Why subnet?

Discussion in 'Networks' started by demarrer, Jun 3, 2008.

  1. demarrer

    demarrer Byte Poster

    165
    5
    25
    Hi,

    I have been reading a lot about subnetting and networking in general recently. When it comes to subnetting most books talk about the "how to subnet" and not "why subnet".

    So my question is why do you need to subnet, what are the real world examples of when subnetting comes into play?

    I have a feeling it's an obvious answer so shoot me if I'm being dumb.

    Any suggestions?

    Cheers.
     
    Certifications: A+, Security +, CCNA, CCSA
    WIP: music, (dreaming of) CCIE Security :D
  2. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    The classic answer talks about a company where they have been given a range, but want to separate departments so they don't interfere with each other.

    You would use subnets to achieve this separation. This also allows security separation, where general office people can't get to payroll machines for example.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  3. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Also, to add to what Harry said - broadcasts are an important reason to subnet. Any ethernet network (or other technology) has various technical limits to the size of the network. A significant limit is broadcast traffic. Since broadcast traffic will be seen by every node on the network, and must be processed by every node, then excessive broadcast traffic will choke a network. Since there are many kinds of broadcast traffic (arp, bootp, netbios, multicast, etc) that are needed for the network to function, a large network can produce enough broadcast traffic to degrade performance. One solution is to subnet into smaller networks, connected by routers, which block broadcast traffic. For example, imagine a network of 10000 hosts - there might be 5 thousand broadcasts per second, chewing up transmission slots on the ethernet network and forcing hosts to process large amounts of uneeded traffic.

    Modern networks and computers can handle much more broadcast traffic than old 10 Mbps ethernet, but even so it is generally a good practice to limit the size of broadcast domains in networks.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  4. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    demarrer,

    Questions:
    1. Do you have more than one room in your home?
    2. Do you have any siblings or family in that home?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  5. demarrer

    demarrer Byte Poster

    165
    5
    25
    cheers for the response.

    yes more than one room! I actually went a bit red when I read that post!:oops:

    Maybe I'm turning into a geek...
     
    Certifications: A+, Security +, CCNA, CCSA
    WIP: music, (dreaming of) CCIE Security :D
  6. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    Well, think of each room in your home as a "subnet" of the overall space underneath the roof. By "subnetting" the house, you get more manageable sections that you can specialize it's use. Same thing with networks. You want to subnet the network so that you can have one subnet for the servers, one subnet for the clients, one subnet for wireless, and so on. Now do you see WHY you want to subnet?

    I hope this helps.
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  7. demarrer

    demarrer Byte Poster

    165
    5
    25
    Thanks. That's a really great analogy.

    I think I have it!!!
     
    Certifications: A+, Security +, CCNA, CCSA
    WIP: music, (dreaming of) CCIE Security :D
  8. Mell

    Mell Bit Poster

    10
    0
    21
    Another reason to subnet...

    Saves address...I will not go into any details as it may be a bit too much info, unless of course you want that info :biggrin

    Mell
     
    Certifications: CCNA CCNP MCP MCSA MCSE
    WIP: open to suggestions
  9. demarrer

    demarrer Byte Poster

    165
    5
    25
    Is this getting into the world of VLANs?

    O.k Mell, hit me with the info :-)

    H
     
    Certifications: A+, Security +, CCNA, CCSA
    WIP: music, (dreaming of) CCIE Security :D
  10. Tinus1959

    Tinus1959 Gigabyte Poster

    1,539
    42
    106
    You do not want to give everyone with an internet connection a C-class network, so you devide your network into smaller portions.
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  11. caffeinatedbacon

    caffeinatedbacon New Member

    1
    0
    1
    Well, this post is 5 years late, but in case anyone else comes across this...

    Subnetting typically consumes addresses, not saves them (as networks are being made smaller through the use of CIDR). Mell may have been thinking of NATing which uses non-routable (private network) IPs to translate routable IP traffic to a private host by protocol or IP (or both). The reason subnetting actually consumes IP addresses rather than saving them is in the nature of broadcast domains themselves. As you may be aware, there are two 'host' addresses that can not be used by any host in a network; one that translates to all binary-zero (the network address) and one that translates to all binary-one (the broadcast address).

