Monday, June 29, 2015

IPv4 Subnet Masks Made Simple

Subnet masking is one of those "black magic" topics of networking that you either get or you don't.  Unfortunately, most published explanations of subnet masking do a very poor job of explaining it to the lay person or to the beginning IT engineer. 

Accordingly, this blog post is an attempt to offer a simple explanation for people who need to understand this.  The contents of this blog primarily come from the EnGenius Certified System Engineer training course, written by Jason D. Hintersteiner, Copyright 2014-2015.

What is a subnet mask?

When configuring a static IPv4 address on a network device (i.e. PC, laptop, network switch, AP, etc.), you need to provide at least four parameters:

  • IP Address:  This is the unique 32 bit address of the network device
  • Subnet Mask:  This defines the scope (i.e. size) of the LAN
  • Default Gateway:  This defines the location of the router on the LAN which will route traffic intended for external networks (e.g. Internet)
  • DNS Server(s):  These define the IP addresses of domain name resolution (DNS) servers to convert human-friendly (well, friendlier) server names (e.g. www.emperorwifi.com) into its corresponding IP address (e.g. 173.194.206.121).     

The subnet mask, therefore, defines the size of the local area network (LAN), so that the device can determine whether other network devices it communicates with are on the internal LAN or on the external wide area network (WAN).

Why do we distinguish between LAN and WAN?


Quite simply, a network device needs to know how to address traffic.  Every network interface card (NIC), whether wired or wireless, has a MAC address.  This is a unique 48 bit address, expressed in 6 hexadecimal octets as in 88:dc:96:ab:cd:ef, that is burned into the hardware when the NIC is manufactured (though it can be spoofed in most operating systems).   When network devices intercommunicate, the first address used in that communication is the MAC address, not the IP address.  MAC addresses, though, do not leave the realm of a LAN.   If two devices are on the same LAN, they will communicate directly by specifying each other's MAC addresses.  Note that the gateway / router is not involved in this communication, and will probably never even see the traffic depending on how the network is structured.  When a device wants to communicate with another device not in the LAN, the device communicates to the MAC address of the default gateway, which in turn routes the traffic on to the WAN.

How is a subnet mask structured?

By definition, a subnet mask must be of equal length to the IP address, as it is used as a filter to express what portion of the IP address is "local" vs. global".  In IPv4, therefore, the subnet mask is a 32 bit number, usually expressed in dotted decimal notation.  Similarly, in IPv6, the subnet mask is a 128 bit number expressed in hex.  

Unlike an IP address, however, a subnet mask only has a specific set of values.   To understand this, it makes more sense to look at the subnet mask in binary.   The subnet mask consists of a contiguous set of "1"s followed by a contiguous set of "0"s.    The "1"s indicate the bits in the IP address used for comparison - when that portion of the IP address matches between two hosts, the two hosts are on the same LAN.  If that portion of the address doesn't match, then they are on different networks and traffic must be sent through a router / gateway in order to communicate. 

As a shorthand, classless inter-domain routing (CIDR) notation is used with a "/" after the IP address.  The CIDR notation is actually more intuitive than the dotted decimal notation, as it indicates the number of "1"s in the subnet mask.   The following table shows the complete set of valid IPv4 subnet masks.


The larger the subnet, the lower the CIDR number, and the more hosts that can share the same LAN.  The total number of devices on the LAN is 2^(32 - CIDR). 

Practical Examples and Reserved Addresses

Most consumer and enterprise equipment come with a 255.255.255.0 or /24 subnet mask by default, and this is the one people are generally familiar with.  

A network that is 192.168.0.0/24 means that it has 256 total addresses on the LAN [i.e. 2^(32-24) = 2^8 = 256] with an address range of 192.168.0.0 - 192.168.0.255. 

A network that is 192.168.0.0/28 means that it has 16 total addresses on the LAN [i.e. 2^(32-28) = 2^4 = 16] with an address range of 192.168.0.0 - 192.168.0.15.  

A network that is 192.168.0.0/21 means that it has 2048 addresses on the LAN [i.e. 2^(32-21) = 2^11 = 2048] with an address range of 192.168.0.0 - 192.168.7.255.

