On 10/4/2009 12:06 AM, Kenneth Burgener wrote:
> Hi fellow PLUGers,
>
> Hopefully a quick basic Network Management question:
>
> I have a private network behind a NAT switch with a 10.0.0.0 network
> address and a 255.255.255.0 subnet mask. I wish to expand the subnet to
> 255.255.0.0. If on the NAT switch I were to just expand out the subnet,
> would it break anything?
>
> My expectation is the current servers would continue to function as is.
> I could then add new servers, with the expectation that they wouldn't be
> able to speak to servers with the old subnet mask, until updated. I
> could then slowly update the old configured servers as needed. All
> servers would then continue to work as expected, and will continue to
> have Internet access.
>
> Would this break anything else? Or is my expectation correct?
in theory this could work. the only place i can see problems would be with any ip broadcasts between the gateway and the old subnet. dhcp and arp will still work since they use ethernet broadcasts, which are independent of the ip networks on top. but if you have much else using broadcast, it might break.

there is a catch in that 10.0.0.255 would be a valid address in the new subnet, but you wouldn't be able to use it until you migrated everything on the old subnet.

you might want to do a tcpdump on the network and see if much traffic is going to the broadcast address, and then try to figure out if traffic to the broadcast breaking will cause application problems.

may i also make a recommendation? don't use a 255.255.0.0 (aka /16) subnet unless you really need close to 65000 hosts in one subnet. CIDR removes the need for classed subnet masks, and having a /16 is really big. we used a /16 for a network at work and it has caused headaches in the past. I would recommend doing something like a /23 (255.255.254.0) or /22 (255.255.252.0). if you need more hosts than that, you should consider splitting your network into multiple subnets and routing traffic between them. i don't know if you will ever have to worry about a security audit, but giant broadcast domains with everything in them have a tendency to scare security guys.

hopefully that provided some useful information.

mike

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
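The mixed-mask situation the thread describes, worked through with Python's `ipaddress` module as an added example (not code from either poster): it checks, for each pair of constructed sample hosts, whether both ends agree they share a subnet, shows that 10.0.0.255 is the broadcast address only from a /24 host's point of view, and compares the usable host counts of the /16, /23 and /22 masks mentioned. The host names and addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample hosts (not from the thread): the gateway and one existing
# server still on the old /24 mask, plus two new servers already on the /16 mask.
HOSTS = {
    "gateway":    ("10.0.0.1",   "255.255.0.0"),
    "old-server": ("10.0.0.10",  "255.255.255.0"),
    "new-a":      ("10.0.5.20",  "255.255.0.0"),
    "new-b":      ("10.0.0.200", "255.255.0.0"),
}

def network_of(ip, mask):
    """Subnet a host believes it is on, derived from its own address and mask."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def on_link(src_ip, src_mask, dst_ip):
    """True if src would ARP for dst directly instead of sending via its gateway."""
    return ipaddress.ip_address(dst_ip) in network_of(src_ip, src_mask)

def can_talk_directly(a, b):
    """Routerless traffic needs BOTH ends to see each other as on-link."""
    (a_ip, a_mask), (b_ip, b_mask) = a, b
    return on_link(a_ip, a_mask, b_ip) and on_link(b_ip, b_mask, a_ip)

def is_broadcast_for(host, addr):
    """Whether addr is the IP broadcast address from this host's point of view."""
    return ipaddress.ip_address(addr) == network_of(*host).broadcast_address

def usable_hosts(mask):
    """Usable host addresses for a mask (network and broadcast addresses excluded)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").num_addresses - 2

def mismatched_pairs(hosts):
    """Sorted name pairs whose masks disagree about sharing a subnet."""
    return sorted(
        (x, y) for x, y in combinations(sorted(hosts), 2)
        if not can_talk_directly(hosts[x], hosts[y])
    )

if __name__ == "__main__":
    for x, y in mismatched_pairs(HOSTS):
        print(f"{x} and {y} disagree about being on the same subnet")
    for name in ("old-server", "new-a"):
        print(f"10.0.0.255 is broadcast for {name}:", is_broadcast_for(HOSTS[name], "10.0.0.255"))
    for m in ("255.255.0.0", "255.255.254.0", "255.255.252.0"):
        print(f"{m}: {usable_hosts(m)} usable hosts")
```

Note that new-b, whose address happens to fall inside the old 10.0.0.0/24, still reaches old-server directly; only new hosts outside that range are cut off until the old servers' masks are updated.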