    These restrictions aren't often encountered in a 256 address network, but as subnetting makes each network smaller, the subnetting 'overhead' becomes apparent. To fully-understand this process, it's easiest to look at an IP address as a binary number. As binary is a base-2 numbering system, each digit in a binary number represents double the digit to its right (compared to our regular base-10 system which is 10 times the number to it's right).

    For example, the number two written as a binary octet is 00000010, the number five is written as 00000101, the number nineteen as 00010011, and so on all the way up to two-hundred-and-fifty-five 11111111 (the reason there are 256 addresses is that 00000000 is considered a number, '0'). Since most people are familiar with networks segmented (subnetted) at a specific octet, they never fully realize that there are special numbers within that octet being used to manage that broadcast domain.

    Most people are familiar with the private IP's typically assigned by home routers; we deal with them all the time (192.168.0.x, 192.168.1.x, etc.), but don't recognize the actual numbers your computer deals with; the binary addresses. Let's say your computer is assigned the address 192.168.1.100 with a netmask of 255.255.255.0, that number is actually 11000000.10101000.00000001.01100100 with a netmask of 11111111.11111111.11111111.00000000. Notice anything interesting in the netmask? It's an unbroken string of 1's followed by an unbroken string of 0's, and that's not a coincidence. In the netmask (network mask), 1's represent the network portion of an address while 0's represent the host portion. subnetting involves making networks larger or smaller by moving the boundary between 1's and 0's in the netmask. In this way, valid netmasks would be 11111111.11111111.11111000.00000000, or 11110000.00000000.00000000.00000000, or 11111111.11111111.11111111.11000000, but *NOT* 11111111.11111111.11100011.11001000 (because the strings of 1's and 0's are broken in the third and fourth octets).

    So how does subnetting consume addresses? Well, let's look at an example. Let's say your ISP has assigned you 256 addresses in the 172.16.2.0/24 range (yes, these are non-routable, but we'll use them for the example). You want to assign a group of IP's to some servers, some to some workstations, and some to a test environment where you like to play with live computer viruses. Since you don't want your viruses to infect your servers or workstations, you want them in separate broadcast domains; how would you do it? With subnetting! How can we break this IP range down into at least three separate networks? We move the network/host boundary in the mask!

    Instead of using the 11111111.11111111.11111111.00000000 mask we were assigned, we'll use 11111111.11111111.11111111.11000000. Now *why* would we use x.x.x.11000000 (I'm going to use 'x' to represent eight 1's)? It all comes down to how many networks we *need*. Remember how we wanted a network for servers, a network for workstations, and a network for live viruses? That's three networks...since we need to segment networks at the 1/0 boundary, we can't divide the network into any less than four separate networks to achieve our requirements. Remember how earlier we said that a network's address was represented as all 0's? well, this is where those 0's come in to play.

    Our network assignment is 172.16.2.0/24, that network IP is represented as 10101100.00010000.00000010.00000000. Since we have decided that the first two numbers of the fourth octet *also* represent the network portion of the address, the four *new* network IP addresses are:
    10101100.00010000.00000010.00-000000
    10101100.00010000.00000010.01-000000
    10101100.00010000.00000010.10-000000
    10101100.00010000.00000010.11-000000
    (note the hyphen '-' represents the network/host boundary and is for clarity only; it is not used or entered anywhere)

    So here, we used to have one address in our 172.16.2.0/24 range representing the network IP, now we have four. That's four addresses we now can't use for hosts (PC's, servers, XBox's, etc.). Do you also remember how earlier we noted that all 1's in the host portion of an IP address represented the broadcast address? Well those addresses translate to:
    10101100.00010000.00000010.00-111111
    10101100.00010000.00000010.01-111111
    10101100.00010000.00000010.10-111111
    10101100.00010000.00000010.11-111111
    (again, the hyphen '-' represents the network/host boundary and is for clarity only; it is not used or entered anywhere)

