[isalist] Re: Extending a subnet

  • From: Jerry Young <jerrygyoungii@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 29 Sep 2010 11:03:42 -0400

Steve,

If you changed the network configuration on the server's NIC, you'd probably
have to modify the configuration of all network devices behind it.

It sounds like you now only have one wireless subnet, 192.168.11.0/24.  What
is the default gateway you're currently using for that?

This is important because if you "expand" the subnet on your internal NIC to
a /21, traffic destined for anything in that range will never be routed
to the default gateway on the 192.168.11.0/24 network by the server, thus
the need for the persistent static route.

On Wed, Sep 29, 2010 at 10:04 AM, Reimer, Mark <mark.reimer@xxxxxxxxxxx> wrote:

>  Steve,
>
>
>
> If you are using a /23 subnet on a 192.168.11.x range, it will include
> everything in the 192.168.10.x range, not the 192.168.12.x range. If you
> want/need 192.168.11.x and 192.168.12.x in the same subnet, you will need to
> use a /21 subnet, which will then include 192.168.8.x up to 192.168.15.x.
> This is for the NIC.
>
>
>
> Mark
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Steven Comeau
> *Sent:* Wednesday, September 29, 2010 6:29 AM
>
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Extending a subnet
>
>
>
> I guess the simplest question is, how do I modify the ISA server to utilize
> a /23 subnet on 1 NIC?
>
>
>
> Steve Comeau
>
> Associate Director of IT  Rutgers Athletics
>
> 83 Rockafeller Road
>
> Piscataway, NJ  08854
>
> 732-445-7802
>
> 732-445-4623 (fax)
>
> www.scarletknights.com
>
>
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Steven Comeau
> *Sent:* Tuesday, September 28, 2010 6:21 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Extending a subnet
>
>
>
> My ISA server has 5 NICs = 1 External, 4 Internal.  The 4 internal NICs
> separate out Staff, Students, Wireless, and Photographers.  The wireless
> network is growing immensely – I need to enlarge the subnet.  I would rather
> not add yet another NIC if I don’t have to (would be less of an issue with
> Virtualization, though).
>
>
>
> To the NIC properties on the box, I added the additional IP address of
> 192.168.12.1 with a subnet mask of 255.255.255.0.  I added that range in ISA
> to the Network that had only 192.168.11.1 on it.  I just need now for the
> machines in 192.168.11.X to communicate (any and all protocols) to/from
> 192.168.12.X.  Like you mentioned, I probably have to add the Route Add
> command, but I was hoping that I could just change something in ISA to
> correct that (using routes in ISA).  That is why I thought about adding a
> second network name, on the same NIC, using the new range and then routing
> between them with a Policy to allow all traffic.
>
>
>
> Steve Comeau
>
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jerry Young
> *Sent:* Tuesday, September 28, 2010 5:26 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Extending a subnet
>
>
>
> Steve,
>
>
>
> So, it sounds like you only have one NIC on that ISA box?  Or are there
> multiple NICs, one for each network you have (internal, external, edge) and
> you simply wanted to change the "size" of the internal network?
>
>
>
> By adding 192.168.12.1 in the Advanced tab of the Network IP Properties of
> the NIC, you really only added a virtual IP address to that NIC, not a range
> (what subnet mask did you use, though?).  When you say you're trying to
> communicate between those two IP addresses (I assume 192.168.11.1 and
> 192.168.12.1), to which specific kind of communication are you referring?
>
>
>
> In any case, if you added another internal network to which you want
> traffic from other legs of the ISA server to communicate with, usually
> that's just a matter of adding the range to the Internal Network Element in
> ISA and configuring a static persistent route on the server at the OS level.
>
>
>
> Usually, that means I would expect to see something like the following:
>
>
>
> 192.168.11.0/24 is the network on which the server's internal interface
> resides.
>
> You add 192.168.12.0 to 192.168.12.255 to the ISA Internal Network Element
> (or increase the range from 192.168.11.0-192.168.11.255 to
> 192.168.11.0-192.168.12.255).
>
> You add a persistent static route that points traffic destined to the
> 192.168.12.0/24 to the default gateway for the internal interface.
>
>
>
> Example
>
> Internal Interface IP Address: 192.168.11.10
>
> Internal Interface Subnet Mask: 255.255.255.0
>
> Internal Interface Default Gateway: 192.168.11.1
>
>
>
> route add -p 192.168.12.0 mask 255.255.255.0 192.168.11.1
>
>
>
> That route add command would create a persistent static route in the
> server's routing table that would route all traffic destined for the
> 192.168.12.0/24 network to your default gateway.
>
>
>
> This assumes, of course, that you have a separate NIC for each network
> connected to the ISA server and not just one.  If, however, you only have 1
> NIC to which all networks are bound, first, shame on you; I believe Tom
> calls that Bork Mode. :)  Be that as it may, though, we should then try to
> understand what kind of communication you want to occur between the specific
> IP addresses and take it from there (note that there may be some things that
> simply just won't work).
>
>
>
> On Tue, Sep 28, 2010 at 4:59 PM, Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
> wrote:
>
> Thanks Jerry.  I did try to expand the subnet by changing the 3rd octet
> (from 255.255.255.0 to 255.255.254.0) for the Subnet Mask on the NIC and
> making the IP range larger, but that didn’t work either.  In ISA, I also had
> changed the Network range from 192.168.11.0-192.168.11.255 to
> 192.168.11.0-192.168.12.255 with the larger subnet mask.  Since that didn’t
> work, I tried the dual homed method.
>
>
>
> Yes, you caught me and my bad spelling – dual homed the NIC to 192.168.11.1
> and added 192.168.12.1 in the Advanced tab of the Network IP Properties of
> the NIC.  On ISA, I just added the 2nd Range of IPs to the one Named
> Network in Networks configuration.
>
>
>
> Perhaps I need to create a distinct Named Network with the new range of IPs
> (same NIC as the other Named Network) and then create a Network Rule Route
> between the two with Policy to allow all traffic between the two Networks.
> Just thinking out loud.  Any help is greatly appreciated!
>
>
>
> Steve Comeau
>
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jerry Young
> *Sent:* Tuesday, September 28, 2010 4:17 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Extending a subnet
>
>
>
> Steve,
>
>
>
> I'm not sure a 24-bit subnet mask is "standard", although it is probably
> the most often used, and, technically speaking there are only 254 usable IP
> addresses in that block (I know, I got a bit pedantic like Jim tends to). :)
>
>
>
> For the purposes of this discussion, though, you'll probably have to get
> fairly specific with how you've carved up your networks and the IP addresses
> you've added.  The next largest block you can use is a 23-bit subnet mask
> but that essentially doubles the total number of usable IP addresses.
>
>
>
> In general, though, you usually need to think in terms of IP address ranges
> and then map backwards to required subnets.
>
>
>
> So, when you say you've dual honed (I think you mean dual homed?) one
> particular NIC to add an additional range of IP addresses, how did you
> configure that NIC?
>
> On Tue, Sep 28, 2010 at 3:57 PM, Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
> wrote:
>
> ISA 2006, on Win 2k3.
>
>
>
> I have a situation where I need to add more IPs to a particular Internal
> Network than the standard 256.  On our ISA server, I’ve dual honed the one
> particular NIC to add an additional range of IP addresses.  I’ve also
> changed the network parameter in ISA to account for the additional IP
> range.  Finally, I set up a Super Scope in DHCP to accommodate the new IP
> range.  From my other sites (Dial Up VPN), and even from the other legs of
> the ISA server, there are no issues bi-directionally getting to clients in the
> new IP range.  However, I can’t seem to communicate between the two IP
> ranges on the same NIC.  Is there some sort of routing thingy I need to do
> on the ISA box?
>
>
>
> Thanks in advance.
>
>
>
> Steve Comeau
>
>
>
>
> ***  This message contains confidential information and is
>
> intended only for the individual named. If you are not the
>
> named addressee, you should not disseminate, distribute or
>
> copy this e-mail. Please notify the sender immediately by
>
> e-mail if you have received this e-mail by mistake and delete
>
> this e-mail from your system. E-mail transmission cannot be
>
> guaranteed to be secure or error-free as information could be
>
> intercepted, corrupted, lost, destroyed, arrive late or
>
> incomplete, or contain viruses.  The sender therefore does not
>
> accept liability for any errors or omissions in the contents of
>
> this message, which arise as a result of e-mail transmission.
>
> If verification is required please request a hard-copy version.
>
> Rutgers University - DIA
>
> 83 Rockafeller Road
>
> Piscataway, NJ 08854
>
> www.scarletknights.com ***
>
>
>
>
>
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
> Young Consulting & Staffing Services Company - Owner
> www.youngcss.com


-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Young Consulting & Staffing Services Company - Owner
www.youngcss.com
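
The subnet arithmetic discussed in this thread, worked through as an added example (not part of any poster's message). It uses the thread's addresses; the destination 192.168.12.50 is a constructed sample host, and `next_hop` is a simplified model that considers only the connected network and the default gateway, not any static routes.

```python
import ipaddress


def network_of(host, prefix):
    """Return the network a host address falls in for a given prefix length."""
    return ipaddress.ip_interface(f"{host}/{prefix}").network


def smallest_common_subnet(*cidrs):
    """Return the smallest single subnet that contains every listed network."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    candidate = nets[0]
    # Widen the mask one bit at a time until all networks fit inside.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def next_hop(interface_cidr, gateway, destination):
    """Return 'on-link' if the destination is inside the interface's own
    subnet (delivered directly, never sent to the gateway), otherwise the
    gateway the packet is forwarded to."""
    iface = ipaddress.ip_interface(interface_cidr)
    if ipaddress.ip_address(destination) in iface.network:
        return "on-link"
    return gateway


if __name__ == "__main__":
    # A /23 mask on a 192.168.11.x address pairs .11 with .10, not with .12.
    print(network_of("192.168.11.1", 23))
    # The smallest subnet holding both .11 and .12 is a /21 (.8 through .15).
    print(smallest_common_subnet("192.168.11.0/24", "192.168.12.0/24"))
    # With the /24 mask, .12 traffic goes to the gateway; with /21 it does not.
    print(next_hop("192.168.11.10/24", "192.168.11.1", "192.168.12.50"))
    print(next_hop("192.168.11.10/21", "192.168.11.1", "192.168.12.50"))
```
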
