Multiple Subnets

  • Multiple Subnets

    Hi All

    I am after a bit of advice with my network.

    Currently I have got four different subnets, each of these is connected to an interface on my PIX 515.

    These are :

    eth0/0 - 192.168.100.x - LAN ALL
    eth0/1 - 192.168.10.x - DMZ 1
    eth0/2 - 192.168.20.x - DMZ 2
    eth0/3 - 192.168.30.x - DMZ 3

    The problem I have is that my LAN is now running out of addresses, so I want to look to put servers on one range, desktops on one range and printers on one range.

    i.e. I want to have the LAN on 3 subnets such as:

    192.168.100.x - Servers
    192.168.101.x - Desktops
    192.168.102.x - Printers

    My problem is that I am not 100% sure of the best way to do it.

    If my existing LAN (192.168.100.x) is using a subnet of 255.255.0.0 do I just change my DHCP scope etc for my desktops to the new one above and it will all work or is it more involved?

    Thanks in advance

    Paul

  • #2
    Re: Multiple Subnets

    I could use a little more information on how you plan to add the subnets to give a better answer but here goes:

    Is the PIX your DHCP server? If so then you should be able to configure the interface for the new subnet and then reconfigure the scope or add another scope. If you use a Windows server then you'll need to enable DHCP relay on the PIX.

    You will also need to make sure that the PIX allows all traffic to pass between the trusted subnets.

    Also, I assume "255.255.0.0" (/16) is a typo and you meant to say "255.255.255.0" (/24). Otherwise if it is a /16 subnet then that would mean 192.168.0.1 - 192.168.255.254 are all on the same subnet.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    Comment


    • #3
      Re: Multiple Subnets

      Hi

      Well, that is really my question - how

      No my DHCP is done via my Windows 2003 Server.

      Why do I need to enable DHCP Relay on the PIX?

      No I meant 255.255.0.0, currently all the servers and the firewall use this as the subnet address, the desktops still use 255.255.255.0.

      Why should it matter if they are all of the same subnet?

      Thanks

      Paul

      Comment


      • #4
        Re: Multiple Subnets

        Originally posted by [email protected]
        No my DHCP is done via my Windows 2003 Server.

        Why do I need to enable DHCP Relay on the PIX?
        Because if the DHCP server is on a different subnet then the DHCP requests won't make it to the server without the router (DHCP relay) forwarding the requests to the DHCP server.

        Originally posted by [email protected]
        No I meant 255.255.0.0, currently all the servers and the firewall use this as the subnet address, the desktops still use 255.255.255.0.
        This is a problem. If the servers right now have a mask of 255.255.0.0 then they can't communicate with the DMZ hosts. And if you're breaking up the LAN into subnets then the servers won't be able to communicate with the other subnets.

        Like I said before, if you have a mask of 255.255.0.0 that means 192.168.0.1 - 192.168.255.254 are all on the same subnet.

        Originally posted by [email protected]
        Why should it matter if they are all of the same subnet?
        I thought you said you wanted to break up your LAN into 3 subnets. Are you wanting to create a larger subnet and designate IP ranges for servers, desktops, and printers?

        If so then you need to change the subnet mask on all the servers, desktops, and printers to 255.255.252.0 and then you can put them in ranges you specified in your first post. As for DHCP, simply change the scope and when the desktops renew their lease they'll get an IP address in the range you specify.

        The mask of 255.255.252.0 puts 192.168.100.1 - 192.168.103.254 on the same subnet.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        Comment


        • #5
          Re: Multiple Subnets

          Hi Jeremy

          Sorry if I am sounding a bit thick here.

          So I am just trying to work this out.

          If I use a Subnet Mask of 255.255.248.0 this will allow me to use 192.168.96.1 - 192.168.103.254. (This is correct isn't it?)

          So currently this is how my LAN is set up:

          Servers - 192.168.100.x / 255.255.0.0
          Desktops & Printers - 192.168.100.x / 255.255.255.0
          DMZs - As explained before

          So if I first change the server subnet masks to be 255.255.248.0, this won't affect the desktops & printers that are using 255.255.255.0 from being able to connect to the servers will it?

          Assuming that it won't cause issues I will then adjust the DHCP Scope so that it hands out addresses in the 192.168.101.x / 255.255.248.0 to the desktops.

          Now onto the DHCP Relay on the Firewall - Do I still need to do this now with my new setup above?

          I have now just tested what you said about the servers with the 255.255.0.0 mask not being able to communicate with the DMZ and you are spot on, I hadn't even noticed this! - Good spot

          So is there anything else I have missed?

          Again thanks for your help.

          Paul

          Comment


          • #6
            Re: Multiple Subnets

            I think you're on the right track now.

            Originally posted by [email protected]
            If I use a Subnet Mask of 255.255.248.0 this will allow me to use 192.168.96.1 - 192.168.103.254. (This is correct isn't it?)
            Yes. That will give you 2046 possible hosts.

            Originally posted by [email protected]
            So if I first change the server subnet masks to be 255.255.248.0, this won't affect the desktops & printers that are using 255.255.255.0 from being able to connect to the servers will it?
            Correct, they should communicate fine.

            A subnet mask is how a computer (or any other layer 3 device) tells if the host it's contacting is on the same subnet or not. For example, the servers on the LAN cannot contact the DMZ hosts because the servers think they are on the same subnet and therefore try to connect directly to the host instead of sending the traffic to the gateway.

            Originally posted by [email protected]
            Now onto the DHCP Relay on the Firewall - Do I still need to do this now with my new setup above?
            No, you won't need to set up the relay. That would only be required if you had the servers and the desktops on different subnets (which is what I thought you wanted to do).


            So all you need to do is change the subnet masks on any device with a static IP and then configure the DHCP scope to the range you want.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            Comment


            • #7
              Re: Multiple Subnets

              Jeremy

              Does it matter if I change the DHCP scope first?

              Some servers might currently have a /24.

              Thanks

              Comment


              • #8
                Re: Multiple Subnets

                I would change the static configurations first as this will ensure that the communication is not hindered on the LAN. If you have some hosts with a /24 mask and the desktops start getting IPs in the new range then they will not be able to communicate with the hosts that have the /24 mask.

                Unless you have machines running 2000 or earlier there is no reason not to do this on the fly as it will not bring the systems down.
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com

                Comment
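
Added example (not part of any post in this thread): a Python sketch of the on-link test a host performs with its subnet mask, applied to the masks discussed above. It shows why the /16 servers never send DMZ traffic to the PIX, and why static hosts left on /24 break once desktops move into the new range. The individual host addresses are constructed; only the subnets and masks come from the thread.

```python
import ipaddress

def on_link(src_ip, src_mask, dst_ip):
    """True if a host configured src_ip/src_mask treats dst_ip as local,
    i.e. ARPs for it directly instead of sending to its default gateway."""
    local_net = ipaddress.ip_interface(f"{src_ip}/{src_mask}").network
    return ipaddress.ip_address(dst_ip) in local_net

def host_range(any_ip, mask):
    """(first host, last host, usable host count) of the subnet containing any_ip."""
    net = ipaddress.ip_network(f"{any_ip}/{mask}", strict=False)
    return (str(net.network_address + 1),
            str(net.broadcast_address - 1),
            net.num_addresses - 2)

def mismatches(hosts):
    """Pairs (a, b) where a treats b as local but b would reply via its gateway."""
    return [(a, b)
            for a, (a_ip, a_mask) in hosts.items()
            for b, (b_ip, b_mask) in hosts.items()
            if a != b
            and on_link(a_ip, a_mask, b_ip)
            and not on_link(b_ip, b_mask, a_ip)]

# Constructed host addresses; subnets and masks are the ones quoted in the thread.
CURRENT_LAN = {
    "server": ("192.168.100.10", "255.255.0.0"),       # /16 as Paul described
    "dmz1-host": ("192.168.10.5", "255.255.255.0"),    # behind another PIX interface
}
MID_MIGRATION = {
    "desktop-new": ("192.168.101.50", "255.255.248.0"),  # new DHCP scope already live
    "server-24": ("192.168.100.10", "255.255.255.0"),    # static host not yet changed
}

if __name__ == "__main__":
    # /16 server believes the DMZ host is local, so traffic never reaches the PIX.
    print("server -> DMZ on-link (/16):", on_link("192.168.100.10", "255.255.0.0", "192.168.10.5"))
    # With the /21 mask the same server sends DMZ traffic to its gateway.
    print("server -> DMZ on-link (/21):", on_link("192.168.100.10", "255.255.248.0", "192.168.10.5"))
    print("/21 range:", host_range("192.168.100.10", "255.255.248.0"))
    print("/22 range:", host_range("192.168.100.10", "255.255.252.0"))
    print("current mismatches:", mismatches(CURRENT_LAN))
    print("mid-migration mismatches:", mismatches(MID_MIGRATION))
```
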


                • #9
                  Re: Multiple Subnets

                  Hi Jeremy

                  Understood on changing the Static Devices first, that is no problem.

                  So when you say I can do it on the fly do you mean change the mask on the servers?

                  Will this not cause the clients to disconnect? All clients are Win2000 and WinXP.

                  Thanks

                  Comment


                  • #10
                    Re: Multiple Subnets

                    Yes, if you have 2003 or newer servers then you can change the mask without affecting the connection.
                    Regards,
                    Jeremy

                    Network Consultant/Engineer
                    Baltimore - Washington area and beyond
                    www.gma-cpa.com

                    Comment
