Running out of IP Addresses 1

[mishbaker]

I have begun to receive the Event Log Warning that my current Subnet is running low on IP Addresses to hand out. I've looked at SuperScoping and Supernetting. I think Superscope looks like what I want so I've tried to set it up.

I created a superscope and put my 192.168.2.0 and 192.168.3.0 scopes within it. I've added the ip addresses to my NIC (server IP's are now 192.168.2.101 and 192.168.3.101). The gateway (router) is 192.168.2.1 and 192.168.3.1.

Problem. When I try to access shares from a 3.xxx client on a 2.xxx client it says I cannot connect. (And vice versa). I can ping those computers by name and IP Address successfully.

I can connect to internet on them and access shares on the servers (2.1 and 3.1), just not clients.

I'm sure I missed a step or something somewhere along the line. All computers are on the same physical LAN.

All lessons learned from the School of Hard Knocks........at least tuition is cheap.

 

[WhoKilledKenny]

I've added the ip addresses to my NIC (server IP's are now 192.168.2.101 and 192.168.3.101). The gateway (router) is 192.168.2.1 and 192.168.3.1.

Has your physical network be changed to support this setup? Is ther actually a router interface 192.168.3.1?

 

[WhoKilledKenny]

What type of Network are you running? Please describe the physical setup.

What is your IP scheme?
IP - 192.168.0.0
SM - ???.???.???.???

Superscope - What are your thoughts regarding this as your solution?

What is your DHCP Scope setup? How many IP Addresses in your Pool? If you are running out of addresses, how many devices are on your physical network?

The most important info we need right now is the Subnet mask and your DHCP Scope and Address Pool configuration.

 

[mishbaker]

The only function our Router has is maintain a VPN to a router at another location and provides the gateway out into the WAN. It was originally 192.168.2.1 and I have added 192.168.3.1 to it as another IP Address so it can be seen by the new subnet.

Our server runs the DNS & DHCP functions for the network. (192.168.2.101 and 192.168.3.101)

Also, I've just noticed that I can connect to other clients if I use their IP Address instead of their DNS name. Possibly a DNS issue? Not sure what I can do about that. Would using a Superscope require me to make any changes in my DNS Settings??

All lessons learned from the School of Hard Knocks........at least tuition is cheap.

 

[mishbaker]

Subnetmask 255.255.255.0

Superscope
Scope1 = 192.168.2.1 to 192.168.2.254
Scope2 = 192.168.3.1 to 192.168.3.254

Domain controller IP is 192.168.2.101 and 192.168.3.101 (same machine two IP's assigned to that Local Area Connection Device).

Physcial Network:

WAN -------Router------Switches-----Clients/Server

I currently have 227 devices on the 2.xxx subnet with about 10 IP's reserved for future devices (network printers on static, digital senders, etc...)

We are about to add around 140 new laptops when we open the wing of the building. I thought the Superscope was a good way to add additional IP Addresses to my network (seemlessly) according to what I read around the net.


All lessons learned from the School of Hard Knocks........at least tuition is cheap.

 

[WhoKilledKenny]

Scope1 = 192.168.2.1 to 192.168.2.254
Scope2 = 192.168.3.1 to 192.168.3.254

My first concern is that you have two subnets on the same wire.

WAN -------Router------Switches-----Clients/Server

I'm not going to assume which kind of router your are using, so I am just going to pose a question and give you two suggestions for this network. On the Router can you create another subnet either on its own interface or by using a sub interface?

My first option would be to create two VLANs on the Switches. VLAN1 = 192.168.2.1\24 and VLAN2 = 192.168.3.1\24. Use the router to route between these two subnets.
On DHCP I would keep your current scope for 2.1 and create a new scope for 3.1. Since your DCHP server is on the 2.1 network, you are going to have to allow DHCP broadcasts to traverse the router. In CISCO speak this is know as an IP Helper Address. This would be the most common setup I have seen and used myself.

Option 2: If you are not able to setup the router and switches in the above fashion then you will have to re-mask your network to allow for more host addresses to be used.
For example, currently you are using 192.168.2.1\24 (SM=255.255.255.0), This allow for a total of 254 hosts on that network. By borrowing a bits from the subnet mask you can allow for more hosts on that network. If you re-mask to 192.168.2.1\23 (SM=255.255.254.0) this will allow a total of 510 hosts on your network.
You IP range would be:
192.168.2.1 - 192.168.3.254
Subneting the mask is what it looks like you are trying to accomplish. If you choose this option, make sure you change the SM on all devices, but not the WAN side of your router. You will also change your DHCP scope option for the subnet mask. You will only have 2.1 as the gateway.

Hope that helped...

 

[WhoKilledKenny]

Domain controller IP is 192.168.2.101 and 192.168.3.101 (same machine two IP's assigned to that Local Area Connection Device).

I'm really not liking this as well... I would only do this if the Server was also a being used as a router (RRAS). This can cause issues... I would be curious to see the servers routing table.

If you use one of the options above, your server should have only one IP address - 192.168.2.101 (If not being used for RRAS).

