starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Don't allow the creation of IP addresses on already allocated prefixes, from within its parent prefix #6599

New Issue
Closed
opened 2025-12-29 19:42:50 +01:00 by adam · 20 comments
adam commented 2025-12-29 19:42:50 +01:00
Owner
Copy Link

Originally created by @BrunoBlanes on GitHub (Jun 27, 2022).

NetBox version

v3.2.4

Feature type

Change to existing functionality

Proposed functionality

When a prefix is created don't allow the creation of IP addresses for that prefix, from its parent prefix, for example:

Parent prefix: 10.0.0.0/24
Child prefix: 10.0.0.0/30

The IP addresses 10.0.0.0 - 10.0.0.4 should only be allowed to be created from within the child prefix. That way, it avoids the assignment of duplicate IP addresses beforehand.

Use case

We allocate a lot of prefixes as an ISP and eventually need to allocate 32 bit length subnet-mask IP addresses to our clients as well. Since prefixes and IP addresses don't share a common logic from within the prefix page, Netbox will allow (and suggest) to create a /32 IP address from an already assigned prefix.
This causes some headaches as we have to double check every IP assignment so that we don't assign an IP to client A when it is part of the prefix already assigned to client B.

Database changes

I don't think any is applicable.

External dependencies

None.

Originally created by @BrunoBlanes on GitHub (Jun 27, 2022). ### NetBox version v3.2.4 ### Feature type Change to existing functionality ### Proposed functionality When a prefix is created don't allow the creation of IP addresses for that prefix, from its parent prefix, for example: Parent prefix: `10.0.0.0/24` Child prefix: `10.0.0.0/30` The IP addresses `10.0.0.0 - 10.0.0.4` should only be allowed to be created from within the child prefix. That way, it avoids the assignment of duplicate IP addresses beforehand. ### Use case We allocate a lot of prefixes as an ISP and eventually need to allocate 32 bit length subnet-mask IP addresses to our clients as well. Since prefixes and IP addresses don't share a common logic from within the prefix page, Netbox will allow (and suggest) to create a `/32` IP address from an already assigned prefix. This causes some headaches as we have to double check every IP assignment so that we don't assign an IP to client `A` when it is part of the prefix already assigned to client `B`. ### Database changes I don't think any is applicable. ### External dependencies None.
adam added the type: featurepending closure labels 2025-12-29 19:42:50 +01:00
adam closed this issue 2025-12-29 19:42:50 +01:00
adam commented 2025-12-29 19:42:50 +01:00
Author
Owner
Copy Link

@empusas commented on GitHub (Jul 4, 2022):

That won't really work well and put unnecessary restrictions on netbox IP management. One feature of netbox is that it can deal with duplicate IPs to some degree, which is common requirement in a provider network where every customer is using private RFC1918 IP address space and you have to deal with IP overlap and duplicates.
I suggest you mark your parent prefixes as "container", the child prefixes as "active" and tell people only to assign IPs in "active" prefixes.

@empusas commented on GitHub (Jul 4, 2022): That won't really work well and put unnecessary restrictions on netbox IP management. One feature of netbox is that it can deal with duplicate IPs to some degree, which is common requirement in a provider network where every customer is using private RFC1918 IP address space and you have to deal with IP overlap and duplicates. I suggest you mark your parent prefixes as "container", the child prefixes as "active" and tell people only to assign IPs in "active" prefixes.
adam commented 2025-12-29 19:42:50 +01:00
Author
Owner
Copy Link

@BrunoBlanes commented on GitHub (Jul 4, 2022):

I suggest you mark your parent prefixes as "container", the child prefixes as "active" and tell people only to assign IPs in "active" prefixes.

The "tell people" part doesn't seem the ideal solution, also I don't see how this wouldn't work well. It doesn't impose unnecessary restrictions since you'd still be able to do everything you can do now; it would just be moved to safer spaces.

Netbox can really deal with duplicate IP addresses, but not when the address is not specified, which is my point, since I cannot specify where my client is using said IP, so I have to rely on the prefix itself.

