Changing subnet mask?
-
@travisdh1 said in Changing subnet mask?:
@irj said in Changing subnet mask?:
@siringo said in Changing subnet mask?:
Sorry if this is a dumb question but ...
Inherited an old SBS network which has been upgraded, but is still using the 10.0.0.0 /8 setup.
I was thinking of changing the subnet to /24.
Currently all devices still have 10.0.0.x addresses.
Some of their network gear is managed, and I need to arrange with them to change settings within their Cisco gear to /24.
If I get the Cisco gear changed, prior to me changing the servers, PCs, printers etc to /24 will everything remain working??
For example, If I get the Cisco gear changed to /24 on weekend 1, will everything still communicate & work fine until I can change the other gear on weekend 2??
I know the subnets are different, but with all devices having 10.0.0.x addresses I'm thinking they still may be seen by the /24 devices????
Does that make sense?
Create /24 VLANs. Separate servers, printers, workstations with different VLANs. Then you can block workstations from even seeing server VLAN.
Seems like a lot of work with no business need from what we know.
Can you expand on this?
How is this a lot of work and how is there no business need to segregate important data?
Because in my experience data security is pretty damn important from a business perspective.
-
@siringo said in Changing subnet mask?:
For example, If I get the Cisco gear changed to /24 on weekend 1, will everything still communicate & work fine until I can change the other gear on weekend 2??
I know the subnets are different, but with all devices having 10.0.0.x addresses I'm thinking they still may be seen by the /24 devices????
Does that make sense?
Anything in the larger subnet can talk to the smaller subnet.
The smaller subnet cannot talk to the larger subnet beyond its boundary.
No one cares about switches. They should be DHCP anyway.
- Export everything in your current DHCP scope to CSV and then update the DHCP scope to have a lease time < 24 hours. I like to use 8.
- Wait until the old lease expires. Sadly it may be a month if it was an old SBS Wizard. Devices are supposed to try and renew at the halfway point, but you cannot count on it.
- While you wait, set DHCP reservations for anything that needs a fixed address.
- While you wait, find everything on your network with nmap and compare that to the things in DHCP. Change everything you find that is not in DHCP to DHCP or DHCP reservations. About the only thing that will not be DHCP is the DC itself, the hypervisor(s), and the router.
- Set your workstation with a static IP and a /8 subnet for the duration.
- Update the static devices, except the DC and the router, with the new /24 subnet.
- Continue waiting for the old lease time to go by, or reboot All.Of.The.Things.
- Validate everything is now in DHCP with valid expiration dates.
- Change the hypervisor(s), router, and DC to the /24 subnet.
- Change your workstation back to DHCP.
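Added example for the "find everything with nmap and compare it to DHCP" step above; this is not code from the thread. It parses the grepable output of `nmap -sn -oG -` and a CSV export of the DHCP scope, then sorts every live address into the buckets the migration plan needs: already DHCP-managed, showing an expired lease but still answering (the "you cannot count on renewal" case), expected statics (DC, hypervisor, router), and unexplained addresses that need to be moved to DHCP or a reservation. The nmap lines, the CSV column names (`IPAddress`, `ClientId`, `HostName`, `AddressState`) and all addresses are constructed for the example; a real export from the Windows DHCP console or PowerShell will use different column names, so adjust the three column constants.

```python
import csv
import io
import ipaddress
import re

# Constructed sample of what `nmap -sn -oG - 10.0.0.0/24` prints (ping sweep,
# grepable output). Hostnames and addresses are made up for this example.
NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sn -oG - 10.0.0.0/24
Host: 10.0.0.1 (gw.corp.example)\tStatus: Up
Host: 10.0.0.2 (dc01.corp.example)\tStatus: Up
Host: 10.0.0.15 ()\tStatus: Up
Host: 10.0.0.40 (prn-lobby.corp.example)\tStatus: Up
Host: 10.0.0.77 ()\tStatus: Up
Host: 10.0.0.99 ()\tStatus: Up
Host: 10.0.0.200 (hv01.corp.example)\tStatus: Up
# Nmap done -- 256 IP addresses (7 hosts up) scanned
"""

# Constructed sample of the DHCP scope export. Column names are an assumption
# for this example; map them to whatever your export actually produces.
DHCP_CSV = """\
IPAddress,ClientId,HostName,AddressState
10.0.0.15,00-11-22-33-44-55,ws-reception,Active
10.0.0.40,aa-bb-cc-dd-ee-01,prn-lobby,ActiveReservation
10.0.0.77,aa-bb-cc-dd-ee-02,ws-finance,Expired
10.0.0.88,aa-bb-cc-dd-ee-03,ws-spare,Active
"""

COL_IP, COL_STATE = "IPAddress", "AddressState"
ACTIVE_STATES = {"Active", "ActiveReservation"}

# Devices the plan leaves static on purpose: DC, hypervisor(s), router.
KNOWN_STATIC = {"10.0.0.1", "10.0.0.2", "10.0.0.200"}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+Up\b")


def parse_nmap_grepable(text):
    """Map IP -> reverse-DNS name ('' when none) for every host nmap reported Up."""
    up = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts that are Down
        ip, name = m.groups()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed line
        up[ip] = name
    return up


def parse_dhcp_export(text):
    """Map IP -> CSV row for every lease or reservation in the scope export."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = str(ipaddress.ip_address(row[COL_IP].strip()))
        rows[ip] = row
    return rows


def _by_address(ips):
    return sorted(ips, key=ipaddress.ip_address)


def reconcile(nmap_text, dhcp_text, known_static):
    """Bucket every address so you know what still has to be moved to DHCP."""
    up = parse_nmap_grepable(nmap_text)
    leases = parse_dhcp_export(dhcp_text)
    static = {str(ipaddress.ip_address(ip)) for ip in known_static}
    state = lambda ip: leases[ip][COL_STATE].strip()
    return {
        # live and covered by an active lease or reservation: nothing to do
        "dhcp_managed": _by_address(ip for ip in up if ip in leases and state(ip) in ACTIVE_STATES),
        # live but the lease already expired: the device is not really renewing
        "expired_but_up": _by_address(ip for ip in up if ip in leases and state(ip) not in ACTIVE_STATES),
        # live, not in DHCP, and expected to be static
        "known_static": _by_address(ip for ip in up if ip not in leases and ip in static),
        # live, not in DHCP, not expected: convert to DHCP or a reservation
        "not_in_dhcp": _by_address(ip for ip in up if ip not in leases and ip not in static),
        # active lease but nobody answered: probably just switched off
        "leased_but_down": _by_address(ip for ip in leases if ip not in up and state(ip) in ACTIVE_STATES),
    }


if __name__ == "__main__":
    for bucket, ips in reconcile(NMAP_GREPABLE, DHCP_CSV, KNOWN_STATIC).items():
        print(f"{bucket:16} {', '.join(ips) or '-'}")
```

Two caveats when running this for real: with a /8 mask a forgotten device can legitimately sit anywhere in 10.0.0.0/8, and a ping sweep of all 16.7 million addresses takes far too long, so scan the ranges you know are in use; and run nmap from a host on the same segment, where it discovers neighbours by ARP and therefore also finds devices that drop ICMP.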
-
@irj said in Changing subnet mask?:
@travisdh1 said in Changing subnet mask?:
@irj said in Changing subnet mask?:
@siringo said in Changing subnet mask?:
Sorry if this is a dumb question but ...
Inherited an old SBS network which has been upgraded, but is still using the 10.0.0.0 /8 setup.
I was thinking of changing the subnet to /24.
Currently all devices still have 10.0.0.x addresses.
Some of their network gear is managed, and I need to arrange with them to change settings within their Cisco gear to /24.
If I get the Cisco gear changed, prior to me changing the servers, PCs, printers etc to /24 will everything remain working??
For example, If I get the Cisco gear changed to /24 on weekend 1, will everything still communicate & work fine until I can change the other gear on weekend 2??
I know the subnets are different, but with all devices having 10.0.0.x addresses I'm thinking they still may be seen by the /24 devices????
Does that make sense?
Create /24 VLANs. Separate servers, printers, workstations with different VLANs. Then you can block workstations from even seeing server VLAN.
Seems like a lot of work with no business need from what we know.
Can you expand on this?
How is this a lot of work and how is there no business need to segregate important data?
Because in my experience data security is pretty damn important from a business perspective.
You're conflating VLANs with security. VLANs themselves provide zero additional security, just network segmentation. It takes seconds for someone with network access to scan for any active VLAN and tag packets with different ones.
If you want additional security, you need to move to a zero trust model.
-
@travisdh1 said in Changing subnet mask?:
@irj said in Changing subnet mask?:
@travisdh1 said in Changing subnet mask?:
@irj said in Changing subnet mask?:
@siringo said in Changing subnet mask?:
Sorry if this is a dumb question but ...
Inherited an old SBS network which has been upgraded, but is still using the 10.0.0.0 /8 setup.
I was thinking of changing the subnet to /24.
Currently all devices still have 10.0.0.x addresses.
Some of their network gear is managed, and I need to arrange with them to change settings within their Cisco gear to /24.
If I get the Cisco gear changed, prior to me changing the servers, PCs, printers etc to /24 will everything remain working??
For example, If I get the Cisco gear changed to /24 on weekend 1, will everything still communicate & work fine until I can change the other gear on weekend 2??
I know the subnets are different, but with all devices having 10.0.0.x addresses I'm thinking they still may be seen by the /24 devices????
Does that make sense?
Create /24 VLANs. Separate servers, printers, workstations with different VLANs. Then you can block workstations from even seeing server VLAN.
Seems like a lot of work with no business need from what we know.
Can you expand on this?
How is this a lot of work and how is there no business need to segregate important data?
Because in my experience data security is pretty damn important from a business perspective.
You're conflating VLANs with security. VLANs themselves provide zero additional security, just network segmentation. It takes seconds for someone with network access to scan for any active VLAN and tag packets with different ones.
If you want additional security, you need to move to a zero trust model.
How do you move to zero trust model without network segmentation?
-
@travisdh1 said in Changing subnet mask?:
@irj said in Changing subnet mask?:
@travisdh1 said in Changing subnet mask?:
@irj said in Changing subnet mask?:
@siringo said in Changing subnet mask?:
Sorry if this is a dumb question but ...
Inherited an old SBS network which has been upgraded, but is still using the 10.0.0.0 /8 setup.
I was thinking of changing the subnet to /24.
Currently all devices still have 10.0.0.x addresses.
Some of their network gear is managed, and I need to arrange with them to change settings within their Cisco gear to /24.
If I get the Cisco gear changed, prior to me changing the servers, PCs, printers etc to /24 will everything remain working??
For example, If I get the Cisco gear changed to /24 on weekend 1, will everything still communicate & work fine until I can change the other gear on weekend 2??
I know the subnets are different, but with all devices having 10.0.0.x addresses I'm thinking they still may be seen by the /24 devices????
Does that make sense?
Create /24 VLANs. Separate servers, printers, workstations with different VLANs. Then you can block workstations from even seeing server VLAN.
Seems like a lot of work with no business need from what we know.
Can you expand on this?
How is this a lot of work and how is there no business need to segregate important data?
Because in my experience data security is pretty damn important from a business perspective.
You're conflating VLANs with security. VLANs themselves provide zero additional security, just network segmentation. It takes seconds for someone with network access to scan for any active VLAN and tag packets with different ones.
If you want additional security, you need to move to a zero trust model.
Pretty sure it was assumed when he said VLANs he meant also setting firewall rules between them.
-
@irj said in Changing subnet mask?:
How do you move to zero trust model without network segmentation?
Using a VLAN does not have anything to do with zero trust. Actually, using a VLAN implies you are still using a LAN trust model for the things within the VLAN.
-
@travisdh1 said in Changing subnet mask?:
You're conflating VLANs with security.
You need to realize who you are talking to.
@IRJ is probably the most skilled security person on the community.
-
@stacksofplates Yup...
-
@jaredbusch said in Changing subnet mask?:
You need to realize who you are talking to.
@IRJ is probably the most skilled security person on the community.
Just checking is that sarcasm or the truth
-
@hobbit666 said in Changing subnet mask?:
@jaredbusch said in Changing subnet mask?:
You need to realize who you are talking to.
@IRJ is probably the most skilled security person on the community.
Just checking is that sarcasm or the truth
Truth.
-
@jaredbusch said in Changing subnet mask?:
@irj said in Changing subnet mask?:
How do you move to zero trust model without network segmentation?
Using a VLAN does not have anything to do with zero trust. Actually, using a VLAN implies you are still using a LAN trust model for the things within the VLAN.
Yeah, ideally each application would be separated. In enterprise, it's done on each tier within the application. Also you would just want to whitelist specific traffic needed and allow nothing else.
I didn't recommend zero trust in my first response due to amount of effort. I did recommend not having a flat network and using simple VLANs and firewall. At a minimum separate your servers and block access there.
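Added example, not from the thread, illustrating the distinction the posts above draw between VLANs as segmentation and the firewall rules that make them useful: a small first-match policy evaluator run over the same flows twice, once with no inter-VLAN rules (the router forwards everything, so VLAN membership alone stops nothing) and once with a default-deny allowlist of the specific traffic workstations need from the server VLAN. The VLAN subnets, the DC address and the rule set are assumptions made up for the example, and the evaluator is a model for reasoning about a policy, not a firewall; a real ruleset also needs a stateful "established/related" allow so replies get back.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR the connection is initiated from
    dst: str               # CIDR it is initiated to
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port
    action: str            # "accept" or "drop"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def matches(rule, flow):
    """True if this rule covers the flow (CIDR containment, protocol, port)."""
    return (ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(flow, rules, default):
    """First matching rule wins; `default` is what the router does when nothing matches."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


# Assumed layout for the example: one /24 per VLAN, one DC in the server VLAN.
SERVERS, WORKSTATIONS, PRINTERS = "10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"
DC = "10.0.10.5/32"

# Only what workstations need from the server VLAN: DNS, Kerberos, LDAP, SMB,
# plus raw printing to the printer VLAN. Everything else is dropped by default.
ALLOWLIST = [
    Rule(WORKSTATIONS, DC, "udp", 53, "accept"),
    Rule(WORKSTATIONS, DC, "tcp", 88, "accept"),
    Rule(WORKSTATIONS, DC, "udp", 88, "accept"),
    Rule(WORKSTATIONS, DC, "tcp", 389, "accept"),
    Rule(WORKSTATIONS, DC, "tcp", 445, "accept"),
    Rule(WORKSTATIONS, PRINTERS, "tcp", 9100, "accept"),
]


def vlan_only(flow):
    """VLANs exist but the router has no inter-VLAN rules: every flow is forwarded."""
    return evaluate(flow, [], default="accept")


def segmented(flow):
    """Same VLANs with a default-deny allowlist between them."""
    return evaluate(flow, ALLOWLIST, default="drop")


if __name__ == "__main__":
    samples = [
        Flow("10.0.20.15", "10.0.10.5", "tcp", 445),   # workstation -> DC file share
        Flow("10.0.20.15", "10.0.10.5", "tcp", 3389),  # workstation -> DC RDP
        Flow("10.0.30.7", "10.0.10.5", "tcp", 445),    # printer -> DC
        Flow("10.0.20.15", "10.0.10.9", "tcp", 445),   # workstation -> some other server
    ]
    for f in samples:
        print(f"{f.src_ip:>11} -> {f.dst_ip:<10} {f.proto}/{f.dport:<5}"
              f" vlan-only={vlan_only(f):6} segmented={segmented(f)}")
```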
-
@irj said in Changing subnet mask?:
@jaredbusch said in Changing subnet mask?:
@irj said in Changing subnet mask?:
How do you move to zero trust model without network segmentation?
Using a VLAN does not have anything to do with zero trust. Actually, using a VLAN implies you are still using a LAN trust model for the things within the VLAN.
Yeah, ideally each application would be separated. In enterprise, it's done on each tier within the application. Also you would just want to whitelist specific traffic needed and allow nothing else.
I didn't recommend zero trust in my first response due to amount of effort. I did recommend not having a flat network and using simple VLANs and firewall. At a minimum separate your servers and block access there.
Well, you did forget to mention the firewall, but meh...
Then comes the question - does he have the gear needed to do that?
-
@jaredbusch said in Changing subnet mask?:
Anything in the larger subnet can talk to the smaller subnet.
The smaller subnet cannot talk to the larger subnet beyond its boundary.
Thanks @JaredBusch, that ^^^ was all the info I was after. I really appreciate everyone's help.
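Added example, not from the thread, that works through the asymmetry @JaredBusch describes in the quoted reply: a host decides per packet whether the destination is on its own subnet (ARP for it directly) or must go to the default gateway, and that decision depends only on its own mask. With every device on one L2 segment and a mix of /8 and /24 masks, a /8 host can still reach any 10.x.x.x address directly, while a /24 host hands anything outside 10.0.0.0/24 to the gateway. The addresses, the gateway and the assumption that the gateway holds no static route for 10.0.0.0/8 are made up for the example.

```python
import ipaddress


def on_link(src_ip, src_prefixlen, dst_ip):
    """True if a host configured as src_ip/src_prefixlen treats dst_ip as local (ARPs directly)."""
    net = ipaddress.ip_network(f"{src_ip}/{src_prefixlen}", strict=False)
    return ipaddress.ip_address(dst_ip) in net


def next_hop(src_ip, src_prefixlen, dst_ip, gw_ip, gw_prefixlen):
    """How one packet from src to dst is delivered when all devices share one L2 segment."""
    if on_link(src_ip, src_prefixlen, dst_ip):
        return "direct"
    if not on_link(src_ip, src_prefixlen, gw_ip):
        return "unreachable"      # cannot even reach its own default gateway
    if on_link(gw_ip, gw_prefixlen, dst_ip):
        return "via-gateway"      # gateway has a connected route and forwards it back out
    return "unreachable"          # assumption: gateway has no static route for 10.0.0.0/8


def conversation(a, b, hosts, gw_ip, gw_prefixlen):
    """A TCP session needs both directions; returns (a->b, b->a, works)."""
    fwd = next_hop(a, hosts[a], b, gw_ip, gw_prefixlen)
    rev = next_hop(b, hosts[b], a, gw_ip, gw_prefixlen)
    return fwd, rev, fwd != "unreachable" and rev != "unreachable"


def transition_report(hosts, gw_ip, gw_prefixlen):
    """Check every pair of hosts for one gateway configuration (before/after weekend 1)."""
    names = sorted(hosts, key=ipaddress.ip_address)
    return {(a, b): conversation(a, b, hosts, gw_ip, gw_prefixlen)
            for i, a in enumerate(names) for b in names[i + 1:]}


# Constructed mid-migration state: some devices already on /24, most still /8,
# plus one forgotten device that was given a 10.x address outside 10.0.0.0/24.
HOSTS = {
    "10.0.0.5": 8,    # workstation, still /8
    "10.0.0.9": 24,   # workstation, already /24
    "10.0.0.20": 8,   # server, still /8
    "10.1.5.7": 8,    # stray device outside the future /24
}
GATEWAY = "10.0.0.1"

if __name__ == "__main__":
    for gw_prefix, label in ((8, "gateway still /8"), (24, "gateway changed to /24")):
        print(f"--- {label} ---")
        for (a, b), (fwd, rev, ok) in transition_report(HOSTS, GATEWAY, gw_prefix).items():
            print(f"{a}/{HOSTS[a]} <-> {b}/{HOSTS[b]}: {fwd:12} {rev:12} {'ok' if ok else 'BROKEN'}")
```

The pairs inside 10.0.0.0/24 keep working throughout, whichever mask each side has, which is the OP's weekend-1/weekend-2 situation. The pair that breaks once the gateway is /24 is the /24 host talking to the stray 10.1.5.7: the stray host still reaches the /24 host directly (larger subnet talking to the smaller), but the reply goes to a gateway that no longer knows where 10.1.5.7 is. That is exactly the set of devices the DHCP export and nmap sweep need to catch before the gateway changes.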
-
@dashrender said in Changing subnet mask?:
Then comes the question - does he have the gear needed to do that?
The answer is no; the answer to whether I have the desire or need is also no.
Thanks everyone for the help it is greatly appreciated.
-
@siringo said in Changing subnet mask?:
@dashrender said in Changing subnet mask?:
Then comes the question - does he have the gear needed to do that?
The answer is no; the answer to whether I have the desire or need is also no.
That's a very sad answer IMO
-
@jaredbusch said in Changing subnet mask?:
@travisdh1 said in Changing subnet mask?:
You're conflating VLANs with security.
You need to realize who you are talking to.
@IRJ is probably the most skilled security person on the community.
I know this, and statements like he made give me headaches after having to explain to other people that VLAN does nothing for security if you don't have firewall/access rules as well.
The types of places @IRJ has worked at, I agree that it would be insane to have a flat network.
-
@travisdh1 said in Changing subnet mask?:
@jaredbusch said in Changing subnet mask?:
@travisdh1 said in Changing subnet mask?:
You're conflating VLANs with security.
You need to realize who you are talking to.
@IRJ is probably the most skilled security person on the community.
I know this, and statements like he made give me headaches after having to explain to other people that VLAN does nothing for security if you don't have firewall/access rules as well.
The types of places @IRJ has worked at, I agree that it would be insane to have a flat network.
These are my thoughts: most small businesses don't need/want more complexity than a flat network.
-
@dashrender said in Changing subnet mask?:
@travisdh1 said in Changing subnet mask?:
@jaredbusch said in Changing subnet mask?:
@travisdh1 said in Changing subnet mask?:
You're conflating VLANs with security.
You need to realize who you are talking to.
@IRJ is probably the most skilled security person on the community.
I know this, and statements like he made give me headaches after having to explain to other people that VLAN does nothing for security if you don't have firewall/access rules as well.
The types of places @IRJ has worked at, I agree that it would be insane to have a flat network.
These are my thoughts: most small businesses don't need/want more complexity than a flat network.
Most small businesses don't want to deal with ransomware. What they want is immaterial. They should be doing what they need.
-
@stacksofplates said in Changing subnet mask?:
@dashrender said in Changing subnet mask?:
@travisdh1 said in Changing subnet mask?:
@jaredbusch said in Changing subnet mask?:
@travisdh1 said in Changing subnet mask?:
You're conflating VLANs with security.
You need to realize who you are talking to.
@IRJ is probably the most skilled security person on the community.
I know this, and statements like he made give me headaches after having to explain to other people that VLAN does nothing for security if you don't have firewall/access rules as well.
The types of places @IRJ has worked at, I agree that it would be insane to have a flat network.
These are my thoughts: most small businesses don't need/want more complexity than a flat network.
Most small businesses don't want to deal with ransomware. What they want is immaterial. They should be doing what they need.
Yep, and most small businesses shouldn't be running their own server in the first place, and most of our clients are actually moving to all hosted services. So no need to segment the network.
-
@travisdh1 I wouldn't host with Microsoft's Azure due to their costs, well, except for 365 for small businesses.
But there are many other reliable server hosting places, including Amazon, Digital Ocean and Vultr for VMs, and OVH and Hetzner for dedicated. Hell, you can even colo in the UK for about £50-60 per 1U. I've seen a 5U rack for about £100 the other day.