Foundation Topics


IP Subnetting

IP subnetting is the means by which IP networks are addressed. It refers to the IP Layer 3 address, but it also refers to how one large IP network address is subdivided into many smaller network addresses. This section introduces the concept of addressing. It explains the need for a Layer 3 address in a routed network and the relationship between a Layer 3 and a Layer 2 network address. Against this background, the section explains IP addressing and how to address an entire organization with many networks from one unique network address.

The Need for Layer 3 Addressing

A Layer 3 address is a logical address sitting on top of a physical network structure. Its importance is in its ability to direct traffic and thus overcome the need for broadcasts, which can cause problems for a switched environment. A Layer 2 (switched) network cannot control or limit broadcasts, which can therefore saturate the available bandwidth. The resulting congestion results in slow response times and the loss of sessions.

A Layer 3 address allows network traffic to be directed to its destination. In fact, the purpose of any address is to find a specific location, whether it is the address of a restaurant or the company e-mail server. The location is found because every address is hierarchical; just as a restaurant is in a city, on a street, at a street number, the e-mail server is on a network at a host number.

Network Structures and Data Flow

For data to be sent to its destination, the underlying physical structure, or wiring, should support the logical structure, or the Layer 3 addressing. This structure also should reflect the organizational data flow. It would make sense for servers to be accessible to departments that share information and for the physical wiring and logical addressing to support this sharing of resources. Therefore, the servers might be physically adjacent and on the same IP subnet. Both the physical and the logical structure of the network should support the organizational data flow because without this structure, application data can wander throughout your network inefficiently, clogging up available bandwidth.

The Network and How It Is Addressed

Layer 3 provides the capability to logically address the network. To appreciate fully the power and purpose of the Layer 3 address, it is important to understand the meaning of the term network (as defined by Layer 3).

A network address has two parts : the network and the host portions. The host portion of the address identifies the individual device within a group. The network portion identifies a group of individual devices.

Unfortunately, the term network is used loosely; although it is often defined, the term is seldom understood . In addition, the term network appears in several different contexts, compounding the confusion created for the user .

It is increasingly important to have an accurate definition of a network because new technologies, such as VLANs and Layer 3 switching, have blurred the distinctions between the different layers of the OSI model.

Layer 3 switching and VLANs are a technology that use an intelligent switch to distinguish between different logical networks at Layer 3. It is possible, therefore, to transfer data at great speed in hardware, because no routing decisions need to be made. If data needs to be transferred between logical networks, a routing decision at Layer 3 needs to be made, which will take longer.

The following list outlines the various uses of the term network :

  • The piece of wire or physical medium to which a group of devices are connected. This is more accurately defined as a segment.

  • A Layer 3 network.

  • The LAN.

  • The corporate or organizational network.

For our purposes, the term network refers to the Layer 3 network.

Layer 3 Network Characteristics

A Layer 3 address is a logical address imposed on a physical network with physical addresses hardcoded into the devices. The logical address is one that is created by the administrator to allow data to be directed through the network to the remote destination. A Layer 3 address comes in two parts, the network and the host. The network portion of a Layer 3 address is a border chosen by an administrator to group end devices. This group is given an identifier or label, which is the network number.

A Layer 3 network address has the following characteristics:

  • The network number defines a group of end devices or hosts and labels the group with a network number.

  • The address is hierarchical, which allows decisions to be made on groups of devices.

  • The devices running the Layer 3 protocol do not forward broadcasts.

  • The group address combined with the unique membership number for that group identifies the end device. This is the host address.

  • Although the identifier for the end device might not be unique to the organization, it will be unique to the group or network.

  • If the addressing is carefully planned and the addressing scheme allows, groups can be consolidated (cities into states, states into countries, countries into continents, for example). The networks logically grouped together under one administrative control, such as a company, are called an autonomous system.

An Analogy for Understanding the Concept of a Network

Administrative lines, or borders, are drawn between one city and another, between one state and another, and even between countries. These borders serve the same purpose as the network portion of a Layer 3 address; that is, they allow rules to be placed on a group of end systems (in the geographic analogy, humans ).

With a logical Layer 3 address, the network can direct traffic to specific devices. Routing tables, which are lists of networks held in routers, serve as maps and road signs.

It is very important to plan carefully the placement of these boundaries to ensure the geographic proximity of the end devices or hosts. After boundaries are defined, they seldom change. This is not to say that they cannot change; indeed, historically, boundaries between cities, states, and countries have been redefined, but not without careful thought and the possibility of some transitional trauma. With the emergence of VLANs, however, it is easier to change a network boundary.

Layer 3 to Layer 2 Conversion

Although it is important to understand the need for a Layer 3 address, it becomes much easier to understand in the context of host-to-host communication. This requires a brief journey back to the OSI seven-layer model.

When an end system or host decides to send data to another system, certain things have to happen. The application generates the data and hands it down the stack until the Layer 3 address and packet header is added. The appropriate Layer 2 adds the header and Layer 2 address, which is an address with no hierarchy; that is, it is a flat address. No hierarchy is needed because the destination machine is either directly connected to the same medium or on the same technology, such as Frame Relay. The Layer 2 sends the frame to the physical layer, where it is transmitted to the destination end device.

