IP Address and Network Segment Priority

krohmag
New Contributor

I'm curious as to how a machine falls into a particular network segment.

I'm working with a client whose LAN IP range could potentially conflict with consumer IP ranges, which would result in some policy failures. To get around that, instead of using the LAN IP range for the network segment, we're using the WAN IP, which machines report as their IP address as the JSS lives in AWS.

We ran into an issue though where users on a Guest network were experiencing policy failures as the local distribution point isn't available on the Guest network (nor should it be) and a Cloud Distribution Point can't be used for failover.

Given that policy execution is alphabetical, we tried adding a network segment for the Guest IP range, assigning it the CDP as its default DP, and ensuring that it came before the Network Segment using the WAN IP. It worked, which is great, but it called into question what takes precedence.

Does IP or Reported IP take priority? Is it an alphabetical check against the Network Segments list to see which gets a hit first using both IP and Reported IP or is it something else entirely?


analog_kid
Contributor

I'm definitely curious about this as well since we're increasingly using private IP ranges.

arandall
New Contributor

I'd definitely like some visibility into this too. And depending on what the answer is, likely some slightly finer grain control over it as well.

Josh_Smith
Contributor III

I don't know about the IP v reported IP, but I know when deciding which network segment to use when there are multiple matches for a given IP address the JSS chooses the smaller IP range. Names don't matter in this case like they do for policies/packages/scripts.

Example:
You have 3 Network Segments defined:
1.1.1.1 - 255.255.255.254
10.0.0.0 - 10.200.0.0
10.0.0.0 - 10.0.0.255

If the client's IP is 10.0.0.1 then all 3 segments match, but the JSS chooses the last option because it is the smallest IP range.
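The smallest-matching-range rule described in this reply, written out as an added example (not Jamf code or anything from this thread) so you can audit your own segment list for overlaps. The three segments are the ones from the example above; the single-address WAN segment (203.0.113.10, an assumed documentation address) is added to show that a one-address segment always wins under this rule, which matters for the WAN-IP setup in the original question.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed segments in the "start - end" form used on the Network Segments page.
# First three: Josh_Smith's example. "WAN" is an assumed single-address segment
# standing in for the WAN-IP segment from the original question.
SEGMENTS: Dict[str, str] = {
    "All": "1.1.1.1 - 255.255.255.254",
    "Corp10": "10.0.0.0 - 10.200.0.0",
    "Corp10-small": "10.0.0.0 - 10.0.0.255",
    "WAN": "203.0.113.10 - 203.0.113.10",
}


def parse_segment(spec: str) -> Tuple[int, int]:
    """Turn 'a.b.c.d - e.f.g.h' into an inclusive (start, end) pair of integers."""
    start_s, end_s = (part.strip() for part in spec.split("-"))
    start = int(ipaddress.IPv4Address(start_s))
    end = int(ipaddress.IPv4Address(end_s))
    if end < start:
        raise ValueError(f"segment end precedes start: {spec}")
    return start, end


def matching_segments(ip: str, segments: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return (name, number_of_addresses) for every segment containing ip, smallest first."""
    addr = int(ipaddress.IPv4Address(ip))
    hits = []
    for name, spec in segments.items():
        start, end = parse_segment(spec)
        if start <= addr <= end:
            hits.append((name, end - start + 1))
    # Smallest range wins; name only breaks exact-size ties so the order is deterministic.
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def choose_segment(ip: str, segments: Dict[str, str]) -> Optional[str]:
    """Segment the smallest-range rule would pick for ip, or None when nothing matches."""
    hits = matching_segments(ip, segments)
    return hits[0][0] if hits else None


if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.50.0.1", "203.0.113.10", "0.0.0.1"):
        print(f"{ip:>14} -> {choose_segment(ip, SEGMENTS)}  matches: {matching_segments(ip, SEGMENTS)}")
```

Point it at an export of your real segment list to see every address that falls into more than one segment before relying on a name ordering.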

krohmag
New Contributor

@Josh.Smith

I don't know about the IP v reported IP, but i know when deciding which network segment to use when there are multiple matches for a given IP address the JSS chooses the smaller IP range. Names don't matter in this case like they do for policies/packages/scripts.

This doesn't seem to be in line with my experience though. I have a segment designated using the WAN IP, so the IP range is just one address. I also have a network segment with the IP range of a guest network that uses the same WAN IP. I'm successfully able to get machines using the guest segment's default distribution point (AWS CDP in this case). Every other machine that's on the internal network uses the segment that has the WAN address for the range, which utilizes the local distribution point.

I made the Guest segment come first in the list, but without knowing if IP/Reported IP plays a role, I can't be positive whether it's a name thing or an IP priority thing.