
Applying TCP/IP CIDR

 

Recently I received the following question from someone trying to work out a subnetting exercise for a class.

QUESTION

My project needs 6 subnets but each department has a different number of hosts. I have to reserve extra hosts for future growth.


Here is a picture of the topology:

I'm stuck at this part… So what are the IPs, subnet mask, & network address?

ANSWER

The easy answer that most people go with is to turn a class A network starting in the 10.x.x.x (a.k.a. /8) range into class C (a.k.a. /24) subnets with 254 hosts per network. For example, a /24 such as this would do the trick:


But looking at your network it appears to me someone wants you to understand how Classless Inter-Domain Routing (CIDR, a.k.a. supernetting) works, where you combine 2 subnets into one. Using a 6 step approach to subnetting, let's first get the easy part out of the way.

 

1) How Many Sub-Networks Do You Need?

6 (as shown in the image)

 

2) How Many Bits Did You Have To Use?

Doubling up as you count bit places (2, 4, 8), you need to use 3 bits. You need 6 subnets but 3 bits actually give you 8.


3) What Is Your Subnet Mask?

You have 2 extra subnets, which will come into play later. Adding up the place values of the 3 borrowed bits, 128+64+32=224. Your mask is 224 for all the subnets below.


4) What Is Your Block-Size?

The block size is always the lowest place value in the mask, in this case 32. It also happens to be the total number of addresses per subnet, and the number of usable hosts per subnet is that number minus 2. So each of the above subnets gets 30 hosts; this is how you know you have enough possible hosts to accommodate the exercise.


All of the below will accommodate 30 hosts except the last 2 subnets.


5) What Are Your Subnets?

Because you need to combine 4 subnets into 2 larger subnets, for the sake of conversation let's first lay out what the subnets are and then we will figure out which can be merged into 1 subnet.

Your first subnet is 0; add your block size to get the next one, and keep adding your block size to each answer until you have reached the mask value itself.


Before moving on to step 6 we need to do some CIDR; unfortunately you have to look at subnets in binary to be able to determine which can be retracted and merged most easily. This is the stickiest part of subnetting. You're going to take 4 of your 224 subnets with 30 hosts each and pull them back into two 192 subnets with 62 hosts each. In order to retract two subnets into a larger block of hosts you need to make sure the 2 merging subnets are identical in binary under the larger mask, differing only in the bit you hand back to the host side. It's the only way to keep the hosts in one subnet.

Here is how it would look in binary; you could do this with other subnets as well, but for the sake of this I picked the first 2 and the last 2.


Here is your graphic back with the scenario applied.


6) What Are The Number Of Hosts And IP Ranges For Each Subnet?

You can't use the subnet addresses themselves (0, 32, 64, 96, 128, etc.) and you can't use the broadcast, the last address in each range (31, 63, 95, 127, etc.), so your ranges would look like:

  • Your first subnet is the 0 and 32 subnets merged into a 62-host range using a 192 mask; your host range is 1-62
  • The next 32 start at the 64 subnet and are 65-94
  • The next 32 start at the 96 subnet and are 97-126
  • The next 32 start at the 128 subnet and are 129-158
  • The next 32 start at the 160 subnet and are 161-190
  • The last subnet is the 192 and 224 subnets, two 32-address blocks merged into a 62-host range using a 192 mask; your host range is 193-254

The two 192-mask (/26) subnets can be applied to:
  • Manufacturing dept: 40 hosts, future 52 total
  • Marketing dept: 30 hosts, future 36 total
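To make the six steps above concrete, here is an added example in Python; it is not part of the original answer or the exercise. It assumes the exercise's network is 10.0.0.0/24 (the post only says it is a 10.x.x.x address) and uses the standard-library ipaddress module. The can_merge() check is the binary test from the CIDR discussion: two /27 blocks collapse into one /26 only when they share the same network bits under the 192 mask, which is why 0 and 32 merge but 32 and 64 do not. It also goes slightly beyond the post by picking the mask from the required host count, which is how Manufacturing (52) and Marketing (36) land in the merged /26 subnets.

```python
import ipaddress

# Added example, not the post's own method in code. ASSUMPTION: the exercise's
# network is 10.0.0.0/24, so all of the subnetting happens in the last octet.
BASE_NETWORK = "10.0.0.0/24"


def subnet_bits_needed(subnets_required):
    """Step 2: borrow the fewest bits whose 2**bits covers the count (6 -> 3 bits, 8 subnets)."""
    bits = 0
    while 2 ** bits < subnets_required:
        bits += 1
    return bits


def last_octet_mask(bits):
    """Step 3: add up the place values of the borrowed bits (128 + 64 + 32 = 224)."""
    return sum(128 >> i for i in range(bits))


def block_size(mask_octet):
    """Step 4: the block size is the lowest place value set in the mask octet (224 -> 32)."""
    return 256 - mask_octet


def usable_hosts(network):
    """Addresses minus the network and broadcast addresses: the 2**n - 2 rule."""
    return ipaddress.ip_network(network).num_addresses - 2


def prefix_for_hosts(hosts_required):
    """Smallest subnet (longest prefix) that still leaves enough usable hosts."""
    prefix = 30
    while 2 ** (32 - prefix) - 2 < hosts_required:
        prefix -= 1
    return prefix


def subnet_table(base, prefix):
    """Steps 5 and 6: every subnet with its first host, last host and broadcast."""
    rows = []
    for net in ipaddress.ip_network(base).subnets(new_prefix=prefix):
        hosts = list(net.hosts())
        rows.append((str(net.network_address), str(hosts[0]),
                     str(hosts[-1]), str(net.broadcast_address)))
    return rows


def can_merge(a, b):
    """The binary check: two equal-size blocks collapse into one larger subnet only when
    they share every network bit under the larger mask, i.e. they have the same supernet.
    0/27 and 32/27 merge into 0/26; 32/27 and 64/27 do not, their 64 bit differs."""
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    return na != nb and na.prefixlen == nb.prefixlen and na.supernet() == nb.supernet()


def merge(a, b):
    """The merged supernet, or None if the two blocks are not a legal CIDR merge."""
    return str(ipaddress.ip_network(a).supernet()) if can_merge(a, b) else None


if __name__ == "__main__":
    bits = subnet_bits_needed(6)
    mask = last_octet_mask(bits)
    print(f"bits={bits} mask=255.255.255.{mask} block={block_size(mask)}")
    for row in subnet_table(BASE_NETWORK, 24 + bits):
        print("  net %-10s hosts %s - %s  bcast %s" % row)
    # Manufacturing (52 with growth) and Marketing (36) each need a /26, the rest a /27:
    for dept, need in (("Manufacturing", 52), ("Marketing", 36), ("Others", 30)):
        print(f"{dept}: needs {need} hosts -> /{prefix_for_hosts(need)}")
    print("0/27 + 32/27   ->", merge("10.0.0.0/27", "10.0.0.32/27"))
    print("32/27 + 64/27  ->", merge("10.0.0.32/27", "10.0.0.64/27"))
    print("192/27 + 224/27 ->", merge("10.0.0.192/27", "10.0.0.224/27"))
```

Run it as a script to print the full /27 table and the three merge attempts; the middle one returns None, which is the binary rule from the post showing up as a refused merge.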

Some wonder why you can't use the first or last IP address in each subnet. With the exception of the 1st octet you technically can on the network side of the IP address; the 2^n - 2 rule applies to the host side, where routers use the all-zeros address (0) and the broadcast (255) in their routing tables. I think the easiest way to think of it in the physical world is to look at the 0 and broadcast (255) IPs each as one side of a cubicle wall separating the host computers inside each subdivided/subnetted area. Each wall of course has two sides, and the same is true with TCP/IP walls, except each wall of a subdivided/subnetted area is a wall of zeros (such as .0000) or a wall of ones (such as .1111) and the computer hosts fit in between.

Hope that helps

YouTube Videos – Beyond The Textbook

If you stopped by here from my YouTube channel first I must apologize, I'm sorry for not doing more videos, work has kept me pretty busy. I am however planning on doing more videos and writing more here on IT related topics. If there is a topic you would like me to cover and I have the skill in me bag-O-tricks I'll do my best to cover it. I plan to cover a number of topics going forward which go beyond the textbooks for people new to the field of information technology. I don't teach as a profession anymore but I did for 6 years part (and full) time so I still often think of what it was like for me when I was trying to get a grasp on being a system administrator. There are a number of expensive toys you simply can’t play with unless you land a job letting you into the server room. Unfortunately many things in the server room never get taught and too often your peers assume you know or should know these things out of the box.

My background started in networking, representing 3Com in the mid-90's, then on to the .com's as a system engineer in a mostly Microsoft environment, and I have since moved into systems security with a growing focus on Linux. My goal is to cover a number of topics with real world examples to help bridge the gap you won't and really can't fill from a classroom or a book. My approach will be to cover areas in a way that will make it easier for anyone who has little IT experience. A few of the topics off the top of my head I plan to cover in pieces (as time permits) are:

  • Learn how to shell script, use the command line in a Windows domain setting and make your code really work for you. This will help you be worth more in the field.
  • Designing an n-tier DMZ zone architecture that will pass the DoD DISA STIGs. In other words, how to plan a network security model from the perimeter to the server.
  • How to pass a compliance audit, SAS70, ISO, SOX, or even a government audit. These can be daunting and downright scary if you have never been through one. The knowledge is invaluable to have on your resume.
    • What to cover in a disaster recovery plan
    • Change control documentation
    • Enterprise Vulnerability Management (EVM)
    • IT and physical controls
    • IT best practices auditors look for.
  • Storage Area Network – The basics on setting up an EMC SAN, RAID groups, Storage Groups, LUNs, Meta-LUNs, physical setup, configurations etc.
  • Cryptography in the network – SSL, SSH, Whole Disk Encryption, PGP Universal Server and more…

If you have any topics you would like to see covered please drop me a line.

Find them pesky scheduled tasks

Even in a well run network it's easy to let things slip through the cracks; scheduled tasks in Windows are one of those things that can get out of hand. You set them and forget them until one day you change the password on a service account that then keeps getting locked out, to your frustration, and you discover the culprit was a long lost automated job that did something important a computer-eon ago.

If you have a good tool such as Hyena by System Tools you can run a report using Exporter Pro, but if you are on a beer budget or are a contractor going site to site then a good script is your weapon of choice. The Windows command line tool SCHTASKS is a powerful means of task automation on a number of levels. Having a view of all the tasks running inside an Active Directory (AD) domain is valuable to any admin and a must-know for any system security expert. With a little extra coding effort you can generate a clean report encompassing all Windows systems; the script below turns the tables on this unexciting kind of work and is another great way of buying time by workin' them tasks.

Workin' Them Tasks

All you need to make this script run is to define the root of the search by modifying the LDAP variable at the top of the script so it searches your domain. This script uses built-in Windows commands, so no extra utilities are needed. In a nutshell, computer names are pulled from AD using DSQUERY, then the list is cleaned up by removing disabled computer accounts. You can further refine the list by adding the computer names you want excluded from the report to a file called _Exclude.dat (one name per line). To save time the script further refines the list to run against by pinging each computer first; those that respond are checked and a report is spit out in CSV format so you can open it easily in a spreadsheet.
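As an added example, not the post's script, here is the reporting half of this idea in Python: parse the CSV that `schtasks /query /s <host> /fo csv /v` produces, apply an _Exclude.dat list, and answer the question from the opening paragraph, which tasks run as a given service account. The CSV and exclusion-file contents are constructed for the example; the real verbose output has many more columns, and only the HostName, TaskName, Run As User and Task To Run column names are relied on.

```python
import csv
import io

# Added example, not the post's batch script. CONSTRUCTED sample in the shape of
# `schtasks /query /s <host> /fo csv /v` output, trimmed to a few columns. Some Windows
# versions repeat the header line before every task, which parse_schtasks_csv() tolerates.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Run As User","Task To Run"
"SRV01","\Nightly Backup","10/12/2012 2:00:00 AM","Ready","YOURDOMAIN\svc_backup","C:\scripts\backup.cmd"
"SRV02","\Temp Cleanup","10/12/2012 3:00:00 AM","Ready","NT AUTHORITY\SYSTEM","C:\scripts\cleanup.cmd"
"HostName","TaskName","Next Run Time","Status","Run As User","Task To Run"
"SRV03","\Old Report Job","Never","Disabled","yourdomain\svc_backup","C:\legacy\report.exe"
'''

# CONSTRUCTED _Exclude.dat content: one computer name per line, as the post describes.
SAMPLE_EXCLUDE_DAT = "SRV02\r\n\r\nsrv09\r\n"


def load_exclusions(text):
    """Computer names to leave out of the report, one per line, compared case-insensitively."""
    return {line.strip().upper() for line in text.splitlines() if line.strip()}


def filter_hosts(hosts, excluded):
    """Drop excluded names while keeping the order DSQUERY returned them in."""
    return [h for h in hosts if h.strip().upper() not in excluded]


def parse_schtasks_csv(text):
    """Rows of the CSV as dicts keyed by header name; repeated header lines are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("HostName") == "HostName":
            continue
        rows.append(row)
    return rows


def tasks_run_as(rows, account):
    """(host, task) pairs whose 'Run As User' is the given account, with or without the
    DOMAIN\\ prefix. This is the lookup to do before changing a service account password."""
    wanted = account.upper()
    hits = []
    for row in rows:
        run_as = (row.get("Run As User") or "").upper()
        if run_as == wanted or run_as.split("\\")[-1] == wanted:
            hits.append((row["HostName"], row["TaskName"]))
    return hits


def report_csv(rows, columns=("HostName", "TaskName", "Run As User", "Task To Run")):
    """The spreadsheet-friendly CSV the post's script spits out, limited to useful columns."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow([row.get(c, "") for c in columns])
    return out.getvalue()


if __name__ == "__main__":
    hosts = filter_hosts(["SRV01", "SRV02", "SRV03"], load_exclusions(SAMPLE_EXCLUDE_DAT))
    print("Hosts to query:", hosts)
    rows = parse_schtasks_csv(SAMPLE_SCHTASKS_CSV)
    print(report_csv(rows))
    print("Tasks running as svc_backup:", tasks_run_as(rows, "svc_backup"))
```

In practice you would feed parse_schtasks_csv() the captured output of schtasks for each host that answered a ping, concatenate the rows, and write report_csv() to a file; the repeated-header check is what keeps the concatenation from producing bogus rows.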

Recommendations

To start using the script, modify the _srcroot variable at the top of the script as shown below:

REM Set variables for the root of your LDAP search
REM **********************************************
set _srcroot=DC=yourdomain,DC=com

Possible Errors

It's best to run the script manually at least the first few times because you may run into computers that deny you access; sometimes schtasks bombs out on the target system and generates an error, and you may also hit a machine disjoined from the domain, which prompts you for credentials so the script will not continue until something is entered. Worry not, the script will finish regardless, and as annoying as this may seem you are getting good information. No centrally controlled computer should deny you access, with the exception of outdated Windows OS's; such issues are telling you which computers are not acting properly or may have had their security settings modified.

Possible SCHTASKS errors (screenshot; server names are blurred)

Make others do your job

The goal of every administrator is to become lazy. Through elf'n magic and a batch file you can get others to do your job, as they should. Administrators and ISSOs need to coordinate with HR and department heads to go regularly through the bone yard of disabled and active user accounts in Active Directory to ensure enabled and disabled employee user accounts are accurate. So, having grown tired of doing this mundane task manually too many times, I created a script that does it. With a hint of self amusement and some butcherious hack, haaack code you can make a batch file send an email from the Windows command line via an adjunct SMTP-enabled IIS web server.

Laying down on the job

There are only two files:

_Exclude.dat
One name per line, enter the names you don't want showing up in your report, such as service accounts, administrative accounts, template accounts, etc.

ADuserList.cmd
Modify the variables to suit your needs and then schedule a task pointing to this file as often as you need; once a week works for me ;).

No special utilities are needed; the workhorse is DSQUERY, a few FOR statements, and a healthy dose of ECHO piped into a file. As always I do me best to set variables at the top of the file so you need not worry about the code below. They are as follows:

set _emailto=To@yourdomain.com
set _emailfr=From@yourdomain.com
set _Subject=Your Company User Account Report for %date%
set _dropdir=c:\Inetpub\mailroot\Pickup
(or a UNC path \\WebServer\c$\Inetpub\mailroot\Pickup)
set _srcroot=OU=Your Employees,DC=YourDomain,DC=COM
set _emailHD=Help_Desk@yourdomain.com

Variables Explained

_emailto – email address of the person or distribution group the email is being sent to
_emailfr – who the email is coming from; this email address does not need to exist on the mail server as long as the mail server accepts email from the same domain. For example, if your domain was @yourdomain.com it can come from and also be sent to @yourdomain.com and the mail server won't reject it.
_Subject – something inspiring to get those responsible to read your email
_dropdir – the drop directory on an SMTP-enabled IIS web server; the default is usually C:\Inetpub\mailroot\Pickup, but you can schedule a task to run this batch file on another server and use a UNC path such as \\WebServer\c$\Inetpub\mailroot\Pickup. So you have no permission issues it's easiest to run the task using an account with Domain Admin permissions.
_srcroot – LUV'ly LDAP; you can narrow the scope of accounts returned by placing all user accounts in a root OU, that way you don't have service accounts or built-in accounts show up and confuse department heads with scary technical things.
_emailHD – your help desk's email address, mentioned in the body of the email.
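An added example, not the ADuserList.cmd from the post, that does the same job in Python: turn a list of accounts into the report email and drop it into the IIS SMTP Pickup directory as a file, which is the delivery trick the post relies on. The dsget output and _Exclude.dat contents are constructed; the shape assumed for `dsget user <DN> -samid -disabled` output (a header line, one row per account, a trailing "dsget succeeded" line) is my assumption, and the variable names mirror the post's.

```python
import os
import tempfile
import uuid
from email.message import EmailMessage
from email.utils import formatdate

# Added example, not the post's batch file. The addresses mirror the post's variables.
EMAIL_TO = "To@yourdomain.com"
EMAIL_FROM = "From@yourdomain.com"
EMAIL_HD = "Help_Desk@yourdomain.com"

# CONSTRUCTED sample in the shape assumed for `dsget user <DN> -samid -disabled`.
SAMPLE_DSGET_OUTPUT = """  samid        disabled
  jdoe         no
  asmith       yes
  svc_backup   no
dsget succeeded
"""

# CONSTRUCTED _Exclude.dat: accounts that should not appear in the report, one per line.
SAMPLE_EXCLUDE_DAT = "svc_backup\r\nAdministrator\r\n"


def parse_dsget(text):
    """(samid, is_disabled) pairs; the header line and the status line are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].lower() in ("samid", "dsget"):
            continue
        accounts.append((parts[0], parts[1].lower() == "yes"))
    return accounts


def apply_exclusions(accounts, exclude_text):
    """Drop service, admin and template accounts listed in _Exclude.dat (case-insensitive)."""
    excluded = {n.strip().lower() for n in exclude_text.splitlines() if n.strip()}
    return [(name, disabled) for name, disabled in accounts if name.lower() not in excluded]


def build_report(accounts, subject, to=EMAIL_TO, sender=EMAIL_FROM, helpdesk=EMAIL_HD):
    """An RFC 5322 message with To/From/Subject/Date headers and a body that lists
    enabled and disabled accounts and asks for corrections to go to the help desk."""
    enabled = sorted(name for name, disabled in accounts if not disabled)
    disabled = sorted(name for name, disabled in accounts if disabled)
    body = ["Please review the user accounts below for your department.", "",
            f"ENABLED ({len(enabled)}):", *enabled, "",
            f"DISABLED ({len(disabled)}):", *disabled, "",
            f"Report anyone who has left, or who is missing, to {helpdesk}."]
    msg = EmailMessage()
    msg["To"] = to
    msg["From"] = sender
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg.set_content("\n".join(body))
    return msg


def write_to_pickup(msg, dropdir):
    """Drop the message as a uniquely named .eml file; the IIS SMTP service sends
    whatever lands in its Pickup directory. CRLF line endings as SMTP expects."""
    path = os.path.join(dropdir, f"{uuid.uuid4().hex}.eml")
    with open(path, "w", newline="\r\n") as fh:
        fh.write(msg.as_string())
    return path


if __name__ == "__main__":
    accounts = apply_exclusions(parse_dsget(SAMPLE_DSGET_OUTPUT), SAMPLE_EXCLUDE_DAT)
    report = build_report(accounts, "Your Company User Account Report")
    # A temporary directory stands in for the real _dropdir (C:\Inetpub\mailroot\Pickup).
    print("dropped:", write_to_pickup(report, tempfile.mkdtemp()))
    print(report.as_string())
```

Point write_to_pickup() at the real Pickup directory (or the UNC path from the post) and the rest of the plumbing is the same as the batch version: the account running the task needs write access to that directory and read access to the OU being queried.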

Down and dirty shutdown script

Not the preferred method for shutting down Windows servers, but if you have a power outage, too many servers and too little battery life on your UPS, this is better than having them shut down hard. This script, which I have dubbed Shut-em-down, uses PSshutdown; yes, Windows' built-in shutdown command would do the trick as well, but it's what I picked.

The code is short and to the point.

@echo off
color 0c
echo THIS WILL SHUT DOWN ALL SERVERS LISTED IN SERVERS.TXT!
echo IF THIS IS NOT WHAT YOU INTEND TO DO CLOSE THIS WINDOW OUT NOW!
echo.
echo OTHERWISE...

pause
cls
echo FIRE!
REM servers.txt holds one server name per line
REM psshutdown: -f forces running applications to close, -k powers off, -t 1 waits one second
FOR /F "tokens=*" %%a in (servers.txt) do psshutdown -f -k -t 1 %%a

Tired of not knowing who is currently logged onto what computer in your network?

So was I, and at the time our IT budget wasn't there for loftier tools such as a nice KACE KBOX. At times like this your best friend is ye-old command line utilities, but these tools often only give a current view of what is on the network. The only way to put command line tools on steroids is to write a useful batch file. Who's On does exactly that: a ready-to-use batch file which generates automated static HTML and CSV reports making use of two very nice free command line utilities. One is taken from the PSTools arsenal, "PSloggedon", created by Sysinternals' Mark Russinovich and Bryce Cogswell (now acquired by Microsoft), and the other is Microsoft's Robocopy, created to compete with XXCopy.

Who's On screenshot

PSTools is available here:
http://www.sysinternals.com
or here

http://technet.microsoft.com/en-us/sysinternals/default.aspx

Robocopy was included natively beginning in Windows Vista and Server 2008. If you are running earlier versions of Windows then you can acquire it by installing the Windows Server 2003 Resource Kit Tools, which can be procured here: http://www.microsoft.com/downloads/details.aspx….