networking 101 question? :)

[OUPA]MrNutz

Hi Guys

yes yes my subnetting and all that is way below what it should be but that's why i came here to ask for help :)

i've got a 192.168.0.x mask 255.255.255.0 gw 192.168.0.200 dns 192.168.0.21

my network is maxed out - i'm out of ips have 220 users , the rest are network printers and time&attendance equipment (ip based)

i need to add 9 pcs to the network..

we use TMG with GFI as firewall....

i've tried doing a 192.168.2.x with mask 255.255.0.0 or 255.255.248.0 with normal gw/dns but then i can't ping/access anything.

any suggestions are welcome..thanks
 
if you want to use 192.168.0.0-192.168.2.255 as one network, your mask must be 255.255.253.0

But I am not sure if you can join 192.168 networks. These are class C, which only contain 256 ip addresses. I think you need to migrate your network to either 10.0.0.0 (Class A) where you can have 16777216 ip addresses or 172.16.0.0 (Class B) where you can have 65536 ip addresses. All these are private ranges.

So you can use 172.16.0.0-176.16.2.255 with mask 255.255.253.0 which will give you 256*3 ip addresses.
 
What you need is a router or a layer 3 switch, your network has no idea how to route the information from the 192.168.0.x network to the 192.168.2.x network. Otherwise what you will need to do is change the subnet mask to 255.255.253.0 (/22) this will allow you to make use of the following IP address range 192.168.0.0 - 192.168.3.255. If you need more information let me know.
 
although subnet isolation with selective routing can be useful.
 
> although subnet isolation with selective routing can be useful.

This.

If you have too many machines for a single class C, you should consider separating them onto different networks.

For example, put your servers and printers on one network, time and attendance machines on another, clients on a third, and add a router to direct packets between the networks.
 
> This.
>
> If you have too many machines for a single class C, you should consider separating them onto different networks.
>
> For example, put your servers and printers on one network, time and attendance machines on another, clients on a third, and add a router to direct packets between the networks.

This

Because a good network admin fixes the problem way before it even is one, and in that same line, maybe it's a good time to start looking at IPv6
 
i've joined the company in question in the last few weeks - and their IP distribution is a disaster...

no DHCP - only static - but no control.

it's a win2k8r2 environment.

is there a way i can ask the DC to pull me a list of say the last 14-21 days of IP connections to the DC?

or any utility that can show me "dead" hosts (so that i can sit and manually draw up excel sheet) to get the empty IPs for now.

i agree with the idea of putting time and attendance in another range as well as other non pc related devices..

thanks for the info so far!
 
Long time ago, about 5+ years, when I looked after Windows network I used a product called GFI LANguard. I don't know if they are still around but it used to be able to audit both hardware and software security on my network with an agent that used to build up a log of IPs on the network

Might help you.

Today I would just write a script in cron that does a ping every hour to the whole subnet and >> output to a textfile that I would datamine.
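
One way to "datamine" such a sweep log for addresses that look unused, as an added example that is not part of the post above. The log format (timestamp, address, up/down) and the sample lines are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample; assumed format "<ISO timestamp> <ip> <up|down>", one line per probe.
SAMPLE_LOG = """\
2012-03-01T08:00 192.168.0.21 up
2012-03-01T08:00 192.168.0.57 up
2012-03-10T08:00 192.168.0.57 down
2012-03-20T08:00 192.168.0.21 up
2012-03-20T08:00 192.168.0.57 down
2012-03-20T08:00 192.168.0.200 up
not a log line
"""

def last_seen(log_text):
    """Map each address to the newest timestamp at which it answered."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "up":
            continue  # skip malformed lines and failed probes
        try:
            ts = datetime.fromisoformat(parts[0])
            ip = ipaddress.IPv4Address(parts[1])
        except ValueError:
            continue  # bad timestamp or address
        if ip not in seen or ts > seen[ip]:
            seen[ip] = ts
    return seen

def silent_addresses(log_text, network, now, days):
    """Host addresses in `network` with no reply in the last `days` days.

    These are only candidates: a host that drops ICMP or was powered off
    for the whole window looks the same as a free address, so confirm
    (ARP table, switch port, owner) before reassigning.
    """
    cutoff = now - timedelta(days=days)
    seen = last_seen(log_text)
    return [str(h) for h in ipaddress.ip_network(network).hosts()
            if seen.get(h, datetime.min) < cutoff]

if __name__ == "__main__":
    now = datetime(2012, 3, 21)
    free = silent_addresses(SAMPLE_LOG, "192.168.0.0/24", now, days=14)
    print(len(free), "candidate addresses, first few:", free[:5])
```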
 
> if you want to use 192.168.0.0-192.168.2.255 as one network, your mask must be 255.255.253.0
>
> But I am not sure if you can join 192.168 networks. These are class C, which only contain 256 ip addresses. I think you need to migrate your network to either 10.0.0.0 (Class A) where you can have 16777216 ip addresses or 172.16.0.0 (Class B) where you can have 65536 ip addresses. All these are private ranges.
>
> So you can use 172.16.0.0-176.16.2.255 with mask 255.255.253.0 which will give you 256*3 ip addresses.

A class c has 254 viable hosts.
you cannot have a 255.255.253.0 subnet mask. It does not exist. For what you are talking about, it needs to be a 255.255.252.0 subnet mask.
You would then have 192.168.0.1 - 192.168.3.254 as the same network

> What you need is a router or a layer 3 switch, your network has no idea how to route the information from the 192.168.0.x network to the 192.168.2.x network. Otherwise what you will need to do is change the subnet mask to 255.255.253.0 (/22) this will allow you to make use of the following IP address range 192.168.0.0 - 192.168.3.255. If you need more information let me know.

Again, it's 255.255.252.0 (253 does not exist). But yeah, a router could be used, or simply just change the netmask

You could use the TMG to route between different networks as well. Even if you have a single interface, you can add subinterfaces and let it do the routing for you. (I don't use MS products but I am 100% certain TMG will do this for you)
 
agreed, a 252 subnet is the answer! That will give you a whack load of addresses again and i don't agree that you need a router, a windblowz or linux box can do exactly the same function and give you the same result.
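
As an added example (not part of any post above), this Python sketch checks the masks discussed in the thread and shows why a PC given a wider mask cannot talk to hosts still configured with 255.255.255.0. The 192.168.2.10 address for a new PC is an assumed value; the other addresses and masks come from the thread.

```python
import ipaddress

def is_valid_netmask(mask):
    """A netmask is valid only if its 1-bits are contiguous from the left."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def usable_range(ip, mask):
    """Network, first and last usable host, and usable host count for ip/mask."""
    net = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    return (str(net), str(net.network_address + 1),
            str(net.broadcast_address - 1), net.num_addresses - 2)

def on_link(src_ip, src_mask, dst_ip):
    """True if src, using its own mask, ARPs for dst directly;
    False if it hands the packet to its default gateway instead."""
    net = ipaddress.IPv4Interface(f"{src_ip}/{src_mask}").network
    return ipaddress.IPv4Address(dst_ip) in net

if __name__ == "__main__":
    for mask in ("255.255.253.0", "255.255.252.0", "255.255.248.0", "255.255.0.0"):
        print(mask, "valid" if is_valid_netmask(mask) else "not a valid mask")

    # Changing the existing gateway's mask to /22 keeps 192.168.0.x and adds .1-.3
    print(usable_range("192.168.0.200", "255.255.252.0"))

    new_pc, dns = "192.168.2.10", "192.168.0.21"  # new_pc is an assumed address
    # Mixed masks: the new PC thinks the DNS server is local and ARPs for it,
    # but the server (still /24) sends its reply to the gateway instead.
    print("new PC -> DNS on-link:", on_link(new_pc, "255.255.0.0", dns))
    print("DNS -> new PC on-link:", on_link(dns, "255.255.255.0", new_pc))
    # Same mask on every host: both directions are on-link.
    print("DNS -> new PC with /22:", on_link(dns, "255.255.252.0", new_pc))
```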
 
You know what I find real scary. Is the fact that 90% of the admins out there have no clue what IPv6 is or even how it works.

The worst part is we are approaching the end of the line of IPv4 faster than most people think. This is not aimed at any person here, it's more in regard to network equipment and actual setups in most companies. Just go read http://en.wikipedia.org/wiki/IPv4_address_exhaustion out of interest

In a setup like the OP's problem, if he was running IPv6 it would even be a problem.
 
> You know what I find real scary. Is the fact that 90% of the admins out there have no clue what IPv6 is or even how it works.
>
> The worst part is we are approaching the end of the line of IPv4 faster than most people think. This is not aimed at any person here, it's more in regard to network equipment and actual setups in most companies. Just go read http://en.wikipedia.org/wiki/IPv4_address_exhaustion out of interest
>
> In a setup like the OP's problem, if he was running IPv6 it would even be a problem.

To be honest you still don't need IPv6. With the right network setup that is.
 
I doubt that we'll experience a problem.
As governments, large corporates & ISP's (in time) move over to IP6, IP4 addresses will again become available.
ISP's are still dishing out IP4 addresses like there's no tomorrow.
ask for 4 and you get 10 or more.
 
> As governments, large corporates & ISP's (in time) move over to IP6, IP4 addresses will again become available.

Not true. Even once an organisation has fully rolled out IPv6 they will still need to keep their IPv4 addresses so that they can connect to the IPv4 Internet. If they genuinely have spare, they are unlikely to give them away. They will sell them and the prices are likely to be high.

> ISP's are still dishing out IP4 addresses like there's no tomorrow. ask for 4 and you get 10 or more.

In Africa we still have IPv4 addresses available. We need to roll out IPv6 though. It will be a little pointless to only be connected to the IPv4 Internet once the rest of the planet is using IPv6.
 
> You know what I find real scary. Is the fact that 90% of the admins out there have no clue what IPv6 is or even how it works.
>
> The worst part is we are approaching the end of the line of IPv4 faster than most people think. This is not aimed at any person here, it's more in regard to network equipment and actual setups in most companies. Just go read http://en.wikipedia.org/wiki/IPv4_address_exhaustion out of interest

You are assuming every single device on the OPs network is IPv6 capable which I doubt is the case.

Using private address ranges does not contribute to IPv4 address exhaustion seeing his traffic is probably natted when leaving for the great big yonder.
In the OP's scenario vlsm & classless routing would be the simplest solution for his current issues.
If the LAN gets very big I would recommend separate subnets as some people here have suggested but this could also have pitfalls in that inter subnet routing will place extra strain on the router and if the router only has a low speed interface could potentially create a bottleneck.
Ideally the OP should perform a full network audit and look at the current design and see where things can be improved. Things aren't cut and dried and there is no single solution that fits all scenarios (unless you are prepared to spend mega $$$ and do an overkill solution) so it would be best to evaluate each scenario independently.

Having everything on IPv6 would be nice but I suspect not exactly practical right now for him.
 
> ....If the LAN gets very big I would recommend separate subnets as some people here have suggested but this could also have pitfalls in that inter subnet routing will place extra strain on the router and if the router only has a low speed interface could potentially create a bottleneck.
> Ideally the OP should perform a full network audit and look at the current design and see where things can be improved. Things aren't cut and dried and there is no single solution that fits all scenarios (unless you are prepared to spend mega $$$ and do an overkill solution) so it would be best to evaluate each scenario independently.
>
> Having everything on IPv6 would be nice but I suspect not exactly practical right now for him.

At post #6 I said the same thing, I am just mentioning in a perfect world people would start looking at IPv6, but then if anything 2000 taught me it's that people in IT wait till the last minute to do anything
 
In a NAT'd environment you can do what you feel like.
As long as all hosts have the same subnet mask.

Layer2 switches (the normal stuff you buy for R300) don't forward packets based on the IP address, they use the MAC address (they don't care what the IP is).
Some layer2 switches might have an IP of their own but that's merely for management purposes.

if i was you:

network: 10.0.0.0/16
start address: 10.0.0.1
end address: 10.0.255.254
subnet mask: 255.255.0.0

PLENTY addresses.
1 subnet - easy peasy.

your IP calculator might not like it but Windows (and all other devices) won't mind.
don't use addresses: 10.0.0.0 & 10.0.255.255.

Substitute "10.0" for "192.168" if you like - that way you get to keep your default gateway & DNS & whatnot, just remember to change the subnet mask for all hosts.
Would obviously need to change your DNS & DHCP server settings as well.

PS: The router only "routes" if the target IP is "outside" the LAN.
PC's talking to servers = all hosts are "inside" the LAN = the router merely "forwards" the packets = router doesn't utilize CPU cycles for routing calculations.
Any old router will suffice.
 
> In a NAT'd environment you can do what you feel like.
> As long as all hosts have the same subnet mask.
>
> Layer2 switches (the normal stuff you buy for R300) don't forward packets based on the IP address, they use the MAC address (they don't care what the IP is).
> Some layer2 switches might have an IP of their own but that's merely for management purposes.
>
> if i was you:
>
> network: 10.0.0.0/16
> start address: 10.0.0.1
> end address: 10.0.255.254
> subnet mask: 255.255.0.0
>
> PLENTY addresses.
> 1 subnet - easy peasy.
>
> your IP calculator might not like it but Windows (and all other devices) won't mind.
> don't use addresses: 10.0.0.0 & 10.0.255.255.
>
> Substitute "10.0" for "192.168" if you like - that way you get to keep your default gateway & DNS & whatnot, just remember to change the subnet mask for all hosts.
> Would obviously need to change your DNS & DHCP server settings as well.
>
> PS: The router only "routes" if the target IP is "outside" the LAN.
> PC's talking to servers = all hosts are "inside" the LAN = the router merely "forwards" the packets = router doesn't utilize CPU cycles for routing calculations.
> Any old router will suffice.

A router wouldn't answer or forward anything for traffic on the local lan. That's what a switch is for
 
How can people get to 200+ network ip's without splitting them?

The collisions on the poor network equipment must be worse than rush hour in JHB. :)
 