This first part of this chapter gets into the binary nuts and bolts of IP addresses. One stress is on understanding IP addresses, classful vs. classless addresses, dotted quad notation, subnet masks, etc. The real focus is on being able to supernet, subnet and summarize routes in your head, and do it quickly. The author conveys the idea that the CCIE candidate needs to be able to answer questions relating to IP addressing automatically, i.e. perform the sorts of mental gymnastics that one needs to do easily.
So okay…off to my point-by-point review of all the important stuff in the chapter:
- IP address facts: 32 bit binary number; written as dotted quads in decimal format; a subnet/network/prefix all have the same connotation
- Classful addresses were defined by RFC 791. In its original context, a classful address had 2 portions – the network portion and the host portion.
A =/8’s (1-126)
So a Class A would have 8 bits for the network portion, and 24 bits for the host portion. A Class B would have 16 bits for the network portion and 16 b its for the network portion, etc.
- You can divide classful blocks into subnets to allow for more efficient use of the address space. That introduces a third portion to the network address, known as the subnet. So now we have a network portion (the classful part), subnet portion (the sub-chunk of the classful block your using), and the host portion.
- Classless addressing is pretty much the same thing, only we’re throwing out RFC 791. Therefore, we end up with 2 portions of an address (which is how most of us normal people think about it anyway): the prefix portion and the host portion. Typical classless IP notation uses a / numeric at the end of the address to signify how long the prefix is. So a 192.168.100.0/24 indicates that the subnet portion is 24 bits long (or a 255.255.255.0 mask if you’re still not getting this.)
- The author makes a brutally obvious point here, but it’s one worth reiterating. You have to know IPv4 addressing forwards and backwards, inside out. You need to look at any given IP notation, say 10.23.21.0/19 and know by gut instinct what the network is, what the broadcast is, how many networks you could get, and how many hosts in the network. Or if not by gut instinct, be able to compute that really really fast, preferably in your head. And then he goes into a bunch of examples of how to do this. I’m not going to take the time to regurgitate those examples here. I came up with a method that worked for me back in the CCNP/CCSP days, and it’s served me adequately, so I’ll stick with it. However, I’m rusty, so I need to practice. I’ll throw some examples so you know how I think about subnetting.
- 10.1.0.0/16 = 10.1.255.255 broadcast, total hosts = (256*256)-2=65534 (you lose 1 host to the network at the top of the range, and 1 to the broadcast address at the bottom of the range)
- 10.1.0.0/17 = 1 split in the 3rd octet, and therefore 2 networks broken into 128 sized chunks.
- 10.1.0.0/17 = 10.1.127.255 broadcast, total hosts = (256*128)-2 = 32766
- 10.1.128.0/17 = 10.1.255.255 broadcast, total hosts = (256*128)-2 = 32766
- 10.1.0.0/18 = 2 splits (i.e. 1 split of 2, and then those 2 each split into 2 themselves) in the 3rd octet, and the number of networks increases by a power of 2. So now we have 4 networks broken into 64 sized chunks.
- 10.1.0.0/18 = 10.1.63.255 broadcast
- 10.1.64.0/18 = 10.1.127.255 broadcast
- 10.1.128.0/18 = 10.1.191.255 broadcast
- 10.1.192.0/18 = 10.1.255.255 broadcast
- Note in the above examples how tidily this splits up, by 2’s, and the network and broadcast values from the previous split show back up again. Use the solarwinds.net free subnet calculator as a quick way to visualize this and to check your work.
- The author also mentions that given something obscure like 220.127.116.11/27, you’d need to figure out what subnet that was in. So…using my method (which may not work for you, I realize), then you’d know that we’ve got a /24 split into 8 subnets (25 = 1 spilt/2 subnets, 26 = 2 splits/4 subnets, 27 = 3 splits/8 subnets). The split boundaries are on the 32’s (/25 = 128’s, /26 = 64’s, /27’s = 32’s), so the networks are 18.104.22.168/27, 22.214.171.124/27, 126.96.36.199/27, etc. We’ve gone far enough at this point, because we know that 188.8.131.52/27 falls into the 184.108.40.206/27 network, which has 30 hosts and a broadcast address of 220.127.116.11. Hooray!
- To be fair, don’t let me kid you into thinking that what the author does is radically different from what I’m doing. It isn’t. But he dabbles in binary and powers of 2 quite a bit. That’s good, from the standpoint of understanding the mechanics of what’s going on. After all, an IP address ISN’T a dotted quad decimal number as far as the computer is concerned. It’s really a 32-bit binary. Knowing the rules about 1’s filling from left-to-right consecutively and so on make better sense if you understand the binary arithmetic makes better sense as well. But I’d rather not have to think about the binary at all if I can get around it. It just takes too much time.
- You might also want to know how to convert one octet (one fourth of a dotted quad) from binary to decimal. Okay. Think of the octet in binary – what is it – 8 bits, right? 8 bits in a row. So how to we convert that to decimal? A crude but effective way is to think of each 8 bits as a switch representing a decimal number. The represented numbers are as follows:
128 64 32 16 8 4 2 1. If the switch is “on” (binary “1”), then add the number. If the switch if is “off” (binary “0”), then don’t add the number. So, let’s do an easy one. You’ve got binary 00010001. We’d add 16+1, and get decimal 17. How about 11100000? You’d add 128+64+32 and get 224. Make sense? That can bail you out if your brain starts to cramp up on a test and you’re not confident of your answer – you can check yourself this way, and write it down in a way where there’s no doubt that you’re right. The catch is that it’s pretty time-consuming, so you should use this only as a safety net.
