I think the only thing here is confusion over what a supernet is.

Your example is correct.  You have a subnet that has a mask of 255.255.252.0 
and covers a range from 10.1.1.0 to 10.1.3.255 with the gateway at 10.1.1.0.  
That is a subnet, not a supernet.

An example of a supernet might be that you have two subnets 10.1.1.0/22 and 
10.1.4.0/22 and you think “why not just specify 10.1.1.0/21 in the SCCM 
boundary instead and cover them both?”  That would be where you would run into 
trouble.  You would need to specify both subnets 10.1.1.0/22 AND 10.1.4.0/22 
and not the “supernet” of 10.1.1.0/21.

Or maybe you have 256 subnets 10.1.0.0, 10.1.1.0, 10.1.2.0 … 10.1.255.0 and 
you think “Hey, I’ll just specify the boundary as 10.1.0.0/16 and cover all my 
addresses with one line.”  You can’t do that.  If you did this, the clients in 
10.1.0.0 would work since their subnet is listed in SCCM, and the other 254 
subnets would not since their subnets are not listed.  You could, however, 
specify a single address RANGE of 10.1.0.0-10.1.255.255 and be done.

So, it is easier to maintain a single range rather than define 256 subnets 
(PowerShell not included).  Also, when the computer tries to check its 
boundary, if you have 256 ranges, it needs to look through more data to figure 
out if it is in scope.  If you had a single range defined, it would only look 
at one piece of data.  I think these arguments are less important now with 
easy-to-create boundaries and fast AD clusters.

Another reason that you might avoid subnets as boundaries is that it is not 
always the case that the computer’s IP address is configured correctly.  
Someone might misconfigure the IP information on a client and then the subnet 
might be computed incorrectly, although hopefully that is unlikely if you are 
using DHCP.  The computer’s subnet is computed by the client so if the IP 
information is incorrect, the client might compute its subnet incorrectly.

(I am about 90% confident of this answer – I am not a network engineer)


From: [email protected] [mailto:[email protected]] On 
Behalf Of David Jones
Sent: Thursday, February 26, 2015 7:47 AM
To: [email protected]
Subject: [mssms] Old Subject: Boundary Subnets


I've spent the last few days reading as much as I could find on the old fun 
topic of boundary subnets vs. ranges. I get both arguments. Just reading them 
would lead one to believe that "best practice" on this topic is based on one's 
interpretation of the many articles. Such as, if the subnet is a /24, then 
entering it as a ‘subnet’ is best. If it is a supernet of some kind, then 
entering it as a ‘range’ seems to be better. So I did some testing and now I 
have a question about my findings.
Test is based on this partial comment in one of the articles online...

----For instance, assume the network 10.100.240.0. If a machine with the 
address 10.100.241.15 attempts to connect, is it in the boundary? ---

The answer is YES provided the subnet mask of the computer is 255.255.254.0

If the mask is 255.255.255.0, the client will have the subnet calculated as 
10.200.241.0.



I looked for a supernet on our network and used a /22 boundary where the DHCP 
gave out addresses across 4 'class C' subnets. I looked in DHCP and found a 
computer that was issued an address from each subnet. Then I looked each up in 
the SCCM console and looked at their properties. In all 4 cases the device 
property 'IP Subnets' showed the correct subnet entry that was created in the 
boundary when we used the subnet mask 255.255.252.0.



Example:

Create Boundary as a Subnet:   10.1.1.0, mask 255.255.252.0 results in Subnet 
ID=10.1.0.0

DHCP issues IP's from :  10.1.0.1 to 10.1.3.254

Find computer name for IP's:  10.1.0.100, 10.1.1.100, 10.1.2.100, and 10.1.3.100

Look up all 4 computers in SCCM and find their device property 'IP Subnets' is 
the same on all 4: 10.1.0.0



So... I am making the assumption that the property 'IP Subnets' in the device 
properties is what is used by the client to determine the boundary and is 
compared to the boundary Subnet ID. Am I correct or not?  If that is correct 
then I don't see where putting in a boundary as a supernet is a problem as the 
partial comment I used above would indicate.



Dave
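
Added example, not part of either message and not SCCM code: a Python model of the matching the thread describes, where the client derives its subnet ID from its own IP and mask and a subnet boundary matches only on that ID, while a range boundary compares addresses directly. The function names and the sample clients are constructed for illustration; the addresses are the ones used in the thread.

```python
import ipaddress

def subnet_id(ip, mask):
    """Subnet ID as the client derives it: IP address AND subnet mask."""
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network.network_address)

def matches_subnet_boundary(ip, mask, boundary_ids):
    """Subnet boundary: only the stored subnet ID is compared (assumed model
    from the thread); the mask typed into the boundary plays no further part."""
    return subnet_id(ip, mask) in boundary_ids

def matches_range_boundary(ip, first, last):
    """Range boundary: plain address comparison; the client's mask is irrelevant."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)

def uncovered(clients, boundary_ids):
    """Return the (ip, mask) clients whose computed subnet ID is not listed."""
    return [ip for ip, mask in clients
            if not matches_subnet_boundary(ip, mask, boundary_ids)]

if __name__ == "__main__":
    # Dave's test: boundary entered as 10.1.1.0 / 255.255.252.0 -> ID 10.1.0.0,
    # and DHCP hands every client the same /22 mask, so all four match.
    dave_boundary = {subnet_id("10.1.1.0", "255.255.252.0")}
    dave_clients = [(f"10.1.{n}.100", "255.255.252.0") for n in range(4)]
    print("boundary IDs:", dave_boundary)
    print("/22 clients not covered:", uncovered(dave_clients, dave_boundary))

    # The reply's supernet case: clients really sit on /24 subnets, but the
    # boundary is entered once as 10.1.0.0/16 (constructed sample clients).
    super_boundary = {subnet_id("10.1.0.0", "255.255.0.0")}
    clients_24 = [("10.1.0.50", "255.255.255.0"), ("10.1.5.50", "255.255.255.0")]
    print("/24 clients not covered:", uncovered(clients_24, super_boundary))

    # A range boundary covers the same client regardless of its mask.
    print("range covers 10.1.5.50:",
          matches_range_boundary("10.1.5.50", "10.1.0.0", "10.1.255.255"))
```

A mistyped mask on a client changes the result of `subnet_id` and can drop it out of a subnet boundary, which is the misconfiguration concern raised in the reply; the range check is unaffected by the mask.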




