Network Upgrade/Reconfiguring

gmc8757

Member
After a month of being at my job, I've been put to the task of really looking into our network. We have about 300-350 PC's and VoIP. We are spread out over a wide area, but still physically connected (for example, we lease a fiber line on the telephone poles to connect to the other side of the highway). Right now we have 5 major locations, all plugged into a layer 3 switch. Each location is on its own VLAN. So we have Vlan 1 with addresses from 192.168.0.0-192.168.1.255 with a mask of 255.255.254.0 and gateway of 192.168.1.1. Vlan 20 has IP's of 192.168.20.0/255.255.254.0 gateway of 192.168.20.1, VLan 30 has 192.168.30.0/255.255.254.0 gateway of 192.168.30.1, VLan 40 has 192.168.30.0/255.255.254.0 gateway of 192.168.40.1, VLan 50 has 192.168.50.0/255.255.254.0 gateway of 192.168.50.1. The gateway of the layer 3 switch is 192.168.1.1 (obviously a problem if someone decides to plug in a Linksys or any other home device, but that's beside the point). We are currently an all static network, another headache.

So the problem: from my computer 192.168.0.5, I can not ping some PC's on my same VLan. Even though they are up, connecting to the email server etc in the server room which is on the same switch i'm in. I'm not even sure VLans are necessary here. Maybe subnetting would be just fine. They do plan on big growth in the future, so whatever we do, we need to be ready for expansion. Right now, VoIP and PC's are on the same VLan anyway. I would like to make the phones on 1 vlan and the pc's on the other. Any ideas where to begin trying to figure out why I can't ping some PC's but can ping others? I mean, these pc's are even in the same building and i can ping one but not the one right next to it.
 
Get a consultant, make sure to get references before you hire them.

And I don't think that you should do away with the segregation of networks. It's not a bad method of helping to control an outbreak, should one occur.
 
Yea, we thought about a consultant, but we'd like to do it ourselves. I do like the idea of VLans, as long as I can get to every machine. I'm not sure what's holding me back from doing so.
 
probably firewall (software) stopping pings.

don't just jump into changes, make sure you plan out every step, and document what's required, what risks are involved, and move it into manageable chunks.


And if someone plugs a SOHO router/WAP into your network, fire them!
 
Haha, we would have to fire a couple of people already. I plan on visiting every switch and seeing what configs they have. Most shouldn't be managed. But let me ask this, even though they are not managed do they need an IP address/mask or can they be completely unmanaged?
 
Originally posted by: gmc8757
Haha, we would have to fire a couple of people already. I plan on visiting every switch and seeing what configs they have. Most shouldn't be managed. But let me ask this, even though they are not managed do they need an IP address/mask or can they be completely unmanaged?

remember, switches operate at layer 2 and use mac addresses only. that is unless you're talking about a layer 3 switch 😉 the ip address is for management purposes only.

if your switches are capable of management, why not set them up with ip's? It's all about making it easier on YOU. Would you rather have to go to each switch, console in to see the config or do it all from your desk? 🙂
 
i know they're at layer 2, but I don't understand how two pc's connected to the same switch can't communicate with e/o. I wasn't sure if I had to give them an IP or not.

Management wise it's much easier. but if they're unmanaged, i guess they don't need an IP.
 
if you are running vlans, then you are (virtually) on other switches, so you need those 2 connected, either with a cable (same subnet) or router (different subnet)
 
Originally posted by: nweaver
if you are running vlans, then you are (virtually) on other switches, so you need those 2 connected, either with a cable (same subnet) or router (different subnet)

I'm sorry, i don't really follow. For example, i have a nortel switch, no ip, no configuration at all.....basically it came out of the box and they plugged it in. now there are a few pc's plugged into this switch, and i can't ping from one to the other. they both get out to www etc. is there something at a minimum i should configure on the switch? they're all on the same vlan.
 
Well it would be best to configure the switches and put all the ports into the correct VLAN. While you can get away with leaving everything in the default, it can cause you problems down the road and interoperability issues.
 
ok, which is probably what i have a problem with now. So i think i need to go to every switch and make sure they're on the correct vlan.
 
yea, firewalls aren't an issue and some PC's had a mask of 255.255.255.0 while others had 255.255.254.0 After changing them all to 255.255.254.0, there's still some issues.

I need to get a dhcp server up and running to hand out the correct info. Which linux distro do you like the best for this?
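
The mixed masks mentioned in this post, as an added example that is not part of the original thread: a Python sketch that shows how hosts on the same VLAN disagree about who is on-link when some use 255.255.255.0 and others 255.255.254.0. The host names and host addresses are constructed; the masks and the 192.168.1.1 gateway come from the thread.

```python
import ipaddress

# Constructed sample hosts on VLAN 1; only the masks and gateway are from the thread.
GATEWAY = ipaddress.ip_address("192.168.1.1")
HOSTS = {
    "pc-a": "192.168.0.5/255.255.254.0",
    "pc-b": "192.168.0.77/255.255.255.0",
    "pc-c": "192.168.1.50/255.255.255.0",
}

def next_hop(src_iface, dst_ip):
    """How the source host decides to send a packet to dst_ip.

    'direct'      - dst is inside the source's own subnet, so it ARPs for it
    'gateway'     - dst is outside, packet is handed to the default gateway
    'unreachable' - dst is outside AND the gateway is outside the source's
                    subnet, so the host has no usable route
    """
    if dst_ip in src_iface.network:
        return "direct"
    if GATEWAY in src_iface.network:
        return "gateway"
    return "unreachable"

def audit(hosts):
    """Return a list of (subject, finding) tuples for a set of host configs."""
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in hosts.items()}
    findings = []
    # A host whose mask puts the gateway off-link cannot leave its subnet.
    for name, iface in ifaces.items():
        if GATEWAY not in iface.network:
            findings.append((name, "gateway off-link"))
    # Pairs that take different paths in each direction (asymmetric or broken).
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            fwd = next_hop(ifaces[a], ifaces[b].ip)
            rev = next_hop(ifaces[b], ifaces[a].ip)
            if fwd != rev:
                findings.append((f"{a}<->{b}", f"{fwd}/{rev}"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(HOSTS):
        print(subject, finding)
```

A pair flagged `direct/gateway` may still answer pings through the layer 3 switch; a pair with `unreachable` on either side will not.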
 
any....installing a dhcp server is deadly simple for anyone with a little experience. It all comes down to preference. I'm a debian guy myself, but Gentoo, Redhat, Fedora, Suse, Slack......all comes down to what you like/know.
 
Well with 300 to 350 computers I am going to take a stab and say that you must have a few servers? Are you running AD?

John
 
Originally posted by: netsysadmin
Well with 300 to 350 computers I am going to take a stab and say that you must have a few servers? Are you running AD?

John

Hi John, yea we have 13 servers, 3 domain controllers running AD. Mostly all servers are win 2k3 poweredge dells.

I have a fedora 5 box and installed the DHCP component but the service won't start. I'm going to have to look into this. How would I go about giving different ip addresses to different vlans? I'm not familiar with providing different scopes, also something i'm going to look into.

Thanks,
Joe
 
If you are already running AD why are you going to setup a linux box for DHCP? Just use the Win2003 servers and setup DHCP on there. It works great with AD and DNS and you can split it up for the different scopes! Also if your DC's are setup at multiple sites you can split up the DHCP with the sites.

John
 
that's great, thanks a lot. I suggested putting DHCP on one of our current servers, and my boss wants to have dhcp be the only thing running on the server. I'm sure I can change his mind. So you suggest putting it on one of our DC's? All three DC's are in the same room, in vlan 1.
 
Originally posted by: gmc8757
that's great, thanks a lot. I suggested putting DHCP on one of our current servers, and my boss wants to have dhcp be the only thing running on the server. I'm sure I can change his mind. So you suggest putting it on one of our DC's? All three DC's are in the same room, in vlan 1.

In all seriousness, whatever your boss says from here on out is bullcrap. If he doesn't understand something as basic as this and wants it on its own server = he's an idiot.

Load up DHCP, a process that will take like .00000000001% of a server's resources. The thing that you'll need to do is in your router (layer3 switch) is have a DHCP relay agent. This will pick up the layer2 dhcp requests and forward them to your DHCP server.

 
haha...my boss really is an idiot....didn't take much to convince you i guess.

I'm going to look into whether my 3com 4070 layer 3 switch will do this DHCP relay. I'm already disappointed in this switch because it won't do multicast filtering between vlans, so no conference calling between vlans.
 
What I would do is figure out the scopes you want to use and set up DHCP on two different DC's splitting the scopes across both servers for redundancy. If you lose one server DHCP will still be functioning. Just make sure you have room on each scope to serve up IP's for the whole scope in case one of the servers goes down.

PS...As Spidey says DHCP takes up the tiniest bit of resources on a server. Put it on the DC's like I said before.

John
 
netsysadmin, can you just clarify for me? You would have two DHCP servers, what do you mean split the scopes, would you have for ex scopes 192.168.0.0 - 192.168.1.254, 192.168.20.0 and 192.168.30.0 on DHCP server1 and the rest on DHCP server2, or would you have each servers give out ip's for all scopes?
 
I would take each subnet you need to hand out and split half on one server and half on the other. This way if one DC goes down for some reason you won't lose all DHCP.

John
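
The split-scope idea from the last few posts, as an added example that is not part of the original thread: a Python sketch that halves each VLAN's range between two DHCP servers and checks whether one half alone could carry the VLAN if the other server is down. Networks are derived from the gateway addresses and the 255.255.254.0 mask listed in the first post; the per-VLAN client counts are assumptions.

```python
import ipaddress

MASK = "255.255.254.0"
# Gateways per VLAN as listed in the first post of the thread.
GATEWAYS = {1: "192.168.1.1", 20: "192.168.20.1", 30: "192.168.30.1",
            40: "192.168.40.1", 50: "192.168.50.1"}

def split_scope(gateway, mask=MASK):
    """Split one subnet's host range in half, one half per DHCP server.

    The gateway address is listed as an exclusion in whichever half
    contains it, so neither server can lease it out.
    """
    net = ipaddress.ip_interface(f"{gateway}/{mask}").network
    gw = ipaddress.ip_address(gateway)
    first = net.network_address + 1
    last = net.broadcast_address - 1
    mid = first + (int(last) - int(first)) // 2
    halves = []
    for start, end in ((first, mid), (mid + 1, last)):
        exclude = [gw] if start <= gw <= end else []
        usable = int(end) - int(start) + 1 - len(exclude)
        halves.append({"start": start, "end": end,
                       "exclude": exclude, "usable": usable})
    return net, halves

def failover_ok(clients_per_vlan):
    """True per VLAN if either half alone can lease to every client."""
    result = {}
    for vlan, gateway in GATEWAYS.items():
        _, halves = split_scope(gateway)
        result[vlan] = min(h["usable"] for h in halves) >= clients_per_vlan
    return result

if __name__ == "__main__":
    for vlan, gateway in GATEWAYS.items():
        net, halves = split_scope(gateway)
        for server, h in zip(("server1", "server2"), halves):
            print(f"VLAN {vlan} {net} {server}: {h['start']}-{h['end']} "
                  f"exclude={[str(x) for x in h['exclude']]} usable={h['usable']}")
    # Assumption: roughly 70 clients per VLAN (350 PCs over 5 locations).
    print(failover_ok(70))
```

With a /23 mask, 192.168.0.255 and 192.168.1.0 are ordinary host addresses, which is why the two halves meet there.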
 