Before I joined the company I work at, someone decided to make use of the 10.150.0.0/16 range for the company LAN (despite the company not having nearly that many devices). I think their idea at the time was to use the 3rd IP byte (10.150.X) to separate various infrastructure types while keeping them all on the same network. As such, critical hardware components (routers, APs, main Hyper-V hosts) are on 10.150.0.X, main servers are on 10.150.1.X, secondary servers seem to be on 10.150.2.X, and then there's the DHCP which assigns IPs from 10.150.3.1 to 10.150.4.254.
That's a pretty wide range, and quite frankly, it's a bit of a mess. Especially with the DHCP assigning IPs to everything from PCs, laptops, to mobile phones and even development servers.
I was hoping I could try and clean things up a bit. I'd like to make use of the NPS to set up various policies (so, for example, main domain servers would have a different policy than development servers and these would have a different policy from WiFi connected devices) and then use that information to assign different IP ranges. Except, I'm not sure if this is at all possible, given the wide net mask. Simply trying to set up a second DHCP scope for another IP range (say, 10.150.6.1-10.150.6.254) with the same netmask throws an error in Windows DHCP, which makes sense in a general way.
So, is what I'm trying to do at all possible? Or is my only course of action redesigning and reconfiguring the entire network?
You are correct that /16 with 65,536 IP addresses is an awfully huge subnet for your purposes. If it's ok to have every device on the same subnet, every IP address mentioned here fits within 10.150.0.0/21 with 2,048 addresses. That would be a relatively easy variable to change, at first. Just remember to change it everywhere at once.

If you need to separate the networks and use more than one DHCP scope, you'd use /24 and /23 subnets and arrange routing between them. That enables you to make router level firewall rules and intrusion detection between servers/clients and wired/wireless without accessing their configuration and even with BYOD. For this, with W2008R2 DHCP, you have two options:
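A quick way to check the sizing argument in the answer above before touching the DHCP server, as an added Python example (not code from the asker or the answerer): the address ranges are transcribed from the question, the "proposed second scope" entry is the 10.150.6.x range the asker tried to add, and the function names are my own. It verifies that everything fits in 10.150.0.0/21, lists the /24 and /23 subnets that /21 would split into with their usable host counts, and shows why two scopes with the same /16 mask collide on the same network ID.

```python
import ipaddress

# Address ranges named in the question, transcribed as inclusive (first, last) pairs.
# The "proposed second scope" entry is the 10.150.6.x range the asker tried to add.
RANGES = {
    "core hardware": ("10.150.0.1", "10.150.0.254"),
    "main servers": ("10.150.1.1", "10.150.1.254"),
    "secondary servers": ("10.150.2.1", "10.150.2.254"),
    "DHCP pool": ("10.150.3.1", "10.150.4.254"),
    "proposed second scope": ("10.150.6.1", "10.150.6.254"),
}


def range_fits(first, last, cidr):
    """True if every address from first to last (inclusive) lies inside cidr."""
    net = ipaddress.ip_network(cidr)
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return a <= b and a in net and b in net


def check_all(cidr, ranges=RANGES):
    """Map each named range to whether it fits in cidr; used to test the /21 claim."""
    return {name: range_fits(f, l, cidr) for name, (f, l) in ranges.items()}


def split_plan(cidr, new_prefix):
    """Carve cidr into equal subnets of the given prefix length.

    Returns (subnet, usable host count) pairs; usable = total minus the network
    and broadcast addresses, which is what a DHCP scope can actually hand out.
    """
    net = ipaddress.ip_network(cidr)
    return [(str(s), s.num_addresses - 2) for s in net.subnets(new_prefix=new_prefix)]


def scope_bounds(cidr):
    """First usable, last usable and dotted mask for one subnet, i.e. one DHCP scope."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), str(net.netmask)


def same_network_id(addr_a, addr_b, prefixlen):
    """True if two addresses share a network ID under the given prefix length.

    Two DHCP scopes whose ranges resolve to the same network ID collide, which
    is why a second 10.150.6.x scope under a /16 mask is rejected.
    """
    net_a = ipaddress.ip_network(f"{addr_a}/{prefixlen}", strict=False)
    net_b = ipaddress.ip_network(f"{addr_b}/{prefixlen}", strict=False)
    return net_a == net_b


if __name__ == "__main__":
    print("Addresses in /21:", ipaddress.ip_network("10.150.0.0/21").num_addresses)
    for name, ok in check_all("10.150.0.0/21").items():
        print(f"  {name:24s} fits /21: {ok}")
    print("\n/24 plan:", split_plan("10.150.0.0/21", 24))
    print("/23 plan:", split_plan("10.150.0.0/21", 23))
    print("\nScope for 10.150.6.0/24:", scope_bounds("10.150.6.0/24"))
    print("10.150.3.0 and 10.150.6.0 collide under /16:",
          same_network_id("10.150.3.0", "10.150.6.0", 16))
    print("... and under /24:", same_network_id("10.150.3.0", "10.150.6.0", 24))
```

One caveat the check surfaces: the existing DHCP pool (10.150.3.1 to 10.150.4.254) straddles the 10.150.3/10.150.4 boundary, so it fits neither a single /24 nor a single /23 from the split plan. Whichever of the two routed layouts is chosen, that pool has to be shrunk or moved along with the mask change, and the new scope bounds per subnet come straight out of `scope_bounds`.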