- Moving on a bit from the mathematics behind subnetting, the author makes a key point that so many organizations (in my experience) miss. That is, a network engineer who can plan a network would logically assign a large block to a region of the network such that he could take advantage of summarization. Summarization is the idea that rather than advertise every single little block you have out on your network, you can summarize a whole bunch of blocks into a single, summary route advertisement. Let’s say you want to use 10.1.0.0/16 for your NYC office. And in NYC, you spit that range up into 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24 and so on. Well, you could advertise every one of those /24’s back into your network core as-is. Or…you could advertise a single 10.1.0.0/16 route into your core that basically says “Hey, if you want to hit any net in 10.1.0.0/16, send your traffic on up to NYC.” Then when that traffic get to NYC, your NYC routers will know the grubby details of each /24 and how to route it appropriately. So, summarizing is good because it makes for neater routing tables and less processing overhead on the part of a router.
- If you use this strategy of assigning larger blocks in this way, the author mentions a strategy for breaking up that large block into subnets. He makes the point to break up the block such that the largest sized networks come from the beginning of the block, smaller sizes further down, and the very smallest size blocks (say /30’s for point to point links) are at the tail end of your block. That gives you flexibility and room for growth, plus allows for neat boundaries.
- You need to know how to best (most efficiently) summarize routes. So, given a series of blocks, you have to be able to look at it and determine what larger blocks these could be grouped into with a shorter prefix. For example, 192.168.96.0/24 and 192.168.97.0/24 could be summarized as 192.168.96.0/23. Several pages are devoted to the idea of how to summarize routes when you can “burn” subnets that might not be in use, and when you have to summarize ONLY the routes that are listed – no “burning” allowed.
- Moving on, we get to CIDR – “classless interdomain routing”. CIDR is the idea of subnetting and supernetting with no particular care for classful rules. (In other words, how you’ve probably been networking for most of your career.) The drive behind CIDR was to make the Internet routing tables smaller. (What with the 190K+ routes in my BGP routers, we could do with a bit more supernetting.)
- Private address space (RFC1918) are blocks of addresses that have been reserved for non-Internet use. Anyone can use them, but they aren’t routable over the Internet. The blocks are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. So to use them on the Internet, you need to NAT (network address translate) them to something public. RFC1918 address space coupled with NAT saved the Internet from running out of available addresses. Well, it stemmed the tide for several years anyway. They keep telling us that we’ll all be using IPv6 at some point. I’m sure that day will come, but it doesn’t seem like it will be soon.
- Let’s talk NAT (RFC1631). Cisco routers NAT, and you should know how to do this. At a simple level, NAT occurs when a packet matching NAT criteria flows between an interface labeled “ip nat inside” to a packet labeled “ip nat outside”. The criteria is defined by ip nat statements in the router that say what source addresses should be NAT, and what they should be NAT to. Then the router keeps a NAT translation table in memory, so that when return traffic comes back, the router knows how to un-NAT the traffic and forward it on.
- An “inside local” address is the real address of the host inside your network. In other words, the address that’s assigned to the machine if you were to look at the IP stack address properties.
- An “inside global” address is the NAT address of the host inside your network. This is the address that the rest of the world THINKS your host is, because you NAT the host.
- “outside local” and “outside global” have the same idea, but think of the traffic flowing from outside to in, instead of inside to out. Read more about this here if you’d like to grab at this concept a bit more. Remember that “local” is how things look from the perspective of the cloud “inside” the NAT router. “Global” is how things look from the perspective of the cloud “outside” the NAT router. That doesn’t mean you can’t get it all confused in your head, but it should be straightforward enough.
- “ip nat inside” – interface command for the inside interface.
- “ip nat outside” – interface command for the outside interface.
- “ip nat inside source static 192.168.14.15 18.104.22.168” would statically NAT 192.168.14.15 on the inside to 22.214.171.124 on the outside network. Static is a “one-to-one” NAT – only this inside address will get translated to only that outside address.
- “show ip nat translations” will show you the inside local/global and outside local/global NAT translations.
- It might occur to you that one to one static NAT mappings isn’t the best way to run a railroad, and you’d be right. The better way is to use dynamic NAT. The idea behind dynamic NAT is that you can give the router a pool of addresses, and then let the router figure out on-the-fly what inside address to NAT to what outside address he’s got available in the pool. That works just as long as you have enough addresses in the pool. And so now you’re thinking – “What if I have only one address available from my ISP to NAT to? And I have to NAT my whole company to that one address? What then?” Well, that’s what we call dynamic NAT with overload or PAT – Port Address Translation. Overloading/PAT allows you to NAT a whole bunch of inside addresses to a single outside address. The way this happens is that the TCP/UDP ports are ALSO translated, not just the IP address. In this way, the router can track a whole bunch of inside hosts and NAT them based on what ports he has available on the outside address he’s NAT’ting to. So, your inside source address AND port get NAT, thus overloading or PAT.
- “ip nat pool myoutside 126.96.36.199 188.8.131.52 netmask 255.255.255.252” creates a pool with a couple of addresses.
- “ip nat inside source list 1 pool myoutside” tells the router to NAT all the inside addresses defined by access-list 1 to the pool addresses from “myoutside”. (This is NOT PAT!)
- “ip nat inside source list 1 int s0/0 overload” tells the router to NAT all the inside addresses defined by access-list 1 to the IP address assigned to interface Serial0/0, and to use PAT.
- “clear ip nat translations *” blows away the NAT translation, which in a practical sense means that you’ll briefly interrupt everyone’s traffic flow through the router – use with caution.