Eric Stewart: Running Off At The Mouth

The Network As A Symptom: Subnets

by Eric Stewart on Apr.21, 2016, under Networking, Technology

Related to my previous post about “The Network As A Symptom”, during my time on call, I got another request that stated: “I need a port opened between 10.0.0.24 and 10.0.0.56. I know they’re on the same subnet, but I’m getting timeouts when trying to connect between them.”

The thing is, they weren’t on the same subnet.

What Is A Subnet?

I’m sure Wikipedia has a lot to say about this.  And I’m not going to bother looking it up and linking it for you.

My off-the-top-of-my-head definition?  “A subset of IP addresses, within which connectivity to known addresses does not require a router.”  In other words, if you know the IP address of another system on the subnet, you don’t need a Layer 3 path to get to it.  It’s Layer 2 adjacent.  Of course, those are the kind of networking terms I’d prefer to avoid, so let’s see if I can come up with something else … how about “Systems behind the same gateway IP”?

IP Configuration Of A System

Without going into the gritty details of how to configure a networked device, you usually need three pieces of information if you’re statically configuring the IP of something:

  • The IP address that the system will use
  • The network mask of the subnet
  • The gateway IP

The IP address of the system is fairly self-explanatory (I hope).  The “gateway IP” is the address (usually the last available one on the subnet, but sometimes the first) that the system should contact when attempting to connect to another device/system not on the same subnet.  The “network mask” essentially defines what addresses make up the subnet.

Explaining “Subnet Mask” Without Showing All Of The Binary Math Is Hard

But I’ll give it a go.  A “mask” in computer terms is something that a value is compared with (using an AND operation, where 0 & 1 is 0, 1 & 1 is 1) to determine how two addresses might relate.  It’s why when you take 10.0.0.20 and a mask of 255.255.255.0 (or 10.0.0.20/24), we define the network as 10.0.0.0/24 – the last octet is the only thing that changes on that particular subnet.

So, in our original case, if the mask is 255.255.255.0, 10.0.0.20 and 10.0.0.56 would both be on the same network.  However, in the real world example this is based off of, we had a very limited address space, and wanted to be able to isolate systems from each other for security reasons.  So …

If the mask is something else … say, 255.255.255.224, this causes the network definition for 10.0.0.20 in CIDR notation to be 10.0.0.0/27 (the number after the slash in CIDR notation is just the count of “1”s in the subnet mask expressed in binary), and the usable IPs to be 10.0.0.1 – 30 (those of you with enough knowledge of binary might see two addresses missing – be aware that the first and last “IP” are used for the network definition and broadcast address, respectively).  For any IP address outside that range, 10.0.0.20 would attempt to use its configured gateway IP.  That includes the system at 10.0.0.56, which is on another subnet defined as 10.0.0.32/27, which covers IPs 10.0.0.33 – 62.

It Seems To Get Harder To Figure Out When You’re Talking Smaller Than A /24

And I say that as a network engineer who does this kind of thing for a living.  So unless the IPs of the devices are directly adjacent, or you’re fully cognizant of the subnet mask, you can’t always say that two systems with similar IPs are on the same subnet.

Oh, and to avoid the confusion you might be feeling right now: the bigger the mask, the smaller the subnet (since the bigger the mask, the fewer IPs are available to the subnet for use).  So that’s what we mean when we say “smaller than a /24”: a “/25” is roughly half the size, a “/26” would be roughly half that, etc.

How Do You Tell?

Given access to the network configurations of two systems, if they have different gateways, then they are (almost certainly) on different subnets.  In this example, if the gateway uses the “standard” of being the last usable address in the subnet, the gateway of 10.0.0.20 would be 10.0.0.30, and the gateway of 10.0.0.56 should be 10.0.0.62.  If ICMP isn’t being blocked (and unfortunately in many security-conscious situations, it is), a “tracert” or “traceroute” (depending on the OS involved) would go direct from one IP to the other if the two IPs were on the same subnet (if I had to guess without doing one as a test, showing only one hop).  If they were on different subnets, at the very least there would be two hops: the first being the gateway, and the second being the destination.
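The mask arithmetic and the same-subnet check described above, worked through for the post's addresses as an added example (not code from the original post). The function names are illustrative, the gateway is assumed to follow the "last usable address" convention mentioned above, and masks are assumed to be /30 or shorter.

```python
import ipaddress

def to_int(dotted):
    """Pack a dotted-quad string into a 32-bit integer."""
    a, b, c, d = (int(part) for part in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_dotted(value):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def describe(ip, mask):
    """Derive the subnet a host believes it is on from its IP and mask (/30 or shorter)."""
    m = to_int(mask)
    network = to_int(ip) & m                   # the AND operation from the post
    broadcast = network | (~m & 0xFFFFFFFF)    # same prefix, every host bit set to 1
    return {
        "cidr": f"{to_dotted(network)}/{bin(m).count('1')}",  # prefix = count of 1 bits
        "first_usable": to_dotted(network + 1),
        "last_usable": to_dotted(broadcast - 1),  # assumed gateway convention
        "broadcast": to_dotted(broadcast),
    }

def same_subnet(a, b, mask):
    """Two addresses share a subnet when ANDing each with the mask gives the same network."""
    m = to_int(mask)
    return to_int(a) & m == to_int(b) & m

def next_hop(src, dst, mask, gateway):
    """Where src hands the packet: dst itself if on the same subnet, otherwise the gateway."""
    return dst if same_subnet(src, dst, mask) else gateway

def matches_stdlib(ip, mask):
    """Cross-check the hand-rolled math against Python's ipaddress module."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    hosts = list(net.hosts())
    d = describe(ip, mask)
    return (str(net), str(hosts[0]), str(hosts[-1])) == (
        d["cidr"], d["first_usable"], d["last_usable"])

if __name__ == "__main__":
    # Same two addresses, two different masks: the answer changes with the mask.
    for mask in ("255.255.255.0", "255.255.255.224"):
        info = describe("10.0.0.20", mask)
        hop = next_hop("10.0.0.20", "10.0.0.56", mask, info["last_usable"])
        print(mask, info["cidr"], "next hop for 10.0.0.56:", hop)
```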

You Can Be Forgiven For Getting It Mixed Up

As I said in the earlier post, these are written mainly for the IT person who isn’t a network engineer.  We don’t usually go out of our way to make things difficult or make the cases different enough to trip you up.  In $JOB’s situation, the real world case involved our remote/tertiary data center, which is housed in another state, using someone else’s address space (a portion of which they were nice enough to allow us to use).  It was, essentially, a /24 that we chopped up into smaller subnets in order to provide the separation desired.

If you find yourself in a similar situation in your environment, I would hope that the network engineers refrain from being too short with you.  At least the first couple of times they remind you.
