A recent discussion in another thread brought up the idea of supernetting. This isn’t SUSE specific but y’all are my community so thought I’d ask what you think on the matter.
I’ve been a net admin for approx 12 years and have operated under a general rule that a network larger than /24 should be split up if for no other reason than to control broadcast traffic.
Another reason I like keeping my actual clients on classed networks is that my experience with BIND is that REVERSE zones are designated by classed boundaries, not subnet/supernet boundaries. i.e. I’m not aware that I can create a single reverse zone that exactly encompasses a /23 network.
Now, I agree that classless notation makes sense in routing and firewall rules – helps keep things tidy – but in 12 years I’ve never personally seen a need for using classless addresses on any of my actual client machines.
I do note however that my residential ISP issues a /20 netmask in its DHCP leases. This leads me to wonder if an instance of when supernetting makes sense is when the traffic flow is primarily one way and/or when broadcasts are tightly controlled anyway. e.g. The only broadcasts I ever see on my cable modem are ARP and DHCP replies – I have to believe on a /20 with 4078 potential clients that at least one of ’em is a directly connected Windows box that’s ill-configured enough to broadcast its SMB info on its Internet interface; I’d expect to see some DHCP REQUEST broadcasts too but I don’t. I’m guessing my ISP is filtering out such broadcasts as there are obvious reasons why an ISP (and its customers) wouldn’t want just anybody being able to answer DHCP requests (insert evil grin). I can see then how restricting broadcasts would keep such a large network from becoming congested with broadcasts.
Anyway, just thinking out loud and appreciate any feedback as I mull this over.
I think you’re probably already on the right track. Supernetting is done here and I’m not sure we even block broadcasts across the /22 network, though I haven’t bothered to find out how many boxes are physically up on the network either. With that said, a semi-intelligent switch should be able to restrict most of the blasting traffic from going all over the place, since DHCP requests should only need to go to one box, ARP only needs to go to the box with the correct address (not that you’d ever want to force that on a switch), and most other broadcast traffic can probably be limited as well. With switches in place on a network where you are going to have thousands of boxes, supernetting is probably nicer than having that many more networks to watch over. I guess it depends on your need and resources. If you have a network with 250 boxes that will never grow it won’t make sense or get you anything to use supernetting, but if you have 500 boxes that are fairly quiet supernetting may save you some hardware expenses. Keep in mind that some “supernetting” with /22 may be to break down /16 more than it is to build up /24. Having one /16 network is possible, but the number of boxes in an org with a /16 network would almost certainly be painful… plus security benefits having things isolated… I’m just rambling now I think.
Good luck.
lccts1 wrote:
| A recent discussion in another thread brought up the idea of ‘supernetting’ (http://en.wikipedia.org/wiki/Supernet). This isn’t SUSE specific but y’all are my community so thought I’d ask what you think on the matter.
|
| I’ve been a net admin for approx 12 years and have operated under a general rule that a network larger than /24 should be split up if for no other reason than to control broadcast traffic.
|
| Another reason I like keeping my actual clients on classed networks is that my experience with BIND is that REVERSE zones are designated by classed boundaries, not subnet/supernet boundaries. i.e. I’m not aware that I can create a single reverse zone that exactly encompasses a /23 network.
|
| Now, I agree that supernet notation makes sense in routing and firewall rules – helps keep things tidy – but in 12 years I’ve never personally seen a need for using supernetting on any of my actual client machines.
|
| I do note however that my residential ISP issues a /20 netmask in its DHCP leases. This leads me to wonder if an instance of when supernetting makes sense is when the traffic flow is primarily one way and/or when broadcasts are tightly controlled anyway. e.g. The only broadcasts I ever see on my cable modem are ARP and DHCP replies – I have to believe on a /20 with 4078 potential clients that at least one of ’em is a directly connected Windows box that’s ill-configured enough to broadcast its SMB info on its Internet interface; I’d expect to see some DHCP REQUEST broadcasts too but I don’t. I’m guessing my ISP is filtering out such broadcasts as there are obvious reasons why an ISP (and its customers) wouldn’t want just anybody being able to answer DHCP requests (insert evil grin). I can see then how restricting broadcasts would keep such a large network from becoming congested with broadcasts.
|
| Anyway, just thinking out loud and appreciate any feedback as I mull this over.
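The "evil grin" point above, anybody on a large flat segment being able to answer DHCP requests, is worth checking for rather than assuming the ISP or the switch filters it. The following is an added example, not code from the thread or from SUSE: it parses raw BOOTP/DHCP payloads (RFC 2131, options per RFC 2132) and flags OFFER/ACK replies whose server identifier (option 54) is missing or not on an allow-list. The packets are constructed inline with `build_dhcp()` rather than captured, and the authorized server address `10.0.0.1` is an assumption.

```python
"""Rogue DHCP server detection over raw BOOTP/DHCP payloads (RFC 2131/2132).

Added example: sample packets are built with build_dhcp() (constructed test
data, not captured traffic); the authorized-server list is an assumption."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"                          # start of DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2                               # BOOTP 'op' field
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5  # option 53 values
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255


def build_dhcp(op, msg_type, xid, yiaddr="0.0.0.0", server_id=None,
               chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """Construct a minimal DHCP payload (test data only, constructed MAC)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0,
        0x8000 if op == BOOTREQUEST else 0,      # client asks for broadcast reply
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id is not None:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(data):
    """Parse the fixed BOOTP header and the TLV options; ValueError on junk."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", data[:8])
    opts, i = {}, 240
    while i < len(data):
        tag = data[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[tag] = value
        i += 2 + length
    msg_type = opts.get(OPT_MSG_TYPE)
    sid = opts.get(OPT_SERVER_ID)
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(data[16:20])),   # offered address
        "chaddr": data[28:28 + hlen],                          # client MAC
        "msg_type": msg_type[0] if msg_type else None,
        "server_id": str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else None,
    }


def find_rogue_servers(payloads, authorized):
    """Flag OFFER/ACK replies whose option 54 is absent or not allow-listed.
    Returns (xid, server_id, offered address) tuples; junk input is skipped."""
    allowed = {str(ipaddress.IPv4Address(a)) for a in authorized}
    alerts = []
    for raw in payloads:
        try:
            p = parse_dhcp(raw)
        except ValueError:
            continue                                  # not DHCP or malformed
        if p["op"] != BOOTREPLY or p["msg_type"] not in (DHCPOFFER, DHCPACK):
            continue                                  # only server replies matter
        if p["server_id"] not in allowed:             # None (no option 54) is flagged
            alerts.append((f"{p['xid']:#010x}", p["server_id"], p["yiaddr"]))
    return alerts


AUTHORIZED_SERVERS = ["10.0.0.1"]      # assumed: the one legitimate DHCP server
SAMPLE_PAYLOADS = [                    # constructed with build_dhcp(), not captured
    build_dhcp(BOOTREQUEST, DHCPDISCOVER, 0x1A2B3C4D),
    build_dhcp(BOOTREPLY, DHCPOFFER, 0x1A2B3C4D, "10.0.1.50", "10.0.0.1"),
    build_dhcp(BOOTREPLY, DHCPOFFER, 0x1A2B3C4D, "10.0.1.50", "10.0.2.77"),
    build_dhcp(BOOTREPLY, DHCPACK, 0x5E6F7081, "10.0.1.51"),
    b"\x02junk",
]

if __name__ == "__main__":
    for xid, sid, addr in find_rogue_servers(SAMPLE_PAYLOADS, AUTHORIZED_SERVERS):
        print(f"rogue DHCP reply: xid={xid} server_id={sid} offered={addr}")
```

In practice you would feed `find_rogue_servers()` the UDP payloads seen on ports 67/68 (for instance the bytes tcpdump or a raw socket hands you). Detection only tells you a rogue answered; on the "semi-intelligent switch" the reply mentions, the enforcement counterpart is DHCP snooping, which drops server replies arriving on untrusted ports.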
| Keep in mind that some “supernetting” with /22 may be to break down /16…
Wouldn’t that be sub-netting?
Seriously, I do see your point. I think one of my main aversions to subnets larger than /24 is rooted in my early days when networks were 10 Mbit half-duplex – using hubs instead of switches – when it was important to break up the broadcast and collision domains. Mulling that old paradigm over afresh I can see that switching makes that level of granularity a bit obsolete.
The historical class C subnet is not special in any way now, unless the software is badly retarded. It’s just a /24 subnet. A /22 subnet, which is 1022 usable addresses, isn’t really that large.
There’s no problem creating reverse zone files for a /22, you just need 4 /24 reverse maps. Bear in mind that this is partly due to the way BIND is organised. A different nameserver implementation could make it possible to manage the /22 reverse maps as a single block.
Gasp… use something other than BIND? You really ARE trying to break all my paradigms now, aren’t you? You make a good point and I agree – my experience with BIND’s way of organizing reverse zones has no doubt impaired… er… impacted me. I’ve long been aware that you can address a supernet with multiple reverse maps; but that’s my point, it breaks the tidy 1:1 relationship. Not a showstopper by any stretch though – I’m coming to see the light of supernetting and have read some good articles about it since you got my wheels turnin’ a couple of days ago.
Yeah, I thought you’d like that bit about Windows tripping over the .255 supernet addresses. It’s trivial to work around but I think it’s kinda funny that Windows machines even NEED a workaround. Unfortunately our work network is predominantly Windows – so dealing with “badly retarded” software is par for the course!
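Three numbers come up repeatedly in this thread: the usable host count of a /22 (1022), the four /24 `in-addr.arpa` zones BIND needs to cover it, and the host addresses ending in .255 (and .0) that a /24-minded Windows client trips over. The block below is an added example written for this page, not code from the thread or from BIND: it computes all three for any IPv4 CIDR using only the standard library. The sample blocks (`10.0.0.0/22`, `192.168.2.0/23`, `100.64.0.0/20`) are illustrative choices, not addresses from the discussion.

```python
"""Supernet arithmetic for the /22-versus-/24 discussion.

Added example (not from the thread): for a CIDR block it reports the usable
host count, the classful /24 in-addr.arpa zones that exactly cover it, and
the legal host addresses ending in .0 or .255 that /24-minded clients reject."""
import ipaddress


def _v4(cidr):
    net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
    if net.version != 4:
        raise ValueError("IPv4 only")
    return net


def usable_hosts(cidr):
    """Addresses minus network and broadcast (a /31 keeps both, RFC 3021)."""
    net = _v4(cidr)
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def reverse_zones(cidr):
    """Classful /24 reverse zones that exactly cover a prefix of /24 or shorter.
    A /22 needs four, a /20 sixteen. Anything longer than /24 cannot be
    expressed as whole zones; that is the RFC 2317 sub-/24 delegation case."""
    net = _v4(cidr)
    if net.prefixlen > 24:
        raise ValueError("prefix longer than /24: use RFC 2317 delegation")
    zones = []
    for sub in net.subnets(new_prefix=24):
        a, b, c, _d = str(sub.network_address).split(".")
        zones.append(f"{c}.{b}.{a}.in-addr.arpa")
    return zones


def classful_edge_hosts(cidr):
    """Legal host addresses whose last octet is 0 or 255. A /24 has none; in a
    supernet they are real hosts, so a DHCP pool or a client that refuses them
    is applying classful rules to a classless network."""
    net = _v4(cidr)
    return [str(h) for h in net.hosts() if int(h) & 0xFF in (0, 0xFF)]


def summarize(cidr):
    """One dict per block, handy for comparing candidate subnet sizes."""
    net = _v4(cidr)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable_hosts(cidr),
        "reverse_zones": reverse_zones(cidr) if net.prefixlen <= 24 else None,
        "edge_hosts": classful_edge_hosts(cidr),
    }


if __name__ == "__main__":
    # Illustrative blocks, not addresses from the thread.
    for block in ("203.0.113.0/24", "10.0.0.0/22", "192.168.2.0/23", "100.64.0.0/20"):
        s = summarize(block)
        print(f"{block}: {s['usable_hosts']} usable hosts, "
              f"{len(s['reverse_zones'])} reverse zone(s), "
              f"{len(s['edge_hosts'])} host address(es) ending in .0/.255")
```

The `edge_hosts` list is the one to hand to whoever manages the DHCP scope: those addresses are valid and will be leased unless excluded, and the workaround for clients that refuse them is a pool exclusion, not a smaller subnet. The real broadcast address is only the last one of the whole block, which `summarize()` reports separately.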