Superscope or Supernet? Need more IPs!

ubelsteiner

Junior Member
Oct 22, 2015
3
0
0
Greetings! I just started working for a company that has been seeing a bit of growth over the past year, and our DHCP server is running out of IPs to assign on an almost daily basis (which I've temporarily remedied by reducing lease time). I am looking for the quickest and most painless way of increasing the number of IPs available on the network, and, through my reading, have narrowed it down to configuring a superscope or supernet.

The existing network is 192.168.2.0 /24 and my original plan was to change the subnet mask to /23 to allow for 192.168.2.1-255 and 192.168.3.1-254 IPs to be assigned through DHCP. I know that the subnet mask would need to be changed to 255.255.254.0 in the router/gateway and my DHCP, DNS and other servers.

However, as I have been looking things over on the network, I am realizing just how many workstations, printers and other devices have statically assigned IPs. My biggest question now is: Will I have to go around to each and every device on the network with a static IP and change the subnet mask in order for these devices to still communicate on the network, or will they still be able to communicate as long as the router/servers mask have been updated and their IPs stay the same, within the original IP range?

I was thinking that, if it is necessary to go to each and every device and update the subnet mask, that maybe creating a superscope would be an easier option. But then I am thinking that all of the servers and network printers and such would need to be able to be configured with a second IP address?

Any help/suggestions would be most appreciated.
 

sdifox

No Lifer
Sep 30, 2005
96,156
15,774
126
No easy fix. For Windows PCs you can change the network setting to DHCP through a login script. Not sure you can do that with your printers.
 

Gryz

Golden Member
Aug 28, 2010
1,551
204
106
There are several ways to improve your situation. But every one of them will have upsides and downsides.

The address space 192.168/16 is called "private address space". It has been defined in RFC 1918. You can use any address in that range. So you could just use 192.168/16 as one big subnet and give all your devices subnet mask 255.255.0.0 (=/16). And be done with it.

Or you could switch over to 10/8. That's from RFC 1918 too. This could be handy if you want a few subnets, and each subnet should handle over 255 addresses. Of course, if you are not scared of a little binary math, you don't need to put your netmasks on an 8-bit boundary (as you suggested yourself).

Not everything on your network needs to talk directly to each other. There could be a router in between. In other words: not every device at your site has to be in the same subnet. Devices in subnets can still talk to each other, only there will need to be a router in between.

So what you can do:
- You keep the old 192.168.2.0 /24. You keep all non-DHCP equipment on that network.
- You create a new network with a new subnet-address and subnet-mask. E.g. 192.168.16/20. Or 10.1/16. You connect all the devices that do DHCP to this network. You can keep adding new devices to this network as much as you want (10.1/16 can hold 64k devices).
- You only need to buy a router that will be in between these two subnets. That router will probably need some power, depending on how much communication there is between the two subnets.

You can do this by re-plugging cables in a patch-panel if you have it. Or, if you use switches, you can do this via VLANs. Just create two VLANs for the two subnets. This will require you to invest some time to configure each port to the correct VLAN. But you don't need to leave your machine room to physically hunt down machines.

Some switches can route between their own VLANs. In that case you don't even need a separate router.

I hope these ideas give you a strategy on how to approach the problem. Still, with less than 254 machines on your network, the simplest solution might actually be to just manually reconfigure all non-DHCP machines.

Good luck.
 

sdifox

I doubt all the static ip ones are in the same switch.
 

ubelsteiner

Thanks for the responses guys.

The network right now is pretty much all just one subnet, just patch panels and dumb switches connected to one main router. I was thinking about changing to /23 just because that would be a simple way to double the number of IPs that can be assigned on the network. Although we really only need 50 or so more, having 510 or so IPs instead of 254 would give us plenty of wiggle room for the future.

I'm sure it's obvious, but I'm not much of a networking guru, and this issue with running out of IP addresses is the only reason I'm having to do anything with it (I wish they'd just hire a full-on network admin, but bosses are cheap). There are a lot of devices on the network (like surveillance cams, IP phones, devices in the cafeteria, printers/scanners) that have been in place since well before I was with this company, and for most of them I haven't the first clue how to access the configuration. So this is why I'm hoping to find just an easy way to get more IPs.

So really, I just kinda wanted to get an idea of whether I can change the subnet mask from 255.255.255.0 to 255.255.254.0 in the router/servers, delete and recreate DHCP scope with that subnet and a range like 192.168.2.50 - 192.168.3.254 (the first 50 addresses are pretty much kept reserved for static IPs) without there being communication issues.
 

Gryz

> So really, I just kinda wanted to get an idea of whether I can change the subnet mask from 255.255.255.0 to 255.255.254.0 in the router/servers, delete and recreate DHCP scope with that subnet and a range like 192.168.2.50 - 192.168.3.254 (the first 50 addresses are pretty much kept reserved for static IPs) without there being communication issues.

You can do that. Kinda. But it depends on the equipment you have (router and switches). And maybe also on the implementation of the TCP/IP stack on the regular devices on your network.

The problem is that "the network" will have 2 truths.
The old equipment with static IPs believes that the network is 192.168.2/24.
The routers and switches know that it really is 192.168.2/23.
That means they will do different things.
And they expect to see different things on the network.
And the devil is in the details.

E.g. if device 192.168.2.10/24 needs to talk to 192.168.3.10/23, it thinks that device is on another subnet. So it will forward the packet to the router (as it should). The router though thinks that both source and destination are on the same subnet, so it will not like that. It might not forward the packet, or it might. It might generate warning messages. It might send an ICMP redirect message. There might be a performance penalty. "The network" could do all kinds of unexpected things, that you didn't think of, or that you didn't know of.

So in the end, as always, it is better to make a proper network design, and configure your devices according to the proper design. It might be a little extra work right now. But in the end, I guarantee you, it will save you a lot of headaches. Really. Kludges will always come back in the end, and bite you in the arse.

There is even a new term invented for your situation.
https://en.wikipedia.org/wiki/Technical_debt
You might save a few bucks (or a few drops of sweat now). But you will have to pay back double later. That is called Technical Debt. Just think of the guy after you, in a year or two, who will inherit your network design. If it is full of kludges, he will hate you. Be nice to that guy. (And you never know, you might be that guy yourself).
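
The "two truths" case from the post above, worked through as an added example that is not part of the original post. The router address 192.168.2.1/23 and the second host pair are constructed for illustration; each host decides with its own mask whether a peer is on-link.

```python
import ipaddress

# Constructed sample: the router has already been moved to /23.
ROUTER = ipaddress.ip_interface("192.168.2.1/23")

def first_hop(src, dst):
    """Sender-side decision, made with the sender's OWN mask:
    'direct' means ARP for the peer, 'via-router' means use the gateway."""
    return "direct" if dst.ip in src.network else "via-router"

def classify_flow(src_cidr, dst_cidr, router=ROUTER):
    """Compare both directions of a conversation between two hosts."""
    src = ipaddress.ip_interface(src_cidr)
    dst = ipaddress.ip_interface(dst_cidr)
    forward = first_hop(src, dst)
    reverse = first_hop(dst, src)
    # The router sees source and destination on the same connected subnet.
    both_on_router_lan = src.ip in router.network and dst.ip in router.network
    return {
        "forward": forward,
        "reverse": reverse,
        # One side routes, the other side delivers directly.
        "asymmetric": forward != reverse,
        # Traffic enters and leaves the router on the same interface:
        # the case where it may drop, warn, or send an ICMP redirect.
        "router_hairpin": both_on_router_lan
                          and "via-router" in (forward, reverse),
    }

if __name__ == "__main__":
    for a, b in [("192.168.2.10/24", "192.168.3.10/23"),   # from the post
                 ("192.168.2.10/24", "192.168.2.20/23")]:  # constructed
        print(a, "<->", b, classify_flow(a, b))
```
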
 

ubelsteiner

Thanks for clarification and suggestions. I agree with you about the technical debt thing, unfortunately the decision making on how much time/money is to be invested in doing things right the first time is not my decision to make. I'm just a salary worker who gets to stay late on a Friday night after everyone goes home and try to gain some more IPs on the network lol.

Based on your information, I think I am going to try to go around and change as many of the static devices on the network as I can to try to prevent future issues as much as I can. I can do most of the workstations at least. It's really just things like IP phones, cameras and printers that were configured by an outside company that I might be unable to access settings on to change the subnet mask.

And speaking of SNM... If I were to try to get a head start on things tomorrow afternoon and go around to as many workstations as I can and change them over to 255.255.254.0, would this cause any sort of connectivity issues for the people using those workstations for the rest of the workday?
 

Gryz

> And speaking of SNM... If I were to try to get a head start on things tomorrow afternoon and go around to as many workstations as I can and change them over to 255.255.254.0, would this cause any sort of connectivity issues for the people using those workstations for the rest of the workday?

If you make sure all devices use an IP address between 192.168.2.1 and 192.168.2.254, I think you can configure some with /24 and some with /23. The unpredictable things might start happening when you have 1 or more devices start using an address larger than 192.168.3.1 ...
 

matricks

Member
Nov 19, 2014
194
0
0
> And speaking of SNM... If I were to try to get a head start on things tomorrow afternoon and go around to as many workstations as I can and change them over to 255.255.254.0, would this cause any sort of connectivity issues for the people using those workstations for the rest of the workday?

This is the wrong fix. What you should be doing is:
1. Configure DHCP server with static leases* for everything except servers that should/must have predictable IP addresses.
2. Configure devices that are now static to use DHCP.
3. Reboot all the things, and let DHCP sort things out.

Anything else (besides well planned subnetting, which is probably out of your time budget) is not a fix, it is a postponement of your problem. If you don't fix it now, it'll be even more work fixing (or further postponing) it next time.

* Static leases mean that a device (identified by its MAC address) will always receive the same IP address from the DHCP server, instead of a random one. This means the devices always have the same address, just like with static addresses. Great for printers, cameras and anything else you want to be predictable. Static leases can be configured with a longer lease time too, so things don't go to hell if DHCP is down for a few hours.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
I'm bad at subnetting, so I used the IP Calc here:

http://jodies.de/ipcalc?host=192.168.2.0&mask1=24&mask2=23

Does this mean OP can just reconfigure the DHCP server to hand out new IP addresses from 192.168.2.1 to 192.168.3.254 to accommodate 510 PCs without routing and still be able to talk to each other? All he needs is to reboot all devices/PCs to get a new subnet mask & IP address?

====
Edit

According to the table, there should be 511 PCs from 192.168.2.1 to 192.168.2.255 & 192.168.3.1 to 192.168.3.254, so why 510 on screen?

====
Edit

My bad, my calculation was wrong, it should be 510, 192.168.2.1 to 192.168.2.255 & 192.168.3.0 to 192.168.2.254 (255+255=510)

and according to Gryz, people should not use all ones and all zeros, so 192.168.2.255 & 192.168.3.0 should be out.
 

Gryz

192.168.2.0 till 192.168.3.255 are 512 addresses.
You never want to use the "all zeros" address, because that one means "the network itself".
And you don't want to use the "all ones" address, because that's the broadcast address.
512 - 2 = 510.

And even then, I wouldn't use 192.168.2.255 and 192.168.3.0. Even though in theory it should be no problem, you better make sure you try to avoid bugs. If you still have some devices with statically configured /24 subnetmask, then you are guaranteed some of them will barf when they see 192.168.2.255 or 192.168.3.0.

If you want to know the answer to your question, read the stuff I posted here earlier.
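
The address count and the two addresses to avoid, computed for the DHCP range proposed earlier in the thread (192.168.2.50 - 192.168.3.254). This is an added example, not part of the original post; the function name and the returned keys are made up for illustration.

```python
import ipaddress

def audit_dhcp_range(start, end, new_net="192.168.2.0/23", legacy_prefix=24):
    """Size a DHCP range inside new_net and list the addresses to exclude
    because a device still configured with the legacy mask would treat
    them as 'the network itself' or as the broadcast address."""
    net = ipaddress.ip_network(new_net)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first not in net or last not in net or first > last:
        raise ValueError("range must lie inside %s" % net)

    usable = set(net.hosts())  # drops all-zeros and all-ones of the /23

    # Network and broadcast address of every legacy-sized block in new_net.
    legacy_edges = set()
    for block in net.subnets(new_prefix=legacy_prefix):
        legacy_edges.update((block.network_address, block.broadcast_address))

    in_range = [ipaddress.ip_address(i)
                for i in range(int(first), int(last) + 1)]
    exclusions = sorted(a for a in in_range
                        if a in legacy_edges or a not in usable)
    return {
        "total_addresses": net.num_addresses,
        "usable_hosts": len(usable),
        "range_size": len(in_range),
        "exclusions": [str(a) for a in exclusions],
        "leasable": len(in_range) - len(exclusions),
    }

if __name__ == "__main__":
    report = audit_dhcp_range("192.168.2.50", "192.168.3.254")
    for key, value in report.items():
        print(key, "=", value)
```
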
 

atty26

Junior Member
Jan 3, 2014
7
0
0
hmm very interesting topic. i learn a few things today.

ubelsteiner i know exactly your feelings man. been in these kinda situations on a few occasions. Based on what has been posted so far, in terms of the least amount of work/time u have to put in, i think matricks' suggestion of static leasing may be your solution. I'm not sure if it'll work since I haven't tried it before, but it does sound logical.

Another advantage of doing that is you don't really have to fiddle with the stuff you are not familiar with (surveillance cams/ip phones etc) but you do need to find out their MAC address. Shouldn't be too hard though.

Whatever you decide do let us know the outcome. I for one would be interested to know how this works out.
 