@BrunoBlanes commented on GitHub (Jul 4, 2022): > I suggest you mark your parent prefixes as "container", the child prefixes as "active" and tell people only to assign IPs in "active" prefixes. The "tell people" part doesn't seem the ideal solution, also I don't see how this wouldn't work well. It doesn't impose unnecessary restrictions since you'd still be able to do everything you can do now; it would just be moved to safer spaces. Netbox can really deal with duplicate IP addresses, but not when the address is not specified, which is my point, since I cannot specify where my client is using said IP, so I have to rely on the prefix itself.
adam commented 2025-12-29 19:42:51 +01:00
Author
Owner
Copy Link

@empusas commented on GitHub (Jul 4, 2022):

You currently have two choices to identify a prefix by adding the site or the tenant information. That does not work for you?
Not sure how you use netbox, by using the API with your own provisioning/automation it should not be a big problem to add a check if an IP is free or not in the right prefix, before one is assigned.
If users assign them, then I guess a proper work instruction and selectively given the access to do so is the right way.

I have seen tools like Netbrain completely fail in an environment where the customer always used the same private network for the HA clusters build from a build template. So same site, same tenant, always the same IP prefix. That never caused a technical problem, but then they had to spend thousands of hours to change all HW cluster network to unique ones, just to make netbrian work. This is the kind of restrictions I would not like to see in netbox.

@empusas commented on GitHub (Jul 4, 2022): You currently have two choices to identify a prefix by adding the site or the tenant information. That does not work for you? Not sure how you use netbox, by using the API with your own provisioning/automation it should not be a big problem to add a check if an IP is free or not in the right prefix, before one is assigned. If users assign them, then I guess a proper work instruction and selectively given the access to do so is the right way. I have seen tools like Netbrain completely fail in an environment where the customer always used the same private network for the HA clusters build from a build template. So same site, same tenant, always the same IP prefix. That never caused a technical problem, but then they had to spend thousands of hours to change all HW cluster network to unique ones, just to make netbrian work. This is the kind of restrictions I would not like to see in netbox.
adam commented 2025-12-29 19:42:51 +01:00
Author
Owner
Copy Link

@BrunoBlanes commented on GitHub (Jul 4, 2022):

Mate, it doesn't matter how we identify prefixes, identifying them doesn't fix the problem.

If users assign them, then I guess a proper work instruction and selectively given the access to do so is the right way.

Currently we have users assign them and you clearly haven't worked with people. They make mistakes, we're only human. I'm trying to avoid them.

@BrunoBlanes commented on GitHub (Jul 4, 2022): Mate, it doesn't matter how we identify prefixes, identifying them doesn't fix the problem. > If users assign them, then I guess a proper work instruction and selectively given the access to do so is the right way. Currently we have users assign them and you clearly haven't worked with people. They make mistakes, we're only human. I'm trying to avoid them.
adam commented 2025-12-29 19:42:51 +01:00
Author
Owner
Copy Link

@empusas commented on GitHub (Jul 19, 2022):

I had a look at the NB data model. There is no direct relationship between the IP address and the prefix. And that would be necessary to avoid blocking the IP creating if there a duplicate IPs for a good reason(multi tenant, different VRFs etc)

The lookup between prefix and IP addresses is purely done by matching the IP to the prefix with this code:

def get_child_ips(self):
       """
       Return all IPAddresses within this Prefix and VRF. If this Prefix is a container in the global table, return
       child IPAddresses belonging to any VRF.
       """
       if self.vrf is None and self.status == PrefixStatusChoices.STATUS_CONTAINER:
           return IPAddress.objects.filter(address__net_host_contained=str(self.prefix))
       else:
           return IPAddress.objects.filter(address__net_host_contained=str(self.prefix), vrf=self.vrf)

So enforcing that no duplicate IP could be created within a prefix requires either

a) to force all prefixes and IP must be assigned to a VRF(VRF then becomes then the common denominator between IP address and prefix)
b) change the database model to have a relation between IP address and prefix.

