Private Addressing and Subnetting Large Networks

Solutions in this chapter:

■ Discovering the motivation for using private addresses
■ Calculating address allocation efficiency
■ Examining RFC 1918 private address ranges
■ Developing strategies for subnetting private addresses

Chapter 11
93_sbcran_11 10/16/00 2:03 PM Page 457

Introduction

You’ve heard it said: “We’re running out of IP Addresses!” Really? In the IP (version 4) architecture, we use 32-bit address fields. With 32 bits in our addresses, there are 2^32 unique addresses available. That’s over four billion addresses. We know that the Internet has experienced exponential growth over the last few years, but even with continued growth, it’s unlikely that we’ll see anywhere near four billion machines on the Internet any time soon. So where’s the problem?

The problem exists in the granularity of address allocation. Prior to Classless Inter-Domain Routing (CIDR), addresses were allocated in classful blocks. That is, if you needed more addresses than a Class C network provided, you got a Class B network address; if you needed more than a Class B provided, you got a Class A network address. Those were the only three choices. (Not many organizations actually got Class A addresses, of course.)

Although there are indeed over 4 billion unique IP addresses available with the current version of IP, the number of unique network numbers is much fewer. In fact, there are only 126 Class A networks, about 16,000 Class B networks, and about 2 million Class C networks. This design has led to widespread waste of globally unique IP addresses.

Strategies to Conserve Addresses

In the 1970s, the architects of the Internet envisioned an internetwork with dozens of networks and hundreds of nodes. They developed a design where any node on the internetwork was reachable by any other node.
Back then, no one could have guessed the effect new applications like the World Wide Web and vastly increased bandwidth would have on the number of people interested in participating in “the Net.” In the Internet today, there are tens of thousands of networks and millions of nodes. Unfortunately, the original design has not scaled well. The increased number of networks joining the Internet has strained router technology, and the sheer number of participants has strained the limits of IP addressing as it was originally designed. Some compromises had to be made to allow the Internet to continue its growth.

Several strategies have been developed and implemented to help the Internet community cope with its growing pains. They help reduce the load on the Internet routers and help us use globally unique IP addresses more efficiently. These strategies include:

■ CIDR
■ Variable-Length Subnet Masking (VLSM)
■ Private Addressing

www.syngress.com

Classless Inter-Domain Routing (CIDR)

Classless Inter-Domain Routing (CIDR), specified in RFCs 1517, 1518, and 1519, was introduced in September 1993 as a way to reduce router table growth. As a side effect, it has helped reduce the waste of IP addresses by reducing the granularity of allocation. Now, instead of full Class A, B, or C networks, organizations can be allocated any number of addresses. (Normally, addresses are allocated in even powers of two to allow CIDR to realize its maximum benefit, but in reality, any number of addresses can be allocated.) For example, if you needed 3,000 addresses for your network, a single Class C network (256 addresses) would be insufficient. If, however, you were assigned a Class B network (65,536 addresses), there would be over 62,000 addresses wasted! With CIDR, you can be allocated a block of 4,096 addresses—equivalent to 16 Class C networks (a /20 in CIDR notation).
This block of addresses will cover your addressing needs now, allow room for growth, and use global addresses efficiently.

Variable-Length Subnet Mask (VLSM)

Variable-Length Subnet Mask (VLSM) is a technique used to conserve IP addresses by tailoring the mask to each subnet. Subnets that need many addresses will use a mask that provides many addresses. Those that need fewer addresses will use a different mask. The idea is to assign “just the right amount” of addresses to each subnet. Many organizations have point-to-point WAN links. Normally, these links comprise a subnet with only two addresses required. But that would never do for a typical LAN where there are dozens (if not hundreds) of hosts in a subnet. By using a routing protocol that supports VLSM, we can use a block of addresses much more efficiently.

Private Addresses

By far, the most effective strategy for conserving globally unique (public) IP addresses involves not using any at all! If your enterprise network will be using TCP/IP protocols, but will not be communicating with hosts in the global Internet, you don’t need to use public IP addresses. The Internet Protocol simply requires that all hosts in the interconnected network have unique addresses. If the internetwork is limited to your organization, then the IP addresses need only be unique within your organization.

Today, many (if not most) organizations want to have at least some ability to communicate over the Internet. Does that mean these organizations must use public addresses? Yes it does—but it does not mean that all of the devices in that network must have public addresses. Such networks can still use private addresses and a technique called Network Address Translation (NAT) to convert those private (inside) addresses to public (outside) addresses.
Addressing Economics

IPv6 is fixing the problem with the limited address space of IPv4. Until IPv6 is fully deployed, we must make use of the IP addressing system we have. Sometimes, the networks we must support are not IP-address friendly. For example, consider the sample network in Figure 11.1.

In the network shown in Figure 11.1, we have multiple LANs at the headquarters location and several branch offices that each have one LAN. The headquarters router is acting as a “collapsed backbone,” connecting all the headquarters LANs and, via leased lines, the branch office routers. The organization has been assigned Class B address 172.16.0.0, which provides 65,536 unique addresses.

Figure 11.1 A sample network.

As we mentioned earlier, the serial links connecting routers need their own IP addresses. In a point-to-point network such as the dedicated leased lines shown in the figure, each of the links is an individual subnet. Table 11.1 lists the various subnets and the addressing requirements for each.

Table 11.1 Sample Network Addressing Needs

Location        # Subnets   # Hosts
Headquarters    1           50
                1           110
                1           190
                1           150
                1           150
Branches        60          30
WAN Links       60          2

In this example, the network is using RIP (version 1) as the routing protocol, so each subnet must use the same mask. Identify the largest subnet in our network: one of the subnets at the Headquarters location needs 190 addresses. Consulting our resources, we see that 255.255.255.0 is the most appropriate mask to use because it provides 254 unique addresses in each subnet. Table 11.2 shows just how inefficient it can be to use a single, fixed mask for all subnets.

For IT Professionals: Using Frame Relay Network as WAN Technology

When you use Frame Relay networks as your WAN technology, the entire Frame Relay “cloud” is one subnet, and each router interface will have an address appropriate for that subnet.

Table 11.2 Sample Network Address Analysis

Location        # Subnets   Interfaces   Subnet Unused   Total Unused
Headquarters    1           50           204             204
                1           110          144             144
                1           190          64              64
                1           150          104             104
                1           150          104             104
Branches        60          30           224             13,440
WAN Links       60          2            252             15,120

The Headquarters subnets are sized appropriately, even allowing for some growth. The branch office subnets provide many more addresses than will actually be used. The biggest waste occurs in the WAN links. Since the sample network is using point-to-point links between headquarters and the branches, we will never need more than two addresses in each subnet. If you add up the numbers, there are a total of 2,570 addresses needed, but we are allocating 125 subnets with 254 addresses each for a total of 31,750 addresses. As you can see, we’re not using our Class B network address very efficiently.

The situation is even worse than it first appears. We see there are over 29,000 unused addresses in the subnets we are using; we’re only using 125 of the possible 256 subnets available. If you include the other 131 subnets with 254 possible addresses each we have a grand total of 62,454 unused addresses. In other words, we’re using just under 4 percent of the total addresses provided by our Class B network number. This inefficient use of addresses is one of the main causes of IP address exhaustion. If we could use VLSM, the subnets would be sized more appropriately, but the larger problem remains. We would still be using only about 4 percent of our total Class B space.

An Appeal

RFC 1917, published in February 1996, is titled “An Appeal to the Internet Community to Return Unused IP Networks to the IANA.” It cites the growing problem of IP address exhaustion and asks administrators to be good “netizens” and return blocks of IP addresses to the Internet Assigned Numbers Authority for reallocation.
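The arithmetic behind Tables 11.1 and 11.2, and the VLSM comparison the chapter mentions, as an added example (not code from the book): the function reproduces the fixed-mask figures (2,570 needed, 31,750 allocated, 62,454 unused) and then sizes each subnet with the smallest mask that fits, for contrast. The function and variable names are my own.

```python
# Address-allocation arithmetic for the chapter's sample network (Table 11.1);
# constructed from the chapter's figures, not the book's own code.

# (location, number of subnets, hosts needed per subnet)
SAMPLE_NETWORK = [
    ("Headquarters", 1, 50),
    ("Headquarters", 1, 110),
    ("Headquarters", 1, 190),
    ("Headquarters", 1, 150),
    ("Headquarters", 1, 150),
    ("Branches", 60, 30),
    ("WAN Links", 60, 2),
]

CLASS_B_PREFIX = 16  # the assigned 172.16.0.0/16

def usable_hosts(prefix):
    """Usable addresses in a subnet; network and broadcast are never assigned."""
    return 2 ** (32 - prefix) - 2

def smallest_prefix(hosts):
    """Longest (most economical) prefix that still fits `hosts` usable addresses."""
    for prefix in range(30, CLASS_B_PREFIX - 1, -1):
        if usable_hosts(prefix) >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in one subnet of the block")

def analyse(requirements, fixed_prefix=None, block_prefix=CLASS_B_PREFIX):
    """Summarise how the block is used.

    fixed_prefix=24 reproduces the RIPv1 case of Table 11.2 (one mask
    everywhere); fixed_prefix=None gives each subnet the smallest mask that
    fits (VLSM). Counts follow the chapter's convention of 254 usable
    addresses per /24.
    """
    block_total = 2 ** (32 - block_prefix)
    needed = allocated_usable = address_space = unused_in_subnets = subnets = 0
    for _, count, hosts in requirements:
        prefix = fixed_prefix if fixed_prefix is not None else smallest_prefix(hosts)
        usable = usable_hosts(prefix)
        if usable < hosts:
            raise ValueError(f"/{prefix} cannot hold {hosts} hosts")
        subnets += count
        needed += count * hosts
        allocated_usable += count * usable
        address_space += count * 2 ** (32 - prefix)
        unused_in_subnets += count * (usable - hosts)
    summary = {
        "subnets": subnets,
        "needed": needed,
        "allocated_usable": allocated_usable,
        "unused_in_subnets": unused_in_subnets,
        "needed_pct_of_block": round(100 * needed / block_total, 2),
        "address_space_pct_of_block": round(100 * address_space / block_total, 2),
    }
    if fixed_prefix is not None:
        # With one mask the block splits into equal subnets, and the ones
        # never handed out are wasted too (the chapter's 131 spare /24s).
        possible = 2 ** (fixed_prefix - block_prefix)
        summary["unallocated_subnets"] = possible - subnets
        summary["total_unused"] = possible * usable_hosts(fixed_prefix) - needed
    return summary

if __name__ == "__main__":
    for label, prefix in (("fixed /24 (RIPv1)", 24), ("VLSM", None)):
        print(label, analyse(SAMPLE_NETWORK, fixed_prefix=prefix))
```

The VLSM run shows the point the chapter makes: the subnets shrink to about 3,100 addresses, but the network still touches under 5 percent of the Class B block.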
It suggests three alternatives:

■ If you aren’t going to connect to the public Internet, you don’t need globally unique addresses. Use private addresses instead.
■ If you have a portable block of addresses, return the block to the IANA and use addresses supplied by your upstream Internet Service Provider.
■ If you have a large block of public addresses, but only need a small portion of them, return the large block to IANA and request a smaller block of addresses. This would be the appropriate action for our example network considered earlier.

Public vs Private Address Spaces

The Internet Protocol requires that each interface on a network have a unique address. If the scope of your network is global, then the addresses must be globally unique. Such is the case with the Internet. Since global uniqueness must be assured, a centralized authority must be responsible for making sure IP address assignments are made correctly and fairly. For the last few years, this has been the function of the IANA. The Internet has been rapidly expanding in both number of connected networks and number of new applications. The 1990s have seen both the commercialization and the internationalization of the Internet. To meet the demands of a growing Internet community, the IANA is being replaced by the Internet Corporation for Assigned Names and Numbers (ICANN).

NOTE
More information about the ICANN can be found at www.icann.com.

If an organization wants to use IP protocols and applications in its network, but has no intention of connecting its network to the global Internet, the IP addresses it uses need not be globally unique. A network of this type is called a private network, and the addresses used are called private addresses.

Can I Pick My Own?
If you are deploying IP on a private network, you can use any IP addresses you wish, as long as you adhere to the normal IP addressing rules. Before you go crazy and use an entire Class A address for each subnet, consider the following possibilities:

■ Most organizations will eventually choose to implement some kind of connection to the Internet—if for no other reason than to exchange e-mail.
■ There may be a merger or acquisition in your future that might require joining your network to one or more other networks.

As an example, suppose you needed a Class C address for a small network that will not be connected to the Internet (see Figure 11.2). You chose to use 207.46.130.0 as your network address and configured all your devices accordingly. As soon as you finish getting everything set up, your boss decides to implement Internet e-mail. You consult your friendly neighborhood ISP who tells you not to worry. They can use a trick called Network Address Translation (see Chapter 10) that will allow you to keep using your addresses and give you access to the Internet. Great! Everything works just fine except for one thing—you can’t access www.microsoft.com. The Class C address 207.46.130.0 has been officially assigned to Microsoft, which uses it in its Web server farm. When you try to access the Microsoft Web site, DNS (the Domain Name System) resolves the name to IP address 207.46.130.14. When your browser sends an HTTP request to the target address, the IP software thinks (rightly so) that the address is inside your network and does not forward it to the router.

Figure 11.2 The danger of picking your own addresses.
The lesson here is that there is a risk in dreaming up your own IP addresses—even if you never intend to connect to the global Internet.

RFC 1918—Private Network Addresses

In the midst of the explosive Internet growth in the early 1990s, RFC 1597 suggested a way to help conserve globally unique IP addresses. The idea was to set aside three blocks of addresses that would never be officially allocated to any organization. These blocks could then be used in any and every private network without fear of duplicating any officially assigned IP addresses in other organizations.

NOTE
Not everyone agreed with this plan. The authors of RFC 1627 (June 1994) complained that an Internet policy decision was made without the normal peer review and public comment process. They also point out that the original ideal of the Internet architecture, worked out over decades, was to have every host uniquely addressable. They argue that RFC 1597 violates this ideal. Ultimately, of course, the proponents of private addressing prevailed.

In February 1996, RFC 1597 was updated and made obsolete by RFC 1918, and was assigned the “Best Current Practice” status.

The Three Address Blocks

RFC 1918 designates three ranges of IP addresses as private:

■ 10.0.0.0–10.255.255.255
■ 172.16.0.0–172.31.255.255
■ 192.168.0.0–192.168.255.255

The first of these address blocks is equivalent to a traditional Class A address. In CIDR notation, it would be 10.0.0.0/8. RFC 1918 calls it a 24-bit block of addresses because only 8 of the 32 bits are fixed; the other 24 bits are available for local administration. Either way, the range contains 16,777,216 unique addresses—enough to supply even the largest networks.

The second block is called a 20-bit block and is equivalent to 16 traditional Class B networks, or a /12 block in CIDR terminology. This block contains 1,048,576 addresses.
Finally, the third block is known as a 16-bit block and is equivalent to 256 Class C networks. This 16-bit prefix supplies 65,536 different IP addresses. Table 11.3 summarizes the private address blocks defined by RFC 1918.

Considerations

Anyone can use any of the address blocks in Table 11.3 in any network at any time. The main thing to remember is that devices using these addresses will not be able to communicate with other hosts on the Internet without some kind of address translation. Here are some things to think about when deciding to use private addressing in your network:

Number of addresses

One of the main benefits of using private addresses is that you have plenty to work with. Since you are not using globally unique addresses (a scarce resource), you don’t need to be conservative. In the example network shown in Figure 11.1, you could use an entire Class B equivalent address block without feeling guilty. Even though you would be using only 4 percent of the available addresses, you are not hoarding a valuable commodity.

Security

Using private addresses can also enhance the security of your network. Even if part of your network is connected to the Internet, no one outside your network will be able to reach your devices. Likewise, no one from inside your network will be able to reach hosts on the Internet. RFC 1918 specifies that “…routing information about private networks shall not be propagated on inter-enterprise links, and packets with private source or destination addresses should not be forwarded across such links.
Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks.”

Table 11.3 Private IP Address Blocks

Address Block                  Classful Equivalent                        Prefix Length   Number of Addresses
10.0.0.0–10.255.255.255        1 Class A, 256 Class B, 65,536 Class C     /8              16,777,216
172.16.0.0–172.31.255.255      16 Class B, 4,096 Class C                  /12             1,048,576
192.168.0.0–192.168.255.255    1 Class B, 256 Class C                     /16             65,536
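The “Can I Pick My Own?” scenario above and the RFC 1918 filtering rule just quoted, both worked through with Python’s ipaddress module. This is an added example, not the chapter’s code: the 207.46.130.x values are the chapter’s own, while 198.51.100.x and 203.0.113.x are constructed test values from the documentation ranges, and all function names are my own.

```python
import ipaddress

# The three private blocks from RFC 1918 (Table 11.3).
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

def is_rfc1918(address):
    """True when the address lies inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in RFC1918_BLOCKS)

def is_on_link(local_subnet, destination):
    """What a host's IP stack decides for a destination: inside the local
    subnet it is delivered directly, otherwise it is handed to the router."""
    return ipaddress.ip_address(destination) in ipaddress.ip_network(local_subnet)

def shadowed_destinations(local_subnet, destinations):
    """Public destinations a home-grown address plan swallows, as in
    Figure 11.2: the stack treats them as local and never uses the router."""
    return [d for d in destinations if is_on_link(local_subnet, d)]

def plan_is_safe(local_subnet):
    """A private network's plan is safe only if it sits entirely inside
    RFC 1918 space; then it can never shadow an officially assigned address."""
    net = ipaddress.ip_network(local_subnet)
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)

def forward_across_border(source, destination):
    """RFC 1918 packet rule for an inter-enterprise (e.g. ISP) link: do not
    forward anything with a private source or destination address."""
    return not (is_rfc1918(source) or is_rfc1918(destination))

def accept_route(prefix):
    """RFC 1918 routing rule: reject routing information that falls inside,
    or covers, private space (an aggregate such as 172.0.0.0/8 is rejected too)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return not any(net.overlaps(block) for block in RFC1918_BLOCKS)

if __name__ == "__main__":
    # The chapter's scenario: 207.46.130.0/24 chosen for a private LAN, then
    # the site tries to reach 207.46.130.14 (www.microsoft.com at the time).
    print(shadowed_destinations("207.46.130.0/24", ["207.46.130.14"]))
    print(shadowed_destinations("192.168.130.0/24", ["207.46.130.14"]))
    print(plan_is_safe("207.46.130.0/24"), plan_is_safe("172.20.0.0/16"))
    print(accept_route("172.20.0.0/16"), accept_route("203.0.113.0/24"))
```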