If you're setting up a TCP/IP network or already operate one, you've undoubtedly come across the bewildering term "subnet" -- a way to "renumber" host addresses to avoid addressing conflicts on TCP/IP networks. Encounters with the S-word are unavoidable when you configure hosts and workstations for TCP/IP. For example, you're often asked to supply a mystical value called a subnet mask or to specify the number of subnet bits when setting up routers. Sometimes you can get by plugging in some preordained value without actually understanding the value's meaning or purpose.
Eventually, though, you'll face a situation that requires you to understand and correctly configure subnets. That situation may be as simple as splitting an existing LAN segment for traffic control, or as complex as setting up a firewall for Internet access. If you want to better manage your LAN traffic and security or interconnect to other TCP/IP networks, including the worldwide Internet, you should understand why subnets exist, how they work, the notations used to describe them, and how network devices such as routers and AS/400s work with subnets. This article introduces you to subnets; future articles will cover specifics, such as how to assign subnets on the AS/400.
Why Subnets Exist
In a perfect world, network protocols would be designed right the first time, anticipating all possible future requirements and leaving plenty of room for expansion. In the real world, though, protocol designers never seem to foresee all the possible uses for their protocols and often underestimate one key protocol component: address size.
You might think TCP/IP, with its 32-bit address accommodating more than eight billion nodes, is an exception to this failing. However, the way TCP/IP arranges its address space, you could only have eight billion nodes if they were all on the same physical LAN. If you want to spread those nodes out over, say, the surface of the earth, you run into problems.
TCP/IP's original design specifies three types of address space — Class A, Class B, and Class C (Figure 1) — that accommodate three sizes of networks: large, medium, and small, respectively. A network is defined as a group of hosts connected to a common networking medium, such as an Ethernet LAN. Every Internet Protocol (IP) address is divided into two parts: a network part to the left, and a host part to the right. For example, in the address 195.101.85.32 (a Class C address), 195.101.85 represents the network part, and .32 represents the host part. (For more information about IP addresses, see "Configuring IP Addresses," February 1996.)
Class A addresses have a one-byte network part and a three-byte host part, supporting a few (126) large networks, each with many (2.1 million) hosts. Class B addresses have a two-byte network part and a two-byte host part, supporting more networks than Class A (up to 16,408) but fewer hosts (16,408). Class C addresses have a three-byte network part and a one-byte host part, supporting more than 2.1 million networks, but each network can have only 254 hosts.
This organization of IP address space leads to a lot of waste, because few corporate networks fit well into one of these classes. For example, a Class B address, with some 16,000 host addresses available, is overkill for all but the largest corporations. Yet a Class C address, with only 254 hosts, might easily be outgrown by even small companies. In either case, few organizations will have all their computers on a single LAN, so they'll need more than one network address. The result is IP address space fragmentation, with oversized networks and lots of unused host addresses.
You might ask, "Who cares whether address space is wasted? The total number of addresses is huge, and all the addresses are available for any individual organization." The answer is that you care, if you ever plan to connect your network to other TCP/IP networks. When you interconnect networks, all IP addresses must be unique. If you decide to join your network with a new subsidiary, and both of you use the Class B network address 184.108.40.206 (the address used in many sample networks, and thus one often chosen in real life), you must renumber one or both networks. And if you want to connect to the global Internet, you almost certainly won't be able to use a Class B address at all, because all those addresses have already been assigned to other organizations. Again, you'll have to renumber your network. Renumbering an entire network is an arduous, problem-plagued process even for a few hosts, let alone hundreds of them.
Subnetting solves the IP address space fragmentation problem by letting you "move" some of the bits in the host part of an IP address to the network side of the address. Using one of the subnet notation methods I describe in this article, you can organize IP host addresses into subnets, each with its own subnet number, to divide your address space into separate logical networks and avoid addressing conflicts. Subnets are an extension to the TCP/IP protocol added in 1985 and described in Request For Comment (RFC) document 950. (RFC documents are the way Internet standards are promulgated. They're available on the Internet at ftp://ds.internic.net/rfc/.)
You can use subnets with any address class, but today subnets are most commonly used for Class C addresses, and less frequently for Class B addresses. For practical purposes, nobody uses Class A addresses for interconnection, because only a few large organizations have these addresses.
How Subnets Work
Subnets are represented by a particular subnet notation, or method, such as subnet masks — the most widely used notation. (See "Alternatives to Subnet Mask Notation," page 60, for information about two other notation types: Classless Internet Domain Routing, or CIDR, and IBM's notation.) You either set a subnet mask value manually or have your TCP/IP software automatically do that for you. When a device interprets an IP address, it looks at the address "through" the subnet mask, a grouping of bits that masks the address. In the subnet mask, "one" bits correspond to the network part of the address, and "zero" bits correspond to the host part. All addresses whose network parts match are considered to be on the same network, regardless of their IP address class. For example, a Class C network has a default subnet mask of 255.255.255.0 (255 is 11111111 in binary, indicating that the first three bytes are dedicated to the network part of the address). This scheme effectively extends the network part of the address beyond the size nominally set for a given address class, thus subdividing the normal network into multiple subnetworks.
Many TCP/IP software packages automatically generate a subnet mask based on the class of IP address you specify. For example, if you set an IP address of 220.127.116.11 for your NetManage Chameleon or Windows NT host, the software automatically generates a subnet mask of 255.255.255.0. If you want to extend that subnet — for example, to 255.255.255.224 — you need to manually change the mask value. Figure 2 shows the possible subnet sizes for a Class C network. The largest subnet divides the network into two subnets of 128 addresses each; the smallest divides it into 64 subnets of four addresses each.
Figure 3 shows how subnet masks work. Here, the IP address 18.104.22.168 is interpreted with a subnet mask of 255.255.255.224, which divides the 22.214.171.124 network into eight subnets of 32 addresses each. The extended part of the network address is called the subnet number. The first subnet is numbered subnet 0, the second subnet 1, and so on. In the example, the three-bit extension to the network part of the address contains 001, indicating the host is on subnet 1. The now-smaller (five bits instead of eight) host part contains 00011, which equals a host address of 3. Thus, the unsubnetted host address 35 becomes the third host on subnet 1.
Another way to look at this subnet is as a list of address ranges (Figure 4). You can see that subnet 0 extends from 126.96.36.199 through 188.8.131.52; subnet 1 is from 184.108.40.206 through 220.127.116.11, and so on. When subnetting is used, each of these ranges is a complete, self-contained network, just as each Class C address is a complete, self-contained network. There are important implications to this that you'll see later.
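The arithmetic behind Figures 3 and 4, as an added example that is not code from the article: an address is looked at "through" the mask with plain integer operations, so the subnet number, host number, and per-subnet address ranges fall out directly. The network 192.168.1.0 and the host number 35 are constructed sample values; the functions work for any Class A, B, or C network and any contiguous mask.

```python
# Added example (not from the article): subnet-mask arithmetic with visible bits.
# Sample values (192.168.1.0, host 35, mask 255.255.255.224) are constructed.

def to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer (raises on malformed input)."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(p < 0 or p > 255 for p in parts):
        raise ValueError(f"bad dotted quad: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_prefix(addr: str) -> int:
    """Network length implied by the address class: A=/8, B=/16, C=/24."""
    first = to_int(addr) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{addr} is not a Class A, B or C address")


def mask_prefix(mask: str) -> int:
    """Number of one bits in a mask; rejects masks whose ones are not contiguous."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def decode(addr: str, mask: str) -> dict:
    """Look at addr through mask: which subnet it is on and which host it is (Figure 3)."""
    a = to_int(addr)
    prefix = mask_prefix(mask)
    class_len = classful_prefix(addr)
    if prefix < class_len:
        raise ValueError("mask is shorter than the address class allows")
    subnet_bits = prefix - class_len   # bits "moved" from the host part to the network part
    host_bits = 32 - prefix
    net_mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    host_mask = (~net_mask) & 0xFFFFFFFF
    return {
        "network": to_dotted(a & net_mask),        # first address of the subnet
        "broadcast": to_dotted(a | host_mask),     # last address of the subnet
        "subnet_number": (a >> host_bits) & ((1 << subnet_bits) - 1),
        "host_number": a & host_mask,
        "usable_hosts": (1 << host_bits) - 2,      # first and last address are reserved
    }


def subnet_ranges(network: str, mask: str) -> list:
    """(first, last) address of every subnet the mask carves out of a classful network (Figure 4)."""
    base = to_int(network)
    prefix = mask_prefix(mask)
    size = 1 << (32 - prefix)                      # addresses per subnet
    count = 1 << (prefix - classful_prefix(network))   # number of subnets
    return [(to_dotted(base + i * size), to_dotted(base + i * size + size - 1))
            for i in range(count)]


if __name__ == "__main__":
    print(decode("192.168.1.35", "255.255.255.224"))   # subnet 1, host 3
    for n, (first, last) in enumerate(subnet_ranges("192.168.1.0", "255.255.255.224")):
        print(f"subnet {n}: {first} - {last}")
```

Running it on the constructed host 192.168.1.35 with mask 255.255.255.224 reports subnet number 1 and host number 3, matching the bit split described for Figure 3, and listing the eight 32-address ranges of Figure 4; the same `subnet_ranges` call with a Class B network and mask 255.255.240.0 produces the 16 subnets of 4,096 addresses shown in Figure 5.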
In theory, not all the addresses in each subnet can be used as host addresses. As mentioned in "Alternatives to Subnet Mask Notation," subnet rules reserve the first and last address in each subnet as broadcast addresses (which are used to send a single message to all systems in a network), so the number of available host addresses is always two less than the total number of addresses in the subnet. Because two addresses are always used for broadcasting, the smallest usable subnet is one with four addresses, leaving two for host addresses. A subnet of two addresses could not contain any hosts, making it impractical, and a subnet of one address is illegal (except in one circumstance, explained in "Alternatives to Subnet Mask Notation"). However, in practice, not all devices actually use the first and last addresses for broadcasting. I'll explain this apparent contradiction shortly.
The subnet mechanism works the same way for any class IP address: You simply start with the network and host portions divided appropriately for that class. Figure 5 shows a Class B address subnetted into 16 subnets, each containing 4,096 addresses.
Living With Subnets
There are three general rules for using subnet addressing in a LAN:
Rule 1: Packet forwarding is always required to move traffic between subnets. Because a subnet is treated by other hosts as a separate network, you must use a packet-forwarding device to move traffic from one subnet to another. A packet-forwarding device — such as a standalone router or a computer with packet-forwarding capabilities (e.g., an AS/400 or RS/6000) — moves traffic between networks (or subnets) by reencapsulating packets to give them addresses compatible with the destination network. Keep in mind that multiple logical networks can exist on the same physical LAN, so it isn't necessary to have separate physical ports on the packet-forwarding device.
Figure 6 shows a simple example of packet forwarding between subnets on two different physical LANs, one Ethernet, one Token-Ring. Joining two dissimilar network technologies is a common use for subnetting, because doing so lets you use the same address space on more than one physical network. In this scenario, the two LANs are subnets of the Class C network 192.168.1.0, which has a subnet mask of 255.255.255.248 (a CIDR value of /29). The packet-forwarding device is an AS/400 with an interface on each LAN and with a separate IP address assigned to each interface. By default, OS/400 forwards traffic between networks. Note that the AS/400 requires a routing entry for each subnet, specifying the AS/400 interface being used, the subnet mask, and the subnet value.
Figure 7 shows an example of packet forwarding between subnets on the same physical LAN. The same Class C subnets are used as in the previous example, but in this case, the packet-forwarding device is a router that also performs packet filtering — a security control that limits the types of traffic that may pass from one subnet to the other, another common application of subnets. Any traffic destined for a particular subnet must pass through the router and thus be subject to filtering. From the host systems' point of view, the two subnets appear to be on separate physical networks.
Rule 2: All devices on a network must agree on subnet size. Failing to obey this rule is the primary cause of subnet failures. Not all devices enforce this rule; such devices are called variable-subnet-capable devices. Variably sized subnets have applications in certain networks in which address space is at a premium (such as the Internet), but for most corporate networks, you should avoid variable subnets.
With three different subnet notations in use, ensuring that different devices agree on subnet size isn't as easy as you might think. Use the subnet notation equivalence table in sidebar Figure B to verify that values from differing notations agree. And with OS/400 subnetting, take care to determine the correct subnet value. A common problem on AS/400 networks is changing IP addresses but forgetting to change the subnet value.
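Rules 1 and 2 together, as an added example that is not code from the article: each host applies its own mask to decide whether a destination is on the local subnet or must go to the packet-forwarding device, and an audit over a list of configured hosts flags every pair whose masks make them disagree about that decision, which is how a wrong mask shows up in practice (one side answers directly, the other side sends its replies to the router). The host names, addresses, and router address are constructed; the host named `charlie` is deliberately left with the default Class C mask.

```python
# Added example (not from the article): on-link decision (Rule 1) and a
# mask-agreement audit (Rule 2). All hosts and addresses are constructed.

def to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer."""
    a, b, c, d = (int(p) for p in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def on_link(my_addr: str, my_mask: str, dest: str) -> bool:
    """True if this host, applying ITS OWN mask, sees dest on the same subnet."""
    m = to_int(my_mask)
    return (to_int(my_addr) & m) == (to_int(dest) & m)


def next_hop(my_addr: str, my_mask: str, dest: str, router: str) -> str:
    """Rule 1: deliver directly on the local subnet, otherwise hand the packet to the router."""
    return dest if on_link(my_addr, my_mask, dest) else router


def masks_in_use(hosts: dict) -> set:
    """Rule 2 in its strict form: every host on the network should use the same mask."""
    return {mask for _addr, mask in hosts.values()}


def mask_disagreements(hosts: dict) -> list:
    """Rule 2 audit. hosts is {name: (address, mask)}. Returns (name_a, name_b, detail)
    for every pair where one side sees the other on-link and the other side does not;
    such pairs show up as one-way reachability on the LAN."""
    findings = []
    names = sorted(hosts)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_addr, a_mask = hosts[a]
            b_addr, b_mask = hosts[b]
            a_view = on_link(a_addr, a_mask, b_addr)
            b_view = on_link(b_addr, b_mask, a_addr)
            if a_view != b_view:
                detail = (f"{a} ({a_mask}) sees {b} {'on-link' if a_view else 'via router'}; "
                          f"{b} ({b_mask}) sees {a} {'on-link' if b_view else 'via router'}")
                findings.append((a, b, detail))
    return findings


# Constructed sample: 192.168.1.0 split with 255.255.255.224 (eight subnets of 32).
# 'charlie' was given the default Class C mask by its TCP/IP software and never corrected.
SAMPLE_HOSTS = {
    "alpha": ("192.168.1.33", "255.255.255.224"),
    "bravo": ("192.168.1.70", "255.255.255.224"),
    "charlie": ("192.168.1.75", "255.255.255.0"),
}
SAMPLE_ROUTER = "192.168.1.62"   # constructed router address on alpha's subnet

if __name__ == "__main__":
    print("alpha -> bravo goes to:", next_hop("192.168.1.33", "255.255.255.224",
                                              "192.168.1.70", SAMPLE_ROUTER))
    print("masks in use:", masks_in_use(SAMPLE_HOSTS))
    for _a, _b, detail in mask_disagreements(SAMPLE_HOSTS):
        print("MISMATCH:", detail)
```

In the sample, `alpha` and `bravo` agree that they are on different subnets and both go through the router; `charlie`, with its /24 mask, believes `alpha` is on-link while `alpha` believes `charlie` is not, and the audit reports exactly that pair. `masks_in_use` returning more than one mask is the quicker, stricter check the rule asks for.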
Rule 3: Avoid using the first and last subnets when possible. Due to ambiguities in the original TCP/IP subnet specification, not all devices implement subnetting the same way. Strictly interpreted, the RFC-950 specification reserves the first and last subnets, which would have binary values of all 0s and all 1s, respectively, for broadcast traffic. However, in practice, broadcast messages are never sent using these values (they're sent only when both the subnet and host addresses are all 1s or all 0s), so the restriction is unnecessary.
The cost of following the restriction is high: It completely eliminates subnets that divide a network in two parts, because there are only two resulting subnets: one first, the other last. And for other subnet sizes, losing the first and last subnets can waste a lot of address space. Unfortunately, you often can't tell whether a device is strict or lax on this point without actually trying to use the first or last subnet. When possible, you should avoid these subnets until you actually need to use them; in the interim, you should try to learn whether your network devices follow the strict or lax interpretation of subnets. The AS/400 permits the use of these subnets. You may be able to reconfigure other devices to change their behavior (for example, Cisco routers let you use subnet 0 via the IP SUBNET ZERO command).
Now that you have a grasp of the basics, you can start to explore the uses of TCP/IP subnetting in your networks. Perhaps you need to construct subnets to join LANs that today are physically unconnected, or maybe you want to secure part of your network from outside access. You may even be working with a limited address space assigned by an Internet service provider in preparation for connecting your organization to the Internet. Future articles will address these specific uses for subnets. Until then, get comfortable with subnets — they'll be with us a long time.
Mel Beckman is a senior technical editor for NEWS/400. You can reach him via the Internet at email@example.com.
Sidebar: Alternatives to Subnet Mask Notation
Subnet mask notation is one of several methods for specifying subnets. Historically, subnet masks were used because subnets originally did not require consecutive bits. For example, a subnet mask (in binary) of
specifies host address bits intermingled with network address bits. Today, however, subnets must use consecutive bits, so the mask notation is overly complex and inconvenient. Subnet masking is still the most widely used notation, but the mask notation is being abandoned in favor of a new notation called Classless Internet Domain Routing (CIDR). The idea behind CIDR is to eliminate the notion of IP address classes altogether and instead specify network address sizes explicitly.
CIDR notation is much simpler than subnet mask notation. Instead of a long string indicating which bits belong to the network and which belong to the host parts of an IP address, CIDR notation just specifies the number of bits in the network part; by definition all the other bits will be in the host part. The CIDR notation convention is to prefix the CIDR value with a single forward slash (/). Thus, the CIDR equivalent to a Class B address would be /16, because 16 bits are in the network part of a Class B address. Figure A shows the CIDR subnet values for the IP addresses 18.104.22.168 and 22.214.171.124.
Figure B shows the equivalent CIDR values for every possible subnet mask value. Some devices use hexadecimal notation for subnet masks, so equivalent hex values are included. The table also shows the number of addresses for each possible CIDR network size.
Because subnet rules reserve the first and last address in each subnet as broadcast addresses (as explained in the main article), the CIDR value of /31 — which specifies a subnet with only two addresses — isn't valid, because both addresses would be allocated for broadcasts, leaving none for hosts. However, the CIDR value of /32 is valid, although each subnet would have only one address. The single-address subnet is a special case, supported by most TCP/IP implementations, to let devices that provide routing to many remote locations with only one host use address space efficiently. A dial-in terminal server is an example of such a device. Each dial-in user is a single host and is thus assigned one IP address. Because only one host is on the subnet, broadcast addresses aren't needed; all broadcasts go directly to that host.
There is a third subnet notation, used primarily by OS/400 (you just knew IBM would be different here, didn't you?). OS/400's notation is a variation on the subnet mask notation, using a mask that specifies only the subnet portion of the address (as opposed to the whole network portion) and a subnet value that explicitly indicates the subnet a given address is on. Figure C shows IBM's subnetting notation. IBM requires this notation in OS/400 routing entries, but it isn't difficult to translate traditional subnet masks into IBM-style masks and subnet values. For example, if your system is at address 192.168.66.33 on a Class C network subnetted /27 (in CIDR notation, indicating subnets of 32 addresses each), the IBM notation would use a subnet mask value of 0.0.0.224 with a subnet value of 0.0.0.32. Hopefully, in the future IBM will replace its existing notation — which is even more cumbersome than subnet masks alone — with CIDR addressing.
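The conversions among the three notations the sidebar describes, as an added example that is not code from the article: subnet mask to and from a CIDR prefix (rejecting the non-contiguous masks that are no longer allowed), the hex form and address counts of Figure B, the usable-host rule with the /31 and /32 cases, and the OS/400 mask-plus-subnet-value form of Figure C. The sample values are the sidebar's own (192.168.66.33 on a /27 network gives 0.0.0.224 and 0.0.0.32); the Class B sample 172.16.33.7 is constructed.

```python
# Added example (not from the article): translating between subnet mask, CIDR and
# IBM (OS/400) notation. Sample values beyond the sidebar's own are constructed.

def to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer."""
    a, b, c, d = (int(p) for p in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """CIDR /n -> dotted mask of n one bits followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    return to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def is_contiguous(mask: str) -> bool:
    """Modern rule: the mask's one bits must be consecutive (255.255.255.160 is not)."""
    m = to_int(mask)
    return m == (0xFFFFFFFF << (32 - bin(m).count("1"))) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> CIDR prefix length; refuses historical non-contiguous masks."""
    if not is_contiguous(mask):
        raise ValueError(f"non-contiguous mask has no CIDR equivalent: {mask}")
    return bin(to_int(mask)).count("1")


def mask_to_hex(mask: str) -> str:
    """Hex form some devices use for masks (Figure B)."""
    return f"0x{to_int(mask):08X}"


def address_count(prefix: int) -> int:
    """Total addresses in a /prefix subnet."""
    return 1 << (32 - prefix)


def usable_hosts(prefix: int) -> int:
    """Host addresses per subnet under the sidebar's rules: first and last reserved,
    so /31 yields none; /32 is the single-host special case (no broadcasts needed)."""
    if prefix == 32:
        return 1
    if prefix == 31:
        return 0
    return address_count(prefix) - 2


def ibm_notation(addr: str, mask: str) -> tuple:
    """OS/400 style (Figure C): a mask covering only the subnet bits, and the
    subnet value of addr under that mask. The address class sets where the subnet bits start."""
    a = to_int(addr)
    first = a >> 24
    class_len = 8 if first < 128 else 16 if first < 192 else 24
    class_mask = (0xFFFFFFFF << (32 - class_len)) & 0xFFFFFFFF
    subnet_bits = to_int(mask) & (~class_mask & 0xFFFFFFFF)   # strip the classful network bits
    return to_dotted(subnet_bits), to_dotted(a & subnet_bits)


def notation_table(start: int = 8, end: int = 32) -> list:
    """Rows of Figure B: (CIDR prefix, dotted mask, hex mask, address count)."""
    rows = []
    for p in range(start, end + 1):
        mask = prefix_to_mask(p)
        rows.append((p, mask, mask_to_hex(mask), address_count(p)))
    return rows


if __name__ == "__main__":
    print(ibm_notation("192.168.66.33", "255.255.255.224"))   # ('0.0.0.224', '0.0.0.32')
    for row in notation_table(24, 32):
        print("/%d  %-15s  %s  %d addresses, %d usable" % (row + (usable_hosts(row[0]),)))
```

`notation_table` reproduces the Figure B rows for any prefix range, and `ibm_notation` is the translation the sidebar walks through by hand: the classful network bits are stripped from the mask, leaving only the subnet bits, and the subnet value is the address masked with those bits.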