2nd DHCP Scope?

Discussion in 'Server Networking' started by Stranger, Dec 21, 2005.

  1. Stranger

    Stranger Guest

    There is one other item I forgot to mention. Not sure if this will help.

    If I do a ping to 172.20.9.10 which is the IP I've added to the nic on the
    DHCP server, I get a TTL expired in transit.

    If I do a tracert to that IP, I see it going to 172.20.4.1 (Gateway) then to
    172.20.4.2 (Firewall) then back and forth between the 2.


     
    Stranger, Dec 27, 2005
    #21

  2. Stranger

    Stranger Guest

    I see what you are saying. I removed the static route in the firewall and
    then tried the tracert. It goes to the router (172.20.4.1) then to the
    firewall (172.20.4.2) this part looks ok, then it goes out to the internet.
    So, I think I need to somehow tell the firewall that the 172.20.9.x is an
    internal range. Not sure how to do that one if that is what it is. It was
    easy to do this with the other IP ranges since they were coming from other
    buildings.


     
    Stranger, Dec 27, 2005
    #22

  3. Ace Fekay [MVP]
    The firewall appears to be a bridge, and not a router in your scenario
    because it has a .4 interface as well as the "gateway". Is that intentional??
    I'm totally confused. Your drawing is confusing.

    If the firewall is just bridged, then nothing needs to be done, however, if
    it were not bridged, and it has a different IP, then the static rules apply
    to it just as if it were a regular old non-firewall router. Follow my
    example, in this case the firewall would be like Router A, where as the
    "router" is Router B.

    Internal net --- Router --- Firewall -- Internet

    Internal net is 172.20.9.0, where these machines are sitting on 172.20.4.0.
    "Router" above would need nothing since I am assuming one of its
    interfaces is on the 172.20.9.0 side, and the other interface would be on
    the 172.20.4.0 side, but the firewall is.

    Ace
     
    Ace Fekay [MVP], Dec 27, 2005
    #23
  4. Stranger

    Stranger Guest

    I know when I go into the configuration of the firewall, there is a tab
    called router. There is a static route in there for the 172.20.5.x network.

    For the other networks 172.20.8.x, .7.x, .4.x, there are policies under the
    firewall tab. Of course the 7 and 8 network are connected via the IPSEC
    tunnel.

    Since I'm adding the 9.x network "on top" of the .4.x network and the
    firewall only has an ip on the lan side for the 4.x network, I wonder if I
    need to add another ip for the 9.x network. I know that the firewall can
    also act as a layer 3 router if adding virtual LANs to it. I do have a call
    into the manufacturer to see what they say.

    I would think that adding an ip range would not be this difficult. It is
    the first time I'm trying it. :)



     
    Stranger, Dec 27, 2005
    #24
  5. Ace Fekay [MVP]
    I still think it's a route design issue and not necessarily a manufacturer's
    issue. If the router has multiple NICs, what is the default gateway of that
    router? Whatever router that is, should have a static route to the other
    internal NICs if they are upstream. What type of firewall is it?

    Can you re-do your drawing for a more quasi-logical (and I hate to use the
    term 'logical' when talking about subnets) and their actual IP addresses
    similar to my drawing to get a clearer picture? Maybe that will help to
    understand what direction and what IPs are where in relation to what device.
    When depicting the VLANs on your switches, show them as networks (subnets)
    as the "bar" shows a subnet in my drawing. Does that make sense?

    Ace
     
    Ace Fekay [MVP], Dec 28, 2005
    #25
  6. Stranger

    Jack H Guest

    I think so.

    I only have one subnet. All the rest are different IP ranges depending on
    the location.

    I will make something like you are talking about.

    As far as the router, there is an Ethernet port with the IP of 172.20.4.1.
    The serial port is 172.20.6.1 and that interfaces to the router on the .5.x
    at the other building.

    The firewall is a Fortigate 100.



     
    Jack H, Dec 28, 2005
    #26
  7. Stranger

    Jack H Guest

    I may have got it. Does this sound right?

    I added a static route under router in the firewall of
    172.20.9.0/255.255.255.0 Gateway 172.20.4.1 (Cisco router)

    Then in the Cisco router 172.20.4.1, I added a static route of 172.20.9.10
    which is the DHCP server that is serving both IP's 4.x and 9.x. I had put
    an additional IP in each nic of 172.20.9.10 and 172.20.9.11 and I can ping
    both of them from a 172.20.4.72 machine.

    The one thing I notice is that it does not return the name of the machine
    that is on the 9.x like it does when you ping one on the 4.x, but I assume
    that is because it is probably not registered in DNS.

    Does the above sound correct? If it does, do I need to do anything with
    DNS?



     
    Jack H, Dec 28, 2005
    #27
  8. Stranger

    Jack H Guest

    Ignore this one. I got excited but it doesn't exactly work. :)
     
    Jack H, Dec 28, 2005
    #28
  9. Ace Fekay [MVP]
    Ok, good. That will describe to the router how to get to the .9 network.
    A static route will describe what network to go to, not a specific IP
    address, as you did here. We need to describe a network path. Adding IPs
    will just make it worse.
    Probably because of WINS or lack of. NetBIOS names do not traverse subnets,
    however, the system, if configured with the correct search suffix, will
    suffix the domain name and look it up in DNS and give you the FQDN and the
    IP and then ping it.
    Is the record in DNS?

    Ace
     
    Ace Fekay [MVP], Dec 29, 2005
    #29
  10. Ace Fekay [MVP]
    .....
     
    Ace Fekay [MVP], Dec 29, 2005
    #30
  11. Ace Fekay [MVP]
    Why would you connect a port configured on the .4 network to a switch on the
    .6 network, unless that port is actually one of your VLAN ports???

    Based on the drawing you emailed me, and which I may suggest to post it to
    your website so others can follow the thread, here was my reply:
    ___________________________
    I assume the default gateway on the Dell Power Connect 5324 (172.20.4.33) is
    172.20.4.1 in the middle of the drawing, but you have it shown twice??? You
    should have just left it in the middle and connected a line to the boiler
    room. Make sense? Drawings can make or break the understanding of an
    infrastructure, hence my original confusion.

    I assume the DHCP server at the top with the two scopes has connected with
    an IP address on both the .4 and the .9 network and its default gateway is
    172.20.4.1.

    The power connect 3048 (finance) has an IP of 172.20.9.4, but why does it
    have a gateway of 4.1?? If the IT 5324 switch has the VLANs and one of the
    VLANs is .9, then since it is connected to that port, its gateway should be
    9.1, assuming the VLAN port you configured on the 5324 is 9.1. Make sense?

    Since the 5324 switch is directly connected to the .9 network, there is no
    need to configure a static route to get to it since it is aware of it,
    assuming you configured it properly. Make sense?

    Did you post this to the groups too? I should post this here as well to give
    anyone else following the thread a chance to jump in and comment.

    Ace
     
    Ace Fekay [MVP], Dec 29, 2005
    #31
  12. Stranger

    Stranger Guest

    I'll be posting an update soon. :)


     
    Stranger, Dec 31, 2005
    #32
  13. Ace Fekay [MVP]
    Ok.
     
    Ace Fekay [MVP], Dec 31, 2005
    #33
  14. Stranger

    Stranger Guest

    Stranger, Jan 3, 2006
    #34
  15. Ace Fekay [MVP]
    Thanks.

    Did you create the VLAN on the 5324 (center of the diagram) or on the 3048
    switch (bottom of diagram)?

    On the switch in the bottom of the picture, (if it was created here), in
    its configuration (and not sure how to do that in those boxes), I believe
    either you need to stipulate it, or configure one of the ports to be 9.1, which
    the 9.x subnet (VLAN) machines will be using for their gateway.

    If on the 5324 (where I actually assume the 9.x VLAN was created), in the
    4.1 router, you need to define a static route to the 9.x subnet using the
    4.x address of that switch (whichever it is) so it knows, and essentially
    everything knows, how to get to the 9.x subnet.

    This way when you ping from 9 to 4, the VLAN will send that, but the
    machines on 4 will send their responses to 4.1 but looking at its static
    route, it knows where to send that packet to get to the 9.x network.

    Make sense?
    Ace
     
    Ace Fekay [MVP], Jan 4, 2006
    #35
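The routing behaviour worked through in this thread (the 4.1/4.2 ping-pong that shows up as "TTL expired in transit", the packet going out to the Internet once the firewall's static route is removed, the host route for 172.20.9.10 that only helps one machine, and the network route on 4.1 pointing at the switch that owns the 9.x VLAN) can be reproduced with a small longest-prefix-match forwarding simulation. This is an added example, not code from the thread or from the Cisco, Fortigate or Dell devices; the device names, the choice of 172.20.4.33 (the 5324) as the next hop for 172.20.9.0/24, and the scenario labels are assumptions drawn from the posts above.

```python
import ipaddress

# Added example (not from the thread): a minimal longest-prefix-match
# forwarding simulator for the topology described in the posts above.
# Device names and the 172.20.4.33 next hop are assumptions.
ROUTER = "router 172.20.4.1"      # Cisco router, default gateway of the .4 hosts
FIREWALL = "firewall 172.20.4.2"  # Fortigate, the router's upstream
SWITCH = "switch 172.20.4.33"     # Dell 5324 that owns the 172.20.9.0/24 VLAN
INTERNET = "INTERNET"


class Device:
    def __init__(self, name, connected, routes=(), default=None):
        self.name = name
        self.connected = [ipaddress.ip_network(n) for n in connected]
        # Static routes as (prefix, next-hop device name); most specific wins.
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.default = default  # next-hop device name, or None for "no route"

    def next_hop(self, dst):
        """Return the next-hop name, 'DELIVERED' if dst is on a connected net,
        or None if no route exists (connected > static > default)."""
        if any(dst in net for net in self.connected):
            return "DELIVERED"
        best = None
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else self.default


def trace(devices, first_hop, dst, ttl=64):
    """Follow a packet hop by hop, decrementing TTL, as tracert would see it.
    Returns (outcome, list of device names visited)."""
    dst = ipaddress.ip_address(dst)
    path, hop = [], first_hop
    while ttl > 0:
        dev = devices[hop]
        path.append(dev.name)
        nh = dev.next_hop(dst)
        if nh == "DELIVERED":
            return "delivered", path
        if nh is None:
            return "unreachable", path
        if nh == INTERNET:
            return "leaked to internet", path
        hop, ttl = nh, ttl - 1
    return "ttl expired in transit", path


def topology(router_routes, firewall_routes):
    """Build the three devices; only the static routes differ per scenario."""
    return {
        ROUTER: Device(ROUTER, ["172.20.4.0/24", "172.20.6.0/24"],
                       router_routes, default=FIREWALL),
        FIREWALL: Device(FIREWALL, ["172.20.4.0/24"], firewall_routes,
                         default=INTERNET),
        SWITCH: Device(SWITCH, ["172.20.4.0/24", "172.20.9.0/24"],
                       default=ROUTER),
    }


# Constructed scenarios following the thread's sequence of attempts.
SCENARIOS = {
    # Firewall knows 9.0/24 is via 4.1, but 4.1 only has its default route
    # back to the firewall: the ping-pong that shows up as "TTL expired".
    "loop": topology([], [("172.20.9.0/24", ROUTER)]),
    # Static route removed from the firewall: traffic for 9.x goes out the
    # firewall's default route instead.
    "leak": topology([], []),
    # A host route for one address only reaches that one host; everything
    # else in 9.x still falls back to the loop.
    "host_route": topology([("172.20.9.10/32", SWITCH)],
                           [("172.20.9.0/24", ROUTER)]),
    # Network route on 4.1 pointing at the switch that owns the 9.x VLAN.
    "fixed": topology([("172.20.9.0/24", SWITCH)],
                      [("172.20.9.0/24", ROUTER)]),
}


def summarize(dsts=("172.20.9.10", "172.20.9.11")):
    """Outcome of a ping from a 172.20.4.x host (first hop 4.1) per scenario."""
    return {name: {d: trace(devs, ROUTER, d)[0] for d in dsts}
            for name, devs in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in summarize().items():
        print(f"{name:>10}: {result}")
```

Running it prints one line per scenario; the "loop" case only ends because the TTL counter runs out, which is exactly why the original tracert alternated between 172.20.4.1 and 172.20.4.2 until it expired. The "host_route" case shows why a static route has to describe the network rather than a single address: 172.20.9.10 is delivered but 172.20.9.11 still loops.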
