Old 11-10-2006, 10:04 AM   #1
Hiro
IP Subnetting question

Got a quick question for anyone who might be able to answer *coughKEVSTERcough*

Let's say I'm using these IP subnets:

199.193.202.0 /23
199.193.202.0 /24
199.193.203.0 /24

Now, the guy who handled AD before me had it set up this way. This is obviously overlapping, so my question is, having it set up this way is it causing any conflicts? I see the issues with it, and I am trying to get it changed but we all know how politics can go in large companies.
Old 11-10-2006, 12:05 PM   #2
gwilks98
Thinking about this out loud:

The first subnet will give you:

IP addys 199.193.202.1 to 199.193.202.255
199.193.203.0 to 199.193.203.254
The broadcast for that address is 199.193.203.255.

The second subnet will give you:
IP addys 199.193.202.1 to 199.193.202.254
the broadcast address is 199.193.202.255

The third subnet will give you:

IP addys 199.193.203.1 to 199.193.203.254
the broadcast address is 199.193.203.255

So, my issue is that your broadcast address on one subnet is a valid IP on another.
In addition, if a PC tries to communicate with 199.193.202.255 from a different subnet, ARP won't have a clue how to resolve the IP to a location. The router won't know which subnet to forward the packets to.

Nothing on subnet 2 will be able to communicate with a machine on subnet 1 with the IP 199.193.202.255. It may even broadcast all kinds of traffic to its own LAN even if it is able to find 199.193.202.255. (Which, I would think, is a security concern, among poor setup sapping your bandwidth.)

The reverse would be that 199.193.202.255 is getting another subnet's broadcast traffic as well as traffic meant only for it. I would think that would be a bad thing for protocols that use broadcasting, as it can cause things like DHCP to get confused.


A final point. How does a router with inbound traffic know which subnet to send said traffic to? If it knows of all the subnets, and it needs to send it to 199.193.202.10, will it send the traffic to subnets 1 and 2, or just one or the other? That could be a huge, obscure support problem should an issue arise from that.

I'm too new to my job to be able to tell you if that's a theoretical problem or a real one.

by the way...
ftp://ftp.solarwinds.net/pub/SolarWi...Calculator.exe
REALLY useful.

Last edited by gwilks98 : 11-10-2006 at 12:08 PM.
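A worked check of the overlap gwilks98 walks through above, as an added example that is not part of the original thread. It uses Python's standard ipaddress module on the three prefixes from the first post, lists the addresses that are a network or broadcast address in one prefix but an ordinary host in another, and shows which prefixes a longest-prefix-match router would consider for 199.193.202.10.

```python
import ipaddress

# The three prefixes from the first post in the thread (constructed input).
SUBNETS = [
    "199.193.202.0/23",
    "199.193.202.0/24",
    "199.193.203.0/24",
]


def overlapping_pairs(prefixes):
    """Return every pair of prefixes whose address ranges overlap."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def ambiguous_addresses(prefixes):
    """Addresses that are the network or broadcast address of one prefix
    but an ordinary host address in another prefix: the ones a router or
    ARP cannot treat consistently."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    out = {}
    for a in nets:
        for special, label in ((a.network_address, "network"),
                               (a.broadcast_address, "broadcast")):
            for b in nets:
                if b == a:
                    continue
                # A host address in b: inside b, but not b's own network/broadcast.
                if (special in b and special != b.network_address
                        and special != b.broadcast_address):
                    out.setdefault(str(special), []).append(
                        f"{label} of {a} but host in {b}")
    return out


def route_candidates(prefixes, host):
    """Prefixes containing host, most specific (longest prefix) first."""
    addr = ipaddress.ip_address(host)
    nets = [ipaddress.ip_network(p) for p in prefixes if addr in ipaddress.ip_network(p)]
    return [str(n) for n in sorted(nets, key=lambda n: n.prefixlen, reverse=True)]


if __name__ == "__main__":
    print(overlapping_pairs(SUBNETS))
    print(ambiguous_addresses(SUBNETS))
    print(route_candidates(SUBNETS, "199.193.202.10"))
```

The two ambiguous addresses it reports are exactly the ones gwilks98 flags: 199.193.202.255 (broadcast of the .202/24, a host in the /23) and 199.193.203.0 (network of the .203/24, a host in the /23).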
Old 11-10-2006, 12:54 PM   #3
Hiro
You touched on every topic I have been arguing about. Thank you. I'm just looking for some support so I know mentally that I'm not wrong here.

The reason being, the guy who implemented this got a promotion within the company and will obviously argue (without any conclusive evidence) that he is right and I am wrong and just attempting to make him look bad.

And yes, the Solar Winds calc is a handy little tool.
Old 11-10-2006, 06:03 PM   #4
Kevster
Gwilks98 brings up some good points, and I have a few additional questions:

On the individual .202 and .203 subnets, are these handled by DHCP servers? What routers or switches are set up with these subnets?

What he is trying to do is isolate two subnets (and their resources, like printers and servers) while allowing some hosts to communicate between the two. Does this guy have an IP plan for which hosts are allowed in each subnet and who is allowed in the supernet (the /23 mask)?
Old 11-10-2006, 08:12 PM   #5
Hiro
Quote:
Originally Posted by Kevster
On the individual .202 and 203 subnets, are these handled by DHCP servers? What routers or switches are setup with these subnets?
Handled by the DHCP server. No routers are set up on these subnets. Keep in mind, I'm taking this over from someone, so I am trying to get caught up on a lot of the details myself.

Quote:
Originally Posted by Kevster
What he is trying to do is isolate two subnets (and their resources, like printers and servers) while allowing some hosts to communicate between the two. Does this guy have an IP plan for which hosts are allowed in each subnet and who is allowed in the supernet (the /23 mask)?
I haven't seen any significant IP reservations set that would go with this. He just assigned the subnets at face value and left it as is.
Old 11-11-2006, 03:43 PM   #6
gwilks98
After thinking a bit more on it, I suggest a VLAN setup with 3 subnets, with filters or ACLs applied to them to lock down or open up each as needed.

Instead of reporting that this setup is a problem and making the other guy look bad, I would approach it as an upgrade, to allow for more stability, less support and less administrative overhead. That way, you don't trash his work and you promote your own usefulness.
Old 11-11-2006, 08:34 PM   #7
Hiro
Quote:
Originally Posted by gwilks98
After thinking a bit more on it, I suggest a VLAN setup with 3 subnets, with filters or ACLs applied to them to lock down or open up each as needed.

Instead of reporting that this setup is a problem and making the other guy look bad, I would approach it as an upgrade, to allow for more stability, less support and less administrative overhead. That way, you don't trash his work and you promote your own usefulness.

I can't approach from that angle without being asked why or what's wrong with the current setup so I am preparing for the questions.
Old 11-13-2006, 05:47 AM   #8
Jeffbx
I'd suggest requesting a meeting with the guy who designed it, yourself & at least one other employee. Tell him you've got some questions about the IP setup & would like for him to explain it to you. That way 1) he gets the idea that you're trying to learn & will be less threatened by your questions; 2) he can explain exactly what he was trying to do so you understand where he's coming from; and 3) you have a witness in the room to back you up if you ask him some questions he doesn't have a good answer for.

I've seen people do seemingly silly things like this in the past, and occasionally it's not because they did it wrong, but because someone else is requesting something that's difficult or impossible to configure, and they're doing their best to accommodate it.