Solved

Building a supernet

Posted on 2013-11-15
Last Modified: 2014-01-28
Good day net-workers, I have been asked to make 15 subnets inside my plant to segregate some devices off that are causing issues as we grow.

Rather than build each route separately I was wondering how I could best go about doing this.
I remember my super-net stuff from school, kind of, but that was a very long time ago.

I have one more interface on my SonicWall, and it can be configured as whatever.

Currently we have a 10.10.x.x that is being routed by our ISP for branches etc., we point to their gateway for results. Now, with that said, all of these new routes are internal and should not go outside of my network.

Here is my proposal for a supernet on our last interface.

IP Range 10.227.0.0 - 10.227.15.255
Subnet 255.255.240.0
gate 10.227.0.254
THIS IS A SUPERNET OF 4094 DEVICES

Due to the nature of the data, can I split it further into the subnets described below, with the gateway and subnets in question? This was just a thought as to how to control broadcast traffic within groups of machines.

Subnet13
IP Range 10.227.13.x
Subnet 255.255.255.0
Gate 10.227.0.254

Subnet14
IP Range 10.227.14.x
Subnet 255.255.255.0
Gate 10.227.0.254

I believe I can build the following.
10.227.0.x - 10.227.15.x
All with the same gateway but I am honestly unsure about the subnet mask.
If I use .240 on all of them, I may run into broadcast storms?

Thoughts and opinions please.
Regards,
Wally
Question by: wlacroix
LVL 12

Expert Comment

by:Infamus
ID: 39651866
Why don't you use VLAN?
 
LVL 57

Expert Comment

by:giltjr
ID: 39652164
What are you trying to accomplish?

If  you have:

IP Range 10.227.0.0 - 10.227.15.255
Subnet 255.255.240.0
gate 10.227.0.254

And they try to configure

IP Range 10.227.13.x
Subnet 255.255.255.0
Gate 10.227.0.254

This may (most likely) break. The problem is that you are saying that if a host with the address 10.227.13.x wants to talk to anything outside of its IP network, it should send it to 10.227.0.254. The problem is that with a mask of 255.255.255.0, 10.227.0.254 is outside of its IP network (10.227.13.1-254).

Now, OSes will allow you to configure this, and some routers (I've seen L3 switches do this) will respond to the ARP and it will work.

The problem is that in order for this to work, every host must be on the same L2 network, which means the same L2 broadcast domain.

So again, what are you trying to accomplish?
 
LVL 3

Author Comment

by:wlacroix
ID: 39652209
I am trying to isolate each subnet, this is PLC data and I don't know how much broadcasting it will do. So... it was just a thought. We are expecting 3-8 megs of traffic out of each group of PLC devices. I currently have 5 groups with 8 more planned. Suspected IP devices per group is 120+ (1500 IPs give or take).

The proper way to do this would be to put every host with the same subnet mask.
I have a SonicWall 3500 and don't know how to make it route without an interface. Part of this is isolation of the traffic on this subnet from everything else, security first. We don't control all of this network, it's just attaching into ours, so we want to firewall it to boot.

The switches out there are L2 not L3.

So the official recommendation is to use the supernet as it sits, instead of trying to break it up?
 
LVL 12

Expert Comment

by:Infamus
ID: 39652211
What is the make and model of your switch and how many?

Never mind, I posted after you said they were L2
 
LVL 57

Expert Comment

by:giltjr
ID: 39652258
I personally would invest in at least one L3 switch and create multiple smaller VLANs/IP subnets. If you go down to /24, you would need to create them "logically".

Meaning if you have 200 servers and don't plan any growth, they could go in their own /24.

If you have 300 desktops you could create a single /25 or create two /24's and allocate the desktop based say on what floor they are or which end of the building they are located in.

It means you have to change the default route/gateway on just about every device, but it will reduce your broadcast domain, make things easier to manage and, if needed, let you secure some networks from other networks.
 
LVL 24

Expert Comment

by:diverseit
ID: 39654403
Hi wlacroix,

I like giltjr's approach but I have some comments, see below.

I have a SonicWall 3500 and don't know how to make it route without an interface.
Can't you do this with Policy Based Routing (PBR) or at least Static Routes?

Part of this is isolation of the traffic on this subnet from everything else, security first. We don't control all of this network, it's just attaching into ours, so we want to firewall it to boot.
You need Security Context if you truly want security from other portions of the network...subnets do not equal security whatsoever.

Let us know how it goes!
 
LVL 3

Author Comment

by:wlacroix
ID: 39657090
Hey guys,

Yes, we can use PBR, which we do now. I was going to use my last interface on my SonicWall as the gateway (the devices will need to be worked on by various other companies and need internet at some point), so I figured the last SonicWall interface was the best way to go about this.

Yes, I have thought about doing smaller /24 subnets, this is why I was thinking of the supernet and assigning them the gateway, but that's not how it would normally work.

Gateways have to be inside the network to work. So I have to build a class B. But how do you split this up properly?

Don't the class C networks I am talking about sit inside a class B?
 
LVL 3

Author Comment

by:wlacroix
ID: 39657125
I would agree, using class C networks to control broadcast would make sense, but what gateway IP do I use? I only have 1 interface left to use as a gateway.

All of the subnets must be able to hit the internet, talk with some of my existing servers on other subnets, so this will require some routing.

So at this point in the conversation we're expecting 12-15 NEW subnets that would require a single gateway.
 
LVL 3

Author Comment

by:wlacroix
ID: 39657143
So I guess I don't understand how this works.

If I make a class A network of 10.10.0.0 with a subnet mask of 255.255.0.0
and build my class C subnets under this, what do you put as the gateway?
 
LVL 12

Expert Comment

by:Infamus
ID: 39657144
You have to create sub interfaces on the firewall (gateway port) for each subnet.

You are going to use VLANs, right?
 
LVL 3

Author Comment

by:wlacroix
ID: 39657152
I had not planned on VLANing, no, it's a lot of VLANs!

I do have some other routes in my SonicWall, and that is fine, they have gateways.
I don't know what to put as the gateway in this respect.

Perhaps I am having a terminology issue here.

Sub interfaces are routes?
 
LVL 12

Expert Comment

by:Infamus
ID: 39657186
15 VLANs is not a lot....

Some companies have hundreds of VLANs.

You can refer to "router on a stick", I'm sure your firewall has that option too.

This is used when your core switch is not layer 3.
 
LVL 12

Expert Comment

by:Infamus
ID: 39657188
 
LVL 3

Author Comment

by:wlacroix
ID: 39657225
My core switch is L3, 5412zl, but my plant switches are not. They are L2 light, I think.

3com 2624 pwr Plus

Yes, I can VLAN if that is what would be the best option.

My SonicWall is an NSA3500 Enhanced.
 
LVL 12

Expert Comment

by:Infamus
ID: 39657240
Sorry, I just quickly browsed this conversation so I might have missed this, but are your plant switches connected to your core switch directly?

If that is the case, you don't need subinterfaces on your SonicWall as your core will handle the routing.

If they are not, how are they connecting to your core site?
 
LVL 3

Author Comment

by:wlacroix
ID: 39657510
Yes they are connected via a single link.

Core to hop 1, hop 1 to 2, and hop 1 to 3

Hop 1 being the most important of that network.
 
LVL 3

Author Comment

by:wlacroix
ID: 39657518
Infamus,

So if I build say 172.0.1.x with a subnet of 255.255.255.0 for group 1
and 172.0.2.x with a subnet of 255.255.255.0
the ARP table should take care of it?

There would be in theory, no way to get from the 172.0.x.x network to my 10.10.10.x network without a gateway.

I thought that in order to traverse networks you had to go through a gateway.
 
LVL 12

Accepted Solution

by:
Infamus earned 500 total points
ID: 39657545
Are they connected using trunk ports, meaning all VLANs are tagged?

Is the VTP configured on all the switches?

So if I build say 172.0.1.x with a subnet of 255.255.255.0 for group 1
and 172.0.2.x with a subnet of 255.255.255.0
the ARP table should take care of it?

Yes, the layer 3 switch will handle the inter-VLAN traffic.

There would be in theory, no way to get from the 172.0.x.x network to my 10.10.10.x network without a gateway.

The VLAN interface IP will be the gateway IP of each device connected to that VLAN.

The layer 3 switch should have a default route set up to the firewall.
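The two addressing plans from this thread, checked with Python's standard-library ipaddress module: giltjr's point above that a host in 10.227.13.0/24 cannot reach a gateway at 10.227.0.254 (it is outside the host's mask), and the accepted design where each /24 VLAN gets its own switch interface address as the gateway. This is an added example, not code from anyone in the thread; the .254 per-VLAN gateway and the use of 10.227.0.0/24 as the switch-to-firewall transit subnet are assumptions.

```python
"""Added example: validate the addressing plans discussed in the thread.

Plan A (original proposal): hosts in 10.227.13.0/24, gateway 10.227.0.254.
Plan B (accepted solution): one /24 VLAN per PLC group, with the L3
switch's VLAN interface as that group's gateway. The .254 gateway and the
reserved transit /24 are assumptions, not something the thread specifies.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def gateway_on_link(host: str, gateway: str) -> bool:
    """True if the gateway is inside the host's own subnet.

    host is 'address/prefix' or 'address/dotted-mask'. A host only ARPs
    for addresses in this range and sends everything else to the gateway,
    so an off-link gateway works only if some router proxy-ARPs for it,
    and only while every host shares one L2 broadcast domain.
    """
    return IPv4Address(gateway) in IPv4Interface(host).network


def broadcast_domain_hosts(network: str) -> int:
    """Usable addresses that share a single broadcast domain."""
    return IPv4Network(network).num_addresses - 2


def plan_vlan_gateways(supernet: str, groups: int) -> dict:
    """Carve the supernet into /24s, one VLAN per PLC group.

    Returns {vlan_id: (subnet, gateway)} where vlan_id is the third octet
    (so 'Subnet13' from the question becomes VLAN 13) and the gateway is
    the switch VLAN interface at .254 of that subnet. The first /24 (.0)
    is skipped and left as the transit subnet holding the firewall's
    10.227.0.254, the next hop of the switch's default route.
    """
    subnets = list(IPv4Network(supernet).subnets(new_prefix=24))
    plan = {}
    for subnet in subnets[1:groups + 1]:
        vlan_id = subnet.network_address.packed[2]
        gateway = subnet.network_address + 254
        # Unlike Plan A, this gateway is on-link for every host in the VLAN.
        assert gateway_on_link(f"{subnet.network_address + 1}/24", str(gateway))
        plan[vlan_id] = (str(subnet), str(gateway))
    return plan
```

With Plan A, gateway_on_link returns False for a /24 host and True only for the flat /20, whose single broadcast domain holds 4094 addresses; Plan B keeps every domain at 254.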
 
LVL 3

Author Comment

by:wlacroix
ID: 39657902
Ah, so I assign an IP to each VLAN at the switch level. I have one on my core.

So the devices inside the subnet get, as their gateway, the IP that is assigned to the VLAN on the switch.
 
LVL 12

Expert Comment

by:Infamus
ID: 39657913
Yes,

If you have a DHCP server then you need to add an IP helper address (the IP of the server) on each VLAN (this is a Cisco command, so not sure about HP).

You also need to create new subnet scopes on the DHCP server as well.
 
LVL 12

Expert Comment

by:Infamus
ID: 39657929
It is the ip helper-address command.
 
LVL 57

Expert Comment

by:giltjr
ID: 39658158
Most L3 switches will allow you to code ACLs to prevent communications between two different IP subnets if you want. This can be used to help secure a subnet without having to route traffic through a firewall.