In IPv4, there are also reserved addresses, as follows:
  • Network Address:   This identifies the subnet.  This is always the first address of the range. 
  • Broadcast Address:   This is the address that is used to communicate broadcast messages to all devices within a LAN.   (An example is DHCP responses from the DHCP server).  This is always the last address of the range.
The network address and the broadcast address must be defined with the subnet mask in order to provide context.  As an example, the three networks above (192.168.0.0/24, 192.168.0.0/28, 192.168.0.0/21) all have the same network address, namely 192.168.0.0, but different broadcast addresses (i.e. 192.168.0.255, 192.168.0.15, 192.168.7.255).    Similarly, two different networks can share the same broadcast address (e.g. 192.168.7.255 is a valid broadcast address for 192.168.0.0/21 as well as 192.168.7.0/24). 

One additional note, because of the network address and broadcast address, the number of LAN addresses that can be used for hosts is always 2 less than the number of addresses on the subnet. It is actually 3 less, because a host address has to be reserved for the gateway to route traffic to the external network (e.g. the Internet).  By convention and convenience, the gateway is assigned to either the first or the last usable host IP address (e.g. 192.168.0.1 or 192.168.0.254 in our 192.168.0.0/24 example), though strictly speaking it can be any valid host address on the subnet.

Why Do We Care?

We care about subnet masking when architecting wired and wireless networks, to ensure that we can accommodate all of the hosts we expect to see on the network.  As the number of devices per user continues to increase (who doesn't have a smartphone, tablet, e-reader, and laptop when they travel, and perhaps a game console and other network-enabled devices as well), and as the IoT trend introduces a torrent of small devices on our person and in our environments to measure all sorts of things, the typical 255.255.255.0 subnet mask is no longer sufficient.

Take the example of a 100 room hotel that has a guest network.  We generally want all of our guests on the same subnet, to facilitate their ability to wirelessly roam around the hotel (i.e. they can use the device in their room and stay connected when they go down to the hotel's pool or restaurant).   If we use a 255.255.255.0 subnet mask, we have 253 possible hosts to accommodate.  When guests average 1 device per user, 100 devices on the network falls well within our 253 possible hosts.  At an average of 2 devices per user, 200 devices on the network starts to come uncomfortably close to our 253 address limit.  At an average of 3 devices per user (3-4 devices per guest is currently "common"), we've exceeded our address pool of 253 devices, meaning that 47 devices are not getting an address and getting on the network, leading to complaints, aggravated guests, aggravated staff, and future lost business.  The same scenario in a 200 room hotel reaches that 253 host limit a lot more quickly.

However, if we use a subnet that is a /22 (1021 usable addresses for guests) or /21 (2045 usable addresses for guests), we have increased the size of the local area network and thus the total address pool.

Hopefully you found this explanation clear and straightforward.  Any questions?  Please post a comment.

2 comments:

  1. I will admit my tech illiteracy now and admit that I know next to nothing about IPv4 masks etc. However, that is why I like your post, because you made it easier to understand. I was especially interested in your hotel example. I have stayed at places where the internet worked fine until evening when it crashed. It's kind of nice to know at least one reason this can happen.

    iptrading.com

    ReplyDelete
    Replies
    1. I am glad you enjoyed the post.

      There are several reasons why Wi-Fi can suck at a hotel, especially during peak usage hours like evenings. Running out of IP addresses is one of those, but it is also easily avoidable with proper subnet planning.

      In some cases, the property may simply not have adequate Internet bandwidth to handle the level of traffic from the guests, which is driven by availability of broadband and cost. Most hotels are smart enough these days to know better, and usually are willing to spend the money to have at least a decent amount of bandwidth for their size.

      The most typical reason for bad Wi-Fi is co-channel interference, where neighboring APs are on the same (or overlapping) channels and thus can interfere with each other. The busier the network, the more Wi-Fi traffic is being generated, the more likely that neighboring APs will interfere with each other, and the more that the network comes to a crawl as a result.

      Delete