    Changing subnet mask?

    • siringoS
      siringo
      last edited by

      Sorry if this is a dumb question but ...

      Inherited an old SBS network which has been upgraded, but is still using the 10.0.0.0 /8 setup.

      I was thinking of changing the subnet to /24.

      Currently all devices still have 10.0.0.x addresses.

      Some of their network gear is managed and I need to arrange with them to change settings within their Cisco gear to /24.

      If I get the Cisco gear changed, prior to me changing the servers, PCs, printers etc to /24 will everything remain working??

      For example, If I get the Cisco gear changed to /24 on weekend 1, will everything still communicate & work fine until I can change the other gear on weekend 2??

      I know the subnets are different, but with all devices having 10.0.0.x addresses I'm thinking they still may be seen by the /24 devices????

      Does that make sense?

      • CloudKnightC
        CloudKnight
        last edited by CloudKnight

        Wow, a /8 - did they really need 16k devices lol. How many devices have you currently got, and is there any potential to grow? /24 will give you 254 devices. /23 will give you 512 and /22 will give you 1024. Have you anticipated any growth? Are all your devices on DHCP, or are some servers and printers static, and how far across the subnet are they?

        • siringoS
          siringo @CloudKnight
          last edited by

          @stuartjordan The old SBS servers used to set up that way, way back in 2003/2008, you filled in a wizard and it built itself.

          254 devices is more than enough.

          • CloudKnightC
            CloudKnight @siringo
            last edited by

            @siringo Move everything into the /24 range and then set the subnet to /24, depending on how many devices you have. I always leave a gap for DHCP and static addresses. Or you can static map through most business routers; that means you can leave servers and printers on DHCP but the router will set the same address. Entirely up to you how you approach this or how the current setup is.

            • IRJI
              IRJ @siringo
              last edited by

              @siringo said in Changing subnet mask?:

              Sorry if this is a dumb question but ...

              Inherited an old SBS network which has been upgraded, but is still using the 10.0.0.0 /8 setup.

              I was thinking of changing the subnet to /24.

              Currently all devices still have 10.0.0.x addresses.

              Some of their network gear is managed and I need to arrange with them to change settings within their Cisco gear to /24.

              If I get the Cisco gear changed, prior to me changing the servers, PCs, printers etc to /24 will everything remain working??

              For example, If I get the Cisco gear changed to /24 on weekend 1, will everything still communicate & work fine until I can change the other gear on weekend 2??

              I know the subnets are different, but with all devices having 10.0.0.x addresses I'm thinking they still may be seen by the /24 devices????

              Does that make sense?

              Create /24 VLANs. Separate servers, printers, workstations with different VLANs. Then you can block workstations from even seeing server VLAN.

              • travisdh1T
                travisdh1 @IRJ
                last edited by

                @irj said in Changing subnet mask?:

                Create /24 VLANs. Separate servers, printers, workstations with different VLANs. Then you can block workstations from even seeing server VLAN.

                Seems like a lot of work with no business need from what we know.

                • JaredBuschJ
                  JaredBusch @siringo
                  last edited by

                  @siringo said in Changing subnet mask?:

                  @stuartjordan The old SBS servers used to set up that way, way back in 2003/2008, you filled in a wizard and it built itself.

                  I do not remember seeing SBS ever create a /8 but yeah, so many bad things came out of people clicking next through everything in SBS.

                  • hobbit666H
                    hobbit666 @siringo
                    last edited by hobbit666

                    @siringo said in Changing subnet mask?:

                    If I get the Cisco gear changed, prior to me changing the servers, PCs, printers etc to /24 will everything remain working??

                    For example, If I get the Cisco gear changed to /24 on weekend 1, will everything still communicate & work fine until I can change the other gear on weekend 2??

                    I know the subnets are different, but with all devices having 10.0.0.x addresses I'm thinking they still may be seen by the /24 devices????

                    Does that make sense?

                    From what I remember,
                    no, they won't talk to each other once they are on a /24,
                    e.g. 10.0.1.X/24 won't talk to 10.0.2.X/24.

                    Have you checked the devices are using different IPs? 10.X.X.X? If you're lucky they might all be on 10.0.X.X/24.

                    dave247D scottalanmillerS 2 Replies Last reply Reply Quote 0
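The on-link decision behind the mixed-mask question in this thread, as an added Python example (not code from any poster): each host compares a destination against its own address and mask to choose between direct delivery and its gateway. The host names and addresses in `HOSTS` are constructed for illustration.

```python
import ipaddress


def on_link(src_iface: str, dst_ip: str) -> bool:
    """True if a host configured as src_iface ("addr/prefix") treats dst_ip
    as local, i.e. ARPs for it directly instead of sending to its gateway."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(src_iface).network


def delivery(a_iface: str, b_iface: str) -> str:
    """Classify traffic between two hosts on one wire, each using its own mask."""
    a = ipaddress.ip_interface(a_iface)
    b = ipaddress.ip_interface(b_iface)
    a_direct = on_link(a_iface, str(b.ip))
    b_direct = on_link(b_iface, str(a.ip))
    if a_direct and b_direct:
        return "direct"        # both sides ARP for each other
    if a_direct or b_direct:
        return "asymmetric"    # one side ARPs, the other hands replies to its gateway
    return "gateway"           # neither side treats the other as local


def stranded(hosts: dict, target: str) -> list:
    """Hosts whose current address lies outside the target subnet and therefore
    need a new address, not just a new mask."""
    net = ipaddress.ip_network(target)
    return sorted(n for n, i in hosts.items()
                  if ipaddress.ip_interface(i).ip not in net)


def matrix(hosts: dict) -> dict:
    """Delivery class for every unordered pair of hosts."""
    names = sorted(hosts)
    return {(a, b): delivery(hosts[a], hosts[b])
            for i, a in enumerate(names) for b in names[i + 1:]}


# Constructed inventory for the window between "weekend 1" and "weekend 2".
HOSTS = {
    "router":  "10.0.0.1/24",   # already changed to /24
    "dc":      "10.0.0.10/8",   # still on the old mask
    "pc-07":   "10.0.0.57/8",   # still on the old mask
    "printer": "10.0.3.20/8",   # static address outside 10.0.0.0/24
}

if __name__ == "__main__":
    for (a, b), kind in matrix(HOSTS).items():
        print(f"{a:8} <-> {b:8} {kind}")
    print("needs re-addressing:", stranded(HOSTS, "10.0.0.0/24"))
```

Pairs reported as `asymmetric` only work if the gateway can route the reply back to the other host; pairs where both addresses sit in 10.0.0.x come out `direct` regardless of which mask each side has.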
                    • IRJI
                      IRJ @travisdh1
                      last edited by

                      @travisdh1 said in Changing subnet mask?:

                      @irj said in Changing subnet mask?:

                      Create /24 VLANs. Separate servers, printers, workstations with different VLANs. Then you can block workstations from even seeing server VLAN.

                      Seems like a lot of work with no business need from what we know.

                      Can you expand on this?

                      How is this a lot of work and how is there no business need to segregate important data?

                      Because in my experience data security is pretty damn important from a business perspective.

                      • JaredBuschJ
                        JaredBusch @siringo
                        last edited by JaredBusch

                        @siringo said in Changing subnet mask?:

                        For example, If I get the Cisco gear changed to /24 on weekend 1, will everything still communicate & work fine until I can change the other gear on weekend 2??

                        I know the subnets are different, but with all devices having 10.0.0.x addresses I'm thinking they still may be seen by the /24 devices????

                        Does that make sense?

                        Anything in the larger subnet can talk to the smaller subnet.

                        The smaller subnet cannot talk to the larger subnet beyond its boundary.

                        No one cares about switches. They should be DHCP anyway.

                        1. Export everything in your current DHCP scope to CSV and then update the DHCP scope to have a lease time < 24 hours. I like to use 8.
                        2. Wait until the old lease expires. Sadly it may be a month if it was an old SBS Wizard.
                          Devices are supposed to try and renew at the halfway point, but you cannot count on it.
                        3. While you wait, set DHCP reservations for anything that needs a fixed address.
                        4. While you wait, find everything on your network with nmap and compare that to the things in DHCP. Change everything you find that is not in DHCP to DHCP or DHCP reservations.
                          About the only thing that will not be DHCP is the DC itself, the hypervisor(s), and the router.
                        5. Set your workstation with a static IP and a /8 subnet for the duration.
                        6. Update the static devices, except the DC and the router, with the new /24 subnet.
                        7. Continue waiting for the old lease time to go by, or reboot All.Of.The.Things
                        8. Validate everything is now in DHCP with valid expiration dates.
                        9. Change the hypervisor(s), router, and DC to the /24 subnet
                        10. Change your workstation back to DHCP.
                        siringoS 1 Reply Last reply Reply Quote 5
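Steps 4 and 8 of the list above come down to reconciling a ping scan against the DHCP export. The following is an added Python sketch, not code from the post: it reads `nmap -sn -oG -` grepable output and a lease CSV, then reports live hosts with no lease, live hosts outside the target /24, and leases that still carry the old lease time. The CSV column names, timestamp format and all sample data are assumptions constructed for the example.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample of grepable ping-scan output (`nmap -sn -oG -`).
NMAP_GREPABLE = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.0.0.1 ()\tStatus: Up\n"
    "Host: 10.0.0.10 (dc01.example.local)\tStatus: Up\n"
    "Host: 10.0.0.57 ()\tStatus: Up\n"
    "Host: 10.0.0.80 ()\tStatus: Up\n"
    "Host: 10.0.3.20 ()\tStatus: Up\n"
)

# Constructed DHCP lease export; column names and time format are assumptions.
DHCP_CSV = """IPAddress,HostName,AddressState,LeaseExpiryTime
10.0.0.57,pc-07,Active,2024-03-02T15:00:00
10.0.0.80,printer-2,ActiveReservation,2024-03-20T09:00:00
10.0.0.91,laptop-3,Active,2024-03-02T12:00:00
"""

NOW = datetime(2024, 3, 2, 9, 0)   # constructed "time of check"
NEW_LEASE = timedelta(hours=8)     # the shortened lease time from step 1


def hosts_up(grepable: str) -> set:
    """Addresses that answered the ping scan."""
    found = re.findall(r"^Host: (\S+) .*Status: Up", grepable, re.M)
    return {ipaddress.ip_address(ip) for ip in found}


def leases(csv_text: str) -> dict:
    """Lease rows keyed by address."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {ipaddress.ip_address(r["IPAddress"]): r for r in rows}


def reconcile(grepable, csv_text, target, now, new_lease) -> dict:
    up, leased = hosts_up(grepable), leases(csv_text)
    net = ipaddress.ip_network(target)
    # A lease handed out after the scope was shortened cannot expire later
    # than now + new_lease, so anything beyond that predates the change.
    horizon = now + new_lease

    def fmt(ips):
        return [str(ip) for ip in sorted(ips)]

    return {
        # Step 4: live but unknown to DHCP, so statically configured.
        "not_in_dhcp": fmt(up - set(leased)),
        # Live hosts that a /24 mask alone would cut off.
        "outside_target": fmt(ip for ip in up if ip not in net),
        # Steps 2 and 8: clients still holding a long lease.
        "old_lease": fmt(ip for ip, r in leased.items()
                         if datetime.fromisoformat(r["LeaseExpiryTime"]) > horizon),
    }


if __name__ == "__main__":
    report = reconcile(NMAP_GREPABLE, DHCP_CSV, "10.0.0.0/24", NOW, NEW_LEASE)
    for key, ips in report.items():
        print(f"{key}: {', '.join(ips) or '-'}")
```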
                        • travisdh1T
                          travisdh1 @IRJ
                          last edited by

                          @irj said in Changing subnet mask?:

                          @travisdh1 said in Changing subnet mask?:

                          @irj said in Changing subnet mask?:

                          Create /24 VLANs. Separate servers, printers, workstations with different VLANs. Then you can block workstations from even seeing server VLAN.

                          Seems like a lot of work with no business need from what we know.

                          Can you expand on this?

                          How is this a lot of work and how is there no business need to segregate important data?

                          Because in my experience data security is pretty damn important from a business perspective.

                          You're conflating VLANs with security. VLANs themselves provide zero additional security, just network segmentation. It takes seconds for someone with network access to scan for any active VLAN and tag packets with different ones.

                          If you want additional security, you need to move to a zero trust model.

                          • IRJI
                            IRJ @travisdh1
                            last edited by

                            @travisdh1 said in Changing subnet mask?:

                            @irj said in Changing subnet mask?:

                            @travisdh1 said in Changing subnet mask?:

                            @irj said in Changing subnet mask?:

                            Create /24 VLANs. Separate servers, printers, workstations with different VLANs. Then you can block workstations from even seeing server VLAN.

                            Seems like a lot of work with no business need from what we know.

                            Can you expand on this?

                            How is this a lot of work and how is there no business need to segregate important data?

                            Because in my experience data security is pretty damn important from a business perspective.

                            You're conflating VLANs with security. VLANs themselves provide zero additional security, just network segmentation. It takes seconds for someone with network access to scan for any active VLAN and tag packets with different ones.

                            If you want additional security, you need to move to a zero trust model.

                            How do you move to zero trust model without network segmentation?

                            • stacksofplatesS
                              stacksofplates @travisdh1
                              last edited by

                              @travisdh1 said in Changing subnet mask?:

                              @irj said in Changing subnet mask?:

                              @travisdh1 said in Changing subnet mask?:

                              @irj said in Changing subnet mask?:

                              Create /24 VLANs. Separate servers, printers, workstations with different VLANs. Then you can block workstations from even seeing server VLAN.

                              Seems like a lot of work with no business need from what we know.

                              Can you expand on this?

                              How is this a lot of work and how is there no business need to segregate important data?

                              Because in my experience data security is pretty damn important from a business perspective.

                              You're conflating VLANs with security. VLANs themselves provide zero additional security, just network segmentation. It takes seconds for someone with network access to scan for any active VLAN and tag packets with different ones.

                              If you want additional security, you need to move to a zero trust model.

                              Pretty sure it was assumed when he said VLANs he meant also setting firewall rules between them.

                              • JaredBuschJ
                                JaredBusch @IRJ
                                last edited by

                                @irj said in Changing subnet mask?:

                                How do you move to zero trust model without network segmentation?

                                Using a VLAN does not have anything to do with zero trust. Actually, using a VLAN implies you are still using a LAN trust model for the things within the VLAN.

                                • JaredBuschJ
                                  JaredBusch @travisdh1
                                  last edited by

                                  @travisdh1 said in Changing subnet mask?:

                                  You're conflating VLANs with security.

                                  You need to realize who you are talking to.

                                  @IRJ is probably the most skilled security person on the community.

                                  • dbeatoD
                                    dbeato @stacksofplates
                                    last edited by

                                    @stacksofplates Yup...

                                    • hobbit666H
                                      hobbit666 @JaredBusch
                                      last edited by

                                      @jaredbusch said in Changing subnet mask?:

                                      You need to realize who you are talking to.

                                      @IRJ is probably the most skilled security person on the community.

                                      Just checking, is that sarcasm or the truth?

                                      • JaredBuschJ
                                        JaredBusch @hobbit666
                                        last edited by

                                        @hobbit666 said in Changing subnet mask?:

                                        @jaredbusch said in Changing subnet mask?:

                                        You need to realize who you are talking to.

                                        @IRJ is probably the most skilled security person on the community.

                                        Just checking, is that sarcasm or the truth?

                                        Truth.

                                        • IRJI
                                          IRJ @JaredBusch
                                          last edited by

                                          @jaredbusch said in Changing subnet mask?:

                                          @irj said in Changing subnet mask?:

                                          How do you move to zero trust model without network segmentation?

                                          Using a VLAN does not have anything to do with zero trust. Actually, using a VLAN implies you are still using a LAN trust model for the things within the VLAN.

                                          Yeah, ideally each application would be separated. In enterprise, it's done on each tier within the application. Also you would just want to whitelist specific traffic needed and allow nothing else.

                                          I didn't recommend zero trust in my first response due to amount of effort. I did recommend not having a flat network and using simple VLANs and firewall. At a minimum separate your servers and block access there.

                                          • DashrenderD
                                            Dashrender @IRJ
                                            last edited by

                                            @irj said in Changing subnet mask?:

                                            @jaredbusch said in Changing subnet mask?:

                                            @irj said in Changing subnet mask?:

                                            How do you move to zero trust model without network segmentation?

                                            Using a VLAN does not have anything to do with zero trust. Actually, using a VLAN implies you are still using a LAN trust model for the things within the VLAN.

                                            Yeah, ideally each application would be separated. In enterprise, it's done on each tier within the application. Also you would just want to whitelist specific traffic needed and allow nothing else.

                                            I didn't recommend zero trust in my first response due to amount of effort. I did recommend not having a flat network and using simple VLANs and firewall. At a minimum separate your servers and block access there.

                                            Well, you did forget to mention the firewall, but meh...

                                            Then comes the question - does he have the gear needed to do that?
