DHCP Scope overlap

Edgar Veloz

My company is currently moving to a new phone system and we are stuck. Our DHCP is set to IP scope 192.168.16.xx and I created a second scope, 10.11.0.xx, so it can connect via VPN tunnel with the VoIP system of our other office (we are in So. Cal and the other office is in Florida). Now, to my knowledge I need to create the scopes and the services on DHCP so I can set up the relay to ensure that traffic can go from the 10.11 network using the 192.168 network as gateway, and at some point create a VLAN in my switches to route.

I did all of the first part up to the VLAN part, and I have some problems.

1- Computers on my scope 192.168.16.xx are registering on 10.11.0.xx. I need to know how to stop them from doing that; I need to keep them alive but without merging.

2- Do I need to create a VLAN to route all my VoIP traffic? We have layer 2 switches and the router is managed by our ISP. Or do I need to set up a new port in my firewall with that subnet, routing all traffic from 10.11 to the public IP?

I have a VM running Server 2008 R2 as my DHCP. I have 2 virtual NICs installed, one running on 192.168.16.xx and the other on 10.11.0.xx.
I have RRA installed with IGMP installed, and my gut tells me that I did something wrong.

I have not done something like this in years, so if there is anyone that can give me some guidance I will really appreciate it.

I don't understand part of the description.
I understand that the local subnet is
It appears that there's another subnet but it's unclear to me exactly where it's being used and its relationship to the VOIP.

Are you running VOIP on a separate subnet?
Are you running VOIP on a separate subnet on a VLAN?
What subnet is the other end of the VPN using?

Could you please describe what *had been* working before any changes?
Then describe the changes to that base case?
Edgar Veloz, IT Consultant


Commented: it's used for local LAN, it's a local subnet, not VLAN.
The 10. subnet will be used for VoIP only. I need to have these two subnets coexist with each other but keeping VoIP and LAN traffic separate.

Currently I do not have any VLAN set up on any of my switches.
I do not quite understand your architecture here, but I think I can help with DHCP.

There exists an extension to DHCP, called "DHCP User Classes". If you configure a user class on each client PC and your server, then clients will use the DHCP scope with a matching class. This lets different machines on the same VLAN use predetermined scopes.

More here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd145308(v=ws.10)

Edgar Veloz, IT Consultant


In my DHCP I have 2 scopes. This is a legacy scope; all servers, computers and printers report to this scope.

I had to create a new scope.
This scope has to be used for our new VoIP. The only reason why this new scope has to use the 10.11 subnet is because that's the same subnet that our Florida office uses for their phone system, and once we add the subnet to the VPN tunnel we will be able to dial by extension instead of dialing out. We are located in Southern California and the other office is located in Florida.

My main problem is that once I created the scope 10.11.0.0/24 and set up the relay in my remote routing agent, a lot of my computers on the 192.168 network just started to report into the 10.11 network.

I need to keep those subnets separate from each other. Right now I do not have any VLAN set up for the VoIP routing, but I'm pretty sure at some point I'm going to have to if I want to ping any of the devices on that network.

This is new to me, and at the other companies that I have worked at before both networks live on different patches, so you have two ports on each computer, one for phones and one for computers. This is the first time in a long time that I have to set up both subnets in one patch.

I hope this makes more sense.

"it's used for local LAN, it's a local subnet, not VLAN"
I want to make sure that I understand as the terminology is pretty important.....
You have a local LAN - that means wires, ports, switches, etc. The physical stuff.
You have a local subnet that you're running on the local LAN.
You have a local subnet but it's not clear it's on any physical LAN yet....  But, it's for the phones.  Might they be separately wired then?
I don't know what the remote subnet at the other end of the VPN might be.  What is it?

There was a recent question similar to this where the VOIP system was controlled by  internal site devices and there was a desire to run them over a VPN or MPLS .. I don't recall which.

But, to move forward quicker, I'll make some assumptions or at least will play back some of what you've said:

If you want the phones on the same LAN and on a different subnet then there are some things you can do:
1) you could just run the two subnets on the same physical LAN.  I don't think anyone does this but I believe it works.  I'd not recommend it.
2) you can set up a VLAN for the VOIP.  In my experience, the main LAN is termed a VLAN also - so you end up with two VLANs that are controlled by routers and/or switches and all on the same LAN physical structure.  It saves adding wires and switches just for the phones.
Usually the phones then act as a forwarding device to the computers that are already there in a daisy-chain manner.  (Plug the phone into the network jack and plug the computer into the phone).

I don't know what you have in mind for internet connection for the VOIP.
The most common is that the ISP provides the service and the LAN subnet is shared.  There's a single public IP address.
I don't know how that might be done with two private subnets....  A router/firewall with a VLAN capability I suppose.

Also, I've never done this with a Layer 3 switch - Just Layer 2.  So there would be differences.
With Layer 2, VLAN capable switches:
I'll assume there's a central or top-level switch in the network hierarchy.
Then there's the question of how to configure that switch.
Here's what I've done in the case of 2 VLANs:
Assign one port to the internet gateway for the main LAN subnet.
Assign another port to the VOIP internet connection.  This can be an access port if there's no VLAN awareness upstream.
Then trunk all the other ports or most of them anyway - as may be appropriate.
Trunk all the downstream switch ports.
The phones should be capable of splitting out the VLANs....

In the case of network ports with small switches added for multiple computers, printers or other networked devices, you will need a switch that will handle the VLANs.  I've used DDG-1100-05 switches for this and did have to make settings appropriate for the situation.

The issue of DHCP is important.  In our case, factory set phones get an IP address on the main LAN to reach the internet.  Then they get provisioned, become VLAN aware, reboot and get a new IP address from the VOIP router for normal operation.  I don't care for the arrangement but it works.

And then you have the issue of the VPN connection....
Distinguished Expert 2017

A drawing of the network local and remote would help.

There are two locations.
To facilitate VoIP calls between them a VPN exists that assigns this requires a DHCP relay agent, IP helper, to which the DHCP server will select an IP from the scope versus from the local.

The other part deals with configuring access list ...
Edgar Veloz, IT Consultant


@Fred Marshall

At this customer's office they have a LAN that they use for all computers and servers. They have never deployed VLANs; everything is on one subnet. I'm not too sure, but their old phone system was still on POTS lines, so now they are presented to move into full VoIP, for which the new subnet was created to route the phones. They have a PBX system with one static IP ( for the main system.

DHCP itself is hosted in Hyper-V in a local SAN with two virtual NICs, one for and another for

There are 2 Layer 2 PoE EnGenius switches controlling everything; there is no VLAN in the environment at all.

At this point I'm trying to figure out the best course of action, since in my experience whenever I have dealt with VoIP my customers they have to separate patched networks for internet and phones.
Here the Network from DHCP
Distinguished Expert 2017

In a flat network setup, which is what you have, without statically allocating, the only way is to split: use a separate dedicated switch for VoIP/phones.
A managed switch would be needed to use IP helper/DHCP relay agent; otherwise the Hyper-V DHCP server would need another NIC that has the IP on the network.

Often, PBXs have built-in DHCP servers.

Split networks are commonly best to avoid phone quality decline...
Much depends on the environment.
I think it might help to get back to basics:

The most basic VOIP systems run on the same physical LAN.   AND they use the same subnet address range.  So the phones and the computers reside side-by-side as equals in a sense.

As I mentioned earlier, it is possible to run multiple subnets through the same wires and simple smart switches.  
I don't know what the downside might be for this other than all the traffic will be available subject to switch port connectivity.
I only mention it for completeness and not necessarily as a recommendation.
But, if you used this then conceptually you'd have the VOIP connection on the physical LAN and all the phones as well (there may be cabling needs at the phones).
And, as now, you'd have all the computers, servers, etc. on the same physical LAN.

If that approach doesn't work or makes one nervous then you could have separate switches, separate cables, separate wall jacks, etc. for the phones vs. the computers.  Usually this isn't very feasible with a pre-wired building.  But, of course it can be done.
A variant on this would be to combine switches and then split the switches into two untagged VLANs and cable them separately - but this doesn't solve the cabling issue.  

Next in the order of complexity but perhaps the least expensive to implement is to use VLANs on the same physical LAN - one for each subnet.  This requires support from the switches at the very least.  Then only one cable is needed to support each downstream wall jack.
That's what I described in more detail earlier.

All of this addresses your latest question.  I remain concerned about the mention of a VPN and that remains cloudy.
Distinguished Expert 2017

If possible, please provide what the remedy/solution was as it may help others running into a similar situation and could be useful to them.
I'll object to get the author's attention to assess whether the above request is something the author is willing to share.

The reason against running VoIP on the SAME LAN as a flat network is the latency that might result in computer data.
Often when running on the same LAN wire, the PC is connected to the network via the phone's PC connection.
The switch is VLANed and the prioritization to the VoIP type data.
There are times when the Experts just don't hit the nail on the head because they don't address the question that was asked.
There are other times when the Experts provide valuable information.
If the Questioner decides to use another solution, that's fine.
But, the Experts who provided good information and effort shouldn't be shut out of EE credit because of an independent decision.
My opinion.

And I agree with Arnold about publishing the solution at least.
Edgar Veloz, IT Consultant


I agree 💯 with all. Here's the scenario: during the events with this project I left that part of the assignment to do other parts of it because time was coming upon us.

I asked the members of the team that took over, and they told me that this was their solution to the problem.

They set up a secondary DHCP running on CentOS; they also added a secondary port on the firewall that works with the secondary subnet so they could route traffic across, and essentially they split both subnets:

192.*.*.* on Windows DHCP and 10.*.*.*. on CentOS. With that they eliminated the need for VLANs on the switches. It also needs to be noted that the switches were layer 2, so this is the best solution that they came up with.

I hope this can help.
Distinguished Expert 2017
It is VLANed if they "split" the switch ports, not subnets (VLAN would have .

In the switches you have, traffic between segments has to go through the firewall/router.
In a layer 3 switch, the traffic could flow within the switch if/when configured.

They could have achieved it by adding another scope to the DHCP server and configuring an IP helper/DHCP relay agent on the second port to forward DHCP-related broadcasts to the Windows DHCP with the firewall port IP, which would be within the second scope.

You can have two DHCP servers in the environment allocating IPs from the same scope but with different ranges.
70/30, i.e. the primary main DHCP allocates 70% of the scope while the secondary allocates the remaining 30% of the scope.
The static allocation exclusion and the IP reservations have to be defined on both.
There is a conflict resolution on the DHCP, in which the secondary would be configured to delay its response by one or two milliseconds (right-click on the Windows DHCP server and get properties...).
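
The symptom from the original question (computers from 192.168.16.xx picking up leases in 10.11.0.xx) can be confirmed from the DHCP server's lease history before and after any change. The following is an added example, not code from any post in this thread: it assumes the comma-separated column order of the Windows DHCP audit log (ID, Date, Time, Description, IP Address, Host Name, MAC Address), and the host names, MAC addresses and log lines are constructed.

```python
import csv
import ipaddress
from collections import defaultdict

# Scopes from the thread; the labels "LAN" and "VoIP" are chosen for this example.
SCOPES = {
    "LAN": ipaddress.ip_network("192.168.16.0/24"),
    "VoIP": ipaddress.ip_network("10.11.0.0/24"),
}
LEASE_EVENTS = {"10", "11"}  # audit log IDs: 10 = new lease, 11 = renewal

# Constructed sample lines (not taken from the original posts).
SAMPLE_LOG = """\
10,06/12/19,09:01:12,Assign,192.168.16.50,PC-ACCT01,0011223344AA
10,06/12/19,09:02:40,Assign,10.11.0.21,PHONE-101,00A0B0C0D001
11,06/12/19,13:15:03,Renew,10.11.0.21,PHONE-101,00A0B0C0D001
10,06/13/19,08:47:55,Assign,10.11.0.37,PC-ACCT01,0011223344AA
30,06/13/19,08:48:01,DNS Update Request,10.11.0.37,PC-ACCT01,
10,06/13/19,08:50:10,Assign,192.168.16.61,PC-HR02,0011223344BB
"""

def scope_of(ip_text):
    """Return the label of the scope an address falls in, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for name, net in SCOPES.items():
        if ip in net:
            return name
    return None

def scope_crossers(log_text):
    """Map MAC -> (host name, scopes) for MACs that leased from more than one scope."""
    seen = defaultdict(set)
    hosts = {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue  # skip header text, non-lease events and short lines
        mac = row[6].strip().upper()
        scope = scope_of(row[4].strip())
        if mac and scope:
            seen[mac].add(scope)
            hosts[mac] = row[5].strip()
    return {m: (hosts[m], sorted(s)) for m, s in seen.items() if len(s) > 1}

if __name__ == "__main__":
    for mac, (host, scopes) in scope_crossers(SAMPLE_LOG).items():
        print(f"{host} ({mac}) leased from: {', '.join(scopes)}")
```

A phone that only ever leases from 10.11.0.0/24 is not reported; a workstation MAC that appears in both scopes is the case the question describes.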