 

[mishbaker]

WhoKilledKenny, I set that up just as I read from a "How To..." on the net. It made sense to me since I'm no uber-network super guru. I'll remove the other IP address from the NIC and see how it works.

Option 2 (SuperNetting) is what I was trying to avoid. Going around and changing the SM on all those machines is going to be VERY time consuming. Unless perhaps it can be pushed to all clients via Global Policy??

I was under the impression that by using Superscoping this could be avoided. For the record, the router is a Linksys VPN Router (RV042). The switches are 3COM 24 and 48 port switches used right out of the box and distributed around the facility.

Strange though. I can connect to a client on another Subnet now, but only by IP. If I type \\client01 I get a cannot connect message, but if I type \\192.158.2.99 I get to it just fine. But I can goto the cmd prompt and ping client01. That seems paradoxical to me.

All lessons learned from the School of Hard Knocks........at least tuition is cheap.

 

[WhoKilledKenny]

Option 2 (SuperNetting) is what I was trying to avoid. Going around and changing the SM on all those machines is going to be VERY time consuming. Unless perhaps it can be pushed to all clients via Global Policy??

Subnet mask can be pushed out to DHCP Clients via a DHCP scope option.

Strange though. I can connect to a client on another Subnet now, but only by IP. If I type \\client01 I get a cannot connect message, but if I type \\192.158.2.99 I get to it just fine. But I can goto the cmd prompt and ping client01. That seems paradoxical to me.

Issues cause by having multiple subnets within the same braodcast domain (VLAN). Very strange things can occur with the way you have attempted to set up your network.

Option 2 sound like were you want to be.

Supernetting is usually found in ISP environments where they have a block of IP's that need to distrubute to their customers. Setup can get complicated and really not were you need to go with your environment.

 

[WhoKilledKenny]

FYI - This is not the definition of SuperNetting. This is just configuring a subnet mask that allows for more hosts on you single network.

Option 2 (SuperNetting) is what I was trying to avoid. Going around and changing the SM on all those machines is going to be VERY time consuming. Unless perhaps it can be pushed to all clients via Global Policy??

 

[mishbaker]

Thanks, looks like I'll be trying some Supernetting then.

Let me get this right...
1. Remove the superscope and scope 3.xxx
2. Add SM to scope1 (2.xxx) 255.255.254.0
3. Make sure only one IP on server with proper subnet and SM

I'll have to check my router and see if it accepts a SM other than 255.255.255.xxx

Thanks guys!

All lessons learned from the School of Hard Knocks........at least tuition is cheap.

 

[Serbtastic]

What is the exact message you get when you try to connect to \\client01?

If you can ping it and access it via \\192.168.2.99 then routing is working correctly. Do you have netbios enabled over tcpip? This is required when accessing a share on a different subnet with older OS's.

Also, a question for WhoKilledKenny, you said you were concerned that there are two subnets on the same wire. Why? Assuming he's using switches, there shouldn't be a problem with this. Also, each client listens for either its own IP or broadcasts, so traffic from the other subnet would simply be ignored.

 

[WhoKilledKenny]

If you can ping it and access it via \\192.168.2.99 then routing is working correctly. Do you have netbios enabled over tcpip? This is required when accessing a share on a different subnet with older OS's.

I'm confused, how could routing be working correctly If no routing is going on. All his machines are in the same broadcast domain (same wire). When he pings, of course he gets an answer. For Example, if you changed the subnetmask on a PC, it would still be able to ping within it's VLAN (BC Domain). It would not be able to ping machines outside of it's vlan because the router would not route the traffic.

Yes, I would say NetBIOS is enabled as he is able the UNC whether by name or IP.

Also, a question for WhoKilledKenny, you said you were concerned that there are two subnets on the same wire. Why? Assuming he's using switches, there shouldn't be a problem with this. Also, each client listens for either its own IP or broadcasts, so traffic from the other subnet would simply be ignored.

So what is your point? Because he uses switches his current setup should work fine?
He still needs to route traffic between both subnets, the switch isn't going to do that for him.

 

[mishbaker]

The error I receive when trying to connect to \\client01 is

\\client01 is not accessible.  You might not have permission to use this netowrk resource. Contact the administrator of this server to find out if you have access permissions.

Logon Failure: The target account name is incorrect.

Works fine if I use the client01 IP Address instead....

All lessons learned from the School of Hard Knocks........at least tuition is cheap.

 

[Serbtastic]

I'm confused, how could routing be working correctly If no routing is going on. All his machines are in the same broadcast domain (same wire). When he pings, of course he gets an answer. For Example, if you changed the subnetmask on a PC, it would still be able to ping within it's VLAN (BC Domain). It would not be able to ping machines outside of it's vlan because the router would not route the traffic.

Yes, I would say NetBIOS is enabled as he is able the UNC whether by name or IP.

How could routing not be going on if he's able to successfully ping and UNC into an IP from 192.168.2.x to 192.168.3.x, using SM 255.255.255.0? Of course routing is happening, and happening correctly.

So what is your point? Because he uses switches his current setup should work fine?
He still needs to route traffic between both subnets, the switch isn't going to do that for him.

