Changing DHCP - Process?


  • Changing DHCP - Process?

    Hi all,

    I have inherited a network at a local non-profit charter school, and one of the first things I noticed was that fundamentally, Active Directory and DNS weren't working. Thanks to several fine gentlemen in the AD forum, that issue has largely been taken care of.

    But now I'm getting ready to move into a DHCP issue I have...

    My facility uses an eSoft InstaGate EX2 router/firewall as a DHCP server. Its internal address is 192.168.1.1. My DC/DNS server is 192.168.1.3.

    Right now, the network is configured in the Class C IP addresses range of 192.168.1.x. I'd like to accomplish a few things...
    1. What I would like to do is move the DHCP services from the EX2 to the DC.
    2. I'd like to change the IP range from 192.168.1.x to 172.16.1.x

    I think this will need to be a two step process. But to let you know why I would like to change the IP range, I think it's important to mention that the reason I don't like the 192.168.1.x range is because, as we all know, almost all IP ranges for your average household is that. And I've setup VPN access to our facility. But I've noticed that it only seems to work for me at my own house. Now, there I have a 192.168.5.x range. But when I'm somewhere that has a typical 192.168.1.x range, I can connect to the VPN, but not actually do anything. I think it's because of IP conflicts with DNS servers, gateways, etc...

    I believe I can eliminate all those issues in going to a new scheme here at work. Obviously, I can't change people's LAN ranges at home... Erf...

    Now, I'm not an IP addressing guru, but I have a decent understanding of what I'm doing. But the main thing that cannot happen is for the network to go down. School has begun and that would be Uber Bad. So before I do anything, I want to have all my ducks lined up!

    There are only 4 devices with static IP information here.
    1. The DC/DNS server
    2. An application server
    3. The email/AV server
    4. The EX2 router

    Well, there are also a few network printers, but I'm not terribly concerned if those go down temporarily.

    I plan on following this article to help me get DHCP setup on the DC. That'll be step 1. Does anyone see any issues that could pop up if I take this step, and eliminate the EX2 as my current DHCP server? Am I missing anything?

    Thanks!

    Chris

  • #2
    Re: Changing DHCP - Process?

    Didn't have time to read the article right now, but the easiest way to handle the network printers (IMO) is to assign the IPs etc. through DHCP Reservations. That way if any of the little monsters, err I mean students change a printer IP, all you have to do is power cycle it and all the settings (IP, Subnet Mask, Default Gateway (DG), DNS, WINS (if using), Time Server etc.) are reset. All you need is the MAC address of the printer.

    I don't think the Class C subnet will be the cause of your VPN problems. I would suggest you troubleshoot that problem before changing the IP range. I would still move it off the Router and make sure you have some sort of structure. For example, in the schools I work in:

    x.x.x.1 = Router/Default Gateway
    2 - 16 = Switches
    17 - 29 = Servers, with 19 always as the Proxy/ISA Server
    30 - 45 = Printers
    46 - 59 = Other as required
    Dynamic IP start at 60 and go up.

    Why do you need VPN access to your school and how many users would be connecting and why? There may be an alternative option that could fit your circumstances.
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2



    • #3
      Re: Changing DHCP - Process?

      Originally posted by biggles77
      Didn't have time to read the article right now, but the easiest way to handle the network printers (IMO) is to assign the IPs etc. through DHCP Reservations. That way if any of the little monsters, err I mean students change a printer IP, all you have to do is power cycle it and all the settings (IP, Subnet Mask, Default Gateway (DG), DNS, WINS (if using), Time Server etc.) are reset. All you need is the MAC address of the printer.
      So I can assign a static address through DHCP? Is that what you're saying? If so, I did not know that. Very cool.

      Originally posted by biggles77
      I don't think the Class C subnet will be the cause of your VPN problems. I would suggest you troubleshoot that problem before changing the IP range. I would still move it off the Router and make sure you have some sort of structure.
      For example, in the schools I work in:

      x.x.x.1 = Router/Default Gateway
      2 - 16 = Switches
      17 - 29 = Servers, with 19 always as the Proxy/ISA Server
      30 - 45 = Printers
      46 - 59 = Other as required
      Dynamic IP start at 60 and go up.
      Good idea. The only trouble is that the switches I've inherited are all unmanaged (Netgear). If I can do with the printers what you suggested above, I think I'll be good...
      Originally posted by biggles77
      Why do you need VPN access to your school and how many users would be connecting and why? There may be an alternative option that could fit your circumstances.
      Well, I need VPN because a lot of work I can do from home late at night. And several other administrators (school, not technical) also use remote access, except that they have historically used (and still do use) GoToMyPC.com. Not a very good solution considering it's slow, costly, and the EX2 already has the VPN capability! Why use GTMP.com when we have a solution built-in? I just have to make sure it works for everyone before going 100% live with it... And the reason I think the IPs are a conflict of the VPN is this... For example... When I am at my brother-in-law's house, I almost always get an IP address of 192.168.1.3 from his router... So if I connect to the VPN, I try to remote desktop to my DC at work. But I can't because its address is also 192.168.1.3! See the issue? We're definitely not talking about a robust RSA VPN solution here... Am I wrong in my thinking? Should I be looking at something else as the trouble? Sorry, I'm definitely not a VPN guru...
      Last edited by WorldBuilder; 25th August 2008, 15:12.
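
The address-overlap scenario described in the post above, modelled as an added example that is not part of any poster's message. It assumes a simplified client with two routes (its own LAN and the office network through the tunnel), longest prefix wins, and the on-link route wins a tie; the sample home ranges and the target 10.34.0.10 are constructed.

```python
import ipaddress

# Constructed list of LAN ranges a remote user might be sitting on.
# 192.168.5.0/24 is the home range mentioned in the thread; the rest are assumptions.
SAMPLE_HOME_NETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.5.0/24", "10.0.0.0/8"]


def vpn_path(client_if, office_net, target):
    """Return 'self', 'local', 'tunnel' or 'default' for traffic to `target`.

    client_if  : the remote client's LAN address in CIDR form, e.g. '192.168.1.3/24'
    office_net : the office LAN reachable through the VPN
    target     : the office host the user is trying to reach
    """
    iface = ipaddress.ip_interface(client_if)
    office = ipaddress.ip_network(office_net)
    dest = ipaddress.ip_address(target)

    if dest == iface.ip:
        return "self"  # the client itself owns that address, nothing leaves the machine

    routes = [(iface.network, "local"), (office, "tunnel")]
    # Sort key: longer prefix first, and on equal length prefer the on-link route.
    matching = [(net.prefixlen, kind == "local", kind)
                for net, kind in routes if dest in net]
    if not matching:
        return "default"  # neither route covers it; goes to the default gateway
    return max(matching)[2]


def overlapping_home_nets(office_net, home_nets=SAMPLE_HOME_NETS):
    """List the sample home ranges that overlap a candidate office range."""
    office = ipaddress.ip_network(office_net)
    return [h for h in home_nets if ipaddress.ip_network(h).overlaps(office)]


if __name__ == "__main__":
    cases = [
        ("192.168.1.3/24", "192.168.1.0/24", "192.168.1.3"),   # brother-in-law's house
        ("192.168.1.50/24", "192.168.1.0/24", "192.168.1.3"),  # same range, other address
        ("192.168.5.20/24", "192.168.1.0/24", "192.168.1.3"),  # poster's own home range
        ("192.168.1.3/24", "10.34.0.0/23", "10.34.0.10"),      # after a renumbering
        ("10.0.0.5/8", "10.34.0.0/23", "10.34.0.10"),          # home LAN on a wide 10.x mask
    ]
    for client, office, target in cases:
        print(f"{client:18} -> {target:12} via {vpn_path(client, office, target)}")
    for candidate in ("192.168.1.0/24", "172.16.1.0/24", "10.34.0.0/23"):
        print(candidate, "overlaps", overlapping_home_nets(candidate))
```
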



      • #4
        Re: Changing DHCP - Process?

        Well, changing a complete IP subnet isn't that easy to do within a couple of minutes like your DNS problem.

        One of the first things to do is to create an inventory of your firewall's rulebase.
        DNS/AD, workstations, firewalls and switches won't be a problem, but a firewall can give you some problems.
        First of all you need to reconfigure your complete rulebase.
        Printers need to be changed and also the printer queues. Also it's possible that you need to remap the printers if they are connected based on IP addresses.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: Changing DHCP - Process?

          True that. I would definitely prefer to leave the 192.168.1.x scheme in place. But I'm worried that I'll never be able to get the VPN reliably working otherwise... *sigh*

          Changing the complete scheme could be a PITA, but simply removing the DHCP service from the router and making the DC the DHCP server (with all the same rules that are currently in place) should be pretty transparent a change, right? I just want to make sure I'm not overlooking anything before going forward. You see any caveats?



          • #6
            Re: Simple IP address question...

            Hi all,

            I have a similar issue and actually posted in the Windows Server Forum a while back. I'm going to need to move my DHCP serving off my router device and on to my Windows Server 2003 DC.

            The current IP scheme is 192.168.1.xxx and one problem is that this scheme seems to interfere with the VPN that is set up here. You can see that issue in the other post.

            So I was thinking of using 10.34.xxx.xxx (34 is our street address). I think that'll solve my VPN conflict. Yes? No?
            • I have taken Cisco classes in years past but am only somewhat knowledgeable of IP addressing and subnetting.
            • All told, I'll need far less than 500 addresses for as long as I can foresee here...
            • Routing and VLAN'ing is pretty well out of the question... Cost issue...
            • All in all, I will have three small buildings... What if I use 10.34.1.x for Building One, 10.34.2.x for Building Two, and 10.34.3.x for Building Three? Can I set that scope up in DHCP (scope of 10.34.1.0 - 10.34.3.254)?
            • If I do it this way, do I have to route? The reality will be that there will be less than 100 hosts in each building.
            • How can I set this up as far as masking to try not to have to route?


            Help! Thanks!

            Chris
            Last edited by WorldBuilder; 2nd September 2008, 15:00.



            • #7
              Re: Changing DHCP - Process?

              Worldbuilder, your above post has been moved from its previous location because it (you) hijacked another member's thread in progress. This is very disappointing behaviour from a member with a post count like yours.

              Please do NOT hijack any other threads and as the following says:
              Originally posted by Posting Rules
              14) No Thread Hijacking

              Please do not hijack other peoples' threads asking a similar but not quite identical question! If you do, it is not clear which question someone is giving an answer to and everyone will get confused. If you have a question, start a new thread instead, adding a cross reference to previous posts if you want to.
              Thank you.

              As to your subnetting problem. Remember the KISS Rule. By creating 3 different subnets you are making things very difficult and overly complex/complicated. If you want to keep the IP range, use 10.34.0.0/22. This will give you a range from 10.34.0.1 to 10.34.3.254, subnet mask 255.255.252.0, and give you 1022 addresses.

              If you will have the need for 300 IPs then you could use a 23 subnet and that will give you 512 addresses. By keeping them all on the same subnet you do not have to do any routing. You don't have to do anything out of the ordinary in DHCP and it is a lot easier to change if you decide you need more IPs in the future. Remember to include an Exclusion Range that will be sufficient for all devices that have a static IP like Switches, Servers, Network Printers, Wireless Access Points etc.

              Changing the range is not a huge job. If you have the MAC address of all the switches and printers you could add them into DHCP and assign the IP via DHCP Reservations. This could be set up (prepared) while the old IP range is running and on Friday night or Saturday morning, change the Server IPs, disable DHCP and then Authorise the new DHCP Scope. Reboot all Switches and THEN the Printers. Make sure all the workstations have been turned off so they will pick up the new IP on Monday morning. Also make sure you change any IP references you have in Login Scripts.

              Just make sure you plan it properly, document it and then follow the documentation.
              1 1 was a racehorse.
              2 2 was 1 2.
              1 1 1 1 race 1 day,
              2 2 1 1 2



              • #8
                Re: Changing DHCP - Process?

                Howdy Biggles,

                Sorry for the thread hijack. Didn't mean to upset anyone. My bad...

                So basically what you're saying is that if I create a range of 10.34.0.0/23, I will have 510 addresses available from 10.34.0.1 - 10.34.1.254, correct? And no routing is necessary?

                That'd be perfect.

                Heck, that'd give me 253 available addresses in the 10.34.1.x range if I felt like using the entire 10.34.0.x range for static devices... Would waste a lot of IPs, but would give me enough room for expansion while minimizing broadcasts.

                Do I have this right? Thanks!

                Chris



                • #9
                  Re: Changing DHCP - Process?

                  If you have a standard Firewall, go into it and verify that NAT (Network Address Translation) has been turned on.
                  From the sounds of things it has.
                  Since that is probably the case then the internal addresses ARE NEVER seen outside of the internal network.
                  I would check the Rules in your Firewall first, and verify that they are configured correctly.
                  I would also verify that logging is turned on in the router. If it is I would look at the log files, after you have tried to get access from a site that does not work. That way you should see some type of error pointing you in the direction of the problem.
                  Redearl
                  Congress is like diapers; It should be changed regularly as it gets full of the same thing..



                  • #10
                    Re: Changing DHCP - Process?

                    Hello again everyone,

                    I'm sorry to bring up this old topic again, but I felt it was better than starting anew. I'm finally getting ready to actually DO this, and wanted to make sure I understood perfectly.

                    As a refresher, my LAN is currently running 192.168.1.x. It is all fed via DHCP, but that DHCP is not coming from a (MS Windows) server. It is coming from an eSoft InstaGate EX II router/firewall appliance. The IP address of that device is 192.168.1.1 and the LAN subnet mask is 255.255.255.0.

                    Eventually, I will remove DHCP from this device and perform it from a Windows Server (2003), but I don't have that capability yet. So I have what I have...

                    The EX II is not very granular and I don't have the capability to set DHCP reservations or anything like that.

                    As we've discussed, and as Biggles77 has suggested, I would like to change the IP range to 10.34.0.0/23 which will yield a range of 10.34.0.1 - 10.34.1.254.

                    Originally posted by biggles77

                    As to your subnetting problem. Remember the KISS Rule. By creating 3 different subnets you are making things very difficult and overly complex/complicated. If you want to keep the IP range, use 10.34.0.0/22. This will give you a range from 10.34.0.1 to 10.34.3.254, subnet mask 255.255.252.0, and give you 1022 addresses.

                    If you will have the need for 300 IPs then you could use a 23 subnet and that will give you 512 addresses. By keeping them all on the same subnet you do not have to do any routing.
                    Do I understand this right? Is my thinking correct (taking Biggles77's advice) and going with 10.34.0.0/23 for 510 total available addresses?

                    Originally posted by biggles77
                    You don't have to do anything out of the ordinary in DHCP and it is a lot easier to change if you decide you need more IPs in the future. Remember to include an Exclusion Range that will be sufficient for all devices that have a static IP like Switches, Servers, Network Printers, Wireless Access Points etc.

                    Changing the range is not a huge job. If you have the MAC address of all the switches and printers you could add them into DHCP and assign the IP via DHCP Reservations. This could be set up (prepared) while the old IP range is running and on Friday night or Saturday morning, change the Server IPs, disable DHCP and then Authorise the new DHCP Scope. Reboot all Switches and THEN the Printers. Make sure all the workstations have been turned off so they will pick up the new IP on Monday morning. Also make sure you change any IP references you have in Login Scripts.

                    Just make sure you plan it properly, document it and then follow the documentation.
                    All good advice. A few thoughts and questions...

                    With the InstaGate, I cannot set reservations, but I can set the starting and ending IP addresses. So here's what I'm thinking...
                    • I will set the InstaGate with an IP address of 10.34.0.1.
                    • I will set my e-mail "server" (an eSoft ThreatWall 300) to 10.34.0.2
                    • I have two buildings connected via wireless on the LAN. I will set those APs to 10.34.0.3 and 10.34.0.4 respectively.
                    • I'll set the DHCP scope to 10.34.1.0 - 10.34.1.254 and leave all remaining 10.34.0.x addresses for static use.

                    Basically, the 0.x will be reserved for any and all static devices and the 1.x will all be dynamic.

                    And obviously whatever devices I set statically, I will have to make the masks 255.255.254.0, right? But anything getting an address via DHCP will get that automatically, correct?

                    This seems awfully simple. Is it really this simple or am I missing something? And most importantly, are there any downsides to having my LAN set to this? I guess it just seems too good to be true... It gives me plenty of addresses now, and in the future. It's simple to manage. So there's got to be a downside, right?!

                    Thanks for all your help, guys! I am going to pull the trigger on this in two weeks come hell or high water so I just want to make sure it goes as smoothly as possible.

                    Chris
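
The /22 and /23 arithmetic from the earlier reply and the static/dynamic split planned in the post above, checked with Python's `ipaddress` module. This is an added example, not part of any poster's message; the role labels, function names and the printer address used in the last check are chosen here for illustration.

```python
import ipaddress

# Values from the plan in the post above; the role names are labels chosen here.
PLAN_NET = "10.34.0.0/23"
PLAN_STATICS = {
    "InstaGate": "10.34.0.1",
    "ThreatWall": "10.34.0.2",
    "AP building 1": "10.34.0.3",
    "AP building 2": "10.34.0.4",
}
PLAN_POOL = ("10.34.1.0", "10.34.1.254")


def summarize(cidr):
    """Mask, first/last usable host and usable host count for a network."""
    net = ipaddress.ip_network(cidr)
    return {
        "mask": str(net.netmask),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable": net.num_addresses - 2,  # minus network and broadcast address
    }


def check_plan(cidr, statics, pool):
    """Return a list of problems: addresses outside the subnet, statics inside
    the DHCP pool, or two static devices sharing one address."""
    net = ipaddress.ip_network(cidr)
    start, end = (ipaddress.ip_address(a) for a in pool)
    unusable = {net.network_address, net.broadcast_address}
    problems = []
    if start > end:
        problems.append("pool start is after pool end")
    for edge in (start, end):
        if edge not in net or edge in unusable:
            problems.append(f"pool edge {edge} is not a usable host in {net}")
    seen = {}
    for name, addr in statics.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net or ip in unusable:
            problems.append(f"{name} {ip} is not a usable host in {net}")
        elif start <= ip <= end:
            problems.append(f"{name} {ip} is inside the DHCP pool")
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} share {ip}")
        seen[ip] = name
    return problems


def on_link(host, prefixlen, peer):
    """True if `host`, configured with this prefix length, treats `peer` as
    being on its own subnet (no gateway needed)."""
    return ipaddress.ip_address(peer) in ipaddress.ip_interface(f"{host}/{prefixlen}").network


if __name__ == "__main__":
    print(summarize(PLAN_NET))
    print(check_plan(PLAN_NET, PLAN_STATICS, PLAN_POOL) or "plan is consistent")
    # A static device left on the old 255.255.255.0 mask does not see the pool as local.
    print(on_link("10.34.0.2", 24, "10.34.1.50"), on_link("10.34.0.2", 23, "10.34.1.50"))
```
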



                    • #11
                      Re: Changing DHCP - Process?

                      That is a lot of Exclusion addresses you have set aside. By using the x.x.1.x range you will only have 254 available IP for Dynamic use. Is this enough? Of course you could later change the SubNet Mask to 252 (from 254) and double your total IPs but then you have to redo the Reservations to have the new Mask.

                      Document the IPs and what ranges you will be using for what (like the one I did several months ago) and post it here. At present something looks hinky and I can't put my finger on it but I may just be tired and imagining it. Post the ranges so we can have a look at it.
                      1 1 was a racehorse.
                      2 2 was 1 2.
                      1 1 1 1 race 1 day,
                      2 2 1 1 2



                      • #12
                        Re: Changing DHCP - Process?

                        OK, Biggles. I'll write up a document and post it. The fact that you suspect something hinky makes me glad I asked again. Give me a little time and I'll post some more detailed info for you.

                        Thanks!



                        • #13
                          Re: Changing DHCP - Process?

                          Hi again Biggles,

                          OK, see the attached file, please. Hopefully it will give you a reasonably detailed insight into my current LAN, as well as what I hope to accomplish in changing the IP scheme.

                          It certainly seems to me like it'll work!

                          So tell me what you think. And one other question I have... Will this create broadcast problems or slow network traffic?

                          Thanks a million for all your help!

                          Chris
                          Attached Files



                          • #14
                            Re: Changing DHCP - Process?

                            Hi again,

                            Have you had a chance to review the file, Biggles? Thank you very, very much!

                            Chris



                            • #15
                              Re: Changing DHCP - Process?

                              My apologies WorldBuilder but I lost the thread. Have downloaded the Word file and will look at it later today (it is now 4.02am) and get back to you later today.
                              1 1 was a racehorse.
                              2 2 was 1 2.
                              1 1 1 1 race 1 day,
                              2 2 1 1 2

