Kitz ADSL Broadband Information

Author Topic: Subnet range within an enclosing wider range  (Read 4391 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Subnet range within an enclosing wider range
« on: September 21, 2019, 08:36:28 PM »

Say I have a subnet IP address range a … b and call the subnet p say and within it somewhere suitable I position a sub-subrange of a small number of IP addresses, call that sub-subnet s.

If I set this up as two <subnet /> definitions appropriately in my router, will this work? I’m hoping it will, because despite the clashing ranges the idea is that the most-specific / longest-prefix wins routing table algorithm will pick sub-subnet s in preference when it matches. Is this correct?
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Subnet range within an enclosing wider range
« Reply #1 on: September 21, 2019, 08:59:42 PM »

I suspect you are thinking of IPv6 addresses . . . just checking all the facts. As I really can't "get my head around" IPv6, I'm trying to picture it in terms of IPv4.

Would it be fairly simple for you to set up a test? A few experiments should give results that would lead to a definitive answer.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Subnet range within an enclosing wider range
« Reply #2 on: September 21, 2019, 09:26:17 PM »

That’s true, a test would be easy. IPv6 is the same as IPv4 in many respects and I was actually thinking of IPv4.

I was wondering if implementing a guest network as a separate subnet mapped to a distinct VLAN would be a good option. I would be providing IPv4 for guests probably. As for IPv6 I wouldn’t overlap ranges as it’s a bit weird having some prefix longer than a /64 to me and in any case there’s no need because there’s no shortage of IPv6 address space - I have at least a /48, am using a single /64 in it for my main LAN and that’s all so I could simply use a different /64 for guests, use 2001:8b0:weaver:0:*/64 for main LAN and 2001:8b0:weaver:1:*/64 for guests say, again mapped to a different VLAN.

At the moment there’s no need because guest access is taken care of by L2 ACLs in the ZyXEL WAPs that I am using. The L2 ACL ‘isolation list’ lists the nodes that a guest is allowed to talk to, a list of MAC addresses, and everything else including wired nodes is blocked. Guests can’t access each other. The system works at L2 so guards all L2 traffic and guards all L3 protocols not just IP. A software update added this powerful feature to these WAPs some time after I got them, and it was a big secret, better make sure customers don’t learn about such a good thing; anyway, many ZyXEL users might never have heard about L2 isolation lists, deeply buried in release notes.

If I ever have to say goodbye to these WAPs though I will possibly need a standards-based replacement. I don’t like the VLAN thing anywhere near as much as my current system somehow. Maybe just irrational dislike of the unfamiliar.
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Subnet range within an enclosing wider range
« Reply #3 on: September 23, 2019, 11:10:02 AM »

VLANs would be the standard way of doing this in a corporate environment, with the APs mapping SSID to VLAN.   By the way did you ever get your Cisco APs with Mobility Express into service?
Logged

johnson

  • Reg Member
  • ***
  • Posts: 838
Re: Subnet range within an enclosing wider range
« Reply #4 on: September 23, 2019, 11:39:25 AM »

Quote
VLANs would be the standard way of doing this in a corporate environment, with the APs mapping SSID to VLAN.

Have finally grappled with VLANs in the past week. Had no strong impetus until the recent acquisition of a Chinese spy phone (Xiaomi), not many guests and none that I wouldn't trust on the network.

Took a few evenings of reading to know posterior from elbow, but they are really neat. With a single managed switch downstream from router any number of isolated networks can be summoned with just clicks in OpenWrt.

Isolated wifi with guest credentials, an isolated single port for an untrusted device, tagged traffic on a port to my main machine so any of these can be accessed directly or from VMs.

Good fun!
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Subnet range within an enclosing wider range
« Reply #5 on: September 23, 2019, 12:04:53 PM »

That just reminded me sometime I must test some of the scenarios speculated about earlier.  For example what happens if a tagged frame is received by an access port - does it (a) drop it, (b) accept but only if the tag matches the access port VLAN or (c) accept even if wrong VLAN.  Clearly I would hope not to see (c)!
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Subnet range within an enclosing wider range
« Reply #6 on: September 23, 2019, 12:24:33 PM »

@aesmith I just hit a brick wall with the Cisco WAPs. Didn’t know where to go. Shame because they would have been perfect for me according to the blurb. Might go with Aruba some day.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Subnet range within an enclosing wider range
« Reply #7 on: September 23, 2019, 02:32:33 PM »

Quote
@aesmith I just hit a brick wall with the Cisco WAPs. Didn’t know where to go. Shame because they would have been perfect for me according to the blurb.

I'm surprised that we do not have a Cisco wizard as a member of the kitz community.  :(
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


j0hn

  • Kitizen
  • ****
  • Posts: 4093
Re: Subnet range within an enclosing wider range
« Reply #8 on: September 23, 2019, 03:09:34 PM »

Quote
Had no strong impetus until the recent acquisition of a Chinese spy phone (Xiaomi), not many guests and none that I wouldn't trust on the network.

Interesting comment.

My son's Xiaomi Pocophone F1 is probably the best value smartphone I've ever bought.

My security cameras are all Yi Cams (owned by Xiaomi).

My smart bulbs are mainly Yeelights (owned by Xiaomi).

My Mi Band 4 that I wear 24 hours a day is also owned by Xiaomi.

Fantastic company that make excellent value for money products.
I have as little concern over their security as I do with the plethora of Huawei devices I use personally or that my data goes over.
Logged
Talktalk FTTP 550/75 - Speedtest - BQM

dee.jay

  • ISP Rep
  • Reg Member
  • *
  • Posts: 953
Re: Subnet range within an enclosing wider range
« Reply #9 on: September 23, 2019, 03:26:12 PM »

Quote
I'm surprised that we do not have a Cisco wizard as a member of the kitz community.  :(

I am a CCIE...

To answer the original question: -

Quote
Say I have a subnet IP address range a … b and call the subnet p say and within it somewhere suitable I position a sub-subrange of a small number of IP addresses, call that sub-subnet s.

If I set this up as two <subnet /> definitions appropriately in my router, will this work? I’m hoping it will, because despite the clashing ranges the idea is that the most-specific / longest-prefix wins routing table algorithm will pick sub-subnet s in preference when it matches. Is this correct?

It won't work this way, no - you can't have sub ranges within a subnet overlap - I doubt your router would like that very much.

You would need to either split the "main" subnet down with a larger subnet mask, and use a smaller mask for the subnet you want to add, but you are limited in how you do this because of binary math.

If you take a /24 for example, this is 255.255.255.0 in decimal notation.

Using 192.168.0.0 as the network - you get 192.168.0.0 is the "network" address, and 192.168.0.255 is the "broadcast" address, leaving .1 -> .254 for hosts within that subnet.

If you used /25 - this would halve the /24, thus 192.168.0.0 -> 192.168.0.127 is the /25 address range (including the network and broadcast address).

192.168.0.128 upwards would be free, but you could then subdivide this further, i.e. 2 x /26s would fit where the /25 was, but the boundary addresses must be adhered to, i.e. you can't then decide to put a /26 at 192.168.0.0 and a /25 where the /26 ends - it doesn't work like that...

« Last Edit: September 23, 2019, 03:31:18 PM by dee.jay »
Logged
Starlink and AAISP L2TP combo routed by opnSense on proxmox

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Subnet range within an enclosing wider range
« Reply #10 on: September 23, 2019, 04:27:26 PM »

In theory there's no reason why it shouldn't work if the configuration was accepted, but as dee.jay said many routers will refuse the configuration.  I have seen "in the wild" a router with a directly connected /24 being over-ridden by a dynamically learned /32 from that same subnet.  In Cisco world the longest match takes precedence.
Logged
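The two behaviours discussed in the replies above (longest-prefix selection between an enclosing subnet and a range inside it, and the requirement that a subnet start on a boundary matching its size), as an added example that is not from any poster in this thread. The addresses, the `lan`/`guest` labels and the function names are constructed for illustration; whether a particular router accepts overlapping definitions is not modelled here.

```python
import ipaddress

# Constructed table: a wide subnet "p" and a small sub-subnet "s" inside it.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), "lan"),
    (ipaddress.ip_network("192.168.0.192/28"), "guest"),
]


def longest_prefix_match(routes, dest):
    """Return the (network, label) entry with the longest prefix containing dest."""
    addr = ipaddress.ip_address(dest)
    candidates = [(net, label) for net, label in routes if addr in net]
    if not candidates:
        return None  # no route covers this destination
    return max(candidates, key=lambda entry: entry[0].prefixlen)


def is_aligned(base, prefixlen):
    """True if base is a legal network address for a block of this size."""
    try:
        # strict=True rejects a base address that has host bits set
        ipaddress.ip_network(f"{base}/{prefixlen}", strict=True)
        return True
    except ValueError:
        return False


def carve_out(parent, inner):
    """Non-overlapping layout: blocks left in parent once inner is removed."""
    parent_net = ipaddress.ip_network(parent)
    inner_net = ipaddress.ip_network(inner)
    return sorted(parent_net.address_exclude(inner_net))


if __name__ == "__main__":
    for dest in ("192.168.0.10", "192.168.0.200"):
        net, label = longest_prefix_match(ROUTES, dest)
        print(f"{dest} -> {label} via {net}")
    # A /25 cannot begin where a /26 at .0 ends (.64): it is off-boundary.
    print("192.168.0.64/25 aligned:", is_aligned("192.168.0.64", 25))
    for block in carve_out("192.168.0.0/24", "192.168.0.192/28"):
        print("remaining:", block)
```

For a guest segment, the carved-out layout keeps the trusted and guest ranges disjoint, so filtering rules between them do not depend on route-selection order.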

johnson

  • Reg Member
  • ***
  • Posts: 838
Re: Subnet range within an enclosing wider range
« Reply #11 on: September 23, 2019, 04:32:33 PM »

Quote
My son's Xiaomi Pocophone F1 is probably the best value smartphone I've ever bought.

Absolutely no disagreement from me. Xiaomi products are sold at cost or less, they are some of the best value devices around.

The process of unlocking the bootloader however requires - mobile data connection not wifi, use of a proprietary unlock program, a 360 hour (15 day) cool down period in which if you don't use the phone for normal tasks more time is added, registration with email and phone number and a sinister string in the unlock program: "Unlock failed, too few or too dark portraits".

Xiaomi started with people making the MIUI custom ROMs... their production of smart phones is a vehicle to get MIUI into people's pockets.
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Subnet range within an enclosing wider range
« Reply #12 on: September 23, 2019, 04:42:48 PM »

Quote
@aesmith I just hit a brick wall with the Cisco WAPs. Didn’t know where to go. Shame because they would have been perfect for me according to the blurb. Might go with Aruba some day.

That's a pity.  I just remembered because one of the guys at work has recently installed a couple of Cisco 1815 APs with Mobility Express for his home network.
Logged

dee.jay

  • ISP Rep
  • Reg Member
  • *
  • Posts: 953
Re: Subnet range within an enclosing wider range
« Reply #13 on: September 23, 2019, 04:50:46 PM »

Quote
@aesmith I just hit a brick wall with the Cisco WAPs. Didn’t know where to go. Shame because they would have been perfect for me according to the blurb. Might go with Aruba some day.

Which Cisco WAPs? I've configured them in the past.
Logged
Starlink and AAISP L2TP combo routed by opnSense on proxmox

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Subnet range within an enclosing wider range
« Reply #14 on: September 23, 2019, 06:51:31 PM »

Quote
Which Cisco WAPs? I've configured them in the past.

Helping out Weaver with a couple of forum searches . . .

They are Cisco 1830 WAPs.

The two following links will have the full back-story --
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.
