Subnetting Question

I use several small subnets (30 usable hosts on each) with approximately half of the addresses used as fixed addresses on static devices and the rest available to DHCP server for wifi guests etc. I set fixed IPs on the devices so I know how to address them for maintenance etc.
Recently I have found that the DHCP server has been running out of addresses so I must increase the size of the subnet to 62 usable host addresses by editing the subnet mask on the router/DHCP server. Since the starting address will remain the same is it necessary to amend the subnet mask of the fixed IP devices or will they continue to work as a “sub subnet?” Hope this is clear.

You should fix them, yes. If you do not, then your current boxes, when
trying to reach the new addresses just above their range, will try to get
the default gateway to route things, and I suppose that may work, but it
may also fail since the client will try to send data to the gateway
instead of using ARP to find the MAC address of the server directly. I’m
also not positive what will happen if the new boxes in the upper range try
to access those in the lower range. ARP is a layer two thing, so it may
work to get things going, but I’m just not sure since we’re dealing with
layer 2/3 issues.

In the future you may want to give out all addresses via DHCP but just
configure certain MAC addresses to be assigned to their preferred/static
IP addresses. This way you can easily reconfigure this in the future. If
you do so now, it also means that your steps to reconfigure the
currently-static boxes are to just make them use DHCP.


Good luck.


To properly answer your question, you probably should post your configurations.

You may not understand exactly what is happening, so providing the raw information can lead to better advice.

First,
Although possible, I haven’t seen too many DHCP servers define the address range scope by subnet mask. It’s certainly possible and probably preferable but I usually see DHCP scopes defined simply as a starting address, and then an ending address. Of course, when a scope is defined this way the entire range of addresses has to be a subset of a subnet at least that size.

When you wish to define a DHCP scope and also configure fixed IP addresses within the same subnet, as you already seem to know they should be kept separate, else DHCP might assign an address already configured for an existing machine, causing conflict and collisions. Note though that the only real reason for both your DHCP scope and manually fixed addresses to be in the same overall subnet is for all your configured machines from both groups to be able to communicate with each other. If they don’t need to communicate with each other, they can be on entirely different subnets, still with configurations able to access your gateway router and Internet.

Also, don’t overlook ab’s suggestion to configure your fixed address machines as “fixed leases” which means that a fixed IP address is assigned any time DHCP detects a client machine with the specific MAC address connects and requests an address. The object is the best of both worlds, both the ability to push a network configuration remotely to a machine without touching it and also for that machine to be assigned a predictable and unchanging fixed IP address.

Some ideas which may or may not be possible because you didn’t post details,

  • Unless you configured a default Class A private network (10.0.0.0/8) which is very stupid (yet my local library system did just that), you can often “supernet” which means that you can use a subnet mask which combines multiple subnets you wish to support. Assuming you’re not dealing with public networks, this is entirely legal and still stays “private.”
  • Keeping in mind that DHCP scopes and networks are defined centrally by your DHCP server, it’s far easier to “move” or re-assign DHCP client machines rather than modify the network settings of your fixed address machines.
  • Always configure for the future. You’ve learned your lesson that unexpected growth can mean unnecessary future work. This time, configure 3x or more capacity. You can do this by supernetting, maybe choosing a different Private Class. A default Class C network (192.168.x.y/24) “only” has a total of 254 usable addresses. A Class B or Class A private network space typically has more capacity than any small to medium size network could practically use.

HTH,
TSU

Hi and thanks for the reply. I take the points and in due course would always correct the subnet masks on the fixed IP devices. Point of question is will fixed devices continue to work pending correction as I can change the subnet quickly at the router/DHCP server but don’t want all the fixed IP devices to fail as a result.

I know the preferred way of setting up fixed devices is by using mac addresses and tying them to IPs at the DHCP server but I haven’t worked out how I can do this on my particular DHCP server. Will keep trying!
Thanks again,
Budgie2

Hi Tsu,
I think what I am proposing is what you call a “supernet” because if I leave the starting address as is and just increase the subnet from 32 addresses to 64 addresses then the existing subnet will become the first 32 addresses of the new subnet. As I explained briefly in reply to above post, my concern is trying to make the changes without bringing down the whole system. All the devices in the subnet must be able to communicate with each other and in due course I shall have to go into each device and change the subnet masks. Meanwhile I take your point about sizing the system but do have a reasonable excuse. In fact the growth has also presented security and privacy problems too and I am having to re-plan the whole system using VLANs to keep sections private. All a bit OT for here but many thanks for your help and advice. I shall keep working and return when I next get stuck!

Maybe supernetting is what you’re asking about.
But, how you increase your subnet may be important.
Addressing your specific concern whether the fixed IP address machines would be affected… No, <if your new subnet includes your old subnet>. The critical configuration is at your gateway, nowhere else. You can make a mistake or even leave the original network configurations on existing machines, but your gateway’s configuration will determine whether they continue to be recognized as valid hosts on a supported network and whether they would be forwarded (i.e. your rules may need adjusting, too).

In general, excessively large networks (number of addresses) are not an important factor in increasing your attack surface so I wouldn’t use it as a reason to define far more resources than you might ever conceivably need. Instead focus on other intrusion detection and prevention tools.

IMO,
TSU

Hi Tsu, OK many thanks for that. I shall press on but meanwhile I have come across another problem concerning the management IP address of a device. I have come across the term “out of band” or similar. I take this to mean that I am using a management address not in the DHCP subnet address range. Is that correct? Regards, Budgie2

Yes, remember when I stated that for whatever reason it’s SOP to configure a DHCP scope differently (without regard) to the network’s subnet mask? That’s likely what happened.

Start by enumerating your subnet’s addresses (yes, that Base2 calculation) before configuring your DHCP scope.

TSU
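
Added example, not part of any post in this thread: a Python sketch of the case discussed above, where a 30-host subnet is widened to 62 hosts while the fixed-IP devices still carry the old mask. It checks whether the starting address really stays the same and how each side decides to reach the other; the 192.168.10.x addresses and the function names are constructed for illustration.

```python
import ipaddress

def widen(old_cidr, new_prefix):
    """Apply a shorter prefix to an existing subnet, as editing the
    mask on the router/DHCP server does."""
    old = ipaddress.ip_network(old_cidr)
    new = old.supernet(new_prefix=new_prefix)
    return old, new

def path(src_ip, src_prefix, dst_ip):
    """How the source reaches dst, judged only by the source's own mask:
    on-link destinations are resolved with ARP, everything else is
    handed to the default gateway."""
    src_net = ipaddress.ip_interface(f"{src_ip}/{src_prefix}").network
    on_link = ipaddress.ip_address(dst_ip) in src_net
    return "direct (ARP)" if on_link else "via default gateway"

def mixed_mask_report(old_cidr, new_prefix, stale_host, new_host):
    """stale_host keeps the old mask; new_host has the new mask."""
    old, new = widen(old_cidr, new_prefix)
    return {
        "new_network": str(new),
        "usable_hosts": new.num_addresses - 2,
        # False means the old block was the upper half of the new one,
        # so the network address moves and the pool must be re-planned.
        "start_unchanged": new.network_address == old.network_address,
        # A stale host still treats the old broadcast address as
        # broadcast, although it is an ordinary host address now.
        "stale_broadcast": str(old.broadcast_address),
        "new_broadcast": str(new.broadcast_address),
        "stale_to_new": path(stale_host, old.prefixlen, new_host),
        "new_to_stale": path(new_host, new.prefixlen, stale_host),
    }

if __name__ == "__main__":
    # Constructed sample: /27 (30 hosts) widened to /26 (62 hosts).
    aligned = mixed_mask_report("192.168.10.0/27", 26,
                                "192.168.10.10", "192.168.10.40")
    shifted = mixed_mask_report("192.168.10.32/27", 26,
                                "192.168.10.40", "192.168.10.10")
    for label, report in (("aligned", aligned), ("shifted", shifted)):
        print(label)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

The asymmetric result (one direction direct, the other through the gateway) is the interim state the thread is asking about; whether traffic flows in that state depends on the gateway forwarding packets back onto the same LAN and on its filtering rules.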