
subnets and subnetting


John

Dec 9, 2005, 1:34:38 AM
What are the reasons for creating a subnet on your network?

AFAICT, almost all your systems (except the gateway to the net) get
non-routable IPs (ex. 10.0.n.m or 192.168.n.m), then you create a
subnet by setting an IP and netmask with ifconfig, and updating your
routing table (and the routing tables of other systems on your network
-- or have DHCP do it I presume) to know about the subnet. But what I
don't see is the point.

Is it to keep fewer records in your arp table?

Do you only create subnets on a LAN where all nodes can talk to
each other? Or are you supposed to only create subnets when you've got a
router with an extra NIC on it?

Instead of using subnets, why not just drop a router anywhere you've got
a fairly large related group of chatty hosts, connect those hosts to
hubs/switches, then connect the uplink to that router?

I've been reading from sources like Frisch's "Essential System
Administration" and
http://www.tcpipguide.com/free/t_IPSubnetAddressingSubnettingConcepts.htm
but although most docs discuss extensively how to compute netmasks and
related technical details, I'm still struggling with seeing the big
picture here. Thanks.

---J

--
[ remove zees if contacting via email ]

Michael Heiming

Dec 9, 2005, 2:41:06 AM
In comp.os.linux.networking John <john_si...@yahooz.com>:

> What are the reasons for creating a subnet on your network?

There are several possible reasons. A few that come to my mind
off-hand:

You have thousands or even tens of thousands of hosts and want to
separate them. Clients using DHCP and server using fixed IP.

M$ clients tend to be quite chatty, put them in their own subnet
so they can happily broadcast the whole day without annoying
others.

You want to build a DMZ for critical stuff and separate them
using firewalls, or a WLAN where you only allow certain
services like ssh to the cable LAN.

You want separate backup LAN(s) for better performance.

Good luck

[..]

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvp...@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 409: The vulcan-death-grip ping has been applied.

Moe Trin

Dec 9, 2005, 3:01:37 PM
On Fri, 09 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
in article <WE9mf.5274$O05....@fe09.lga>, John wrote:

>What are the reasons for creating a subnet on your network?
>
>AFAICT, almost all your systems (except the gateway to the net) get
>non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
>subnet by setting an IP and netmask with ifconfig, and updating your
>routing table (and the routing tables of other systems on your network
>-- or have DHCP do it I presume) to know about the subnet. But what I
>don't see is the point.

1. Administrative. To separate entities that wouldn't normally be
talking to each other - accounting versus engineering versus sales

2. Physical separation. The facility in town A can't possibly be on
the same wire as the facility in town B (never mind states or countries).

3. Traffic. Ethernet is a common carrier type of network. You don't
want everybody on the same wire. It gets _busy_ with all them packets.

4. Security. Public, versus DMZ, versus internal networks.

>Is it to keep fewer records in your arp table?

That's item 3. When my company set up the IP network in 1986, they used
a 255.255.252.0 network mask - allowing 1022 hosts on each subnet. I
don't think we've ever had more than 600 on a given subnet, but "be
prepared". By 1994, we were installing Etherswitches to break our coax
into chunks with no more than 70 workstations or 4 servers or one router
on a segment. In 1997, we started transitioning to switched 100BaseT
media, just as now we are replacing that with 1000BaseT and fiber. The
whole reason is to reduce the congestion on the individual wire. Yes,
we're still using that same network mask.

>Do you only create subnets on a LAN where all nodes can talk to
>each other? Or are you supposed to only create subnets when you've got a
>router with an extra NIC on it?

If you mean having two subnets on the same physical wire - that negates
the whole reason for subnetting.

>Instead of using subnets, why not just drop a router anywhere you've got
>a fairly large related group of chatty hosts, connect those hosts to
>hubs/switches, then connect the uplink to that router?

That's more normal.

>I've been reading from sources like Frisch's "Essential System
>Administration" and
>http://www.tcpipguide.com/free/t_IPSubnetAddressingSubnettingConcepts.htm
>but although most docs discuss extensively how to compute netmasks and
>related technical details, I'm still struggling with seeing the big
>picture here. Thanks.

The Linux Network Administrator's Guide (from the LDP as well as O'Reilly)
is also a good read.

Old guy

John

Dec 10, 2005, 12:29:24 AM
Moe Trin wrote:
> On Fri, 09 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
> in article <WE9mf.5274$O05....@fe09.lga>, John wrote:
>
>
>>What are the reasons for creating a subnet on your network?
>>
>>AFAICT, almost all your systems (except the gateway to the net) get
>>non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
>>subnet by setting an IP and netmask with ifconfig, and updating your
>>routing table (and the routing tables of other systems on your network
>>-- or have DHCP do it I presume) to know about the subnet. But what I
>>don't see is the point.
>
>
> 1. Administrative. To separate entities that wouldn't normally be
> talking to each other - accounting versus engineering versus sales
>
> 2. Physical separation. The facility in town A can't possibly be on
> the same wire as the facility in town B (never mind states or countries).

Ah... When you say, "on the same wire", do you include machines plugged
into each other via a *switch*, along with the ones connected to each
other via simple hubs?


> 3. Traffic. Ethernet is a common carrier type of network. You don't
> want everybody on the same wire. It gets _busy_ with all them packets.

Again though, from what I understand, a switch will not forward traffic
that it learns doesn't need to be forwarded, so does this reason for
using a subnet still hold?


> 4. Security. Public, versus DMZ, versus internal networks.
>
>
>>Is it to keep fewer records in your arp table?
>
>
> That's item 3. When my company set up the IP network in 1986, they used
> a 255.255.252.0 network mask - allowing 1022 hosts on each subnet.

Ah. So, in terms used back then, they were assigned a "class B" network?


> I don't think we've ever had more than 600 on a given subnet, but "be
> prepared". By 1994, we were installing Etherswitches

(before my time I believe -- I'm guessing these are just like regular
switches, only for coax instead of twisted pair)

> to break our coax
> into chunks with no more than 70 workstations or 4 servers or one router
> on a segment.

I see. A segment here is one bus where everybody sees all packets.


> In 1997, we started transitioning to switched 100BaseT
> media, just as now we are replacing that with 1000BaseT and fiber. The
> whole reason is to reduce the congestion on the individual wire. Yes,
> we're still using that same network mask.

:)

>
>>Do you only create subnets on a LAN where all nodes can talk to
>>each other? Or are you supposed to only create subnets when you've got a
>>router with an extra NIC on it?
>
>
> If you mean having two subnets on the same physical wire - that negates
> the whole reason for subnetting.

Ah! Ok, thanks. I'd been learning about subnets with the mental model of
them being on the same physical wire.

>
>>Instead of using subnets, why not just drop a router anywhere you've got
>>a fairly large related group of chatty hosts, connect those hosts to
>>hubs/switches, then connect the uplink to that router?
>
>
> That's more normal.

Hm. This is what I'm not getting. If you don't use subnets *between*
nodes on the same physical wire, then that means you use them for a
group of nodes connected to some interface to the rest of the network,
right? Well, if that interface is a router, it's not going to forward
packets that are being locally delivered anyway, so what use is making
that group of computers into its own subnet?


>
>>I've been reading from sources like Frisch's "Essential System
>>Administration" and
>>http://www.tcpipguide.com/free/t_IPSubnetAddressingSubnettingConcepts.htm
>>but although most docs discuss extensively how to compute netmasks and
>>related technical details, I'm still struggling with seeing the big
>>picture here. Thanks.
>
>
> The Linux Network Administrator's Guide (from the LDP as well as O'Reilly)
> is also a good read.
>
> Old guy

Thanks again Old guy. I didn't like that guide the first time I looked
at it, but I'll give it another try. Meantime, I've got a copy of Craig
Hunt's "TCP/IP Network Administration, 3rd ed" here that looks quite useful.

Thanks again for your comments on this.

James Knott

Dec 10, 2005, 7:11:28 AM
John wrote:

> What are the reasons for creating a subnet on your network?
>
> AFAICT, almost all your systems (except the gateway to the net) get
> non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
> subnet by setting an IP and netmask with ifconfig, and updating your
> routing table (and the routing tables of other systems on your network
> -- or have DHCP do it I presume) to know about the subnet. But what I
> don't see is the point.
>
> Is it to keep fewer records in your arp table?
>
> Do you only create subnets on a LAN where all nodes can talk to
> each other? Or are you supposed to only create subnets when you've got a
> router with an extra NIC on it?
>
> Instead of using subnets, why not just drop a router anywhere you've got
> a fairly large related group of chatty hosts, connect those hosts to
> hubs/switches, then connect the uplink to that router?
>
>

I can't think of any valid reason for having different subnets on the same
wire. It won't affect the arp cache at all, as it is populated and cleared
through normal use. It knows nothing about subnets etc. All it does is
match an IP to a MAC address. Also, if you do set up different subnets,
when you try to reach one on the other subnet, your computer will send the
traffic to your default route. The router, knowing that the destination is
on the same local network as you, will send an ICMP redirect, telling your
computer to send directly to the destination. So, multiple subnets on the
same network will only generate more traffic, with no benefit.


Incidentally, all IPs are routable. It is only routing rules that prevent
the RFC 1914 address from reaching the internet. Many companies use those
address ranges for internal company networks and route them as necessary.
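The mask arithmetic from Moe Trin's post (255.255.252.0, 1022 hosts) and the delivery decisions described in this reply, put into runnable form. This is an added example for the thread, not code from any poster: it uses only Python's standard-library ipaddress module, and the 10.0.4.0/22 addresses, interface names and toy routing table are constructed samples.

```python
"""Subnet arithmetic and the local-vs-routed delivery decision.

Added example (not from the thread). Uses only the standard-library
ipaddress module; all addresses and the routing table are constructed.
"""
import ipaddress

RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def prefix_for_mask(dotted_mask):
    """Dotted-quad netmask -> prefix length (255.255.252.0 -> 22)."""
    return ipaddress.ip_network(f"0.0.0.0/{dotted_mask}").prefixlen


def usable_hosts(network_cidr):
    """Host addresses in a subnet, minus the network and broadcast
    addresses: a /22 has 1024 - 2 = 1022, the figure in the thread."""
    net = ipaddress.ip_network(network_cidr, strict=False)
    return net.num_addresses - 2


def host_next_hop(my_ip, my_mask, dest_ip, default_gw):
    """The decision a host's IP stack makes for each outgoing packet.

    If (dest AND mask) == (my_ip AND mask) the host ARPs for dest and
    delivers on the wire itself; otherwise it ARPs for the default
    gateway and hands the packet over. Nothing else (firewall, router
    config) is consulted at this step, which is why a host on another
    subnet sharing the same wire still sends via the router first.
    """
    iface = ipaddress.ip_interface(f"{my_ip}/{my_mask}")
    if ipaddress.ip_address(dest_ip) in iface.network:
        return ("local", dest_ip)
    return ("via-gateway", default_gw)


def router_action(routes, in_iface, dest_ip):
    """Toy router: routes is a list of (network, interface) pairs.

    Longest-prefix match picks the egress interface. No match means the
    packet is dropped (prg's point: without route entries nothing is
    forwarded). If egress == ingress, a real router forwards the packet
    AND sends an ICMP redirect so the sender talks directly next time
    (James Knott's point about two subnets on one wire).
    """
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for net_str, iface in routes:
        net = ipaddress.ip_network(net_str)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return "drop: no route"
    if best[1] == in_iface:
        return f"forward via {best[1]} + ICMP redirect"
    return f"forward via {best[1]}"


def is_rfc1918(ip):
    """RFC 1918 space is ordinary unicast; only routing policy keeps it
    off the public internet (James Knott's closing remark)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in RFC1918_BLOCKS)


if __name__ == "__main__":
    print(prefix_for_mask("255.255.252.0"), usable_hosts("10.0.4.0/22"))
    print(host_next_hop("10.0.4.17", "255.255.252.0", "10.0.6.200", "10.0.4.1"))
    print(host_next_hop("10.0.4.17", "255.255.252.0", "10.0.8.5", "10.0.4.1"))
    routes = [("10.0.4.0/22", "eth0"), ("10.0.8.0/22", "eth1")]
    print(router_action(routes, "eth0", "10.0.8.5"))      # forward via eth1
    print(router_action(routes, "eth0", "10.0.5.9"))      # forward via eth0 + redirect
    print(router_action(routes, "eth0", "192.168.50.1"))  # drop: no route
```

The host-side function is the part the original question keeps circling: the netmask only decides whether the sender ARPs for the destination or for the gateway. Separation between subnets comes from what the router is (or is not) configured to forward, which is what the rest of the thread argues about.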

James Knott

Dec 10, 2005, 7:18:00 AM
Moe Trin wrote:

> On Fri, 09 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
> in article <WE9mf.5274$O05....@fe09.lga>, John wrote:
>
>>What are the reasons for creating a subnet on your network?
>>
>>AFAICT, almost all your systems (except the gateway to the net) get
>>non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
>>subnet by setting an IP and netmask with ifconfig, and updating your
>>routing table (and the routing tables of other systems on your network
>>-- or have DHCP do it I presume) to know about the subnet. But what I
>>don't see is the point.
>
> 1. Administrative. To separate entities that wouldn't normally be
> talking to each other - accounting versus engineering versus sales

Using different subnets on the same local network will not do that.
Computers on the different subnets can still communicate freely.

>
> 2. Physical separation. The facility in town A can't possibly be on
> the same wire as the facility in town B (never mind states or countries).

I don't think this is relevant to the question. I assume the OP was
referring to a single local network.

>
> 3. Traffic. Ethernet is a common carrier type of network. You don't
> want everybody on the same wire. It gets _busy_ with all them packets.

Again totally irrelevant.


>
> 4. Security. Public, versus DMZ, versus internal networks.

Again, I don't think this was part of the original question.


>
>>Is it to keep fewer records in your arp table?

No.

>
> That's item 3. When my company set up the IP network in 1986, they used
> a 255.255.252.0 network mask - allowing 1022 hosts on each subnet. I
> don't think we've ever had more than 600 on a given subnet, but "be
> prepared". By 1994, we were installing Etherswitches to break our coax
> into chunks with no more than 70 workstations or 4 servers or one router
> on a segment. In 1997, we started transitioning to switched 100BaseT
> media, just as now we are replacing that with 1000BaseT and fiber. The
> whole reason is to reduce the congestion on the individual wire. Yes,
> we're still using that same network mask.

That's different again. You use subnets to separate a large IP address
range, into smaller pieces, which are then used via different local
networks. Those local networks may be in different locations or different
departments, separated by a router. However, unless there's a firewall
between the subnets, there will be no barrier to communication between
them. IP applications don't care about subnets etc. They simply see an
address that they can communicate with. How the address is handled depends
on a lower layer in the protocol stack.

James Knott

Dec 10, 2005, 7:20:11 AM
John wrote:

> Ah... When you say, "on the same wire", do you include machines plugged

> into each other via a switch, along with the ones connected to each
> other via simple hubs?

Generally, that would refer to hosts in the same broadcast zone, that is
there's no router in between. They could be connected via switch, hub or
coax cable. The method is irrelevant, as they're functionally equivalent,
from the host's perspective.

Menno Duursma

Dec 10, 2005, 9:16:22 AM
On Sat, 10 Dec 2005 07:18:00 -0500, James Knott wrote:

> [ ... ] You use subnets to separate a large IP address range, into
> smaller pieces,

Which can be mapped to names (via /etc/networks , DNS , NIS or whatever.)
The full machine hostname would become: <host>.<subnet>.<tld>

> which are then used via different local networks. Those local networks
> may be in different locations or different departments, separated by a
> router.

That may as well be VLANed bridge/switch segments.

--
-Menno.

prg

Dec 10, 2005, 10:39:52 AM

James Knott wrote:
> Moe Trin wrote:
>
> > On Fri, 09 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
> > in article <WE9mf.5274$O05....@fe09.lga>, John wrote:
> >
> >>What are the reasons for creating a subnet on your network?
> >>
> >>AFAICT, almost all your systems (except the gateway to the net) get
> >>non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
> >>subnet by setting an IP and netmask with ifconfig, and updating your
> >>routing table (and the routing tables of other systems on your network
> >>-- or have DHCP do it I presume) to know about the subnet. But what I
> >>don't see is the point.
> >
> > 1. Administrative. To separate entities that wouldn't normally be
> > talking to each other - accounting versus engineering versus sales
>
> Using different subnets on the same local network will not do that.
> Computers on the different subnets can still communicate freely.

Huh??? Senseless. Without proper route table entries, the router
won't forward _any_ packets between subnets. And of course, broadcasts
are not forwarded. This is what subnets and routers are designed to
do. In fact, even _on_ the same wire, hostA can be "isolated/hidden"
from hostB by placing hostA on a different subnet. Was a common trick
in the days of terminated coax and hosts that need to be kept "apart"
but had to share a common _physical_ pathway.

> > 2. Physical separation. The facility in town A can't possibly be on
> > the same wire as the facility in town B (never mind states or countries).
>
> I don't think this is relevant to the question. I assume the OP was
> referring to a single local network.

You mean "local" as restricted to ethernet? My school system has each
campus on a separate subnet, and the admins' "local" subnet is separate
from the students'. Done with route tables, not a firewall. OP may
(or may not) benefit from understanding that IP subnets are not
restricted by physical location/layout. It's a _logical_ networking
protocol.

> > 3. Traffic. Ethernet is a common carrier type of network. You don't
> > want everybody on the same wire. It gets _busy_ with all them packets.
>
> Again totally irrelevant.

In the absence of switches, just how do you propose to avoid contention
on the wire? How do you propose to exert _some_ control over backbone
access and traffic load?

> > 4. Security. Public, versus DMZ, versus internal networks.
>
> Again, I don't think this was part of the original question.

Yes, security and the role of subnets in providing some of it are
pointless.

> >>Is it to keep fewer records in your arp table?
>
> No.
>
> >
> > That's item 3. When my company set up the IP network in 1986, they used
> > a 255.255.252.0 network mask - allowing 1022 hosts on each subnet. I
> > don't think we've ever had more than 600 on a given subnet, but "be
> > prepared". By 1994, we were installing Etherswitches to break our coax
> > into chunks with no more than 70 workstations or 4 servers or one router
> > on a segment. In 1997, we started transitioning to switched 100BaseT
> > media, just as now we are replacing that with 1000BaseT and fiber. The
> > whole reason is to reduce the congestion on the individual wire. Yes,
> > we're still using that same network mask.
>
> That's different again. You use subnets to separate a large IP address
> range, into smaller pieces, which are then used via different local
> networks. Those local networks may be in different locations or different
> departments, separated by a router. However, unless there's a firewall
> between the subnets, there will be no barrier to communication between
> them.

Good to know I don't need routers to segregate/integrate/control access
between subnets -- just a firewall. Does this mean that I need a
firewall to connect my web server (accessed by the intranet/internet)
to the database that sits on a different subnet and provides all the
data? Same for my logging host? Must my multi-homed web server forward
traffic between the "public" interface and the backend interface? If
it doesn't, do I still need a firewall to protect my backend subnet
from the "public" traffic? Does the Weak ES host model used by Linux
affect this?

> ... IP applications don't care about subnets etc. They simply see an

John

Dec 10, 2005, 1:59:57 PM
James Knott wrote:
> John wrote:
>
> [snip]

>
> Incidentally, all IPs are routable. It is only routing rules that prevent
> the RFC 1914 address from reaching the internet. Many companies use those
> address ranges for internal company networks and route them as necessary.
>

Za! Thank you James! It's funny the things you take for granted when
learning a new subject. I'd just somehow assumed that packets addressed
to those special IP addresses (I think you mean rfc1918) never made it
past *any* router. Hm. Maybe I should go back to regular coffee... ;)

James Knott

Dec 10, 2005, 7:14:56 PM
prg wrote:

>> Using different subnets on the same local network will not do that.
>> Computers on the different subnets can still communicate freely.
>
> Huh??? Senseless. Without proper route table entries, the router

> won't forward any packets between subnets. And of course, broadcasts


> are not forwarded. This is what subnets and routers are designed to

> do. In fact, even on the same wire, hostA can be "isolated/hidden"


> from hostB by placing hostA on a different subnet. Was a common trick
> in the days of terminated coax and hosts that need to be kept "apart"

> but had to share a common physical pathway.

What exactly was the OP talking about? The impression I got, was that he
was referring to having different subnets on the same local network. If
so, my comments stand. What exactly is it he's asking about?

As for having multiple subnets on the same local wire, and both are
communicating with the default router, when a host on one subnet tries to
use the default route, it will be told that the other host is on the same
local network, by means of an ICMP redirect, which will tell the host to
communicate directly, instead of via the router. You cannot hide one
computer from the other, if they're on the same local network. I know this
from experience, when I tried an experiment with two subnets on the same
local network.

> > I don't think this is relevant to the question. I assume the OP was
> > referring to a single local network.
>
> You mean "local" as restricted to ethernet? My school system has each
> campus on a separate subnet, and the admins' "local" subnet is separate
> from the students'. Done with route tables, not a firewall. OP may
> (or may not) benefit from understanding that IP subnets are not

> restricted by physical location/layout. It's a logical networking
> protocol.
>

I assumed "local" means a single ethernet (or other) network, where all
computers can see broadcasts from any other. That is, there are no routers
between them.


As for the rest of your note, there's no point in commenting, until we find
out what the OP was talking about. We seem to be heading in completely
different directions.

James Knott

Dec 10, 2005, 7:16:36 PM
John wrote:

In your original question, were you referring to subnets on the same local
network? Or subnets physically separated by a router?

Moe Trin

Dec 10, 2005, 10:04:34 PM
On Sat, 10 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
in article <PNtmf.5679$O05....@fe09.lga>, John wrote:

>Ah... When you say, "on the same wire", do you include machines plugged
>into each other via a *switch*, along with the ones connected to each
>other via simple hubs?

Yes - also includes concentrators and coaxial networks.

>Again though, from what I understand, a switch will not forward traffic
>that it learns doesn't need to be forwarded, so does this reason for
>using a subnet still hold?

_Something_ has got to move those bits about, so even a switch is going
to get busy eventually.

>> By 1994, we were installing Etherswitches
>
>(before my time I believe -- I'm guessing these are just like regular
>switches, only for coax instead of twisted pair)

Basically yes. The units we were using had different interfaces
available, so you could use them on 10BaseT, 10Base5 (AUI - called
thick-net) or a BNC for 10Base2 (thin-net or cheaper-net).

>I see. A segment here is one bus where everybody sees all packets.

Yes

>Ah! Ok, thanks. I'd been learning about subnets with the mental model of
>them being on the same physical wire.

No, you would normally break this up into segments based on something like
a single building, or even part of a single floor of a multi-story building.

>Hm. This is what I'm not getting. If you don't use subnets *between*
>nodes on the same physical wire, then that means you use them for a
>group of nodes connected to some interface to the rest of the network,
>right? Well, if that interface is a router, it's not going to forward
>packets that are being locally delivered anyway, so what use is making
>that group of computers into its own subnet?

By the way, I thought of a fifth reason for subnetting - different
speeds. I still have some 10 MHz Ethernet, a lot of 100 MHz, and some
Gigabit. Those have got to go on separate wires. I know the DMZ is
still running on 10 Megabit simply because the pipe to the world can
be saturated with that - why should we spend money for a faster net
when no one can see any speed benefit? Likewise, the network we use
for backups is "slow" because the data can only be written to backup
media so fast. On the other hand, we've moved ALL of our file servers
to Gigabit copper, because we can use the added speed.

The world began in Ethernet with 10Base5 - roughly 1/2 inch diameter coax,
and any segment could be no longer than 500 meters (1640 feet) though
you could use bridges to add additional segments off a backbone. Rule one
said "two repeaters max" between any two nodes. Rule two said the taps
on the coax had to be spaced a multiple of 2.5 meters (8.2 feet) apart.
The repeater (if used) counted as a tap. Now if you were really silly,
you could install 248 repeaters on the "main" coax, and each of those
repeaters could feed a side coax with 247 more hosts. This was virtually
guaranteed NOT to work - as that is 61256 hosts on a single collision
domain. Try to get a word in edgewise. No way, Jose. Got that in
your mind? Now, let's back it down to something more practical - say
one backbone, and two repeaters. We're still talking about 740 hosts
on one wire. This might work, (it did for us, but systems weren't as
talkative as they are today), but is far from optimum.

I mentioned a thing called a 'collision domain'. While signals travel
on the wire pretty fast (0.7 times the speed of light - about 200 million
meters a second), a bit at 10 MHz on the wire is about 20 meters in
length. So with a 500 meter long cable, a host on one end could start
shoveling bits onto the wire, and have sent 25 of them before a host
on the other end of that same wire saw the first one. Ethernet works
by only having one guy transmitting at a time. What happens when
both hosts at the end of the wire try to transmit at the same time?
They'll each detect that something isn't right _after_ they've
started transmitting. Each computer says a nasty word, and continues
to transmit for a bit longer (called 'collision reinforcement') so
that everyone else on the wire who happened to try at the same time
detects the collision, then they stop, and increment that counter you
see in the /sbin/ifconfig output. They then wait a "random" amount
of time before trying to transmit again. Part of the length limit is
to make sure that any collision is detected, and a collision reinforcement
sent, and the resulting mess is still shorter than the smallest legal
packet length (on a 10 MHz Ethernet, that's an 8 byte Ethernet preamble,
6 bytes of destination address, 6 bytes of source address, a two byte
type number, and 46 bytes of "data", plus a trailing 4 byte CRC - for a
grand total of 72 bytes or 576 bit periods) and thus detectable as
garbage to be thrown away.

When you move on to a switched network, such as modern switches using
twisted pairs or fiber, this problem sorta goes away. First, you can
do 'full duplex' (both ends of the connection can transmit at the same
time). You may still run into a collision when the switch runs out of
ears to listen to you or the host on the other side of the switch is
already busy listening to another host, but they are less common.
Another problem still present is when you need to broadcast (almost
certainly an ARP packet - maybe DHCP) something, and not all the
other systems are able to listen AND the switch has run out of buffer
space.

Another problem is that switches can only get to be so big before
economics kicks in - you want to try to find a switch with 500 ports?
Guess how inexpensive that puppy is going to be. Maybe some smaller
switches and a router is going to be cheaper.

>Thanks again Old guy. I didn't like that guide the first time I looked
>at it, but I'll give it another try.

You might also want to have a look at RFC0950

0950 Internet Standard Subnetting Procedure. J.C. Mogul, J. Postel.
Aug-01-1985. (Format: TXT=37985 bytes) (Updates RFC0792) (Also
STD0005) (Status: STANDARD)

There are some magic hints hidden in there, as well as the earlier
proposals (RFC0917, 0925, 0932, 0936, 0940, and 1027). There is more
material in RFC1122, and 1219.

Old guy
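The collision-domain timing in the post above, worked through as an added example (not from the thread). It takes the post's rounded figures: 200 million m/s propagation, 10 Mbit/s, a 500 m segment, the 72-byte minimum frame and the 248 x 247 repeater layout; the function names and the field table are my own, and the round-trip bound it computes is an upper limit, since real 802.3 length limits also budget for repeater and transceiver delays and the jam signal.

```python
"""Collision-domain arithmetic for 10 Mbit/s coax Ethernet.

Added example (not from the thread), built on the figures in Moe Trin's
post: ~200 million m/s propagation, 500 m segments, and a minimum frame
of 8+6+6+2+46+4 bytes. Real 802.3 limits are tighter because repeater
and transceiver delays and the jam signal also eat into the budget.
"""

PROPAGATION_M_PER_S = 2.0e8   # post's rounded figure for ~0.7c on coax
BIT_RATE = 10_000_000         # 10 Mbit/s

# Smallest legal frame as laid out in the post (constructed table).
MIN_FRAME_FIELDS_BYTES = {
    "preamble": 8, "dst_mac": 6, "src_mac": 6, "type": 2, "data": 46, "crc": 4,
}


def bit_length_m(bit_rate=BIT_RATE, velocity=PROPAGATION_M_PER_S):
    """Distance one bit occupies on the wire: v / rate (~20 m at 10 Mbit/s)."""
    return velocity / bit_rate


def bits_in_flight(cable_m, bit_rate=BIT_RATE, velocity=PROPAGATION_M_PER_S):
    """Bits a sender has already put on the wire before the far end of the
    cable sees the first one (500 m -> 25 bits)."""
    return cable_m / bit_length_m(bit_rate, velocity)


def min_frame_bits():
    """Smallest legal frame in bit periods: 72 bytes -> 576."""
    return sum(MIN_FRAME_FIELDS_BYTES.values()) * 8


def collision_seen_in_time(cable_m):
    """A collision must reach back to the sender before it finishes the
    minimum frame, or the sender cannot tell a collision from success.
    Worst case is two hosts at opposite ends: one-way delay to the far
    host, then its reinforcement travels back -> 2 * one-way."""
    return 2 * bits_in_flight(cable_m) < min_frame_bits()


def max_cable_m_for_detection():
    """Upper bound on end-to-end length from the round-trip rule alone
    (ignores repeater/transceiver delays and the jam signal)."""
    return (min_frame_bits() / 2) * bit_length_m()


def hosts_in_collision_domain(backbone_taps, repeaters, side_hosts_per_repeater):
    """Host count for a backbone with side coaxes hung off repeaters.
    Repeaters consume backbone taps; each side coax adds its own hosts
    (the post's 248 repeaters x 247 hosts = 61256; two repeaters -> 740)."""
    return (backbone_taps - repeaters) + repeaters * side_hosts_per_repeater


if __name__ == "__main__":
    print(f"bit length: {bit_length_m():.1f} m")
    print(f"bits in flight on 500 m: {bits_in_flight(500):.0f}")
    print(f"min frame: {min_frame_bits()} bit periods")
    print(f"500 m collision detectable: {collision_seen_in_time(500)}")
    print(f"round-trip bound: {max_cable_m_for_detection():.0f} m")
    print(hosts_in_collision_domain(248, 248, 247), hosts_in_collision_domain(248, 2, 247))
```

The practical reading is the one the post gives: the segment length limit and the minimum frame size are two halves of one rule, so that a collision anywhere on the domain is still visible to the sender as garbage rather than as a delivered frame. Adding repeaters stretches the domain without changing the minimum frame, which is why the count of hosts sharing one collision domain had to be kept small.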

Moe Trin

Dec 10, 2005, 10:10:33 PM
On Sat, 10 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
in article <vfadnSIzf9f...@rogers.com>, James Knott wrote:

>Moe Trin wrote:

>> 1. Administrative. To separate entities that wouldn't normally be
>> talking to each other - accounting versus engineering versus sales
>
>Using different subnets on the same local network will not do that.
>Computers on the different subnets can still communicate freely.

I'm certainly not talking about using the same coax for multiple nets,
and I'm not sure how you got the idea I was. Don't forget, I started
on 3Base5 Ethernet, then went up side to 10Base5. Originally, I had five
or six protocols BESIDES IPv4 running on each wire. All of our network
layout was done back when thicknet was the only game in town. That holds
true even for the new facility that is being planned on the back half of
the property. It most certainly will not be using coax, but the subnet
assignments work the same way on fiber.

>I don't think this is relevant to the question. I assume the OP was
>referring to a single local network.

He's asking about how subnets are used. He doesn't understand that.
There are six main subnets in the primary building I work in, plus a
few more experimental ones that aren't supposed to be aware of each
other. There are 19 subnets in this facility. There are a lot more in
the rest of the company. Ignoring all but the primary building, there
is no way anyone would connect those six main subnets onto a single
collision domain.

>> 3. Traffic. Ethernet is a common carrier type of network. You don't
>> want everybody on the same wire. It gets _busy_ with all them packets.
>
>Again totally irrelevant.

Where can I buy these infinite bandwidth switches you are using?

>Those local networks may be in different locations or different
>departments, separated by a router. However, unless there's a firewall
>between the subnets, there will be no barrier to communication between
>them.

So your routers work at the link level? Those would be switches. Our
routers are all operating at the network level.

>IP applications don't care about subnets etc. They simply see an
>address that they can communicate with. How the address is handled
>depends on a lower layer in the protocol stack.

Is that a big shiny nit I see? ;-)

Old guy

Moe Trin

Dec 10, 2005, 10:11:24 PM
On Sat, 10 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
in article <9OKdneKo14k...@rogers.com>, James Knott wrote:

>What exactly was the OP talking about? The impression I got, was that he
>was referring to having different subnets on the same local network. If
>so, my comments stand. What exactly is it he's asking about?

I got the impression that this was fundamentals - not that specific. Yes
he was thinking of everyone on the same wire, but that idea is not part
of the discussion any more - he now knows not to do that.

>As for having multiple subnets on the same local wire, and both are
>communicating with the default router, when a host on one subnet tries to
>use the default route, it will be told that the other host is on the same
>local network, by means of an ICMP redirect, which will tell the host to
>communicate directly, instead of via the router.

Major nit. A default router is the router that IN LINUX leads to the
world. We run into more than enough people following the microsoft
example and declaring defaults on each interface they have no matter
what, and then wondering why they are having problems. By example,
I have _six_ routers on each of our main subnets at work - which is the
default?

>You cannot hide one computer from the other, if they're on the same
>local network. I know this from experience, when I tried an experiment
>with two subnets on the same local network.

True - why would you do that? What do you hope to accomplish?

>I assumed "local" means a single ethernet (or other) network, where all
>computers can see broadcasts from any other. That is, there are no routers
>between them.

I certainly wasn't talking about that model.

>As for the rest of your note, there's no point in commenting, until we find
>out what the OP was talking about. We seem to be heading in completely
>different directions.

I get the impression this is a concepts question - trying to get the head
around the basic idea of subnetting. I think his term of reference is the
mindset of a home user wondering how the big guys play.

Old guy

John

unread,
Dec 11, 2005, 1:12:26 AM12/11/05
to
Moe Trin wrote:
> On Sat, 10 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
> in article <9OKdneKo14k...@rogers.com>, James Knott wrote:
>
>
>>What exactly was the OP talking about? The impression I got, was that he
>>was referring to having different subnets on the same local network. If
>>so, my comments stand. What exactly is it he's asking about?
>
>
> I got the impression that this was fundamentals - not that specific. Yes
> he was thinking of everyone on the same wire, but that idea is not part
> of the discussion any more - he now knows not to do that.

Exactly.

>
>>[snip]


>
>
>>As for the rest of your note, there's no point in commenting, until we find
>>out what the OP was talking about. We seem to be heading in completely
>>different directions.
>
>
> I get the impression this is a concepts question - trying to get the head
> around the basic idea of subnetting. I think his term of reference is the
> mindset of a home user wondering how the big guys play.
>
> Old guy

It's like you're readin' my mind Old guy. :) Thanks for the help.

Actually, I'm *also* trying to better understand a network that I
occasionally have access to. There, we've got about 15 machines on the
main subnet, only 3 of which happen to need to talk to a certain server
running a database.

Now, these 3 machines that need to talk to the db server happen to all
have 2 NIC's in them. One network interface for the subnet the rest of
the hosts are on, and the other for a small special subnet that the db
server is on.

I'm still poking around their routing tables to make better sense of it. :)

John

unread,
Dec 11, 2005, 1:29:33 AM12/11/05
to

I didn't know which was the customary way of dealing with subnets, nor
if even both ways were possible. Recall, I asked:

| Do you only create subnets on a LAN where all nodes can talk
| to each other? Or are you supposed to only create subnets when
| you've got a router with an extra NIC on it

(though, I forgot the question mark at the end there).

Thanks,

James Knott

unread,
Dec 11, 2005, 7:15:27 AM12/11/05
to
Moe Trin wrote:

>>As for having multiple subnets on the same local wire, and both are
>>communicating with the default router, when a host on one subnet tries to
>>use the default route, it will be told that the other host is on the same
>>local network, by means of an ICMP redirect, which will tell the host to
>>communicate directly, instead of via the router.
>
> Major nit. A default router is the router that IN LINUX leads to the
> world. We run into more than enough people following the microsoft
> example and declaring defaults one each interface they have no matter
> what, and then wondering why they are having problem. By example,

> I have six routers on each of our main subnets at work - which is the
> default?

I wasn't talking about multiple routers. I was talking about a simple
situation, where there is one router leading to the rest of the world and
two "subnets", with different address ranges, on the same local network.
Assume the router is connected to both subnets, which implies two IP
addresses on one NIC and hosts on both pointing to it as the default. Now
when computers on one subnet try to communicate with one on the other, it
will try to send via the default route. The router, knowing about both
subnets being on the same local network, will send an ICMP redirect to the
host, telling it to communicate directly. That computer will then attempt
to do that. One thing that people tend to forget, is that IP addresses are
not used to transport data from one computer to another. That's what MAC
addresses are for. The purpose of an IP address is to determine how to
handle the data. Does it go to a local computer? Does it have to go via a
router? It then uses the arp process to determine the MAC for the
appropriate destination. Normally, if it believes the destination is off
network, it will use the router and if it believes it's local, it will use
the ARP process to determine the MAC address. If it's told that what it
had believed to be off network destination, is in fact local, it will then
use ARP to determine the MAC address, even though the IP says it's not
local. All traffic on the local network is carried using the MAC address,
regardless of what the IP address is.

> >You cannot hide one computer from the other, if they're on the same
> >local network. I know this from experience, when I tried an experiment
> >with two subnets on the same local network.
>
> True - why would you do that? What do you hope to accomplish?

I wanted to see if it was possible to have my wireless router plugged into
my main network and keep the two sets of data separate. My experiment
showed what I describe above. In the end, I added a 3rd NIC to my firewall
and connected the WiFi there.

> I get the impression this is a concepts question - trying to get the head
> around the basic idea of subnetting. I think his term of reference is the
> mindset of a home user wondering how the big guys play.

While that's certainly true, the context wasn't clear.


James Knott

unread,
Dec 11, 2005, 7:20:19 AM12/11/05
to
Moe Trin wrote:

>>Those local networks may be in different locations or different
>>departments, separated by a router. However, unless there's a firewall
>>between the subnets, there will be no barrier to communication between
>>them.
>
> So your routers work at the link level? Those would be switches. Our
> routers are all operating at the network level.
>
>>IP applications don't care about subnets etc. They simply see an
>>address that they can communicate with. How the address is handled
>>depends on a lower layer in the protocol stack.
>
> Is that a big shiny nit I see? ;-)

No. I was simply pointing out the differences in layers. An IP app only
"knows" that a destination is out there somewhere. The IP layer determines
if routing is required and the physical and data link layers do the actual
moving of data around the local network. There is no need for the app to
consider routing and no need for IP to consider the actual network method
used.

James Knott

unread,
Dec 11, 2005, 7:26:09 AM12/11/05
to
John wrote:

> I didn't know which was the customary way of dealing with subnets, nor
> if even both ways were possible. Recall, I asked:
>

You can do either method. The customary application, is where you want to
have separate physical networks connected via routers. There may also be
occasions when you want to contain some systems within the local network,
but want to allow others to communicate with elsewhere, via a router. For
example, you could have network printers and file shares on a different
address range from the desktop computers. You'd then give the computers
two addresses ( you can give NICs more than one address). One is used for
talking to the outside world and the other only with the hosts on the local
network. However, as mentioned in my other messages, using such subnets
will not have much effect on communicating with other hosts on the local
net.

Menno Duursma

unread,
Dec 11, 2005, 10:28:53 AM12/11/05
to
On Sun, 11 Dec 2005 07:15:27 -0500, James Knott wrote:

> I wasn't talking about multiple routers. I was talking about a simple
> situation, where there is one router leading to the rest of the world
> and two "subnets", with different address ranges, on the same local
> network. Assume the router is connected to both subnets, which implies
> two IP addresses on one NIC and hosts on both pointing to it as the
> default. Now when computers on one subnet try to communicate with one
> on the other, it will try to send via the default route. The router,
> knowing about both subnets being on the same local network, will send an
> ICMP redirect to the host, telling it to communicate directly.

Unless the router is configured not to do that.
Which in Linux might be:

sysctl -w net.ipv4.conf.all.send_redirects=0

> That computer will then attempt to do that.

Unless the stack is setup to reject such a reply.
In Linux again:

sysctl -w net.ipv4.conf.all.accept_redirects=0

> One thing that people tend to forget, is that IP addresses are not used
> to transport data from one computer to another.

They're not?

> That's what MAC addresses are for.

Whether or not MAC addressing is used underneath IP addressing, depends on
the underlying protocol(s) used. You seem to assume this to be Ethernet
(or something similar) but it doesn't necessarily have to be ...

> The purpose of an IP address is to determine how to handle the data.
> Does it go to a local computer? Does it have to go via a router?

This process is called "routing"; machines have tables for this.

> It then uses the arp process to determine the MAC for the appropriate
> destination. Normally, if it believes the destination is off network,
> it will use the router and if it believes it's local, it will use the
> ARP process to determine the MAC address. If it's told that what it had
> believed to be off network destination, is in fact local, it will then
> use ARP to determine the MAC address, even though the IP says it's not
> local. All traffic on the local network is carried using the MAC
> address, regardless of what the IP address is.

The way you seem to use the term "local network" is confusing here. Terms
to use would probably be "network segment" and/or "broadcast domain".

--
-Menno.
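
The two sysctls quoted above, and James's description of a host obeying an ICMP redirect, have a per-interface wrinkle worth checking. The following is an added example, not code from the thread: it does not talk to a live kernel but models the rule from the kernel's ip-sysctl documentation for combining `conf.all` and `conf.<iface>` values (for a non-forwarding host, `accept_redirects` is in effect if EITHER is 1; for a forwarding one, only if BOTH are; `send_redirects` is in effect if either is 1). The sysctl dump it audits is constructed, as are the interface names eth0/eth1.

```python
"""Check whether a Linux host will accept or send ICMP redirects (Type 5).

Added example, not code from the thread. It models the conf.all / conf.<iface>
combination rules from the kernel's ip-sysctl documentation instead of
querying a live kernel, so it runs offline on a constructed sysctl dump.
"""
from typing import Dict, List, Tuple

# Constructed `sysctl -a` excerpt (sample values, not a real host): the
# operator set conf.all.accept_redirects=0 as in the post, but eth0 still
# carries a per-interface 1, and eth1 forwards with send_redirects=1.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 1
net.ipv4.conf.eth1.forwarding = 1
"""


def parse_sysctl(text: str) -> Dict[str, int]:
    """Turn 'key = value' lines into a dict; malformed or non-numeric lines are skipped."""
    settings: Dict[str, int] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and value.strip().isdigit():
            settings[key.strip()] = int(value.strip())
    return settings


def interfaces(settings: Dict[str, int]) -> List[str]:
    """Interface names seen under net.ipv4.conf.<iface>.*, excluding all/default."""
    names = set()
    for key in settings:
        parts = key.split(".")
        if len(parts) == 5 and parts[:3] == ["net", "ipv4", "conf"] and parts[3] not in ("all", "default"):
            names.add(parts[3])
    return sorted(names)


def forwarding(settings: Dict[str, int], iface: str) -> bool:
    """Per-interface forwarding flag, falling back to the global ip_forward."""
    return bool(settings.get(f"net.ipv4.conf.{iface}.forwarding",
                             settings.get("net.ipv4.ip_forward", 0)))


def accepts_redirects(settings: Dict[str, int], iface: str) -> bool:
    """Effective accept_redirects for one interface.

    Kernel rule: with forwarding OFF, redirects are accepted if EITHER
    conf.all or conf.<iface> is 1; with forwarding ON, only if BOTH are 1.
    So `sysctl -w net.ipv4.conf.all.accept_redirects=0` alone does not
    protect a plain host whose per-interface value is still 1.
    """
    all_v = settings.get("net.ipv4.conf.all.accept_redirects", 0)
    if_v = settings.get(f"net.ipv4.conf.{iface}.accept_redirects", 0)
    if forwarding(settings, iface):
        return bool(all_v and if_v)
    return bool(all_v or if_v)


def sends_redirects(settings: Dict[str, int], iface: str) -> bool:
    """Effective send_redirects: on if either conf.all or conf.<iface> is 1.
    It only matters when the interface forwards, i.e. the box is a router."""
    return bool(settings.get("net.ipv4.conf.all.send_redirects", 0)
                or settings.get(f"net.ipv4.conf.{iface}.send_redirects", 0))


def audit_redirects(settings: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (subject, finding) pairs for anything that still honours or emits redirects."""
    findings: List[Tuple[str, str]] = []
    if settings.get("net.ipv4.conf.default.accept_redirects", 0):
        findings.append(("default", "interfaces created later will accept redirects"))
    for iface in interfaces(settings):
        if accepts_redirects(settings, iface):
            findings.append((iface, f"accepts ICMP redirects; set conf.all and conf.{iface} accept_redirects=0"))
        if forwarding(settings, iface) and sends_redirects(settings, iface):
            findings.append((iface, "forwards and sends redirects; set send_redirects=0 if hosts must not be steered"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_redirects(parse_sysctl(SAMPLE_SYSCTL)):
        print(f"{subject}: {finding}")
```

On the sample, eth0 is still flagged even though `conf.all.accept_redirects` is 0, and `conf.default` is flagged because a NIC added later inherits it; on a real host feed the output of `sysctl -a` to `parse_sysctl` instead of the constructed string.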

Moe Trin

unread,
Dec 11, 2005, 8:26:44 PM12/11/05
to
On Sun, 11 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
in article <gwPmf.11452$O05....@fe09.lga>, John wrote:

>Actually, I'm *also* trying to better understand a network that I
>occasionally have access to. There, we've got about 15 machines on the
>main subnet, only 3 of which happen to need to talk to a certain server
>running a database.
>
>Now, these 3 machines that need to talk to the db server happen to all
>have 2 NIC's in them. One network interface for the subnet the rest of
>the hosts are on, and the other for a small special subnet that the db
>server is on.

Ah, OK - that's a little different, but not unknown. Many of our servers
have three NICs. The first is a high speed NIC (often Gigabit net) that
allows them to pump those bits out to the clients. There is a second NIC
(often 10 or 100BaseT) for the administrative connection. This is a
security issue. The third NIC goes to a 'backup' server where the tape
drives (yes, we still use tapes as well as other media) live. That's done
for bandwidth reasons. Each of those are on separate networks. That means
separate IP addresses for each, and consequently - separate hostnames.

Let's use 10.0.0.0 and choose three subnets - 10.0.0.0/24 for one,
10.0.1.0/24 for the second and 10.0.3.0/24 for the third. 10.0.0.10 is
foo.example.com. 10.0.1.10 is called foo1.example.com, and 10.0.2.10 is
called foo2.example.com. How about another host also with three cards -
same idea, but address 10.0.x.11 and names bar, bar1, and bar2. Now,
from host bar, you can direct your packets via any interface by using
the right destination hostname. If you telnet to foo, the packets will
use 10.0.0.0/24 because that is the most direct route. Telnet to foo1,
and it will use 10.0.1.0/24 for the same reason. You are going to
connect to the same computer, but the packets will use this, or that, or
the other interface (network) solely based on the hostname (or IP address)
you try to connect to.

>I'm still poking around their routing tables to make better sense of it. :)

The combination of the desired hostname or address coupled with the
routing table is the answer. For the above, you'd see:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     1      0        0 eth1
10.0.2.0        0.0.0.0         255.255.255.0   U     1      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     1      0        0 lo

The kernel having to send a packet to 10.0.2.15 is only going to make one
choice here. 'eth2' leads exactly where we want to go. The routing table on
the "other computer" will look the same. How will the packets get routed
BACK to the originating computer? Look at the packets on the wire - it
has that label with the smiling Sandy Klauz saying "To 10.0.0.10, From
10.0.0.11". The other connection on the other wire? I'm sure it's
obvious that it's "To 10.0.1.10, From 10.0.1.11". Thus, there is no
problem about telling the "computers" apart (even though 10.0.x.10 is
one computer) because we're talking to 10.0.0.10 not 10.0.x.10. The
computers don't know that 10.0.x.10 is one computer (and don't care).

Does that mess make sense now?

Old guy
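
The interface choice described above (and James's earlier point that the IP layer only decides "local or via a router", after which ARP resolves either the destination or the router), as an added example that is not code from the thread. It parses a route(8)-style table, a constructed copy of the one in the post with the genmask written out as 255.255.255.0 and one assumed default route via 10.0.0.1 added, and applies longest-prefix match. The foo/foo1/foo2 addresses come from the post; the `HOSTS` map standing in for /etc/hosts is hypothetical.

```python
"""Resolve which interface a multi-homed host uses for a destination.

Added example, not code from the thread. It parses a route(8)-style table and
applies longest-prefix match, which is the decision the post describes.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed copy of the routing table in the post above, with the genmask
# written out as 255.255.255.0 and one assumed default route (10.0.0.1 via eth0)
# added so the longest-prefix rule has something to beat.
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     1      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     1      0        0 eth1
10.0.2.0        0.0.0.0         255.255.255.0   U     1      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     1      0        0 lo
0.0.0.0         10.0.0.1        0.0.0.0         UG    1      0        0 eth0
"""

# Names from the post (foo/foo1/foo2 are one machine with three NICs);
# this stands in for /etc/hosts and is hypothetical.
HOSTS = {"foo": "10.0.0.10", "foo1": "10.0.1.10", "foo2": "10.0.2.10"}


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means the destination is on-link
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Read Destination/Gateway/Genmask/Flags/Iface columns; header lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[7]
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = ipaddress.IPv4Address(gw) if "G" in flags else None
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific network containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def next_hop(routes: List[Route], dst: str) -> Tuple[str, str]:
    """(iface, address the kernel ARPs for): the destination itself when the
    route is on-link, otherwise the router named by the matching route."""
    r = lookup(routes, dst)
    if r is None:
        raise ValueError(f"no route to {dst}")
    return r.iface, (str(r.gateway) if r.gateway is not None else dst)


def egress_for_name(routes: List[Route], name: str) -> Tuple[str, str, str]:
    """Resolve a name through the constructed HOSTS map and report (ip, iface, next hop)."""
    ip = HOSTS[name]
    iface, hop = next_hop(routes, ip)
    return ip, iface, hop


ROUTES = parse_route_table(ROUTE_TABLE)

if __name__ == "__main__":
    for name in ("foo", "foo1", "foo2"):
        print(name, egress_for_name(ROUTES, name))
    print("10.0.2.15 ->", next_hop(ROUTES, "10.0.2.15"))
    print("192.0.2.7 ->", next_hop(ROUTES, "192.0.2.7"))
```

Telnetting to foo1 lands on eth1 and to foo2 on eth2 purely because of the address each name resolves to; anything outside the three /24s falls through to the default route and is ARPed as 10.0.0.1, not as the destination.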

Moe Trin

unread,
Dec 11, 2005, 8:28:42 PM12/11/05
to
On Sun, 11 Dec 2005, in the Usenet newsgroup comp.os.linux.networking,
in article <1JqdndXeBv3...@rogers.com>, James Knott wrote:

>If it's told that what it had believed to be off network destination,
>is in fact local, it will then use ARP to determine the MAC address,
>even though the IP says it's not local.

That's a router sending an ICMP Type 5 - but not all operating systems
follow this any more - denial of service problems.

>All traffic on the local network is carried using the MAC address,
>regardless of what the IP address is.

You can expand that one - all traffic on the Ethernet is carried using
MAC address regardless of the _protocol_ in use. We had IP, Novell's
IPX, AppleTalk, XNS, DecNet, and Banyan Vines all on the same wire.

>> What do you hope to accomplish?
>
>I wanted to see if it was possible to have my wireless router plugged into
>my main network and keep the two sets of data separate. My experiment
>showed what I describe above. In the end, I added a 3rd NIC to my firewall
>and connected the WiFi there.

The only way they can be separated is if they are never destined for each
other - meaning traffic from the WiFi only goes directly to a host on the
same wire. If the traffic has to go through a router, you're screwed. Now,
you CAN have a host with two NICs on separate networks but the same
physical media (example 10.0.0.10/24 and 10.0.2.10/24). Using an IP
Alias may be a possibility - but usually this doesn't work because
the aliased card only _listens_ on the other address, and _sends_ using
the un-aliased address.

Old guy

Kurt

unread,
Dec 11, 2005, 9:55:29 PM12/11/05
to
A very interesting discussion. The most common reason I set up subnets
is security. It requires VLANs and a router with an interface on each
VLAN, or a layer-3 switch. Access lists control who can talk to who.
Another good reason is to create groups that can access the Internet,
and those who can't. Most every educational institution has an
Administrative VLAN and a student VLAN with routers configured so that a
connection can be made from a teacher's computer to a student's, but not
the other way around. Traffic shaping can allow groups on one subnet to
have higher priority or greater bandwidth than another, Cisco's "Voice
VLAN" combined with CDP and VTP auto configures IP phones to a VLAN (and
then to a DHCP server in that VLAN for their subnet info) for
high-priority (realtime) required by voice connections. These are just a
few of the many good reasons to use subnets.

...kurt

Menno Duursma

unread,
Dec 12, 2005, 6:53:02 AM12/12/05
to
On Sun, 11 Dec 2005 18:55:29 -0800, Kurt wrote:
> John wrote:

>> What are the reasons for creating a subnet on your network?
>>
>> AFAICT, almost all your systems (except the gateway to the net) get
>> non-routable IP's (ex. 10.0.n.m or 192.168.n.m), then you create a
>> subnet by setting an IP and netmask with ifconfig, and updating your
>> routing table (and the routing tables of other systems on your network
>> -- or have DHCP do it I presume) to know about the subnet. But what I
>> don't see is the point.
>>
>> Is it to keep fewer records in your arp table?

This can be a reason too: yes.

>> Do you only create subnets on a LAN where all nodes can talk to
>> eachother?

No. Either if broadcast traffic and/or ARP tables would otherwise blow out
of proportion (ie: they get to be a bottleneck), or it just makes sense
to divide the network into smaller chunks (for security, administration.)

>> Or are you supposed to only create subnets when you've got a router
>> with an extra NIC on it

This is probably preferred, however Unix machines can be configured to act
as "route servers" too.

>> Instead of using subnets, why not just drop a router anywhere you've
>> got a fairly large related group of chatty hosts, connect those hosts
>> to hubs/switches, then connect the uplink to that router?

This could be called a network segment (at the media level.) And can
indeed be a good idea, if one can accept the one router to be a
single-point-of-failure ... If however this would be a problem: rather than
add another router, maybe configure switches to spanning-tree (and just
replace any Hubs and Repeaters with switches.)

> A very interesting discussion. The most common reason I set up subnets
> is security.

As James Knott pointed out though: subnetting in and of itself doesn't
provide much security provided "users" can get administrative access to any
node (machine/device) connected to the same network segment.

> It requires VLANs and a router with an interface on each VLAN, or a
> layer-3 switch.

You had better be sure that is configured correctly:
http://www.packetfactory.net/papers/VLAN-hopping/

> Access lists control who can talk to who. Aonther good reason is to
> create groups that can access the Internet, and those who can't. Most
> every educational institution has an Adminstrative VLAN and a student
> VLAN with routers configured so that a connection can be made from a
> teacher's computer to a student's, but not the other way around. Traffic
> shaping can allow groups on one subnet to have higher priority or
> greater bandwidth than another, Cisco's "Voice VLAN" combined with CDP

Maybe play around some with:
http://yersinia.sourceforge.net/

> and VTP auto configures IP phones to a VLAN (and then to a DHCP server
> in that VLAN for their subnet info) for high-priority (realtime)

What if someone was to spoof their MAC address to the one belonging to a phone?

> required by voice connections. These are just a few of the many good
> reasons to use subnets.

Agreed.

--
-Menno.

James Knott

unread,
Dec 12, 2005, 8:08:25 PM12/12/05
to
Menno Duursma wrote:

>> That's what MAC addresses are for.
>
> Whether or not MAC addressing is used underneath IP addressing, depends on
> the underlying protocol(s) used. You seem to assume this to be Ethernet
> (or something similar) but it doesn't necessarily have to be ...

I think you'll find the vast majority of local networks are ethernet.
However, the same principle applies to token ring, arcnet etc.

>
>> The purpose of an IP address is to determine how to handle the data.
>> Does it go to a local computer? Does it have to go via a router?
>
> This process is called: "routing" machines have tables for this.
>
>> It then uses the arp process to determine the MAC for the appropriate
>> destination. Normally, if it believes the destination is off network,
>> it will use the router and if it believes it's local, it will use the
>> ARP process to determine the MAC address. If it's told that what it had
>> believed to be off network destination, is in fact local, it will then
>> use ARP to determine the MAC address, even though the IP says it's not
>> local. All traffic on the local network is carried using the MAC
>> address, regardless of what the IP address is.
>
> The way you seem to use the term: "local network" is confusing here. Terms
> to used would probably be "network segment" and/or "broadcast domain".

Quite so, but again, most people have experience only with simple networks.
I described exactly what I was referring to in another message.

>

Menno Duursma

unread,
Dec 13, 2005, 4:36:23 AM12/13/05
to
On Mon, 12 Dec 2005 20:08:25 -0500, James Knott wrote:
> Menno Duursma wrote:
>>> That's what MAC addresses are for.
>>
>> Whether or not MAC addressing is used underneath IP addressing, depends on
>> the underlying protocol(s) used. You seem to assume this to be Ethernet
>> (or something similar) but it doesn't necessarily have to be ...
>
> I think you'll find the vast majority of local networks are ethernet.
> However, the same principle applies to token ring, arcnet etc.

But not SDH (SONET). Or (most?) other hi-speed serial links say: PPP.

>>> [...] All traffic on the local network is carried using the MAC


>>> address, regardless of what the IP address is.
>>
>> The way you seem to use the term: "local network" is confusing here.
>> Terms to used would probably be "network segment" and/or "broadcast
>> domain".
>
> Quite so, but again, most people have experience only with simple
> networks.

No: they simply have no idea they are in fact users (and maybe even partly
admins) of some rather large network - or don't care much either way.

> I described exactly what I was referring to in another message.

You might want to look into: OpenVPN.

--
-Menno.

James Knott

unread,
Dec 13, 2005, 7:36:46 PM12/13/05
to
Menno Duursma wrote:

> On Mon, 12 Dec 2005 20:08:25 -0500, James Knott wrote:
>> Menno Duursma wrote:
>>>> That's what MAC addresses are for.
>>>
>>> Whether or not MAC addressing is used underneath IP addressing, depends
>>> on the underlying protocol(s) used. You seem to assume this to be
>>> Ethernet (or something similar) but it doesn't necessarily have to be
>>> ...
>>
>> I think you'll find the vast majority of local networks are ethernet.
>> However, the same principle applies to token ring, arcnet etc.
>
> But not SDH (SONET). Or (most?) other hi-speed serial links say: PPP.

How many people use SONET on their local lan? Or PPP for that matter. Both
are useful between networks though.


>
>>>> [...] All traffic on the local network is carried using the MAC
>>>> address, regardless of what the IP address is.
>>>
>>> The way you seem to use the term: "local network" is confusing here.
>>> Terms to used would probably be "network segment" and/or "broadcast
>>> domain".
>>
>> Quite so, but again, most people have experience only with simple
>> networks.
>
> No: they simply have no idea they are in fact users (and maybe even partly
> admins) of some rather large network - or don't care much either way.
>
>> I described exactly what I was referring to in another message.
>
> You might want to look into: OpenVPN.

I already use it.

Menno Duursma

unread,
Dec 14, 2005, 5:06:47 AM12/14/05
to
On Tue, 13 Dec 2005 19:36:46 -0500, James Knott wrote:
> Menno Duursma wrote:
>> On Mon, 12 Dec 2005 20:08:25 -0500, James Knott wrote:
>>> Menno Duursma wrote:
>>>>> That's what MAC addresses are for.
>>>>
>>>> Whether or not MAC addressing is used underneath IP addressing,
>>>> depends on the underlying protocol(s) used. You seem to assume this
>>>> to be Ethernet (or something similar) but it doesn't necessarily have
>>>> to be ...
>>>
>>> I think you'll find the vast majority of local networks are ethernet.
>>> However, the same principle applies to token ring, arcnet etc.
>>
>> But not SDH (SONET). Or (most?) other hi-speed serial links say: PPP.
>
> How many people use SONET on their local lan?

I don't care, but have seen it used between buildings before. My point
though is IP (subnets) don't care either.

> Or PPP for that matter.

This is used _very_ often. Both as a more reliable (C)SLIP over POTS
modems, and over Ethernet frames bridged to an ATM network (xDSL).

> Both are useful between networks though.

Indeed they are. However the SDH network I was one of the administrators
for is, eh well, rather large - and not "between networks" per se ...
Although I gather they're switching (or have switched) to WDM - which I
know very little about - it's been over 6 years since I worked there.

--
-Menno.
