Discovery II Module 4 Planning the Addressing Structure

4.1 IP Addressing in the LAN

4.1.1. Review of IP Addresses
One of the most important aspects of communications on an Internetwork is the logical addressing scheme. IP addressing is the method used to identify hosts and network devices. The number of hosts connected to the Internet continues to grow, and the IP addressing scheme has had to be adapted to cope with this growth. In order to send and receive messages on an IP network, every network host must be assigned a unique 32 bit IP address. Because large binary numbers are difficult for humans to read and understand, IP addresses are usually displayed in dotted-decimal notation. In dotted-decimal notation, each of the four octets is converted to a decimal number separated by a decimal point. For example, the IP address: 11000000.10101000.00000001.01101010 is represented as 192.168.1.106 in dotted decimal notation. IP addresses are hierarchical. A hierarchy is like a family tree with parents at the top and children connected to them below. For a network, this means that part of the 32-bit number identifies the network (parent) while the rest of the bits identify the host (child). In the early days of the Internet, there were so few organizations needing to connect to it, that networks were assigned by only the first 8 bits (first octet) of the IP address. This left the remaining 24 bits to be used for local host addresses.

The 8-bit network designation made sense at first, because originally people thought that the Internet would be made up of a few very large universities, governments, and military organizations. Using only 8 bits for the network number enabled the creation of 256 separate networks, each containing over 16 million hosts. It soon became apparent that more organizations, and eventually individuals, would be connecting to the Internet to do research and to communicate with others. More networks were required, and a way to assign more network numbers had to be created.

In order to cope with the demand, more unique network numbers were required. To create more possible network designations, the 32-bit address space was organized into five classes. Three of these classes, A, B, and C, provide addresses that can be assigned to individual hosts or networks. The other two classes, D and E, are reserved for multicast and experimental use. Dividing the original eight-bit networks into smaller classes increased the number of available network designations from 256 to over two million. Until this change, routers examined only the first 8-bits of an IP address for the network ID. Now how would routers know to look beyond the first 8-bits to identify Class B or C networks? It was decided to divide the networks in a manner that would make it easy for routers to determine the correct number of network ID bits. The class of a network is indicated by the values of the first few bits of the IP addresses, called the high order bits. If the first bit is 0, the network is a Class A and the first octet represents the network ID. When the first bit is 1, the router examines the second bit. If that bit is 0, the network is a Class B, and the router uses the first 16 bits for the network ID. If the first 3 bits are 110, it indicates a Class C address. Class C addresses use the first 24 bits, or three octets, to designate the network. Networks grew throughout the 1980s and into the 1990s, with many organizations adding hundreds, even thousands, of hosts. An organization with thousands of hosts should have been well served by a Class B network. Unfortunately there were some problems. Organizations with thousands of hosts rarely had them all in one place. Some organizations wanted to separate individual departments from each other for security purposes. To solve these problems, the organizations leading the development of the Internet chose to partition their networks into mini-networks, or subnets, using a process called subnetting. How does a single class B network get split into multiple networks, in a way that each subnet is treated as a separate network?

RFC 917, Internet Subnets, defines the subnet mask as the method routers use to isolate a subnet from an IP address. When a router receives a packet it uses the destination IP address in the packet and the subnet masks associated with the routes in its routing table to determine the appropriate path on which to forward the packet. The router reads the subnet mask from left to right, bit for bit. If a bit in the subnet mask is set to 1, it indicates that the value in that position is part of the network ID. A 0 in the subnet mask indicates that the value in that position is part of the host ID. The two-level hierarchy of classed addressing included a network ID and a host ID. In classful subnetting, the network ID is left alone, and the host ID is divided into a subnet ID and a new host ID. For example, a Class B network has a 16-bit default subnet mask of 11111111.11111111.00000000.00000000, or 255.255.0.0. That leaves 16-bits for the host ID. One way to divide a class B into multiple networks is to use four of the host bits as a subnet ID. There is now a 20-bit subnet mask of 255.255.240.0, and only 12-bits remain for the host ID. DIAGRAM ON BOARD Partitioning the host ID this way always results in a fixed number of subnets and a fixed number of hosts per subnet. In a situation where an organization has a Class B network with four subnets, thousands of IP addresses can be wasted if some of the subnets have only a few hosts in them. To use IP addresses more efficiently, Classless Inter-Domain Routing (CIDR) was created. With CIDR, there are no more network classes. CIDR uses variable length subnet masks (VLSM) for subnetting. The network ID no longer has to be on an octet boundary. In a classed addressed system, the network represented by the IP address 192.168.5.0 is a class C network address. The minimum number of bits that can make up the network ID is 24 and the maximum number of hosts is 254. Using CIDR addressing, sometimes referred to as classless addressing, the number of bits that can make up the network ID is not restricted by class. Networks can be created that use the 192.168.0.0 address space with fewer than 24 bits indicating the network number. For example the address 192.168.82.174 is part of a network in which the first 18 bits make up the network ID. The network that this host is in would be specified as 192.168.64.0/18, where the /18 indicates an 18-bit subnet mask (255.255.192.0).

4.1.2 Subnetting a Network

The customer network using the single ISR is badly overloaded. The proposed solution is to add a second networking device, a larger ISR, and to divide the single network into two separate networks. For security purposes, the wireless and wired users need to be on separate local networks. The original wireless integrated router can provide the wireless users with connectivity and security. The hubs connecting the wired users can connect directly to the new ISR switch ports. Some ISRs do not have integrated switch ports, so it is necessary to add a separate switch to support the wired users. During the 1990s, many networks had no connection either to other networks or to public Internet. In order to reduce the number of unique registered IP addresses that were assigned to organizations, the Internet Engineering Task Force (IETF) decided to reserve some of the Internet address space for use by these private networks. These blocks of addresses did not need to be able to be routed over the public Internet. This meant that all private networks could make use of the same addresses, and so long as they did not connect to each other, communication could occur normally. A single Class A address, 10.0.0.0 was reserved for private use. Some Class B and Class C address space was also set aside for private networks.

Most networks today use a private address structure. Only the devices that connect directly to the Internet are assigned registered Internet routable addresses. By default, most consumer networking devices give out private addresses through DHCP.

4.1.3 Classful Subnetting

A classed IP address hierarchy has two levels: a network and a host. In classful routing, the first three leading bit values determine whether an IP address is either class A, B, or C. After an address is identified by class, the number of bits that make up the network ID and the number of bits that make up the host ID are known. Default subnet masks are used to tell the network and host bits apart. Subdividing a network adds a level to the network hierarchy. Now there are three levels: a network, a subnetwork, and a host. How are these three levels identified? In classful addressing, the number of network bits is fixed. There are 8 bits that designate a Class A network, 16 bits for a Class B, and 24 for a Class C. That leaves the host bits as the only part of the IP address with any flexibility to modify. The available host bits can be divided into a subnet identifier ID and a host ID. The decision about how many host bits to use for the subnet ID is a big planning decision. There are two considerations when planning subnets: the number of hosts on each network, and the number of individual local networks needed. The table for the subnet possibilities for the 192.168.1.0 network shows how the selection of a number of bits for the subnet ID affects both the number of possible subnets and the number of hosts that can be in each subnet.

4.1.4 Custom Subnet Masks

Routers distinguish between networks by using the subnet mask to determine which bits make up the network ID and which bits make up the host portion of the address. When a
network is partitioned, the router needs a modified or custom subnet mask to distinguish the subnets from each other.

A default subnet mask and a custom subnet mask differ from each other as follows: Default subnet masks only change on octet boundaries. For instance, the default subnet mask for a Class A network is 255.0.0.0. Custom subnet masks take bits from the host ID portion of the IP address and add them to the default subnet mask.
To create a custom subnet mask, the first question to answer is how many bits to take from the host ID to add to the subnet mask.

The number of bits for a subnet ID that will be added to the subnet mask depends on several factors. In this example, those factors have been limited for the sake of simplicity. Not all situations will be so simple. For instance, in an organization assigned a Class C address, what if there are multiple networks, one network with 7 hosts, another with 60 hosts, and a third with 34 hosts? In classed subnetting, all subnets must be the same size, which means that the minimum number of hosts that each subnet must support is 60. To support a minimum number of 60 hosts, at least 6 bits are required in the host ID, which leaves 2 bits for the subnet identifier. Under these conditions, four subnets can be created, each with 64 hosts. Devices on the network are informed of the subdivision by the use of the subnet mask. Now, it is possible to tell what subnet an IP address is in and to design simple classful subnetted IP address schemes.

In a base Class C network, there are 24 bits in the network portion of the address and 8 bits in the host portion of the address. Each bit in a binary IP address has only one of two possible values, a 0 or a 1. The number of host addresses is calculated by using the power of 2. Therefore, the number of host addresses available using an 8-bit address is 2^8, or 2x2x2x2x2x2x2x2. With an 8-bit host ID, there is one network with 254 possible host addresses. If a Class C network is subnetted and 3 bits are taken from the host ID to use for the subnet ID, there are 5 bits left for host addresses. Five host bits mean that there can be 30 hosts per subnet, or 2^5 - 2. Remember that the all-zeros and all-ones host addresses are reserved for the network designation and the broadcast address. The number of subnets is calculated in a similar manner. If 3 bits are used for the subnet address, the number of subnets is 2x2x2, or 2^3. By subnetting in this manner, there are 8 subnets with 30 hosts each. When determining how many hosts are needed in each subnet, it is necessary to include the router interface as well as the individual host devices. Each router interface must have an IP address in the same subnet as the host network attached to it.

4.1.5 Communicating between Subnets

Think of a subnet as a small network. When a network is split into two subnets, there are actually two separate networks. Remember that routers connect networks. In order for a device in one subnet to communicate with a device in the other, a router is required. In this particular network, there are two routers: the wireless ISR and the 1841 ISR.

The configuration must ensure that interfaces on routers that connect to each other are assigned IP addresses in the same network or subnet, and that clients are assigned default gateways that they can reach. The interface that connects the wireless ISR to the 1841 ISR must be on a common network. Here the common link shows the two routers connected on the 192.168.1.16/29 subnet with IP addresses 192.168.1.17/29 and 192.168.1.18/29.

What can you gather from the customer subnet mask of 255.255.255.248? 1. 192.168.1.0 has been subnetted 2. That five bits were borrowed 255.255.255.1111100 = 248 There are 6 IP addresses listed. How many SUBnetworks are being used? 3 Subnet work x.x.x.0 .8 .16 .24 .32 .40 1st useable address .1 .9 .17 .25 .33 And so on Range .1-.6 .9-.14 .17-.22 .25-.30 .33-.38 Last useable address .6 .14 .22 .30 .38 Broadcast address .7 .15 .23 .31 .49

4.1.6 IPv6
CIDR and private IP addressing were developed to provide a temporary solution to the problem of IP address depletion. These methods, though useful, did not create more IP addresses. IPv6 does that. IPv6 was first proposed in 1998 with RFC 2460.

Although its primary purpose was to solve IPv4 IP address depletion, there were other good reasons for its development. Since IPv4 was first standardized, the Internet has grown significantly. This growth has uncovered advantages and disadvantages of IPv4, and the possibility for upgrades to include new capabilities. A general list of improvements that IPv6 proposes are: More address space Better address space management Easier TCP/IP administration Modernized routing capabilities Improved support for multicasting, security, and mobility The development of IPv6 intends to address as many of these requests and problems as possible. With IPv6, IP addresses are 128-bits in size with a potential address space of 2^128. In decimal notation, that is approximately a 3 followed by 38 zeroes. If IPv4 address space was represented by the volume of a teaspoon, IPv6 address space would be represented by a volume almost equivalent to the planet Saturn. Working with 128-bit numbers is difficult, so the IPv6 address notation represents the 128 bits as 32 hexadecimal digits, which are further subdivided into eight groups of four hexadecimal digits, using colons as delimiters. The IPv6 address has a three-part hierarchy. The global prefix is the first three blocks of the address and is assigned to an organization by an Internet names registry. The subnet and the Interface Identifier (ID) are controlled by the network administrator. Network administrators will have some time to adjust to this new IPv6 structure. Before the widespread adoption of IPv6 occurs, network administrators still need a way to more efficiently use private address spaces.

4.2 NAT and PAT

4.2.1 Basic Network Address Translation (NAT)
Network Address Translation (NAT) allows a large group of private users to access the Internet by sharing a small pool of public IP addresses. Address translation is similar to how a telephone system works in a company. As a company adds employees, at some point, they no longer run a public phone line directly to each employee's desk. Instead, they use a system that allows the company to assign each employee an extension number. The company can do this because not all employees use the phone at the same time. Using private extension numbers enables the company to purchase a smaller number of external phone lines from the phone company. NAT works similarly to a company phone system. Saving registered IP addresses is one of the main reasons that NAT was developed. NAT can also provide security to PCs, servers, and networking devices by withholding their actual IP host addresses from direct Internet access. The main advantage of NAT is IP address reuse, and the sharing of globally unique IP addresses between many hosts from a single LAN. NAT also serves users transparently. In other words, they do not need to know about NAT to get on the Internet from a private network. Finally, NAT helps shield users of a private network against access from the outside. NAT does have some disadvantages, including: The impact of NAT on certain applications that have IP addresses in their message payload. These IP addresses must be translated as well, which increases load on the router CPU. This extra workload on routers hinders network performance. NAT hides private IP addresses from public networks. It performs like access control which can be desirable, but can also be bad if legitimate remote access from the Internet to a device on the private network is desired.

4.2.2 IP NAT Terms

When configuring NAT on a router, the following terms help understand how the router accomplishes NAT. The inside local network refers to any network connected to a router interface that is part of the privately addressed LAN. Hosts on inside networks have their IP addresses translated before they are transmitted to outside destinations. The outside global network is any network attached to the router that is external to the LAN and that does not recognize the private addresses assigned to hosts on the LAN. An inside local address is the private IP address configured on a host on an inside network. It is an address that must be translated before it can travel outside the local network addressing structure. An inside global address is the IP address of an inside host as it appears to the outside network. This is the translated IP address. The outside local address is the destination address of the packet while it is on the local network. Usually this address is the same as the outside global address. An outside global address is the actual public IP address of an external host. The address is allocated from a globally routable address or network space.

4.2.3 Static and Dynamic NAT

One of the advantages of using NAT is that individual hosts are not directly accessible from the public Internet. But what if one or more of the hosts within a network are running services that need to be accessed from Internet connected devices, as well as devices on the local private LAN?

One way to provide access to a local host from the Internet is to assign that device a static address translation. Static translations ensure that an individual host private IP address is always translated to the same registered global IP address. It also ensures that no other local host will be translated to the same registered address. Dynamic NAT occurs when a router is configured to assign an IP address from an available pool of outside global addresses to an inside private network device. As long as the session is open, the router watches for that inside global address and sends acknowledgments to the initiating inside device. When the session ends, the router simply returns the inside global address to the pool. Dynamic NAT allows hosts assigned with private IP addresses on a network, or intranet, to access a public network, such as the Internet. Static NAT allows hosts on the public network to access selected hosts on a private network. This means that when configuring NAT for user access to the outside, configure dynamic NAT. If a device on the inside network needs to be accessible from the outside, use static NAT. Both NAT methods can be installed at the same time if it is required.

4.2.4 Port-Based Network Address Translation (PAT)

When an organization has a very small registered IP address pool, or perhaps even just a single IP address, it can still enable multiple users to simultaneously access the public network with a mechanism called NAT overload, or port address translation (PAT). PAT translates multiple local addresses to a single global IP address. When a source host sends a message to a destination host, it uses an IP address and port number combination to keep track of each individual conversation with the destination host. In PAT, the gateway translates the local source address and port combination in the packet to a single global IP address and a unique port number above 1024. Although each host is translated into the same global IP address, the port number associated with the conversation is unique. Responding traffic is addressed to the translated IP address and port number used by the host. A table in the router contains a list of the internal IP address and port number combinations that are translated to the external address. Responding traffic is directed to the appropriate internal address and port number. Because there are over 64,000 ports available, a router is unlikely to run out of addresses, which could happen with dynamic NAT. Since the translation is specific to the local address and local port, each connection, which generates a new source port, requires a separate translation. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026. The translation is only in place for the duration of the connection, so a given user does not keep the same global IP address and port number combination after the conversation ends. Users on the outside network cannot reliably initiate a connection to a host on a network that uses PAT. Not only is it impossible to predict the local or global port number of the host, but a gateway does not even create a translation unless a host on the inside network initiates the communication.

4.2.5 IP NAT Issues

Most of the time, NAT operates invisibly. People access the Internet from private networks without ever realizing the work that the router is doing to make that happen. The big issue with NAT is the additional work load necessary to support IP address and port translations. Some applications increase the work load of the router because they embed an IP address as part of the encapsulated data. The router must replace the source IP addresses and port combinations that are contained within the data, as well as the source addresses in the IP header.

With all this activity taking place in a router because of NAT, its implementation in a network requires good network design, careful selection of equipment, accurate configuration and regularly scheduled maintenance. As a protocol that supports IPv4, NAT has helped to delay the complete depletion of the IPv4 address space. It has become so commonplace in integrated networking devices, used in homes and small businesses, that for some people, configuring it is a matter of selecting a check box. As business grow and they require more sophisticated gateway and routing solutions, device configurations for NAT and other features and functions, become more complex.