How expand domain subnet?

Discussion in 'Server Networking' started by Newell White, Sep 19, 2006.

  1. Newell White

    Newell White Guest

    We currently have a 192.168.1/24 LAN with 2 fixed-IP Win2K3 DCs (AD
    integrated, both WINS and DHCP), a fixed-IP PIX firewall, and dynamic-IP XP
    workstations, and VPN clients (managed by PIX firewall).

    I want to expand this to a 192.168.0/26 LAN, and believe the necessary steps
    are:

    1) Configure the primary DC TCP/IP to use 255.255.252.0 mask, repeat for
    secondary DC.

    2) Configure DHCP on each DC to use 192.168.0/26 scope, with non-overlapping
    lease pools (192.168.2/24, 192.168.3/24)

    3) Expand inside subnet of PIX firewall to 192.168.0/26

    Is it this simple, or have I overlooked something?

    Later I wish to add further firewalls, each with own ADSL link. To assign
    users to a particular firewall, I assume easiest method is to assign them to
    OUs with different logon scripts, which overwrite the DHCP-assigned gateway
    by means of a 'route add 0.0.0.0' command.

    TIA,
     
    Newell White, Sep 19, 2006
    #1

  2. No.

    Add a new segment. Don't create segments larger than /24. Keep the maximum
    number of hosts per segment to 250-300,...which is what the /24 does with
    254 hosts. Ethernet begins to lose efficiency with too many hosts.

    If you need more, create a new segment and place a LAN Router between the
    segments.
     
    Phillip Windell, Sep 19, 2006
    #2

  3. Bill Grant

    Bill Grant Guest

    As an aside, that would be a 22-bit subnet, not a 26-bit. A 26-bit
    subnet would reduce the number of possible clients to 62 .

    192.168.1.0/24 represents the subnet containing the addresses
    192.168.1.1 through 192.168.1.254 . The 24-bit subnet mask is 255.255.255.0 .
    192.168.1.0/26 represents the subnet containing the addresses 192.168.1.1
    through 192.168.1.62 . The subnet mask is 255.255.255.192 . An address like
    192.168.1.73 would be in the next IP subnet of 192.168.1.64/26 .

    I agree with Phillip. Stay with /24 . If you want groups of machines
    to use different gateways, put them in their own 24-bit subnet and point
    them to a gateway in that subnet. If you want these groups to see each
    other, route between the segments/subnets.

     
    Bill Grant, Sep 20, 2006
    #3
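The subnet arithmetic in Bill's reply, worked through with Python's standard `ipaddress` module. This is an added example, not code from any poster: it checks that the mask 255.255.252.0 the original poster wrote is a /22 rather than a /26, lists the usable host range of each prefix length mentioned in the thread, and finds which /26 the address 192.168.1.73 falls into.

```python
import ipaddress


def prefixlen_of_mask(mask):
    """Translate a dotted subnet mask (e.g. 255.255.252.0) into its CIDR prefix length."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def subnet_summary(cidr):
    """Return (netmask, first usable host, last usable host, usable host count) for a CIDR block.

    hosts() excludes the network and broadcast addresses, so a /24 yields .1 to .254.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return (str(net.netmask), str(hosts[0]), str(hosts[-1]), len(hosts))


def containing_subnet(addr, prefixlen):
    """Return the subnet of the given prefix length that contains addr.

    strict=False lets ipaddress zero the host bits, so 192.168.1.73/26 becomes 192.168.1.64/26.
    """
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


if __name__ == "__main__":
    # Masks and prefixes discussed in the thread (constructed inputs).
    print("255.255.252.0 is a /%d" % prefixlen_of_mask("255.255.252.0"))
    for cidr in ("192.168.1.0/24", "192.168.1.0/26", "192.168.0.0/22"):
        print(cidr, subnet_summary(cidr))
    print("192.168.1.73 lies in", containing_subnet("192.168.1.73", 26))
```

Running it shows the /22 spanning 192.168.0.1 through 192.168.3.254 (1022 usable hosts), the /26 stopping at 192.168.1.62, and 192.168.1.73 landing in 192.168.1.64/26 exactly as the reply states.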
  4. Newell White

    Newell White Guest

    Thanks for advice on best practice, and correcting my IP terminology.

    But if my LAN was going to contain less than 200 Ethernet nodes, would my
    proposed scheme work, and with reasonable efficiency?
    --
    Newell White


     
    Newell White, Sep 20, 2006
    #4
  5. Which particular part of the scheme? I don't think it is clear what you are
    even thinking.
     
    Phillip Windell, Sep 20, 2006
    #5
  6. Newell White

    Newell White Guest

    I merely wish to expand our domain subnet, not because we want 1000 nodes,
    but to allow:

    100% redundancy between the two DHCP servers - I have never seen how the
    oft-quoted 80-20 rule helps if a server goes down. Giving pool 192.168.2.x to
    one, and 192.168.3.x to the other achieves this.

    Ability to put fixed-IP devices on 192.168.1.x (accessible through the
    split-tunnel VPN defined in Cisco PIX) or 192.168.0.x (inaccessible).

    In a small company with 2 servers I do not have the resources to set up a
    laboratory LAN :-(, which would have allowed me to answer my own question.
     
    Newell White, Sep 20, 2006
    #6
  7. I never believed in 80/20. Use 50/50.
    Configure the two DHCPs indentically (...*identically*...).
    Use the Full IP Range in the Scope.
    Then use the Exclusions to adjust so that one machine gives out the first
    half of the addresses, while the second one gives out the second half of the
    addresses. If one DHCP dies and won't be backup for a while, you just
    remove the Exclusion on the "live" one so that it gives out all the
    addresses. When the other is fixed, put the Exclusion back again the way
    they were.
    **Note:** There is no Automatic Redundancy,...it doesn't exist,...you have
    to manually alter the Exclusions if one goes down, and then you have to
    manually put them back the way they were afterwards.
    No it does not. Not at all. That creates two segments on the same wire
    (Multi-Net) and creates a situation where the Hosts on one cannot talk to
    the hosts on the other unless you configure a router to function between
    them. Without the Router every client would have to be manually configured
    to use its own IP# as the Default Gateway which you can't do with DHCP.
    Using their own IP# as the DFG causes them to take anything destined for
    another segment and just "drop it on the wire" and since everything is on
    the same wire the packet will be found. However this just takes one complex
    convoluted mess and makes a bigger complex convoluted mess.
    Have separate Exclusions (not those mentioned above) that are identical on
    both DHCP Servers for addresses that should never be given out by DHCP. The
    Exclusions would never be changed if one DHCP went down.
    I have no idea what you mean by that.
    VirtualPC and Virtual Server are free, but takes a fast CPU and about 2 gig
    of ram to create much of a "lab". But I don't know any way to create much of
    a test for this with these products in this particular case.
     
    Phillip Windell, Sep 20, 2006
    #7
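A model of the 50/50 exclusion scheme Phillip describes, written as an added example (not code from the thread). It assumes a constructed scope 192.168.1.0/24 with a permanent exclusion for fixed-IP devices (.1 to .20) that is identical on both servers, plus one "split" exclusion per server that hides the other server's half. The functions compute what each server can actually lease, verify the halves neither overlap nor leave a gap, and show what removing the split exclusion on the surviving server does during an outage.

```python
import ipaddress

# Constructed example scope and exclusions (hypothetical, not the poster's config).
SCOPE = "192.168.1.0/24"
# Never leased by either server: DCs, PIX, printers. Identical on both and never touched.
RESERVED = [("192.168.1.1", "192.168.1.20")]
# Split exclusions: server A hides the second half, server B hides the first half.
SPLIT_A = [("192.168.1.128", "192.168.1.254")]
SPLIT_B = [("192.168.1.21", "192.168.1.127")]


def leasable_pool(scope, exclusions):
    """Addresses a DHCP server will hand out: usable hosts of the scope minus every exclusion range."""
    net = ipaddress.ip_network(scope)
    pool = set(net.hosts())
    for lo, hi in exclusions:
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        pool -= {a for a in net.hosts() if lo_a <= a <= hi_a}
    return pool


def normal_pools():
    """Both servers up: each leases only its own half."""
    return leasable_pool(SCOPE, RESERVED + SPLIT_A), leasable_pool(SCOPE, RESERVED + SPLIT_B)


def failover_pool():
    """One server dead: the admin removes the split exclusion on the survivor, keeping only RESERVED."""
    return leasable_pool(SCOPE, RESERVED)


def check_split(pool_a, pool_b):
    """Sanity checks an admin wants before trusting the split:
    no address is leasable from both servers, and the two halves together cover everything not reserved."""
    return {
        "overlap": len(pool_a & pool_b),
        "covered": (pool_a | pool_b) == leasable_pool(SCOPE, RESERVED),
    }


if __name__ == "__main__":
    a, b = normal_pools()
    print("server A leases %d addresses, server B leases %d" % (len(a), len(b)))
    print("split check:", check_split(a, b))
    print("survivor after removing split exclusion leases %d" % len(failover_pool()))
    # The hazard of forgetting to put the exclusion back once the other server returns:
    print("both servers with split removed:", check_split(failover_pool(), failover_pool()))
```

The last line is the reason Phillip stresses restoring the exclusions afterwards: with both servers running the full range, every address becomes leasable from both, and since Windows 2003 DHCP servers do not coordinate leases, duplicate assignments follow.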
  8. Bill Grant

    Bill Grant Guest

    Yes, VPC or virtual server is a great tool for testing network
    configs. And 2G of memory is a realistic minimum figure for RAM (especially
    with Longhorn/Vista needing 512M to install). I am currently running two XP
    workstations with 2G RAM each to host 6 or 7 vms including Vista/Longhorn to
    test various network configs.
     
    Bill Grant, Sep 21, 2006
    #8
  9. I run 2gig on my workstation and I get about 5 copies of Server2003 and 1 or
    2 workstations running at the same time without problems. I don't think I
    pushed it much beyond that. Mainly I keep all my various copies of ISA
    Server on it for working in the ISA Server Newsgroup which is the main group
    I deal with.

    At home I don't have as good of hardware but I run an extra copy of XP in
    it so I can use it for the Internet browsing and can dump it without saving
    changes (undo disks) if it gets infected with spyware,...helps keep my main
    machine clean.
     
    Phillip Windell, Sep 21, 2006
    #9
  10. Newell White

    Newell White Guest

    Gentlemen,
    I understand that you are encouraging me to follow what is generally
    regarded as best practice, and I thank you for your time. But you seem to
    ignore some points of my plan.
    1) The LAN will occupy the IP-space 192.168.0.0 to 192.168.3.255, defined in
    the server subnet masks and the IDENTICAL DHCP scopes.
    2) The DHCP servers are configured to dish out non-overlapping pools of 253
    addresses each. So if a server goes down, DHCP does not need reconfiguring
    until I get back from holiday.
    3) Because PIX firewall is set up to configure a Cisco VPN client that
    contacts it to route traffic for 192.168.1.x ONLY through the tunnel, only a
    portion of the LAN is accessible to VPN clients - good.

    So really my question boils down to this:
    Although it is unusual to have a segment of TCP/IP LAN without internal
    routers bigger than 256 potential nodes, is it feasible?
    And using W2k3 DCs, is it only the subnet mask of fixed-IP DCs, external
    routers/firewalls, and the DHCP scope, that need revising to expand from 256
    potential nodes to 1024?

    Using this much IP-space for only 200 hosts may seem profligate, but the
    beauty of non-routable addresses is I am not squandering a shared resource.
    But it is important to restrict the aperture of the VPN tunnel, not just on
    security grounds, but if the VPN client is on a 192.168.x.x LAN it uses up
    their resource.

    Regards
     
    Newell White, Sep 21, 2006
    #10
  11. I'm not ignoring those points,...I'm telling you to stop doing them if you
    want this to work right. Being "feasible" isn't the question for me and I am
    not going to play it that way. "Two-Cans-and-a-string" is feasible, but I'm
    not going to tell anyone to use that.

    If you want the machines to "hang on" until you get into the office then use
    the default DHCP Lease period of 8 days. That gives you about 4 days to get
    in to fix it. If that isn't enough then make it thirty days which gives you
    15 days. The reason of the "half period" is because DHCP Clients attempt
    to renew their lease at 50% of the Lease.

    Creating a disaster of a LAN design just because you want to have the
    machines not be affected by a down DHCP until you get back in the office
    is...well...I don't know how to say it in a good way. LAN design is
    primary,...DHCP schemes are secondary (not the other way around).

    If you want one DHCP to keep it all running indefinitely if one goes
    down,..do this...
    1. If you have 200 Hosts, then use two separate segments of 254 each. (/24)
    2. Have 100 hosts in each.
    3. Identically configure two DHCP boxes as I described before and divide
    them up with Exclusions. Remember to configure two Scopes on each to
    represent each segment.
    4. Configure the LAN router to forward DHCP Queries to the two DHCP Servers.
    5. Add a static Route to the Pix so that it knows to use the LAN Router as
    the path to the segment on the far side of the router. Correct the Local
    Address Table on the PIX to include both LAN IP Ranges

    Now there will be less than half the available addresses in use in either
    segment,...which means that just one DHCP Server by itself will have enough
    addresses to keep things going indefinitely,...and you are not violating
    proper LAN design in the process of doing so.

    If I think of anything else,..I'll post again.
     
    Phillip Windell, Sep 21, 2006
    #11
  12. Bill Grant

    Bill Grant Guest

    I will have a stab at the VPN routing question you raise. I think that
    you are making an assumption which is not really true.

    You seem to assume that, if you set up your LAN as 192.168.0.0/22, VPN
    clients with 192.168.1.x/24 addresses will only be able to access LAN
    machines which have 192.168.1.x addresses, and not be able to access
    machines with, say, 192.168.2.x addresses.

    IP routing doesn't work like that. 192.168.1.30/24 is not the same thing
    as 192.168.1.30/22 . A machine in a subnet with a 24-bit subnet mask can route to
    all of the machines in a subnet with a 22-bit subnet mask.

    I believe that you will have trouble with your VPN if you change the
    subnet mask on the LAN. If the LAN and the remotes are using addresses in
    the same IP subnet, it is not using normal IP routing. It is using some sort
    of proxy ARP (ie the server is doing proxy ARP on the LAN to receive packets
    addressed to the remote clients) , and it will fail if you change the LAN
    subnet mask.
     
    Bill Grant, Sep 22, 2006
    #12
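An added example (not code from the thread) that makes Bill's point concrete: how a host decides whether a destination is on its own wire or must go to the gateway depends only on the host's own mask, so 192.168.1.30/24 and 192.168.1.30/22 make different decisions about the same destinations. The second function models the split-tunnel selection the original poster describes, as a simplified hypothetical: a destination inside a pushed network goes into the tunnel, anything else follows the client's local default route. Addresses are constructed for illustration.

```python
import ipaddress


def next_hop(src_ip, src_mask, dst_ip, gateway):
    """Return how a host configured as src_ip/src_mask reaches dst_ip.

    If dst_ip falls inside the host's own subnet it is 'direct' (the host ARPs for it on the wire);
    otherwise the packet is handed to the default gateway. ipaddress accepts dotted masks here.
    """
    own_net = ipaddress.ip_interface(f"{src_ip}/{src_mask}").network
    if ipaddress.ip_address(dst_ip) in own_net:
        return "direct"
    return f"via {gateway}"


def split_tunnel_path(dst_ip, tunnel_networks):
    """Simplified split-tunnel model: send dst_ip into the tunnel only if it matches a pushed network."""
    dst = ipaddress.ip_address(dst_ip)
    for cidr in tunnel_networks:
        if dst in ipaddress.ip_network(cidr):
            return "tunnel"
    return "local default route"


if __name__ == "__main__":
    # Same host address, two different masks, same destination in 192.168.2.x.
    print("192.168.1.30/24 ->", next_hop("192.168.1.30", "255.255.255.0", "192.168.2.10", "192.168.1.1"))
    print("192.168.1.30/22 ->", next_hop("192.168.1.30", "255.255.252.0", "192.168.2.10", "192.168.1.1"))
    # A /22 LAN host treats a 192.168.1.x VPN client as on-link and ARPs for it,
    # which is where the proxy-ARP dependency Bill mentions comes in.
    print("192.168.2.10/22 ->", next_hop("192.168.2.10", "255.255.252.0", "192.168.1.30", "192.168.2.1"))
    # Split tunnel pushed only 192.168.1.0/24 (hypothetical PIX configuration).
    for dst in ("192.168.1.5", "192.168.2.10"):
        print(dst, "->", split_tunnel_path(dst, ["192.168.1.0/24"]))
```

The asymmetry in the first three lines of output is the whole issue: with the LAN widened to /22, a LAN host sends to a 192.168.1.x remote address by ARP rather than by routing, so something on the LAN must answer that ARP on the remote client's behalf.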
  13. Newell White

    Newell White Guest

    Thanks Bill.

    Don't forget this is split-tunnel VPN terminating in the Cisco Pix.

    It is my understanding that if I configure the Pix for split-tunnel using
    192.168.1.x/24, then when the VPN Client software in the remote client asks
    to open the tunnel, the Pix tells it to configure the PPP adapter on the
    client to encapsulate and send traffic for 192.168.1.x/24 only. Other IP
    destinations now default to the routing rules of the Ethernet LAN adapter
    next down the binding order.

    It is also my belief that I can configure the PIX to use a different i.e.
    tighter split-tunnel subnet mask than that of its LAN-side Ethernet adapter.

    Or have I got something wildly wrong?
     
    Newell White, Sep 25, 2006
    #13