  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 632

Building a supernet

Good day net-workers, I have been asked to make 15 subnets inside my plant to segregate off some devices that are causing issues as we grow.

Rather than build each route separately I was wondering how I could best go about doing this.
I remember my super-net stuff from school, kind of, but that was a very long time ago.

I have one more interface on my sonicwall, and it can be configured as whatever.

Currently we have a 10.10.x.x that is being routed by our ISP for branches etc., and we point to their gateway for results. NOW, with that said, all of these new routes are internal and should not go outside of my network.

Here is my proposal for a supernet on our last interface.

IP Range 10.227.0.0 - 10.227.15.255
Subnet 255.255.240.0
gate 10.227.0.254
THIS IS A SUPERNET OF 4094 DEVICES

Due to the nature of the data, can I split it further into the subnets described below, with the gateway and subnets in question? This was just a thought as a way to control broadcast traffic within groups of machines.

Subnet13
IP Range 10.227.13.x
Subnet 255.255.255.0
Gate 10.227.0.254

Subnet14
IP Range 10.227.14.x
Subnet 255.255.255.0
Gate 10.227.0.254

I believe I can build the following.
10.227.0.x - 10.227.15.x
All with the same gateway but I am honestly unsure about the subnet mask.
If I use .240 on all of them, I may run into broadcast storms?

Thoughts and opinions please.
Regards,
Wally
Asked: wlacroix

1 Solution

Infamus commented:
Why don't you use VLAN?

giltjr commented:
What are you trying to accomplish?

If  you have:

IP Range 10.227.0.0 - 10.227.15.255
Subnet 255.255.240.0
gate 10.227.0.254

And they try to configure

IP Range 10.227.13.x
Subnet 255.255.255.0
Gate 10.227.0.254

This may (most likely) break. The problem is that you are saying that if a host with the address 10.227.13.x wants to talk to anything outside of its IP network, send it to 10.227.0.254. The problem is that with a mask of 255.255.255.0, 10.227.0.254 is outside of its IP network (10.227.13.1-254).

Now, OSes will allow you to configure this, and some routers (I've seen L3 switches do this) will respond to the ARP and it will work.

The problem is that in order for this to work, every host must be on the same L2 network, which means the same L2 broadcast domain.

So again, what are you trying to accomplish?

wlacroix (author) commented:
I am trying to isolate each subnet; this is PLC data and I don't know how much broadcasting it will do. So... it was just a thought. We are expecting 3-8 megs of traffic out of each group of PLC devices. I currently have 5 groups with 8 more planned. Suspected IP devices per group is 120+ (1500 IPs give or take).

The proper way to do this would be to put every host with the same subnet mask.
I have a sonicwall 3500 and don't know how to make it route without an interface. Part of this is isolation of the traffic on this subnet from everything else, security first. We don't control all of this network, it's just attaching into ours, so we want to firewall it to boot.

The switches out there are L2 not L3.

So the official recommendation is to use the supernet as it sits, instead of trying to break it up?

Infamus commented:
What is the make and model of your switch and how many?

Never mind, I posted after you said they were L2

giltjr commented:
I personally would invest in at least one L3 switch and create multiple smaller VLANs/IP subnets. If you're going down to /24, you would need to create them "logically".

Meaning if you have 200 servers and don't plan any growth, they could go in their own /24.

If you have 300 desktops you could create a single /25 or create two /24's and allocate the desktop based say on what floor they are or which end of the building they are located in.

It means you have to change the default route/gateway on just about every device, but it will reduce your broadcast domain, make things easier to manage and, if needed, secure some networks from other networks.

Blue Street Tech (Last Knights) commented:
Hi wlacroix,

I like giltjr's approach but I have some comments, see below.

I have a sonicwall 3500 and don't know how to make it route without an interface.
Can't you do this with Policy Based Routing (PBR) or at least Static Routes?

Part of this is isolation of the traffic on this subnet from everything else, security first. We don't control all of this network, it's just attaching into ours, so we want to firewall it to boot.
You need Security Context if you truly want security from other portions of the network...subnets do not equal security whatsoever.

Let us know how it goes!

wlacroix (author) commented:
Hey guys,

Yes we can use PBR, which we do now. I was going to use my last interface on my sonicwall as the gateway (the devices will need to be worked on by various other companies and need internet at some point), so I figured the last sonicwall interface was the best way to go about this.

Yes I have thought about doing smaller /24 subnets; this is why I was thinking of the supernet and assigning them the gateway, but that's not how it would normally work.

Gateways have to be inside the network to work. So I have to build a class B. But how do you split this up properly?

Don't the class C networks I am talking about sit inside a class B?

wlacroix (author) commented:
I would agree, using class C networks to control broadcast would make sense, but what gateway IP do I use, and I only have 1 interface left to use as a gateway.

All of the subnets must be able to hit the internet, talk with some of my existing servers on other subnets, so this will require some routing.

So at this point in the conversation we're expecting 12-15 NEW subnets that would require a single gateway.

wlacroix (author) commented:
So I guess I don't understand how this works.

If I make a class A network of 10.10.0.0 with a subnet mask of 255.255.0.0
and build my class C subnets under this, what do you put as the gateway?

Infamus commented:
You have to create sub interfaces on the firewall (gateway port) for each subnet.

You are going to use vlan, right?

wlacroix (author) commented:
I had not planned on VLANing, no; it's a lot of VLANs!

I do have some other routes in my sonicwall, and that is fine, they have gateways.
I don't know what to put as the gateway in this respect.

Perhaps I am having a terminology issue here.

Sub interfaces are routes?

Infamus commented:
15 VLANs is not a lot....

Some companies have hundreds of vlans.

You can refer to "router on a stick", I'm sure your firewall has that option too.

This is used when your core switch is not layer 3.

wlacroix (author) commented:
My core switch is L3, 5412zl, but my plant switches are not. They are L2 light, I think.

3com 2624 pwr Plus

Yes I can vlan if that is what would be the best option.

My sonicwall is an NSA3500 Enhanced.

Infamus commented:
Sorry, I just quickly browsed this conversation so I might have missed this, but are your plant switches connected to your core switch directly?

If that is the case, you don't need subinterfaces on your sonicwall as your core will handle the routing.

If they are not, how are they connecting to your core site?

wlacroix (author) commented:
Yes they are connected via a single link.

Core to hop 1, hop 1 to 2, and hop 1 to 3

Hop 1 being the most important of that network.

wlacroix (author) commented:
Infamus,

So if I build say 172.0.1.x with a subnet of 255.255.255.0 for group 1
and 172.0.2.x with a subnet of 255.255.255.0
the ARP table should take care of it?

There would be in theory, no way to get from the 172.0.x.x network to my 10.10.10.x network without a gateway.

I thought that in order to traverse networks you had to go through a gateway.

Infamus commented:
Are they connected using trunk ports, meaning all vlans are tagged?

Is the VTP configured on all the switches?

So if I build say 172.0.1.x with a subnet of 255.255.255.0 for group 1
and 172.0.2.x with a subnet of 255.255.255.0
the ARP table should take care of it?

Yes, a layer 3 switch will handle the inter-VLAN traffic.

There would be in theory, no way to get from the 172.0.x.x network to my 10.10.10.x network without a gateway.

The VLAN interface IP will be the gateway IP of each device connected to the VLAN.

The layer 3 switch should have a default route set up to the firewall.
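An added example, not code from anyone in this thread: it checks giltjr's point that a default gateway must sit inside the host's own subnet (the asker's /24 groups pointed at 10.227.0.254 fail that test), then carves the proposed 10.227.0.0/20 supernet into /24s, each with its own in-subnet gateway that would be the VLAN interface address Infamus describes. Using .254 of each /24 as the gateway is an assumption.

```python
import ipaddress

# Values taken from the question: the proposed /20 supernet and the single
# gateway the asker wanted to share across every /24 group.
SUPERNET = ipaddress.ip_network("10.227.0.0/20")
SHARED_GATEWAY = "10.227.0.254"


def gateway_reachable(host_ip, netmask, gateway):
    """True only if the gateway lies inside the host's own subnet.

    A host only ARPs for addresses within its subnet, so a default gateway
    outside that range is unreachable without the L2 tricks giltjr mentions.
    """
    host = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    return ipaddress.ip_address(gateway) in host.network


def usable_hosts(network):
    """Host addresses left after removing network and broadcast addresses."""
    return network.num_addresses - 2


def carve_subnets(supernet, new_prefix=24):
    """Split the supernet into equal subnets, each with its own gateway.

    The gateway is the last usable host of each subnet (assumption: .254),
    which would become the VLAN interface (SVI) address on the L3 core.
    Returns {subnet_cidr: gateway_ip}.
    """
    plan = {}
    for sub in supernet.subnets(new_prefix=new_prefix):
        gateway = sub[-2]          # broadcast address minus one
        plan[str(sub)] = str(gateway)
    return plan


def audit_plan(plan, sample_host_offset=10):
    """Confirm every subnet's gateway is reachable from a host inside it."""
    ok = {}
    for cidr, gateway in plan.items():
        net = ipaddress.ip_network(cidr)
        host = net[sample_host_offset]
        ok[cidr] = gateway_reachable(str(host), str(net.netmask), gateway)
    return ok


if __name__ == "__main__":
    print(gateway_reachable("10.227.13.10", "255.255.255.0", SHARED_GATEWAY))
    print(usable_hosts(SUPERNET))            # broadcast domain of the /20
    plan = carve_subnets(SUPERNET)
    print(plan["10.227.13.0/24"], all(audit_plan(plan).values()))
```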
wlacroix (author) commented:
Ah so I assign an IP to each vlan at the switch level. I have one on my core.

So on the devices inside the subnet, they get the IP that is assigned to the vlan on the switch.

Infamus commented:
Yes,

If you have a DHCP server then you need to add an ip helper address (IP of the server) on each VLAN (this is a Cisco command, so not sure about HP).

You also need to create new subnet scopes on the dhcp server as well.

Infamus commented:
It is the ip helper-address command.

giltjr commented:
Most L3 switches will allow you to code ACLs to prevent communications between two different IP subnets if you want. This can be used to help secure a subnet without having to route traffic through a firewall.