Question about netmasks


Rich Grise

I'm trying to wrap my head around subnets. I think I've finally got
the thing about 10.0.0.0 with the netmask 255.0.0.0 gives me a
local address pool of 10.0.0.1 to 10.255.255.254, is that accurate?
So, it's functionally equivalent to

0000 1010.0000 0000.0000 0000.0000 0001
through
0000 1010.1111 1111.1111 1111.1111 1110;

so it could be looked at like within the 10 network, I have 0xFFFFFE
unique addresses available, flat, and the 255.255 etc is just an
artifact, right?

But now, I could use netmasks and make subnets, right? I'm still
rereading the paragraph about how the netmask makes certain computers
visible or invisible to others based on some algorithm, right?

Now, I was wondering, since there's 4 computers up front, plugged
into my own personal server in my office, IP # 10.0.0.1, and
they're variations of subnets:

10.0.0.1 Thunderbird

10.13.8.1 Vehicle
10.13.33.1 Entheos

These 3 are in my office, and my own hardware.

These other ones are up front, and nominally Joe's. (Well, except
for Quality, which is Don's.)
10.254.129.1 ABI_Chief
10.254.130.1 ABI_Front
10.254.131.1 ABI_OPS
10.254.132.1 ABI_Quality

And Thunderbird is the default gateway for all of them, and I know
it's at least a router, because it's routing this :-) but I wonder
if "router" is like a subset of "server", and then wonder about
things like, well, it's got httpd and ftpd going and answering,
does that make it a server? Well, the other two also have apache,
so they're all web servers, but I think you get my point. (or maybe
it doesn't make any difference - is it more prestigious to say,
"I run the server on our LAN" than to say, "I run the router on
our LAN"? ;-)

So I have the power to do a lot of playing around here, with IPs and
DHCP and DNS and I think I'm going to have to learn what NIS means -
I'm pretty sure NFS means Network(ed) File System, but am I supposed
to have it running, and do I? Well, anyway, I'll get to that. The
actual point of this post is a fundamental question: does it make
any kind of sense at all to split up a physical network into logical
subnets, or is it more a thing about getting past two gateways?
(i.e, can I make it so that I can see all 7 computers, but they
can only see the 4 up front and Thunderbird)

Maybe I'm looking for some philosophical grounding, so that when
I read those Fantastic Manuals ;-), the new information has some
kind of substrate to stick to. :-)

Thanks!
Rich
 
(Partly I'm writing this for me, because it's been a while since I
actually described this to anyone. Please, feel free to correct me if I
misexplain something.)

> I'm trying to wrap my head around subnets. I think I've finally got the
> thing about 10.0.0.0 with the netmask 255.0.0.0 gives me a local address
> pool of 10.0.0.1 to 10.255.255.254, is that accurate? So, it's
> functionally equivalent to
>
> 0000 1010.0000 0000.0000 0000.0000 0001 through 0000 1010.1111 1111.1111
> 1111.1111 1110;
>
> so it could be looked at like within the 10 network, I have 0xFFFFFE
> unique addresses available, flat, and the 255.255 etc is just an
> artifact, right?

Technically you have 10.0.0.0-10.255.255.255 available, but the address
containing all-zeros in the host portion is reserved for the network
address and the address containing all-ones in the host portion is
reserved for the broadcast address. Your perception of the usable range
is accurate.

> But now, I could use netmasks and make subnets, right? I'm still
> rereading the paragraph about how the netmask makes certain computers
> visible or invisible to others based on some algorithm, right?

Network masks don't control visibility. They control routing. The
difference is important: in theory hosts on the same segment with
different IPs can always communicate with each other, network address
differences notwithstanding. However, (a) this isn't always the case (b)
it's unwise at best and (c) it's not what subnet masks are designed to do.

The algorithm is pretty simple: it's just bitwise-AND. Consider:

  10.13.8.1: 0000 1010.0000 1101.0000 1000.0000 0001
& 255.0.0.0: 1111 1111.0000 0000.0000 0000.0000 0000
----------------------------------------------------
   10.0.0.0: 0000 1010.0000 0000.0000 0000.0000 0000

Network masks generally must be continuous from the left-hand side of the
mask, so the usual notation is simply ip.ad.dr.ess/bits -- the network
mask is "bits" bits long, from the right. For instance: your example
network is 10.0.0.0/8.

> Now, I was wondering, since there's 4 computers up front, plugged into
> my own personal server in my office, IP # 10.0.0.1, and they're
> variations of subnets:
>
> 10.0.0.1 Thunderbird
>
> 10.13.8.1 Vehicle
> 10.13.33.1 Entheos
>
> These 3 are in my office, and my own hardware.

Easily 10.0.0.0/9's bottom end...

> These other ones are up front, and nominally Joe's. (Well, except for
> Quality, which is Don's.)
> 10.254.129.1 ABI_Chief
> 10.254.130.1 ABI_Front
> 10.254.131.1 ABI_OPS
> 10.254.132.1 ABI_Quality

....and the top of 10.128.0.0/9.

> And Thunderbird is the default gateway for all of them.

So far, so good.

> I wonder if "router" is like a subset of "server"

The roles are orthogonal. A router is a host that routes packets. A
server is a host that provides an end service that waits to be connected
to[0]. As you've noticed, one host can fill both roles.

> it's got httpd and ftpd going and answering, does that make it a server?

Yes. Specifically it makes it a web and ftp server.

> Well, the other two also have apache, so they're all web servers

Yes.

> So I have the power to do a lot of playing around here, with IPs and
> DHCP and DNS and I think I'm going to have to learn what NIS means

It's one of a number of methods of centralising user information (logons,
addresses, etc) on a network.

> I'm pretty sure NFS means Network File System, but am I supposed to have
> it running, and do I?

Supposed to: if you want to provide network-accessible file storage that
integrates with the unix directory structure. This is not the only way to
do this.

Are you: probably not.

> Well, anyway, I'll get to that. The actual point of this post is a
> fundamental question: does it make any kind of sense at all to split up
> a physical network into logical subnets, or is it more a thing about
> getting past two gateways? (i.e, can I make it so that I can see all 7
> computers, but they can only see the 4 up front and Thunderbird)

The way you'd do this is probably like this[1]:

                  +---------------------+
Your ISP          |                 eth1|--10.1.0.0/16--Vehicle, Entheos
----x.x.x.x-------|eth0  Thunderbird    |
                  |                 eth2|--10.2.0.0/16--"The 4 up front"
                  +---------------------+

Notably this means that Thunderbird has *three*, not two, IP addresses --
one in each network it's attached to (10.1.0.1 and 10.2.0.1 are good
choices). Also note that 10.1.0.0/16 and 10.2.0.0/16 are
physically-separate networks. You *can* run them over the same piece of
cable (same wireless connection, etc) but it's difficult and not really
worthwhile.

Thunderbird would also have to be set up to route between the two
10.x.0.0/16 networks as well as to the internet connection.

Once you've got that, you can control visibility between subnets using
iptables to selectively DROP or REJECT packets destined from one network
to the other based on some criterion while ACCEPTing others.

From a theoretical standpoint, subnets make more sense for breaking your
network up by physical location than by role, unless the hosts sharing a
role are also (relatively) clustered physically. In your case that's
actually true, but the wording of your question doesn't make that too
clear.

[0] General definition.
[1] ...wonderful ascii-vision diagram, brought to you by Mr. Clean!
Remember to view using a fixed-width font.
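The bitwise-AND test the reply describes, the per-packet route decision it drives, and a first-match forwarding policy of the kind the reply suggests putting on Thunderbird, as an added example that is not code from any poster in this thread. The host names and addresses are the ones Rich listed and the 10.1.0.0/16 / 10.2.0.0/16 layout is the one sketched above; the POLICY table, the sample addresses 10.1.0.5 / 10.2.0.7, the "established" flag and the function names are assumptions made for illustration.

```python
"""Netmask arithmetic: what it does (routing) and does not do (access control).

Added example for this thread, not code from any poster. Host names and
addresses are the ones Rich listed; the 10.1.0.0/16 / 10.2.0.0/16 layout is
the one the reply sketches. POLICY, the function names and the sample
addresses used in __main__ are assumptions made for illustration.
"""
from ipaddress import IPv4Address, IPv4Network

# Hosts from the original post, all currently using netmask 255.0.0.0.
HOSTS = {
    "Thunderbird": "10.0.0.1",
    "Vehicle": "10.13.8.1",
    "Entheos": "10.13.33.1",
    "ABI_Chief": "10.254.129.1",
    "ABI_Front": "10.254.130.1",
    "ABI_OPS": "10.254.131.1",
    "ABI_Quality": "10.254.132.1",
}


def mask_to_prefix(mask: str) -> int:
    """255.255.255.128 -> 25.  Rejects masks whose one-bits are not contiguous
    from the left (e.g. 255.0.255.0), which is what /bits notation requires."""
    m = int(IPv4Address(mask))
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask}")
    return prefix


def network_of(ip: str, mask: str) -> str:
    """The 'algorithm': address AND mask.  10.13.8.1 & 255.0.0.0 -> 10.0.0.0"""
    return str(IPv4Address(int(IPv4Address(ip)) & int(IPv4Address(mask))))


def group_by_network(hosts: dict, mask: str) -> dict:
    """Which hosts a given mask places on the same network."""
    groups = {}
    for name, ip in hosts.items():
        groups.setdefault(network_of(ip, mask), []).append(name)
    return {net: sorted(names) for net, names in groups.items()}


def next_hop(src_ip: str, mask: str, gateway: str, dst_ip: str) -> str:
    """The decision a host makes for every packet: AND the destination with
    its own mask.  Same network as itself -> deliver directly (ARP for it);
    anything else -> hand to the default gateway.  The mask never hides a
    host; an off-net destination is simply reached via the router instead."""
    if network_of(src_ip, mask) == network_of(dst_ip, mask):
        return "direct"
    return gateway


# Constructed policy in the spirit of the iptables FORWARD chain the reply
# mentions: the office (10.1.0.0/16) may initiate to the front (10.2.0.0/16),
# the front may only answer.  Only traffic that crosses the router ever meets
# this table, which is why the two networks must be separate segments with
# Thunderbird between them.
POLICY = [
    ("10.1.0.0/16", "10.2.0.0/16", "ACCEPT"),
    ("10.2.0.0/16", "10.1.0.0/16", "DROP"),
]


def forward_verdict(src: str, dst: str, established: bool = False) -> str:
    """First-match evaluation of POLICY; replies to accepted flows pass."""
    if established:  # stands in for an ESTABLISHED state match
        return "ACCEPT"
    s, d = IPv4Address(src), IPv4Address(dst)
    for src_net, dst_net, verdict in POLICY:
        if s in IPv4Network(src_net) and d in IPv4Network(dst_net):
            return verdict
    return "DROP"  # chain default policy


if __name__ == "__main__":
    print("with /8:", group_by_network(HOSTS, "255.0.0.0"))
    print("with /9:", group_by_network(HOSTS, "255.128.0.0"))
    # Assumed addresses in the proposed layout: an office host and a front host.
    print("office host -> front host via",
          next_hop("10.1.0.5", "255.255.0.0", "10.1.0.1", "10.2.0.7"))
    print("office -> front:", forward_verdict("10.1.0.5", "10.2.0.7"))
    print("front -> office:", forward_verdict("10.2.0.7", "10.1.0.5"))
```

With the current /8 mask `group_by_network` returns a single group containing all seven hosts, so no packet between them ever touches Thunderbird's FORWARD chain and no rule there can restrict them; the /9 grouping shows the office/front split the reply points out falls out of the existing addresses.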
 
:
: I'm trying to wrap my head around subnets. I think I've finally got
: the thing about 10.0.0.0 with the netmask 255.0.0.0 gives me a
: local address pool of 10.0.0.1 to 10.255.255.254, is that accurate?
: So, it's functionally equivalent to
:
: 0000 1010.0000 0000.0000 0000.0000 0001
: through
: 0000 1010.1111 1111.1111 1111.1111 1110;

You don't need spaces to represent binary.

00001010.00000000.00000000.00000001 : first user address
00001010.11111111.11111111.11111110 : last user address

Or easier to use:
10.0.0.0/8 - 8 bits of subnet mask

: so it could be looked at like within the 10 network, I have 0xFFFFFE
: unique addresses available, flat, and the 255.255 etc is just an
: artifact, right?

You can use hex if you want or decimal or octal for that matter. You could
even use 32-bit decimal instead of dotted decimal.
167772161

If your router is 10.0.0.1, then you could ping it with: ping 167772161 and
it will return: pinging 10.0.0.1 with 32 bytes of data:

: But now, I could use netmasks and make subnets, right? I'm still
: rereading the paragraph about how the netmask makes certain computers
: visible or invisible to others based on some algorithm, right?

It's easier to work from a chart but the basic idea is every time you add a
bit of subnet mask, you double your networks and split your subnets in half,
losing 2 addresses each time, all 0s and all 1s a.k.a. network/broadcast
addresses respectively.

Ex.

It's easier to use a Class C subnet mask to learn. Each bit is a power of
2, since we're talking binary.
So, the last octet in a Class C subnet mask is:
128 64 32 16 8 4 2 1

When you add a bit of subnet mask, you add it to the right, not left. If
you had the network address:
10.0.0.0
with a subnet mask of:
255.255.255.0 or ff.ff.ff.0 or CIDR: 10.0.0.0/24
....you have 24 bits of subnet mask. 8 bits for each of the first 3 octets.
We know there is only 8 left because IPv4 uses 32-bit addresses.

If you wanted to subnet this address into two subnets, instead of the one
you have, then you add one bit of subnet mask:
255.255.255.128 or ff.ff.ff.80 or CIDR: 10.0.0.0/25
You are masking off the 8th bit of the last (4th) octet. So, the network
addresses are:
10.0.0.0
10.0.0.128

Both of these represent your all 0s. So, it is easy to determine the
broadcast (all 1s) addresses:
10.0.0.127
10.0.0.255

If you add another bit of subnet mask:
255.255.255.192 (128+64) or ff.ff.ff.c0 or CIDR: 10.0.0.0/26
You split both subnets in half. So, you lose two addresses for each subnet,
or in this case 4.
10.0.0.0
10.0.0.64
10.0.0.128
10.0.0.192

Broadcasts:
10.0.0.63
10.0.0.127
10.0.0.191
10.0.0.255

Here is the trick. If the bit you're adding is 128, your subnet is 128
addresses minus 2 = 126. If it is 64, then 64 addresses minus 2 = 62 and so
on. Easy way to determine the mask is: 256 - (right most masked bit value).
So, 256-128 = 128. 256 - 64 = 192.
Another way is to take 256 (full octet value - zero is first number) and
subtract the masked total. 256 - 192 = 64. So, 0 is the first network
address, 64 is the next, +64 = 128, +64 = 192. The mask value is the
zero-based subnet value or, in this case, 63. Add 63 to each network
address to get the broadcast address. 0 + 63 = 63, 64 + 63 = 127, etc.

Eventually you just remember them like you know 12x12 = 144 in decimal
because you're used to doing it. The way I am showing you is not formal, it
is just simple to use.

: Now, I was wondering, since there's 4 computers up front, plugged
: into my own personal server in my office, IP # 10.0.0.1, and
: they're variations of subnets:
:
: 10.0.0.1 Thunderbird
:
: 10.13.8.1 Vehicle
: 10.13.33.1 Entheos
:
: These 3 are in my office, and my own hardware.
:
: These other ones are up front, and nominally Joe's. (Well, except
: for Quality, which is Don's.)
: 10.254.129.1 ABI_Chief
: 10.254.130.1 ABI_Front
: 10.254.131.1 ABI_OPS
: 10.254.132.1 ABI_Quality
:
: And Thunderbird is the default gateway for all of them, and I know
: it's at least a router, because it's routing this :-) but I wonder
: if "router" is like a subset of "server", and then wonder about
: things like, well, it's got httpd and ftpd going and answering,
: does that make it a server? Well, the other two also have apache,
: so they're all web servers, but I think you get my point. (or maybe
: it doesn't make any difference - is it more prestigious to say,
: "I run the server on our LAN" than to say, "I run the router on
: our LAN"? ;-)

IP routing and server services are on different layers and not comparable.
However, if you're looking for prestige, that is gauged by whom you're
trying to impress. (beauty is in the eye of the beholder?) (O:=

Why not just say you work in IT, since that will have the appearance of
being a team player.

: So I have the power to do a lot of playing around here, with IPs and
: DHCP and DNS and I think I'm going to have to learn what NIS means -
: I'm pretty sure NFS means Network(ed) File System, but am I supposed
: to have it running, and do I?

If you're running NFS, then ok. If not, why have it enabled?

: Well, anyway, I'll get to that. The
: actual point of this post is a fundamental question: does it make
: any kind of sense at all to split up a physical network into logical
: subnets, or is it more a thing about getting past two gateways?
: (i.e, can I make it so that I can see all 7 computers, but they
: can only see the 4 up front and Thunderbird)

I have news for you. You only have one subnet. If you mask at /8 with a
Class A address, then the first octet is your network and the others are all
addresses.

: Maybe I'm looking for some philosophical grounding, so that when
: I read those Fantastic Manuals ;-), the new information has some
: kind of substrate to stick to. :-)
:
: Thanks!
: Rich

References worth reading:
http://www.urec.cnrs.fr/autres_techno/BGP4/CIDR_faq.html
http://public.pacbell.net/dedicated/cidr.html
http://www.pantz.org/networking/tcpip/subnetchart.shtml
http://www.allredroster.com/iptodec.htm
http://www.sover.net/~jwills/subcalc.html
http://www.telusplanet.net/public/sparkman/netcalc.htm
http://www.cotse.com/networkcalculator.html

HTH...

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
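Roland's bit-at-a-time subnet chart and the 32-bit decimal form of an address, as an added example that is not Roland's code or anyone else's on this thread. It uses 10.0.0.0/24 and 10.0.0.1 from the post; the function names are assumptions, and only the standard library is used.

```python
"""Subnetting one mask bit at a time, and the 32-bit decimal form of an address.

Added example for this thread, not code from any poster. 10.0.0.0/24 and
10.0.0.1 come from the post above; the function names are assumptions.
"""
from ipaddress import IPv4Address, IPv4Network


def dotted_to_int(ip: str) -> int:
    """10.0.0.1 -> 167772161, the form 'ping 167772161' accepts."""
    return int(IPv4Address(ip))


def int_to_dotted(n: int) -> str:
    """167772161 -> 10.0.0.1"""
    return str(IPv4Address(n))


def prefix_to_mask(prefix: int) -> str:
    """/26 -> 255.255.255.192.  Each added bit goes on the right of the
    existing mask, never the left."""
    if not 0 <= prefix <= 32:
        raise ValueError(prefix)
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def block_size(prefix: int) -> int:
    """The '256 - masked total' trick, valid once the mask is into the last
    octet: /26 -> 256 - 192 = 64 addresses between consecutive networks."""
    if prefix < 24:
        raise ValueError("rule applies to the last octet only (prefix >= 24)")
    last_octet = int(prefix_to_mask(prefix).split(".")[-1])
    return 256 - last_octet


def split(network: str, new_prefix: int) -> list:
    """Enumerate the subnets created by lengthening the mask of `network`
    to `new_prefix`.  Returns (network address, broadcast address, usable
    hosts) per subnet, applying the all-zeros / all-ones reservations the
    post describes (so a /31 or /32 reports 0 usable under that rule)."""
    net = IPv4Network(network)
    if not net.prefixlen <= new_prefix <= 32:
        raise ValueError(f"/{new_prefix} must be between /{net.prefixlen} and /32")
    size = 1 << (32 - new_prefix)  # addresses per subnet
    first, last = int(net.network_address), int(net.broadcast_address)
    return [
        (int_to_dotted(a), int_to_dotted(a + size - 1), max(size - 2, 0))
        for a in range(first, last + 1, size)
    ]


def chart(network: str, up_to: int = 27) -> str:
    """Text version of the chart Roland describes: every extra bit doubles
    the number of subnets and halves their size."""
    base = IPv4Network(network)
    lines = []
    for p in range(base.prefixlen, up_to + 1):
        subs = split(network, p)
        lines.append(
            f"/{p}  mask {prefix_to_mask(p):<15} {len(subs):>3} subnet(s) "
            f"x {subs[0][2]} usable   first broadcast {subs[0][1]}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print("10.0.0.1 as 32-bit decimal:", dotted_to_int("10.0.0.1"))
    print(chart("10.0.0.0/24"))
    for n, b, u in split("10.0.0.0/24", 26):
        print(f"{n:<12} broadcast {b:<12} {u} usable")
```

`split` works from the integer form of the addresses, so the same function handles Rich's /8 (`split("10.0.0.0/8", 9)` gives the two /9 halves mentioned earlier in the thread) as well as the /24 walk-through.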
 