On receiving the incoming bits, the destination system will buffer the bits until a frame is assembled . Layer 2 will ask the following questions and perform the following tasks :

  • Is the frame valid?

  • Does it pass the cyclic redundancy check (CRC)?

  • Is it too small or too big?

  • Is the frame addressed to this device (at Layer 2)?

  • For which Layer 3 protocol is the frame destined (for example, IP and IPX)?

  • Is that Layer 3 running on the device?

  • Strip off the Layer 2 header and address.

  • Pass the packet or datagram up to Layer 3.

At this point, Layer 3 will ask the following questions and perform the following tasks:

  • Is this datagram or packet addressed to me?

  • If the packet is addressed to me, and if it has not been damaged in transit but passes the Layer 3 verification, then strip off the header and pass it up to the upper layer.

  • If the frame is not valid, then drop the frame.

  • If the packet is not addressed to this system and the system is a router, the packet is handed to the switch or routing process.

  • The router will first look in all the caches to ascertain whether packets have been forwarded to this Layer 3 address before. If this is the case, the address is likely to be cached, allowing the datagram to be switched to its next hop. If the address is not in cache, the packet is sent to the routing process to be process switched. Subsequent packets will be switched.

An IP Address

TCP/IP is unique because, although it has a fixed 32-bit address, it does not have a fixed number of bits allocated to the network or host portion of the address, in the way that AppleTalk or IPX addresses were defined. Therefore, an IP address can be read only in the context of a subnet mask.

A governing body, the Internet Assigned Numbers Authority ( IANA ,, allocates an original address. This address can be subdivided into a range of networks called subnets by reallocating the host bits as network bits. The number of bits reassigned to be network bits is dependent on the number of networks that are required. To identify how many of the address bits have been extended into the network portion of the address, a subnet mask is used.

The subnet mask defines the network portion of the address, by masking or obscuring the host portion of the address, revealing the network address. The subnet mask is therefore crucial to the ability to route traffic, as every router needs to identify the network portion of the destination address in order to forward the packet.

Unfortunately, IP network terminology is vague, and the address provided by the Internet community might be referred to by any of the following terms:

  • Address provided by the IANA

  • Classful address

  • Supernet address

  • Internet address

  • Network address

  • Major address


For the purposes of this book, the term classful address is used to refer to the unique network address given out by the IANA body. It might also be referred to as the IANA address .

The Internet community originally identified three classes of organizations:

  • Small organizations fall into Class C

  • Medium organizations fall into Class B

  • Large organizations fall into Class A

Actually, five classes of addresses are used on the Internet. The other two classes represent multicast (Class D) and experimental addresses (Class E). Routing protocols and videoconferencing increasingly use Class D addresses.

A router identifies the class of address by looking at the first few bits of the 32-bit address. When looking at the address in a decimal format, the number in the first octet reveals the class of address. This is known as the first octet rule.

Table 2-2 shows how the classes are broken up.

Table 2-2. Classes of Addresses

Class of Address

First Octet

Number of Hosts That Address Could Represent on One Network

Class A address

001 to 127

Could represent 16.77 million hosts on one network; the 127 address is reserved as a loopback address

Class B address

128 to 191

Could represent 65,534 hosts on one network

Class C address

192 to 223

Could represent 254 hosts on one network

Class D address

224 to 239

Not relevant

Class E address

240 to 254

Not relevant

The Internet Authoritative Bodies

The Internet community assigns an organization with a unique binary pattern or classful address. The group within the Internet community responsible for allocating unique classful networks has changed over the years . Originally, the government- funded IANA assigned numbers and was, until recently, commercially administered by Networks Solutions of Herndon, Virginia. On November 25, 1998, the Internet Corporation for Assigned Names and Numbers (ICANN) was officially recognized. This global nonprofit corporation, currently managed by the U.S. government, was created to perform administrative functions for the Internet. ICANN has gradually taken over responsibility for coordinating the assignment of protocol parameters, the management of the domain name and root server systems, and the allocation of IP address space.

The growth of the Internet has led to regional organizations for the allocation of IP addresses, and under ICANN, the IANA continues to distribute addresses to the regional Internet registries.

The most recent list of these follows :

  • Regional registries:

    - Asia-Pacific Network Information Center (APNIC),

    - American Registry for Internet Numbers (ARIN),

    - R seaux IP Europ ens (RIPE),

  • Domain registration : InterNIC,

When it has possession of the classful address, an organization is responsible for determining where to place the boundary between network and host addresses and is responsible for addressing the network.

Allocating the network address bits is a straightforward task because it is simply a matter of countingcounting bits and counting in binary, but counting nonetheless. In addition, many charts can help ease the pain of binary-to-decimal translation. Although it is easy to implement, the complexity lies in the network design.

The following example illustrates how the bit allocation of a subnet address works.

An Example of Bit Allocation in a Network Address

If 10 bits are allocated to the network portion of the address, 22 bits are left to the host portion of the address. In binary, 10 bits can be used to represent 1024 distinct entities or networks (each being assigned a unique bit pattern or address). The 22 bits left to identify hosts can be used to represent four million hosts (actually, 4,194,304) on each network.

