Explain me ,PLEASE!

[Alon Brodski]

Hello world!

I wonder if someone could explain to me in simple English what subnet mask
is and how to apply it to IP address.
Second thing is...Is there an advantage of using L2TP (no IPSec) vs. PPTP?

 

[Philip Herlihy]

At one level, subnet mask is easy to grasp. Compare it with a phone number,
eg:
+44 1234 5678

The structure is (to some extent) hierarchical, so that all +44 ... ...
numbers are in the UK, for example, and all +44 1234 .... numbers may be in
one city in the UK.

Similarly, a subnet mask is a way of defining a "subnet" by indicating which
part of an IP address must be common to all nodes on a subnet. A "subnet"
is just a logical grouping of addresses for the purpose of routing traffic,
or maybe blocking it - a firewall can use a subnet mask to define a group of
addresses to be blocked or allowed.

For example, if an IP address is:
123.321.456.654
and the relevant subnet mask is:
255.255.255.0
then that defines a group of addresses which all start:
123.321.456....
where this mask is the *only* rule which defines the subnet. An example in
words: "Our computers are organised so that all computers in the Ethernet
in the new building have IP addresses which begin 123.321.456... and the
router in the old building uses a subnet mask of 255.255.255.0 to recognise
which traffic should be routed over the connection between the two
buildings.

That's at the simple level. In fact, the "four-groups-of-three-digits" is a
shorthand way of representing a very long binary number, and the "mask" part
refers to a "bitwise" comparison operation which I won't try to explain
here. A subnet mask can be any "pattern" in that 4x3 format, eg:
212.444.919.001

A "subnet mask" is really just a bit pattern which is used to match IP
addresses - if there's a match, then it's part of the subnet defined by the
"mask".

I don't have a clue what the answer is to the second part of your
question... (I'm not young enough to know everything).

 

[Alon Brodski]

Hey!

Thanks for your help!
Ok,let's take a real life example...If IP address is :172.22.33.79 and
subnet mask is:255.255.224.0
If I understand it correctly that means....That all the PC's that connected
to this particular LAN MUST have IP address that starts as 172.22.,because
we have twice 255's that sorta "block" the IP address range in same places
of original IP address.The last part of IP addresses can be anything from 0
to 255,right? because of 0 in subnet mask at the end of it.The 33/224 part
(2nd from the right) is still unclear to me.
So if I understand it right...LANs with 255.0.0.0 subnet mask would have
enormous number of workstations and those that have 255.255.255.0 would only
have up to 255 PC's on it,correct?

 

[Philip Herlihy]

Responses inline, flagged with "###"

--
####################
## PH, London
####################

...If IP address is :172.22.33.79 and
subnet mask is:255.255.224.0
If I understand it correctly that means....That all the PC's that connected
to this particular LAN MUST have IP address that starts as 172.22.,because
we have twice 255's that sorta "block" the IP address range in same places
of original IP address.

### Yes.

The last part of IP addresses can be anything from 0

to 255,right? because of 0 in subnet mask at the end of it

### Yes

The 33/224 part

(2nd from the right) is still unclear to me.

### Yes, this is much harder to grasp!
### I'm going to pull this bit out as a separate reply, so watch this
space.

So if I understand it right...LANs with 255.0.0.0 subnet mask would have
enormous number of workstations and those that have 255.255.255.0 would only
have up to 255 PC's on it,correct?

### Almost! You forgot the value 0 which makes it up to 256.


PH.

 

[Philip Herlihy]

This is the hardest bit to grasp - took me ages. It's helpful to think in
terms of binary numbers. An IP address is usually written as "dotted
decimal" but the "mask" operation only really works when you "translate" to
binary. IP addresses are (currently) always four groups of three digits, but
let's illustrate it with a very short IP address of only one group of three
decimal digits, say: 123.

Just as "Eight" would be written in binary as 1000, so,
"Two hundred and fifty-five" would be written as 11111111, and
"One hundred and twenty-three" would be written in binary as 01111011
Tip - you can use the XP calculator in "Scientific" view and toggle between
dec and bin views. Be sure to add missing leading 0's - there should always
be 8 binary digits.

So let's say you have an IP address in decimal of 123. If you have a subnet
mask of 254, the binary version of that is 11111110. The bitwise masking
operation defines all the numbers which "match" - think of the 1's as holes
and the 0's as blocked. Where there are holes, you can see the number
underneath.

01111011 = 123 (base address)
11111110 = 254 (subnet mask)
-----------
yyyyyyyn Digits showing through the "holes" are significant.
Those not visible are "wildcards".

This gives you:
0111101* These are the leading digits of any address in the subnet we've
defined..
Remember you're dealing with 8 bit numbers. There are two 8-bit numbers
which start with
0111101*, and those are:
01111011 = 123
01111010 = 122

Job done.

Now if you use a shorter subnet mask of (say) 6 leading 1's instead of 7, so
the mask is
252 = 11111100

you get
01111011 = 123 (base address)
11111100 = 252 (new subnet mask)
-----------
yyyyyynn (digits showing through the "holes") Think of the 1's in the mask
as meaning "use the corresponding digit from the base address", and the 0's
in the mask as meaning "either 0 or 1",

and there are four 8-bit numbers which start with the same 6 digits as our
base address of 123
011110**
These are:
01111000 = 120
01111001 = 121
01111010 = 122
01111011 = 123

Now if you scale this back up to the real world so there are four groups of
three decimal digits, each representing an 8-bit binary number, the same
process applies. Note that subnet masks are often "contiguous", meaning
that they could be described as "the first x binary digits" but they don't
have to be - they can be any binary pattern (much harder to grasp without
thinking in binary.

As a final exercise, check my rusty binary arithmetic:
Your address of 172.022.033.079 corresponds to the binary number:
11111111111111110010000101001111
Your subnet mask of 255.255.224.000 corresponds to the binary number:
11111111111111111110000000000000

Now "mask" one with the other to get:
11111111111111110010000101001111
11111111111111111110000000000000, so all addresses in the subnet must begin:
1111111111111111001*************

(This should all line up in a fixed-width font like Courier)

There are 8192 addresses (which is 2 to the power 13 - count the stars!)
addresses in any subnet defined by the mask 255.255.224.000. The Base
Address defines which 8192 addresses they are.

Now don't you wish you'd never asked?

 

[Philip Herlihy]

Clarification:

The Base Address does determine which addresses they are, but so does the
subnet mask. There could be different subnet masks, each defining the same
number of subnet addresses, but identifying quite different actual
addresses.

 

[Philip Herlihy]

For each 3-digit group, from the right,
I entered that number into Windows calculator (Scientific view) in "dec"
format
Then switched format to "bin"
Then copied the resulting binary to Notepad
- remembering to add missing leading zeroes
- appending to the left-hand side of anything already there

Of course I could have simply multiplied each "number" by the appropriate
power of 2, and then added them, but that was too easy...

aaa.bbb.ccc.ddd = aaa + (bbb * 2^8) + (ccc * 2^16) + (ddd * 2^24)

 

[Philip Herlihy]

Whoops! Rusty is the word. The digit group on the left is the most
significant, not the least.

Should be:

aaa.bbb.ccc.ddd = ddd+ (ccc * 2^8) + (bbb * 2^16) + (aaa * 2^24)

Woke up this morning with this mistake on my mind for some accountable
reason. Suspect I may not be getting out enough...