subnets and subnetting

John (12-09-2005, 05:34 AM)
What are the reasons for creating a subnet on your network?

AFAICT, almost all your systems (except the gateway to the net) get
non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
subnet by setting an IP and netmask with ifconfig, and updating your
routing table (and the routing tables of other systems on your network
-- or have DHCP do it I presume) to know about the subnet. But what I
don't see is the point.

Is it to keep fewer records in your arp table?

Do you only create subnets on a LAN where all nodes can talk to
each other? Or are you supposed to only create subnets when you've got a
router with an extra NIC on it?

Instead of using subnets, why not just drop a router anywhere you've got
a fairly large related group of chatty hosts, connect those hosts to
hubs/switches, then connect the uplink to that router?

I've been reading from sources like Frisch's "Essential System
Administration" and
http://www.tcpipguide.com/free/t_IPS...ngConcepts.htm
but although most docs discuss extensively how to compute netmasks and
related technical details, I'm still struggling with seeing the big
picture here. Thanks.

---J

--
[ remove zees if contacting via email ]
Michael Heiming (12-09-2005, 06:41 AM)
In comp.os.linux.networking John <(E-Mail Removed)>:
> What are the reasons for creating a subnet on your network?


There are several possible reasons. A few that come to my mind
off-hand:

You have thousands or even tens of thousands of hosts and want to
separate them. Clients using DHCP and server using fixed IP.

M$ clients tend to be quite chatty, put them in their own subnet
so they can happily broadcast the whole day without annoying
others.

You want to build a DMZ for critical stuff and separate them
using firewalls, or a WLAN where you only allow certain
services like ssh to the cable LAN.

You want separate backup LAN(s) for better performance.

Good luck

[..]

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 409: The vulcan-death-grip ping has been applied.
Moe Trin (12-09-2005, 07:01 PM)
On Fri, 09 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
in article <WE9mf.5274$(E-Mail Removed)>, John wrote:

>What are the reasons for creating a subnet on your network?
>
>AFAICT, almost all your systems (except the gateway to the net) get
>non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
>subnet by setting an IP and netmask with ifconfig, and updating your
>routing table (and the routing tables of other systems on your network
>-- or have DHCP do it I presume) to know about the subnet. But what I
>don't see is the point.


1. Administrative. To separate entities that wouldn't normally be
talking to each other - accounting versus engineering versus sales

2. Physical separation. The facility in town A can't possibly be on
the same wire as the facility in town B (never mind states or countries).

3. Traffic. Ethernet is a common carrier type of network. You don't
want everybody on the same wire. It gets _busy_ with all them packets.

4. Security. Public, versus DMZ, versus internal networks.

>Is it to keep fewer records in your arp table?


That's item 3. When my company set up the IP network in 1986, they used
a 255.255.252.0 network mask - allowing 1022 hosts on each subnet. I
don't think we've ever had more than 600 on a given subnet, but "be
prepared". By 1994, we were installing Etherswitches to break our coax
into chunks with no more than 70 workstations or 4 servers or one router
on a segment. In 1997, we started transitioning to switched 100BaseT
media, just as now we are replacing that with 1000BaseT and fiber. The
whole reason is to reduce the congestion on the individual wire. Yes,
we're still using that same network mask.

>Do you only create subnets on a LAN where all nodes can talk to
>each other? Or are you supposed to only create subnets when you've got a
>router with an extra NIC on it?


If you mean having two subnets on the same physical wire - that negates
the whole reason for subnetting.

>Instead of using subnets, why not just drop a router anywhere you've got
>a fairly large related group of chatty hosts, connect those hosts to
>hubs/switches, then connect the uplink to that router?


That's more normal.

>I've been reading from sources like Frisch's "Essential System
>Administration" and
>http://www.tcpipguide.com/free/t_IPS...ngConcepts.htm
>but although most docs discuss extensively how to compute netmasks and
>related technical details, I'm still struggling with seeing the big
>picture here. Thanks.


The Linux Network Administrator's Guide (from the LDP as well as O'Reilly)
is also a good read.

Old guy
John (12-10-2005, 04:29 AM)
Moe Trin wrote:
> On Fri, 09 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
> in article <WE9mf.5274$(E-Mail Removed)>, John wrote:
>
>
>>What are the reasons for creating a subnet on your network?
>>
>>AFAICT, almost all your systems (except the gateway to the net) get
>>non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
>>subnet by setting an IP and netmask with ifconfig, and updating your
>>routing table (and the routing tables of other systems on your network
>>-- or have DHCP do it I presume) to know about the subnet. But what I
>>don't see is the point.

>
>
> 1. Administrative. To separate entities that wouldn't normally be
> talking to each other - accounting versus engineering versus sales
>
> 2. Physical separation. The facility in town A can't possibly be on
> the same wire as the facility in town B (never mind states or countries).


Ah... When you say, "on the same wire", do you include machines plugged
into each other via a *switch*, along with the ones connected to each
other via simple hubs?


> 3. Traffic. Ethernet is a common carrier type of network. You don't
> want everybody on the same wire. It gets _busy_ with all them packets.


Again though, from what I understand, a switch will not forward traffic
that it learns doesn't need to be forwarded, so does this reason for
using a subnet still hold?


> 4. Security. Public, versus DMZ, versus internal networks.
>
>
>>Is it to keep fewer records in your arp table?

>
>
> That's item 3. When my company set up the IP network in 1986, they used
> a 255.255.252.0 network mask - allowing 1022 hosts on each subnet.


Ah. So, in terms used back then, they were assigned a "class B" network?


> I don't think we've ever had more than 600 on a given subnet, but "be
> prepared". By 1994, we were installing Etherswitches


(before my time I believe -- I'm guessing these are just like regular
switches, only for coax instead of twisted pair)

> to break our coax
> into chunks with no more than 70 workstations or 4 servers or one router
> on a segment.


I see. A segment here is one bus where everybody sees all packets.


> In 1997, we started transitioning to switched 100BaseT
> media, just as now we are replacing that with 1000BaseT and fiber. The
> whole reason is to reduce the congestion on the individual wire. Yes,
> we're still using that same network mask.




>
>>Do you only create subnets on a LAN where all nodes can talk to
>>each other? Or are you supposed to only create subnets when you've got a
>>router with an extra NIC on it?

>
>
> If you mean having two subnets on the same physical wire - that negates
> the whole reason for subnetting.


Ah! Ok, thanks. I'd been learning about subnets with the mental model of
them being on the same physical wire.

>
>>Instead of using subnets, why not just drop a router anywhere you've got
>>a fairly large related group of chatty hosts, connect those hosts to
>>hubs/switches, then connect the uplink to that router?

>
>
> That's more normal.


Hm. This is what I'm not getting. If you don't use subnets *between*
nodes on the same physical wire, then that means you use them for a
group of nodes connected to some interface to the rest of the network,
right? Well, if that interface is a router, it's not going to forward
packets that are being locally delivered anyway, so what use is making
that group of computers into its own subnet?


>
>>I've been reading from sources like Frisch's "Essential System
>>Administration" and
>>http://www.tcpipguide.com/free/t_IPS...ngConcepts.htm
>>but although most docs discuss extensively how to compute netmasks and
>>related technical details, I'm still struggling with seeing the big
>>picture here. Thanks.

>
>
> The Linux Network Administrator's Guide (from the LDP as well as O'Reilly)
> is also a good read.
>
> Old guy


Thanks again Old guy. I didn't like that guide the first time I looked
at it, but I'll give it another try. Meantime, I've got a copy of Craig
Hunt's "TCP/IP Network Administration, 3rd ed" here that looks quite useful.

Thanks again for your comments on this.

---J

--
[ remove zees if contacting via email ]
James Knott (12-10-2005, 11:11 AM)
John wrote:

> What are the reasons for creating a subnet on your network?
>
> AFAICT, almost all your systems (except the gateway to the net) get
> non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
> subnet by setting an IP and netmask with ifconfig, and updating your
> routing table (and the routing tables of other systems on your network
> -- or have DHCP do it I presume) to know about the subnet. But what I
> don't see is the point.
>
> Is it to keep fewer records in your arp table?
>
> Do you only create subnets on a LAN where all nodes can talk to
> each other? Or are you supposed to only create subnets when you've got a
> router with an extra NIC on it?
>
> Instead of using subnets, why not just drop a router anywhere you've got
> a fairly large related group of chatty hosts, connect those hosts to
> hubs/switches, then connect the uplink to that router?
>
>


I can't think of any valid reason for having different subnets on the same
wire. It won't affect the arp cache at all, as it is populated and cleared
through normal use. It knows nothing about subnets etc. All it does is
match an IP to a MAC address. Also, if you do set up different subnets,
when you try to reach one on the other subnet, your computer will send the
traffic to your default route. The router, knowing that the destination is
on the same local network as you, will send an ICMP redirect, telling your
computer to send directly to the destination. So, multiple subnets on the
same network will only generate more traffic, with no benefit.


Incidentally, all IPs are routable. It is only routing rules that prevent
the RFC 1914 addresses from reaching the internet. Many companies use those
address ranges for internal company networks and route them as necessary.

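As an added illustration (not code from any poster in this thread), the following Python uses the standard ipaddress module to show two things discussed above: the arithmetic behind Moe Trin's 255.255.252.0 mask (1022 usable hosts per subnet), and the decisions James Knott describes, where a host hands off-subnet traffic to its default gateway and a router that would send the packet back out the interface it arrived on answers with an ICMP redirect instead. All addresses, interface names and the gateway are constructed values.

```python
import ipaddress

# Constructed values for the demo (not a real network): a /22 like the one
# described in the thread, a /24 pair that share one wire, and a gateway.
SITE_CIDR = "10.1.4.77/22"          # mask 255.255.252.0
GATEWAY = "192.168.1.1"
ROUTER_IFACES = {                   # interface -> CIDRs configured on it
    "eth0": ["192.168.1.1/24", "192.168.2.1/24"],  # two subnets, one wire
    "eth1": ["10.1.4.1/22"],
}


def subnet_summary(cidr):
    """Network, broadcast, mask and usable-host count for an address/mask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable_hosts": net.num_addresses - 2,   # minus network + broadcast
    }


def next_hop(src_cidr, dst, gateway):
    """Sending host's decision: a destination inside its own subnet is
    resolved with ARP and delivered directly; anything else goes to the
    default gateway."""
    iface = ipaddress.ip_interface(src_cidr)
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    return gateway


def router_forward(interfaces, src, dst):
    """Router's decision. Returns 'redirect' when the packet would leave by
    the interface it arrived on (both subnets on the same wire),
    'forward:<iface>' for a real hop between wires, and 'no-route' when
    no configured subnet matches the destination."""
    def iface_for(addr):
        a = ipaddress.ip_address(addr)
        for name, cidrs in interfaces.items():
            if any(a in ipaddress.ip_network(c, strict=False) for c in cidrs):
                return name
        return None

    ingress, egress = iface_for(src), iface_for(dst)
    if egress is None:
        return "no-route"
    if ingress == egress:
        return "redirect"        # ICMP redirect: sender should go direct
    return f"forward:{egress}"


if __name__ == "__main__":
    print(subnet_summary(SITE_CIDR))                             # 1022 hosts
    print(next_hop("192.168.1.10/24", "192.168.2.10", GATEWAY))  # gateway
    print(router_forward(ROUTER_IFACES, "192.168.1.10", "192.168.2.10"))
```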
James Knott (12-10-2005, 11:18 AM)
Moe Trin wrote:

> On Fri, 09 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
> in article <WE9mf.5274$(E-Mail Removed)>, John wrote:
>
>>What are the reasons for creating a subnet on your network?
>>
>>AFAICT, almost all your systems (except the gateway to the net) get
>>non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
>>subnet by setting an IP and netmask with ifconfig, and updating your
>>routing table (and the routing tables of other systems on your network
>>-- or have DHCP do it I presume) to know about the subnet. But what I
>>don't see is the point.

>
> 1. Administrative. To separate entities that wouldn't normally be
> talking to each other - accounting versus engineering versus sales


Using different subnets on the same local network will not do that.
Computers on the different subnets can still communicate freely.

>
> 2. Physical separation. The facility in town A can't possibly be on
> the same wire as the facility in town B (never mind states or countries).


I don't think this is relevant to the question. I assume the OP was
referring to a single local network.

>
> 3. Traffic. Ethernet is a common carrier type of network. You don't
> want everybody on the same wire. It gets _busy_ with all them packets.


Again totally irrelevant.
>
> 4. Security. Public, versus DMZ, versus internal networks.


Again, I don't think this was part of the original question.
>
>>Is it to keep fewer records in your arp table?


No.

>
> That's item 3. When my company set up the IP network in 1986, they used
> a 255.255.252.0 network mask - allowing 1022 hosts on each subnet. I
> don't think we've ever had more than 600 on a given subnet, but "be
> prepared". By 1994, we were installing Etherswitches to break our coax
> into chunks with no more than 70 workstations or 4 servers or one router
> on a segment. In 1997, we started transitioning to switched 100BaseT
> media, just as now we are replacing that with 1000BaseT and fiber. The
> whole reason is to reduce the congestion on the individual wire. Yes,
> we're still using that same network mask.


That's different again. You use subnets to separate a large IP address
range into smaller pieces, which are then used via different local
networks. Those local networks may be in different locations or different
departments, separated by a router. However, unless there's a firewall
between the subnets, there will be no barrier to communication between
them. IP applications don't care about subnets etc. They simply see an
address that they can communicate with. How the address is handled depends
on a lower layer in the protocol stack.

James Knott (12-10-2005, 11:20 AM)
John wrote:

> Ah... When you say, "on the same wire", do you include machines plugged
> into each other via a switch, along with the ones connected to each
> other via simple hubs?


Generally, that would refer to hosts in the same broadcast zone, that is
there's no router in between. They could be connected via switch, hub or
coax cable. The method is irrelevant, as they're functionally equivalent,
from the host's perspective.

Menno Duursma (12-10-2005, 01:16 PM)
On Sat, 10 Dec 2005 07:18:00 -0500, James Knott wrote:

> [ ... ] You use subnets to separate a large IP address range, into
> smaller pieces,


Which can be mapped to names (via /etc/networks, DNS, NIS or whatever).
The full machine hostname would become: <host>.<subnet>.<tld>

> which are then used via different local networks. Those local networks
> may be in different locations or different departments, separated by a
> router.


That may as well be VLANed bridge/switch segments.

--
-Menno.

prg (12-10-2005, 02:39 PM)
James Knott wrote:
> Moe Trin wrote:
>
> > On Fri, 09 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
> > in article <WE9mf.5274$(E-Mail Removed)>, John wrote:
> >
> >>What are the reasons for creating a subnet on your network?
> >>
> >>AFAICT, almost all your systems (except the gateway to the net) get
> >>non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
> >>subnet by setting an IP and netmask with ifconfig, and updating your
> >>routing table (and the routing tables of other systems on your network
> >>-- or have DHCP do it I presume) to know about the subnet. But what I
> >>don't see is the point.

> >
> > 1. Administrative. To separate entities that wouldn't normally be
> > talking to each other - accounting versus engineering versus sales

>
> Using different subnets on the same local network will not do that.
> Computers on the different subnets can still communicate freely.


Huh??? Senseless. Without proper route table entries, the router
won't forward _any_ packets between subnets. And of course, broadcasts
are not forwarded. This is what subnets and routers are designed to
do. In fact, even _on_ the same wire, hostA can be "isolated/hidden"
from hostB by placing hostA on a different subnet. Was a common trick
in the days of terminated coax and hosts that needed to be kept "apart"
but had to share a common _physical_ pathway.

> > 2. Physical separation. The facility in town A can't possibly be on
> > the same wire as the facility in town B (never mind states or countries).

>
> I don't think this is relevant to the question. I assume the OP was
> referring to a single local network.


You mean "local" as restricted to ethernet? My school system has each
campus on a separate subnet, and the admins' "local" subnet is separate
from the students'. Done with route tables, not a firewall. OP may
(or may not) benefit from understanding that IP subnets are not
restricted by physical location/layout. It's a _logical_ networking
protocol.

> > 3. Traffic. Ethernet is a common carrier type of network. You don't
> > want everybody on the same wire. It gets _busy_ with all them packets.

>
> Again totally irrelevant.


In the absence of switches, just how do you propose to avoid contention
on the wire? How do you propose to exert _some_ control over backbone
access and traffic load?

> > 4. Security. Public, versus DMZ, versus internal networks.

>
> Again, I don't think this was part of the original question.


Yes, security and the role of subnets in providing some of it are
pointless.

> >>Is it to keep fewer records in your arp table?

>
> No.
>
> >
> > That's item 3. When my company set up the IP network in 1986, they used
> > a 255.255.252.0 network mask - allowing 1022 hosts on each subnet. I
> > don't think we've ever had more than 600 on a given subnet, but "be
> > prepared". By 1994, we were installing Etherswitches to break our coax
> > into chunks with no more than 70 workstations or 4 servers or one router
> > on a segment. In 1997, we started transitioning to switched 100BaseT
> > media, just as now we are replacing that with 1000BaseT and fiber. The
> > whole reason is to reduce the congestion on the individual wire. Yes,
> > we're still using that same network mask.

>
> That's different again. You use subnets to separate a large IP address
> range, into smaller pieces, which are then used via different local
> networks. Those local networks may be in different locations or different
> departments, separated by a router. However, unless there's a firewall
> between the subnets, there will be no barrier to communication between
> them.


Good to know I don't need routers to segregate/integrate/control access
between subnets -- just a firewall. Does this mean that I need a
firewall to connect my web server (accessed by the intranet/internet)
to the database that sits on a different subnet and provides all the
data? Same for my logging host? Must my multi-homed web server forward
traffic between the "public" interface and the backend interface? If
it doesn't, do I still need a firewall to protect my backend subnet
from the "public" traffic? Does the Weak ES host model used by Linux
affect this?

> ... IP applications don't care about subnets etc. They simply see an
> address that they can communicate with. How the address is handled depends
> on a lower layer in the protocol stack.

John (12-10-2005, 05:59 PM)
James Knott wrote:
> John wrote:
>
> [snip]
>
> Incidentally, all IPs are routable. It is only routing rules that prevent
> the RFC 1914 address from reaching the internet. Many companies use those
> address ranges for internal company networks and route them as necessary.
>


Za! Thank you James! It's funny the things you take for granted when
learning a new subject. I'd just somehow assumed that packets addressed
to those special IP addresses (I think you mean rfc1918) never made it
past *any* router. Hm. Maybe I should go back to regular coffee...

---J

--
[ remove zees if contacting via email ]