The total number of devices that can be addressed is calculated by multiplying the number of host addresses available on each network by the number of networks that can be addressed, as follows:

4,194,304 * 1,024 = 4,294,967,296

However, the administrator does not have the whole 32 bits to use. The Internet community, which manages the addresses to ensure their uniqueness, allocates a unique bit pattern to each organization that requests a connection to the Internet. This bit pattern is then used to uniquely identify the organization within the Internet.

The Subnet Mask

The way that the subnet mask extracts the network portion of the address from the whole IP address is by using a logical AND operation. Once you understand the principles of how this works, the math is easy.

The Logical AND

When an address is assigned to an interface, it is configured with the subnet mask. Although represented in a dotted decimal form, the router converts the address and mask into binary and performs a logical AND operation to find the network portion of the address.

To perform a logical AND , the IP address is written out in binary, with the subnet or Internet mask written beneath it in binary. Each binary digit of the address is then ANDed with the corresponding binary digit of the mask.

The rules of the AND operation are as follows:

  • Positive AND positive is positive.

  • Negative AND anything is negative.

This means that the following is true:

  • 1 AND 1 is 1.

  • 1 AND 0 is 0.

  • 0 AND 1 is 0.

  • 0 AND 0 is 0.

Figure 2-1 illustrates the AND logic.

Figure 2-1. AND Logic and the Subnetwork


Layer 3 can now make a decision on how to route the network number that has been revealed. The result is the removal of the host portion of the address, and the subnet address is left intact. Therefore, the host is a member of the subnet, which is the result of the logical AND converted to decimal.

With this information, the router can now perform a search on the routing table to see whether it can route to the remote network. The routing table uses the network entry that has the longest match of bits to the destination network.


The terms used to describe the mask are numerous and often vague. This book uses the term subnet mask when referring to the mask used within an organization, and it uses Internet mask or prefix mask when referring to the address allocated by ARIN.

When determining the subnet mask, certain rules must be followed. RFC 950, "Internet Standard Subnetting Procedure," outlines these rules.


You can find all RFCs online at, where xxx is the number of the RFC. If you do not know the number of the RFC, you can find it by doing a topic search at

Familiar Rules in IP Subnetting

Because originally the routing protocols could not send the subnet mask with the routing update, the first set of rules about applying IP addresses were different than they are now. For the most part, these rules still hold true. With the advent of new technology, however, it is now possible to surmount some of the previous limitations set out in RFC 950.

The earlier (and perhaps familiar) rules included the following:

  • The network bits (bits set to 1) in the subnet mask do not need to be contiguous, although they are advised to be contiguous.

  • The network bits must not be all 0s or 1s.

  • The decision on the number of bits allocated to the network is made once per classful address.

Because the original routing protocols did not send the subnet mask with the routing update, each router that received a subnet entry had to make some assumptions. The router assumed that the mask in use for the received subnet was the same as the one configured on its system.

If the subnet received in the routing update was of a different classful address (it was not configured on one of the router's interfaces), the router resolved the network address to the class address. The class of network was determined by the first octet rule . This rule uses the first few bits of the address to identify the class of address. The first octet rule is explained in more detail in the next section, "The New Subnet Rules."

When designing an IP network, you must ensure that the subnet mask is consistent in a classful network. As in a classful network, the routing protocol does not send the subnet mask in with the routing updates. If the subnet mask is not consistent, the routers might become confused and the network discontiguous .

New technology means that routing protocols can now send the subnet mask with the routing update. Therefore, the earlier rules regarding network classes do not necessarily apply.

The New Subnet Rules

Because the newer routing protocols can send the mask with the routing update, it is possible to have greater flexibility in the IP addressing design of your network. In particular, it is no longer necessary to adhere to the rule that the subnet mask can be created only once per classful network. The mask is held with the subnet in the routing table, which allows the distinction between the broadcast address and the subnet address that has been defined. This requires variable-length subnet masks (VLSM), which are described in the section titled "Variable-Length Subnet Masks." Likewise, it is no longer necessary for either the classful address or the individual organization to conform to the rules of classful routing. Classful routing occurs when the Layer 3 device observes the Internet address class boundaries of A, B, C, D, and E. It does this by using the first octet rule, as shown in the following table.

Table 2-3. The First Octet Rule

Bit Pattern

Class of Address

First Octet Range


0 to 127



128 to 191



192 to 223



224 to 239



240 to 255

A classful routing protocol does not transmit any information about the prefix length. It uses the first octet rule to determine the class of address, which is why the routing protocol cannot support VLSM. If the routing protocol is not connected to a classful network, it does not have a subnet mask, and it summarizes the address at the classful network boundary by using the first octet rule. Examples of classful routing protocols are Routing Information Protocol (RIPv1) and Interior Gateway Routing Protocol (IGRP).

