Supernetting

    Question

  • TechNet has a December 2009 change to its documentation relating to Configuration Manager: "Configuration Manager does not support supernets for site boundary configuration. This includes supernets that are defined directly in the Administrator console and supernets that are configured in Active Directory sites. When you define a site boundary as an Active Directory site, make sure that the Active Directory site does not contain supernets."  We are a fairly large shop with 30k clients; many of our sites are supernets and defined as such in AD Sites and Services.  The change in the documentation has us concerned and we are not totally sure what changes we should make to eliminate the possible issues that this might cause.  Someone from the product team, please respond with some clarification on why this was added last month in the TechNet documentation.
    Thursday, January 07, 2010 4:28 PM

Answers

  • I am from the product group, and will respond :-)

    All I can say is that this came up internally this week also, and the response is that it is not supported. That's all I can offer. The documentation incorrectly stated that it was supported, and recently discovered that it is not.
    Wally Mead
    Friday, January 08, 2010 5:14 AM

All replies

  • You are unlikely to get anyone from the Product team in the forum to reply to you. If you are a large company then you have a TAM. Talk to your TAM and get them to provide you with more details.


    http://www.enhansoft.com/
    Thursday, January 07, 2010 4:58 PM
  • We are currently trying every avenue to get clarification to include our TAM.  Thanks for the advice though......
    Thursday, January 07, 2010 5:31 PM
  • I am from the product group, and will respond :-)

    All I can say is that this came up internally this week also, and the response is that it is not supported. That's all I can offer. The documentation incorrectly stated that it was supported, and recently discovered that it is not.
    Wally Mead
    Friday, January 08, 2010 5:14 AM
  • OK, now that it's not supported my group is looking at ways to work around this issue.  I am open to suggestions from Microsoft on possible solutions.
    Monday, January 11, 2010 5:06 PM
  • IP subnets or IP address ranges are the only options obviously.

    Or remove supernets from AD.
    Wally Mead
    Tuesday, January 12, 2010 6:25 AM
  • IP subnets or IP address ranges are the only options obviously.

    Or remove supernets from AD.
    Wally Mead

    I tried posting this as a comment to http://blogs.technet.com/configmgrteam/archive/2009/12/21/known-issue-supernets-in-active-directory-sites-used-as-site-boundaries.aspx but I'm not sure they are accepting comments.  Anyway, here is the question....

    Could an "IP Address Range" site boundary be used in place of a supernet that is defined with AD site boundary?

    e.g. AD Site London:-
    London,172.28.4.0/22 <= a supernet

    London's physical subnets:-
    172.28.4.0/24
    172.28.5.0/24
    172.28.6.0/24
    172.28.7.0/24

    So, could the boundary be defined as an "IP Address Range" site boundary?:-
    172.28.4.1 - 172.28.7.254


    Regards,
    Tom Watson,
    E-Mail: Tom_...@...
    Blog: http://myitforum.com/cs2/blogs/tom_watson
    Tuesday, January 19, 2010 3:49 PM
  • That sounds like a supernet to me, just masked by an IP Address Range type :-) So I don't think that this will get around the issue.
    Wally Mead
    Thursday, January 21, 2010 3:25 AM
  • Thanks for the reply.

    I have a feeling that even if this did work (a big if), that it would only work for ConfigMgr clients.  We are mid migration, so still have SMS 2003 clients at some of our child sites.  I'd be pretty sure that they won't recognise "IP Address Range" boundaries anyway, since it's strictly a new ConfigMgr feature.
    Regards,
    Tom Watson,
    E-Mail: Tom_...@...
    Blog: http://myitforum.com/cs2/blogs/tom_watson
    Thursday, January 21, 2010 7:46 AM
  • Umm, SMS 2003 supports IP Address Ranges as boundaries also :-)
    Wally Mead
    Saturday, January 23, 2010 11:56 PM
  • So you are saying that we cannot use the IP range 10.4.84.1 - 10.4.87.254 in place of 4 separate IP ranges of 10.8.84.1-10.4.84.254, 10.4.85.1-10.4.85.254, 10.4.86.1-10.4.86.254, 10.4.87.1-10.4.87.254? No matter what the client's subnet mask is, the answer stays the same? If we want to use IP ranges and we have multiple contiguous class C subnets that will be assigned to the same site, we must break these down into individual boundaries, 1 per class C subnet?

    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Monday, January 25, 2010 2:50 PM
  • So you are saying that we cannot use the IP range 10.4.84.1 - 10.4.87.254 in place of 4 separate IP ranges of 10.8.84.1-10.4.84.254, 10.4.85.1-10.4.85.254, 10.4.86.1-10.4.86.254, 10.4.87.1-10.4.87.254?
    It would be great if we could get some clarification here.
    Monday, January 25, 2010 3:54 PM
  • It would be great if we could get some clarification here.

    Agreed.


    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Tuesday, January 26, 2010 12:30 AM
  • From what I know, an IP address range that spans multiple physical subnets is the same as a supernet of subnets, is it not? I don't see how it is any different.
    Wally Mead
    Wednesday, January 27, 2010 4:11 PM
  • I am not a networking expert but here's my understanding...

    A class subnets for instance first octet starts 1-126 so if I have a 10.x.x.x address range that is 255.255.0.0

    I can subnet it down to fewer hosts by changing the subnet mask to something like 255.255.255.0 for example.

    In the opposite which is supernetting C class subnets first octets start with 192-223 as the first octet and have a 255.255.255.0. Keeping my examples simple here because simple is about all I understand, I can combine multiple class C subnets into a supernet by going the other way with the subnet mask for instance 255.255.0.0

    So the difference in a subnetted class A or B and a supernetted class C in my examples here all depend upon the first three octets and the subnet mask.

    Now where the confusion comes in from what was added to the docs is... Is it supported to subnet down a class B into multiple subnets but then combine those subnets together in an AD site and use the AD site as a boundary. Here's an example....

    Let's say I have three floors in my building; each floor uses the following IP addresses and subnet masks. Again I am not using real world numbers because that would require a bunch of math that I am not good at ;-)

    Floor 1  10.4.12.1-10.4.12.254  subnet 255.255.255.0
    Floor 2  10.4.13.1-10.4.13.254  subnet 255.255.255.0
    Floor 3  10.4.14.1-10.4.14.254  subnet 255.255.255.0

    Technically that is a subnetted class A not a supernet.

    Now let's say I create the boundary using an IP range of 10.4.12.1-10.4.14.254, which encompasses all of the above IP addresses. Are you saying that this is now unsupported? This addition to the docs essentially causes what many of us have been doing for years to come into question as possibly being unsupported or worse even may mean it won't work. For us to go back to our AD team and ask them to recreate or edit all of the AD sites is a huge undertaking. (I used ranges in my example but the same is true for AD Sites)

    I think it's most common now that classless addresses are used. How does that play into this scenario?

    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Thursday, January 28, 2010 12:52 AM
  • Umm, SMS 2003 supports IP Address Ranges as boundaries also :-)
    Wally Mead
    Yes, as "Roaming Boundaries".  But not "Site Boundaries". :-$

    Unless, there's maybe some way of doing it as a Site Boundary outside of the console.

    Regards,
    Tom Watson,
    E-Mail: Tom_...@...
    Blog: http://myitforum.com/cs2/blogs/tom_watson
    Thursday, January 28, 2010 7:52 AM
  • This seems to better explain things. According to this blog post it's only AD Sites, not ranges, that are not working. Of course I am still not clear on the difference in a supernet and a subnet.

    http://blogs.technet.com/configmgrteam/archive/2009/12/21/known-issue-supernets-in-active-directory-sites-used-as-site-boundaries.aspx




    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Thursday, January 28, 2010 2:36 PM
  • Yes, as "Roaming Boundaries".  But not "Site Boundaries". :-$

    That depends on the client (SMS 2003 legacy or advanced client). Advanced clients are always using roaming boundaries (that's why there's the checkbox "include site boundaries in roaming boundaries" or whatever it was called).

    @John: subnets are basically just class A, B and C networks (/8, /16, /24 or 255.0.0.0, 255.255.0.0, 255.255.255.0). Supernets are special "types" of subnets: they have octets that are neither 0 nor 255, for example 255.255.252.0. See http://en.wikipedia.org/wiki/Supernet, http://en.wikipedia.org/wiki/Classful_addressing and http://en.wikipedia.org/wiki/Classless_addressing.

    @Wally: "an IP address range that spans multiple physical subnets is the same as a supernet of subnets, is it not? I don't see how it is any different."

    That would be dependent on how ConfigMgr is doing the background maths IMHO. A client can calculate its subnet ID (= boundary) based on the combination of its IP address and subnet mask. That can be compared to the boundaries (if subnets are used as boundaries): "Hey MP, I am client xyz and my subnet ID is 192.168.10.0. Am I inside any boundaries"?
    A client might also ask: "Hey MP, my IP address is 192.168.10.123. Is that inside any IP address range?" (so no subnet ID involved here).
    Thursday, January 28, 2010 5:00 PM
  • From what I know, an IP address range that spans multiple physical subnets is the same as a supernet of subnets, is it not? I don't see how it is any different.
    Wally Mead

    no, a supernet has to do with the subnet mask value on the client. a range that spans multiple subnets would not be the same.... that being said, the actual boundaries that get created in AD for an IP Range might not really be a range in the sense that they are From this number TO that number... the console might be taking the "Range" we enter and calculating the subnet value based on that... in which case a range spanning multiple subnets would get turned into a supernet... and if that was the case it would not match the ip address / netmask the client supplies...

    I mentioned long long ago that even though the console has the ability to enter a range, there is NOT a new type of boundary if you go into the systems management container and look at the actual boundary objects....

    Of course this might be different with the SLP. I do know I had many issues until I put the SLP role back on my central.
    Thursday, January 28, 2010 10:32 PM
  • Well if we can't all agree on but one thing can it be that this has caused mass confusion?



    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Thursday, January 28, 2010 11:56 PM
  • I mentioned long long ago that even though the console has the ability to enter a range, there is NOT a new type of boundary if you go into the systems management container and look at the actual boundary objects....

    There are entries in the System Management container that are type "mSSMSRoamingBoundaryRange". They look like SMS-<SiteCode>-<decimalIPstart>-<decimalIPend>. So isn't that a "new type of boundary"? I do not see any subnet involved there or any "magic" done. Am I missing something?
    Friday, January 29, 2010 7:21 AM
  • I think if you open the System Management container in AD Explorer instead of Active Directory Users and Computers you can see more items. It's been awhile since I did that and I don't have one in front of me but I think that's the case.



    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Saturday, January 30, 2010 3:13 PM
  • We do use what the client sends us. The client does AND its IP address and subnet mask to determine the subnet it is on. It then provides that to the site for comparison.
    Wally Mead
    Sunday, January 31, 2010 6:21 AM
  • And that is fine, as that is all our clients use, Roaming Boundaries :-)


    Wally Mead
    Sunday, January 31, 2010 6:22 AM
  • I personally would assume that IP Address ranges should always work, even if they represent a "supernet". It represents a continuous range of IP Addresses so the only math necessary is to check if a given IP Address is greater than or equal to the lowest IP and less than or equal to the highest IP. I've spent some time recently digging through the boundary information ConfigMgr is storing in Active Directory as I needed to be able to interpret those values for any given client to find out the assigned site code (http://myitforum.com/cs2/blogs/maikkoster/archive/2009/12/16/ip-range-boundary-format-stored-in-active-directory-changed-with-sccm-2007-sp2.aspx).

    One of the main issues I had was to interpret the IP Subnet information. For some reason it is storing only a calculated subnet ID without any subnetmask information. That makes any calculation against this more or less guessing. Using a subnet ID like 10.53.16.0 works fine if you assume C-Class networks. But in the more often used classless networks, the same subnet ID would be used for clients with e.g. 10.53.17.50/23, 10.53.18.50/22, 10.53.22.50/21, 10.53.31.50/20 ... .  Same applies the other way round. The same Client has different Subnet IDs depending on what subnet mask he used to calculate.

    So even if the Client would send his IP Address and Subnetmask information it wouldn't be enough, as the ConfigMgr dropped an important information when storing this. It would work the other way round, as the subnetmask wouldn't be necessary on the client side as a stored IP Address and subnetmask information would be sufficient to calculate the IP Range. So everything works well as long as default C-Class networks (or B- and A-Class) are used, but for the rest it will result in wild guessing. That's probably why many experience this "sometimes works, sometimes not".

    Due to this, I would assume this is the way ConfigMgr is handling subnets internally. And that would explain, why it is not able to properly handle supernets stored Active Directory. As Thorsten mentioned already, you typically speak about a supernet if it has a subnetmask unequal to 0 or 255 (or the number of subnetmask bits is unequal 8, 16, 24). From logical point of view, also a B-Class network is some kind of "supernet" as it bundles a bunch of C-Class networks. So it's more kind of a definition. Looking into Active Directory the subnet information is stored in the attribute "siteObjectDL" of the Site itself, using the CIDR Notation (<SubnetID>/<NoOfSubnetMaskBits>). So it's always possible to calculate exactly if a specific IP Address is within this range. But there is one thing which makes this a bit more complex. The same IP Address can be covered by several (different) subnets defined in Active Directory. Active Directory will always use the most exact one. It's e.g. used to "catch" Clients, if a site subnet has been configured properly.

    As I have no clue how ConfigMgr is handling this internally, even if I assume that this has been implemented without Classless networks in mind, the main question is, "Are there any limitations on IP Ranges?". If we can't use supernets as IP Subnets and we also can't use AD Sites if they contain supernets, can we at least use IP Ranges covering these supernets? Or is this also not supported in any way?

    Regards

    Maik

    Sunday, January 31, 2010 9:54 AM
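
An added example, not part of any post in this thread and not ConfigMgr code: a Python model of the comparisons described above (client subnet ID = IP AND mask, an IP range check, and the longest-prefix choice among AD subnets), run on the London addresses quoted earlier. It assumes the supernetted AD site reaches the site as the bare subnet ID 172.28.4.0; the client host addresses and the /16 catch-all subnet are constructed.

```python
import ipaddress

def subnet_id(ip, mask):
    """Client-side step from the thread: IP address AND subnet mask."""
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network.network_address)

def in_subnet_boundary(ip, mask, boundary_ids):
    """Boundary stored as a bare subnet ID (no mask): exact match only."""
    return subnet_id(ip, mask) in boundary_ids

def in_range_boundary(ip, first, last):
    """IP address range boundary: the client's subnet mask plays no part."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)

def ids_for(clients):
    """Set of subnet IDs produced by (ip, prefix_length) clients."""
    return {subnet_id(ip, prefix) for ip, prefix in clients}

def most_specific_ad_subnet(ip, ad_subnets):
    """AD subnets keep the prefix length, so the longest matching prefix wins."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, ad_subnets) if addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None

# Assumption: the AD site subnet 172.28.4.0/22 is reduced to this subnet ID.
LONDON_SUPERNET_IDS = {"172.28.4.0"}
# The IP address range boundary proposed in the thread.
LONDON_RANGE = ("172.28.4.1", "172.28.7.254")
# Constructed clients on the physical /24 subnets of the London site.
LONDON_CLIENTS = [
    ("172.28.4.20", "255.255.255.0"),
    ("172.28.5.20", "255.255.255.0"),
    ("172.28.7.200", "255.255.255.0"),
]
# The classless clients listed in the post above; all yield one subnet ID.
CLASSLESS_CLIENTS = [
    ("10.53.17.50", 23),
    ("10.53.18.50", 22),
    ("10.53.22.50", 21),
    ("10.53.31.50", 20),
]

def london_report():
    """(ip, client subnet ID, subnet-ID match, range match) per client."""
    return [
        (ip, subnet_id(ip, mask),
         in_subnet_boundary(ip, mask, LONDON_SUPERNET_IDS),
         in_range_boundary(ip, *LONDON_RANGE))
        for ip, mask in LONDON_CLIENTS
    ]

if __name__ == "__main__":
    for row in london_report():
        print(row)
    print(ids_for(CLASSLESS_CLIENTS))
    print(most_specific_ad_subnet("172.28.5.20",
                                  ["172.28.0.0/16", "172.28.4.0/22"]))
```

Only the client that happens to sit on the first /24 matches the supernet's subnet ID, while every client falls inside the range, which is consistent with the "sometimes works, sometimes not" reports in the thread.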
  • the main question is, "Are there any limitations on IP Ranges?". If we can't use supernets as IP Subnets and we also can't use AD Sites if they contain supernets, can we at least use IP Ranges covering these supernets? Or is this also not supported in any way?

    According to this, http://blogs.technet.com/configmgrteam/archive/2009/12/21/known-issue-supernets-in-active-directory-sites-used-as-site-boundaries.aspx it's only AD Sites that are affected. Of course AD sites are the preferred method for boundaries and they are the only option that is generally out of the control of the SCCM team.



    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Sunday, January 31, 2010 2:42 PM
  • I see this topic is answered, but I'm still confused about a couple of things here.

    1. In our HQ we have over 100 subnets 10.x.x.x/24.
    2. In AD we added a subnet 10.x.x.x/16 which summarizes all the above and assigned it to the AD Site: HQ
    This is according to a Cisco article I found Supernetting: "To learn how to supernet a network, let's look at another example. Let's say we have four IP subnets on the four LAN interfaces of our router: 1.1.0.0/24, 1.1.1.0/24, 1.1.2.0/24, and 1.1.3.0/24. We want to summarize these networks into a single route. We could summarize these routes with this supernet IP address: 1.1.0.0/22."
    3. We defined the AD Site HQ as boundary for the SCCM Site HQ1

    So this is not supported, OK?

    Now my confusion.

    According to the documentation:
    - Clients are unable to discover and to automatically assign to the correct site -> Never had an issue.
    - Clients fail to download packages because they are not given the expected distribution points -> Never had an issue.

    Correct me if I'm wrong:
    Client PC goes to AD, says here's my IP. What's my AD site? -> HQ
    Give me the MP for AD Site HQ? -> HQ1
    Give me the DP's for HQ1? ...
    So imo this should work and ... it does at our HQ.

    PS: both workarounds provided are 'not practical because of high administrative overheads'.

    Cheers,
    Serge

    Tuesday, March 02, 2010 8:36 PM
  • I have to agree with Serge here. I have also done this and never seen a problem. I guess the idea is "if it works for you then that's great but if it doesn't then move to a supported scenario"

    I also agree that the workarounds create enormous administrative overhead that is often out of control of the SCCM team.





    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Wednesday, March 03, 2010 1:29 AM
  • Correct, using an AD site as a Configuration Manager boundary, when that AD site is supernetting IP subnets, is not supported.

    If you want to use it, you certainly can. However if you encounter an issue, and CSS can't resolve it with the unsupported solution, they may request that you convert to a supported solution in order to further assist. Of course, they'd only tell you to do that if there is suspicion that the unsupported solution is causing the issue.
    Wally Mead
    Wednesday, March 03, 2010 2:09 AM
  • Was it supported in SMS 2003?

    According to this, http://technet.microsoft.com/en-us/library/cc181572.aspx it might be supported.

    from the above link,

    "To take advantage of any subnet grouping technologies in SMS, such as supernetting, you must use Active Directory site names for your site boundaries instead of IP subnets."

    What does this mean? If anyone can clarify, please.

    tx
    peer

    Tuesday, February 14, 2012 7:04 AM
  • It is all about the client subnet mask… What subnet mask do you have and what is the subnet mask of your boundary?

    Why not use IP Ranges, it solves all of the issue with supernets.



    http://www.enhansoft.com/

    Tuesday, February 14, 2012 11:47 AM
  • Hi,

    This with supernetting should give us less administration, and it would not be necessary for the net folks to tell us that they have deployed a new subnet.

    Is AD site supernetting with SCCM 2007 stable? If it works, does it stay working? Or will the client suddenly one day have a problem downloading the content?


    /SaiTech


    • Edited by SaiTech Friday, April 06, 2012 4:28 PM
    Sunday, April 01, 2012 4:47 PM
  • I always recommend that you use IP Range. IMO it is the best option.

    http://www.enhansoft.com/

    Sunday, April 01, 2012 4:56 PM
  • What about e.g. /26 subnets?

    Is it supported to create an IP range boundary that covers all four subnets?

    Wednesday, April 25, 2012 11:46 AM
  • You can have a range that spans anything you want it to. No worries there.


    John Marcum | http://myitforum.com/cs2/blogs/jmarcum/|

    Wednesday, April 25, 2012 11:57 AM
  • Thank you, John! :)
    Wednesday, April 25, 2012 8:22 PM