[cisco-voip] OT: using subnet/wildcard mask for group within a group, issues?
Matthew Ballard
mballard at otis.edu
Thu Feb 5 14:07:35 EST 2015
Are you trying to protect the routers from other hosts within the same network, or just from other networks?
If the latter, then what you’re trying to do is simple, and broadcast/not using the addresses you mentioned at the beginning isn’t an issue, as every address in the grouping can be used (subnets in ACLs is just to specify a set of IPs, not defining a subnet in the traditional networking sense).
If the former, you’d be better off with subnets and a layer 3 switch/router to route between the subnets.
Matthew Ballard
Network Manager
Otis College of Art and Design
mballard at otis.edu<mailto:mballard at otis.edu>
CONFIDENTIALITY NOTICE: This electronic message transmission contains information from Otis College of Art and Design, which may be confidential. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the content of this information is prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the original message and any attachment without reading or saving in any manner.
From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Thursday, February 05, 2015 8:35 AM
To: Cisco-voip (cisco-voip at puck.nether.net)
Subject: Re: [cisco-voip] OT: using subnet/wildcard mask for group within a group, issues?
Thanks Anthony!
I should have included that I would be looking at ACLs only, nothing like modifying router interfaces or anything like. Using DHCP reserved addresses, the clients in question would get the appropriate IP address and be allowed through.
---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519‐824‐4120 Ext 56354
lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs>
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1
________________________________
From: "Anthony Holloway" <avholloway+cisco-voip at gmail.com<mailto:avholloway+cisco-voip at gmail.com>>
To: "Lelio Fulgenzi" <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>, "Cisco-voip (cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>)" <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Sent: Thursday, February 5, 2015 11:29:24 AM
Subject: Re: [cisco-voip] OT: using subnet/wildcard mask for group within a group, issues?
I'm no Route/Switch engineer, so I'm likely wrong here, but I'll give my two cents anyway.
You didn't specifically state what you are doing though. E.g., ACLs, Interfaces, Routes, etc.
Let's pretend for a moment you wanted to carve out a new network in your environment for this range.
I don't think you'll be allowed to configure this as different interfaces within a single router. It will tell you that the address on the interface is overlapping with another interface, or something like that. With that, what you could do, is redesign your subnets for this range. You will need to go through the exercise of changing all of the subnet masks for the hosts between .1 - .54. However, it's likely not going to be that easy, as you can see below, the new variable length subnet masks will chop up your existing network into four new networks. The fourth and last one is your desired new network, so really you end up with three networks for the 50 potential hosts which exist in that lower range.
Current (host range) [count]:
192.168.45.0/26<http://192.168.45.0/26> (.1 - .62) [62]
New (host range) [count]:
192.168.45.0/27<http://192.168.45.0/27> (.1 - .30) [30] *
192.168.45.32/28<http://192.168.45.32/28> (.33 - .46) [14] **
192.168.45.48/29<http://192.168.45.48/29> (.49 - .54) [6] ***
192.168.45.56/29<http://192.168.45.56/29> (.57 - .62) [6]
*Because of the new broadcast address of .31, you'd have to re-ip the current .31 host
**Because of the new network address of .32, you'd have to re-ip the current .32 host. Same for the broadcast address of .47, you'd have to re-ip the current .47 host
***Because of the new network address of .48, you'd have to re-ip the current .48 host. Same for the broadcast address of .55, you'd have to re-ip the current .55 host
To see this visually:
[Inline image 2]
If you did a router on a stick with sub interfaces for the four new subnets, then the hosts communicating between subnets cannot talk at layer 2 anymore, and would need to be routed. If you had them plugged into a layer 3 switch that was doing routing, then I wouldn't suspect much would change in terms of traffic patterns or network load. This would be further reduced if you addressed common servers contiguously. E.g., CUCM+CUC+CER+IM&P as .5, .6, .7, and .8.
Routes to this router would not have to change, which is nice, but that's only if your routes were nicely summarized to begin with. I suspect they are. E.g,, A route of 192.168.45.0/26<http://192.168.45.0/26> going to this router, which now has four sub interfaces, one for each new subnet, would still work fine, and would not need to change. If I'm not mistaken, some/all routing protocols would summarize these four networks into 192.168.45.0/26<http://192.168.45.0/26> anyway, for the purpose of advertising to other routers. You may have to turn on route summarization however.
Now, let's pretend you actually just wanted to create an ACL to permit those last 6 hosts to access some other subnet, and keep your existing network intact. Then, this is a whole lot less work and you simply need to create an ACE for your ACL which permits the wild card match. Let's assume that your protected voice subnet was 192.168.46.0/26<http://192.168.46.0/26>
permit ip 192.168.45.56 0.0.0.7 192.168.46.0 0.0.0.63
Or if not using wild card masks
permit ip 192.168.45.56 255.255.255.248 192.168.46.0 255.255.255.192
I don't know if that helped or not, but it was fun using subnet calculating again. Something I haven't done in quite a few years. I think I did it right. ;)
On Thu Feb 05 2015 at 9:11:18 AM Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>> wrote:
This group is full of it. Knowledge, that is. So who better to ask these questions....
I've got a subnet, say 192.168.45.0/26<http://192.168.45.0/26>, of which I want to allow only a small group of that subnet to access a particular host. I'm able to reserve the top end, which falls into another subnet, 192.168.45.56/29<http://192.168.45.56/29>.
So, the first network, 192.168.45.0 has network id .0, first host .1, last host .62, b/cast .63
And, the subgroup would be, network id .56, first host .57, last host .62, b/cast .63
I'm thinking, as long as I don't use 56 and 63, I can do this.
The hosts I will be protecting will be voice gateways, and collaboration servers, e.g. callmanager, connection, etc.
Would there be a time where the hosts being protected would interpret the incorrect broadcast address? I don't see how. But I could be missing something.
Lelio
---
Lelio Fulgenzi, B.A.
Senior Analyst, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph
519‐824‐4120 Ext 56354<tel:519%E2%80%90824%E2%80%904120%20Ext%2056354>
lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>
www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs>
Room 037, Animal Science and Nutrition Building
Guelph, Ontario, N1G 2W1
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150205/25078268/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 12740 bytes
Desc: image001.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20150205/25078268/attachment.png>
More information about the cisco-voip
mailing list