Advanced IP Addressing Question
drewgraham
Senior Member with 177 posts.
Join Date: Jul 2005
Experience: Geek in training
11-Apr-2008, 07:05 AM #1
Advanced IP Addressing Question
I'm setting up a network and it's conceivable that my DHCP server will need to assign more than the 220-odd spare addresses (after reserved IPs for the network kit) in the way I normally set up networks.

I have, therefore, set it up with a 24-bit (10.23.0.0) rather than 16-bit block (192.168.23.0).

I've never grasped binary, and therefore IP addresses and subnets.

Should the subnet mask of my 10.23.0.0 network be 255.255.255.0 or, as I want to assign more than just the last byte as differing, should it be something different?

I can set the DHCP pool starting address (10.23.0.1) and size (currently 253) - how can I safely assign more into the pool?
drewgraham
Senior Member with 177 posts.
Join Date: Jul 2005
Experience: Geek in training
11-Apr-2008, 08:59 AM #2
Having read and read on this:

If I set the subnet mask of the network to 255.255.0.0 then it gives me a single network (which I can split via 802.1Q VLANs) with 65536 addresses.

It's overkill, but it works.

Can anyone advise me against / towards this?
Pookie
Member with 88 posts.
Join Date: Dec 2004
Experience: Intermediate
12-Apr-2008, 08:47 PM #3
The beauty of subnetting is that you don't need to go on even 8 bits. How many addresses do you need or want? I'll set you up a range and mask in a matter of seconds.

Having 65k addresses in your pool is only bad because you have to track all your IPs, and the more available in your scope the more available to crackers to try and exploit; that, and it's a waste of IP addresses.

i.e. on my home network I run a scope of 255.255.255.248 so there are only 6 hosts, 1 network and 1 broadcast. If you only use 2 network addresses you can use .252

2 laptops 2 desktops and a Wii with 1 open slot for anyone else who might come over and want to surf from their lappy.

255.255.255.0 is 254 hosts
255.255.252.0 is 510 hosts
255.255.248.0 is 1022 hosts
and so on.

hope this helps
__________________
CCNA, Mcp Server 2k3, A+ IT tech, Network +,Security+

Last edited by Pookie : 12-Apr-2008 08:56 PM.
drewgraham
Senior Member with 177 posts.
Join Date: Jul 2005
Experience: Geek in training
01-May-2008, 08:58 AM #4
The situation is this:

I have a network whose master router was going to supply 4 VLANs with IP addresses, but it can only handle 254 IPs. So I've now got the main router (10.23.0.254 with a subnet of 255.0.0.0) handling the 'secure' VLAN1 and connected to that, another ethernet router (VLAN2) with WAN IP of 10.23.0.245, 255.0.0.0).

I had wanted to set the VLAN2 router to give out addresses in the 10.23.1.0 range, but it won't allow WAN connectivity if I do. If I set it to distribute addresses from 192.168.24.0 with a subnet of 255.255.255.0, it works.

It's obviously an IP / subnetting issue that I don't understand, or possibly a RIP / Multicast issue, neither of which I'm on top of (if someone wants to explain...)

If I want the main router to have the IP of 10.23.0.254, give out addresses in the 10.23.0.0 range and the routers coming from that to give out addresses in the 10.23.1.0 (VLAN2), 10.23.2.0 (VLAN3) and 10.23.3.0 (VLAN4) ranges, what do I do?

I don't need or want the VLANs to have access to each other but, as VLAN1 is coming into the main router, it will have access to all.
zx10guy
Senior Member with 345 posts.
Join Date: Mar 2008
Experience: Clueless
01-May-2008, 09:09 AM #5
For the router handling VLAN2, you can't set your inside addresses to 10.23.1.0 using a 255.0.0.0 mask. With that subnet mask, you're saying everything in 10.x.x.x is on the same network. The router won't route because there's nothing to route when you set your internal addresses in the 10.23.1.0 area. BTW in this scheme 10.23.1.0 is a valid IP.

It will also be helpful if you put up a network diagram of how you expect all these various subnets hanging off routed interfaces to connect to each other.
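The subnet arithmetic behind Pookie's host counts (#3), the DHCP pool size question in the first post, and zx10guy's point in #5 that 10.23.0.245 and 10.23.1.0 are the same network under a 255.0.0.0 mask, as an added worked example (not from the thread, standard-library ipaddress only; the function names are my own):

```python
import ipaddress


def usable_hosts(mask: str) -> int:
    """Usable host addresses under a dotted-decimal mask, excluding the
    network and broadcast addresses (255.255.255.248 -> 6)."""
    net = ipaddress.IPv4Network(("0.0.0.0", mask))
    return net.num_addresses - 2


def mask_for_hosts(wanted: int) -> str:
    """Longest (most restrictive) mask that still leaves `wanted` usable
    hosts; /30 is the smallest block with any usable hosts at all."""
    for prefix in range(30, 0, -1):
        net = ipaddress.IPv4Network(f"0.0.0.0/{prefix}")
        if net.num_addresses - 2 >= wanted:
            return str(net.netmask)
    raise ValueError("more hosts than a single IPv4 block can hold")


def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when both addresses land in the same network under `mask`.
    A router has nothing to route between two such addresses."""
    net_a = ipaddress.IPv4Network((addr_a, mask), strict=False)
    net_b = ipaddress.IPv4Network((addr_b, mask), strict=False)
    return net_a == net_b


def pool_fits(network: str, mask: str, first: str, size: int) -> bool:
    """Does a DHCP pool of `size` addresses starting at `first` stay inside
    the usable range of network/mask (above the network address, below
    the broadcast address)?"""
    net = ipaddress.IPv4Network((network, mask))
    start = ipaddress.IPv4Address(first)
    last = start + (size - 1)
    return net.network_address < start and last < net.broadcast_address


if __name__ == "__main__":
    print(usable_hosts("255.255.255.248"), mask_for_hosts(300))
    # The VLAN2 router's WAN side and its intended LAN range, as posted:
    print(same_subnet("10.23.0.245", "10.23.1.0", "255.0.0.0"))
    print(pool_fits("10.23.0.0", "255.255.255.0", "10.23.0.1", 253))
```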
drewgraham
Senior Member with 177 posts.
Join Date: Jul 2005
Experience: Geek in training
05-May-2008, 07:06 PM #6
Here's a network diagram showing how I'd like it to work. 10.23.X.0 refers to a network rather than an address.

VLAN1 is the secure VLAN where all management will happen from.

VLAN2 is for wireless internet-only access, VLAN3 is for wired internet-only access and VLAN4 is a separate network.

The VLANs are set up correctly on the switches - there is also a port on Switch B in isolation connected to VLAN1 for management.

None of the VLANs should have access to each other, although it would be good if VLAN1 could manage the wireless access points on VLAN2.

Currently:
Router 1 is running 10.23.0.0 with a subnet of 255.255.255.0
Router 2 is running 192.168.24.0 with a subnet of 255.255.255.0
Router 3 is running 192.168.25.0 with a subnet of 255.255.255.0
Router 4 is running 192.168.26.0 with a subnet of 255.255.255.0

Is it possible for me to segment the network to give and restrict the access required using IPs and subnets?

[Attached thumbnail: advanced-ip-addressing-question-twb-subnet-map.jpg (network diagram, image not included)]
zx10guy
Senior Member with 345 posts.
Join Date: Mar 2008
Experience: Clueless
06-May-2008, 04:45 PM #7
The first question I have for you is what routers are you using and are they 802.1q capable? Yes, you can make your scheme work and probably even simplify it even more where you only have one router and one managed switch with the port density to support the number of physical devices you are plugging in. But again it depends on the type of routers you are planning on using.
drewgraham
Senior Member with 177 posts.
Join Date: Jul 2005
Experience: Geek in training
06-May-2008, 04:57 PM #8
I'm not using 802.1q VLANs. I'm using port based VLANs, primarily to allow me to control access between various network points.

The main router is a Vigor 2930. The other routers are currently ZyXel P660s as it's all I had in my parts bin when the kit I was going to use failed to be delivered. The switches are ZyXel 20204PWRs, and the WAPs are ZyXel G3000Hs.

To answer your question, the routers are not 802.1q capable, although the switches are.
zx10guy
Senior Member with 345 posts.
Join Date: Mar 2008
Experience: Clueless
06-May-2008, 04:59 PM #9
So how are you planning on getting the routers to respond to two different subnets? Is there a physical management port on the routers which you can assign a management IP to?
drewgraham
Senior Member with 177 posts.
Join Date: Jul 2005
Experience: Geek in training
06-May-2008, 05:03 PM #10
The routers are set up to accept management from the WAN, not the LAN ports so only people on VLAN1, the secure VLAN, can manage them.
zx10guy
Senior Member with 345 posts.
Join Date: Mar 2008
Experience: Clueless
06-May-2008, 05:08 PM #11
Ok. So I'm a bit confused by the IP addressing you are using on the back end icons for what appears to be servers, workstations, and printers. Are these resources on the private side of the routers or on the outside sitting on the subnet space where the router's outside (WAN) ports are connecting to the edge router?
zx10guy
Senior Member with 345 posts.
Join Date: Mar 2008
Experience: Clueless
06-May-2008, 05:10 PM #12
One more thing I want to clarify. When you use port based VLANs or tagged VLANs, you're just doing a virtual isolation of layer 2 traffic. To have traffic move outside of this layer 2 boundary, you need a router with an interface on the VLAN. Just want to make sure we're clear on this aspect.
drewgraham
Senior Member with 177 posts.
Join Date: Jul 2005
Experience: Geek in training
12-May-2008, 10:11 AM #13
zx10guy,

My notifications on this thread stopped - sorry for the late reply.

The servers, workstations and printers are on the outside of the subnet space. They are all coming from the LAN rather than WAN ports of their respective routers. On all of the routers, the WAN port is 'above' on the diagram, and the LAN ports 'below'. I hope that's clear?

Router 1 will dispense addresses to VLAN1, as well as the WAN ports of the other routers.

That is my knowledge of VLANs as well, and how it's set up. VLAN2 is served by Router 2, VLAN3 by Router 3 and VLAN4 by Router 4.

Is it possible to segment this network without resorting to firewall rules, but by using subnets and IP addresses?
zx10guy
Senior Member with 345 posts.
Join Date: Mar 2008
Experience: Clueless
12-May-2008, 11:01 AM #14
What model routers are you using?

The only way I can see this working properly and to maintain some sort of security for the interior routers (routers 2-4) is to implement ACLs where you can specify traffic going in and out of the router's interface.

In the Cisco world, a sample rule would be something like:

ip access-list extended FileSharingAllowedIn
 remark reply traffic of VLAN3 -> VLAN2 tcp/139 sessions, entering from the inside LAN
 permit tcp 192.168.24.0 0.0.0.255 eq 139 192.168.25.0 0.0.0.255 established
 deny ip any any

ip access-list extended FileSharingAllowedOut
 remark VLAN3 hosts opening tcp/139 (NetBIOS session) to VLAN2 hosts
 permit tcp 192.168.25.0 0.0.0.255 192.168.24.0 0.0.0.255 eq 139
 deny ip any any

Then I would apply these to the inside routed interface like this:

interface ethernet 0/1
 ip access-group FileSharingAllowedIn in
 ip access-group FileSharingAllowedOut out

That's the gist of setting up an ACL and there might be some traffic flows I didn't account for in my example as it's just off the top of my head and I'm foggy right now from an allergy attack. Also, higher grade routers will allow additional ACL functionality like reflexive and stateful access list control.
Wanderer2
Senior Member with 889 posts.
Join Date: Jan 2008
Experience: Advanced
12-May-2008, 03:11 PM #15
You don't need routers 2, 3 and 4. Put a second LAN interface in router 1 and create sub-interfaces on each LAN interface you want IP on to connect to your switches. You are only adding overhead/hops with this config. I would suggest you also have an exact replacement for Router 1 with a preloaded config of the existing one, so if the router fails you just swap it and boot it.
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.