The need for a subnet mask to summarize on a bit boundary other than the default provided by the first octet rule also prevents the summarization of class addresses within the Internet. However, if the routing protocol supports classless routing, there is no reason why Internet addresses cannot be summarized in the same way as subnets. As long as the address is allocated with a prefix mask to identify the network portion of the address, the IANA can hand out an address without regard for the bit boundary at Class A, B, or C.

The address must be allocated with a prefix mask to identify the network portion of the address. RFC 1812, "Requirements for IP Version 4 Routers," restricts the flexibility of the addressing slightly, however, by requiring contiguous bits to be used in the mask.

It is also possible to overcome some of the rules regarding the allocation of network and host bits, which is explained later in the chapter in the section "Rules for VLSM."

Prefix Routing/CIDR

Prefix routing, commonly known as classless interdomain routing (CIDR), is possible because of the newer routing protocols sending the subnet mask with the routing updates.

In this section, the need for CIDR and prefix routing is explained in the context of the problems experienced in the Internet with the size of routing tables. An example of how CIDR works is provided.

A Definition of Prefix Routing/CIDR

Prefix routing is just the means by which the Internet identifies the portion of the 32-bit TCP/IP address that uniquely identifies the organization. In effect, this means that the Internet can allocate a group of classful networks, represented by a single network address. This allows for prefix routing and summarization within the routing tables of the Internet. Prefix masks represent a group of TCP/IP network addresses using the method of address or subnet masks.

This aggregation of classful networks defies the old structure of Class A, B, C addressing, or classful addressing. The aggregation of classful networks, therefore, is classless and deals with connectivity between organizations through the Internet, referred to as interdomain routing . This technology is called CIDR. Table 2-4 shows the RFCs that outline the use of CIDR in an IP network.

Table 2-4. RFCs about CIDR

RFC Number



Applicability Statement for the Implementation of Classless Inter-Domain Routing (CIDR)


An Architecture for IP Address Allocation with CIDR


Classless Interdomain Routing (CIDR) : An Address Assignment and Aggregation Strategy


Exchanging Routing Information Across Provider Boundaries in the CIDR Environment

Problems with IP Addressing and the Internet

The Internet community found that small companies that wanted to connect to the Internet with a small number of hosts (50, for example) needed a Class C address, although a Class C designation might waste a large portion of its 254 addresses.

Conversely, if an organization has more than 254 hosts but fewer than 65,534 hosts, the Internet must either waste a large number of addresses by allocating a Class B address or provide multiple Class C addresses. RFC 1466, "Guidelines for Management of IP Address Space," discusses the low percentage of allocated addresses in use.

The Class A, B, C address structure does not have enough granularity for today's Internet. Because the Internet has grown in popularity, this has become a pressing problem. In addition, the number of entries in the routing tables of the Internet was reaching capacity, although only a small percentage of the addresses allocated were being used. The Internet started to reclaim unused addresses, but this was obviously a short-term solution. The implementation of CIDR with prefix routing is solving both problems, as you will learn about in the next sections.

CIDR as a Solution

An organization requiring multiple Class C addresses is allocated consecutive Class C addresses. However, the organization is issued only one address (representing the multiple addresses) for the Internet routing entry. This is achieved by pulling the network mask to the left, creating a prefix mask.

The shorter the prefix, the more generally the network is defined; the longer the prefix, the more specific the identification is. Table 2-5 visually demonstrates the use of the prefix.

Table 2-5. Table to Illustrate the Use of Prefix Masks



New Address Space


12 percent of a Class C

30 hosts


24 percent of a Class C

62 hosts


50 percent of a Class C

126 hosts


2 Class Cs

510 hosts


4 Class Cs

1022 hosts


8 Class Cs

2046 hosts


16 Class Cs

4094 hosts

The Internet IP addressing group ARIN, at, typically gives blocks of consecutive addresses to an Internet service provider (ISP) to allocate addresses to organizations that want to connect to the Internet. This reduces the routing tables even further by placing some of the address management responsibilities on the ISP.


Connecting to an ISP requires some consideration because the ISP provides the addresses used in your organization. If you change your ISP, that address space will have to be relinquished back to the issuing ISP. This requires readdressing of the local network or some software application to translate the addresses. The Network Address Translation (NAT) is offered by Cisco and is an example of one such application, though there are many different solutions on the market.

In summary, CIDR solves the problem of the excessive network resources required to manage the huge routing tables. The next section provides an example of the use of CIDR.

An Example of the Use of CIDR

It is easy to see how CIDR works when the address and the mask are written in binary, as the router processes them. The Internet community has allocated a group of Class C addresses, although they are presented as a single network. Table 2-6 shows an example of an IP address in both decimal and binary format.

Table 2-6. An IP Address and Mask Shown in Binary


Octet 1

Octet 2

Octet 3

Octet 4

IANA address in decimal




IANA address in binary





Prefix as a subnet mask in decimal




Prefix as a subnet mask in binary





If it were a standard Class C address, the mask would be By making the mask, the last three bits of the third octet essentially give the organization eight Class C networks.

Imagine that a company called CyberKit has applied for a Class C address from the Internet authorities, though the company really needs a larger address space to address its network fully. To everyone's surprise, the company has been awarded eight Class C networks. The company owners are delighted because they were expecting only one Class C address.

