A back-to-basics look at subnetting.
- By Bill Heldman
The advent of TCP/IP was such a good thing that it took the world by
storm. Everyone wanted to get in on the TCP/IP action. For a while the
protocol's acceptance was so popular that there was a fear we'd run out
of IP addresses. In the mid-1990's, there was a push to update TCP-IP
from version 4 (IPv4) to version 6 (IPv6—don't ask, no one knows
why there wasn't a version 5), an upgrade that would substantially increase
the number of allowable IP addresses. (Because IP v4 is predicated on
a 32-bit addressing scheme, there are 232 possible addresses. IPv6 uses
a 128-bit addressing scheme, so there are scads more addresses available-2128.)
The move to IPv6 has died down in the U.S., but it's gaining popularity
in other countries, especially in Asia. A large backbone that has been
developed worldwide utilizes IPv6, called the "6bone."
So, why didn't we run out of IP addresses? Two good reasons:
- The creators of TCP-IP set aside a reserved group of IP addresses
that could be used on private networks (i.e. not allowed out on the
Internet) as follows:
Class A: 10.0.0.1 - 10.255.255.254
Class B: 172.16.0.1 - 172.31.255.254
Class C: 192.168.0.1 - 192.168.255.254
- Protocols such as Network Address Translation (NAT), Classless Inter-Domain
Routing (CIDR) and Network Address Port Translation (NAPT) were developed
to allow bfor the translation of internal addresses to addresses that
could be used on the Internet. Today routers and firewalls can quickly
NAT addresses and allow for seamless interaction between users on a
private network using reserved IP network addresses and on the Internet
using standard IP addresses.
Suppose that your company, in the early days of TCP-IP went out and purchased
a couple of valid (non-private) Class C network address ranges. Each Class
C network can yield up to 256 addresses, so your company could theoretically
grow to 512 addresses (though there are a few limitations like the 0th
and the 255th addresses—i.e. 192.168.0.0 and 192.168.0.255). But
there are some intrinsic problems with this. First of all, since these
are public addresses, if you're not careful to set up some kind of security
it's possible for scurrilous Internet types to hack into your private
network. Secondly, what happens when your network outgrows those 512 addresses?
With the distinct lack of IPv4 networks available today (through www.iana.org)
you might be out of luck getting your hands on an entirely new Class C
So, using a private network range of addresses is a godsend. Easy to
implement, well-known and understood, easily NAT-ted through routers and
firewalls, a private network is the way to go.
That being said, which one do you pick: Class A, Class B or Class C?
Class C private numbers are fine for people who are experimenting with
subnetting and for small applications—training rooms or small companies,
for example. For companies that won't exceed more than 65,534 addresses,
a Class B private network is fine. However, most companies I've worked
for simply opt to get into the Class A 10.xxx.yyy.zzz network, lovingly
called "10-Dot". I think this is because 10-Dot addresses are easy to
work with and understand, or at least easier than 172.16.something-or-other.
Implementing a 10-Dot network gives you 4,294,967,296 addresses to use—less
the amount of 0th and 255th addresses you use in your subnetting. Most
companies won't ever use in excess of 4 million addresses, so 10-Dot is
a great choice, regardless of company size. As a result of this, lots
of companies are migrating to a 10-Dot internal network.
A side-benefit to the 10-Dot network: Because companies had to pay a
lot of money for their public addresses, they can save a few bucks by
not renewing them. Yes, your company will need a few public addresses
(such as for the DMZ and firewalls servers, routers, etc.), but those
should be available through your ISP.
Now, you've decided to implement a 10-Dot network in your company and
you convince your management that it's a good idea. How do you go about
getting this work done?
First you need to understand the idea of subnetting. It's a very
simple concept that gets taken to esoteric extremes. By manipulating the
subnet mask for a given range of addresses, you, in effect, isolate different
ranges of addresses from one another. I've written articles on the finer
aspects of subnetting, as have thousands of others, but for our purposes,
we really don't need to get fancy. A basic 10-Dot implementation doesn't
take a lot of effort. In this article we'll assume your company is small
and doesn't have layer upon layer of technical complexity. Design engineers
would be needed to assist in large 10-Dot rollouts.
Let's say that you work for a company of 500 people. You have five basic
divisions of people in your company:
All users reside in a single campus on two floors. The IDF on floor two
and an MDF on floor one are connected by fiber-optic cable. You have a
rack of switches in both the IDF and MDF.
Let's also assume that you have one entry point to the Internet, a router,
a Microsoft Internet Security and Acceleration (ISA) server, a couple
of DMZ servers and a few internal servers, including a Microsoft Exchange
server. You have a telephone switch that uses an IP address.
As a general rule of thumb, it's a good idea to logically separate servers
and other hardware from people. Additionally, good subnetting principles
call for the isolation of distinct people groups. So, given that information
and a 10-Dot schema, we might come up with the following subnets:
- Router, firewalls and DMZ internal NICs—10.0.1.zzz
- Switches in MDF and IDF and telephone switch—10.0.3.zzz
Getting Started With The 10-Dot Network and Subnetting
Note that you can simply refer to the number in the 3rd octet as
the subnet number for a given group of computers or people. Thus you'd
say servers are in the two, printers in the four and sales in the five
To effectively put things into place, you'd use a Class C 255.255.255.0
subnet mask. In fact, the key to the whole thing is the subnet mask. By
utilizing different numbers on the 3rd octet, coupled with a Class C mask,
you've effectively isolated your network to distinct groups, giving 254
(remember the 0th and 255th addresses) possible addresses for each subnet.
Therefore, as an example, the Sales group in the five subnet can hook
up 254 devices, whether those devices are user workstations or other gear.
Now for the sticky part. A router is required for subnetting to work.
If you don't have a router and you implement a simple scheme such as the
one above, the Sales group won't be able to communicate with the Marketing
group and vice-versa. (Alternatively, you can have Layer 3 switches. The
point is you have to have some sort of routing protocol in place to handle
subnetting.) The majority of difficulty you'll encounter when implementing
a 10-Dot scheme will be reconfiguring the router to handle the new subnets.
When considering a 10-Dot implementation of whatever size, there
are some things you'll want to keep in mind:
- You have to reconfigure DHCP scopes.
- You have to reconfigure printers, servers and other gear with static
- You may have to perform a manual IPCONFIG /Release and IPCONFIG /Renew
(or WINIPCFG release and renew) on each workstation involved in the
conversion, so they will pick up the new IP address.
- You'll have to manually change pplications, ODBC configurations and
other configuration files that have statically coded-in IP addresses.
(Applications in which the developers naively compiled in the static
address—stuff never changes, does it?—will have to recompile
- As needed, you'll have to check and reconfigure DNS and WINS servers,
to make sure that name-resolution continues to be available to hosts
on the network.
- You'll have to do some advance planning and work with ISPs and with
your firewall and DMZ servers to make sure Internet clients (e-mail
for example) can still get inside and that internal clients can still
hit the Web.
- You may have to consider a brand new VLAN design in your switches.
Here's where the whole thing can go wrong: lack of planning. 10-Dot subnetting
seems so simple that Admins don't take time to think through their migration.
Let's say that you have 25 Sales people that you decide to cut over on
Friday evening. How will you support those 25 so that they have complete
access to the other users in the building on Monday morning, even though
you have not yet migrated the others? The idea of maintaining parallel
IP addressing schemes always crops up in 10-Dot migrations.
Therefore, any admin considering a 10-Dot network should be sure to sit
down with stakeholders and other IT-savvy people to develop a project
plan that clearly denotes the steps and activities involved in such a
migration—even a small one.