Solved

Building a supernet

Posted on 2013-11-15
Last Modified: 2014-01-28
Good day net-workers, I have been asked to make 15 subnets inside my plant to segregate off some devices that are causing issues as we grow.

Rather than build each route separately I was wondering how I could best go about doing this.
I remember my super-net stuff from school, kind of, but that was a very long time ago.

I have one more interface on my SonicWall, and it can be configured as whatever.

Currently we have a 10.10.x.x that is being routed by our ISP for branches etc etc, we point to their gateway for results. NOW with that said, all of these new routes are internal and should not go outside of my network.

Here is my proposal for a supernet on our last interface.

IP Range 10.227.0.0 - 10.227.15.255
Subnet 255.255.240.0
gate 10.227.0.254
THIS IS A SUPERNET OF 4094 DEVICES

Due to the nature of the data, can I split it further into the subnets described below, with the gateway and subnets in question? This was just a thought as to control broadcast traffic within groups of machines.

Subnet13
IP Range 10.227.13.x
Subnet 255.255.255.0
Gate 10.227.0.254

Subnet14
IP Range 10.227.14.x
Subnet 255.255.255.0
Gate 10.227.0.254

I believe I can build the following.
10.227.0.x - 10.227.15.x
All with the same gateway, but I am honestly unsure about the subnet mask.
If I use .240 on all of them, I may run into broadcast storms?

Thoughts and opinions please.
Regards,
Wally
Question by:wlacroix
22 Comments
 
LVL 12

Expert Comment

by:Infamus
ID: 39651866
Why don't you use VLAN?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39652164
What are you trying to accomplish?

If  you have:

IP Range 10.227.0.0 - 10.227.15.255
Subnet 255.255.240.0
gate 10.227.0.254

And they try to configure

IP Range 10.227.13.x
Subnet 255.255.255.0
Gate 10.227.0.254

This may (most likely) break.  The problem is that you are saying that if a host with the address 10.227.13.x wants to talk to anything outside of its ip network to send it to 10.227.0.254.  The problem is with a mask of 255.255.255.0, 10.227.0.254 is outside of its ip network (10.227.13.1-254).

Now, OS's will allow you to configure this and some routers (I've seen L3 switches do this) will respond to the ARP and it will  work.

The problem is that in order for this to work, every host must be on the same L2 network, which means the same L2 broadcast domain.

So again, what are you trying to accomplish?
0
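The failure giltjr describes (a /24 host told to use a gateway that sits outside its own /24) can be checked with a few lines of Python's standard `ipaddress` module. This is an added example, not code from the thread; it uses only the addresses and masks quoted in the question and nothing else.

```python
"""Added example (not from the thread): check whether a proposed default
gateway is on-link for a host, and carve the 10.227.0.0/20 supernet from
the question into /24s, each with its own gateway. Standard library only."""
import ipaddress
from typing import List, Tuple


def on_link(host: str, mask: str, gateway: str) -> bool:
    """True if `gateway` lies inside the IP network that `host`/`mask`
    places the host in. A host only ARPs for addresses on its own network,
    so an off-link gateway is unreachable without L3-switch tricks."""
    iface = ipaddress.IPv4Interface(f"{host}/{mask}")
    return ipaddress.IPv4Address(gateway) in iface.network


def usable_hosts(network: str) -> int:
    """Host count excluding the network and broadcast addresses."""
    return ipaddress.IPv4Network(network).num_addresses - 2


def carve(supernet: str, new_prefix: int,
          gateway_host: int = 254) -> List[Tuple[str, str, str]]:
    """Split `supernet` into /new_prefix subnets and return
    (network, gateway, broadcast) per subnet. The gateway is placed at
    offset `gateway_host` from the network address (.254 in a /24, the
    convention the question uses), so every subnet gets its own gateway
    instead of all sharing 10.227.0.254."""
    out = []
    for sub in ipaddress.IPv4Network(supernet).subnets(new_prefix=new_prefix):
        gw = sub.network_address + gateway_host
        if not sub.network_address < gw < sub.broadcast_address:
            raise ValueError(f"offset {gateway_host} is not a host in {sub}")
        out.append((str(sub), str(gw), str(sub.broadcast_address)))
    return out


if __name__ == "__main__":
    # The question's "Subnet13" with a /24 mask and the supernet gateway.
    print("gw on-link for 10.227.13.x/24 :",
          on_link("10.227.13.5", "255.255.255.0", "10.227.0.254"))
    # Same host with the /20 supernet mask: now the gateway is on-link,
    # but all 16 /24s are one broadcast domain.
    print("gw on-link for 10.227.13.x/20 :",
          on_link("10.227.13.5", "255.255.240.0", "10.227.0.254"))
    print("usable hosts in /20           :", usable_hosts("10.227.0.0/20"))
    for net, gw, bcast in carve("10.227.0.0/20", 24):
        print(f"{net:18} gateway {gw:15} broadcast {bcast}")
```

Running it shows the /24 + shared-gateway plan fails the on-link test, the /20 passes but keeps all 4094 hosts in one broadcast domain, and the per-/24 carve gives each group its own gateway (10.227.13.254, 10.227.14.254, ...), which is the address that later in the thread ends up on the VLAN interface of the L3 switch.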
 
LVL 3

Author Comment

by:wlacroix
ID: 39652209
I am trying to isolate each subnet; this is PLC data and I don't know how much broadcasting it will do. So... it was just a thought. We are expecting 3-8 megs of traffic out of each group of PLC devices. I currently have 5 groups with 8 more planned. Suspected IP devices per group is 120+ (1500 IPs, give or take).

The proper way to do this would be to put every host on the same subnet mask.
I have a SonicWall 3500 and don't know how to make it route without an interface. Part of this is isolation of the traffic on this subnet from everything else; security first. We don't control all of this network, it's just attaching into ours, so we want to firewall it to boot.

The switches out there are L2 not L3.

So the official recommendation is to use the supernet as it sits, instead of trying to break it up?
0
 
LVL 12

Expert Comment

by:Infamus
ID: 39652211
What is the make and model of your switch and how many?

Never mind, I posted after you said they were L2
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39652258
I personally would invest in at least one L3 switch and create multiple smaller VLANs/IP subnets. If you go down to /24s, you would need to create them "logically".

Meaning if you have 200 servers and don't plan any growth, they could go in their own /24.

If you have 300 desktops you could create a single /25 or create two /24's and allocate the desktop based say on what floor they are or which end of the building they are located in.

It means you have to change the default route/gateway on just about every device, but it will reduce your broadcast domain and make things easier to manage and if needed to secure some networks from other networks.
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39654403
Hi wlacroix,

I like giltjr's approach but I have some comments, see below.

I have a sonicwall 3500 and dont know how to make it route without an interface.
Can't you do this with Policy Based Routing (PBR) or at least Static Routes?

Part of this is isolation of the traffic on this subnet from everything else, security first. We dont control all of this network, its just attaching into ours, so we want to firewall it to boot.
You need Security Context if you truly want security from other portions of the network...subnets do not equal security whatsoever.

Let us know how it goes!
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39657090
Hey guys,

Yes we can use PBR, which we do now. I was going to use my last interface on my SonicWall as the gateway (the devices will need to be worked on by various other companies and need internet at some point), so I figured the last SonicWall interface was the best way to go about this.

Yes I have thought about doing smaller /24 subnets; this is why I was thinking of the supernet and assigning them the gateway, but that's not how it would normally work.

Gateways have to be inside the network to work. So I have to build a class B. But how do you split this up properly?

Don't the class C networks I am talking about sit inside a class B?
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39657125
I would agree, using class C networks to control broadcast would make sense, but what gateway IP do I use, and I only have 1 interface left to use as a gateway.

All of the subnets must be able to hit the internet, talk with some of my existing servers on other subnets, so this will require some routing.

So at this point in the conversation we're expecting 12-15 NEW subnets that would require a single gateway.
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39657143
So I guess I don't understand how this works.

If I make a class A network of 10.10.0.0 with a subnet mask of 255.255.0.0
and build my class C subnets under this, what do you put as the gateway?
0
 
LVL 12

Expert Comment

by:Infamus
ID: 39657144
You have to create sub interfaces on the firewall (gateway port) for each subnet.

You are going to use vlan, right?
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39657152
I had not planned on VLANing, no; it's a lot of VLANs!

I do have some other routes in my SonicWall, and that is fine, they have gateways.
I don't know what to put as the gateway in this respect.

Perhaps I am having a terminology issue here.

Sub interfaces are routes?
0
 
LVL 12

Expert Comment

by:Infamus
ID: 39657186
15 VLANs is not a lot....

Some companies have hundreds of vlans.

You can refer to "router on a stick", I'm sure your firewall has that option too.

This is used when your core switch is not layer 3.
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39657225
My core switch is L3, a 5412zl, but my plant switches are not. They are L2 lite, I think.

3com 2624 pwr Plus

Yes I can vlan if that is what would be the best option.

My sonicwall is an NSA3500 Enhanced.
0
 
LVL 12

Expert Comment

by:Infamus
ID: 39657240
Sorry, I just quickly browsed this conversation so I might have missed this, but are your plant switches connected to your core switch directly?

If that is the case, you don't need subinterfaces on your SonicWall as your core will handle the routing.

If they are not, how are they connecting to your core site?
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39657510
Yes, they are connected via a single link.

Core to hop 1, hop 1 to 2, and hop 1 to 3.

Hop 1 being the most important of that network.
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39657518
Infamus,

So if I build, say, 172.0.1.x with a subnet of 255.255.255.0 for group 1
and 172.0.2.x with a subnet of 255.255.255.0,
the ARP table should take care of it?

There would be, in theory, no way to get from the 172.0.x.x network to my 10.10.10.x network without a gateway.

I thought that in order to traverse networks you had to go through a gateway.
0
 
LVL 12

Accepted Solution

by:
Infamus earned 500 total points
ID: 39657545
Are they connected using trunk ports, meaning all VLANs are tagged?

Is VTP configured on all the switches?

So if I build, say, 172.0.1.x with a subnet of 255.255.255.0 for group 1
and 172.0.2.x with a subnet of 255.255.255.0,
the ARP table should take care of it?

Yes, a layer 3 switch will handle the inter-VLAN traffic.

There would be, in theory, no way to get from the 172.0.x.x network to my 10.10.10.x network without a gateway.

The VLAN interface IP will be the gateway IP of each device connected to that VLAN.

The layer 3 switch should have a default route set up to the firewall.
0
 
LVL 3

Author Comment

by:wlacroix
ID: 39657902
Ah, so I assign an IP to each VLAN at the switch level. I have one on my core.

So the devices inside the subnet get, as their gateway, the IP that is assigned to the VLAN on the switch.
0
 
LVL 12

Expert Comment

by:Infamus
ID: 39657913
Yes,

If you have a DHCP server then you need to add an ip helper address (IP of the server) on each VLAN (this is a Cisco command, so not sure about HP).

You also need to create new subnet scopes on the DHCP server as well.
0
 
LVL 12

Expert Comment

by:Infamus
ID: 39657929
It is ip helper-address command.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39658158
Most L3 switches will allow you to code ACLs to prevent communications between two different IP subnets if you want. This can be used to help secure a subnet without having to route traffic through a firewall.
0
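Putting the accepted solution and giltjr's ACL remark together: one /24 per PLC VLAN carved out of 10.227.0.0/20, the gateway for each on a VLAN interface of the L3 core, DHCP relayed with ip helper-address, a default route to the firewall, and an inbound ACL per PLC VLAN that stops PLC groups routing to each other while still letting them reach the servers and the internet through the default route. The planner below is an added example, not from the thread or from any vendor; it renders Cisco IOS-style syntax (the page itself notes the HP 5412zl command set differs), and the transit VLAN id, firewall address 10.227.0.1 and DHCP server 10.10.10.5 are made-up assumptions.

```python
"""Added example (not from the thread): plan one /24 per PLC VLAN inside
the poster's 10.227.0.0/20, with the gateway on an SVI of the L3 core,
DHCP relay, a default route to the firewall, and a per-VLAN ACL that
blocks PLC-to-PLC routing. IOS-style output is assumed; HP and SonicWall
syntax differ. Firewall/DHCP addresses are constructed, not from the page."""
import ipaddress
from typing import Dict, List


def wildcard(network: str) -> str:
    """IOS ACLs use an inverse mask: /24 -> 0.0.0.255, /20 -> 0.0.15.255."""
    return str(ipaddress.IPv4Network(network).hostmask)


def plan_vlans(supernet: str, plc_vlans: List[int],
               gw_host: int = 254) -> List[Dict[str, str]]:
    """VLAN id n gets the n-th /24 of the supernet, so VLAN 13 is
    10.227.13.0/24, matching the poster's 'Subnet13' naming. The 0th /24
    is reserved as the transit network between core and firewall."""
    nets = list(ipaddress.IPv4Network(supernet).subnets(new_prefix=24))
    plan = []
    for vid in plc_vlans:
        if not 1 <= vid < len(nets):
            raise ValueError(f"VLAN {vid} has no /24 inside {supernet}")
        net = nets[vid]
        plan.append({
            "vlan": str(vid),
            "network": str(net),
            "address": str(net.network_address),
            "mask": str(net.netmask),
            "wildcard": str(net.hostmask),
            "gateway": str(net.network_address + gw_host),
        })
    return plan


def render_ios(supernet: str, plan: List[Dict[str, str]], transit_vlan: int,
               core_transit_ip: str, firewall_ip: str, dhcp_ip: str) -> str:
    """Render SVIs, DHCP relay, per-VLAN ACLs and the default route."""
    sup = ipaddress.IPv4Network(supernet)
    transit = list(sup.subnets(new_prefix=24))[0]
    lines = [
        f"interface Vlan{transit_vlan}",
        " description transit to firewall",
        f" ip address {core_transit_ip} {transit.netmask}",
        "!",
    ]
    for p in plan:
        acl = f"PLC-VLAN{p['vlan']}"
        lines += [
            f"vlan {p['vlan']}",
            f" name PLC-{p['vlan']}",
            f"interface Vlan{p['vlan']}",
            f" ip address {p['gateway']} {p['mask']}",
            f" ip helper-address {dhcp_ip}",      # relay DHCP broadcasts
            f" ip access-group {acl} in",
            "!",
            f"ip access-list extended {acl}",
            " remark local subnet, including the SVI itself",
            f" permit ip {p['address']} {p['wildcard']} {p['address']} {p['wildcard']}",
            " remark no routing to any other subnet of the PLC supernet",
            f" deny ip {p['address']} {p['wildcard']} {sup.network_address} {sup.hostmask}",
            " remark everything else (servers, internet) via default route",
            " permit ip any any",
            "!",
        ]
    lines.append(f"ip route 0.0.0.0 0.0.0.0 {firewall_ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    groups = plan_vlans("10.227.0.0/20", [13, 14])
    print(render_ios("10.227.0.0/20", groups, transit_vlan=2,
                     core_transit_ip="10.227.0.254", firewall_ip="10.227.0.1",
                     dhcp_ip="10.10.10.5"))
```

The ACL order matters: the first line keeps traffic to the VLAN's own gateway working, the deny covers the whole /20 so a PLC group cannot reach another group (or the transit network) through the core, and the final permit lets the default route carry traffic to the 10.10.x.x servers and out through the SonicWall. DHCP discovers (source 0.0.0.0, destination 255.255.255.255) fall through to the final permit and are relayed by the helper address.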