Figure 2-2 shows the addresses awarded to CyberKit, the use of CIDR addresses, and how prefix routing works at the binary level.

Figure 2-2. Prefix Routing and the Use of CIDR


Although eight Class C addresses are provided to the organization, they are identified to the Internet as one address:, with a prefix mask of /21, which is the subnet mask of

The organization does not have to use the addresses as Class C addresses. In accordance with the original rules, the organization can use the right-most zeroed bits however it deems appropriate.

Advantages of Prefix Routing/CIDR

Prefix routing is used to reduce the size of Internet routing tables. As explained in the preceding example, the Internet gave away the equivalent of eight Class C networks, but just one network entry appeared in the Internet's routing table. In an environment that has more than 120,000 entries in the routing table (at the time of this writing), the size of the routing table in many ISPs has peaked at 120,000 entries. This is a significant reduction in the size of the routing table (which is expressed in terms of CPU utilization, memory, and bandwidth congestion).

In addition to the advantages of the original rules of TCP/IP addressing and subnet design, there is new flexibility granted to the Internet with prefix routing. The Internet no longer needs to abide by the rules of Classes A, B, and C. As shown, with some thought, many Internet networks might be presented as one network, thus reducing the network overhead. It could be said that the Internet has summarized many networks into one network. Figure 2-3 shows the effect of using prefix routing. The Internet's routing table shows only two entries, from organization A and from organization B. This shows how the routing table within the Internet can be summarized, thus conserving resources.

Figure 2-3. Summarization of Internet Networks Using Prefix Routing


Prefix routing/CIDR or summarization achieves the same benefits in terms of the following:

  • Reduction in the size of the routing table

  • Less overhead in terms of network traffic, CPU, and memory

  • Greater flexibility in addressing the networks

An organization can use summarization for the same reason as the Internet uses it with prefix routing: to reduce network overhead. The length of the prefix in this case depends on the number of bits needed rather than the Class A, B, and C structure.


The bit pattern provided by the Internet Assigned Numbers Authority (IANA) or any of its four Regional Internet Registries (RIRs) cannot be altered . The bits to the right of the unique address given by the IANA governing body are at the disposal of the organization.

To use the power of summarization within an organization, a sophisticated routing protocol that sends the mask with the routing updates is required. The capability to move the network/host boundary is called VLSM , which you will learn more about in the next section.

Variable-Length Subnet Masks

Variable-length subnet mask (VLSM) is used within an organization instead of CIDR, which is used within the Internet. VLSMs enable you to allocate required host bits on a granular basis.

Because organizations are rarely uniform in the distribution of hosts, it is much more efficient to provide only those host bits needed to address the number of hosts on a particular network.

An Example of VLSM

Consider a company that has been given a Class B address. The company has grown and now has some satellite offices that connect via point-to-point serial lines. The remote offices have eight workstations, three printers, and a router connecting them to the outside world. The main site has a building with ten floors, and each floor has approximately 25 workstations and four printers. A server farm in the basement has three servers and two routers. In this scenario, it is impossible to create a mask that serves all these environments. If you use an older routing protocol, you will waste a considerable amount of the available address space.

VLSM requires a routing protocol that supports the sending of the subnet mask.

The following routing protocols support VLSM:

  • RIPv2

  • OSPF

  • IS-IS


  • BGP-4

Static routes could be said to use VLSM. They are often used when redistributing between routing protocols sharing an classful network when one routing protocol supports VLSM and the other does not. In these instances, the static route will define one summarized route for the non-VLSM routing protocol. This technique is also used when redistributing into BGP-4.

The following routing protocols do not support VLSM:

  • RIPv1

  • IGRP

  • EGP

Rules for VLSM

The rules for variably subnetting an IP network are remarkably straightforward. The key is to remember that a hierarchical design in the addressing scheme is the goal. The physical network design also must reflect this logical hierarchy (Chapter 3, "Designing IP Networks," discusses hierarchical design in detail). After the physical design is mapped, the logical structure can be placed on top of it.

The following rules apply when subnetting:

  • A subnet can be used to address hosts, or it can be used for further subnetting.

  • All 1s or all 0s in the subnet portion of the classful network could not originally be used, subsequently the command ip subnet-zero was introduced. It is a default setting for some Cisco equipment. If this rule has been followed, any subnet that is further subnetted does not need to obey this rule because it has already been observed .

  • The routing protocol must carry the subnet mask in its updates.

  • Multiple IP subnets intended for summarization must have the same high-order bits.

  • Routing decisions are made on the entire subnet, and the router goes from more specific to more general when making routing decisions.

The two main reasons for using VLSM are that it makes efficient use of the available addressing and it enforces a good hierarchical design, allowing summarization and documentation.

The benefits and the mechanics of VLSM are demonstrated in the following case study.

Case Study: Addressing the Network

To illustrate how VLSM works in supporting a hierarchical design and allowing summarization, this case study will break down a possible addressing scheme for a large organization.

To reassure you that it is actually a relatively easy task, a complicated example has been chosen. We will use a Class B address and create an addressing scheme for the company CyberKit.

