 kracksmith
join:2004-07-14 Fullerton, CA
running out of IP addresses
We are running out of IP addresses as the company is growing very quickly. That means all 254 addresses will be gone shortly.
What are my options to add more IP addresses to my network so everyone can see each other?
Another router having 2 networks, and make this router have the 2 networks talk to each other?
Super subnetting??
What else can I do to add more nodes to the network when almost all 254 IP addresses are used?
 keason Premium join:2002-05-02 Ann Arbor, MI
Are you speaking of public or private IP addresses?
If public, you can get another block from your ISP.
If you are running out of private addresses, change your subnet mask from 255.255.255.0 to 255.255.0.0 and you'll have 64516 possible addresses.
e.g. if you are on a 10.1.1.0 network you will be on a 10.1.0.0 network.
There is a point when you'll want to route inside of your network. Trying to diagnose problems can be very difficult with subnets that are too large.
 kracksmith
join:2004-07-14 Fullerton, CA
reply to kracksmith: OK, if I go from 255.255.255.0 to 255.255.0.0
and I use 192.168.0.1 through 192.168.0.254,
now what happens if I used up all 1 through 254 IP addresses?
How does changing the subnet mask like you mention add more IPs??
Does it mean that by changing my subnet mask to 255.255.0.0 will allow the 192.168.0.1 network to talk to 192.168.1.1??
  TomS_ debugger it Premium,MVM join:2002-07-19 Australia
edit: September 24th, @03:20AM
reply to kracksmith: Changing the subnet mask from 255.255.255.0 to 255.255.0.0 gives you 65280 more IPs to use on your network (65536 in total including your current 256).
255.255.0.0 (or /16) lets you use 192.168.0.0 through to 192.168.255.255 on a single network.
BUT, the next question is, if you are getting this big, why not separate the network into logical groups of computers, i.e. have all of the admin/accounts computers on one subnet/VLAN, all of the support computers on another, etc. etc.
You do then need a router so that each subnet can access the others.
It is definitely worth looking at and I would highly recommend it!
 kracksmith
join:2004-07-14 Fullerton, CA
reply to kracksmith: OK, so by changing our subnet mask to 255.255.0.0 I am able to have 65,000 plus nodes on 1 network.
So just to confirm, I can have some workstations at 192.168.0.10 talk to other workstations at 192.168.20.10, right?
We are not getting super big, but we are getting big enough to go through 254 IP numbers.
So basically we need a router if talking to a different subnet mask, but we don't need a router if everyone is on subnet mask 255.255.0.0, right?
Just curious as to why it's good to separate the network into logical groups of computers by department? Security? Faster networking?
  TomS_ debugger it Premium,MVM join:2002-07-19 Australia
reply to kracksmith: Security, yes, depending on certain circumstances.
Faster, yes - to an extent.
Consider this scenario (sorry about the big post):
You break your LAN up into 3 logical groups:
* Administration and accounts
* Tech support and system/network admins
* Managers/board members etc.
Admin and accounts may have certain applications on their PCs such as banking, Excel spreadsheets with financial information, etc.
Tech support and sys/net admins will have their various tools.
Managers etc. will have other documents like future company plans, legal documents, etc.
Generally you would want to keep this type of information within its respective groups.
Tech support guys don't need to know the financial status of the company, and probably don't need to know anything about the company's legal dealings.
Generally if a manager or board member wants financial information they don't go digging through someone's computer, they will go and ask them for it.
By breaking the LAN up into these groups you increase security in that respect.
There's also the fact that if some poor support guy opens an email from a customer which happens to contain a virus which spreads via the network, only the support PCs are going to be infected. If this virus happens to spread itself by mailing itself to everyone in your address book, I'm sure the boss' business contacts wouldn't be too pleased about getting viruses and spreading them on to their contacts.
In regards to speed, let's say this virus goes wacko and decides to hammer every computer trying to propagate itself and spread through email. Only the support network (or one of the others if it happens to be the one infected) will suffer, leaving the admin and accounts people to collect money and ensure bills are paid, and most certainly keep the boss happy.
So while the support network has been infected you only have one group of computers to look after. And in the meantime you can patch the other computers to ensure they don't suffer the same problems.
Depending on the structure of your company you might have more or less logical groups.
Of course, all of this means you either need separate physical switches to break them up, or you need switches which support VLANs. In any case you will need a router so that each network *CAN* get to the others. I say *CAN* because you can still access the others via their IP addresses; however, if you implement some access-lists on the router you can restrict what types of traffic can get through to each LAN.
Servers would need a couple of network cards, depending on how many LANs they need to be accessible from.
You could always opt for a DHCP solution to assign IPs; that way when you need to expand you can increase the size of the pool rather than reconfiguring each computer manually.
That's some food for thought. It's not to say you HAVE to do it, it would be a big configuration task, but if you get in early and configure these things before you skyrocket it will make your life easier in the future, or you can quit and leave someone else to do it.
 kracksmith
join:2004-07-14 Fullerton, CA
OK, you are hired!
I'm going to go through what you said and explain it to my boss to see if she'll buy it.
Right now we have 1 large LAN for production and 1 LAN for Accounting. They don't want to have it on one network for now, unless I can explain what you explained to me.
But within our production LAN we have many departments. Instead of having different logical groups of subnet mask like you mention, which is a security measure to avoid different departments accessing other departments' files, but that is what NTFS permission is for, right?
Within the following weeks to come, I'm planning to implement 255.255.0.0 for our production LAN so we can overcome the max 254 IP numbers.
Since our production LAN is all hooked up by daisy-chain style switches, I should add a router between 2 switches and control the access with ACLs for security (like you mentioned). With this router in place it will be more secure, but will this setup be faster or slower? With this all being switches, broadcasting is everywhere, but with a router in place information going from 1 segment to another will need to go through another layer, layer 3 instead of just staying at layer 2.
Lastly, if I implement 255.255.0.0 for everyone in our production LAN, technically I don't need a router, right?
So the network only looks at the 1st 2 octets but doesn't care for the last 2 octets which can be anything, right?
  PA23
join:2001-12-12 East Hanover, NJ
reply to kracksmith: be careful changing the netmask for a class C address (102.168.x.x is a class C). Although the Cisco router will support classless addressing, your workstations may not.
  TomS_ debugger it Premium,MVM join:2002-07-19 Australia
reply to kracksmith: Inter-VLAN performance will depend on the router you have stuck in the middle of them.
If it's just a basic Cisco 2611 you won't get a lot of performance, but if you say stick a 7301 (expensive!) in there with gigabit to each LAN you will get a lot better performance.
As the old rule goes, you should aim to keep 80% of each user's traffic local. Therefore the only traffic that should need to leave each LAN would be internet traffic, and anything else that isn't local to the LAN (for example, a network admin might initiate a Remote Desktop session to one of the accounts computers to fix something up).
I've drawn up a quick diagram to show you exactly what I've been talking about. Each of the 3 LANs is a logical group, say for example the 3 I mentioned earlier.
www.snnap.net/bbr/lans.png
Hope that helps
  sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Budd Lake, NJ
reply to kracksmith: said by kracksmith: "lastly if i implement 255.255.0.0 for everyone in our production LAN. technically i don't need a router right?" Remember that there is a middle ground between a /24 (255 addresses) and a /16 (65536 addresses). Have you considered a /23 (255.255.254.0) or /22 (255.255.252.0)?
  TomS_ debugger it Premium,MVM join:2002-07-19 Australia
reply to kracksmith: Oh yeah, I should have mentioned something like that :)
Continuing on from what sporkme said, there are many different subnet sizes in between /24 and /16.
For example:
CIDR  Subnet Mask      IP Range                       # of IPs
----  ---------------  -----------------------------  --------
/24   255.255.255.0    192.168.0.0-192.168.0.255      256
/23   255.255.254.0    192.168.0.0-192.168.1.255      512
/22   255.255.252.0    192.168.0.0-192.168.3.255      1024
/21   255.255.248.0    192.168.0.0-192.168.7.255      2048
/20   255.255.240.0    192.168.0.0-192.168.15.255     4096
/19   255.255.224.0    192.168.0.0-192.168.31.255     8192
/18   255.255.192.0    192.168.0.0-192.168.63.255     16384
/17   255.255.128.0    192.168.0.0-192.168.127.255    32768
/16   255.255.0.0      192.168.0.0-192.168.255.255    65536
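As an added example (not code from the thread), here is how to generate the rows of the table above for any prefix length and to check whether two hosts are on-link under a given mask, which is the question asked earlier about 192.168.0.10 talking to 192.168.20.10. It uses only Python's standard ipaddress module; the 192.168.0.0 base is the one used in the table.

```python
import ipaddress


def subnet_row(prefix, base="192.168.0.0"):
    """One row of the CIDR table: (cidr, mask, first address, last address, size).

    strict=False lets any address inside the block be passed, not only the network address.
    """
    net = ipaddress.ip_network(f"{base}/{prefix}", strict=False)
    return (f"/{prefix}", str(net.netmask), str(net.network_address),
            str(net.broadcast_address), net.num_addresses)


def subnet_table(base="192.168.0.0", longest=24, shortest=16):
    """Rows from /longest down to /shortest, the same span the table in the thread covers."""
    return [subnet_row(p, base) for p in range(longest, shortest - 1, -1)]


def usable_hosts(prefix):
    """Addresses you can actually assign: the block minus the network and broadcast addresses."""
    return ipaddress.ip_network(f"0.0.0.0/{prefix}").num_addresses - 2


def same_subnet(host_a, host_b, mask):
    """True if host_a, configured with `mask`, treats host_b as on-link (no router needed).

    `mask` may be dotted (255.255.254.0) or a prefix length (23).
    """
    net_a = ipaddress.ip_network(f"{host_a}/{mask}", strict=False)
    return ipaddress.ip_address(host_b) in net_a


if __name__ == "__main__":
    for row in subnet_table():
        print("{:<5} {:<16} {}-{:<16} {}".format(*row))
    # /16 spans both hosts; /22 ends at 192.168.3.255, so the second needs a router.
    print(same_subnet("192.168.0.10", "192.168.20.10", "255.255.0.0"))
    print(same_subnet("192.168.0.10", "192.168.20.10", "255.255.252.0"))
```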
 kracksmith
join:2004-07-14 Fullerton, CA
Thanks guys. That diagram is PERFECT for my presentation.
I think I'm going to do my subnet mask in the 1024 range. I don't believe we will go beyond this anytime soon.
I believe the configuration for the subnet mask I need to make is to the 1600 Cisco router which is our gateway to the Internet, NAT (SonicWall) and DHCP (Win2k3). Clients are all DHCP.
Anything else I'm missing?
  TomS_ debugger it Premium,MVM join:2002-07-19 Australia
reply to kracksmith: A Cisco 1600 won't give you a lot of performance for inter-LAN routing, it's only got a 10mbit half duplex interface IIRC.
You say you have a SonicWall box? I would probably look at configuring this with a couple more 100mbit interfaces and using that as your router between LANs.
Without really knowing how your network is set up at the moment it's hard to make suggestions on what you should put where, etc.
 kracksmith
join:2004-07-14 Fullerton, CA
Here is my topology for a better understanding of what we have.
Internet -> 1600 -> sonic -> switch - segment - switch - segment - switch - segment - switch - segment - switch - segment - fiber switch -> fiber switch - segment
All of our switches are non-managed, 100mbps top speed. The fiber switch (1000mbps) is for our segment across the street.
The 1600 Cisco is transparent to our LAN. We configured our Sonic to do NAT and mapping IPs from outside to inside.
No VLANs in our network. Don't think we are going to go this route either.
Since our switches are daisy-chained like this, does it mean we are broadcasting every time something is requested?
They are planning to add another switch or 2 more, that is why I need more IP addresses.
What can I suggest to them besides adding routers between switches to avoid broadcasting and for security?
And exactly where do I need to make the subnet mask configuration besides what I said earlier?
 lockedout
join:2004-06-02
I'm trying to understand your existing equipment and setup a little better. What brand switches and how many ports on each switch? How many switches do you actually have in your current setup? Are they all located within the same room or closet?
What model SonicWall and how many internal interfaces can you configure it for?
Approx. how many PCs are on each of your production and accounting segments?
 csalazarv Premium join:2004-01-21 Costa Rica
reply to kracksmith: These IP addresses I hope are not public (routable) IPs, they are private, right?
You can use a different subnet mask and simply "get" more IPs if they are private (non-routable IPs such as 192.168.etc).
 kracksmith
join:2004-07-14 Fullerton, CA
reply to lockedout: The brand of all switches is D-Link. Each switch has 24 ports. We have 6 of these switches, 4 of them next to the server and 2 out in the LAN. Our fiber switch is one of the 4 next to the server that connects directly to a segment across the street.
We don't have a closet, just 4 switches like I mentioned, stacked on top of each other next to the server.
Sonic is a Pro 4060. So far we only do NATing on it and port forwarding, some logging.
About 25 per segment I believe.
I think never mind accounting for now. Accounting has another ISP. I know we can put them on a different subnet or even a different port on the firewall but I'll talk to management later about this.
Yea, I'm talking about private IPs and not public.
So let's hear some suggestions to make our network better without having to purchase expensive equipment. I really like to use what we have but we can purchase a couple of new things to make it better.
 kracksmith
join:2004-07-14 Fullerton, CA
I'm kinda getting off the subject here.
Back to running out of IP addresses.
I'm going to change our entire network of 167 users to 255.255.254.0 this week so we can have 512 IP addresses minus the 1st and last, of course.
So anything static (printers, certain workstations) I'm going to change the subnet mask to 255.255.254.0.
DHCP server will change to 254.
NAT (which is our SonicWall firewall, from public to private) to 254.
Router (our gateway to the Internet) also will change to 254.
Hmmm, I believe that's it, right? Anything else I need to change to 254?
This needs to be done as our outside vendor wants to sell us a 10,000.00 USD IP router. It's not my call but I would say a cheap used Cisco 2514 from eBay would do fine.
But instead of a router for now I'm just going to change our subnet mask scheme to 254.
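As an added example (not from the thread) of checking the mask change described above: a small inventory audit that flags statically configured devices still on the old mask, shows which of them would not see a new 192.168.1.x address as on-link, and checks that the DHCP pool fits inside the new /23 without overlapping any static address. The device inventory is constructed for illustration.

```python
import ipaddress

NEW_MASK = "255.255.254.0"   # the /23 the thread settles on

# Constructed sample inventory of statically addressed devices: name -> (ip, configured mask).
STATIC_HOSTS = {
    "gateway":    ("192.168.0.1",  "255.255.254.0"),
    "fileserver": ("192.168.0.5",  "255.255.254.0"),
    "printer-1":  ("192.168.0.20", "255.255.254.0"),
    "printer-2":  ("192.168.0.21", "255.255.255.0"),  # skipped during the change
}


def stale_masks(hosts, new_mask=NEW_MASK):
    """Devices still carrying a mask other than the target one."""
    return sorted(name for name, (_ip, mask) in hosts.items() if mask != new_mask)


def not_on_link(hosts, target_ip):
    """Devices whose *current* mask makes target_ip look off-subnet.

    Such a device sends traffic for target_ip to its default gateway instead of ARPing
    for it directly, which is the symptom of a static box that was missed.
    """
    target = ipaddress.ip_address(target_ip)
    return sorted(name for name, (ip, mask) in hosts.items()
                  if target not in ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def dhcp_pool_check(pool_start, pool_end, hosts, new_mask=NEW_MASK):
    """Return (pool lies inside the new network, statics that collide with the pool)."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    net = ipaddress.ip_network(f"{pool_start}/{new_mask}", strict=False)
    fits = start in net and end in net and start <= end
    collisions = sorted(name for name, (ip, _mask) in hosts.items()
                        if start <= ipaddress.ip_address(ip) <= end)
    return fits, collisions


if __name__ == "__main__":
    print("still on old mask:", stale_masks(STATIC_HOSTS))
    print("cannot reach 192.168.1.50 directly:", not_on_link(STATIC_HOSTS, "192.168.1.50"))
    print("pool 192.168.1.1-192.168.1.254:",
          dhcp_pool_check("192.168.1.1", "192.168.1.254", STATIC_HOSTS))
```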
 aryoba Premium,MVM join:2002-08-22
kracksmith,
FYI, you need to watch for a possible broadcast storm when you have a large network in one subnet.
Usually in one department (Finance, Technical Support, or else), a 254 IP address block is more than enough. Using anything larger than that might cause a problematic broadcast storm.
You said yourself that there are 167 users. Is it 167 users in one department or in the whole company?
  Angralitux
join:2004-05-20 DO
edit: September 26th, @03:50PM
reply to kracksmith: Why would you want to use a 2514 in your network??? Why don't you look at more current equipment, and not one that would hold your network back such as the 2514?
The SonicWall 4060 Pro is WAY more capable than your 1600 or a 2514, and even supports VLANs, so if you want, you may get some other switch that supports .1q frame tagging, Cisco 2950 for example, but if you want to go cheap, you could go to eBay and get some Dell or other switch that supports VLANs.
I would suggest better getting some help from outside if you are a bit clueless about a new network design; I mean in the forums, but also on-site.