pre-wired building.  But, of course it can be done.
A variant on this would be to combine switches and then split the switches into two untagged VLANs and cable them separately - but this doesn't solve the cabling issue.  

Next in the order of complexity but perhaps the least expensive to implement is to use VLANs on the same physical LAN - one for each subnet.  This requires support from the switches at the very least.  Then only one cable is needed to support each downstream wall jack.
That's what I described in more detail earlier.

All of this addresses your latest question.  I remain concerned about the mention of a VPN and that remains cloudy.