11-14-2013 12:18 PM - edited 03-07-2019 04:36 PM
I work for a very old company that owns a class B IP range. I've been tasked with changing our lan ip addresses to class C as they plan to sell the class B addresses.
My plan was to add a new IP pool to our existing dhcp server (win 2008) for a new vlan that will use a class C range.
Then I can slowly move some test users over once I create a new SVI and update my GRE/ASA setup.
It's my understanding that dhcp relay for vlans "just works" so am I safe :)
Will workstations on the old vlan 41 using the class B range only get leases from the pool specified in the server for that subnet whilst the workstations in the new vlan 13 using class C addresses get leases for their respective subnet?
Thanks in advance.
11-14-2013 12:31 PM
Chris
Basically yes. When you create the new SVI you would add an "ip helper-address x.x.x.x" command where x.x.x.x is the DHCP server address. The DHCP request will come from that SVI so your DHCP server will know that it needs to hand out an address in that range.
Jon
11-14-2013 12:36 PM
Thanks.
After I have this set up I will then start to create essentially a new environment. New Active Directory forest, DNS, etc.
These lans are isolated as long as I don't have any routes setup from the old vlan/subnet to the new one, correct?
11-14-2013 12:40 PM
Whether they are isolated depends on where you are configuring the new vlan. You mentioned configuring a new SVI which suggests you are using a L3 switch?
If you are and the same L3 switch has an SVI for the class B network then you may find they can route automatically. It really depends on the switch and whether it has ip routing enabled etc.
Can you provide a few more details, i.e. how is the current class B network routed, what device etc. and where are you configuring the new SVI?
Jon
11-14-2013 12:49 PM
Our core is a 4500 and the access switch is 3 x 3750 switches set up in a stack (connected via EtherChannel using 4 x 1gb connections).
We have hsrp set up on the 4500 with the standby in the same device (not sure if there is any point having that standby). ASA are 5500 series and GRE 2500 series.
So it's my understanding that traffic flows like this (GRE part still learning):
Workstations > Core svi (default gateway) > ASA > internet
Or
Workstations > Core svi (default gateway) > ASA > GRE
11-14-2013 12:54 PM
So on your core switch you have an SVI for the class B vlan and you are proposing to add an SVI for the new class C vlan - is that correct?
If that is correct and you want to make sure that the 2 networks cannot talk to each other you need to use acls on the SVIs to block traffic between them.
Can you confirm the above and also are you okay with the acl part or do you need a hand? If you do need help can you specify whether the new class C only needs to be blocked from the existing class B network but can still use the internet or whether you want to block the class C network from going anywhere.
Jon
11-14-2013 01:03 PM
Correct assumption regarding the SVIs.
My thinking was to block all traffic between the two vlans initially, as this will be a new test environment to start prior to becoming production.
So I was assuming I'd do it this way:
- acl to allow traffic to the asa for internet access
- block everything else
Then later simply take the acl out once the new AD is setup as I will probably need to create a trust and allow some users in the new environment access to the old until I can rebind everyone to the new forest.
I probably don't even need the acl to start with? I am just being cautious as I wasn't sure what (if anything) in the new DCs and DNS servers would broadcast to my old environment.
At some point though, workstations in one subnet will need to be able to access servers in the other as I can't migrate 200 users simultaneously from one domain to another.
11-14-2013 01:08 PM
Probably a good idea to initially use an acl on the new SVI when you test DHCP leases and internet access. As you say once this is done you can probably take it out when you need migrated clients to be able to talk to class B servers etc.
I can't really comment on the AD side of things, i.e. whether or not it is dangerous to have servers with a new AD being able to talk to servers with an old AD etc. as I don't have any experience with that side of things.
Jon
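An added example, not part of any post in this thread: a sketch of the new SVI with the `ip helper-address` relay described earlier and an inbound ACL that keeps VLAN 13 away from the class B range while still letting DHCP and internet traffic through. All addresses and the ACL name are placeholders, and it assumes the existing DHCP server sits inside the class B range.

```cisco
! Constructed example. Placeholder addressing (not from the thread):
!   172.16.0.0/16   = existing class B range on VLAN 41
!   172.16.0.10     = existing Windows DHCP server (assumed to be in the class B range)
!   192.168.13.0/24 = new class C range on VLAN 13
!
! ip helper-address relays more than DHCP by default (NetBIOS name and
! datagram, DNS, TFTP, time, TACACS broadcasts). Stop relaying the NetBIOS
! broadcasts so the new Windows hosts do not announce themselves to the
! old environment through the helper.
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
!
ip access-list extended VLAN13-IN
 remark DHCP broadcasts from clients that have no address yet
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 remark unicast lease renewals to the DHCP server in the old range
 permit udp 192.168.13.0 0.0.0.255 eq bootpc host 172.16.0.10 eq bootps
 remark everything else towards the old class B range is dropped and logged
 deny   ip any 172.16.0.0 0.0.255.255 log
 remark remaining traffic (towards the ASA / internet) is allowed
 permit ip 192.168.13.0 0.0.0.255 any
!
interface Vlan13
 description New class C test VLAN
 ip address 192.168.13.1 255.255.255.0
 ip helper-address 172.16.0.10
 ip access-group VLAN13-IN in
```

The two DHCP permits have to come before the deny, otherwise first leases work through the relay but unicast renewals to a server in the old range are dropped. `show ip access-lists VLAN13-IN` shows the per-entry hit counters, which is a quick way to see what the new servers are actually trying to send towards the old range before the ACL is removed.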
11-14-2013 01:19 PM
Regarding AD, I don't believe it is. In fact I think it's going to be required to migrate them in a staggered manner.
The tricky part for me I think will be managing the change in the GRE tunnel setups once I get that far. This current config is just the Sydney office. I'll eventually need to do the same LAN WAN for Hong Kong, Taiwan, Singapore and India offices whilst maintaining connectivity with all our tunnels but think I will consult a CCIE for that.
It's turning out to be a great learning experience.