If the Internet assigns the address, how might you address the network shown in Figure 2-4?

Figure 2-4. Hierarchical Design of a Network Topology Used to Support the Use of VLSM


The first task is to determine the number of regions , campuses, buildings , floors, and hosts on each floor. You also need to consider any anticipated growth or change in the network.

For this example, the network is comprised of the following:

  • Three regions exist, but the company has plans to expand into other areas. Any expansion will probably not exceed eight states (adequate to cover the country).

  • Within each region/state, there are no more than three campuses.

  • Within each campus, there are no more than four buildings. This number might increase, however.

  • No building has more than three floors.

  • No floor has more than 30 hosts.

With this topology and growth detailed, it is possible to start allocating bits of the network address.

Taking the address and writing out the last 16 bits, you can easily assign them to the different addressing tasks at hand. Figure 2-5 covers assigning IP addressing bits for VLSM.

Figure 2-5. Assigning IP Addressing Bits for VLSM


Consideration must be given to the subnetting rules (RFC 950 and RFC 1878, "Variable-Length Subnet Table For IPv4") that state that there must not be all 0s or all 1s in the following:

  • The Internet portion of the address

  • The host portion of the address

  • The algorithm for calculating the number of networks or hosts available is 2 n 2 (where n is the number of bits).

The subnet portion of the address used to be governed by this rule as well, but current Cisco technology allows the use of the all zero address for the subnet. The number of subnets is now calculated by the 2 n formula, where n is the number of bits by which the subnet mask was extended.

Historically, subnet zero was used by some network devices as a zero broadcast. Even today, some systems, such as Sun Solaris 4.x, have problems using subnet zero even with OSPF.

The command to enable the use of the 2 n zero subnet became the default configuration in version 12.0 of the Cisco IOS software.

However, you must still give attention to the host portion of the address. The host portion of the address must conform to the rule as defined; otherwise , it is not possible for the router to distinguish between hosts and broadcast addresses. An IP address cannot use all 0s or all 1s in the host portion of the address, because the all-0s address is used to show the subnet delimiter , and the all-1s address to broadcast to every device on the segment.

Allocating VLSM Addresses

Applying the addressing scheme designed in the preceding case study is very simple after the design has been worked out.

Taking California as the example to examine, we shall now address the entire region.

Figure 2-6 shows the bit allocation that was determined.

Figure 2-6. Bit Allocation



Remember that the case study will conform to the rule of reserving the broadcast addresses in the access layer of the network, the last level of subnetting.

Also remember that the buildings have the same bit pattern for each campus. However, this bit pattern is unique within the whole address space, because the pattern for the campus is unique and the address must be seen in its entirety.

The third host on the fourth floor of the second building in San Jose, California, will be given the address shown in Figure 2-7. The address in Figure 2-7 is represented as in dotted decimal, with a mask of

Figure 2-7. Example of How to Apply VLSM


Applying an addressing structure that uses VLSM with careful reference to the physical topology is very straightforward. When presented with a host address, it is common for people to try to determine the bit allocation working from the host address. If the addressing scheme has been well documented, network management is much easier, because as soon as the address is seen, its physical location is known. This simplifies troubleshooting, because a problem seen on a management console can be solved by member of the support staff.


This use of VLSM shows clearly that when allocating addresses in IP, it is necessary to reduce the address to binary and to disregard the octet boundary. Reducing the address to binary and disregarding the octet boundary creates a continuous set of bits to be applied as appropriate to address the network.

VLSM also enables you to allocate the required bits for addressing a particular network.

Optimizing the IP Address Space

Particularly in the use of WANs, where there is a predominance of point-to-point connections, allocating an entire subnet is very wasteful . VLSM allows refinement of the address space to exactly that which is needed and no more.

As demonstrated, dealing with VLSM to support the hierarchical design requires the consideration of the entire network topology. When using VLSM to optimize the IP address space, the network addressing can become extremely confusing if it is not clearly managed and documented.

In the preceding example, no consideration was given to the connections between the regions, campuses, and buildingsall of which could be point-to-point lines.

Now it is important to consider the last part of the network addressing, which will illustrate the use of VLSM for IP address optimization.

Assigning IP VLSM Subnets for WAN Connections

One common approach is to allocate a subnet that has not been assigned to hosts and to variably subnet it for use with connectivity between, rather than within, areas.

In reference to the case study described earlier, it would be sensible to take a subnet from the bits allocated to the buildings. Because there are enough bits allocated to address eight buildings, you have twice as many subnets as required. Even with the possibility of growth, one subnet would not be missed. Because the building bits come after the bits assigned to the campus, you must make a choice as to which campus will be selected for the honor of contributing a subnet of WAN addressing. This is an arbitrary decision that you need to document. If necessary, a building subnet can be commandeered from each campus.

If possible, the subnet you use should have nothing to do with any of the existing subnets. There is a consistency in numbering that identifies the WAN links, so in a troubleshooting environment, you can immediately see that a WAN link is causing the trouble and will not confuse the subnet (VLSM) with an existing segment.

