Kitz Forum

Internet => General Internet => Topic started by: Weaver on September 21, 2019, 08:36:28 PM

Title: Subnet range within an enclosing wider range
Post by: Weaver on September 21, 2019, 08:36:28 PM
Say I have a subnet IP address range a … b and call the subnet p say and within it somewhere suitable I position a sub-subrange of a small number of IP addresses, call that sub-subnet s.

If I set this up as two <subnet /> definitions appropriately in my router, will this work? I’m hoping it will, because despite the clashing ranges the idea is that the most-specific / longest-prefix wins routing table algorithm will pick sub-subnet s in preference when it matches. Is this correct?
Title: Re: Subnet range within an enclosing wider range
Post by: burakkucat on September 21, 2019, 08:59:42 PM
I suspect you are thinking of IPv6 addresses . . . just checking all the facts. As I really can't "get my head around" IPv6, I'm trying to picture it in terms of IPv4.

Would it be fairly simple for you to set up a test? A few experiments should give results that would lead to a definitive answer.
Title: Re: Subnet range within an enclosing wider range
Post by: Weaver on September 21, 2019, 09:26:17 PM
That’s true, a test would be easy. IPv6 is the same as IPv4 in many respects and I was actually thinking of IPv4.

I was wondering if implementing a guest network as a separate subnet mapped to a distinct VLAN would be a good option. I would be providing IPv4 for guests probably. As for IPv6 I wouldn’t overlap ranges as it’s a bit weird having some prefix longer than a /64 to me and in any case there’s no need because there’s no shortage of IPv6 address space - I have at least a /48, am using a single /64 in it for my main lan and that’s all so I could simply use a different /64 for guests, use 2001:8b0:weaver:0:*/64 for main lan and 2001:8b0:weaver:1:*/64 for guests say, again mapped to a different VLAN.

At the moment there’s no need because guest access is taken care of by L2 ACLs in the ZyXEL WAPs that I am using. The L2 ACL ‘isolation list’ lists the nodes that a guest is allowed to talk to, a list of MAC addresses, and everything else including wired nodes is blocked. Guests can’t access each other. The system works at L2 so guards all L2 traffic and guards all L3 protocols not just IP. A software update added this powerful feature to these WAPs some time after I got them, and it was a big secret, better make sure customers don’t learn about such a good thing; anyway, many ZyXEL users might never have heard about L2 isolation lists, deeply buried in release notes.

If I ever have to say goodbye to these WAPs though I will possibly need a standards-based replacement. I don’t like the VLAN thing anywhere near as much as my current system somehow. Maybe just irrational dislike of the unfamiliar.
Title: Re: Subnet range within an enclosing wider range
Post by: aesmith on September 23, 2019, 11:10:02 AM
VLANs would be the standard way of doing this in a corporate environment, with the APs mapping SSID to VLAN.   By the way did you ever get your Cisco APs with Mobility Express into service?
Title: Re: Subnet range within an enclosing wider range
Post by: johnson on September 23, 2019, 11:39:25 AM
VLANs would be the standard way of doing this in a corporate environment, with the APs mapping SSID to VLAN.

Have finally grappled with VLANs in the past week. Had no strong impetus until the recent acquisition of a Chinese spy phone (Xiaomi), not many guests and none that I wouldn't trust on the network.

Took a few evenings of reading to know posterior from elbow, but they are really neat. With a single managed switch downstream from router any number of isolated networks can be summoned with just clicks in openWRT.

Isolated wifi with guest credentials, an isolated single port for an untrusted device, tagged traffic on a port to my main machine so any of these can be accessed directly or from VMs.

Good fun!
Title: Re: Subnet range within an enclosing wider range
Post by: aesmith on September 23, 2019, 12:04:53 PM
That just reminded me that some time I must test some of the scenarios speculated about earlier.  For example what happens if a tagged frame is received by an access port - does it (a) drop it, (b) accept but only if the tag matches the access port VLAN or (c) accept even if wrong VLAN.  Clearly I would hope not to see (c)!
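As an added example (not code from the thread, and not from any switch vendor), the following Python models the three ingress behaviours (a), (b) and (c) listed above for an access port that receives an 802.1Q-tagged frame. It builds constructed Ethernet frames, parses the optional 802.1Q tag (TPID 0x8100, VID in the low 12 bits of the TCI) and applies one of three hypothetical policies; the frame builder, parser, `Frame` dataclass and policy names are all assumptions for illustration. Which behaviour a real switch exhibits can only be established by testing that switch; the model just makes the expected outcomes explicit, including that VID 0 (a priority-tagged frame) is treated as untagged, as 802.1Q specifies.

```python
"""Model of access-port handling of tagged frames (added example, not from the thread)."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Hypothetical policy names for the three behaviours in the post.
POLICY_DROP_TAGGED = "drop_tagged"           # (a)
POLICY_ACCEPT_IF_MATCHING = "accept_if_matching"  # (b)
POLICY_ACCEPT_ANY = "accept_any"             # (c) - the one to hope not to see


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None = no 802.1Q tag present
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialise a (constructed) Ethernet II frame, optionally with an 802.1Q tag."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the Ethernet header and pull out the VID if an 802.1Q tag is present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("frame too short for an 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, tci & 0x0FFF, inner_type, raw[18:])
    return Frame(dst, src, None, ethertype, raw[14:])


def access_port_ingress(raw: bytes, port_vlan: int, policy: str) -> Optional[int]:
    """Return the VLAN the frame is switched into, or None if the port drops it."""
    frame = parse_frame(raw)
    # Untagged, or priority-tagged (VID 0): classified into the port's access VLAN.
    if frame.vid is None or frame.vid == 0:
        return port_vlan
    if policy == POLICY_DROP_TAGGED:
        return None
    if policy == POLICY_ACCEPT_IF_MATCHING:
        return port_vlan if frame.vid == port_vlan else None
    if policy == POLICY_ACCEPT_ANY:
        return frame.vid  # attacker-chosen tag decides the VLAN: hopping across VLANs
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample frames for a port whose access VLAN is 10.
DST_BCAST = bytes.fromhex("ffffffffffff")
SRC_GUEST = bytes.fromhex("021122334455")  # locally administered, made-up address
PAYLOAD = b"\x00" * 46

TAGGED_VLAN_20 = build_frame(DST_BCAST, SRC_GUEST, 0x0800, PAYLOAD, vid=20)
TAGGED_VLAN_10 = build_frame(DST_BCAST, SRC_GUEST, 0x0800, PAYLOAD, vid=10)
PRIORITY_TAGGED = build_frame(DST_BCAST, SRC_GUEST, 0x0800, PAYLOAD, vid=0, pcp=5)
UNTAGGED = build_frame(DST_BCAST, SRC_GUEST, 0x0800, PAYLOAD)

if __name__ == "__main__":
    for name, raw in [("tagged 20", TAGGED_VLAN_20), ("tagged 10", TAGGED_VLAN_10),
                      ("priority-tagged", PRIORITY_TAGGED), ("untagged", UNTAGGED)]:
        for policy in (POLICY_DROP_TAGGED, POLICY_ACCEPT_IF_MATCHING, POLICY_ACCEPT_ANY):
            print(f"{name:16} {policy:20} -> {access_port_ingress(raw, 10, policy)}")
```

In the model only policy (c) lets a frame tagged 20 land in VLAN 20 through a VLAN 10 access port; (a) and (b) both drop it. To find out which of the three a given switch implements, send the constructed tagged frame into an access port and watch where it is flooded.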
Title: Re: Subnet range within an enclosing wider range
Post by: Weaver on September 23, 2019, 12:24:33 PM
@aesmith I just hit a brick wall with the Cisco WAPs. Didn’t know where to go. Shame because they would have been perfect for me according to the blurb. Might go with Aruba some day.
Title: Re: Subnet range within an enclosing wider range
Post by: burakkucat on September 23, 2019, 02:32:33 PM
@aesmith I just hit a brick wall with the Cisco WAPs. Didn’t know where to go. Shame because they would have been perfect for me according to the blurb.

I'm surprised that we do not have a Cisco wizard as a member of the kitz community.  :(
Title: Re: Subnet range within an enclosing wider range
Post by: j0hn on September 23, 2019, 03:09:34 PM
Quote
Had no strong impetus until the recent acquisition of a chinese spy phone (xiaomi), not many guests and none that I wouldn't trust on the network.

Interesting comment.

My son's Xiaomi Pocophone F1 is probably the best value smartphone I've ever bought.

My security cameras are all Yi Cams (owned by Xiaomi)

My smart bulbs are mainly Yeelight's (owned by Xiaomi).

My Mi Band 4 that I wear 24 hours a day is also owned by Xiaomi.

Fantastic company that make excellent value for money products.
I have as little concern over their security as I do with the plethora of Huawei devices I use personally or that my data goes over.
Title: Re: Subnet range within an enclosing wider range
Post by: dee.jay on September 23, 2019, 03:26:12 PM
I'm surprised that we do not have a Cisco wizard as a member of the kitz community.  :(

I am a CCIE...

To answer the original question: -

Quote
Say I have a subnet IP address range a … b and call the subnet p say and within it somewhere suitable I position a sub-subrange of a small number of IP addresses, call that sub-subnet s.

If I set this up as two <subnet /> definitions appropriately in my router, will this work? I’m hoping it will, because despite the clashing ranges the idea is that the most-specific / longest-prefix wins routing table algorithm will pick sub-subnet s in preference when it matches. Is this correct?

It won't work this way, no - you can't have sub ranges within a subnet overlap - I doubt your router would like that very much.

You would need to either split the "main" subnet down with a larger subnet mask, and use a smaller mask for the subnet you want to add, but you are limited how you do this because of binary math.

If you take a /24 for example, this is 255.255.255.0 in decimal notation.

Using 192.168.0.0 as the network - you get 192.168.0.0 is the "network" address, and 192.168.0.255 is the "broadcast" address, leaving .1 -> .254 for hosts within that subnet.

If you used /25 - this would halve the /24, thus 192.168.0.0 -> 192.168.0.127 is the /25 address range (including the network and broadcast address)

192.168.0.128 upwards, would be free, but you could then subdivide this further, i.e. 2 x /26's would fit where the /25 was, but the boundary addresses must be adhered to, i.e. you can't then decide to put a /26 at 192.168.0.0 and a /25 where the /26 ends - it doesn't work like that...

Title: Re: Subnet range within an enclosing wider range
Post by: aesmith on September 23, 2019, 04:27:26 PM
In theory there's no reason why it shouldn't work if the configuration was accepted, but as dee.jay said many routers will refuse the configuration.  I have seen "in the wild" a router with a directly connected /24 being over-ridden by a dynamically learned /32 from that same subnet.  In Cisco world the longest match takes precedence.
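As an added example (not code from the thread), the following Python makes two things from the replies above concrete: the boundary rule dee.jay describes (a prefix is only valid if its network address sits on its own binary boundary, so a /25 cannot start where a /26 ends), and the longest-prefix-match lookup aesmith describes (a /32 or a /27 inside a connected /24 wins for the addresses it covers). It uses only the standard library `ipaddress` module; the function names are assumptions for illustration, and `2001:db8:1::/48` is a documentation-range placeholder standing in for the poster's real /48. It demonstrates the lookup algorithm only and says nothing about whether any particular router accepts overlapping subnet definitions.

```python
"""Subnet boundaries and longest-prefix match (added example, not from the thread)."""
from __future__ import annotations

import ipaddress
from itertools import islice
from typing import Iterable, Optional

# Placeholder for the poster's /48; 2001:db8::/32 is reserved for documentation.
ASSUMED_V6_ALLOCATION = "2001:db8:1::/48"


def aligned(net_str: str) -> bool:
    """True if the prefix sits on its own boundary, i.e. no host bits are set.

    strict=True makes ipaddress reject 192.168.0.64/25, because a /25 block can
    only start at .0 or .128; this is dee.jay's 'binary math' rule.
    """
    try:
        ipaddress.ip_network(net_str, strict=True)
        return True
    except ValueError:
        return False


def carve(parent: str, new_prefix: int, limit: int = 16) -> list[str]:
    """First `limit` equal-size blocks of `parent` at `new_prefix` (v4 or v6)."""
    subs = ipaddress.ip_network(parent, strict=True).subnets(new_prefix=new_prefix)
    return [str(n) for n in islice(subs, limit)]


def longest_prefix_match(table: Iterable[str], dst: str) -> Optional[str]:
    """Most-specific entry of `table` that contains `dst`, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in table:
        net = ipaddress.ip_network(entry, strict=True)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best.prefixlen:
            best = net
    return str(best) if best is not None else None


# Constructed routing table: a connected /24 plus a more specific /27 and /32 inside it.
ROUTES = ["0.0.0.0/0", "192.168.0.0/24", "192.168.0.32/27", "192.168.0.77/32"]

if __name__ == "__main__":
    for cand in ("192.168.0.0/24", "192.168.0.64/26", "192.168.0.64/25"):
        print(f"{cand:18} aligned: {aligned(cand)}")
    print("halves of /24:", carve("192.168.0.0/24", 25))
    print("/26s in upper /25:", carve("192.168.0.128/25", 26))
    print("first /64s of the /48:", carve(ASSUMED_V6_ALLOCATION, 64, limit=2))
    for dst in ("192.168.0.40", "192.168.0.77", "192.168.0.200", "10.1.1.1"):
        print(f"{dst:14} -> {longest_prefix_match(ROUTES, dst)}")
```

The `carve` call on the /48 also illustrates the point made earlier in the thread that IPv6 gives no reason to overlap ranges: the /48 yields 65536 separate /64s, so a guest network simply takes the next one.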
Title: Re: Subnet range within an enclosing wider range
Post by: johnson on September 23, 2019, 04:32:33 PM
My son's Xiaomi Pocophone F1 is probably the best value smartphone I've ever bought.

Absolutely no disagreement from me. Xiaomi products are sold at cost or less, they are some of the best value devices around.

The process of unlocking the bootloader however requires - mobile data connection not wifi, use of a proprietary unlock program, a 360 hour (15 day) cool down period in which if you don't use the phone for normal tasks more time is added, registration with email and phone number and a sinister string in the unlock program: "Unlock failed, too few or too dark portraits".

Xiaomi started with people making the MIUI custom roms... their production of smart phones is a vehicle to get MIUI into people's pockets.
Title: Re: Subnet range within an enclosing wider range
Post by: aesmith on September 23, 2019, 04:42:48 PM
@aesmith I just hit a brick wall with the Cisco WAPs. Didn’t know where to go. Shame because they would have been perfect for me according to the blurb. Might go with Aruba some day.
That's a pity.  I just remembered because one of the guys at work has recently installed a couple of Cisco 1815 APs with Mobility Express for his home network.
Title: Re: Subnet range within an enclosing wider range
Post by: dee.jay on September 23, 2019, 04:50:46 PM
@aesmith I just hit a brick wall with the Cisco WAPs. Didn’t know where to go. Shame because they would have been perfect for me according to the blurb. Might go with Aruba some day.

Which Cisco WAPs? I've configured them in the past.
Title: Re: Subnet range within an enclosing wider range
Post by: burakkucat on September 23, 2019, 06:51:31 PM
Which Cisco WAPs? I've configured them in the past.

Helping out Weaver with a couple of forum searches . . .

They are Cisco 1830 WAPs.

The two following links will have the full back-story --
Title: Re: Subnet range within an enclosing wider range
Post by: dee.jay on September 23, 2019, 08:58:18 PM
Interesting. I can certainly help with the WAPs and VLANs, though.

You desperately need a console cable (rollover cable) so you can get access to the console of the devices - though typically you'd need a laptop alongside to configure them.

However, I do believe you can configure a Raspberry Pi as a Cisco Console Server, as you have a USB to serial dongle within which you connect the Cisco "rollover" / "console" cable to, SSH to the pi, then access the console from the command line of the pi.

It's called a rollover cable because the pins are "rolled over" between the RJ45 and the serial end, pin 1->8, 2->7, 3->6 and so on. (I think)
Title: Re: Subnet range within an enclosing wider range
Post by: burakkucat on September 23, 2019, 09:37:25 PM
Re. a Cisco console cable. I presume either this (https://www.ebay.co.uk/itm/FTDI-USB-Cisco-Rollover-RS232-to-RJ45-cable-USB-serial-to-RJ45-adapter-cable/112119458859?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2060353.m1438.l2649) or this (https://www.ebay.co.uk/itm/1-x-Cisco-Console-Cable-usb-1-8m-FTDI-RJ45-Cable-Cisco-Routers-CAT-5-New-RS232/222982330666?ssPageName=STRK%3AMEBIDX%3AIT&_trksid=p2060353.m1438.l2649) will be appropriate?  :-\

USB plug into the R-Pi and the 8P8C plug into the Cisco WAP console port. Log into the R-Pi as normal, then invoke "screen -U /dev/ttyUSB0" (possibly with the speed of the console port appended to the "screen" command line).

Edited to add (some hours later), for Weaver's benefit: The "screen" session can be terminated by issuing a <Ctrl-A>K key sequence.
Title: Re: Subnet range within an enclosing wider range
Post by: dee.jay on September 23, 2019, 10:17:41 PM
I think so. I have a rollover cable and separate USB adapter, those appear to combine both of these into a single device. Might get one myself! Assuming they work (no reason why not) then that would be perfect for the Pi to get at the console.

Username and password, once into box are usually cisco/cisco.

Depending on the configuration placed on it by your contact - the device can also be configured to accept telnet or SSH connections.
Title: Re: Subnet range within an enclosing wider range
Post by: Weaver on September 24, 2019, 10:28:52 PM
I got nowhere before because i) I didn’t know what I was doing and ii) didn’t have the correct software installed in the WAPs as far as I can tell, but it’s been a long time. There was some detail about the sorry story in those threads which Burakkucat kindly dug out for me.

That would be my dream WAP hardware because they claim a very high end 802.11ac wave 2 spec and also claim to be deeply in love with Apple iOS too so roaming is supposed to work.
Title: Re: Subnet range within an enclosing wider range
Post by: dee.jay on September 25, 2019, 08:27:27 AM
Would love to help you out with them, this is what I do for a living.
Title: Re: Subnet range within an enclosing wider range
Post by: Weaver on September 25, 2019, 11:55:15 AM
@dee.jay wow fantastic - I’m asking a lot tho. I got two of these WAPs from eBay. Given my physical limitations - I’m semi bed-bound these days - I would need to post them off to a volunteer. And the pain I’m in, plus all the pain drugs, means my concentration is limited too. I bought them advertised on eBay as ‘with mobility express’ software and they had the right part code for that, but as far as I can tell they do not have the correct software load. I’m telling myself they need reflashing and I don’t have anything to reflash them with anyway.

I was wanting something that is faster more up to date and has superb roaming with Apple kit and no less high spec than my current very old top of the range - in their day - ZyXEL NWA 3560-N. I have multiple SSIDs set up and an isolated guest SSID with the ZyXELs. They are used by my wife in her tourist accommodation business so security is a big deal.
Title: Re: Subnet range within an enclosing wider range
Post by: dee.jay on September 25, 2019, 12:25:27 PM
If you want to ship them to me - I can have a crack and see what I can do with them?

If I can get them up and running then we can talk via here about how you would like them configured, then I'll ship them back
Title: Re: Subnet range within an enclosing wider range
Post by: aesmith on September 27, 2019, 08:59:37 AM
One of our guys has a couple of Mobility Express devices at home and didn't seem to have any issues, so I think if the correct image can be obtained and loaded it should be straightforward enough.  One thing I notice is that Cisco seems to have locked down access to the Mobility Express downloads in a way that they haven't in general for other products. 
Title: Re: Subnet range within an enclosing wider range
Post by: Weaver on September 27, 2019, 06:51:43 PM
@dee.jay that’s absolutely amazing. I’ll ask my wife to see if she can dig them out. I’m hoping she hasn’t lost them.
Title: Re: Subnet range within an enclosing wider range
Post by: dee.jay on September 27, 2019, 08:32:46 PM
My pleasure!
Title: Re: Subnet range within an enclosing wider range
Post by: dee.jay on October 02, 2019, 02:03:45 PM
Mobility Express is definitely what you want. If they are "lightweight" APs then they will need to be paired with a WLC (Wireless LAN Controller) which will be expensive. I believe the Mobility Express will mean they are standalone access points, and capable of acting as such.
Title: Re: Subnet range within an enclosing wider range
Post by: gt94sss2 on October 02, 2019, 02:41:48 PM
Absolutely no disagreement from me. Xiaomi products are sold at cost or less, they are the some the best value devices around.

The process of unlocking the bootloader however requires - mobile data connection not wifi, use of a proprietary unlock program, a 360 hour (15 day) cool down period

I also have a Pocophone F1 that I use daily - it is an excellent device. The waiting period to unlock a Poco device is only a couple of days  (unlike other Xiaomi devices) though I have not done so as I'm not really sure of the benefits of doing so (unlike my previous Android devices)