IP and Subnet Question

I am running a Cisco router with an IP of xxx.248.206.1
and I have a Cisco Firewall that is connected to it at xxx.248.206.143, then my actual work network is connected to the firewall through the firewall internal port of

My IP assignments for the Internal Office systems are:

I would like to know if my internal office pc network is supposed to be a subnet mask of

I am wondering because it seems I screwed up a few places and used for some and for others.

Can someone tell me what the right subnet would be and why?
(Don't post a link, just explain it please.. )
Rule of thumb. Use the mask that fits your network. If less than 253 hosts, use
2nd rule of thumb. ALL devices, including and especially the gateway, must have the same mask.

It should be

However, the systems with will still work, with some exceptions.  Where you will have a problem is when you need to connect to IP Addresses that will be out of this subnet, but shouldn't be.

For example, if your IP Address is and your Subnet is set to, you will connect to everything that starts with 172.16.1 just fine.  You will NOT be able to connect to 172.16.2.x-172.16.254.x (or 172.16.0.x) because since your Subnet SHOULD BE, these would be LOCAL addresses.  Since you set the Subnet to, they will be viewed as non-local, and the traffic will attempt to go through the default gateway.

Unless you have any of those other systems with 172.16.(something other than 1).x, you will be fine.

pjargon Commented: should work
What this means is that your computer can communicate directly to everything on the network with an ip starting with 172.16.1.*, anything else needs to go through the firewall first.

If you use as a subnet mask, everything will probably still work fine, just means that your computer can communicate directly with anything 172.16.*.*

It depends upon what else you have on your network though.  If you have machines with an ip of 172.16.2.* (or any other not-1 number for the 3rd group), you'll need
If all you have is 172.16.1.* machines, is what you're after.

What it really boils down to is how big do you need it to be?  Since you're using the 172.16.x.x range, as long as you have it at least as (which is huge) you'll be fine.  Judging by the numbers you've assigned already, unless you have some unusually large setup with thousands of computers, will be fine also.  What's most important in this scenario is that A) they are all the same and B) all of the addresses you use fit within that range.

Basically what it boils down to for these two masks is this- = All IP addresses must start with 172.16.x.x = All IP addresses must start with 172.16.1.x

You can go larger or smaller as need be, but that would unnecessarily complicate things.

If you have a relatively small network, you would want to use the class C mask of Your range would then be - for hosts.

If your network were larger and you were not too worried about flooding it with broadcast traffic, you could use the class B range of and have a much larger range of -

The difference is 254 hosts on the class C and way more on the other. In your case, it would be prudent to use

As long as all your internal addresses fit in the address space of 172.16.1.x then you can use a subnet of  Otherwise, set all netmasks to  If they're all on the same subnet, they should all have the same subnet mask.  It might still work with a mixmatch of subnet masks, however your firewall would wind up routing packets internally that it really doesn't need to be if everything was on the same subnet.  

Technically, if you're using 172.16.x.x address space, RFC 1918 says subnets in the range should be "20 bit blocks" meaning they should have a netmask of

It will work either way, but to stay true to the RFC, I'd change them all to
gormly (Author) Commented:
Um.. two conflicting responses.. not encouraging at all.

My reason for this question is I have network issues sometimes and I want to figure out why.
I just recently added a MAC to the network (uggg) and I can't get the thing to work with the network, sometimes it sees things, sometimes it does not.  Sometimes it connects.. sometimes it does not.

Anyway, to really help me out could you go through this list and tell me what the subnets should be on these devices?

Cisco Router should have:
IP: xxx.248.206.1

Outside IP: xxx.248.206.143

Inside IP:

Office PC

Printer attached to network but outside the firewall:
IP: xxx.248.206.90
All of them should be
"All of them should be"  depends how you define "should".  It'll work if all are, but again, according to RFC1918 the 172.16.x.x networks should have a netmask of  Either way will work, you don't need a subnet with less than 253 IP devices on that subnet, but it would be "cleaner" to stick with the RFC.  Either netmask will work.  Just make sure they're all the same on all the 172.16.1.x machines.  Some admins would think it was silly to use 20 bit address space, others would think it's silly to break RFC, others would change the 172.16.x.x's to 192.168.x.x's and use a netmask, others wouldn't care as long as it worked.  Decide what category you fit in and make the appropriate change.  
gormly (Author) Commented:
I really don't know now...

It should be but then again it should be but it can be even though this says it can be

I mean come on...
I know you guys are trying to help but geese louise....

Should I stay or should I go now...

Which One should I use?
You can use either. If all internal hosts have the same one, you will not have a problem. (your ISP will determine the subnet of the Cisco gear and the printer) is a standard small network subnet.

It is the preferable one.
Use on all internal (172.16.1.x) systems.  You should have been given a netmask to use for your public IP's by your ISP.
Maybe this will help...

To understand which subnet you need to use means you must understand subnetting.

An IP Address contains two parts, a NETWORK identification, and a HOST identification.  The network part of the address must be the same for all devices that will be on the same network segment.  The host part of the address must be unique for each device on the network.

The Subnet Mask is used to separate the NETWORK part and HOST part of the IP Address.  To see where the split is, you need to convert it to binary.

An IP Address and a Subnet Mask are each made up of 4 octets.  They are named this because each octet is 8 binary digits.

For example, is the decimal equivalent of 11111111.11111111.00000000.00000000 binary.

A Subnet Mask will always begin with 1s and then switch to 0s (It will never switch back and forth).  The place where the 1s change to 0s is the split between the NETWORK part and the HOST part of the IP Address.

For example, if your IP Address was and your Subnet Mask was, you would convert the Subnet Mask to binary (11111111.11111111.00000000.00000000).  This tells you that the first two octets of the IP Address identify the NETWORK and the last two octets identify the HOST.

So, in this example, 172.16.x.x is the NETWORK (the system will see everything that begins with this as local), and the .2.1 is the HOST (the part that is unique to this system on the network).

If the IP Address was and the Subnet Mask was, you would again convert the Subnet Mask to binary (11111111.11111111.11111111.00000000).  This tells you that the first three octets of the IP Address identify the NETWORK and the last ONE octet identifies the HOST.

In this example, 172.16.3.x is the NETWORK (the system will see everything that begins with this as local), and the .1 is the HOST (the part that is unique to this system on the network).

It gets more complex with other subnets (i.e. IP Address with a Subnet Mask of is 11111111.11110000.00000000.00000000 and would mean that 172.16.x.x-172.31.x.x are on the same network).  I can explain this in greater detail if necessary.

The main question I usually get is "why does it matter".  The quick answer is this...

The further the 1s move to the right, the more NETWORKS you can have, but there will be less HOSTS on each network.  The further the 1s end to the left, the more HOSTS you can have per network, but there are fewer networks available. ( has roughly 16 million available networks, but only 254 hosts on each one, has only 254 available networks, but each one can have roughly 16 million hosts).

Hope that helps.
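The network/host split and the local-versus-gateway decision described in the explanations above, as an added Python example that is not part of the original thread. It uses the binary masks written out in the post; the host addresses are constructed samples in the 172.16.x.x range, and the function names are hypothetical.

```python
import ipaddress

# Binary masks exactly as written out in the thread.
MASK_16 = "11111111.11111111.00000000.00000000"
MASK_24 = "11111111.11111111.11111111.00000000"
MASK_12 = "11111111.11110000.00000000.00000000"

def mask_from_binary(bits: str) -> ipaddress.IPv4Address:
    """Convert a dotted binary mask to an address, rejecting invalid masks."""
    flat = bits.replace(".", "")
    if len(flat) != 32 or set(flat) - {"0", "1"}:
        raise ValueError("mask must be 32 binary digits")
    if "01" in flat:  # a 1 after a 0: the mask switched back to 1s
        raise ValueError("mask 1s must be contiguous from the left")
    return ipaddress.IPv4Address(int(flat, 2))

def split(ip: str, bits: str) -> tuple:
    """Return (NETWORK part, HOST part) of ip under the mask, as strings."""
    mask = int(mask_from_binary(bits))
    addr = int(ipaddress.IPv4Address(ip))
    network = ipaddress.IPv4Address(addr & mask)
    host = ipaddress.IPv4Address(addr & ~mask & 0xFFFFFFFF)
    return str(network), str(host)

def next_hop(src: str, src_mask: str, dst: str) -> str:
    """'direct' if src treats dst as local under its OWN mask, else 'gateway'."""
    mask = int(mask_from_binary(src_mask))
    src_net = int(ipaddress.IPv4Address(src)) & mask
    dst_net = int(ipaddress.IPv4Address(dst)) & mask
    return "direct" if src_net == dst_net else "gateway"

if __name__ == "__main__":
    a, b = "172.16.1.10", "172.16.2.20"   # constructed sample hosts
    print("24-bit mask:", mask_from_binary(MASK_24), split(a, MASK_24))
    print("16-bit mask:", mask_from_binary(MASK_16), split(b, MASK_16))
    # Mixed masks on one wire: each side decides with its own mask,
    # so the two directions of one conversation take different paths.
    print("a (24-bit) -> b:", next_hop(a, MASK_24, b))
    print("b (16-bit) -> a:", next_hop(b, MASK_16, a))
    # The 12-bit mask covers 172.16.x.x through 172.31.x.x.
    print("172.16.0.1 -> 172.31.255.254:",
          next_hop("172.16.0.1", MASK_12, "172.31.255.254"))
```

With mixed masks the host on the shorter mask delivers directly while the host on the longer mask hands the same conversation to its gateway, which is the kind of one-way path that produces "sometimes it connects, sometimes it does not" symptoms.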

The 172.16.x.x-172.31.x.x blocks are private addresses in what was once the "Class B" range of addresses.

You need to decide whether you're using the ( subnet, or the ( subnet.  EITHER WILL WORK JUST FINE.  But you'll avoid problems by consistently using one or the other.  (Here's an example where DHCP can save you a lot of work -- you set it once in one place, and almost everything on the network can get it from there.)

There are two basic advantages to using the ( network in this situation:

1.  Can handle more than 253 client devices on the same subnet.  (Might not be a factor for you.)

2.  Works with classful devices/protocols that recognize 172 as a class B prefix, instead of using the mask.  (Again, might not be a factor for you.)

gormly (Author) Commented:
Thanks all for your help

lrmoore, once again, you have helped by getting to the point with a reason
to all others, thank you.. I gave the points to lrmoore because he has helped tremendously in the past and has always been right.

Although you have given a great effort and more info than I could ever need, I know I can completely trust lrmoore's answer based on my past experiences.
No offense meant to anyone, and I thank you all.

...but you asked for a reason, then awarded the points to a response that didn't have an explanation...

Quote from your question:  "Can someone tell me what the right subnet would be and why?"

...just seems like a tremendous waste of time for those of us who actually put the effort into explaining the reasoning...
The reason is simple - it's whatever fits gormly's network best. I didn't think he needed a lesson in subnet masking or a review of the RFC's.
Either way will work - of course, but what weight should gormly give one over the other?
The true answer is "it depends".
It depends on the number of hosts on the network
It depends on the plans to breakup the hosts into vlans
It depends on the potential growth of the network
It depends on connections to external networks
It depends on requirements for route summarization
It depends on external connections or connecting devices that may only understand classful masks
It depends on personal preferences - some people like to experiment with VLSM and learn to subnet much more precisely than just on classful masks
It depends most on the boss and what he/she wants to do. I've had clients insist on using class A network with class B masks at every location, even though each location only had a maximum of 10 users.
Bottom line - it depends on a multitude of things.

My personal recommendation, as a network designer/consultant designing and building global networks, is to use the most-bits-matching classful mask that fits your network. <253 hosts use class C mask. >253 hosts, use class C mask with VLAN's and L3 routing. There is no good reason to have a flat network consisting of more than 500 hosts - ever. 500 is the maximum industry-standard "rule-of-thumb" number of hosts on any single vlan or network, so why would you need to use a mask that permits umpteen gazillion hosts on one network? The only logical reason is if you have a legacy device on the network that ONLY recognizes classful boundaries and won't work with subnet masks. Then, why not just start with a Class C network?

lrmoore, I agree with your recommendations 100%, that wasn't my issue...but anyway...

One possible reason to use a subnet that allows a larger than "necessary" number of hosts...

We use a Class B mask (16 bit) at most of our offices for keeping things organized.

Example:  if the network were /

We use:

172.16.1.x for routers
172.16.2.x for switches
172.16.3.x for servers
172.16.4.x for network printers
172.16.5.x for management devices
172.16.6.x for DHCP
172.16.7.x for wireless access points
etc., etc.

While we have few enough hosts at each location to use a class C address, I have found that using a class B and splitting up the addresses makes things a lot easier to identify.

Do I need a Class B network?  No.  But, it makes it a lot easier to administer and troubleshoot.