Set subnet mask to allow connections to two different class c networks

  • #1
f95toli
Science Advisor
Gold Member
These days most measurement instruments in my lab are controlled via an ethernet connection.
In my lab the PCs that control the experiments therefore have two network cards: one is used for "normal" internet/intranet access, the other is set to a static IP address (typically 192.168.0.x) and is only used to communicate with the instruments.
All the instruments as well as the "local" network card are then connected to one switch (NOT a router). The instruments should NOT be connected to the internet in any way, so we don't e.g. need a gateway. Effectively this means that we have several small LANs running in the lab, one for each measurement setup (which can have more than one PC).

It used to be that we did not have that many instruments and we would just use 192.168.0.2-254 with a 255.255.255.0 subnet mask. Each instrument in the lab is assigned a unique static IP address when we get it; as long as we are careful about keeping track of these we can also move instruments between setups.

This worked well in the past, but now we have so many instruments that it is getting messy.

My question is if there is any reason why we shouldn't start using a bigger address space (e.g. 192.168.0.1 to 192.168.1.255) by changing the subnet mask (to e.g. 255.255.254.0) on the PC network card?

That is, keep the 255.255.255.0 subnet mask on the instruments and only use a "wider" mask on the PC (there is very rarely a reason why different instruments would need to communicate; everything goes via the PC). This way we could keep different instruments on different subnets while still being able to control all of them from a single network card.

Are there any drawbacks to this solution? I guess I could just try it, but I know from experience that when it comes to networks the fact that "it works" does not mean that you won't run into weird problems later.
 

Answers and Replies

  • #2
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
I'm a little confused as to what you want. Do you want more subnets or do you want bigger subnets?
 
  • #3
f95toli
Science Advisor
Gold Member
A bit of both; we'd like to have more addresses but would also like to have more subnets.
I guess my question is if it is possible/sensible to have several separate subnets (each with 254 possible addresses) connected to the same computer?
That is

Very simplified example:
To have
All DACs on 192.168.0.x
All ADC on 192.168.1.x
etc

where they are all connected to one PC with a 255.255.254.0 subnet mask?


In a normal LAN with regular PCs this would be a bad idea since you normally want all computers to be able to see each other, but instruments typically don't need to communicate among themselves (except with the PC), and keeping them separate would be nice.
 
  • #4
So what IP will your PC use? If your PC uses a 192.168.0.x address with a .254 SM mask and you have an instrument using 192.168.1.x and a 255.255.255.0 subnet then the PC can send data to the instrument but the instrument can't send it back. Why not just use the .254 SM everywhere?

To stop things getting out of the subnet you just don't configure a default gateway on those devices...simples.
 
  • #5
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
I guess my question is if it is possible/sensible to have several separate subnets (each with 254 possible addresses) connected to the same computer?

Possible? Yes.
Sensible? Maybe.

First, computers don't have IP addresses. Interfaces do. So you could have two network cards on the PC, each connected to a different physical network, one for the ADCs and one for the TDCs. No problem there.

But if you have your ADCs and TDCs on the same physical network, giving them different IP subnets isn't going to prevent them from talking to each other. It will just make network configuration more difficult.

Second, while the ADCs and TDCs don't need to talk to each other, do you really need to make them unable to talk to each other?
 
  • #6
f95toli
Science Advisor
Gold Member
Second, while the ADCs and TDCs don't need to talk to each other, do you really need to make them unable to talk to each other?
Perhaps not. Some of our instruments are not very well behaved and sometimes they can flood the network. Some of them are also running old Windows versions which we can't really maintain properly, so keeping everything as separate as possible is quite good from a security point of view.

So what IP will your PC use? If your PC uses a 192.168.0.x address with a .254 SM mask and you have an instrument using 192.168.1.x and a 255.255.255.0 subnet then the PC can send data to the instrument but the instrument can't send it back. Why not just use the .254 SM everywhere?

To stop things getting out of the subnet you just don't configure a default gateway on those devices...simples.
That is a very good point. I had not realised that not configuring the gateway would keep them separated. So setting the same .254 subnet mask for everyone might be more sensible.
 
  • #7
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
so keeping everything as separate as possible is quite good from a security point of view.

Then you should isolate them on their own physical network. Changing IPs won't fix this.
 
  • #8
If you have devices which can flood the network then make sure you are using switches and not plain old hubs. A hub will just replicate anything coming into 1 port to all the other ports. A switch will only send data to the port it's destined for. Naturally by design they are also better for security.
 
  • #9
f95toli
Science Advisor
Gold Member
Then you should isolate them on their own physical network. Changing IPs won't fix this.
They are on their own physical network. Part of the question was if it would be possible to keep some separation between e.g. two sets of instruments where some are running Windows, while still controlling both sets from the same PC. The PC is of course kept up-to-date with anti-virus etc.
It shouldn't matter since nothing should be able to get to the instruments; and we try to avoid using memory sticks if at all possible. But if there is a way to add some isolation without affecting the functionality then this is of course a bonus.
 
  • #10
f95toli
Science Advisor
Gold Member
If you have devices which can flood the network then make sure you are using switches and not plain old hubs. A hub will just replicate anything coming into 1 port to all the other ports. A switch will only send data to the port it's destined for. Naturally by design they are also better for security.
Yes, we often rely on pretty fast data transfer so we use gigabit switches.
One reason I started thinking about subnets was that we just bought some new kit and I had to turn off the IGMP snooping in the switch to get things working, the instruments use multicast for discovery and this was being blocked by the switch.
 
  • #11
Hard to talk of isolation without more knowledge of the existing setup...

I see you mentioned old Windows management boxes. If it's just one management box per instrument then another potential route is to use multiple network cards in those management boxes: one connected directly to each instrument and the other to the main network. That way each instrument can only talk to its management box, and only the management boxes can talk to the rest of the network, which still allows you to collect all the data on your regular PC.

There's always a way, it just depends how much hassle you want to go through.
 
  • #12
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
They are on their own physical network.

I was unclear. One network for ADCs and TDCs? Or two networks, one for ADCs and one for TDCs?
 
  • #13
f95toli
Science Advisor
Gold Member
I was unclear. One network for ADCs and TDCs? Or two networks, one for ADCs and one for TDCs?
In my simplified example one network for each.
In reality there isn't of course a clear distinction where we only use one type of instrument in each network; but it is generally true that we have different setups for different measurement tasks, and the instruments do not really need to interact in any way.

But again, the main idea of using different subnets would be to organise things a bit better when we need to increase the number of possible IP addresses we can use. Some extra security would just be a bonus.
 
  • #14
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
There's no reason you can't use a /16 subnet with 192.168.x.x. That will give you 64,000 addresses. How many addresses do you need? :wink:

It sounds like you want 192.168.1.x to indicate one class of instruments, 192.168.2.x to indicate another, and so on. There is no problem doing this if they are on one great big network. Set the netmask to /16 (255.255.0.0) and it will just work.

Since these are all on the same physical network, making 256 smaller subnets instead of one big one won't do anything to improve security. It will, however, make administering the network much harder.
 
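The reachability argument from #4 (a PC on a wide mask can reach an instrument on a narrow mask, but without a default gateway the instrument treats the PC as off-link and cannot reply) and the address-planning point from #14 (one /16 holds every 192.168.x.x group), worked through with Python's standard ipaddress module. This is an added example, not code from the thread; the PC and instrument addresses and the group-to-third-octet layout are constructed for illustration.

```python
import ipaddress


def on_link(host: str, prefix: int, peer: str) -> bool:
    """True if `host`, configured with /prefix, considers `peer` directly reachable.

    A host with no default gateway (the lab setup in this thread) simply has no
    route for an off-link peer, so its packets to that peer are dropped.
    """
    net = ipaddress.ip_interface(f"{host}/{prefix}").network
    return ipaddress.ip_address(peer) in net


def can_exchange(pc: str, pc_prefix: int, inst: str, inst_prefix: int):
    """Return (pc_can_reach_inst, inst_can_reply) for two hosts on one switch
    with no router and no default gateway configured on either side."""
    return on_link(pc, pc_prefix, inst), on_link(inst, inst_prefix, pc)


def lab_plan(pc: str, prefix: int, groups: dict):
    """Check an address plan of the form 192.168.<octet>.x per instrument group.

    `groups` maps a third octet to a group name (constructed sample input).
    Returns (usable host count, {group name: lies inside the PC's network}).
    Note: all groups still share one broadcast domain on the switch; the mask
    organises addresses, it does not isolate the groups from each other.
    """
    net = ipaddress.ip_interface(f"{pc}/{prefix}").network
    usable = net.num_addresses - 2  # drop network and broadcast addresses
    inside = {name: ipaddress.ip_address(f"192.168.{octet}.1") in net
              for octet, name in groups.items()}
    return usable, inside


if __name__ == "__main__":
    # Mixed masks as proposed in #1: PC /23, instrument /24 -> one-way only.
    print(can_exchange("192.168.0.10", 23, "192.168.1.20", 24))
    # Same /23 mask everywhere as suggested in #4 -> both directions work.
    print(can_exchange("192.168.0.10", 23, "192.168.1.20", 23))
    # Constructed sample layout: DACs on .0.x, ADCs on .1.x, TDCs on .2.x.
    plan = {0: "DAC", 1: "ADC", 2: "TDC"}
    print(lab_plan("192.168.0.10", 23, plan))  # TDC group falls outside a /23
    print(lab_plan("192.168.0.10", 16, plan))  # a /16 covers every group
```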