You stated you had a problem with having 2 subnets on the same wire, and I asked why. His setup should work fine because he IS routing between the 2 subnets (as evidenced by the ping/UNC to the IP above). Why do you believe no routing is happening?

mishbaker, are machines on both subnets using the same DNS server, and are dns records correct for each host? The error you are getting (Logon Failure: The target account name is incorrect) indicates a problem with name resolution. Try this test:

nbtstat -a <hostname>
nbtstat -A <IP address>

Where <hostname> is the actual hostname of client01 and <IP address> is the actual IP of client01.

 

[WhoKilledKenny]

You stated you had a problem with having 2 subnets on the same wire, and I asked why. His setup should work fine because he IS routing between the 2 subnets (as evidenced by the ping/UNC to the IP above). Why do you believe no routing is happening?

Mish stated that "For the record, the router is a Linksys VPN Router (RV042). The switches are 3COM 24 and 48 port switches used right out of the box and distributed around the facility."
Looking at the router spec - The LAN side of the router is hard coded to 192.168.1.x and only support 253 hosts. Since I don't have a model number on the switch, and the fact that they are distributed "out of the box" - I can assume they are layer 2 switches. For these two reasons, I don't see how the router is routing between two subnets, as the router doesn't give you the option to route two or more LANs. The reason, I believe that PING and UNC (to the IP/not hostname) are working is because they are within the same broadcast domain (same wire). If you take a standard hub and two PC's, configured with different subnets. Pinging each other will still work, doesn't mean routing is occuring.

Mish also stated, "The only function our Router has is maintain a VPN to a router at another location and provides the gateway out into the WAN."
Well, looking at the specs of the router he has it set up as dual WAN. The options are Dual WAN or WAN/DMZ. Again, this setup is on the WAN side which has no affect on whether the LAN can support multiple subnets. It can't, as far as the documentation states. So, from my initial posts, it look like Mish was trying to use DHCP to subnet his network - which is not the design DHCP was intended for. I hope that clears up why I'm troubleshooting the issue in the fashion that I am.

Mish,
After going through the Router Docs, It looks like your router infrustucture needs to be upgraded to support more than 253 hosts. Using DHCP in option 2 will not work as the routers subent address (for the LAN side) is hard coded to 255.255.255.0, so unfortunatily there is no way to expand the subnet (255.255.254.0).

This conclusion is just based on the Documentation of the Lynksys router.

 

[mishbaker]

Kenny,

I noticed the same thing. These routers the company purchased are pretty crappy (but the switches are pretty nice, and far more sophisticated than we needed????)

I can change the subnet mask on the router to anything other than 255.255.255.x, but I can add another IP to it. The new firmware upgrade has the ability to give it 192.168.2.1 and 192.168.3.1. That part was working fine since clients on both subnets were able to identify the router and connect to the internet.

The problem is I am currently restricted to this router because our other facilities use it at their sites. If I change out this one, they too will have to change. (Not that I am adverse to this, but you know, company $$$). So if I cant Supernet because of the crappy router's inability to do so, I was hoping Superscoping would solve my problem.

It looks like I may have to write up a justification for new routers. Ugh...

So what use is Superscope? And do you guys have any advice on how I should go about getting more IP Addresses when I get a router with the proper capabilities?

Thanks guys

All lessons learned from the School of Hard Knocks........at least tuition is cheap.

 

[WhoKilledKenny]

I can change the subnet mask on the router to anything other than 255.255.255.x, but I can add another IP to it. The new firmware upgrade has the ability to give it 192.168.2.1 and 192.168.3.1. That part was working fine since clients on both subnets were able to identify the router and connect to the internet.

Mish,
There are two sides to your router WAN and LAN. Changing the subnet mask or adding 2.1 - 3.1, can it be done on the LAN side? You have 4 LAN ports, so can you assign 1.1 to one port, 2.1 to the second, and 3.1 to the third port. From the doc, it looks like the 4 LAN ports where hard coded to the 192.168.1.x subnet. At this point I am assuming that the Firmware upgrade is allowing you to configure a separate IP address for the DMZ/WAN port, would you please confirm where (LAN or WAN) you can make this config changes. Also, it would be helpful if you could supply a link to any new documentation for the router.

 

[mishbaker]

I didn't find any new documentation for it. I was using the almighty Google and found the Linksys Forums where they discussed the addition of that little gem into the firmware. So I DL'ed the new firmware.

Looking at it now it actually does allow me to add a new IP AND a new subnet mask. The additional subnet mask it allows me to enter is openly typed (not like the combo box for the normal way)

Normal Way

Additional Way

But it appears as though (for some unknown reason) I can still only select 255.255.255.x for my initial (original) Subnet Mask.

All lessons learned from the School of Hard Knocks........at least tuition is cheap.

 

[Serbtastic]

mishbaker, do me a favour, and run a sanity check so I know I ain't crazy.

From a 192.168.2.x client, run

tracert 192.168.3.x (use a .3 address of an actual host that has a share)

Please post results.

What WhoKilledKenny describes above is not possible. If you can ping and UNC to an address on a different subnet, something has to be routing, it just doesn't work like he describes it.