
TCP/IP Settings 4

Status
Not open for further replies.

tylerdurdan66

IS-IT--Management
May 20, 2005
90
US
Not sure what to title this question. I have a network with a Win 2000 Small Business Server, and a Netgear firewall for internet access. All the printers, servers, firewall, WAPs, and workstations start with 192.168.1.X. I want to give certain workstations different numbering schemes such as nursing department 192.168.2.X, accounting 192.168.3.x, etc. When I try this they cannot access the server. What am I doing wrong? I am using 192.168.1.x because I was told this is not routable and provides greater security to the network.
 
What subnet mask are you using? Assuming you are using a mask of 255.255.255.0, then IP 192.168.2.x is on a different network than 192.168.1.x and will require routing in order to communicate with the server.

As for 192.169.1.x being non-routable, that is not true. What is true is that most ISPs won't route private IPs (like 192.168).

And the part about greater security on the network is also false. I'm not even sure what you mean by this.
 
If I make my subnet 255.255.0.0 on a workstation using 192.168.2.x, will this allow it access to devices using 192.168.1.x?
 
tyler - no, that will not work. All you are doing there is setting it to a default class B subnet mask. You actually need routing between the subnets in order for them to talk to each other.

Serbtastic - You say that this does not improve security. However, your comment is not correct. A major point of private IP addresses, as well as conservation of network addresses, is to provide greater security to hosts on the inside of the network, as this will be used in conjunction with NAT/PAT. The inner machines are more "hidden" than they are if they were assigned a public IP address and thus less accessible.

I have always read that private addresses are considered non-routable because they are clearly defined, standard, private network addresses and ISPs and indeed hardware by default will not route these addresses.

Tyler - What exactly are you trying to achieve by altering the network configuration? How many hosts are there in the network? What do you expect the results to be?

Systems Administrator
BSc Network Computing, CCNA. Both in training! :)
 
My question has two reasons:
1. We are about to give internet access to our residents (I work at a retirement community with about 175 residents).
I am going to set up a Netgear firewall on 192.168.1.X with DHCP for residents only, and change all current IPs to 192.168.2.x. I thought there could be a way to do this gradually if 192.168.1.x could access 192.168.2.x.

2. Just wondering how a business with 300 workstations would set up their network.
 
Ah I see, then yes, what you want to do does make sense. If you only use say 192.168.1.x then you can only have 253 usable hosts, so it's not at all scalable. You could set the router to issue DHCP but I do not know how to do it so that only certain machines are issued IP addresses dynamically.

That will be useful to know however so I am sure someone will be able to tell us.

As for your second question, I should imagine a network with that many hosts will typically use DHCP but don't quote me on that! It certainly makes life easier for the admins. However, I am now curious myself how you can differentiate between subnets when using this, aside from using MAC authentication.

Systems Administrator
BSc Network Computing, CCNA. Both in training! :)
 
Not 100% sure, but I don't think you can do what you want to do with the equipment you have right now. You need either a layer 3 switch or a router. What kind of switches do you have at your location right now? Are they VLAN aware? Do you already have a router at your location (other than the Netgear)?

To answer your question cyberspace, the Netgear will only be able to give DHCP to one VLAN. I don't think it has the capability for multiple DHCP configurations. If the DHCP is on the server then it will answer DHCP requests from its own segment, unless the request is coming from a router that was able to determine which segment it wants because it knows which VLAN it came from. It then simply says to the server "give me an address on segment X.X.X.0 for MAC address YY:YY:YY:YY:YY:YY".

 
cyberspace - If tylerdurdan66 makes his subnet mask 255.255.0.0 on all workstations and his Netgear firewall, it WILL allow devices using 192.168.2.x to access devices using 192.168.1.x. This subnet mask would make all 192.168.x.x IPs on the same network.

Also, it would not improve security as there was no mention of NAT/PAT, and using a private IP address scheme will not inherently make it more secure.

Finally, private IP addresses ARE routable; there's nothing in the RFC spec that says they are not. ISPs normally choose not to route them.

tylerdurdan66, assuming a business with 300 workstations wanted to put all their machines on a single subnet, they would use a broader subnet mask (like 255.255.0.0).
 
Indeed they are routable, I said that they are simply considered non-routable because they are set aside for private use!

The following quote is from the RFC1918 spec:

"Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks."

Yes this says expected to, but I doubt they will specify otherwise when it's a clearly defined standard.

Also - The security issue - if you are using private IPs on the internal network - what other option but NAT is there? I've always thought the two worked together.

Thanks for correcting me on the subnet mask though, I didn't know that was the case, I thought a route to the network would have to be specifically configured on the router.

Systems Administrator
BSc Network Computing, CCNA. Both in training! :)
 
OK, I changed the subnet on my workstation and on the file server, but other workstations lost connection. When I change subnet is it changing the network? Thanks for all the help so far. I guess I will have to wait till after hours and change the subnet on everything including printers, server, firewall and workstation.
 
One more thing, my network consists of:
one 2000 SB server
one Netgear firewall VPN 318
a lot of 3Com switches
a couple of Netgear switches
a couple of Linksys wireless access points
workstations
printer servers
Our network is only 30 workstations but since we are in a nursing home they are very spread out.
 
I would expect other users to have lost access to the server if you'd also given the server an address that doesn't begin with 192.168.1.x when you made your change.

If you want to deploy a flat network as outlined above, arguably an adequate migration strategy would be to firstly ensure all devices with an IP address utilise the 192.168.1.x address with a 255.255.255.0 mask - which is what I think you have currently.

If you then change the subnet mask only of the server to 255.255.0.0 as you've outlined but keep the 192.168.1.x address, people should be able to continue to access it. You haven't mentioned what everyone's default gateway is. I would assume it's likely to be the Netgear firewall. I would also change this device at the same time (giving it a 192.168.1.x address with a 255.255.0.0 mask)

You should then hopefully be able to migrate users at your pace by allocating them any 192.168.x.x address with a 255.255.0.0 mask.
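
The mask behaviour discussed in this thread, as an added example that is not part of the original posts: a small Python model of which hosts on one shared LAN segment treat each other as local, given only their address and mask. The host octets are constructed sample values, and it is an assumption that the gateway will forward a packet back out of its LAN port, which depends on the device.

```python
import ipaddress

def on_link(host, dst_ip):
    """True if host ('ip/mask') treats dst_ip as local and ARPs for it directly."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(host).network

def ip_of(host):
    """Bare address part of an 'ip/mask' string."""
    return str(ipaddress.ip_interface(host).ip)

def one_way(src, dst, gw):
    """Path of a packet from src to dst; all three sit on one LAN segment."""
    dst_ip = ip_of(dst)
    if on_link(src, dst_ip):
        return "direct"
    if not on_link(src, ip_of(gw)):
        return "unreachable"   # src cannot even ARP for its default gateway
    if on_link(gw, dst_ip):
        return "via-gateway"   # assumption: gateway forwards back out its LAN port
    return "unreachable"       # gateway treats dst as off-LAN and sends it elsewhere

def round_trip(a, b, gw):
    """(a -> b, b -> a); a session needs both directions to work."""
    return one_way(a, b, gw), one_way(b, a, gw)

# Constructed sample hosts; the thread only gives 192.168.1.x and 192.168.2.x.
M24, M16 = "255.255.255.0", "255.255.0.0"
SCENARIOS = [
    ("original problem, everything /24",
     f"192.168.2.50/{M24}", f"192.168.1.10/{M24}", f"192.168.1.1/{M24}"),
    ("server moved to .2.x/16, firewall still /24",
     f"192.168.1.50/{M24}", f"192.168.2.10/{M16}", f"192.168.1.1/{M24}"),
    ("server kept on .1.x with /16, rest still /24",
     f"192.168.1.50/{M24}", f"192.168.1.10/{M16}", f"192.168.1.1/{M24}"),
    ("server moved to .2.x/16, firewall also /16",
     f"192.168.1.50/{M24}", f"192.168.2.10/{M16}", f"192.168.1.1/{M16}"),
    ("fully migrated, everything /16",
     f"192.168.2.50/{M16}", f"192.168.1.10/{M16}", f"192.168.1.1/{M16}"),
]

if __name__ == "__main__":
    for label, ws, srv, gw in SCENARIOS:
        print(f"{label:46} ws->srv, srv->ws = {round_trip(ws, srv, gw)}")
```

A mixed-mask state can leave traffic working in one direction only or taking a different path each way, so a half-migrated segment is worth checking from both ends.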
 
I have a Netgear firewall set up as the default gateway and didn't change the subnet on this, that must be why some workstations lost the server. Thanks everyone for your help, I have really learned a lot!
 
So when you altered the subnet mask on the router, did this then allow the workstations to gain access again?

Glad you asked the question actually as I too have learned some valuable information! Great post KiscoKid.



Systems Administrator
BSc Network Computing, CCNA. Both in training! :)
 
I changed the subnet on my firewall to 255.255.0.0, which I use as the gateway for workstations to get internet and intranet. Then I changed the gateway for the file server to 255.255.0.0. There was a slight disconnection during the change between the two but after the change everything worked. Then I changed my workstation to 192.168.2.x and everything worked. I can run an IP program (Angry IP Scanner) and see 192.168.1.x addresses and then run it again to see 192.168.2.x, no problems. Thanks everyone.
 
Great, looks like you are sorted then :)

Systems Administrator
BSc Network Computing, CCNA. Both in training! :)
 