IP Address forcing/grouping

Tags:
Active Directory
DHCP
DNS
Networking services
I know this may sound odd, but I am having a severe problem with IP addresses at the school district that I work for. Our IP ranges are: 192.168.200.x 192.168.201.x 192.168.204.x Here is the problem: the 192.168.204.x was put in place when a previous technician started implementing the VoIP system on our network. Now, computers which draw up this range can hit network (file) resources, can hit the internet, but cannot print to network printers unless forced to a static IP in the 192.168.200.x or 192.168.201.x ranges. Is there a way to force the machines to only pull from one of those first two IP ranges? On a related note, I was curious if there were a way to limit certain IP addresses within those ranges? For instance, the school district is separated into four schools and a district office - I would like to have computers at school A to use only IP addresses within the addresses of 192.168.200.100 to 192.168.200.200, etc., I know that I could do this through static IP addressing, but the feasibility of doing so and headache of maintaining static pools is not an option at this time. If the solution lies within Active Directory, our current organizational structure for the computers seperates the computers first by building (Primary, Elementary, Middle, High, and District), then by role (Student, Teacher, Administrator), then by room number, allowing AD and Websense to work hand in hand on being able to cut rooms off from internet access on a room-by-room basis upon teacher's request. Thanks in advance for any help that you can give.

Answer Wiki

Thanks. We'll let you know when a new response is added.

It sounds like there is a routing problem with the 192.168.204.x subnet. Not enough info.
Need to know what the subnet mask is for the ip address ranges, also is there going to be site/DC server for each school, and how the routing is setup now between the ip ranges.

Regards,
Joe

Discuss This Question: 5  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • GeekDaddy665
    Sorry - you're right... I did forget the subnet in my message. It's 255.255.254.0 No plans as of yet for a DC for each school, but been thinking about it, as we do have a few server2000 licensees come available when we upgraded to server2003.
    0 pointsBadges:
    report
  • 0ct0pus
    the first problem sounds like a routing issue. I assume you're using subnet mask of 255.255.255.0? What's the gateway in 192.168.204.x subnet? You might want to check the routing table of that gateway. To segregate the IPs you can use DHCP. With that you can assign certain IP range to certain site or for specific computers. are all infrastructure servers running on windows ?
    0 pointsBadges:
    report
  • Astronomer
    This sounds depressingly like the problem I found when I was hired as the network engineer at our college. The students and staff "nets" use distinct address spaces but run on the same wire. This is the reason we don't run DHCP in our environment. If we ran DHCP for each network, there would be no way to determine what subnet a client would get an address for. With a properly partitioned net, the DHCP clients can only get address configurations for the correct network. The right way to fix this is to divide up the network into separate LANs, (a good way to implement this is to use VLANs within each campus), and provide router interfaces and DHCP server scopes to service each separate network. The other problem seems to be a routing issue. Whatever router is functioning as the default gateway for the 204 net doesn't know how to forward packets to the network the printers are on, or the printer router doesn't know about the 204 net. Another possibility is the printers don't have a default gateway so can't respond to requests from other nets. We haven't yet dealt with the flat net here. The issue is the size of the IT department. Four desktop techs dealing with 2000 boxes are already overstretched. Right now, they don't have to be concerned with a port being mapped to the correct VLAN when they hook up a box. Any port will work with either net. As soon as I partition up the network for proper security, they will have to keep track of what network every port is mapped to. Because this would add significantly to their load I have been investigating dynamic VLANs using 802.1x so the port will automatically map to the correct net during login. Once you have the network properly partitioned, it should be trivial to set up the scopes you described. Can I assume each school has its own subnets, routers, and DHCP servers? For limiting internet access, you can do it using IPs and the firewall , or a combination of firewall, proxy, and active directory groups. If you set up separate VLANs for each classroom, (this isn't as hard as it may seem), then the firewall can limit what each network can see. The method we use is to firewall the students from any direct access to the internet, (with a couple of exceptions). In order to get to the internet they have to go through our proxy server. Active directory groups are used to configure the web browser at login. Some groups are set to point to the proxy server and other groups point to the void and can't browse to anything. We used this method because our IP assignments were all over the map with no logic connected to actual use, (someday I would also like to address this), kind of like you would get with DHCP on a shared network. The other advantage to this model is our ability to use the squid proxy server to throttle large downloads, (mainly music), and block any web requests with a header containing the string myspace.com. Hopefully this gives you a place to start. rt
    15 pointsBadges:
    report
  • petkoa
    Hi GeekDaddy665, Couple of answers suggested a routing problem, and asked about the gateway to "192.168.204.x", but from your second posting about your netmask (255.255.255.254) I would assume that all three your address spaces are located on a single LAN and your problem is inadequate netmask. If this is the situation - i.e., all your hosts are in a single LAN and they have to "speak" directly to each other (not through a router) - then you'll have to configure DHCP daemon to offer network address 192.168.200.0 and netmask 255.255.255.248. This means that hosts will not seek the gateway for addresses in the range 192.168.200.0 - 192.168.207.255 (eight class C networks, ca. 2048 addresses). More "economic" netmask 255.255.255.252 (four class C networks, ca. 1024 addresses, range 192.168.200.0 - 192.168.203.255) will not work with your current address ranges. BR and good luck Petko
    3,120 pointsBadges:
    report
  • Paul144hart
    RE: Is there a way to force the machines to only pull from one of those first two IP ranges? Yes - Sounds like everything is on the same physical network. Have the VoIP devices use the 204 DHCP gateway, set the other machines to point one of the other networks for its default gateway. Or, physically separate them with a router between them. Then no config to the machines will be needed (which might be impractical). If your switches support VLANs, then you can avoid the rewiring. VLANs give virutal separated networks on the same physical network. RE: On a related note, I was curious if there were a way to limit certain IP addresses within those ranges? Yes - you should be able to specify the range of address for a DHCP device will allocate. I assume you'll have one DHCP per school. (As side note, when will you run out of addresses in the Class C network? May drive you to move to segregate buildings into separate Class C nets) AD is not a network level solution, but would give the access control you are looking for your last comment. Lastly, I would recommend you get the Cisco network simulator software - it would allow to build your network virtually before investing time or money. (or course with cisco devces) When I got it was about $100-150. (With the CCNA books). BR, Paul
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following