Security Basics mailing list archives

RE: IP renumbering vs. Stand-alone


From: "Burton Strauss" <Burton () FelisCatus org>
Date: Wed, 30 Nov 2005 12:16:25 -0600

If you can take some time and use DHCP addressing, you can probably do the
renumbering with minimal impact.

Modify your DHCP server to issue leases for a short period - 1-2 hours.  All
that does is cause a little extra traffic as they are renewed more
frequently.

The day of the changeover, have all users shut down their workstations as
they leave.

Then change the DHCP server to start issuing addresses in the new range
(with updated gateway and DNS assignments if necessary) and manually
renumber any statically assigned IPs.

When people come in the next day they'll get an address in the new range and
be good to go.


The only users who will have problems are those who are statically assigned
and whom you don't know about.  The easiest way to handle those is to set up a
sniffer (tcpdump) and look for packets with the old addresses.


-----Burton


-----Original Message-----
From: Mark Wilk [mailto:markwilk () gmail com] 
Sent: Tuesday, November 29, 2005 10:32 AM
To: security-basics () securityfocus com; pen-test () securityfocus com
Subject: IP renumbering vs. Stand-alone

Hello Group,

I work for a small office with around 100 users with two office buildings
connected by fiber.  The main office has two domain controllers and a Lotus
Notes server, all running Win2k3 and the Satellite office has one domain
controller running Win2k3.  All of the users are or will be running Win XP
and we use a PIX firewall.  The issue we have is we recently set up an
additional program (2 users) that is part of our organization but can also
be treated as a stand-alone office.  This separate office needs to VPN into
another location that has the same internal IP numbering scheme as us, which
causes a problem.

Our two options are to renumber our internal IP address or to treat the
office as a complete stand-alone and have them VPN into our network as well
as the other location.  The problem we run into with the stand-alone option
is that this same program might be set up in the satellite office as well
meaning they will have to VPN into 3 different locations.  Another issue is
the fact that both offices are located in the middle of nowhere, so the same
ISP we have in the main office isn't available in the satellite office.
What would be the best way to go about this?  Has anyone had to deal with
renumbering their network?  How much downtime should I expect if I take this
route?  How difficult is it to set up multiple VPN connections on the same
machine?

--
Mark


[Your Skills In Reading Have Improved +1]
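
Added example, not part of either message in this thread: one way to carry out the tcpdump step in the reply, summarising which MAC addresses are still sending from the old range so unknown statically assigned hosts can be tracked down. The old range 192.168.1.0/24, the new range 10.20.0.0/16, the interface name and the sample capture lines are all constructed assumptions.

```shell
#!/bin/sh
# Assumption: the old range is 192.168.1.0/24 (the thread does not state it).
OLD_PREFIX='192.168.1.'   # trailing dot so 192.168.10.x does not match

# Reads `tcpdump -e -n` lines on stdin; prints "source-IP MAC packets"
# for every sender still using an address in the old range.
# Live use (interface name assumed):
#   tcpdump -l -e -n -c 5000 -i eth0 net 192.168.1.0/24 | stragglers
stragglers() {
    awk -v pfx="$OLD_PREFIX" '
    {
        mac = $2; ip = ""
        # Field 3 is the ">" between the two MACs, so start at field 4.
        for (i = 4; i <= NF; i++) {
            if ($i == "tell") { ip = $(i + 1); break }   # ARP request sender
            if ($i == ">")    { ip = $(i - 1); break }   # IPv4 src > dst
        }
        sub(/,$/, "", ip)
        # Drop a trailing .port so TCP/UDP and ICMP sources compare equal.
        if (split(ip, p, "[.]") >= 4) ip = p[1] "." p[2] "." p[3] "." p[4]
        else ip = ""
        if (index(ip, pfx) == 1) seen[ip " " mac]++
    }
    END { for (k in seen) print k, seen[k] }' | LC_ALL=C sort
}

# Constructed capture lines in `tcpdump -e -n` format (not real traffic).
sample_capture() {
    cat <<'EOF'
12:01:02.123456 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.57, length 46
12:01:03.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.168.1.57.1055 > 192.168.1.10.53: 1+ A? example.com. (29)
12:01:04.000000 00:aa:bb:cc:dd:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 66: 10.20.0.15.49152 > 10.20.0.2.445: Flags [S], seq 1, win 65535, length 0
12:01:05.000000 00:de:ad:be:ef:02 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: 192.168.1.200 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
12:01:06.000000 00:aa:bb:cc:dd:03 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 66: 192.168.10.5.1234 > 10.20.0.2.80: Flags [S], seq 1, win 65535, length 0
EOF
}

sample_capture | stragglers
```

The MAC column is what lets you trace a straggler to a switch port or asset record; a sniffer on one segment only sees that segment's traffic, so run it where the old gateway used to answer.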

