What does it *really* mean to have a number of computers at your site "on a subnet", wrt another group of computers "on a different subnet"?

I know that your router to the Internet doesn't forward 10.x/172.16.x/192.168.x packets to the outside world... what does it care what your NIC's subnet setting is?

Suppose you have one router, one switch and LAN behind it, and 20 computers on that LAN. Does grouping them into 2 subnets simply mean going to 10 of those computers and setting their subnet mask to one value, then going to the other 10 and setting it to another value? Or does it involve some setting on the router?

Why would it be useful to have multiple subnets on your network? I don't think it buys you any more IP addresses... Is it simply a way to cut down on overall network traffic (i.e. the packets from one group of users don't have to go out over the whole network if most of the time they're only going to someone else in their group/office/subnet)?

Thanks.

it often makes it more easy for the admin (read= more detailed control). e.g. one can block certain netblocks for accessing parts on the network, or route certain netblock traffic though other paths etc etc. and yes, you can create more hosts on a block with smart subnetting techniques! (although this is officially called supernetting).
Maybe you should read some stuff about subnetting and tcp in general. It will give you even more understanding about the advantages of using subnets. (and how to create/calculate them).

> Maybe you should read some stuff about subnetting and tcp in general.

Thanks. Yeah, I have been. Actually, just now I was looking at Frisch's "Essential System Administration". So far, all the resources I read simply refer to subnetting as a way to divvy up your network into "subnets", and then they go on to describe how you'd set your NIC's subnet using ifconfig.

I'm looking for the big picture though.

Ok, I found this:
http://www.tcpipguide.com/free/t_IPS...ngConcepts.htm
which was somewhat helpful.

Also, I think I'm understanding it more. The connection I was missing was the routing table. Setting up a subnet seems to entail not only configuring your NIC's IP addy and netmask, but also entails adding routes to routing tables (or having DHCP do this I presume). Further, routing tables work the same for individual hosts as they do for routers -- they're generic.

Think of it this way: all of the computers on the same "subnet" can communicate directly with one another. To talk to other subnets, they must send their traffic through a gateway of some sort.

sundial, so, if you've got two subnets on the same LAN, and you send a packet from one node on one subnet to a node on the other subnet, you're saying that the packet has to bounce off the gateway? I'd think you could just set your routing table to "deliver directly" any packets destined for that subnet...

The rules are these -

If a host wants to send a packet to an IP detination host within its own subnet then it is allowed to arp for the L2 address and then generate and send a frame directly to the destination.

If a host wants to send a packet to a host that is outside of its own subnet then it MUST send that packet via a gateway or router. (In IP terminology the two are the same thing) i.e its arps for the default gateway and the frame is sent with a destination MAC address of the default gateway.

There are no exceptions to this rule.

The host can send to other gateways if it has explicite routing information for the destination, either configured, redirected or learned by routing protocol, otherwise the host will send the packet to its default gateway, hence the name.

Thanks baldy.

2 simple things had me quite confused:

1. I didn't realize that routers besides the ones that
connect your systems directly to the 'Net forward rfc1918
addresses, and

2. I was thinking in terms of using a subnet on one LAN --
on one single wire with a large number of nodes on that
wire (whether connected via hubs or switches). I think
I see now that it doesn't make sense to have more than
one subnet on a single wire (dunno a better word to use
than "wire" here).

I'm still a little confused, but it's getting better.
Is the usual set-up of networks and subnets like this? :
Hm. Now I'm trying to see the difference between when the group with H3 is on its own subnet or not...

Umm, H3 is connected via a router it is on a different subnet by definition.
If H3 was on the same subnet as H1 and H2 then the box labelled R2 would be bridging.

If you try to configure the same subnet on two interfaces one of two things will happen. Either R2 will tell you you're not allowed e.g. Cisco IOS. Or will accept the config BUT when the router configured connected routes for the interfaces in its route table it will end up picking one interface as the local exit for the subnet. All packets hitting the router will be routed out of the same interface which is not what you want.

Normally one VLAN equals one subnet. You can have more than one subnet on a VLAN if you put secondary addresses on the router interface, but normally theres no point, things are tidier without. You need to remember though that even if a single VLAN has two sunbets on it the packets between subnet A and B MUST still go via the router even though the subnets share the same "wire".

You can have one subnet on two VLANS but only by bridging between them at which point you've just completely destroyed the point of having two VLANS.

All routers can forward the RFC1918 reserved ranges its just that by common consent these ranges are "reserved" from use on the internet. i.e you can pump packets into the internet towards 192.168.1.1 and they will simply follow the defaut route until they hit a router thats been properly configure to filter them out or the default route disappears. You would never get a response as the network doesn't exist as far as the internet is concerned.

Historically we would have used "wire" to refer to an ethernet segment, back in the days where multiple hosts shared one transmission medium or "collision domain". I guess VLAN is now synonymous with "broadcsat domain", so where a network of switches doesn't use VLANs, i.e is a "flat" network, has no hierarchical structure and all ports are in the same broadcast domain we still refer to it as a "single VLAN".


Good diagam btw

Thanks much for the reply baldy. Sorry it's taken me so long to get back to this thread.

> Umm, H3 is connected via a router it is on a different subnet by definition.
> If H3 was on the same subnet as H1 and H2 then the box labelled R2 would be
> bridging.

Yes. I see that now: Routers separate networks.

> Normally one VLAN equals one subnet.

Check.

Thanks again for the great reply, including clarifying the terms "on the same wire", "VLAN", and "on the same broadcast domain". That helped me a lot also.

I'll get some of this onto the LQ wiki ASAP so you don't have to go through all this again with the next fellow.

Even on the same LAN segment, if 2 systems reside in two different IP subnetworks, they cannot address one another by MAC address. Two systems in the same subnetwork can address one another by MAC address only. The two that reside in different subnetworks must forward the packet to the nearest router and be routed to the second subnetwork, even though it is on the same LAN. So, the router deduces, you came from ethernet port 5, network 1.1.1.0, and you are destined for network 1.1.2.0. OK, network 1.1.2.0 resides off my ethernet port 5. I will send the packet to that port. Ethernet port 5 sees that the host address is 1.1.2.5, looks up the arp cache for host address 1.1.2.5, and applies the destination MAC address. The routing is now complete, and the ethernet port 5 sends the packet back out on the LAN.

Thanks. Updated this a bit:
http://wiki.linuxquestions.org/wiki/Subnet

It is more oriented to explain addressing rather than routing. I would be happy to write a routing/network/subnetwork/subnet masking tutorial if we have a place for things like that on this site. I am a new member here and really do not know my way around yet.

Feel free to edit the LQ wiki at-will. That's what it's there for.

Regarding that addressing stuff on the Subnet page, I only re-did the text before the "Determining the network address" subsection.

Currently, it seems to me that the networking section at the LQ wiki is somewhat jumbled and could use some refactoring...

Just be careful not to scuff the beautiful gems I leave there on occasion.

Subnetting helps in accomplishing the following things:

1) Cuts down on unnecessary network traffic thus improving bandwidth available.
2) Is a good way of isolating a group of computers from another group in the same lan. For example, the computers in the accounting department which contains salary records should not be accessible to the guys in say, the marketing department . Thus introducing another security layer.

You can easily subnet using switch (cisco, juniper etc) which is hardware based.

Another way to subnet is using a linux machine acting as the gateway which may contain one or more ethernet cards. If the gateway has only one ethernet card, then you have to associate multiple IP addresses to the single ethernet card (which is easy in linux).