[cisco-voip] OT: using subnet/wildcard mask for group within a group, issues?

Anthony Holloway avholloway+cisco-voip at gmail.com
Thu Feb 5 11:29:24 EST 2015


I'm no Route/Switch engineer, so I'm likely wrong here, but I'll give my
two cents anyway.

You didn't specifically state what you are doing though.  E.g., ACLs,
Interfaces, Routes, etc.

Let's pretend for a moment you wanted to carve out a new network in your
environment for this range.

I don't think you'll be allowed to configure this as different interfaces
within a single router.  It will tell you that the address on the interface
is overlapping with another interface, or something like that.  With that,
what you could do, is redesign your subnets for this range.  You will need
to go through the exercise of changing all of the subnet masks for the
hosts between .1 - .54.  However, it's likely not going to be that easy, as
you can see below, the new variable length subnet masks will chop up your
existing network into four new networks.  The fourth and last one is your
desired new network, so really you end up with three networks for the 50
potential hosts which exist in that lower range.

Current (host range) [count]:
192.168.45.0/26 (.1 - .62) [62]

New (host range) [count]:
192.168.45.0/27 (.1 - .30) [30] *
192.168.45.32/28 (.33 - .46) [14] **
192.168.45.48/29 (.49 - .54) [6] ***
192.168.45.56/29 (.57 - .62) [6]

*Because of the new broadcast address of .31, you'd have to re-ip the
current .31 host

**Because of the new network address of .32, you'd have to re-ip the
current .32 host.  Same for the broadcast address of .47, you'd have to
re-ip the current .47 host

***Because of the new network address of .48, you'd have to re-ip the
current .48 host.  Same for the broadcast address of .55, you'd have to
re-ip the current .55 host

To see this visually:
[image: Inline image 2]

If you did a router on a stick with sub interfaces for the four new
subnets, then the hosts communicating between subnets cannot talk at layer
2 anymore, and would need to be routed.  If you had them plugged into a
layer 3 switch that was doing routing, then I wouldn't suspect much would
change in terms of traffic patterns or network load.  This would be further
reduced if you addressed common servers contiguously.  E.g.,
CUCM+CUC+CER+IM&P as .5, .6, .7, and .8.

Routes to this router would not have to change, which is nice, but that's
only if your routes were nicely summarized to begin with.  I suspect they
are.  E.g,,  A route of 192.168.45.0/26 going to this router, which now has
four sub interfaces, one for each new subnet, would still work fine, and
would not need to change.  If I'm not mistaken, some/all routing protocols
would summarize these four networks into 192.168.45.0/26 anyway, for the
purpose of advertising to other routers.  You may have to turn on route
summarization however.

Now, let's pretend you actually just wanted to create an ACL to permit
those last 6 hosts to access some other subnet, and keep your existing
network intact.  Then, this is a whole lot less work and you simply need to
create an ACE for your ACL which permits the wild card match.  Let's assume
that your protected voice subnet was 192.168.46.0/26

permit ip 192.168.45.56 0.0.0.7 192.168.46.0 0.0.0.63

Or if not using wild card masks

permit ip 192.168.45.56 255.255.255.248 192.168.46.0 255.255.255.192

I don't know if that helped or not, but it was fun using subnet calculating
again.  Something I haven't done in quite a few years.  I think I did it
right.  ;)

On Thu Feb 05 2015 at 9:11:18 AM Lelio Fulgenzi <lelio at uoguelph.ca> wrote:

>
> This group is full of it. Knowledge, that is. So who better to ask these
> questions....
>
> I've got a subnet, say 192.168.45.0/26, of which I want to allow only a
> small group of that subnet to access a particular host. I'm able to reserve
> the top end, which falls into another subnet, 192.168.45.56/29.
>
> So, the first network, 192.168.45.0 has network id .0, first host .1, last
> host .62, b/cast .63
> And, the subgroup would be,  network id .56, first host .57, last host
> .62, b/cast .63
>
> I'm thinking, as long as I don't use 56 and 63, I can do this.
>
> The hosts I will be protecting will be voice gateways, and collaboration
> servers, e.g. callmanager, connection, etc.
>
> Would there be a time where the hosts being protected would interpret the
> incorrect broadcast address? I don't see how. But I could be missing
> something.
>
> Lelio
>
>
> ---
> Lelio Fulgenzi, B.A.
> Senior Analyst, Network Infrastructure
> Computing and Communications Services (CCS)
> University of Guelph
>
> 519‐824‐4120 Ext 56354
> lelio at uoguelph.ca
> www.uoguelph.ca/ccs
> Room 037, Animal Science and Nutrition Building
> Guelph, Ontario, N1G 2W1
>
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150205/27229f80/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 12740 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150205/27229f80/attachment.png>


More information about the cisco-voip mailing list