[SOLVED] Help with network restructuring.

Jan 17, 2020
Goodnight.

I have not been working long as an assistant IT administrator in a company.
And I have been having problems with the client PCs: they constantly lose their DHCP IP, and when I change them to static they still sometimes have no Internet access because there is an IP conflict, so after a few days I change them again.

Then, a few weeks ago, it started assigning IPs from another network (VLAN 192.168.0.1-254), which is the one that works as the backup internet uplink when the fiber optic uplink fails; then the connection is lost again via IP. There is nothing assigned in that network, so I have to go and change the IP to the network where the printers, copiers and servers are (VLAN 192.168.1.1-254).

I have no idea why this is happening.

Could you help me see how I could determine the fault in order to correct it?

And, taking advantage of the post: the network is currently also exposed, slowing down activities and vulnerable to attacks and viruses.


The structure is currently like this:
1- fiber optic internet provider and copper cable internet provider
2- Vigor 3900 router
3- Vigor gigabit managed switch (I don't have the model at hand)
4- N number of gigabit and 10/100 unmanaged switches (mostly TP-Link brand)
5- unmanaged WiFi antennas operating as hotspots (TP-Link too)
6- network of surveillance cameras interconnected by antennas with each other and with the Vigor switch (#3)

(If u need the model and brand of the hardware I can post it later)

I have read in this forum some ideas about how the composite network should be, but it is not very clear yet to me.

https://community.spiceworks.com/topic/460251-how-to-build-a-secure-network-for-an-enterprise-organisation

Ty in advance for the help.
 

kanewolf

Titan
Moderator
OK, you need to ask your boss if you can spend some money, IMO. Unmanaged WIFI access points are bad. You can't have guest WIFI or segregate users' phones from other business devices. Those APs need to be replaced with something that is multi-SSID and VLAN aware. Those would be typical "business class" features.
You have a managed core switch. But you say you have a bunch of unmanaged switches also. That might be OK. But again, a small capital purchase of managed switches will allow you CONTROL of your network. Standard business security would recommend that you administratively disable switch ports that are not in use. That prevents random devices from being added to your network without coordination.

I think you also need to verify that you have just one DHCP server on the network. Your DHCP and internet problems sound like a multiple DHCP server conflict to me. Or depending on how many total devices you have on the network, you may be running out of a standard class C DHCP range.

This is where VLANs can help by segregating your network. The corporate WIFI could have one IP range, the desktops a second, employees' personal devices a third and guests a fourth.
 

Jan 17, 2020
You should be able to define the range of IP addresses the router gives out via DHCP. You would just set it to, say, only give out addresses 100-254; this makes the addresses below 100 available to assign to devices via static IP.
Yeah, it does; it's from 192.168.1.100 to 192.168.1.200 with the DHCP server enabled on the DrayTek router.
 
Jan 17, 2020
OK, you need to ask your boss if you can spend some money, IMO. Unmanaged WIFI access points are bad. You can't have guest WIFI or segregate users' phones from other business devices. Those APs need to be replaced with something that is multi-SSID and VLAN aware. Those would be typical "business class" features.
You have a managed core switch. But you say you have a bunch of unmanaged switches also. That might be OK. But again, a small capital purchase of managed switches will allow you CONTROL of your network. Standard business security would recommend that you administratively disable switch ports that are not in use. That prevents random devices from being added to your network without coordination.

I think you also need to verify that you have just one DHCP server on the network. Your DHCP and internet problems sound like a multiple DHCP server conflict to me. Or depending on how many total devices you have on the network, you may be running out of a standard class C DHCP range.

This is where VLANs can help by segregating your network. The corporate WIFI could have one IP range, the desktops a second, employees' personal devices a third and guests a fourth.

Kk, I'll ask for buying some switches to replace the unmanaged ones.
I'll check the WiFi antennas and the rest of the network for extra active DHCP server activity.
btw, I don't understand what u mean with "running out of a standard class C DHCP range". Can u elaborate, please?

I have a general VLAN (192.168.1.1-253) [DrayTek DHCP server 192.168.1.100-192.168.1.200],
the second internet modem VLAN (192.168.0.1-253) [DHCP enabled too, I think, need to check],
and the cameras VLAN (10.10.11.1-253) [need to check too].
 

kanewolf

Titan
Moderator
I don't understand what u mean with "running out of a standard class C DHCP range". Can u elaborate, please?
If you have more devices than you have DHCP addresses available. A "class C" address has 1 - 254 available -- https://en.wikipedia.org/wiki/Classful_network#Classful_addressing_definition
So it would be possible to run out of address space if you have more than 100 devices (based on your statement above). That could happen with devices connecting to the WIFI.
 
Jan 17, 2020
It is good that you have VLANs, but remember that unmanaged devices won't respect them. Maybe your managed core switch limits things enough, but be careful with unmanaged switches and VLANs.
Got this:


U mean I should deactivate the DHCP server on the other LANs? And only keep the DHCP server on the main VLAN (red admon)?
 
Jan 17, 2020
Hi.

Checked the core switch.

From ports 1-12 "vlan 100" (192.168.1.1-254) [General LAN: printers, copiers, PCs, cell phones, tablets, etc.]
From ports 13-16 "vlan 200" (10.10.11.1-254) [CCTV cameras and NVRs]
From ports 17-23 "vlan1" (192.168.0.1-254) [nothing in it]
Port 24 "bridge" (I think that's how it's called) [sees all 3 VLANs and goes to WAN]
From the switch's 24th port to LAN on the DrayTek router, then to WAN1 (optic fiber) and WAN2 (copper cable).
 

kanewolf

Titan
Moderator
Hi.

Checked the core switch.

From ports 1-12 "vlan 100" (192.168.1.1-254) [General LAN: printers, copiers, PCs, cell phones, tablets, etc.]
From ports 13-16 "vlan 200" (10.10.11.1-254) [CCTV cameras and NVRs]
From ports 17-23 "vlan1" (192.168.0.1-254) [nothing in it]
Port 24 "bridge" (I think that's how it's called) [sees all 3 VLANs and goes to WAN]
From the switch's 24th port to LAN on the DrayTek router, then to WAN1 (optic fiber) and WAN2 (copper cable).
The fact that you have only a single VLAN per port on your managed switch means that any small switches hanging off the core switch don't HAVE to be VLAN aware because that is handled at the core switch.
 
Jan 17, 2020
The fact that you have only a single VLAN per port on your managed switch means that any small switches hanging off the core switch don't HAVE to be VLAN aware because that is handled at the core switch.
Kk, so the configuration is alright?
Even with DHCP enabled in every VLAN? They shouldn't conflict with each other.

Besides, I'm gonna put a MAC filter on my TP-Link antennas, because supposedly there's only room for 3 tablets, 2 PCs, 1 printer and 9 chronometers. But in the Omada controller I've got 34 active clients. So I've got 19 extra connections.
 

kanewolf

Titan
Moderator
Kk, so the configuration is alright?
Even with DHCP enabled in every VLAN? They shouldn't conflict with each other.

Besides, I'm gonna put a MAC filter on my TP-Link antennas, because supposedly there's only room for 3 tablets, 2 PCs, 1 printer and 9 chronometers. But in the Omada controller I've got 34 active clients. So I've got 19 extra connections.
You can definitely test your DHCP servers. Verify you can only ping one of them from downstream of selected ports. Make sure the netmask is appropriate also in your DHCP servers.
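The two checks kanewolf suggests (that only one DHCP server answers on a segment, and that the offers carry the right netmask and pool) can be made from a capture of the DHCPOFFERs a client receives. The script below is an added example, not code from this thread or from DrayTek/TP-Link: it parses raw DHCPOFFER payloads and reports a second answering server or an offer outside the expected range. The expected server 192.168.1.1 and the pool 192.168.1.100-200 are assumptions (the thread gives the pool but not the router's LAN IP), and the sample packets are constructed in the block.

```python
import ipaddress

# Added example, not from the thread: audit captured DHCPOFFER payloads seen on
# one segment to spot a second DHCP server or offers outside the expected pool.
# Assumed: the DrayTek's LAN IP is 192.168.1.1 and its pool is 192.168.1.100-200.
EXPECTED_SERVER = ipaddress.ip_address("192.168.1.1")
EXPECTED_POOL = (ipaddress.ip_address("192.168.1.100"), ipaddress.ip_address("192.168.1.200"))
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # DHCP options start after this, at offset 236

def parse_offer(packet: bytes) -> dict:
    """Read yiaddr and options 53 (message type), 1 (mask), 54 (server id) from
    a raw BOOTP/DHCP payload (UDP data only, no IP/UDP headers)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:      # 255 = end of options
        if packet[i] == 0:                           # 0 = pad byte, no length
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"msg_type": options.get(53, b"\x00")[0],
            "yiaddr": ipaddress.ip_address(packet[16:20]),
            "server": ipaddress.ip_address(options[54]) if 54 in options else None,
            "mask": ipaddress.ip_address(options[1]) if 1 in options else None}

def build_offer(yiaddr: str, server: str, mask: str) -> bytes:
    """Constructed sample DHCPOFFER: 240-byte BOOTP header plus three options."""
    hdr = bytearray(240)
    hdr[0] = 2                                        # op = BOOTREPLY
    hdr[16:20] = ipaddress.ip_address(yiaddr).packed  # offered address
    hdr[236:240] = MAGIC_COOKIE
    return bytes(hdr) + (b"\x35\x01\x02"                                      # 53: DHCPOFFER
                         + b"\x01\x04" + ipaddress.ip_address(mask).packed    # 1: subnet mask
                         + b"\x36\x04" + ipaddress.ip_address(server).packed  # 54: server id
                         + b"\xff")                                           # end

def audit(offers: list) -> list:
    """Return findings for the DHCPOFFERs captured on one segment."""
    parsed = [p for p in map(parse_offer, offers) if p["msg_type"] == 2]
    servers = sorted({str(p["server"]) for p in parsed})
    findings = [f"multiple DHCP servers answering: {servers}"] if len(servers) > 1 else []
    for p in parsed:
        if p["server"] != EXPECTED_SERVER:
            findings.append(f"unexpected server {p['server']} offered {p['yiaddr']}")
        if not EXPECTED_POOL[0] <= p["yiaddr"] <= EXPECTED_POOL[1]:
            findings.append(f"offer {p['yiaddr']} is outside the expected pool")
    return findings
```

Feeding it the UDP payloads of offers captured on a port behind the 192.168.1.x VLAN should yield an empty list; an offer from the 192.168.0.x router shows up as both a second server and an out-of-pool address.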
 
Jan 17, 2020
You can definitely test your DHCP servers. Verify you can only ping one of them from downstream of selected ports. Make sure the netmask is appropriate also in your DHCP servers.
All 3 got the same mask.

And I did a ping to all 3 gateways from a PC in the 192.168.1.xx LAN.

 
Jan 17, 2020
Your last image is bad. That would say that a 192.168.1.x device could get a DHCP request from any of the three servers. Seems like that Vigor router is allowing traffic between VLANs.
Ok, I see.

My boss wants the VLANs to communicate with each other. Should I section the VLANs to isolate the info? And to correct my IP conflict problems?
 

kanewolf

Titan
Moderator
Ok, I see.

My boss wants the VLANs to communicate with each other. Should I section the VLANs to isolate the info? And to correct my IP conflict problems?
Is it unlimited connectivity between them? If so, then VLANs don't really accomplish a lot. Cuts down on the multicast traffic.
I think you are going to need more info on what is desired. For example, why does the camera VLAN need a DHCP server? Seems like that would all be static IPs.
 
Jan 17, 2020
Is it unlimited connectivity between them? If so, then VLANs don't really accomplish a lot. Cuts down on the multicast traffic.
I think you are going to need more info on what is desired. For example, why does the camera VLAN need a DHCP server? Seems like that would all be static IPs.
What do u mean by "unlimited connectivity"?
And yeah, it really doesn't need a DHCP server on the cam VLAN, all are static IPs. So, I shall disable the DHCP server setting on the cam LAN without problems on the other VLANs?
 
Jan 17, 2020
I would look closely at how your patching has been done; I wouldn't be surprised if you have a loop somewhere. Your configuration looks ok, this could be a physical problem.
Yeah, I already did that and all seems ok. No loops in the network, in any of the 3 LANs.
 
Jan 17, 2020
What devices are supposed to have access to the 192.168.0.xx network? You called it a "modem" VLAN above.
None.
Ya, it's the VLAN containing just the second Internet router, in case the first one fails, so we keep an internet connection going.
 

ASK THE COMMUNITY

TRENDING THREADS