How to change CIDR for SSPI

Article ID: 424873

Updated On:

Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

SSPI uses the 10.10.0.0/16 range as its internal pod subnet for cluster communication by design. This is private RFC 1918 address space, but in some environments it overlaps the customer's existing internal network, and the pod route on the appliance then captures traffic that should have left through eth0, causing routing or connectivity failures toward the overlapping range.

In such cases the SSPI internal CIDR can be changed. Treat this as the last option: first explore alternatives such as deploying SSPI in a different subnet or adjusting upstream routing so that the overlap does not arise. The change tears down and rebuilds the internal Kubernetes cluster on the appliance and requires a reboot.


Environment

The customer environment already uses the 10.10.0.0/16 network and cannot allocate an alternate subnet for SSPI, resulting in an unavoidable IP overlap.

Cause

This behavior is by design.
SSPI is configured with 10.10.0.0/16 as its pod subnet (podSubnet) for internal communication.

  • Example of the default routing from the lab:
root@sspi:~# ip route
default via 10.91.1.x dev eth0 proto static     <== SSPI assigned 
10.10.0.0/24 dev antrea-gw0 scope link src 10.10.0.1    <== internal network
10.91.1.0/24 dev eth0 proto kernel scope link src 10.91.1.x   <== SSPI assigned 

The antrea-gw0 route shows only the /24 that this node has been allocated out of the 10.10.0.0/16 pod subnet; the cluster reserves the whole /16, which is why the remedy changes the pod subnet rather than a single route.

Resolution

Important Notes

  • This procedure modifies the SSPI internal networking configuration. The script runs kubeadm reset, removes the existing Kubernetes and CNI configuration, rewrites the pod subnet, and reboots the appliance, so SSPI is unavailable until the reboot completes.

  • A snapshot of the SSPI VM is strongly recommended before proceeding; it is the only way back if the rebuild fails.

  • Decide on the new range before you start. It must not overlap the SSPI management network on eth0, the customer network that caused the change, or any other network SSPI must reach. Keep the same prefix length as the default (/16) unless there is a reason not to.

  • The script must be executed as the root user.


Procedure

  • Take a snapshot of the SSPI VM before making any changes.

  • Copy the attached sspi-cidr-change.sh script to the SSPI VM as the sysadmin user (for example with scp).

  • Log in to the SSPI VM through the vCenter Web Console as sysadmin.

  • Switch to the root user, then change to the directory where the script was copied (the example output below runs it from root's home directory):

sudo -i

  • Set execute permissions on the script:

chmod 755 ./sspi-cidr-change.sh

  • Run the script and provide the new CIDR range when prompted. Enter a range that does not overlap the eth0 management subnet, the customer network, or any other network SSPI must reach:

./sspi-cidr-change.sh

    Example input:

Enter new pod CIDR (example: 172.17.0.0/16): 172.17.0.0/16

Example Script Execution Output

Example from the lab:

root@sspi:~# ./sspi-cidr-change.sh
Confirmed: running with root privileges.
========================================
Stopping required services...
========================================

========================================
Running kubeadm reset
Confirm with 'y' when prompted
========================================
[preflight] Running pre-flight checks
W0110 01:15:41.846947    4320 removeetcdmember.go:106] [reset] No kubeadm config, using etcd pod spec to get data directory
[reset] Stopping the kubelet service
[reset] Unmounting mounted directories in "/var/lib/kubelet"
[reset] Deleting contents of directories: [/etc/kubernetes/manifests /var/lib/containers/kubelet /etc/kubernetes/pki]
[reset] Deleting files: [/etc/kubernetes/admin.conf /etc/kubernetes/super-admin.conf /etc/kubernetes/kubelet.conf /etc/kubernetes/bootstrap-kubelet.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf]

The reset process does not perform cleanup of CNI plugin configuration,
network filtering rules and kubeconfig files.

For information on how to perform this cleanup manually, please see:
    https://k8s.io/docs/reference/setup-tools/kubeadm/kubeadm-reset/


========================================
Cleaning up CNI and kube files...
========================================

========================================
Creating backup of node-setup script...
Backup file: /opt/vmware/vsx-operator/bin/node-setup-firstboot.sh.bak
========================================

========================================
Pod CIDR update
Current CIDR: 10.10.0.0/16
========================================
Enter new pod CIDR (example: 172.17.0.0/16): 172.17.0.0/16
Updating podSubnet from 10.10.0.0/16 to 172.17.0.0/16...

========================================
CIDR updated successfully
IMPORTANT: This script is intended to be run as root.
Rebooting system...
========================================

Broadcast message from root@sspi on pts/2 (Sat 2026-01-10 01:15:51 UTC):

The system will reboot now!


  • SSPI reboots automatically at the end of the script.

  • After the reboot completes, log in as sysadmin, switch to root with sudo -i, and verify the routing table. The antrea-gw0 route now shows this node's /24 slice of the new pod subnet, and the eth0 routes are unchanged:

root@sspi:~# ip route
default via 10.91.1.x dev eth0 proto static
10.91.1.0/24 dev eth0 proto kernel scope link src 10.91.1.x
172.17.0.0/24 dev antrea-gw0 scope link src 172.17.0.1

The internal SSPI CIDR now reflects the newly configured network. If the antrea-gw0 route still shows the old range, compare the node-setup script with the backup the script created (/opt/vmware/vsx-operator/bin/node-setup-firstboot.sh.bak) and, if in doubt, revert to the snapshot taken before the change.
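The two checks a practitioner wants around this procedure, as an added bash example that is not part of this article and not taken from sspi-cidr-change.sh: before running the script, confirming that the candidate pod CIDR overlaps neither the eth0 management subnet nor the customer network that caused the change (the "Run the script and provide the new CIDR" step), and after the reboot, confirming that the antrea-gw0 route lies inside the new CIDR (the verification step above). The ip route samples are copied from this article's lab output with the 10.91.1.x placeholders left as printed; the customer network 10.10.0.0/16 is the one from the Environment section; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example for this KB; not part of the article or of sspi-cidr-change.sh.
# Pre-check: does the candidate pod CIDR overlap anything SSPI must keep reaching?
# Post-check: after the reboot, does the antrea-gw0 route sit inside the new CIDR?
# Pure bash/awk on text you paste in, so it runs on the SSPI VM or anywhere else.

# Netmask for a prefix length, as a 32-bit integer (16 -> 0xFFFF0000).
prefix_mask() {
    echo $(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Validate an IPv4 CIDR and print "<network as integer> <prefix>"; return 1 if
# it is not well formed. Host bits are cleared, so 10.10.5.0/16 -> 10.10.0.0/16.
cidr_parse() {
    local cidr=$1 ip prefix octet mask
    case "$cidr" in */*) ;; *) return 1 ;; esac
    ip=${cidr%/*}; prefix=${cidr#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
    mask=$(prefix_mask "$prefix")
    printf '%d %d\n' "$(( ((10#$1 << 24) | (10#$2 << 16) | (10#$3 << 8) | 10#$4) & mask ))" "$prefix"
}

# 0 if every address of CIDR $2 lies inside CIDR $1; 1 if not; 2 on bad input.
cidr_contains() {
    local o i no po ni pi mask
    o=$(cidr_parse "$1") || return 2
    i=$(cidr_parse "$2") || return 2
    no=${o% *}; po=${o#* }; ni=${i% *}; pi=${i#* }
    [ "$po" -le "$pi" ] || return 1
    mask=$(prefix_mask "$po")
    [ $(( ni & mask )) -eq "$no" ]
}

# 0 if the two CIDRs share at least one address (one contains the other);
# 1 if disjoint; 2 on bad input.
cidr_overlaps() {
    local rc
    cidr_contains "$1" "$2"; rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    cidr_contains "$2" "$1"
}

# From 'ip route' text on stdin, print the a.b.c.d/n destinations SSPI must keep
# reachable: every prefix except those on the pod interface antrea-gw0, which
# the change script replaces anyway. 'default' lines are skipped.
routes_to_cidrs() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ && $0 !~ /dev antrea-gw0/ { print $1 }'
}

# From 'ip route' text on stdin, print the antrea-gw0 (pod) destinations only.
pod_routes() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ && $0 ~ /dev antrea-gw0/ { print $1 }'
}

# Pre-check. $1 = candidate pod CIDR, $2 = whitespace-separated in-use CIDRs.
# Returns 0 if no overlap, 1 if at least one (each named on stderr), 2 if $1 is invalid.
check_new_pod_cidr() {
    local candidate=$1 in_use=$2 net rc=0
    cidr_parse "$candidate" >/dev/null || { echo "invalid CIDR: $candidate" >&2; return 2; }
    for net in $in_use; do
        if cidr_overlaps "$candidate" "$net"; then
            echo "OVERLAP: $candidate overlaps in-use network $net" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Post-check. $1 = new pod CIDR, $2 = 'ip route' text captured after the reboot.
# Returns 0 if at least one antrea-gw0 route exists and all of them lie inside $1.
verify_pod_route() {
    local new_cidr=$1 route found=0
    for route in $(printf '%s\n' "$2" | pod_routes); do
        found=1
        cidr_contains "$new_cidr" "$route" || { echo "antrea-gw0 route $route is outside $new_cidr" >&2; return 1; }
    done
    [ "$found" -eq 1 ]
}

# Sample 'ip route' output copied from this article's lab before and after the
# change; the 10.91.1.x placeholders are left as printed (only column 1 is read).
ROUTES_BEFORE='default via 10.91.1.x dev eth0 proto static
10.10.0.0/24 dev antrea-gw0 scope link src 10.10.0.1
10.91.1.0/24 dev eth0 proto kernel scope link src 10.91.1.x'
ROUTES_AFTER='default via 10.91.1.x dev eth0 proto static
10.91.1.0/24 dev eth0 proto kernel scope link src 10.91.1.x
172.17.0.0/24 dev antrea-gw0 scope link src 172.17.0.1'
# The customer network that caused the overlap (Environment section); it is not
# in the appliance routing table, so it has to be listed by hand.
CUSTOMER_NETS='10.10.0.0/16'

# Demo: the KB's example value passes; candidates inside the management subnet
# or the customer network are rejected; the post-reboot route is validated.
in_use="$(printf '%s\n' "$ROUTES_BEFORE" | routes_to_cidrs) $CUSTOMER_NETS"
for cand in 172.17.0.0/16 10.91.0.0/16 10.10.5.0/24; do
    if check_new_pod_cidr "$cand" "$in_use"; then echo "OK to use: $cand"; fi
done
if verify_pod_route 172.17.0.0/16 "$ROUTES_AFTER"; then echo "antrea-gw0 route is inside 172.17.0.0/16"; fi
```

To use it on a real appliance, paste the output of ip route into ROUTES_BEFORE (taken before the change) and ROUTES_AFTER (taken after the reboot), and list every customer network SSPI must reach in CUSTOMER_NETS; those networks are reached through the default route and so never appear as explicit prefixes in the routing table, which is exactly why the overlap goes unnoticed until something breaks. Overlap is decided on the full prefixes, so a candidate is rejected if it contains, or is contained in, any listed network.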

Additional Information

  • If the IP overlap is limited to a jump host or bastion, and not the SSPI deployment itself, refer to the following KB instead:

KB 423522 – Jumpbox IP range overlap


Attachments

sspi-cidr-change.sh