Guest
Posted: Sat Apr 22, 2006 8:49 pm Post subject: Subnetting, private networks & default routes
I'm (still) having a little trouble wrapping my head around the concept
of subnet masks; specifically in a large private network.
I administer a bunch of machines and networks, most of them beginning
with 172.16 but a couple starting with 172.30. They are all connected
via circuits: T1s, Frame Relays and VPNs. The core network is
172.16.1.0, and one example remote network is 172.16.130.0. The trouble
is that, despite the two nets being connected via Frame Relay, the core
net can ping the remote net but the remote net can't ping hosts in the
core net.
All devices in the core net (172.16) have netmasks of 255.255.0.0, but
the machines in the remote net have netmasks of 255.255.255.0. Is this
part of the problem that I'm facing? I inherited this job only
recently, and as such I didn't make the initial routing & subnetting
decisions. Because I have machines in 172.16 and 172.30 networks, and I
want all machines to be able to communicate with each other, should I
just convert all netmasks into 255.0.0.0 to eliminate the problems I'm
facing?
TIA and HAND,
Chris
Barry Margolin Guest
Posted: Sat Apr 22, 2006 10:47 pm Post subject: Re: Subnetting, private networks & default routes
In article <1145724557.071321.14240@e56g2000cwe.googlegroups.com>,
chriswaltham@gmail.com wrote:
> I'm (still) having a little trouble wrapping my head around the concept
> of subnet masks; specifically in a large private network.
> I administer a bunch of machines and networks, most of them beginning
> with 172.16 but a couple starting with 172.30. They are all connected
> via circuits: T1s, Frame Relays and VPNs. The core network is
> 172.16.1.0, and one example remote network is 172.16.130.0. The trouble
> is that, despite the two nets being connected via Frame Relay, the core
> net can ping the remote net but the remote net can't ping hosts in the
> core net.
> All devices in the core net (172.16) have netmasks of 255.255.0.0, but
> the machines in the remote net have netmasks of 255.255.255.0. Is this
> part of the problem that I'm facing? I inherited this job only
> recently, and as such I didn't make the initial routing & subnetting
> decisions. Because I have machines in 172.16 and 172.30 networks, and I
> want all machines to be able to communicate with each other, should I
> just convert all netmasks into 255.0.0.0 to eliminate the problems I'm
> facing?
When you use network mask 255.255.0.0, you're telling all those machines
that all 172.16.x.y addresses are on the same network. So the
172.16.1.y machines try to talk directly to the 172.16.130.y machines,
rather than sending to the router. You need to change their masks to
255.255.255.0 so that they'll understand that they need to go through
the router for 172.16.x.y addresses where x isn't the same as their
address.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Guest
Posted: Sun Apr 23, 2006 12:37 am Post subject: Re: Subnetting, private networks & default routes
Barry Margolin wrote:
> When you use network mask 255.255.0.0, you're telling all those machines
> that all 172.16.x.y addresses are on the same network. So the
> 172.16.1.y machines try to talk directly to the 172.16.130.y machines,
> rather than sending to the router. You need to change their masks to
> 255.255.255.0 so that they'll understand that they need to go through
> the router for 172.16.x.y addresses where x isn't the same as their
> address.
There are 3 or 4 172.16.x networks that are all connected to the same
switch (e.g. 172.16.1, 172.16.10, 172.16.11) but there's also a handful of 172.16.x networks that
are in remote locations and thus connected by routers. Which is why I
get confused..! :-\
Then there is the 172.16.30 net which is a DMZ, physically in the same
location as 172.16.1 etc but logically separate. That's probably just
confusing the issue though...
I guess my question is, which machines do I need to change netmasks on?
All of them?
Chris
Barry Margolin Guest
Posted: Sun Apr 23, 2006 4:21 am Post subject: Re: Subnetting, private networks & default routes
In article <1145738242.930383.60710@z34g2000cwc.googlegroups.com>,
chriswaltham@gmail.com wrote:
> Barry Margolin wrote:
> > When you use network mask 255.255.0.0, you're telling all those machines
> > that all 172.16.x.y addresses are on the same network. So the
> > 172.16.1.y machines try to talk directly to the 172.16.130.y machines,
> > rather than sending to the router. You need to change their masks to
> > 255.255.255.0 so that they'll understand that they need to go through
> > the router for 172.16.x.y addresses where x isn't the same as their
> > address.
> There are 3 or 4 172.16.x networks that are all connected to the same
> switch (e.g. 172.16.1, 172.16.10, 172.16.11) but there's also a handful of 172.16.x networks that
> are in remote locations and thus connected by routers. Which is why I
> get confused..! :-\
Well, that's just bad design. You need to configure the address ranges
to match the network topology. Different subnets should be connected by
routers, same subnets should be connected by switches.
> Then there is the 172.16.30 net which is a DMZ, physically in the same
> location as 172.16.1 etc but logically separate. That's probably just
> confusing the issue though...
> I guess my question is, which machines do I need to change netmasks on?
> All of them?
You also need to rearrange the addressing. The remote networks
shouldn't be 172.16.x.
However, you can probably get what you have to work by configuring
proxy-arp on all the routers.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
java321 Guest
Posted: Sun Apr 23, 2006 4:40 am Post subject: Re: Subnetting, private networks & default routes
You should be able to route traffic between subnets with different masks. For
example 172.16.x.x/16 in the core and 172.30.x.x/24 in DMZ or remote
locations.
You can also divide 172.16.x.x into subnets and assign different masks.
However, you can't have 172.16.x.x/16 and 172.16.x.x/24 in the same network.
This will cause routing issues.
If you are looking for a quick fix, NAT at remote locations may be a
solution. For example NAT 172.16.64.x/24 to 10.10.10.x/24 should work.
Good luck
Guest
Posted: Sun Apr 23, 2006 9:51 am Post subject: Re: Subnetting, private networks & default routes
Barry Margolin wrote:
> > There are 3 or 4 172.16.x networks that are all connected to the same
> > switch (e.g. 172.16.1, 172.16.10, 172.16.11) but there's also a handful of 172.16.x networks that
> > are in remote locations and thus connected by routers. Which is why I
> > get confused..! :-\
> Well, that's just bad design. You need to configure the address ranges
> to match the network topology. Different subnets should be connected by
> routers, same subnets should be connected by switches.
That's where I get confused though, I'm not real sure of the best
practise in this case. Seeing as I just inherited it and all...
I would be happy with 172.16 being location A, and 172.17 being
location B; but unfortunately (at the moment) .16 is a mix of several
locations. I don't see what's so bad, though, if 172.16.1 and 172.16.2
are in different locations?
> You also need to rearrange the addressing. The remote networks
> shouldn't be 172.16.x.
Okay
> However, you can probably get what you have to work by configuring
> proxy-arp on all the routers.
I'll need to look this up. I know what ARP is, but haven't
considered it for solving this set of problems.
java321 wrote:
> You should be able to route traffic between subnets with different masks. For
> example 172.16.x.x/16 in the core and 172.30.x.x/24 in DMZ or remote
> locations.
But if I want the two nets to communicate, shouldn't the two masks be
the same? In a perfect world, anyway.
> You can also divide 172.16.x.x into subnets and assign different masks.
> However, you can't have 172.16.x.x/16 and 172.16.x.x/24 in the same network.
> This will cause routing issues.
Ah-ha. What kind of routing issues? I think this is exactly what is
happening now...
> If you are looking for a quick fix, NAT at remote locations may be a
> solution. For example NAT 172.16.64.x/24 to 10.10.10.x/24 should work.
Given the size of this network & its importance, I'd really rather get
it done once and done right.
Chris
java321 Guest
Posted: Sun Apr 23, 2006 6:53 pm Post subject: Re: Subnetting, private networks & default routes
> I don't see what's so bad, though, if 172.16.1 and 172.16.2
> are in different locations?
Barry's first reply has the answer to this question. You can have 172.16.1
and 172.16.2 in different locations so long as they have the same subnet mask.
> But if I want the two nets to communicate, shouldn't the two masks be
> the same? In a perfect world, anyway.
So long as you have well defined subnet boundaries, you can subnet your
network in a variety of ways.
Chris Guest
Posted: Sun Apr 23, 2006 8:06 pm Post subject: Re: Subnetting, private networks & default routes
java321 wrote:
> > I don't see what's so bad, though, if 172.16.1 and 172.16.2
> > are in different locations?
> Barry's first reply has the answer to this question. You can have 172.16.1
> and 172.16.2 in different locations so long as they have the same subnet mask.
I guess what I need to do is figure out how to apply his advice to my
network. I've tried to break it down like this:
172.16.1, .10 and .11 have masks of /16 and are local
172.16.120, 172.16.130 have masks of /24 and are different remotes
172.16.25, .26, .27 and .28 have masks of /24 and are different remotes
172.16.4 has a mask of /16 and is local
172.16.5 has a mask of /24 and is bridged to 172.16.4
172.20.1, .2, .3, .4 and .5 have masks of /24 and are different remotes
172.30.1 has a mask of /24 and is the local dmz
> So long as you have well defined subnet boundaries, you can subnet your
> network in a variety of ways.
Without wanting to sound like a fool *g* I guess that I'm missing the
fundamental point; in so far as I'm not sure how I'm supposed to be
defining & bounding them. So, if you could sum it up in a nutshell, I'd
be all ears!
Essentially I want every net to be able to talk to the other nets with
the least amount of trouble.
Chris
java321 Guest
Posted: Mon Apr 24, 2006 2:03 am Post subject: Re: Subnetting, private networks & default routes
Without knowing the details about the network it is impossible to suggest an
IP scheme. That said, here are some suggestions
1- The problem is with the 172.16.x.x addresses.
2- One solution is to change the subnet mask of networks 172.16.1, .4, .10
and .11 to /24.
3- Another solution is to move 172.16.120, .130, .25, .26, .27, .28 to a
different network, for example change the devices in remote network
172.16.130.x/24 to 172.17.130.x. You should be able to test the connectivity
by pinging from both ends
Chris Guest
Posted: Mon Apr 24, 2006 3:23 am Post subject: Re: Subnetting, private networks & default routes
java321 wrote:
> Without knowing the details about the network it is impossible to suggest an
> IP scheme. That said, here are some suggestions
> 1- The problem is with the 172.16.x.x addresses.
> 2- One solution is to change the subnet mask of networks 172.16.1, .4, .10
> and .11 to /24.
> 3- Another solution is to move 172.16.120, .130, .25, .26, .27, .28 to a
> different network, for example change the devices in remote network
> 172.16.130.x/24 to 172.17.130.x. You should be able to test the connectivity
> by pinging from both ends
If I go with solution 2, and change every 172.16.1 device's subnet from
/16 to /24, is there any potential for breakage? It would be nice if I
could use your second suggestion and move the remote networks out of
the 172.16 range, but I'm not sure if that will be practical :-\
Barry Margolin Guest
Posted: Mon Apr 24, 2006 3:47 am Post subject: Re: Subnetting, private networks & default routes
In article <1145771488.306405.59950@v46g2000cwv.googlegroups.com>,
chriswaltham@gmail.com wrote:
> Barry Margolin wrote:
> > > There are 3 or 4 172.16.x networks that are all connected to the same
> > > switch (e.g. 172.16.1, 172.16.10, 172.16.11) but there's also a handful of 172.16.x networks that
> > > are in remote locations and thus connected by routers. Which is why I
> > > get confused..! :-\
> > Well, that's just bad design. You need to configure the address ranges
> > to match the network topology. Different subnets should be connected by
> > routers, same subnets should be connected by switches.
> That's where I get confused though, I'm not real sure of the best
> practise in this case. Seeing as I just inherited it and all...
> I would be happy with 172.16 being location A, and 172.17 being
> location B; but unfortunately (at the moment) .16 is a mix of several
> locations. I don't see what's so bad, though, if 172.16.1 and 172.16.2
> are in different locations?
If the subnet mask is 255.255.0.0, then they will not send to a router
to communicate with each other, because they think they're on the same
subnet.
> > You also need to rearrange the addressing. The remote networks
> > shouldn't be 172.16.x.
> Okay
> > However, you can probably get what you have to work by configuring
> > proxy-arp on all the routers.
> I'll need to look this up. I know what ARP is, but haven't
> considered it for solving this set of problems.
Proxy-arp means that the router will respond to ARP requests for any
remote subnets. So if a machine on the LAN has its subnet mask too
large, and thinks that remote subnets are local, the router will make up
for the mistake.
> java321 wrote:
> > You should be able to route traffic between subnets with different masks. For
> > example 172.16.x.x/16 in the core and 172.30.x.x/24 in DMZ or remote
> > locations.
> But if I want the two nets to communicate, shouldn't the two masks be
> the same? In a perfect world, anyway.
Different networks can certainly have different subnet masks.
172.16.x.x/16 means that all 172.16.*.* addresses are on the local
subnet, so 172.30.x.* are remote. 172.30.x.y/24 means all 172.30.x.*
addresses are on the local subnet, so 172.16.*.* are remote.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Barry Margolin Guest
Posted: Mon Apr 24, 2006 3:51 am Post subject: Re: Subnetting, private networks & default routes
In article <1145808414.795906.80720@j33g2000cwa.googlegroups.com>,
"Chris" <chriswaltham@gmail.com> wrote:
> java321 wrote:
> > > I don't see what's so bad, though, if 172.16.1 and 172.16.2
> > > are in different locations?
> > Barry's first reply has the answer to this question. You can have 172.16.1
> > and 172.16.2 in different locations so long as they have the same subnet mask.
> I guess what I need to do is figure out how to apply his advice to my
> network. I've tried to break it down like this:
> 172.16.1, .10 and .11 have masks of /16 and are local
> 172.16.120, 172.16.130 have masks of /24 and are different remotes
> 172.16.25, .26, .27 and .28 have masks of /24 and are different remotes
> 172.16.4 has a mask of /16 and is local
> 172.16.5 has a mask of /24 and is bridged to 172.16.4
> 172.20.1, .2, .3, .4 and .5 have masks of /24 and are different remotes
> 172.30.1 has a mask of /24 and is the local dmz
> > So long as you have well defined subnet boundaries, you can subnet your
> > network in a variety of ways.
> Without wanting to sound like a fool *g* I guess that I'm missing the
> fundamental point; in so far as I'm not sure how I'm supposed to be
> defining & bounding them. So, if you could sum it up in a nutshell, I'd
> be all ears!
It sounds like you really need to read a tutorial on how subnet masks
are used.
A /16 subnet mask means that all addresses with the same first two
octets as yourself are on your own subnet. So machines on the 172.16.1
subnet think that the 172.16.120 machines can be reached directly,
without going through a router.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
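The on-link decision Barry keeps coming back to (a host with a /16 mask treats every 172.16.x.y address as directly reachable and ARPs for it instead of using the router), the proxy-ARP workaround he describes, and java321's "solution 2" of putting every host on the same /24 can all be checked with a few lines of Python. The script below is an added example written for this page; it is not code from any of the posters. The three hosts are constructed from the inventory Chris listed, and the core router's routing table and interface names are assumptions for illustration.

```python
"""Added example: how a host's own subnet mask decides whether it ARPs for a
destination directly or hands the packet to its router, why a /16 core and a
/24 remote disagree about each other, what proxy ARP on the router does about
it, and what changes once every host carries the same /24 mask.  Standard
library only.  Host addresses are constructed from the inventory posted in the
thread; the router's routing table below is an assumption for illustration."""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed hosts: one in the /16 core, one at a /24 remote site, one in the DMZ.
HOSTS = {
    "core-host":   ip_interface("172.16.1.10/16"),
    "remote-host": ip_interface("172.16.130.10/24"),
    "dmz-host":    ip_interface("172.30.1.10/24"),
}


def next_hop(src, dst):
    """'direct' if src believes dst is on its own subnet (so it will ARP for
    dst and never involve the router), otherwise 'via-router'."""
    return "direct" if ip_address(str(dst)) in src.network else "via-router"


def asymmetric_pairs(hosts):
    """Pairs of hosts whose masks disagree: one side thinks the other is
    on-link while the other side knows it must route.  Each such pair is a
    candidate for traffic that works in one direction only, which is the
    mixed /16 + /24 situation the thread is about."""
    found = []
    names = sorted(hosts)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if next_hop(hosts[a], hosts[b].ip) != next_hop(hosts[b], hosts[a].ip):
                found.append((a, b))
    return found


def with_prefix(hosts, prefixlen):
    """java321's 'solution 2': keep the addresses, give every host the same
    prefix length, so they all agree on what is local."""
    return {name: ip_interface(f"{iface.ip}/{prefixlen}")
            for name, iface in hosts.items()}


# Assumed routing table of the core router: network -> interface it is reached on.
ROUTER_ROUTES = {
    ip_network("172.16.1.0/24"):   "lan",          # directly connected core LAN
    ip_network("172.16.130.0/24"): "frame-relay",  # remote site
    ip_network("172.30.1.0/24"):   "dmz",
}


def proxy_arp_answers(routes, lan_iface, target):
    """Proxy ARP as Barry describes it: the router answers an ARP request
    received on lan_iface with its own MAC if it has a route to the target
    that leaves through some other interface.  It stays silent for targets
    on that LAN itself and for targets it cannot route at all."""
    target = ip_address(target)
    for net, out_iface in routes.items():
        if target in net:
            return out_iface != lan_iface
    return False


if __name__ == "__main__":
    for a, b in asymmetric_pairs(HOSTS):
        print(f"{a} -> {b}: {next_hop(HOSTS[a], HOSTS[b].ip)}; "
              f"{b} -> {a}: {next_hop(HOSTS[b], HOSTS[a].ip)}")
    print("router proxy-ARPs for 172.16.130.10 on the core LAN:",
          proxy_arp_answers(ROUTER_ROUTES, "lan", "172.16.130.10"))
    print("asymmetric pairs after /24 everywhere:",
          asymmetric_pairs(with_prefix(HOSTS, 24)))
```

Run as-is, the script reports that the core host would try to reach the remote host directly while the remote host would route back to the core, that the core router with proxy ARP would answer the core host's ARP request for the remote address, and that no asymmetric pair remains once every host is on a /24. This models the mask logic only: whether the one-way ping Chris sees is actually caused by it, rather than by something like the ACLs or policy routing later posters mention, is a separate question the thread leaves open.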
Chris Guest
Posted: Mon Apr 24, 2006 4:06 am Post subject: Re: Subnetting, private networks & default routes
Barry Margolin wrote:
> > I would be happy with 172.16 being location A, and 172.17 being
> > location B; but unfortunately (at the moment) .16 is a mix of several
> > locations. I don't see what's so bad, though, if 172.16.1 and 172.16.2
> > are in different locations?
> If the subnet mask is 255.255.0.0, then they will not send to a router
> to communicate with each other, because they think they're on the same
> subnet.
Okay, and therefore some of the packets will be dropped because some of
the 172.16s are actually remote... right?
> Proxy-arp means that the router will respond to ARP requests for any
> remote subnets. So if a machine on the LAN has its subnet mask too
> large, and thinks that remote subnets are local, the router will make up
> for the mistake.
Yep, I found it in the IOS manual on Cisco's site. Seeing as it
requires zero configuration it actually looks like it might be a good
fix, albeit a temporary one. Provided it doesn't break anything in the
process, of course...
> > But if I want the two nets to communicate, shouldn't the two masks be
> > the same? In a perfect world, anyway.
> Different networks can certainly have different subnet masks.
> 172.16.x.x/16 means that all 172.16.*.* addresses are on the local
> subnet, so 172.30.x.* are remote. 172.30.x.y/24 means all 172.30.x.*
> addresses are on the local subnet, so 172.16.*.* are remote.
Right, I know that normally that's the case; but in this case where
some of them happen to be remote -- which is why I get confused. :-)
> It sounds like you really need to read a tutorial on how subnet masks
> are used.
It does. And, I did look up a bunch; but they were either quite too
basic or /way/ too complicated. Counting out network addresses into
binary does not interest me 8-)
> A /16 subnet mask means that all addresses with the same first two
> octets as yourself are on your own subnet. So machines on the 172.16.1
> subnet think that the 172.16.120 machines can be reached directly,
> without going through a router.
Okay. So in my case, some of the 172.16s are remote; and therefore
reachable only by routers. Which means I get the three options:
proxy-arp as a temporary fix, moving the networks around as a permanent
fix (no thanks), or changing subnet masks to /24. Correct?
Chris
Guest
Posted: Mon Apr 24, 2006 4:34 am Post subject: Re: Subnetting, private networks & default routes
> Various IP addressing and routing issues.
Chris (OP) said:
> Counting out network addresses into
> binary does not interest me 8-)
In order to assist you _someone_ will have to.
If you don't want to understand IP addressing
(a perfectly reasonable position to have in life) then
you need to hire someone who does if you want
your network to work.
Making such architectural changes as you have
indicated without fully understanding the operation
of the network and the systems that use it is
very likely to result in further problems.
For example the 172.16 machines may actually be
in the same broadcast domain and changing the
mask to /24 from /16 could break existing
function.
It is also very odd that you have pings
working one way and not the other. Ping requires
bi-directional comms in order to work at all, irrespective
of which end the request originated from.
Maybe there is some sort of policy routing
configured? ACLs?
If your reports are sufficiently detailed and complete then
the existing problems are present due to a
failure to understand IP addressing and routing.
It is going to be hard to fix them without fixing the
understanding first.
Good luck.
Chris Guest
Posted: Mon Apr 24, 2006 5:55 am Post subject: Re: Subnetting, private networks & default routes
anybody43@hotmail.com wrote:
> > Various IP addressing and routing issues.
> Chris (OP) said:
> > Counting out network addresses into
> > binary does not interest me 8-)
> In order to assist you _someone_ will have to.
> If you don't want to understand IP addressing
> (a perfectly reasonable position to have in life) then
> you need to hire someone who does if you want
> your network to work.
I was mostly being facetious about the counting in binary, I do want to
obtain a deeper understanding of classless subnetting & routing than I
already do; I just find it amusing that understanding subnet masks
comes down (in part) to counting in binary. :-)
> Making such architectural changes as you have
> indicated without fully understanding the operation
> of the network and the systems that use it is
> very likely to result in further problems.
Yes, it is possible; however in order to troubleshoot the existing
network problems I need to at least make changes somewhere. Perhaps
using proxy-arp on some of the routers to alleviate problems
temporarily whilst I try and understand this better...
> For example the 172.16 machines may actually be
> in the same broadcast domain and changing the
> mask to /24 from /16 could break existing
> function.
How would I be able to investigate that, though? Being on the same
broadcast domain
> It is also very odd that you have pings
> working one way and not the other. Ping requires
> bi-directional comms in order to work at all, irrespective
> of which end the request originated from.
> Maybe there is some sort of policy routing
> configured? ACLs?
I'm also trying to discern that as I go, but there's nothing
immediately obvious -- yet.
> If your reports are sufficiently detailed and complete then
> the existing problems are present due to a
> failure to understand IP addressing and routing.
> It is going to be hard to fix them without fixing the
> understanding first.
At the moment I only have symptoms of problems (e.g. passing pings in
one direction); and I wasn't clear on having two subnet masks for the
same network range so I posted here. But, yes, I would like to
understand it more. If you have any resources you'd like to point me
to...
Chris