@empusas commented on GitHub (Jul 19, 2022): I had a look at the NB data model. There is no direct relationship between the IP address and the prefix. And that would be necessary to avoid blocking the IP creating if there a duplicate IPs for a good reason(multi tenant, different VRFs etc) The lookup between prefix and IP addresses is purely done by matching the IP to the prefix with this code: ``` def get_child_ips(self): """ Return all IPAddresses within this Prefix and VRF. If this Prefix is a container in the global table, return child IPAddresses belonging to any VRF. """ if self.vrf is None and self.status == PrefixStatusChoices.STATUS_CONTAINER: return IPAddress.objects.filter(address__net_host_contained=str(self.prefix)) else: return IPAddress.objects.filter(address__net_host_contained=str(self.prefix), vrf=self.vrf) ``` So enforcing that no duplicate IP could be created within a prefix requires either a) to force all prefixes and IP must be assigned to a VRF(VRF then becomes then the common denominator between IP address and prefix) b) change the database model to have a relation between IP address and prefix.
adam commented 2025-12-29 19:42:51 +01:00
Author
Owner
Copy Link

@BrunoBlanes commented on GitHub (Jul 21, 2022):

a) to force all prefixes and IP must be assigned to a VRF(VRF then becomes then the common denominator between IP address and prefix)

By default aren't they already assigned to the global VRF?

@BrunoBlanes commented on GitHub (Jul 21, 2022): > a) to force all prefixes and IP must be assigned to a VRF(VRF then becomes then the common denominator between IP address and prefix) By default aren't they already assigned to the `global` VRF?
adam commented 2025-12-29 19:42:52 +01:00
Author
Owner
Copy Link

@DorianBourgeoisat commented on GitHub (Aug 14, 2022):

The problem with restricting possible entries is that it might hinder another usecase even though it makes it better for yours.
I would instead suggest making it possible to have user-defined validation rules.
Or at the very least make it a warning like the duplicate IP address warning.

@DorianBourgeoisat commented on GitHub (Aug 14, 2022): The problem with restricting possible entries is that it might hinder another usecase even though it makes it better for yours. I would instead suggest making it possible to have user-defined validation rules. Or at the very least make it a warning like the duplicate IP address warning.
adam commented 2025-12-29 19:42:52 +01:00
Author
Owner
Copy Link

@BrunoBlanes commented on GitHub (Aug 14, 2022):

The problem with restricting possible entries is that it might hinder another usecase even though it makes it better for yours.

Could you give me an example of a use case where this might break?

Or at the very least make it a warning like the duplicate IP address warning.

I am ok with a warning, but I still think it could be fully implemented.

@BrunoBlanes commented on GitHub (Aug 14, 2022): > The problem with restricting possible entries is that it might hinder another usecase even though it makes it better for yours. Could you give me an example of a use case where this might break? > Or at the very least make it a warning like the duplicate IP address warning. I am ok with a warning, but I still think it could be fully implemented.
adam commented 2025-12-29 19:42:52 +01:00
Author
Owner
Copy Link

@DorianBourgeoisat commented on GitHub (Aug 14, 2022):

Could you give me an example of a use case where this might break?

I cannot, but there might be one, thus my stance on prefering flexibility.

@DorianBourgeoisat commented on GitHub (Aug 14, 2022): > Could you give me an example of a use case where this might break? I cannot, but there might be one, thus my stance on prefering flexibility.
adam commented 2025-12-29 19:42:52 +01:00
Author
Owner
Copy Link

@BrunoBlanes commented on GitHub (Aug 15, 2022):

I don't think there is one, because you are not forbidding users from doing what they already do, you are just moving it somewhere else. Sure, it might add additional clicks to get there, but at the benefit of not creating duplicate addresses.

@BrunoBlanes commented on GitHub (Aug 15, 2022): I don't think there is one, because you are not forbidding users from doing what they already do, you are just moving it somewhere else. Sure, it might add additional clicks to get there, but at the benefit of not creating duplicate addresses.
adam commented 2025-12-29 19:42:52 +01:00
Author
Owner
Copy Link

@empusas commented on GitHub (Aug 15, 2022):

One use case I had in a company that I worked for. They have used the same IP range for the connectivity to their customers, but that have been always different server in the backend. The reason was they did not have sufficient public IPs to assign per customer. They did not want to use the VRF feature from Netbox. Instead the used the tenant field to distinguish between them, so they still got a warning about duplicate IPs, but they did not care.
A similar use case would be link local IPs(169.254. 0.0/16) for transfer segments between network devices that are used everywhere between NW devices in the same VRF.
That does not mean that all those use cases are the proper way to do it, but with the lack of registered IPv4 addresses people got "creative".

I would agree that the code for the loopup between IP and prefixes I posted above is not optimal (I would add the tenant also as filter )and I think there is another request open to have as relation between IPs and prefixes, which would be the best solution I guess.

But the root cause I still see for your problem is that you setup Netbox, give everybody R/W access without given them any training on your standards how to use it.
There are many features in Netbox where there is not only one way to do it. So if users don't stick to a defined standard it will lead to problem at some point. At the latest when you start developing an automation that uses Netbox as SoT you expect the data in some form.

Netbox gives you many flexibility on how to use it. For example nobody is forced yet to use the VRF feature.

@empusas commented on GitHub (Aug 15, 2022): One use case I had in a company that I worked for. They have used the same IP range for the connectivity to their customers, but that have been always different server in the backend. The reason was they did not have sufficient public IPs to assign per customer. They did not want to use the VRF feature from Netbox. Instead the used the tenant field to distinguish between them, so they still got a warning about duplicate IPs, but they did not care. A similar use case would be link local IPs(169.254. 0.0/16) for transfer segments between network devices that are used everywhere between NW devices in the same VRF. That does not mean that all those use cases are the proper way to do it, but with the lack of registered IPv4 addresses people got "creative". I would agree that the code for the loopup between IP and prefixes I posted above is not optimal (I would add the tenant also as filter )and I think there is another request open to have as relation between IPs and prefixes, which would be the best solution I guess. But the root cause I still see for your problem is that you setup Netbox, give everybody R/W access without given them any training on your standards how to use it. There are many features in Netbox where there is not only one way to do it. So if users don't stick to a defined standard it will lead to problem at some point. At the latest when you start developing an automation that uses Netbox as SoT you expect the data in some form. Netbox gives you many flexibility on how to use it. For example nobody is forced yet to use the VRF feature.
adam commented 2025-12-29 19:42:53 +01:00
Author
Owner
Copy Link

@BrunoBlanes commented on GitHub (Aug 15, 2022):

Your use case would not be affected at all with this change. I am not trying to make it impossible to add duplicate addresses, I only want the ability to do it to be moved to the appropriate place.

But the root cause I still see for your problem is that you setup Netbox, give everybody R/W access without given them any training on your standards how to use it.

As I've said already, people make mistakes, they have received proper training, and they need permission to assign addresses for them to be able to do their work, but as it happens sometimes you do forget to check both the "IP Address" and "Prefixes" tab.

@BrunoBlanes commented on GitHub (Aug 15, 2022): Your use case would not be affected at all with this change. I am not trying to make it impossible to add duplicate addresses, I only want the ability to do it to be moved to the appropriate place. > But the root cause I still see for your problem is that you setup Netbox, give everybody R/W access without given them any training on your standards how to use it. As I've said already, people make mistakes, they have received proper training, and they need permission to assign addresses for them to be able to do their work, but as it happens sometimes you do forget to check both the "IP Address" and "Prefixes" tab.
adam commented 2025-12-29 19:42:53 +01:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Oct 15, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.

@github-actions[bot] commented on GitHub (Oct 15, 2022): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. **Do not** attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our [contributing guide](https://github.com/netbox-community/netbox/blob/develop/CONTRIBUTING.md).
adam commented 2025-12-29 19:42:53 +01:00
Author
Owner
Copy Link

@elipsion commented on GitHub (Oct 20, 2022):

I suggest you mark your parent prefixes as "container", the child prefixes as "active" and tell people only to assign IPs in "active" prefixes.

If/when #7845 is implemented, this can be enforced via permissions and an access constraint:

[{"address__parent_prefix__status": "ACTIVE"}]
@elipsion commented on GitHub (Oct 20, 2022): > I suggest you mark your parent prefixes as "container", the child prefixes as "active" and tell people only to assign IPs in "active" prefixes. If/when #7845 is implemented, this can be enforced via permissions and an access constraint: ```json [{"address__parent_prefix__status": "ACTIVE"}] ```
adam commented 2025-12-29 19:42:54 +01:00
Author
Owner
Copy Link

@BrunoBlanes commented on GitHub (Oct 20, 2022):

It still wouldn't solve it though. We currently set all of our public /24 IPv4 prefixes to be containers given that that's the minimum mask you can advertise on the internet, it seemed suitable. However, from those we assign /32 IPs for enterprise clients, /30 prefixes for point-to-point connection with client providers, /27 prefixes for CGNAT, and so on.

The Container type is really more of an organizational characteristic than anything else. We couldn't use that to enforce a restriction on usage.

@BrunoBlanes commented on GitHub (Oct 20, 2022): It still wouldn't solve it though. We currently set all of our public /24 IPv4 prefixes to be containers given that that's the minimum mask you can advertise on the internet, it seemed suitable. However, from those we assign /32 IPs for enterprise clients, /30 prefixes for point-to-point connection with client providers, /27 prefixes for CGNAT, and so on. The `Container` type is really more of an organizational characteristic than anything else. We couldn't use that to enforce a restriction on usage.
adam commented 2025-12-29 19:42:54 +01:00
Author
Owner
Copy Link

@kkthxbye-code commented on GitHub (Oct 20, 2022):

@BrunoBlanes - You can prevent creation during form validation using custom validators, not sure if that is a usable workaround for you specific usecase.

@kkthxbye-code commented on GitHub (Oct 20, 2022): @BrunoBlanes - You can prevent creation during form validation using custom validators, not sure if that is a usable workaround for you specific usecase.
adam commented 2025-12-29 19:42:54 +01:00
Author
Owner
Copy Link

@BrunoBlanes commented on GitHub (Oct 20, 2022):

I haven't used this feature, could you link me to some documentation?

@BrunoBlanes commented on GitHub (Oct 20, 2022): I haven't used this feature, could you link me to some documentation?
adam commented 2025-12-29 19:42:55 +01:00
Author
Owner
Copy Link

@kkthxbye-code commented on GitHub (Oct 20, 2022):

https://docs.netbox.dev/en/stable/customization/custom-validation/

Under Custom Validation Logic you can see a small example. You would have to write a manual check in python. if I understand your issue correctly, you would have to check that the netmask matches the closest parent prefix.

@kkthxbye-code commented on GitHub (Oct 20, 2022): https://docs.netbox.dev/en/stable/customization/custom-validation/ Under `Custom Validation Logic` you can see a small example. You would have to write a manual check in python. if I understand your issue correctly, you would have to check that the netmask matches the closest parent prefix.
adam commented 2025-12-29 19:42:55 +01:00
Author
Owner
Copy Link

@BrunoBlanes commented on GitHub (Oct 21, 2022):

It sure is a workaround that I'll implement on our instance, however doing it this way means if the user makes a mistake, he will have to go back to square one and find the right prefix for the task. Doing it natively we could avoid rework by just not showing this as a free IP addresses in the front-end.

@BrunoBlanes commented on GitHub (Oct 21, 2022): It sure is a workaround that I'll implement on our instance, however doing it this way means if the user makes a mistake, he will have to go back to square one and find the right prefix for the task. Doing it natively we could avoid rework by just not showing this as a free IP addresses in the front-end.
adam commented 2025-12-29 19:42:55 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Dec 9, 2022):

The prescribed behavior, as far as I can tell, seems rather esoteric and would likely break competing use cases. As this FR has not found any substantial support in the community and a (potentially) viable alternative solution has been proposed, I'm going to close this for inactivity.

@jeremystretch commented on GitHub (Dec 9, 2022): The prescribed behavior, as far as I can tell, seems rather esoteric and would likely break competing use cases. As this FR has not found any substantial support in the community and a (potentially) viable alternative solution has been proposed, I'm going to close this for inactivity.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label pending closure type: feature
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#6599
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?