
Thread: Supernetting - what do you think?

  1. #1
    Join Date: Jun 2008 | Location: Kansas City | Posts: 60

    Supernetting - what do you think?

    A recent discussion in another thread brought up the idea of supernetting. This isn't SUSE specific, but y'all are my community so I thought I'd ask what you think on the matter.

    I've been a net admin for approx 12 years and have operated under a general rule that a network larger than /24 should be split up if for no other reason than to control broadcast traffic.

    Another reason I like keeping my actual clients on classed networks is that my experience with BIND is that REVERSE zones are designated by classed boundaries, not subnet/supernet boundaries. i.e. I'm not aware that I can create a single reverse zone that exactly encompasses a /23 network.

    Now, I agree that classless notation makes sense in routing and firewall rules -- helps keep things tidy -- but in 12 years I've never personally seen a need for using classless addresses on any of my actual client machines.

    I do note however that my residential ISP issues a /20 netmask in its DHCP leases. This leads me to wonder if an instance of when supernetting makes sense is when the traffic flow is primarily one way and/or when broadcasts are tightly controlled anyway. e.g. The only broadcasts I ever see on my cable modem are ARP and DHCP replies -- I have to believe on a /20 with 4078 potential clients that at least one of 'em is a directly connected Windows box that's ill-configured enough to broadcast its SMB info on its Internet interface; I'd expect to see some DHCP REQUEST broadcasts too but I don't. I'm guessing my ISP is filtering out such broadcasts as there are obvious reasons why an ISP (and its customers) wouldn't want just anybody being able to answer DHCP requests (insert evil grin). I can see then how restricting broadcasts would keep such a large network from becoming congested with broadcasts.

    Anyway, just thinking out loud and appreciate any feedback as I mull this over.
    Last edited by lccts1; 13-Jun-2008 at 10:44. Reason: typos
    --Khan St Preest

  2. #2
    ab@novell.com NNTP User

    Re: Supernetting - what do you think?

    I think you're probably already on the right track. Supernetting is done here and I'm not sure we even block broadcasts across the /22 network, though I haven't bothered to find how many boxes are physically up on the network either. With that said, a semi-intelligent switch should be able to restrict most of the blasting traffic from going all over the place since DHCP requests should only need to go to one box, ARP only needs to go to the box with the correct address (not that you'd ever want to force that on a switch), and most other broadcast traffic can probably be limited as well. With switches in place on a network where you are going to have thousands of boxes, supernetting is probably nicer than having that many more networks to watch over. I guess it depends on your need and resources. If you have a network with 250 boxes that will never grow it won't make sense or get you anything to use supernetting, but if you have 500 boxes that are fairly quiet supernetting may save you some hardware expenses. Keep in mind that some "supernetting" with /22 may be to break down /16 more than it is to build up /24. Having one /16 network is possible but the number of boxes in an org with a /16 network would almost certainly be painful... plus security benefits having things isolated... I'm just rambling now I think.

    Good luck.

  3. #3
    Join Date: Jun 2008 | Location: Kansas City | Posts: 60

    Re: Supernetting - what do you think?

    Thanks for the feedback ab.

    Keep in mind that some "supernetting" with /22 may be to break down /16...
    Wouldn't that be sub-netting? ;-)

    Seriously, I do see your point. I think one of my main aversions to subnets larger than /24 is rooted in my early days when networks were 10 Mbit half-duplex -- using hubs instead of switches -- when it was important to break up the broadcast and collision domains. Mulling that old paradigm over afresh, I can see that switching makes that level of granularity a bit obsolete.
    --Khan St Preest

  4. #4
    Join Date: Jun 2008 | Location: Kansas City | Posts: 60

    Re: Supernetting - what do you think?

    ken said on the thread that started this one:
    The historical class C subnet is not special in any way now, unless the software is badly retarded. It's just a /24 subnet. A /22 subnet, which is 1022 usable addresses, isn't really that large.
    Badly retarded, you mean like Windows? --> Issues with using supernetted IP address ranges
    --Khan St Preest

  5. #5
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,683 | Blog Entries: 4

    Re: Supernetting - what do you think?

    There's no problem creating reverse zone files for a /22, you just need 4 /24 reverse maps. Bear in mind that this is partly due to the way BIND is organised. A different nameserver implementation could make it possible to manage the /22 reverse maps as a single block.

  6. #6
    Join Date: Jun 2008 | Location: UTC+10 | Posts: 9,683 | Blog Entries: 4

    Re: Supernetting - what do you think?

    Quote Originally Posted by lccts1
    ken said on the thread that started this one:
    Badly retarded, you mean like Windows? --> Issues with using supernetted IP address ranges
    Another point against Windows. However this can be worked around by configuring the DHCP server not to give out any *.255 addresses dynamically.

  7. #7
    Join Date: Jun 2008 | Location: Kansas City | Posts: 60

    Re: Supernetting - what do you think?

    Quote Originally Posted by ken
    A different nameserver implementation could make it possible to manage the /22 reverse maps as a single block.
    Gasp... use something other than BIND? You really ARE trying to break all my paradigms now, aren't you? You make a good point and I agree -- my experience with BIND's way of organizing reverse zones has no doubt impaired... er... impacted me. I've long been aware that you can address a supernet with multiple reverse maps; but that's my point, it breaks the tidy 1:1 relationship. Not a showstopper by any stretch though -- I'm coming to see the light of supernetting and have read some good articles about it since you got my wheels turnin' a couple of days ago.

    Quote Originally Posted by ken
    Another point against Windows. However this can be worked around by configuring the DHCP server not to give out any *.255 addresses dynamically.
    Yeah, I thought you'd like that bit about Windows tripping over the .255 supernet addresses. It's trivial to work around but I think it's kinda funny that Windows machines even NEED a workaround. Unfortunately our work network is predominantly Windows -- so dealing with "badly retarded" software is par for the course!
    Last edited by lccts1; 14-Jun-2008 at 12:00. Reason: typos
    --Khan St Preest
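The two practical points the thread settles on (ken's: a /22 needs four /24 in-addr.arpa maps under BIND, and the DHCP server should simply never hand out the *.255 addresses that Windows trips over) are worked through below as an added Python example. It is not code from the thread or from any of the posters; the 192.168.4.0/22 prefix, the zone directory path and the pool bounds are constructed for illustration, and the only dependency is the standard-library ipaddress module.

```python
"""Added example: classful reverse maps and *.255 exclusions for a supernet.
Not from the thread; prefix, paths and pool bounds are constructed."""
import ipaddress


def reverse_zones(cidr):
    """Classful in-addr.arpa zone names needed to cover an IPv4 prefix of /24
    or shorter. A /22 needs four /24 reverse maps: BIND has no single zone
    that exactly covers a /22, so the supernet is split along octet boundaries."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > 24:
        raise ValueError("longer than /24 needs RFC 2317 delegation, not covered here")
    subnets = [net] if net.prefixlen == 24 else net.subnets(new_prefix=24)
    zones = []
    for sub in subnets:
        o = str(sub.network_address).split(".")
        zones.append(f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa")
    return zones


def ptr_owner(ip, cidr):
    """Return (zone, label): which of the /24 reverse maps holds the PTR for ip."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(cidr)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    o = str(addr).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa", o[3]


def named_conf(cidr, zone_dir="/var/lib/named"):
    """BIND named.conf stanzas, one per /24 reverse map (zone_dir is an assumed path)."""
    stanzas = []
    for z in reverse_zones(cidr):
        stanzas.append(
            f'zone "{z}" IN {{\n'
            f"    type master;\n"
            f'    file "{zone_dir}/{z}.zone";\n'
            "};"
        )
    return "\n".join(stanzas)


def awkward_addresses(cidr, last_octets=(255,)):
    """Host addresses inside the supernet whose last octet is 255. In
    192.168.4.0/22 these are 192.168.4.255, .5.255 and .6.255: valid classless
    hosts, but the thread notes Windows stacks reject them, so the DHCP server
    is configured not to give them out."""
    net = ipaddress.ip_network(cidr)
    return [str(a) for a in net.hosts() if a.packed[-1] in last_octets]


def dhcp_ranges(first, last, excluded):
    """Split the pool [first, last] into contiguous ISC dhcpd 'range' statements
    that skip every excluded address (ISC has no exclusion keyword, so the pool
    is expressed as several ranges)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    skip = sorted(ipaddress.ip_address(x) for x in excluded
                  if lo <= ipaddress.ip_address(x) <= hi)
    ranges, start = [], lo
    for x in skip:
        if x > start:
            ranges.append((start, x - 1))
        start = x + 1
    if start <= hi:
        ranges.append((start, hi))
    return [f"range {a} {b};" for a, b in ranges]


if __name__ == "__main__":
    supernet = "192.168.4.0/22"  # constructed prefix
    print(named_conf(supernet))
    print(ptr_owner("192.168.6.17", supernet))
    bad = awkward_addresses(supernet)
    print("exclude from DHCP:", bad)
    print("\n".join(dhcp_ranges("192.168.4.10", "192.168.7.250", bad)))
```

Running it prints four zone stanzas, shows that 192.168.6.17's PTR lives in 6.168.192.in-addr.arpa under label 17, and turns the pool 192.168.4.10 to 192.168.7.250 into four range statements that step over each *.255 address. The same helpers apply unchanged to any prefix of /24 or shorter, which is the generalisation of ken's "you just need 4 /24 reverse maps".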
