LAN Routing

New LAN Implementation on to existing network

Occasional Visitor

New LAN Implementation on to existing network

Hey Guys,

I kinda got stuck in a network mess at my new job. To give you some background info: Our dept is a sub dept of huge company. And our network was originally desgined to be a flat L2 network. Someway along the line some crafty network guru introduced VOIP and other private networks on the existing network. Now our situation is we are implementing a new private lan to the existing public lan /23 network because we are running out of ip addresses. Our core router is in another building and we cannot manage it. The network architect at our company's NOC gave us an "overlaid" network on the existing network to migrate to. 

The core switches have had an ip address given on the new subnet and to get the subnet working there has been a route made on our firewall for the new subnet to route through the ip address of This is causing multiple connectivity issues to servers that have their default gateway set to You can ping them, but you have issues connecting to websites our internal servers host and other bizarre issues. Not to mention congestion. Also having two subnets on the default VLAN creates two broadcasts. What are some solutions I could implement?


I am attaching a visio diagram I quickly made that explains what I'm dealing with. I can provide switch configs if necessary. 

Respected Contributor

Re: New LAN Implementation on to existing network

I'd try to get watchguard out of the loop for traffic between old and new subnet.
On watchguard, already start using IP in new range (10.15.100.x) and dump the old address
Use this as secondary address on the L3 switch already having IP address

To get rid of the double broadcast.....just finalize the migration.

Occasional Visitor

Re: New LAN Implementation on to existing network

Thanks for the reply.

The issue is I have a lot of app servers and I am not sure how they are designed to behave, so I want to keep the old scheme for my servers until I migrate them one by one. I can cut the users over to a new DHCP.  Some users are statically assigned, without using reservations. 

How would I implement the new lan while keeping interconnectivity between the old lan and the new lan? Right now I'm having some intermittent issues of computers not being able to access their network drives. And I believe it's because of the multiple broadcasts.

Honored Contributor

Re: New LAN Implementation on to existing network

The way I've done migrations like this is this:

1. Create a new VLAN on the network core and give it a new subnet. 

2. Trunk the new VLAN from the Core to one of the Access cabinets

3. Swap one of the PCs on this Access cabinet to the new VLAN, test DHCP & connectivity

4. If test succeeds, migrate all ports in this Access cabinet to the new VLAN.
(Often, I will leave a few hard-basket devices on the old VLAN, for various reasons).

5. Return to 1. and repeat for each Access cabinet in turn, giving each one its own /24 VLAN.

A few queries about what you've described.
 - why do they want you to use a /22 network? You've already learnt the hard way that segmentation is good, segment everything properly - by Access cabinet. It's not like you need to be stingy with 10.../24 subnets, there being 2^16 of them to choose from...(I once worked on the 3rd-biggest sub-company of the 2nd-biggest network in the world, all sharing the same 10.../8 space. We had ample subnets for our 50+ sites).
 - putting the new subnet on the same VLAN as the old flat L2 network. Crazy. Once you start segmenting using VLANs, it simplifies things immensely.
 - I doubt very much that broadcasts have anything to do with your connectivity problems. A flat network twice as big as yours would probably result in 10Mb interfaces failing. I've seen flat networks with many thousands of devices on them that still worked most of the time.
 - why is the routing being done on the firewall? Your Core switch should be doing it. Adding a new subnet/VLAN to the core switch then requires no fiddling with routing, except on the firewall which needs a route for each new subnet, pointing at the core. (Or better yet, an intelligent summary).
 - I don't really understand the routing you describe. If the new 10. network deosn't exist on the FW, then the FW should have a route pointing at the Core switch. You then describe having two L3 interfaces in the 172.. subnet. What's this all about? Each subnet should have one L3 interface. 
Reading between the lines, I am guessing the design flaw here is that the same 172.. subnet is being routed on both the Core and the FW. This is wrong. The FW and Core both being L3 devices, should have a point-to-point subnet linking them, with nothing else on it.

If the Network Core isn't under your control, you might want to take control of your own routing.

Ask for a block of 10.../24 subnets to use. Use one of these blocks as a point-to-point link between your "core" and the main parent company "Core". The main Core needs routes sending traffic for your block of subnets across that link.
Then, at your end, deploy those 10.../24 subnets as you please without the deficient design of the parent company being involved, migrating to them as per the process I outlined..

Occasional Visitor

Re: New LAN Implementation on to existing network

This subnet was given from the main office. I have no control of what they give me. I told them this is how many workstations I have and they gave me a /22. The original network was entirely L2 so they went with a firewall to connect a comcast line and use the firewall to provide comcast clients a way to the router. 

The 172 networks were desgined in house becuase of the IP dilemma. They will be eliminated once the new network is set up.