In this example, if you use the bit pattern 000 as the network address for the building section, as well as for the campus and the region, the third octet would result in a 0. The network address for all interconnectivity would be 140.100.0. . . The last octet would be available for further subnetting with VLSM.

The subnet chosen for the WAN connections will be subnetted further using 30 bits of subnetting. This allows for only two hosts and is therefore a very efficient mask for point-to-point links.

Remember that the old rule for not using all 0s or all 1s is based on the entire subnet, not on the octet boundary. However, it is also important to remember that there is no longer a problem with subnet zero, which current Cisco IOS allows by default. Figure 2-8 shows assigning IP VLSM subnets for WAN connections.

Figure 2-8. Assigning IP VLSM Subnets for WAN Connections


The following is an example of how the addressing might be broken down.

Between the buildings in California:


  • A 27-bit mask allows for 30 end-system addresses. This assumes that the buildings are connected via FDDI or Fast Ethernet.

  • The range of hosts is to

  • The broadcast address is

Between the buildings and the campuses in California:





The prefix mask of /30 provides two host addresses, which allows for point-to-point addresses using Frame Relay.

Between the campuses and the regions:




The prefix mask of /30 provides two host addresses, which allows for point-to-point addresses that might also be using Frame Relay.

Between the regions:




The prefix mask of /30 provides two host addresses, which allows for point-to-point addresses that might also be using Frame Relay or dedicated serial leased lines.


In the instance of a subnet being used to address WAN connections, it might not be possible to summarize these networks. To summarize subnets, the subnets contained in the summary address must be contiguous; otherwise, the router is confused as to where to send the data. In a WAN environment, the connections might not be within a confined area, but scattered throughout the network.

The rules and conditions for creating a valid and appropriate IP addressing scheme for the network are complicated. Among other things, the addressing scheme must allow for growth, to scale over time. What works today might not be flexible for next year's business requirements. You cannot build a network that will accommodate every change and addition to its environment. With careful design, however, it might be possible to anticipate some of these changes and to ensure a network with enough flexibility to survive the changes.


Having assigned IP addressing based on a hierarchical design, you can now consider the full weight of the advantages of VLSM in implementing summarization. The primary advantage is the reduction in network traffic and the size of the routing table.

Summarization allows the representation of a series of networks in a single summary address.

The reasons that the Internet implemented CIDR are equally pertinent in a single organization. VLSM and CIDR use the same principles, with VLSM being just an extension of CIDR at the organizational level.

At the top of the hierarchical design, the subnets in the routing table are more generalized. The subnet masks are shorter because they have aggregated the subnets lower in the network hierarchy. These summarized networks are often referred to as supernets , particularly when seen in the Internet aggregation of class addresses. They are also known as aggregated routes. Figure 2-9 shows the physical network design for the case study discussed earlier. Figure 2-10 shows the allocation of addresses using VLSM to support summarization for this network design.

Figure 2-9. The Application of Summarized Routes on a Hierarchically Designed Network


Figure 2-10. The Binary Calculation of the Hierarchical Addressing for the Organization


The Advantages of Summarization

The capability to summarize multiple subnets within a few subnets has the following advantages, as discussed in the next few sections:

  • Reduces the size of the routing table

  • Simplifies recalculation of the network

  • Hides network changes

  • Allows networks to grow

Reducing the Size of the Routing Table

In reducing the size of the routing table, the updates are smaller, demanding less bandwidth from the network. A smaller routing table also requires less memory in the router or CPU in the routing process itself because the lookup is quicker and more efficient.

The recalculation of the network is also simplified by maintaining small routing tables.

Hiding Network Changes

If the routing table contains a summary of the networks beneath it, any changes in the network at these levels are not seen. This is both a good thing and a bad thing. If the network in the earlier case study140.100.50.128/27, the subnet on the fourth floor of the second building in San Jose, Californiawere to go down, the router at the core would be oblivious to the LAN problem. This is beneficial because there are no additional updates or recalculation.

The disadvantage is that any traffic destined for that subnet is sent on the assumption that it exists. To be more accurate, the core router sees the inbound IP packet destined for and, instead of applying the /27 mask, uses the mask that it has configured. It employs the /19 mask that sees the subnet, although in reality the destination subnet is If the subnet is no longer available, all traffic is still forwarded until it reaches a router that sees the network as directly connected or to the first router that sees the network as unavailable. This would be a router using the /27 bit mask. An ICMP message that the network is unreachable is generated to the transmitting host. The host might stop transmitting after hearing that the network is down.

Although unnecessary traffic will traverse the network for a while, it is a minor inconvenience compared to the routing update demands on the network and the CPU utilization on the routers in large networks.

Other Solutions to Address Exhaustion

The efficient use of IP addressing, through prefix routing, CIDR, and VLSM, helps to alleviate address exhaustion experienced by the Internet; however, there are a few other methods that can be used. These are discussed in this section.

The use of the Cisco feature IP unnumbered is useful on the point-to-point serial lines because it saves the use of a subnet. IP unnumbered is a utility that allows point-to-point serial lines to have no IP address assigned. This is possible because the serial line is literally a pipe with two directly connected hosts. Each end of the serial line borrows an IP address from another interface on the Cisco router if an address is required: for example, when generating an IP packet and needing a source address for the packet header.

