Solved

Subnetting--WHY DO IT?

Posted on 2001-06-16
Last Modified: 2012-06-27
Ok, I've read just about all I can take on the subject of subnetting. I know how to calculate back and forth between subnets and masks, but I still don't understand a couple of things:
1. What's the purpose? I've read that it speeds up the network and allows for more security. Neither of these has been explained in more detail, and they aren't very intuitive. On this same subject, isn't it true that if a network is broken into subnets it'll require a router between each subnet, making things more complex (not to mention expensive)? So why would I want to do it?
2. There seems to be a conflict about the 255.255.255.128 netmask. Some sites say that this would create 2 subnets with 126 hosts each (which makes sense); others say that this is an invalid mask and that the next valid mask ends with 192, providing only 62 hosts/subnet. Which is true?
Thanks,
tibori
Question by: tibori
11 Comments

Accepted Solution by jwalsh88 (earned 50 total points), ID 6199120

I will attempt to address all your comments.

First, the subnet mask 255.255.255.128 normally only has one valid subnet. That is due to how subnet masking works: it does not allow you to use the zero-subnet. So, that would leave you with only one usable subnet, xxx.xxx.xxx.128 255.255.255.128.
But, in some cases you can configure devices (like Cisco routers) to use the zero-subnet, giving you two subnets, xxx.xxx.xxx.0 255.255.255.128 and xxx.xxx.xxx.128 255.255.255.128.

There is not a question of when to use subnets and when not to. The real question is when to use routers and when not to, because sometimes implementing subnets (and you are correct when you say you would more than likely now need a layer 3 IP router) can slow things down.

One of the reasons to use routers is that your network is too saturated with broadcasts, which are used by a lot of different protocols on PCs today. Routers create separate segments that block broadcasts. This will significantly speed up a network that is overrun with broadcasts. There is a very basic statement about when to use routers just to break up broadcasts: in an NT environment (actually any Windows-based networking) around 500 devices is too many to not break up the broadcasts, in Novell IPX they say 200-300 users, in AppleTalk it's around 200 users. So that's a small guideline of when to add a router.

Also, there is the concern of security. You can enforce an insane amount of security with a router that you can't do with anything else. The security can come in a lot of ways, everything from true access lists that can be very specific to flow control. If you need more clarification on this subject let me know.

As for making it more complex: the only added complexity is learning how to configure and maintain your layer 3 routing device. But it is well worth it; they aren't as expensive as they are because they are great complex devices, it's just because everyone wants them. Don't be fooled into thinking that the internet core routers from Cisco, Juniper and others cost those respective companies anywhere near 1.5-2 million dollars. In fact I happen to know that even after R&D they don't cost much more to produce than their enterprise routers like the Cisco 7206VXR, which list at somewhere near $38,000. Quite a lot cheaper.

So, in conclusion I would say if you are having protocol problems (like problems with broadcasts or trying to get one protocol across another or things like that related to layer 3 protocols) or if you want security features, then get a router. And this is where your answer comes in. If you get a router you might have to subnet up your network. But if you plan correctly, unless you have a huge network with thousands of subnets, you should have to subnet up your network. You should be able to just use another private address range and, if you are connecting to the internet, use NAT to translate it.

One thing you should know is that you don't need to have a router just because you want to use separate subnets. You can use as many subnets as you want on one network segment. They just can't talk to devices that are using separate subnets, even if they are on the same physical network.

Sorry if any of this is confusing you, but I tried to answer as much as I could without asking you any more questions. If you need more clarification, just let me know, and also let me know exactly what you have and what you are thinking of doing and why. I should be able to explain to you what all your options are and what the benefits and caveats of each solution would be.


Expert Comment by jjeff1, ID 6199183

There are other reasons to subnet.

Broadcast is a large part of it. Virtually every network protocol uses some amount of broadcast. By definition, broadcast traffic goes to every node on a network. You can imagine that a large number of nodes all sending and receiving traffic will slow things down even on a fast network. But if you have a slow-speed link between 2 sites, say you have a small leased line, the broadcasts would choke the connection. By placing a router at each end of the connection, you stop broadcasts from going over the WAN link.

Also, you'll find that ISPs use subnets to protect their customers from each other. As an ISP, I could have several of my customers share a subnet. Let's say I have a class C and each customer was allowed to use 1/2 of it. Well, if one of the customers configured their network wrong, they could cause IP conflicts with the other customer. Not to mention this type of arrangement would also allow one customer to see the broadcasts from another.

Finally, subnetting is also done for organizational purposes. Often you'll find networks that comprise several buildings where each building gets its own subnet.

Expert Comment by estest, ID 6202773

I think jwalsh is talking about the difference between the "Cisco formula" for subnetting and the "Real formula" for subnetting. (ip subnet zero)

When designing a WAN you don't want to use a Class B, or even a Class C network for a point to point connection. That would be a terrible waste. There are only 2 hosts on a point to point connection, and that's all you need.

You use the 255.255.255.252 subnet mask for these, where

.0 is the 1st network address (with ip subnet zero enabled)
.1 is the 1st valid host
.2 is the 2nd valid host
.3 is the broadcast address
.4 is the 2nd network address
.5 is the 1st valid host
and so on, and so on

So, conserving IP addresses is another reason (the main reason IMHO).


hth

Tim
CCNA
Most Valuable Professional for TCP/IP Administration
http://www.brainbench.com
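The two counting conventions argued over above (the accepted answer's claim that 255.255.255.128 leaves one usable subnet, the question's source that calls the mask invalid and jumps to 192, and estest's /30 point-to-point table) can be checked with the following added example. It is not code from any poster in this thread; it uses only Python's standard ipaddress module, the 192.168.1.0/24 block is a constructed RFC 1918 example, and the function and parameter names are mine. The reserve parameter selects the rule being applied: the CIDR rule of RFC 1878 (and IOS with ip subnet-zero) treats every subnet as usable; the classful rule of RFC 950 reserved both the zero subnet and the all-ones subnet, which is where the "2^n - 2 subnets" exam formula and the "/25 is invalid, use /26 for 62 hosts" reading come from.

```python
"""Subnet enumeration with the zero-subnet / all-ones-subnet rules.

Added example for this thread, not code posted by any participant.  Standard
library only.  The 192.168.1.0/24 block is a constructed RFC 1918 example and
the function names are mine.
"""
import ipaddress

RESERVE_RULES = ("none", "zero", "both")


def enumerate_subnets(block, new_prefix, reserve="none"):
    """Split `block` into /new_prefix subnets and describe the usable ones.

    reserve picks which subnets are treated as unusable:
      "none"  every subnet counts (CIDR, RFC 1878; IOS with `ip subnet-zero`)
      "zero"  drop the zero subnet only (all subnet bits 0)
      "both"  drop the zero and the all-ones subnets (classful RFC 950 rule,
              the "2^n - 2 subnets" exam formula)
    Each returned dict carries network, first/last usable host, broadcast and
    the usable host count, plus flags marking the zero and all-ones subnets.
    """
    if reserve not in RESERVE_RULES:
        raise ValueError(f"reserve must be one of {RESERVE_RULES}")
    if new_prefix > 30:
        raise ValueError("/31 and /32 have no separate network/broadcast address")
    net = ipaddress.ip_network(block, strict=True)
    subnets = list(net.subnets(new_prefix=new_prefix))
    rows = []
    for index, sub in enumerate(subnets):
        is_zero = index == 0                    # all subnet bits are 0
        is_all_ones = index == len(subnets) - 1  # all subnet bits are 1
        if is_zero and reserve != "none":
            continue
        if is_all_ones and reserve == "both":
            continue
        rows.append({
            "network": str(sub.network_address),
            "mask": str(sub.netmask),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": sub.num_addresses - 2,  # minus network and broadcast
            "zero_subnet": is_zero,
            "all_ones_subnet": is_all_ones,
        })
    return rows


def usable_subnet_count(block, new_prefix, reserve="none"):
    """How many subnets the chosen counting rule leaves usable."""
    return len(enumerate_subnets(block, new_prefix, reserve))


if __name__ == "__main__":
    # The competing claims from the question, side by side.
    for rule in RESERVE_RULES:
        print(f"{rule:>5}: /25 -> {usable_subnet_count('192.168.1.0/24', 25, rule)} usable subnets,"
              f" /26 -> {usable_subnet_count('192.168.1.0/24', 26, rule)} usable subnets")
    # The /30 point-to-point table from estest's comment, first four entries.
    for row in enumerate_subnets("192.168.1.0/24", 30)[:4]:
        print("{network:<14} hosts {first_host}-{last_host} broadcast {broadcast}".format(**row))
```

Under the "both" rule a /24 split at /25 yields no usable subnet, which is the "invalid mask" reading, and /26 yields two subnets of 62 hosts; under "none" the same /25 split yields two subnets of 126 hosts. The on-the-wire arithmetic is identical in every case, so the practical check is which rule the equipment (or the exam) enforces before a design depends on the zero or all-ones subnet.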

Author Comment by tibori, ID 6202785

Thank you both, I believe the first part of my question has been answered. The second part is still a little confusing. jwalsh88, you say that subnetting "does not allow you to use the zero-subnet." Is this true with other subnets as well? What I mean is, does the xxx.xxx.xxx.192 netmask actually only allow 3 subnets instead of 4?
Secondly, does a straight TCP/IP network use broadcasts? I've read that the NETBEUI protocol does, if there's not a WINS server, but that's the only one I know of. What others (briefly) are there?
So just to summarize, is it safe to say that most likely one would NOT subnet a Class C network, on a local LAN let's say, unless you were an ISP with a limited amount of IP addresses?
One last thing about security, to see if I understood it correctly. If I want to improve security by isolating parts of a network, but have limited hardware (hubs or switches), I could hook all of my machines into the same hardware, put them into different subnets, and the two subnets would not be able to "touch" each other, but could still share the hardware? This is very interesting... something I haven't thought about. Is it true then that once I add a router between the two subnets, I've given up the security, and am left with a speed improvement due to lowered broadcasts?
Thanks

Expert Comment by jwalsh88, ID 6202992

estest,

There is no "Cisco" formula for subnetting. There is only TCP/IP subnetting. And you would be the one wasting IP addresses if you use them for point-to-point links. The only PPP links that need IP addresses are links to hosts. Links between routers don't need IP addresses, period. The router will need an IP address but none of the WAN interfaces do. And in a WAN of course there wouldn't be any Class B or Class C; that's because you have enabled classless IP addressing on your routers. So, while conserving IP addresses is an okay result of subnetting, it's not a very big one unless you are an internet carrier or ISP. In fact I see no reason to use it unless you are designing a WAN with lots of small offices. Then you would still use IP unnumbered WAN links but subnet up your usable IP addresses for each small office. Of course, why do that when you can just use the large amount of private IP addresses that come with the 192.168.x.x private range, or even use classless routing and break up the 10.x.x.x range? I would love to hear your explanation of how anything I said above was incorrect.

tibori, sorry for getting off the subject. All protocols use broadcasts; some just use more than others. And yes, you can't use the zero subnet of any range or subnet unless the devices (routers) you are using either support the use of it by default or have it enabled. Some don't support it at all. The same goes for using classless IP ranges, period. To use your Cisco routers with subnetted address ranges make sure to enable ip classless, otherwise you could have problems later. And no, you never give up security by adding a router; you increase the probability of security depending on what you do with the router (how it's configured). If you don't want to have the two networks talk to each other, you don't need a router just to stop the broadcasts; you can just plug them into different physical networks without linking them together in any way, or put them on separate VLANs. Just like you would have to do if you put in a router, except that you don't put in the router.
Expert Comment by estest, ID 6203209

jwalsh88,

easy killer....

I didn't mean to start a fire here.

None of your answers are "incorrect". WAN design and IP addressing schemes aren't Right or Wrong. It depends on the requirements of the network and the circumstances.


But...

Using un-numbered WAN interfaces on large router networks makes troubleshooting a real pain in the ass (IMHO).

I've managed large WANs (20K+ routers) with and without IPs on the WAN interfaces, and I prefer the "with" configuration.

As for using RFC1918 addressing (192.168...10...171.16-31...)I agree. There is no reason to number their WAN ports with "real" addresses when the "private" ones would do just fine.


As for my comments about a "Cisco formula" and a "Real formula"..

Cisco uses the "Cisco formula" on the Cisco certification exams. Meaning.... if you try to use ip subnet zero in your calculations on a Cisco test, you'll get the question wrong.
Does this mean you can't use ip subnet zero in real life? No. It just means that on the test, you must give the "Cisco Answer", no matter what is right or wrong.


I do like your comments about routers separating Broadcast Domains. This is an important use of routers that has nothing to do with the other typical reasons for using routers, protocol or media conversion.


hth

Tim
CCNA
Most Valuable Professional for TCP/IP Administration
http://www.brainbench.com

Author Comment by tibori, ID 6212199

Thank you all for the great information!!
Just to clarify something I'd like to propose the following example:
Let's say I have an internal network (let's say only 2 machines) and I would like to set them up in a network. Is the following true about the hosts being on the same network (i.e. being able to communicate without a router) with the following IPs and netmasks:
Scenario 1:
             PC1: 10.0.0.1/255.0.0.0
             PC2: 10.255.255.254/255.0.0.0
Scenario 2:
             PC1: 172.16.0.1/255.255.0.0
             PC2: 172.16.255.254/255.255.0.0
Scenario 3:
             PC1: 192.168.0.1
             PC2: 192.168.0.254

In each of the above cases(the way I understand it) PC1 and PC2 should be able to communicate without a router. Is that true?
Another question: in a Class A or B scenario, do the addresses that end with 255 or 0 mean something special as they do in Class C? What I mean is: is 10.0.0.255 a valid host address? If not, what is it used for?
And one more:
If I had limited hardware but wanted to isolate two networks, could I safely put them on different subnets to isolate them? For example, let's say I had 4 PCs and only one 4-port hub. Then let's say I wanted to have two networks with 2 PCs each that couldn't talk to each other, but I wanted to share the hub. I guess this would work, unless someone was clever enough to add a route in their routing table to the other network....
thanks


Author Comment by tibori, ID 6229184

Thank you all.

Expert Comment by jwalsh88, ID 6230855

tibori,
To answer your questions above: yes, all of those scenarios are correct. As far as ending in 255 or 0, this is how that works. In a subnet in TCP/IP addressing you have a range.
For the subnet 192.168.0.0 255.255.255.0 that range is 192.168.0.0-192.168.0.255. The first and last possible addresses in that range cannot be used because they are special: the first address in every range is the address of the network, the last address is the broadcast address of that network. Those would be 192.168.0.0 and 192.168.0.255 respectively in the example above. Now if you are using 10.0.0.0 255.0.0.0 the same rule applies; the first and last addresses are "special". The difference is the range is much bigger now: the range is 10.0.0.0-10.255.255.255. So the first and last addresses are the only "special" addresses, which are 10.0.0.0 (network) and 10.255.255.255 (broadcast). So to answer your question, yes, 10.0.0.255 would just be another host address. Now if your address was 10.0.0.255 but your mask was 255.255.255.0, then this would become the broadcast address because the range is only 10.0.0.0-10.0.0.255.

And to answer your final question: yes, if you put 4 on a hub with two sets of different IP addressing schemes, the machines can't talk using TCP/IP. And that is regardless of any attempt to use static routes on the machine.

Author Comment by tibori, ID 6231984

jwalsh88: thank you for explaining it so clearly. I have a better understanding of the whole thing. At least I think I do :)
Thanks,
tibori

Expert Comment by PrawnStar, ID 7322491

"And to answer your final question, yes if you put 4 on a hub with two sets of different ip addressing schemes the machines can't talk using tcp/ip.  And that is regardless of any attempt to use static routes on the machine."

True, but if someone installed a second TCP/IP stack on one of the machines, which is very easy to do, it could speak to both subnets.

If you want to separate for security then isolate them on separate hubs.
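To check tibori's three scenarios and the network/broadcast rule from jwalsh88's reply, and to show why the "second TCP/IP stack" caveat in the last comment holds, here is an added example that is not code from any participant. It uses only Python's standard ipaddress module. The addresses are the constructed ones from the scenarios; scenario 3 gives no mask, so the classful default 255.255.255.0 is assumed for it. Function names are mine.

```python
"""Same-subnet test and special-address classification for IPv4.

Added example for this thread, not code posted by any participant.  Standard
library only.  The addresses come from tibori's three scenarios; the mask for
scenario 3 (192.168.0.x, none given in the post) is assumed to be the
classful default 255.255.255.0.  Function names are mine.
"""
import ipaddress


def role_of(address, mask):
    """Classify `address` under `mask` as 'network', 'broadcast' or 'host'.

    Whether x.x.x.255 or x.x.x.0 is special depends only on the mask, not on
    the old class of the address: 10.0.0.255/8 is an ordinary host, while
    10.0.0.255/24 is a broadcast address.
    """
    iface = ipaddress.ip_interface(f"{address}/{mask}")
    net = iface.network
    if net.prefixlen >= 31:
        return "host"  # RFC 3021 /31 and /32: no network/broadcast address
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "host"


def same_subnet(addr_a, mask_a, addr_b, mask_b):
    """True when A and B can exchange packets with no router in between.

    A host decides 'on-link' using its OWN mask: (dst & mask) == (me & mask).
    Both directions are checked, because a mask mismatch lets A send directly
    while B routes its reply to a default gateway that may not exist.
    """
    ia = ipaddress.ip_interface(f"{addr_a}/{mask_a}")
    ib = ipaddress.ip_interface(f"{addr_b}/{mask_b}")
    return ib.ip in ia.network and ia.ip in ib.network


def reachable_without_router(local_addresses, peer, peer_mask):
    """Multi-homed view: a host with several IP/mask pairs on one interface
    (the 'second TCP/IP stack' of the last comment) reaches `peer` directly
    if any of its addresses shares a subnet with it.  Two subnets on one hub
    are therefore an addressing convention, not an isolation boundary.
    """
    return any(same_subnet(a, m, peer, peer_mask) for a, m in local_addresses)


# tibori's scenarios as constructed test data (scenario 3 mask assumed /24)
SCENARIOS = [
    ("10.0.0.1", "255.0.0.0", "10.255.255.254", "255.0.0.0"),
    ("172.16.0.1", "255.255.0.0", "172.16.255.254", "255.255.0.0"),
    ("192.168.0.1", "255.255.255.0", "192.168.0.254", "255.255.255.0"),
]


def check_scenarios():
    """Return [(PC1, PC2, same_subnet?)] for the three scenarios."""
    return [(a, b, same_subnet(a, ma, b, mb)) for a, ma, b, mb in SCENARIOS]


if __name__ == "__main__":
    for a, b, ok in check_scenarios():
        print(f"{a} <-> {b}: {'no router needed' if ok else 'router needed'}")
    for addr, mask in [("10.0.0.255", "255.0.0.0"), ("10.0.0.255", "255.255.255.0"),
                       ("10.255.255.255", "255.0.0.0")]:
        print(f"{addr}/{mask}: {role_of(addr, mask)}")
    # Two 'isolated' subnets on one hub, then one PC gets a second address.
    pc1 = [("192.168.0.1", "255.255.255.0")]
    print("PC1 reaches 192.168.1.1:", reachable_without_router(pc1, "192.168.1.1", "255.255.255.0"))
    pc1.append(("192.168.1.2", "255.255.255.0"))
    print("after adding a second address:", reachable_without_router(pc1, "192.168.1.1", "255.255.255.0"))
```

All three scenarios come out as same-subnet, 10.0.0.255 is a host under 255.0.0.0 and a broadcast under 255.255.255.0, and the moment a machine on the shared hub is given a second address in the other range it reaches that range directly, with no router and no route entry needed. Note also that on a hub every frame is delivered to every port regardless of IP addressing, so a machine on the "other" subnet can already read the traffic; the addressing only stops it from replying. For isolation, separate hubs (or separate VLANs on a switch, as jwalsh88 suggests) are the actual boundary.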