    That's another four addresses we can't use to represent hosts in our network. So now we have four networks where there was one, and eight unusable addresses where there were two. Do you see how IP addresses can quickly get consumed? Let's say that instead of four networks we wanted eight? That mask would be x.x.x.11100000; we'd have eight network IP's, eight broadcast IP's and sixteen unusable addresses total. With every digit added to a network mask, the number of unusable addresses doubles that of the previous. So a mask of x.x.x.11111000 has 32 unusable addresses, 30 more than our original network, and we haven't assigned a single IP to a single device yet! And therein lies the reason that subnetting typically consumes addresses, not saves them.

    Now, to answer demarrer's original question (holy-cow that took a while!), the reasons to subnet would be:
    - Segmenting for (the illusion of) security (as noted by hbroomhall); I say the illusion of security because limiting access to your network through the use of subnetting without introducing physical (routers, firewalls, non-interconnected switches, etc.) or virtual separation (VLAN's) is like using craft paper as the front door to your house. While it might identify to law-abiding citizens where your private property begins, it will in no way deter a criminal from entering your house.
    - Reducing broadcasts (as noted by Spice_Weasel); YMMV, but typical networks are limited to between 254-510 hosts
    - Provisioning IP addresses to others for their own purposes (as an ISP would; as alluded to by Tinus1959)
    - Physical routing identification (the best way to describe this is with an example: let's say you work on a campus, the campus has two buildings, each with four floors, and each floor has 150 offices. Setting all 1,440 offices to participate in the same broadcast domain is not efficient, so you'd need to break things down. You could start by assigning each building a network segment; maybe 10.0.0.0/22 for one and 10.0.4.0/22 for the other. You could further break down each building into floors; 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 for one building, and 10.0.4.0/24, 10.0.5.0/24, 10.0.6.0/24, 10.0.7.0/24 for the other. This allows you to easily separate traffic both logically and physically while maintaining IP addresses that 'look' similar to end users)

    Good grief I hope this helps someone...this ended up waaaay more detailed than I originally intended.

    ***BONUS MIND = BLOWN MOMENT***

    To understand why networks (and network masks) are referred to as /24, /16, /27, etc., count the number of "1's" in the binary-representation of the network mask...cool, eh? ;)
     
    milordman likes this.
  12. AgentGPF

    AgentGPF New Member

    3
    0
    1
    As someone who works with a network of ~10,000 users (not including entire companies) and ~2000 pieces of gear, can you imagine throwing a class C, private or otherwise at every single location for network management?

    And how about for publics? Trust me, trying to get IP space from ARIN, and giving everyone a /24, wont fit their budget nor is it real world. Currently they won't give out anything larger than a /22 unless you make a damned good case, meaning, showing that you have a list of devices/customers OVER that number and need it right now. What company or liste of clients over 1000 people is going to wait for you to get IP space from ARIN? None that I know of. Turnaround is not that fast with them.

    You separate networks with subnetting because it is the ONLY way that scales in the real world unless you are dealing with companies who all, for some reason, need entire netblocks.
     
  13. BraderzTheDog

    BraderzTheDog Kilobyte Poster

    276
    2
    49
    In large networks, this is essential to ensure the network is safe and secure.

    For example if you work for a service provider or hosting company, how else would you separate each customer from each other? Also how would you be able to lock down access between networks? If we are talking 1 flat class C network, company A would be able to access company B's kit. Why...? Because you are simply talking layer 2 communication, the requests would never traverse a firewall or layer 3 device, or for that matter be subject to any packet inspection.
     
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+
  14. AgentGPF

    AgentGPF New Member

    3
    0
    1
    Actually, we don't let residential customers 'talk to each other' when residing in the same subnet. They cannot discover each other through port scans, nor can they reach each other at all.

    Other subnets they can reach fine, subnetting is not really a means of security in itself.

    Exceptions being when a commercial customer with a /29 is running their own router, and thereby creating their own broadcast domain.
     
    Last edited: Aug 24, 2013

Share This Page

Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.