
Networking checklist: Five of the most overlooked configuration items

No matter how much documentation is available, even the sharpest IT pros will forget something from time to time. IT pro Rick Vanover shares the things that he finds himself running into issues with frequently.

I don’t know about you, but I find myself forgetting the same things over and over, a case of déjà vu and amnesia at the same time: “I think I forgot this before!” When it comes to networking configuration, small configuration errors happen most frequently. Here is a checklist of my most encountered networking configuration errors and what I am doing to reduce the chances of them happening again.

  1. Subnets other than 24-bit: How many subnets do you have that are something other than a 24-bit netmask (255.255.255.0)? I don’t work with many subnets other than the standard class C network, but every time I do, I have to double-check myself to make sure the correct subnet mask is applied. I keep looking for reasons to use subnets other than the venerable 24-bit mask, but in most internal IP address spaces built on non-routable IP addresses the case for doing so is weak.
  2. DNS suffix lists: Having a complicated list of DNS suffixes and missing one or more of the entries can make name resolution a little less than pleasant. The good news is that we can fix this via Windows Group Policy to set a primary suffix and suffix search-order for each computer account.
  3. Default gateway other than .1: Each time a static IP address is configured on a network that has a default gateway other than .1, I get a little confused and have to double-check the configuration. For subnets smaller than 255 hosts (a class C subnet), the chances are higher that the range of the last octet will not permit a .1 default gateway. The fix can be to standardize on class C subnets for internal networks, even if there are wasted IP addresses at the end of the range.
  4. DNS IP addresses: If I had it my way, every DNS server at every site would have the same IP address structure as every other site. That way, I would only have to determine the first two or three positions of the IP address and the DNS servers would be easy to determine. Anything that I can do to standardize, I am game for. For example, if every network has a .1 default gateway, .2 can be the DNS server for that network. That, I can remember.
  5. WINS in all of its glory: I can ping the server by fully qualified domain name, but can’t reach it by just the NetBIOS name. A number of things can be wrong, including WINS configuration. Frequently, a properly configured set of DNS suffixes and search orders can address this. But one way to avoid the issue is to implement the GlobalNames zone with Windows Server 2008’s DNS engine.
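As an added example for checklist items 1 and 3 (not code from the article), the following Python check takes a host's static address, mask and gateway, derives the network and usable range, and flags a gateway that is outside the subnet or sits on the network or broadcast address. The sample values are constructed, and the /31 and /32 handling follows the point-to-point and loopback cases raised in the comments.

```python
import ipaddress


def usable_range(net: ipaddress.IPv4Network):
    """First and last host addresses; /31 (point-to-point) and /32 (loopback)
    have no separate network/broadcast addresses, so every address is usable."""
    if net.prefixlen >= 31:
        return net.network_address, net.broadcast_address
    return net.network_address + 1, net.broadcast_address - 1


def check_static_config(address: str, mask: str, gateway: str) -> dict:
    """Double-check a static IPv4 configuration and list what is wrong with it.
    `mask` may be dotted ("255.255.248.0") or a prefix length ("21")."""
    iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    net, host = iface.network, iface.ip
    gw = ipaddress.IPv4Address(gateway)
    first, last = usable_range(net)
    problems = []
    reserved = (net.network_address, net.broadcast_address)
    if net.prefixlen <= 30 and host in reserved:
        problems.append(f"host {host} is the network or broadcast address of {net}")
    if gw not in net:
        # The item-3 trap: assuming .1 when the subnet does not even contain it.
        problems.append(f"gateway {gw} is not inside {net}")
    elif net.prefixlen <= 30 and gw in reserved:
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    if gw == host:
        problems.append("gateway equals the host address")
    return {
        "network": str(net),
        "mask": str(net.netmask),
        "first_usable": str(first),
        "last_usable": str(last),
        "gateway_is_dot1": int(gw) & 0xFF == 1,  # the habit the article describes
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed cases: a plain /24, a /25 where ".1" is the wrong half,
    # a /21 with the gateway at the last usable address, and a /30 link.
    for args in [("10.1.2.34", "255.255.255.0", "10.1.2.1"),
                 ("10.1.2.200", "255.255.255.128", "10.1.2.1"),
                 ("10.8.3.20", "21", "10.8.7.254"),
                 ("192.0.2.1", "30", "192.0.2.2")]:
        print(args, "->", check_static_config(*args))
```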

These are the little things in networking that get me more frequently than I’d like. What little things get in the way for your networking administration? More importantly, what tips do you have to keep them from making a repeat appearance on your irritation list?

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

32 comments
ccie5000

/24 subnets and class C networks have 256 addresses, of which 254 (not 255) are usable for hosts. A /24 is not the same as a Class C. The great majority of /24s in use are subnets of class A and B space. And most /24s in RFC 1918 space are subnets of the Class A 10.0.0.0/8 or Class B 172.16.0.0/12 space. IMO, it is poor IPv4 address management to standardize on /24 subnets everywhere. /24s are a useful size for user and server VLANs, and a reasonable choice as a maximum size for broadcast domains, but a "/24s everywhere" rule is not good practice. There are lots of good reasons to use subnets other than /24s, assuming you're running a modern routing protocol which accommodates variable-length subnet masking (VLSM) such as OSPF, IS-IS or EIGRP. For example, point-to-point links should be /30s (or /31s), and loopback interfaces should be /32s. One good (not "best") practice is to use the first usable IP address in every subnet (often, but not always .1) as the default gateway. In a redundant network this will usually be the VRRP address or HSRP standby group address. A typical implementation on a /24 would have .1 as an HSRP address, .2 as the address of the first router, and .3 as the address of the second router. But it really doesn't matter what standard you use in your network, as long as you pick a standard and apply it consistently. Rather than DNS servers at every site having the same IP address structure of every other site, why not use Anycast DNS? Assuming the information contained in the DNS servers is identical, give every DNS server the same IP address. If the closest (as defined by your routing protocol) DNS server goes down, DNS requests will route to the next-closest "up" DNS server. (You need to enable some form of dynamic routing of the Anycast addresses to make this work, of course. And you'll also want a distinct service IP address on each DNS server, so you'll be able to manage a specific server, rather than whichever server is closest.) 
Proprietary solutions such as Windows Group Policy, WINS, NetBIOS, NBT and globalnames zones are point solutions at best. What are you going to do with the rest of the network? Standards-compliant solutions (e.g. DNS) apply across vendor boundaries, and provide simpler architecture, higher reliability, and lower TCO. Thank you, Jerry J. Anderson, CCIE #5000

DNSB

We have several sites where we use the equivalent of 8 Class C subnets (/21 or 255.255.248.0) -- these sites require more than the 254 addresses in a /24 subnet to handle the number of workstations, printers, etc. The remainder of the sites get a /24 subnet. The gateway lives at the last address in the address block -- just as easy as the .1 address to remember. OTOH, the firewall external link gets a /30 subnet -- its address, the router and nothing else allowed in there. DNS servers at each site? We have 3 internal DNS servers and 1 in the DMZ. Not sure why we would want a DNS server at each site unless a very slow link is involved. WINS? Barf. 'Nuff said.

RTHJr

Especially in virtual and lab environments, it is smart to name network adapters for just what the purpose of the network connection is. Something descriptive like "External" or "Internet" or "VMNet8" vs. "Internal" or "Local Network". This saves some confusion and provides ready reference at first brush, especially if you or another technician have to come back and troubleshoot a server. I also run into trouble with these multi-homed computers as I find Network Location Awareness can be flaky and develops a DNS affinity problem where DNS resolution is going up the wrong network adapter, such as the Internet external connection, when I want it to look at the internal adapter's DNS.

delphi9_1971

...than the number of hosts. If you just toss out /24s without much regard, you're going to lose the ability to effectively aggregate routes to control routing updates. Plus you may start to run out of address space if you implement a lot of VLANs. You do use VLANs, don't you? 254 /24 networks sounds like a lot, but when you start segregating your servers, voice traffic, different departments, printers, video conferencing and other traffic types, and when you have multiple office locations, you can quickly run out of address space. While a 5-host network was an extreme example, it may make sense to subnet a class C down to /25 or /26 for smaller offices with VoIP, a couple of servers and other needs for multiple VLANs. Besides, hopefully your business/employer is growing; you're going to need address space for that too!

mafergus

The biggest problem I have seen is when none or very little of this is documented! I don't care what the structure is if there is a need for it and it is documented.

ray

1) Depends on how many separate LANs a company will need to be divided into. If you need 1000 of them, then you might want to think about less than /24. 3) You get confused if your default gateway is not .1? I guess you are easily confused. 4) An ISP, is likely to have hundreds of /24 IP ranges. Now I need hundreds of nameservers or have to waste hundreds of IP addresses so I don't confuse you?

jrchristman

I've always found the "register this connection's address in DNS" option to be a pain. It fills up the DNS server logs with machines trying to register over and over.

prezbedard

Who uses WINS anymore? I stopped WINS after moving from NT/2000 to server 2003.

misterdufus

If you make your networks all 192.168.1 or 192.168.16 or 192.168.0 networks, or something all similar to the outside internet, client VPN connections to those well-known networks won't work, because you can't connect from a network on the outside with the same network numbering.

TheSwabbie

To back up your configurations! :)

TheProfessorDan

I teach at a technical training school, and lists like these are good for professionals that are just starting out in the IT field.

lhehe

Though not known to most people, Windows XP SP3 introduced an additional security layer that can create network slowdowns. We started noticing connectivity problems with multiple shared servers in our 800+ client network. As we got more clients updated to SP3, the more problems we encountered. The 802.1x authentication feature is turned on by default, and caused so much traffic, it was interfering with normal operations. As we turned off 802.1x in each department, our connectivity problems subsided.

NB04

I have to say I have to disagree with your stance when it comes to subnetting. It may take some more planning, and certainly extra effort to properly implement, but selecting the proper subnet strategy certainly pays dividends. Defaulting to /24 in most cases is at the least a waste of valuable IP estate and at worst represents a potential security risk to corporate networks. Yes, you will have to think more carefully as to what the host IP addresses are - isn't that what we are paid to do?

DNSB

...is a debatable point. There are implementations of the TCP/IP stack that allow using the .0 address -- quite a few Unixes, for example. Common practice is to not use the first and last addresses in a block, but one bonehead implementation I ran into blocked some users who had addresses in a B-sized block ending in .255 or .0 from being able to connect to any external websites. "You mean 172.10.120.255 isn't a broadcast address?" was pretty much the response.

jswiger

Or in the case when you are an entity of another corp. and they give you a block of addressing to work with. There is nothing more frustrating than when your predecessor carves up only /24s out of a /21 and you run out of addresses in the server or VoIP VLAN. It's easier to do this on the front end and plan properly. Always provide more hosts than you'll need for a 10-year growth pattern; /22 and /23 can be your best friend, and also break the /24s into /25s or smaller for areas that you know will stay small. Then nothing is wasted. It is not that confusing if you take the time to learn how to subnet correctly. If you don't, bring in an expert who does; you will be thankful in the long run. Just my 1.5 cents.....

RTHJr

I don't know about Exchange 2010, but 2007 still had a NetBIOS dependency. Unless you want to rely on NetBIOS broadcast chatter, you want WINS to cut down traffic. I also reasoned that on a regular 2008 domain I could do away with WINS; but I found that using Group Policy to disable NetBIOS over TCP/IP (a.k.a., NTP) came at a loss of VPN NetBIOS resolution and broke Remote Desktop. Remote Desktop from XP machines kept getting an error of "The RPC Server cannot be found." So Microsoft still had a number of dependencies on NetBIOS going on that prompted me to keep WINS for a while longer. It keeps getting better with each new build of server/workstation release from Microsoft, but a complex environment may still require WINS as the best case rather than leaving NetBIOS chatter on your network, just for network performance's sake.

dave

Straight DNS

elrico-fantastica

So.. 1-to-1 NAT entries on your tunnel routes remove the problem of overlapping subnets.. or NAT-T as the chap above said.. ... using x.x.x.1 for all gateways, I had to chuckle a bit ;)

prezbedard

I agree. I have several networks using /16; one was converted, as it initially was set up with a public IP range! That was before my time.

robert

I am not a subnetting whiz kid and I don't have to do it very often, so I made myself a spreadsheet for class C subnetting. Quick and easy to refer to. Throwing out /24 in 10.x.x.x certainly is fast and easy but not very thoughtful...

jdavis

I have to say that is a very simplistic view of the IP landscape. It is not a one-size-fits-all world. I work in a large enterprise and mostly with globally unique addresses. Simplifies acquisitions and mergers. In fact, my company was one of those acquisitions, and at the time I used the 10.x/16 addresses internally. I remember when I went to that scheme I had a huge broadcast problem. Turns out it was an HP utility that some users had installed. It scanned the entire subnet looking for printers each time it started - and that meant an ARP for each of those 65K+ addresses. Some of my networks are larger than /24. I suppose I could put pockets of users into smaller /24 networks and route between them, but why? This means multiple DHCP scopes, trying to figure out who goes into what /24 subnet, etc. A headache I don't need. And the statement about the DNS server being the same address within each subnet is a little confusing to me too. Since when does each subnet have a locally hosted name server? The whole premise of this article seems to be a product of working with small businesses or home networks.

b4real

If we have a virtually endless pool of addresses, I would prefer consistency.

b4real

I had Exchange 2007 without WINS just fine. We had DNS configured well, and I think that helped us.

kevaburg

If you are referring to a LAN in its own right then fine: assign a /24 mask if you have fewer than 254 hosts. It's a waste and certainly amateur practice, but as long as it works.... But is this something you really want to do on a point-to-point link where only 2 addresses are required and a /30 mask is more appropriate? Not only that, but it makes administering WAN / routed links easier to maintain. The whole point of having a means to subnet within IPv4 is to conserve address space and make management easier and more logical. If you want to assign a /24 mask to a network with only 5 hosts then fine, but expect people to wonder if you really know what you are talking about.

RTHJr

Ahhh,...but you still have NetBIOS traffic encapsulated as NTP. How did you cut down on NetBIOS broadcast traffic then to cut down chatter?

gechurch

Security through obscurity is not a reason to make things unpredictable and harder for every one of your IT staff. Security is obviously important, and I believe in defense-in-depth, but extending that to choosing obscure subnet masks doesn't make sense. You are making things more difficult for everyone, not just would-be hackers. And any hacker worth their salt wouldn't be stopped by this. So why is it you are making things harder again?

kevaburg

I see your point but at which point does "accounting for growth" become lazy design practice? Bearing in mind that LANs can be routed environments as well, sensible addressing schemes such as those that have been mentioned so far, make a network much easier to maintain and locate resources for.....and hack. All it takes is the right person with a packet sniffer to see that a default subnet mask is in place with only a handful of hosts, unsecured switch ports (on the internal network), unnecessarily large DHCP scopes and so on; and you see a security hole as obvious as the nose on your face. I see both sides of the argument but prefer my solution in honesty. It is more complex to install and maintain for certain, but if we know our own network and still find it complex, how does that bode for anyone trying to get in from the outside?

Gilbertr14

Keeping things the same across all domains

Gilbertr14

I work the same, then further subdivide: so switches and routing are 10.1.1.1, the servers .2, then printers .3, etc. This way tech support can also overlap.

efehling57

Implemented the "Perfect 10" network when I was managing the IT Dept for a global pharma company. Very organized and simple.

garnerl

You can certainly use 10.1.2.0/29 on your 5-host network if you like, with room to grow by one. What happens when you need another? Add yet another /29 VLAN? Or, since you only need one more you could even add a /31 (in theory, never tried it). I also think that the article was referring to LAN addressing, so although I agree with your approach to P-P links, it isn't relevant here. Private addresses aren't a scarce resource. My own design, which I've subsequently found at a few global companies that I've worked for, is simple: Each location gets a /16: LA is 10.1.x.x, Boston is 10.2.x.x, etc. Router loopbacks and such reside in the 10.x.0 subnet at each office. After that it's a simple matter to dedicate VLANs for servers, printers, workstations, DMZ's, etc. In the end, you can tell where a device is located and what it is by looking at its IP address. Not only that, but it makes route summarization simple.
