TCP/IP First-Step [Electronic resources] - text version


Mark A. Sportack


Subnetting a Network


Figure 7-3 shows an abstraction of the network topology. Instead of individual devices, each department's network appears as a cloud. (That really is an accepted practice among network engineers.) Each cloud functions as its own network, even though it is really a subnetwork carved out of the 10.1.2.0/24 network.

Figure 7-4. Ranges of IP Addresses Are Reserved for Each Departmental Network

Figures 7-3 and 7-4 show the firewall as the device connecting the enterprise network to the Internet. This is not precisely accurate, but it is a simplification for the sake of the example. In the real world, you would likely have two routers with the firewall sandwiched between them. That structure creates a semi-trusted region of the network known as a demilitarized zone, or DMZ.

Although Figure 7-4 isn't detailed enough to show it, the router must have one interface (a cable port) in each subnet. That way, the router physically interconnects the subnetworks but treats them as separate networks: a packet can only get from one subnetwork to another by being forwarded, at the IP layer, through the router.

Table 7-1 shows you how the original 10.1.2.0/24 network address is carved up into five subnets: one for the router and the core of the network, plus one for each of the four departments. This table shows the network address of each subnet and the range of addresses it covers. Keep in mind that the first and last address of each range are the subnet address and its broadcast address, so the usable host addresses are the ones in between.

Table 7-1. Subnetting a /24 Network

Network Address   Use                          Address Range             Usable Hosts
10.1.2.0/28       Router and core of network   10.1.2.0 to 10.1.2.15     10.1.2.1 to 10.1.2.14
10.1.2.16/28      Marketing                    10.1.2.16 to 10.1.2.31    10.1.2.17 to 10.1.2.30
10.1.2.32/28      Human Resources              10.1.2.32 to 10.1.2.47    10.1.2.33 to 10.1.2.46
10.1.2.48/28      Accounting                   10.1.2.48 to 10.1.2.63    10.1.2.49 to 10.1.2.62
10.1.2.64/28      Information Systems          10.1.2.64 to 10.1.2.79    10.1.2.65 to 10.1.2.78

(The first and last address of each /28 are the subnet address and the directed broadcast address, so 14 of the 16 addresses in each block are usable for hosts.)

As you can see from Table 7-1, each department gets its own range of IP addresses. The router is configured with the subnet mask, that is, told how the original network address is carved up, so that it knows how to forward packets between the subnetworks.
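The arithmetic behind Table 7-1 is easy to get wrong by hand, so here is an added example (not code from the book) that carves a parent block into equal-size subnets with plain mask arithmetic and then cross-checks the result against Python's standard ipaddress module. The function names are our own.

```python
# Added example (not from the book): split a parent block into /new_prefix
# subnets using mask arithmetic, then cross-check against ipaddress.
import ipaddress


def dotted_to_int(addr: str) -> int:
    """'10.1.2.16' -> 0x0A010210 (the 32-bit integer behind the dots)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """/28 -> 0xFFFFFFF0 (the top 28 of 32 bits set)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def subnet_plan(parent: str, new_prefix: int) -> list:
    """Split e.g. '10.1.2.0/24' into /new_prefix blocks.

    Returns one row per subnet: network, first/last usable host, broadcast.
    The first and last address of every block are reserved (subnet address
    and directed broadcast), so the usable hosts are everything in between.
    """
    base, parent_len = parent.split("/")
    parent_len = int(parent_len)
    if new_prefix <= parent_len:
        raise ValueError("new prefix must be longer than the parent's")
    if new_prefix > 30:
        raise ValueError("a /31 or /32 has no room for the two reserved addresses")
    network = dotted_to_int(base) & prefix_to_mask(parent_len)
    block_size = 1 << (32 - new_prefix)       # /28 -> 16 addresses per subnet
    count = 1 << (new_prefix - parent_len)    # /24 -> /28: 2^4 = 16 subnets
    rows = []
    for i in range(count):
        start = network + i * block_size      # each subnet starts block_size higher
        rows.append({
            "network": f"{int_to_dotted(start)}/{new_prefix}",
            "first_host": int_to_dotted(start + 1),
            "last_host": int_to_dotted(start + block_size - 2),
            "broadcast": int_to_dotted(start + block_size - 1),
        })
    return rows


def cross_check(parent: str, new_prefix: int) -> bool:
    """True when the hand-rolled math agrees with ipaddress.subnets()."""
    expected = [str(s) for s in
                ipaddress.ip_network(parent).subnets(new_prefix=new_prefix)]
    return [r["network"] for r in subnet_plan(parent, new_prefix)] == expected


if __name__ == "__main__":
    # The first five rows are exactly the five subnets of Table 7-1.
    for row in subnet_plan("10.1.2.0/24", 28)[:5]:
        print(f'{row["network"]:<14} hosts {row["first_host"]}-{row["last_host"]}'
              f'  broadcast {row["broadcast"]}')
    print("matches ipaddress:", cross_check("10.1.2.0/24", 28))
```

subnet_plan produces all 16 possible /28 blocks; the book's design uses only the first five and leaves the rest free. The cross-check is the habit worth keeping: whenever you do address arithmetic by hand, confirm it against a library before it goes into a router or firewall configuration.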

Where's the Subnet Address?


Each subnetwork has been given a block of addresses of the same size: 28 bits (indicated by the /28) for the network and subnetwork addresses, which leaves 4 bits for the host addresses in each subnetwork. Together, the network and subnetwork bits are known as the extended network prefix. An extended network prefix enables IP packets to be routed directly to your network, but not to your specific workstation. You can think of this in terms of a mailing address. A mailing address precisely identifies where you live and how to get mail to you. Each mailing address also has at least three parts: a town, a street, and a house number. Notice the increasing specificity? Town, street, house: each level in the hierarchy is more specific than the preceding level. The town consists of many streets, and each street can have a different number of homes.

An IP address works the same way. The network address is analogous to the town you live in. The subnetwork address is more like a street in that it is not identifying a single, specific house; there are many contained inside the previous hierarchical address component (that is, the town). The network address and subnetwork address form the extended network prefix. This term is usually only encountered when talking with real network geeks! The host address is directly comparable to your mailing address dwelling number. Although that's not a perfect analogy, it does get the point across.

If you look back at Table 7-1, it is not at all obvious that a two-level hierarchical address (network and host address) has been cut into a three-level hierarchical address by adding a subnet field. In fact, the subnet field is nowhere to be seen! You can see that the network address has been segmented into smaller pieces and that each piece has a range of IP host addresses, but that's it. The subnet address is absent. That's because the dotted-decimal notation is just a mask over the bits. You can't see the subnet address until you look at the IP address in its native binary form.

In this example, the subnet address is 4 bits long. You already know that a binary address is 32 bits long and that the decimal notation is created by segmenting that 32-bit address into four equal chunks of 8 bits each. Those 8-bit chunks are separated visually by a dot. If the subnet address is only 4 bits long, it can't be one of the four dotted-decimal numbers. Instead, it is a piece of one of those decimal numbers.

The bits used to create a subnetwork address are always borrowed from the host address field. Remember, the original network address was 24 bits long. The rest of the Internet knows about this address and uses it to send IP packets to this little enterprise. Consequently, you can't change the network address without breaking sending and receiving via the Internet. (Strictly speaking, 10.0.0.0/8 is private address space under RFC 1918 and is not routed on the public Internet; the book uses it for illustration, and the argument applies unchanged to a publicly routable /24.) That leaves little choice but to create subnetwork addresses from the host address field. Because the original network address was 24 bits long, the host address has exactly 8 bits. Of those, 4 bits were borrowed to create the subnetwork addresses. That results in an extended network prefix 28 bits long and just 4 bits for host addresses within each subnetwork.

Checking the Math


Now that you know how to carve a network address block into subnetworks, the next step in mastering the arcane art of subnetting is doing the math. Table 7-1 shows you the address ranges allocated to each of the five subnetworks. Those ranges weren't pulled out of a hat! They were chosen because they make sense mathematically.

The problem is that the logic behind subnetting only becomes apparent when you stop using decimal numbers. Remember, an IP address is a 32-bit binary number. It has become customary to use decimal numbers only because human beings can't remember long strings of highly repetitive binary digits. The decimal numbers are nothing but a mask for the real address: the 32-bit binary number. That binary number usually remains hidden from view behind that mask. You have to stare at the bits to appreciate subnetting.

Staring at the Bits


To see the subnet address, you have to look at the binary address itself. Table 7-3 repeats the subnets of Table 7-1, but shows the network address (the base address) of each subnet in binary in the Binary Host Addresses column.

Table 7-3. The Binary Side of Subnetting (subnet bits in brackets)

Decimal Network Address   Use                          Binary Host Addresses
10.1.2.0/28               Router and core of network   00001010.00000001.00000010.[0000]0000
10.1.2.16/28              Marketing                    00001010.00000001.00000010.[0001]0000
10.1.2.32/28              Human Resources              00001010.00000001.00000010.[0010]0000
10.1.2.48/28              Accounting                   00001010.00000001.00000010.[0011]0000
10.1.2.64/28              Information Systems          00001010.00000001.00000010.[0100]0000

When viewed in dotted binary form, the subnet address really does leap out at you, especially when the four subnet bits are marked off within the last octet (the printed book uses bold italics for them). Even though the subnet address is really just 4 bits embedded within a string of 32 bits, you can see that you start counting at 0000 and increment that 4-bit field normally using binary addition.

The first subnet address is 0000, the second is 0001, then 0010, 0011, and finally 0100. Using this scheme, you could create 0101, 0110, 0111, 1000, 1001, 1010, 1011, 1100, 1101, 1110, and finally 1111 as additional subnet addresses. That makes sense, but you have to remember that the rightmost bit of this field is worth 16 as far as the decimal IP address is concerned, so each increment of the subnet field is a step of 16 addresses.

Why 16? Even though the 4 subnet bits have been called out separately to make the math more obvious, they remain an integral part of the overall 32-bit address. The least significant bit of any binary field is its rightmost bit, and in this subnetwork address that rightmost bit occupies the 16s column of the last octet.

Remember, this isn't the Base10 number system with its all too familiar 1s, 10s, 100s, 1000s progression from right to left. You're working with Base2. The progression is in powers of 2, not 10. The rightmost bit of the subnetwork address is in the 2^4 column, which equals 16 in Base10. The result of this relative positioning of the subnetwork address's rightmost bit is that increments within the subnetwork address (such as from 0110 to 0111) are really increments in blocks of 16 when viewed as decimal numbers.

A total of 16 possible subnets can be created using a 4-bit subnet address. That makes perfect sense because 2^4 is 16. Each of those subnets contains 16 addresses because exactly 4 bits are left for host addresses in each, and 14 of those 16 are usable for hosts once the subnet address and broadcast address are set aside. In decimal terms, the base address of each subnet created is a multiple of 16. They start at 10.1.2.0 and progress as follows:

10.1.2.16

10.1.2.32

10.1.2.48

10.1.2.64

10.1.2.80

10.1.2.96

That pattern is obvious only when you know what to look for!
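To make the three-level hierarchy visible without a printed table, here is an added example (not code from the book) that pulls the network, subnet and host fields out of a 32-bit address and renders it the way Table 7-3 does. It also performs the one operation a router does with the extended prefix: AND the destination with the mask to find the subnet base. The bracket notation for the subnet field and the function names are our own.

```python
# Added example (not from the book): expose the network / subnet / host
# fields inside a 32-bit IPv4 address, as in Table 7-3.

def to_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def dotted_binary(addr: str, network_len: int = 0, extended_len: int = 0) -> str:
    """Render an address as four 8-bit groups, bracketing the subnet field.

    network_len is the original prefix the Internet routes on (24 here),
    extended_len is the extended network prefix (28 here); the bits between
    them are the subnet field. With both left at 0 nothing is bracketed.
    """
    bits = format(to_int(addr), "032b")
    out = []
    for i, bit in enumerate(bits):
        if extended_len > network_len and i == network_len:
            out.append("[")
        out.append(bit)
        if extended_len > network_len and i == extended_len - 1:
            out.append("]")
        if i % 8 == 7 and i != 31:          # dot between octets
            out.append(".")
    return "".join(out)


def fields(addr: str, network_len: int, extended_len: int) -> dict:
    """Split one address into its network, subnet and host field values."""
    value = to_int(addr)
    host_len = 32 - extended_len            # 4 bits for a /28
    subnet_len = extended_len - network_len  # 4 bits borrowed from the host field
    return {
        "network": value >> (32 - network_len),
        "subnet": (value >> host_len) & ((1 << subnet_len) - 1),
        "host": value & ((1 << host_len) - 1),
    }


def subnet_base(addr: str, extended_len: int) -> str:
    """The router's forwarding test: AND the address with the extended mask."""
    mask = (0xFFFFFFFF << (32 - extended_len)) & 0xFFFFFFFF
    return to_dotted(to_int(addr) & mask)


if __name__ == "__main__":
    # The five rows of Table 7-3, with the subnet field called out.
    for base in ("10.1.2.0", "10.1.2.16", "10.1.2.32", "10.1.2.48", "10.1.2.64"):
        f = fields(base, 24, 28)
        print(f'{base:<10} {dotted_binary(base, 24, 28)}  '
              f'subnet field {f["subnet"]:04b} = {f["subnet"]} x 16')
    # A host in Accounting: 53 = 0011 0101, so subnet 3, host 5.
    print(fields("10.1.2.53", 24, 28), "->", subnet_base("10.1.2.53", 28))
```

Run it and the "x 16" column is the whole point of the section: the subnet field counts 0, 1, 2, 3, 4 while the last octet steps 0, 16, 32, 48, 64, because the field's rightmost bit sits in the 16s column.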

Leaving Room for the Network


One subtle but important point may have gotten lost in the details of Tables 7-1 and 7-3: an extra subnet was created. You were led down the primrose path by identifying the functional areas of the company that needed their own subnets, but then one more was created for the network itself. Why? Simply because it is good network design.

The router and network core must have their own range of addresses. In fact, the router and network core was the first subnet created in Table 7-1. This can be confusing because you know that one interface on the router must belong to each of the subnetworks. Why can't the router just be a part of one of those subnetworks? Technically, it can. In practice, doing that is a bad idea: it limits your ability to secure the network, and it can cause performance problems for the users unlucky enough to share a segment with what is likely the busiest device of all, the router!

By giving the router (which forms the core or center of the enterprise's network) its own subnetwork, you create the potential for improving network security and performance. As a general rule, the router (and any other devices) shared by all the subnetworks should be at the center of your network. That is, all subnetworks should have equal access to it. For that reason, it is ideal to have the core of your network, populated with essential shared resources such as the firewall and the computers that run essential infrastructure services, in its own subnetwork.

The Benefits and Drawbacks of Subnetting


Subnetting, like most things in life, is not perfect. In fact, it is really a mixture of ups and downs. Subnetting affords great flexibility and enhances your ability to manage and use a network, but all that comes at a price. In the end, the benefits far outweigh the drawbacks. Consequently, subnetting has become ubiquitous in IP networks. Let's quickly walk through the ups and downs.

The Benefits


Now that you know a little bit about subnetting, it's time to sit back and reflect on the benefits of this approach to managing IP addresses. There are, in my opinion, three main benefits of subnetting:

More efficient use of an IP network address
By being able to cut up a single block of network addresses into smaller pieces, you avoid wasting IP addresses. This lets you avoid having to obtain multiple network address blocks. This was the original motivation that drove the Internet to accept subnetting. The supply of IP network addresses was being used up at an alarming rate, so the Internet Engineering Task Force (IETF) seized upon subnetting as a way of making the remaining supply last longer.

Resource organization
You can create a subnet and fill it with just printers, or servers, or even computer programmers. One could argue that all three should be separated from the rest of the network's resources and users for the sake of optimizing network performance.

Security
You can improve your network's security by compartmentalizing sensitive resources into their own subnetwork. Although that doesn't by itself prevent other people from accessing them, it does make it a bit more difficult. The real benefit comes from the boundary: because traffic between subnets must pass through the router, that is where access controls can be applied. Addresses alone enforce nothing.

Drawbacks


One of the drawbacks to subnetting might seem a bit paradoxical. You just read that subnetting allows you to use a block of network addresses more efficiently, but subnetting can actually waste IP addresses. Each subnet requires you to reserve two addresses: one to identify the subnet itself and the other for broadcasting to all machines within that subnet. A /24 network contains 256 total addresses, and you can use 254 of them if you don't subnet it. For each subnet you create, you lose an additional two addresses: the five /28 subnets in Table 7-1 set aside 10 addresses out of the 80 they cover. This is nitpicking; obviously subnetting has proven its worth over time. It just demonstrates that subnetting is not perfect.

The other major drawback to subnetting is that it is not at all a simple science. Actually, it's quite complex! Even if you know what you are doing, you can make quite a mess of your network by improperly managing the address block. This book doesn't go into detail about how difficult it is to manage a subnetted IP network address block, but suffice it to say that not many people can think in Base2. You can see how unintuitive the boundaries between subnets are when you look at the binary numbers back in Table 7-3. Now imagine that the address space you were managing contained dozens of subnets and thousands of endpoints. A larger address block just creates greater potential for a bigger mess.
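The "mess" usually takes one of three forms: a subnet that isn't on its own block boundary, a subnet that spills outside the parent block, or two subnets that overlap. Here is an added example (not code from the book) that checks a hand-written plan for all three before it reaches a router, and reports the free space left in the parent. The good plan is Table 7-1; the bad plan is constructed for illustration, and the function names are our own.

```python
# Added example (not from the book): review a subnet plan for alignment,
# containment and overlap, and report what is still unallocated.
import ipaddress


def check_plan(parent: str, subnets: dict) -> list:
    """Return a list of problems; an empty list means the plan is clean."""
    problems = []
    parent_net = ipaddress.ip_network(parent)
    parsed = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects an address with host bits set, e.g. 10.1.2.20/28
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            loose = ipaddress.ip_network(cidr, strict=False)
            problems.append(f"{name}: {cidr} is not on a /{loose.prefixlen} "
                            f"boundary (did you mean {loose}?)")
            continue
        if not net.subnet_of(parent_net):
            problems.append(f"{name}: {cidr} lies outside {parent}")
            continue
        parsed[name] = net
    names = sorted(parsed, key=lambda n: int(parsed[n].network_address))
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems


def unallocated(parent: str, subnets: dict) -> list:
    """Largest free CIDR blocks left in the parent after the plan is applied."""
    free = [ipaddress.ip_network(parent)]
    for cidr in subnets.values():
        net = ipaddress.ip_network(cidr, strict=False)
        remaining = []
        for block in free:
            if block.subnet_of(net):          # block swallowed entirely
                continue
            if net.subnet_of(block):          # carve net out of this block
                remaining.extend(block.address_exclude(net))
            else:                             # CIDR blocks never partially overlap
                remaining.append(block)
        free = remaining
    return [str(n) for n in sorted(ipaddress.collapse_addresses(free))]


# Constructed sample plans: GOOD is Table 7-1, BAD has one of each mistake.
GOOD = {"core": "10.1.2.0/28", "marketing": "10.1.2.16/28", "hr": "10.1.2.32/28",
        "accounting": "10.1.2.48/28", "is": "10.1.2.64/28"}
BAD = {"core": "10.1.2.0/28", "marketing": "10.1.2.20/28", "hr": "10.1.2.32/28",
       "accounting": "10.1.2.40/29", "is": "10.1.3.0/28"}

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, "problems:", check_plan("10.1.2.0/24", plan) or "none")
    print("free in 10.1.2.0/24 after GOOD:", unallocated("10.1.2.0/24", GOOD))
```

The unallocated report is what tells you whether the next department can get a /28 (there are eleven left), and the alignment check catches the classic off-by-sixteen mistake of writing 10.1.2.20/28 when 10.1.2.16/28 was meant.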
