Home
Join

Best way to extend LAN IP subnet?

Posted by Labsy
Needs answer
General Networking DHCP & IPAM

Hi,

again looking for suggestions.

Customer has LAN subnet 192.168.1.0/24 and has grown to over 200 devices, and new are comming in. So I need to extend their IP subnet.

BUT, there are gozzilion of non-DHCP devices and configs, which need attention, for example:

  • monitoring devices from various vendors and various caretakers, like medication coolers, HVAC system, access control devices, EEG, EKG, blood analyzers and simmilar medical equipment. Those are configured either via DHCP reservations or Static IP and for many of them I do NOT have access to configuration interface. Many equipment was soled and configured years ago, there's no contract maintenance and there's no device admin known.
  • VPN links to central Government agencies and locations; I guess our local LAN IP and subnet are also configured on remote side, so will it work, if I only change VPN config locally? I guess only devices on existing IP subnet will be able to talk through VPN... or event they will not?

Main problem is that it is phisicaly not possible to go through ALL devices in one weekend + coordinate ALL external davice admins to be available during weekend for all them to change LAN parameters at once.

So I will need to do it in steps. So my idea is:

  1. Extend IP subnet to something like 192.168.0.0/22, so to include existing subnet 192.168.1.0/24 on all SERVERS and ROUTERS
  2. Then move all STATIC IPs to new subnet, lik to upper part 192.168.2.0-254 in order to free up old subnet, so DHCP could keep running in existing subnet.
Ideas?
Spice (10) Reply (6)
Labsy

Popular Topics in General Networking

Switch Recommendations? SNMP traps from PureStorage array into HPE Insight Control (SIM) Point-to-Point Wireless Recommendations - 2022 Static route to bridged routermodem Certificate issue with Wired 802.1x using Windows NPS View all topics

6 Replies

  • The best way is to add a completely new subnet and move devices in a controlled manner. It gives time to test and resolve problems for the challenging devices - even leaving some as they are if they cannot be changed.

    But you might also consider other criteria for example: fastest, cheapest, cost effective with some risk etc.
    Your idea of expanding the current to a /22 can work but the potential risks/complexities are:
    the use of 192.168.0. and 192.168.1 should generically be avoided to clash with other default installations on routers etc.
    make sure you new range is compatible with VPNs and external parties you connect with.
    Keep the default gateway device in the 192.168.1.x range so that the current devices can communicatee with it before their subnet mask is changed. This also allows a device to not change their mask if you cannot access it.
    You must use a router/firewall as your default gateway that allows hairpin (in and out same interface) - so that during migration devices with the /24 mask can communicate with devices on new /22 mask. This is the most challenging bit.

    Spice (4) flagReport
    1 found this helpful thumb_up thumb_down

  • Personally I would create a new subnet (or subnets) with DHCP where necessary for all the devices you can reconfigure and move what you can to that subnet.

    Leave the old subnet in place for the kit you can't reconfigure and over time as that kit is retired eventually the old subnet will become redundant.

    Definitely try to get as much as possible off of 192.168.0.x or 192.168.1.x as that is usually default addresses for any consumer routers that may make their way on to the network and can cause issues.

    Spice (2) flagReport
    2 found this helpful thumb_up thumb_down

  • I would second Kenny8416​ suggestion as it is so much easier and immediate to move machines on DHCP to another subnet just by changing the DHCP settings but I would move them to a much larger subnet and start using IP addresses from the other end as not to clash with existing & new ones.

    - 192.168.1.xxx /24 for current machines with static IPs
    - 192.168.2.xxx /22 for new machines
    - 192.168.4.xxx /22 for DHCP (250 addresses)

    Was this post helpful? thumb_up thumb_down

  • I suggest you move devices that you can off of the current subnet. Having all of those various critical and unsupported devices in the same network is a security nightmare.

    I am a bit surprised that the VPN works, given the fact that you are on 192.168.1.0/24. You likely cannot just configure VPN in your side. You need to review the VPN configuration, as there are different ways to make VPN work. There could be NAT involved, IPsec proxy ID, who knows what else.

    Move things off the current subnet that don't need VPN access. Printers, Wi-Fi clients, IP phones, etc.

    Was this post helpful? thumb_up thumb_down

  • Hello Labsy.

    What does your VPN peers need access to on your LAN? It can't be everything, including access control devices and your facility HVAC equipment.

    Any devices you move to new subnets will no longer be reachable over the VPN, something that may be undesirable if that's a regulatory requirement so you will need to coordinate with all your VPN peers to make corresponding changes to both sides of the tunnel.

    I would advise that you separate medical equipment from your own facility equipment on different subnets. If the medical devices still exceed a /24 subnet then you can move them to a /23 subnet and coordinate with your VPN peers to update the VPN tunnel config.

    I concur with others here that you should move off the 192.168.1.0 /24 subnet. It could present a problem in the future.

    You would configure your router with new subnets or VLAN interfaces depending on your network topology. Then configure DHCP pools for the computers and facility devices. You can then manage IP allocation using reservations where applicable and normal DHCP assignment for computers.

    Plan first, prepare and document then execute.

    Start by moving all devices that don't need VPN access off the main LAN and you will buy some time to get the different admins to make the required changes.

    All the best.

    Greetings from Nairobi.

    Was this post helpful? thumb_up thumb_down

  • Suppose you have a large group of similar devices (laptops, PCs, cameras, etc.). In that case, you may just move those to a new different subnet, freeing IP addresses in the existing one and connecting both subnets via routing. That might be another option between extending the existing one and creating a new one for everything.

    Was this post helpful? thumb_up thumb_down

or sign up to reply to this topic.

Didn't find what you were looking for? Search the forums for similar questions or check out the General Networking forum.

Read these next...