please help with mask changing

Hello

Please could someone help me to explane me about changing mask on dc?
Is it a risk as it is with changing IP?

Now i have network 10.0.0.0 and mask 255.255.255.128
As i undertand correct i need to change mask when i want to use ips from
10.0.x.x - 10.4.x.x

Thank you in advance

Hi,

If I understand you question, you will have to change your current subnet
mask on all your network devices from 255.255.255.128 to 255.0.0.0.

I changed IP addresses and even subnet masks on few occasion on domain
controllers and there were no problems... The only problem with changing
subnet mask is -- you have to do it on all your devices (e.g. including
routers). If you don't -- some of these devices will fail to communicate
with other devices on the network and/or internet.

--
Mike
Microsoft MVP - Windows Security

"guzzi" <guzzi@_DOT_yandex.ru> wrote in message
news:OrBRN$(E-Mail Removed)...
> Hello
>
> Please could someone help me to explane me about changing mask on dc?
> Is it a risk as it is with changing IP?
>
> Now i have network 10.0.0.0 and mask 255.255.255.128
> As i undertand correct i need to change mask when i want to use ips from
> 10.0.x.x - 10.4.x.x
>
> Thank you in advance

"guzzi" <guzzi@_DOT_yandex.ru> wrote in message
news:OrBRN$(E-Mail Removed)...
> Now i have network 10.0.0.0 and mask 255.255.255.128
> As i undertand correct i need to change mask when i want to use ips from
> 10.0.x.x - 10.4.x.x

Stay with a 24bit mask (255.255.255.0). Keep the segments below 250-300
hosts, which is what the 24bit mask does. It gives you 245 hosts,...if you
need more than that add a new segment for another 254 hosts.

Follow Miha Pihler's recommendations concerning the other details.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Phillip Windell wrote / napi'sal(a):
> "guzzi" <guzzi@_DOT_yandex.ru> wrote in message
> news:OrBRN$(E-Mail Removed)...
>> Now i have network 10.0.0.0 and mask 255.255.255.128
>> As i undertand correct i need to change mask when i want to use ips from
>> 10.0.x.x - 10.4.x.x
>
> Stay with a 24bit mask (255.255.255.0). Keep the segments below 250-300
> hosts, which is what the 24bit mask does. It gives you 245 hosts,...if you
> need more than that add a new segment for another 254 hosts.
>
> Follow Miha Pihler's recommendations concerning the other details.
>
Thanks guyz

My thought are:

10.0.0.0 - workstations
10.1.0.0 - servers
10.2.0.0 - network devices (switch,hub,network printer...)
10.3.0.0 - 1st dmz
10.4.0.0 - 2nd dmz

so as i understood, i should not going that way?
i have about 100 ip reserved, right now

"guzzi" <guzzi@_DOT_yandex.ru> wrote in message
news:(E-Mail Removed)...
> 10.0.0.0 - workstations
> 10.1.0.0 - servers
> 10.2.0.0 - network devices (switch,hub,network printer...)
> 10.3.0.0 - 1st dmz
> 10.4.0.0 - 2nd dmz

No.
1. There are too many (potential) hosts per subnet.
2. There is no point in breaking it up like that. You are creating
needless
complexity that has no point to it and will most likely be cause you
problems.
3. There is almost never an need for a second DMZ, and there are even
quite few *real* needs for even 1 DMZ to start with.
4. You are wasting IP#s like there is no tomorrow

The purpose of segmenting is two things:
1. Protect agains excessive broadcast.
2. Security enhancement by providing ALCs onthe routers between
segments.

You can't possibly have #1 unless there are more than 250-300 hosts on
segment.
I can see no real reason for #2 either at this point. Real security does not
require it.
Proper Application security and proper NTFS secuity pretty much negate the
need
for ACLs between subnets. ACLs between subnets are the last method you would
use
and they are the least granular and the least flexable.

Try this, all one subnet:
(Avoid heavily over-used IP Ranges)
10.1.10.0 -- 10.1.10.255

10.1.10.1 - Internet Sharing Device
10.1.10.2-10.1.10.20 - Servers, Hubs, Switches, Printers, etc.
10.1.10.21-10.1.10.50 - Statically assigned workstations
10.1.10.51-10.1.10.225 - DHCP Assign hosts
10.1.10.226-10.1.10.254 - Any left over Statically assigned devices

DHCP Scope:
Scope Full Range 10.1.10.1-10.1.10.254
Exclusions: 10.1.10.1-10.1.10.50
10.1.10.226-10.1.10.254
Active range: 10.1.10.51-10.1.10.225
Router: 10.1.10.1
DNS: <server IP#>
WINS: <server IP#>


If you have more than 254 hosts total then add a LAN Router and another
subnet. The above does *not* change other than you add another Scope to the
DHCP (following the same pattern) for the new subnet.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Thanks a lot
Greetz


Phillip Windell wrote / napi'sal(a):
> "guzzi" <guzzi@_DOT_yandex.ru> wrote in message
> news:(E-Mail Removed)...
>> 10.0.0.0 - workstations
>> 10.1.0.0 - servers
>> 10.2.0.0 - network devices (switch,hub,network printer...)
>> 10.3.0.0 - 1st dmz
>> 10.4.0.0 - 2nd dmz
>
> No.
> 1. There are too many (potential) hosts per subnet.
> 2. There is no point in breaking it up like that. You are creating
> needless
> complexity that has no point to it and will most likely be cause you
> problems.
> 3. There is almost never an need for a second DMZ, and there are even
> quite few *real* needs for even 1 DMZ to start with.
> 4. You are wasting IP#s like there is no tomorrow
>
> The purpose of segmenting is two things:
> 1. Protect agains excessive broadcast.
> 2. Security enhancement by providing ALCs onthe routers between
> segments.
>
> You can't possibly have #1 unless there are more than 250-300 hosts on
> segment.
> I can see no real reason for #2 either at this point. Real security does not
> require it.
> Proper Application security and proper NTFS secuity pretty much negate the
> need
> for ACLs between subnets. ACLs between subnets are the last method you would
> use
> and they are the least granular and the least flexable.
>
> Try this, all one subnet:
> (Avoid heavily over-used IP Ranges)
> 10.1.10.0 -- 10.1.10.255
>
> 10.1.10.1 - Internet Sharing Device
> 10.1.10.2-10.1.10.20 - Servers, Hubs, Switches, Printers, etc.
> 10.1.10.21-10.1.10.50 - Statically assigned workstations
> 10.1.10.51-10.1.10.225 - DHCP Assign hosts
> 10.1.10.226-10.1.10.254 - Any left over Statically assigned devices
>
> DHCP Scope:
> Scope Full Range 10.1.10.1-10.1.10.254
> Exclusions: 10.1.10.1-10.1.10.50
> 10.1.10.226-10.1.10.254
> Active range: 10.1.10.51-10.1.10.225
> Router: 10.1.10.1
> DNS: <server IP#>
> WINS: <server IP#>
>
>
> If you have more than 254 hosts total then add a LAN Router and another
> subnet. The above does *not* change other than you add another Scope to the
> DHCP (following the same pattern) for the new subnet.
>