IP Ranges for Discovery - dmohrCS/DevInstance GitHub Wiki
IP Ranges or IP Networks, in the context of what we need for discovery, are used interchangeably, to an extent. It depends who you are talking to or where in the platform you are. I will refer to them as IP Ranges because that is what they are. They are ranges of IPs that we plan to run discovery against.
I am going to use a very generic scenario to illustrate. Company ABC has one location with a few buildings. They are a relatively small company and have a single, “summary”, IP Range.
Their range is 10.0.0.0/16. That is 65,534 usable IP addresses. Or at least, written out this way it appears there are 65,534 available IPs, but there are not. Let’s look at an online IP calculator to see.
Wow. That is a lot of... stuff. Let’s break down what we care about and ignore the rest:
Our Network IP Range is 10.0.0.0/16 which is 10.0.0.0 – 10.0.255.255 (65,536 IPs). The first and last IP of each range are unusable. They are the Network and Broadcast addresses. The only thing you need to understand about those is you do not want to run discovery against Network and Broadcast addresses and the range looks more like 10.0.0.1 – 10.0.255.254.
In reality, network teams break these larger networks (subnets) down into many smaller, “specific”, networks/ranges/subnets (what they are called depends on who you talk to). We will not go into why they do this here, just what it means for discovery. ABC has actually broken their network out like this:
- 10.0.0.0/24
- 10.0.1.0/24
- 10.0.2.0/24
- 10.0.3.0/24
- 10.0.4.0/25
- 10.0.4.128/25
- 10.0.5.0/26

And the list continues in this type of pattern. Each of these ranges has its own network and broadcast address, as mentioned above.
They assign 10.0.0.0/24 to the basement, 10.0.1.0/24 to the first floor, and 10.0.2.0/24 to the second floor. 10.0.3.0/24 & 10.0.4.0/24 are on the bank side of the house in building B: the entrance building is 10.0.4.0/25 and the back building is 10.0.4.128/25. Finally, 10.0.5.0/26 is an old telephony segment.
Remember that we cannot use the first and last address of each of those ranges, so let’s look at their respective breakouts:

- 10.0.0.0/24 :: 10.0.0.1 – 10.0.0.254 usable addresses (the complete range is 10.0.0.0 – 10.0.0.255)
- 10.0.1.0/24 :: 10.0.1.1 – 10.0.1.254 usable addresses (the complete range is 10.0.1.0 – 10.0.1.255)
- 10.0.2.0/24 :: 10.0.2.1 – 10.0.2.254 usable addresses (the complete range is 10.0.2.0 – 10.0.2.255)
- 10.0.3.0/24 :: 10.0.3.1 – 10.0.3.254 usable addresses (the complete range is 10.0.3.0 – 10.0.3.255)
- 10.0.4.0/25 :: 10.0.4.1 – 10.0.4.126 usable addresses (the complete range is 10.0.4.0 – 10.0.4.127)
- 10.0.4.128/25 :: 10.0.4.129 – 10.0.4.254 usable addresses (the complete range is 10.0.4.128 – 10.0.4.255)
- 10.0.5.0/26 :: 10.0.5.1 – 10.0.5.62 usable addresses (the complete range is 10.0.5.0 – 10.0.5.63)
Hopefully you can see the pattern here. Each range has its own two IP addresses (network and broadcast) that we cannot use.
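The breakout above can be produced mechanically rather than by hand, which is how you avoid the off-by-one mistakes that creep in when ranges are typed into a schedule. The following is an added example, not part of the wiki page or of any discovery product: it uses Python's standard `ipaddress` module on the ABC ranges listed above, drops the network and broadcast address of each range, sanity-checks that the specific ranges sit inside the /16 summary without overlapping, and counts how many subnet network/broadcast addresses a sweep of the whole /16 would end up probing. The names `SUMMARY`, `SUBNETS` and the helper functions are this example's own.

```python
"""Added example (not from the wiki): derive discovery target ranges from CIDR
blocks with Python's standard ipaddress module.

Assumption: the ranges below are the ones the page lists for Company ABC;
the SUMMARY/SUBNETS names and every function here belong to this example.
"""
import ipaddress

SUMMARY = "10.0.0.0/16"          # the single "summary" range
SUBNETS = [                      # the specific ranges the network team uses
    "10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
    "10.0.4.0/25", "10.0.4.128/25", "10.0.5.0/26",
]


def usable_range(cidr):
    """Return (first_usable, last_usable, count) for one CIDR block.

    The network address (first) and broadcast address (last) are dropped,
    matching the rule that discovery must not target them. A /31 or /32
    has no host left under that rule, so it yields count 0.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # strict: reject 10.0.4.1/25
    if net.num_addresses <= 2:
        return None, None, 0
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return str(first), str(last), net.num_addresses - 2


def reserved_addresses(cidrs):
    """Network and broadcast addresses of every listed range (the ones to skip)."""
    out = set()
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        out.add(net.network_address)
        out.add(net.broadcast_address)
    return out


def summary_scan_hits(summary, cidrs):
    """Count the subnet network/broadcast addresses a sweep of the summary
    range would probe. The summary's own network/broadcast are already
    skipped by the scanner; everything else inside it gets touched."""
    first, last, _ = usable_range(summary)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return sum(1 for addr in reserved_addresses(cidrs) if lo <= addr <= hi)


def validate_plan(summary, cidrs):
    """Checks worth running before ranges go into a discovery schedule:
    each CIDR must be well formed, sit inside the summary, and not overlap
    any other. Returns a list of human-readable problems (empty if clean)."""
    problems = []
    parent = ipaddress.ip_network(summary)
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:          # e.g. "10.0.4.1/25 has host bits set"
            problems.append(str(exc))
    for net in nets:
        if not net.subnet_of(parent):
            problems.append(f"{net} is outside {parent}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for cidr in SUBNETS:
        first, last, count = usable_range(cidr)
        print(f"{cidr:14} :: {first} - {last} ({count} usable)")
    print("problems:", validate_plan(SUMMARY, SUBNETS) or "none")
    print("subnet network/broadcast addresses a /16 sweep would probe:",
          summary_scan_hits(SUMMARY, SUBNETS))
```

Run as a script it prints the same breakout as the list above. For the ABC ranges the summary sweep touches 13 of the 14 subnet network/broadcast addresses (only 10.0.0.0, which is also the /16's own network address, is skipped), which is the concrete form of the "why do we care" point that follows.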
Ok, why do we care? Can’t we just scan the /16 and be done? Yes and no. You can scan the summary 10.0.0.0/16 range and be done, but this can cause issues and is not best practice. First, you can now see all of the network and broadcast addresses we would be scanning.
To expand further, looking at our example, 10.0.3.0/24 & 10.0.4.0/24 are in the bank building and are not allowed traffic from the other buildings so we need to stand up their own MID Server. 10.0.5.0/26 is all old equipment and cannot be scanned with SSH because it will knock their devices offline, so we need to create a behavior that only uses SNMP. (We will get into behaviors later) Bottom line, we cannot do any of that if we just scan 10.0.0.0/16 as a whole.