Subnetting 101



Due to various people asking me all about subnet masks, I decided to write this.

Converting between binary and decimal

Why is this section here? Because a subnet mask is really a binary number. It's just converted to decimal so that us humans can read it. When you're configuring networking on a computer, you're entering the IP address and subnet mask in decimal, but the computer thinks in binary. It helps to convert between the two if you're not comfortable with subnetting.

Converting from binary to decimal

Example: Convert the binary number 10110101 into its equivalent decimal number.

There are eight bits in the number so we draw a table with eight columns with the value of the bit in binary (note that the values go from right to left in powers of 2).

128      64       32       16       8        4        2        1
1        0        1        1        0        1        0        1
128 x 1  64 x 0   32 x 1   16 x 1   8 x 0    4 x 1    2 x 0    1 x 1

Therefore, the decimal number is equal to:

128 + 0 + 32 + 16 + 0 + 4 + 0 + 1

which is 181.

Converting from decimal to binary

Example: Convert the decimal number 199 into its equivalent binary number.

Using powers of 2, we can represent 199 as follows:

128 + 64 + 4 + 2 + 1

We then go back to our table:

128      64       32       16       8        4        2        1
128 x 1  64 x 1   32 x 0   16 x 0   8 x 0    4 x 1    2 x 1    1 x 1
1        1        0        0        0        1        1        1

We can then simply read off the resultant binary number, which in this case is 11000111.

Now that you know how to do this, I can explain subnet masks to you...

What is a subnet mask?

Just like an IP address, a subnet mask is a 32-bit binary number, divided into four octets of eight bits each. Its purpose is to determine what part of the IP address denotes the network and what part of the IP address denotes the host on said network. The subnet mask consists of 1s on the left-hand side, and 0s on the right-hand side - the 1s denote the network part of the IP address (the network ID) and the 0s the host part (or, if you prefer, the host ID). Obviously, the positions of the bits match up. For example, consider the following:

IP address: 11000000.10101000.00001010.00010101
Subnet mask: 11111111.11111111.11111111.00000000

From this example, we can see that the first 24 bits in the IP address denote the network ID, and the remaining 8 bits the host ID.

If we convert those numbers to decimal (to make them readable by us humans), we get an IP address of 192.168.10.21 with a subnet mask of 255.255.255.0 - this means that the network ID is 192.168.10 and there are 256 hosts on the network. (Actually, that's not quite right - it's 254. I'll explain why later.)

Note that the 1s have to be on the left and the 0s have to be on the right - this means that a subnet mask like 11111111.11111111.11110001.00000000 is invalid! To explain it another way: subnet masks consist of a variable number of contiguous high-order bits. If you convert to decimal, valid values for octets are 0, 128, 192, 224, 240, 248, 252, 254 and 255.

If the octet is 255, then the entire octet is part of the network ID. Likewise, if the octet is 0, then the entire octet is part of the host ID.

You may see IP address ranges expressed as follows: 10.0.0.0/8 - this is the network address followed by the number of bits in the subnet mask representing the network ID. If you do the maths, the subnet mask is 255.0.0.0 meaning that the IP address range is 10.0.0.0 to 10.255.255.255. This, by the way, is known as Classless Interdomain Routing (CIDR) - this is how IP addresses are allocated to companies.

Why is a subnet mask important?

When a connection is initiated between two hosts, TCP/IP needs to know whether or not the destination host is on the same network as the source. If it's on the same network, then TCP/IP can send any packets directly to the destination host; if the destination host is on a different network then TCP/IP has to send the packet to the default gateway (aka router).

How does TCP/IP determine if the source and destination hosts are on the same subnet? It takes the source host's IP address and subnet mask, then performs a binary AND on the corresponding bits. For those of you who don't know any Boolean algebra, here are the rules for a binary AND:

  • 0 AND 0 = 0
  • 0 AND 1 = 0
  • 1 AND 0 = 0
  • 1 AND 1 = 1

The result is the network IP address.

The same process is performed with the destination IP address and the source's subnet mask, then the two results are compared. If they are the same, the source and destination hosts are on the same network. If they are different, then they are on different networks.

Here's an example. Computer A has the IP address 137.158.109.195 with a subnet mask of 255.255.254.0. It wishes to communicate with Computer B, which has an IP of 137.158.128.7. This is how it works...

 
                     Computer A                            Computer B
IP address:          10001001.10011110.01101101.11000011   10001001.10011110.10000000.00000111
Subnet mask:         11111111.11111111.11111110.00000000   11111111.11111111.11111110.00000000
Network ID portion:  10001001.10011110.01101100.00000000   10001001.10011110.10000000.00000000

From this, we can see that Computer A's network IP address is 137.158.108.0 while Computer B's network IP address is 137.158.128.0 - the two computers are therefore on different networks and TCP/IP will forward packets to the default gateway.
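
The same decision in code, as an added example that is not part of the original page: it rejects non-contiguous masks (the rule from the "What is a subnet mask?" section), ANDs both addresses with the source's mask, and compares the results. The function names are made up for this illustration.

```python
# Added example: helper names are hypothetical, values come from the page's example.

def to_int(dotted):
    """Pack a dotted-decimal IPv4 string into a 32-bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 value: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def to_dotted(value):
    """Unpack a 32-bit integer into dotted-decimal form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask):
    """True only if the mask is a run of 1s followed by a run of 0s."""
    inverted = to_int(mask) ^ 0xFFFFFFFF  # host bits become 1s
    # A run of low-order 1s plus one is a power of two, so x & (x + 1) == 0.
    return inverted & (inverted + 1) == 0


def network_id(ip, mask):
    """Bitwise AND of address and mask gives the network IP address."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return to_dotted(to_int(ip) & to_int(mask))


def next_hop(src_ip, src_mask, dst_ip):
    """Both ANDs use the source's mask; equal results mean same network."""
    same = network_id(src_ip, src_mask) == network_id(dst_ip, src_mask)
    return "direct" if same else "default gateway"


if __name__ == "__main__":
    # Computer A and Computer B from the example above.
    print(network_id("137.158.109.195", "255.255.254.0"))
    print(network_id("137.158.128.7", "255.255.254.0"))
    print(next_hop("137.158.109.195", "255.255.254.0", "137.158.128.7"))
    print(is_valid_mask("255.255.241.0"))
```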

How many IP addresses in the subnet?

It is important when determining a subnet mask to know the maximum number of hosts that you can have in your subnet. Doing so is ridiculously easy. As I've already mentioned, the 1 bits in the subnet masks denote the network ID while the 0 bits denote the host ID. All you have to do is count the 0 bits, then use the formula 2^(number of 0 bits) - 2 (keep in mind that binary is base 2). The reason why you subtract 2 is that the first and last IP addresses of a subnet are reserved - the first one is always the network IP address that I mentioned earlier (and therefore you can't use it as a host IP address), while the last IP address is reserved as a broadcast address.

Here's an example for you to try. On my home network, I use the subnet mask 255.255.255.240. See if you can work out how many IP addresses I have to play around with. The answer is at the bottom of the page.

Default subnet masks

The default subnet mask for an IP address depends on which class the IP address is in. Class A IP addresses begin with a binary 0, Class B addresses with a binary 10, and Class C addresses with a binary 110. Class D and beyond are special; we won't consider them. Converted to decimal, the first octet of a Class A IP address ranges from 1 to 126 (actually it ranges to 127, but 127 may not be used because the IP address 127.0.0.1 is used for loopback testing, therefore it ranges to 126), the first octet of a Class B IP address ranges from 128 to 191, and the first octet of a Class C IP address ranges from 192 to 223.

With that in mind, here are the default subnet masks for Class A, B and C:

Class     Default subnet mask   Number of hosts in subnet
Class A   255.0.0.0             16,777,214
Class B   255.255.0.0           65,534
Class C   255.255.255.0         254

Determining an IP addressing scheme

It's extremely unlikely that you'll come across a Class A or a Class B network using the default subnet masks. Rather, these large networks will probably be divided into smaller networks. Conversely, seeing that all Class A and Class B IP addresses have already been allocated (obviously this isn't counting private IP address ranges), an organisation requiring more than 254 IP addresses would be allocated several Class C ranges, and they would then change the subnet mask so that all the computers would be on the same network if they so wished (this is called supernetting).

There are several reasons for this:

  • It's very inefficient to have large numbers of computers on the same network. Yes, when I went to rAge 2006, they had all ~1200 computers on the same network, but they had a Gigabit backbone. Not all networks are so lucky - and besides, a few more thousand computers and even that Gigabit backbone won't be able to cope.
  • Some organisations have a mixture of LAN technologies (for example, Ethernet and token ring). You can't use different LAN technologies on the same network, so you would have to make them separate networks and use a router to connect them.
  • Many larger organisations (universities such as UCT and UKZN being a good example here) have more than one site, and they use WAN links between them - these WAN links in most cases form a separate network.

As a network designer, you need to carefully plan your network addressing scheme. There are several factors that you need to consider:

  • Whether a private or public addressing scheme is needed,
  • How many networks you need,
  • How many subnetworks you need,
  • How many hosts per subnet, and
  • What your subnet mask will be.

When I designed my home network, I obviously went for a private IP addressing scheme (the private IP address ranges are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), then thought "I'm never going to get more than a certain number of computers on my network", and worked out my subnet mask (which, as I said earlier, is 255.255.255.240) from that.

If we go through it step-by-step, these are the steps:

  1. Select an IP address class that will give you sufficient subnets and hosts per subnet. Class B should be fine for most people; smaller organizations could get by with Class C.
  2. Work out how many subnets are needed. Remember to include WAN connections here.
  3. Modify the default subnet mask to your needs. To do this, convert the number of subnets that you think you'll need (taking growth into account) into binary, see how many bits that is, and add it to the subnet mask.
  4. Now work out the subnet ranges. To do this, subtract the significant octet in a subnet mask (the significant octet will be the one that's not 0 or 255) from 256. This will give you the first subnet ID. Subsequent subnet IDs are simply the next subnet value higher.
  5. Work out the IP address ranges for each subnet. The first one is the first subnet address with a binary one added to it; the last one is the subsequent subnet ID with two binary digits subtracted from it. Repeat for all subnets.
  6. Physically configure the network.

Here's an example. An organisation uses a Class B IP range. They require 5 subnets with at least 2000 hosts per subnet. We have to work out the subnet mask and the IP address ranges for each subnet.

Steps 1 and 2 have been given to us, so we can proceed straight to Step 3. 5 subnets are required, and 5 converted to binary is 101. That's three bits. Three bits added to the default subnet mask for Class B is 11111111.11111111.11100000.00000000, which in decimal is 255.255.224.0. That's the subnet mask that we'll be using.

At this point, it's a good idea to check that our subnet mask does indeed give us the required number of hosts per subnet. 255.255.224.0 is a 19-bit subnet mask, which means that there are 13 bits left for the host ID. Using the formula that I mentioned earlier, we get 2^13 - 2, which is 8190. This is clearly larger than 2000, so we know that our subnet mask fulfills the requirement. However, if they required 10,000 hosts per subnet, then our subnet mask doesn't fulfill the requirements and we would have to re-plan our network (maybe using a Class A IP range instead of Class B).

Now we can go to Step 4 and work out the subnet IDs. 224 subtracted from 256 gives us 32. Our subnet IDs are therefore 0, 32, 64, 96, 128, 160, 192 and 224.

Then we can go to Step 5 and work out the IP address ranges for each subnet as follows:

Subnet ID    IP address range
B.B.0.0      B.B.0.1 - B.B.31.254
B.B.32.0     B.B.32.1 - B.B.63.254
B.B.64.0     B.B.64.1 - B.B.95.254
B.B.96.0     B.B.96.1 - B.B.127.254
B.B.128.0    B.B.128.1 - B.B.159.254
B.B.160.0    B.B.160.1 - B.B.191.254
B.B.192.0    B.B.192.1 - B.B.223.254
B.B.224.0    B.B.224.1 - B.B.255.254

All that's now left for us to do is to configure the network.
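
Steps 3 to 5 of the worked example, as an added sketch that is not part of the original page: it borrows bits using the rule from Step 3, checks the hosts-per-subnet requirement, and lists each subnet's range. The base network 172.16.0.0/16 is a constructed stand-in for the page's "B.B" placeholder, and plan_subnets is a hypothetical name.

```python
import ipaddress


def plan_subnets(base, subnets_needed, hosts_needed):
    """Return (mask, usable hosts per subnet, [(subnet ID, first, last), ...])."""
    net = ipaddress.ip_network(base)

    # Step 3: write the subnet count in binary and borrow that many bits
    # (the page's rule: 5 -> 101 -> three bits).
    borrowed = subnets_needed.bit_length()
    new_prefix = net.prefixlen + borrowed
    host_bits = 32 - new_prefix
    if host_bits < 2:
        raise ValueError("no room left for host addresses")

    # Host check: 2^(number of 0 bits) - 2, because the network and
    # broadcast addresses of each subnet cannot be assigned to hosts.
    usable = 2 ** host_bits - 2
    if usable < hosts_needed:
        raise ValueError(
            f"/{new_prefix} gives {usable} hosts per subnet, need {hosts_needed}"
        )

    # Steps 4 and 5: enumerate subnet IDs and the usable range in each.
    subnets = list(net.subnets(new_prefix=new_prefix))
    plan = [
        (str(s.network_address),
         str(s.network_address + 1),
         str(s.broadcast_address - 1))
        for s in subnets
    ]
    return str(subnets[0].netmask), usable, plan


if __name__ == "__main__":
    # Constructed input: a private Class B range, 5 subnets, 2000 hosts each.
    mask, usable, plan = plan_subnets("172.16.0.0/16", 5, 2000)
    print(f"Subnet mask {mask}, {usable} usable hosts per subnet")
    for subnet_id, first, last in plan:
        print(f"{subnet_id:<14} {first} - {last}")
```

Asking for 10,000 hosts per subnet with the same inputs raises ValueError, which is the re-planning case described above.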

Conclusion

Hopefully you now know all about subnet masks, how they work, and what they're used for. If you think that I've left something out or could have explained something better, please let me know.

Oh, and on my home network, I have 14 IP addresses to play around with.