Cisco's use of secondary addressing is useful because it provides two subnets to a physical interface and, therefore, more available host bits. This does not save address space, but it is a solution for routing protocols that do not support VLSM. Some compatibility issues exist with some IP routing protocols; for example, not all routing protocols will see the second subnet.

Configuring Summarization

Summarization allows networks to grow because the network overhead can scale.

In the newer routing protocols, summarization must be manually configured; this manual configuration adds subtlety and strength. Each routing protocol deals with summarization in a slightly different way. How summarization works or is configured depends on the routing protocol used. This is discussed in Chapter 5, "IP Link-State Routing Principles."


Although Border Gateway Protocol (BGP) and Enhanced IGRP (EIGRP) perform automatic summarization, the summarization is done at the classful network boundary, using the first octet rule. This is the same as with older routing protocols, such as RIP.

Automatic Summarization

All routing protocols employ some level of summarization. The older protocols, such as RIP and IGRP, automatically summarize at the Internet address or natural class boundary. They have no choice because the subnet mask is not sent in the routing updates. When a routing update is received, the router looks to see whether it has an interface in the same classful network. If it has one, it applies the mask configured on the interface to the incoming routing update. With no interface configured in the same Internet address, there is insufficient information and the routing protocol uses the natural mask for the routing update. Automatic summarization uses the first octet rule.

Manual Summarization

EIGRP, IS-IS, RIPv2, and OSPF are more sophisticated. They send the subnet mask along with the routing update. This feature allows the use of VLSM and manual summarization. When the routing update is received, it assigns the mask to the particular subnet. When the routing process performs a lookup, it searches the entire database and acts on the longest match. Searching the routing table for the longest match is an important feature because it allows the following:

  • The granularity of the hierarchical design

  • Manual summarization

  • Discontiguous networks

Discontiguous Networks

A discontiguous network refers to a network in which a different classful network separates two instances of the same classful network. This can happen through either intentional design or a break in the network topology. If the network is not using a routing protocol that supports VLSM, this creates a problem, because the router does not know where to send the traffic. Without a subnet mask, it resolves the address down to the classful network, which appears as if there is a duplicate address. The same classful network appears twice, but in different locations. In most cases, the router will load balance between the two paths leading to the two instances of the one classful network address, the two discontiguous subnets. As with any multiple entry in a routing table, the router will load balance over the multiple paths if they are equal, resulting in only a portion of the traffic taking the correct path . The symptoms that the network will see are those of intermittent connectivity.

Figure 2-11 shows an instance of a discontiguous network.

Figure 2-11. Discontiguous Networks


Considerations for Summarization with Discontiguous Networks

Discontiguous networks are not a problem with VLSM, because the routing table does a lookup based on the longest match; therefore, the routing process will choose the network with the longest mask and no duplicate path is seen. However, if VLSM is used on networks that employ automatic summarization, problems of discontiguous networks could arise. Despite the fact that VLSM can distinguish between network and, automatic summarization would reduce these separate networks to If these networks are separated by another classful network, it would cause discontiguous network problems.

Manual summarization allows the administrator to create summarization with greater granularity and thus avoid such problems. Also, if a hierarchical design has been implemented, it is possible that discontiguous networks will not arise when summarization is used, as would be a smaller branch off the main branch of

If there are discontiguous networks in the organization, it is important that summarization is turned off or not configured. Summarization might not provide enough information to the routing table on the other side of the intervening classful network to be capable of appropriately routing to the destination subnets. This is especially true of EIGRP, which automatically summarizes at the classful network boundary, which would be disastrous in this situation.

In OSPF and EIGRP, manual configuration is required for any sophistication in the network design. It is not always possible to achieve summarization because it depends entirely on the addressing scheme that has been deployed. However, because EIGRP can perform summarization at the interface level, it is possible to select interfaces that do not feed discontiguous networks for summarization. This capability to summarize selectively is very powerful.

The key to whether summarization is configurable is determined by whether there are common high-order bits in the addresses.

As demonstrated in the case study "Addressing the Network" earlier in this chapter, the design has created common high-order bits to facilitate summarization. The addressing scheme for the case study, shown in Figure 2-7, shows that every campus within a region will share the same high-order bits (those to the left). In California, every campus, building, floor, and host will share the bits 001, whereas within the California campus of San Jose, every building shares the high-order bits of 001 10. Therefore, it is very simple to configure summarization.

This is not necessarily the case if the addressing structure is already in place. Some analysis of the addressing scheme is required to decide whether summarization can be configured.

If summarization is deemed impossible, you have the following two options:

  • Don't summarize, but understand the scaling limitations that have now been set on the network.

  • Readdress the network. This task is not to be underestimated, although the advantages may well make it worthwhile.

CCNP BSCI Exam Certification Guide
CCNP BSCI Exam Certification Guide (CCNP Self-Study, 642-801) (3rd Edition)
ISBN: 1587200856
EAN: 2147483647
Year: 2002
Pages: 194
Authors: Clare Gough © 2008-2017.
If you may any questions please contact us: