Routing – the point of a subnet mask on a local network

iprouterroutingsubnetswitch

I have a question regarding subnet masks and my understanding (or misunderstanding of them).

So when a subnet mask is used, a bitwise AND is performed using the subnet mask and the IP address(es). Traffic is exchanged (routed) between subnetworks with special gateways (routers) when the routing prefixes of the source address and the destination address differ. A router constitutes the logical or physical boundary between the subnets.

OK so far. But surely on everything has to be sent to a router/switch anyway right? So why do you need to have the subnet mask on your computer? If all data goes through the router, surely it is only the router that needs to have the subnet mask on it?

Best Answer

What a mask does is to define the separation between the network portion of an address, and the host portion of an address. IPv4 lets you slide these two pieces around to get a network which has enough host addresses to match your needs. This answer may help you to visualize this.

You can also use shorter masks to aggregate or summarize networks. This allows you to advertise a single route instead of a bunch of smaller routes.

But surely on everything has to be sent to a router/switch anyway right? So why do you need to have the subnet mask on your computer? If all data goes through the router, surely it is only the router that needs to have the subnet mask on it?

Not everything needs to be sent to a router. Traffic destined for the same network will never go through the router. Switches don't count since they don't participate in layer-3, where IP is.

When a host wants to send something to another host, it masks the destination address to see if it is on the same network as itself. If it is, it just sends the traffic directly to the host on the same network. If the destination is on another network, it sends the traffic to its configured gateway. It does this using layer-2 (e.g. MAC) addresses, not by changing the destination IP address.

With IPv6, you basically have a single network size (/64), so much of address manipulation is easier.

Related Solutions

Cisco Routing – Show IP Route Shows Interface with /32 Subnet Mask

Assigning a /32 to an interface that connects to something else doesn't make any sense. You can assign the /32 to a loopback interface:

interface Loopback0
 ip address 192.168.1.1 255.255.255.255

If you want to assign the 192.168.10.1 address to the GigabitEthernet0/0 interface which uses 192.168.10.0/24:

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0

This results in the network 192.168.10.0/24 entry in the routing table as a connected route (C). I suppose it depends on the IOS version, but you can also get a local (not link local which is something else, entirely) route to the specific (/32) address assigned to an interface in your router. My IOS does this. The version you have doesn't show the L in the codes, whereas mine does as the first entry:

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

IPv6 – Why IPv6 is Needed

Two things are getting confused here:

classful addressing vs CIDR
Masquerading / NAT

Going from classful addressing to Classless Inter Domain Routing (CIDR) was an improvement that made the address distribution to ISPs and organisations more efficient, thereby also increasing the lifetime of IPv4. In classful addressing an organisation would get one of these:

a class A network (a /8 in CIDR terms, with netmask 255.0.0.0)
a class B network (a /16 in CIDR terms, with netmask 255.255.0.0)
a class C network (a /24 in CIDR terms, with netmask 255.255.255.0)

All of these classes were allocated from fixed ranges. Class A contained all addresses where the first digit was between 1 and 126, class B was from 128 to 191 and class C from 192 to 223. Routing between organisations had all of this hard-coded into the protocols.

In the classful days when an organisation would need e.g. 4000 addresses there were two options: give them 16 class C blocks (16 x 256 = 4096 addresses) or give them one class B block (65536 addresses). Because of the sizes being hard-coded the 16 separate class C blocks would all have to be routed separately. So many got a class B block, containing many more addresses than they actually needed. Many large organisations would get a class A block (16,777,216 addresses) even when only a few hundred thousand were needed. This wasted a lot of addresses.

CIDR removed these limitations. Classes A, B and C don't exist anymore (since ±1993) and routing between organisations can happen on any prefix length (although something smaller than a /24 is usually not accepted to prevent lots of tiny blocks increasing the size of routing tables). So since then it was possible to route blocks of different sizes, and allocate them from any of the previously-classes-A-B-C parts of the address space. An organisation needing 4000 addresses could get a /20, which is 4096 addresses.

Subnetting means dividing your allocated address block into smaller blocks. Smaller blocks can then be configured on physical networks etc. It doesn't magically create more addresses. It only means that you divide your allocation according to how you want to use it.

What did create more addresses was Masquerading, better known as NAT (Network Address Translation). With NAT one device with a single public address provides connectivity for a whole network with private (internal) addresses behind it. Every device on the local network thinks it is connected to the internet, even when it isn't really. The NAT router will look at outbound traffic and replace the private address of the local device with its own public address, pretending to be the source of the packet (which is why it was also known as masquerading). It remembers which translations it has made so that for any replies coming back it can put back the original private address of the local device. This is generally considered a hack, but it worked and it allowed many devices to send traffic to the internet while using less public addresses. This extended the lifetime of IPv4 immensely.

It is possible to have multiple NAT devices behind each other. This is done for example by ISPs that don't have enough public IPv4 addresses. The ISP has some huge NAT routers that have a handful of public IPv4 addresses. The customers are then connected using a special range of IPv4 addresses (100.64.0.0/10, although sometimes they also use normal private addresses) as their external address. The customers then again have NAT router that uses that single address they get on the external side and performs NAT to connect a whole internal network which uses normal private addresses.

There are a few downsides to having NAT routers though:

incoming connections: devices behind a NAT router can only make outbound connections as they don't have their own 'real' address to accept incoming connections on
port forwarding: this is usually made less of a problem by port forwarding, where the NAT routed dedicates some UDP and/or TCP ports on its public address to an internal device. The NAT router can then forward incoming traffic on those ports to that internal device. This needs the user to configure those forwardings on the NAT router
carrier grade NAT: is where the ISP performs NAT. Yyou won't be able to configure any port forwarding, so accepting any incoming connections becomes (bit torrent, having your own VPN/web/mail/etc server) impossible
fate sharing: the outside world only sees a single device: that NAT router. Therefore all devices behind the NAT router share its fate. If one device behind the NAT router misbehaves it's the address of the NAT router that ends up on a blacklist, thereby blocking every other internal device as well
redundancy: a NAT router must remember which internal devices are communicating through it so that it can send the replies to the right device. Therefore all traffic of a set of users must go through a single NAT router. Normal routers don't have to remember anything, and so it's easy to build redundant routes. With NAT it's not.
single point of failure: when a NAT router fails it forgets all existing communications, so all existing connections through it will be broken
big central NAT routers are expensive

As you can see both CIDR and NAT have extended the lifetime of IPv4 for many many years. But CIDR can't create more addresses, only allocate the existing ones more efficiently. And NAT does work, but only for outbound traffic and with higher performance and stability risks, and less functionality compared to having public addresses.

Which is why IPv6 was invented: Lots of addresses and public addresses for every device. So your device (or the firewall in front of it) can decide for itself which inbound connections it wants to accept. If you want to run your own mail server that is possible, and if you don't want anybody from the outside connecting to you: that's possible too :) IPv6 gives you the options back that you used to have before NAT was introduced, and you are free to use them if you want to.

Best Answer

Related Solutions

Cisco Routing – Show IP Route Shows Interface with /32 Subnet Mask

IPv6 – Why IPv6 is Needed

Related Topic