IPv4子网划分如何工作?

这是关于IPv4子网的典型问题 。

有关:

  • IPv6子网划分如何工作,它与IPv4子网划分有什么不同?

子网划分是如何工作的?你如何通过手工或头脑来做到这一点? 有人可以解释概念和几个例子? 服务器故障获得了大量的子网function问题,所以我们可以使用一个答案将它们指向服务器故障本身。

  • 如果我有一个networking,我怎么知道如何分割?
  • 如果给我一个networking掩码,我怎么知道networking范围是什么?
  • 有时会出现一个斜杠,然后是一个数字,这个数字是多less?
  • 有时候有一个子网掩码,但也是一个通配符掩码,他们看起来像是一样的东西,但他们是不同的?
  • 有人提到了一些关于认识二进制的东西吗?

存在IP子网允许路由器为数据包select合适的目的地。 您可以使用IP子网为了逻辑原因(防火墙等)或物理需求(较小的广播域等)而拆分较大的networking。

简而言之,IP路由器使用您的IP子网来做出路由决策。 了解这些决策如何工作,并且您可以了解如何规划IP子网。

数到1

如果您已经熟练使用二进制(基数2)表示法,则可以跳过本节。

对于那些离开你的人:因为你不能stream利地使用二进制符号而感到羞耻!

是的 – 这可能有点苛刻。 学习用二进制来计算真的很容易,并学习将二进制转换成十进制和后面的快捷方式。 你真的应该知道如何去做。

用二进制计数非常简单,因为你只需要知道如何计数到1!

想象一下汽车的“里程表”,不同于传统的里程表,每个数字只能从0开始计数到1。当汽车新出厂时,里程表读数为“00000000”。

当你驾驶你的第一英里时,里程表读数为“00000001”。 到现在为止还挺好。

当你驾驶第二英里时,里程表的第一位数字回滚到“0”(因为它的最大值是“1”),里程表的第二位翻到“1”,使里程表读数为“ 00000010" 。 这看起来像10号十进制符号,但它实际上是二进制符号2(你驾驶汽车到目前为止的里程数)。

当你驾驶第三英里时,里程表读数为“00000011”,因为里程表的第一位数字再次变成了。 二进制表示中的数字“11”与十进制数字3相同。

最后,当你驾驶你的第四英里时,两位数字(在第三英里末尾读数为“1”)回滚到零位,第三位数字上升到“1”位置,给我们“ 00000100" 。 这是十进制数字4的二进制表示。

如果你愿意的话,你可以记住所有这些,但是你真的只需要了解小的里程表是如何 “越过”的,因为它的数字越来越大。 除了在虚构的“二进制里程表”上每个数字只能是“0”或“1”之外,它和传统的十进制里程表的操作完全一样。

要将十进制数字转换为二进制数字,您可以将里程表向前滚动,通过打勾进行打勾,大声计数,直到您将其滚动到等于要转换为二进制数的十进制数的次数。 无论在里程表上显示什么,所有的couting和rolling都将是你计算的十进制数的二进制表示。

既然你明白里程表如何前进,你也会明白它是如何倒退的。 要将里程表上显示的二进制数字转换回十进制数字,您可以一次将里程表滚回一次,直到里程表读数为“00000000”。 当所有的计数和滚动完成后,你最后一个大声朗读的数字就是里程表开始的二进制数字的十进制表示。

以这种方式在二进制和十进制之间转换值将是非常繁琐的。 你可以做到,但效率不高。 学习一点点algorithm就能更快地完成任务。

快速放在一边:二进制数字中的每个数字都被称为“位”。 从“二进制”到“数字”是“b”。 有一点是二进制数字。

将一个二进制数(比如说“1101011”)转换为十进制数是一个简单的过程,只需要一个简单的algorithm。

首先计算二进制数中的位数。 在这种情况下,有7个在一张纸上(在你的头脑中,在一个文本文件等),并开始填充他们从右到左。 在最右边的位置,input数字“1”,因为我们总是以“1”开头。 在左边的下一个插槽中,将右侧插槽中的值加倍(所以,下一个插槽中的“2”,下一个插槽中的“4”)并继续,直到所有插槽都已满。 (你最终会记住这些数字,这是2的能力,因为你越来越多了,我可以达到131,072,但我通常需要一个计算器或纸张)。

所以,你的小纸条上应该有你的纸条。

64 | 32 | 16 | 8 | 4 | 2 | 1 | 

从插槽下方的二进制数字中转录位,如下所示:

  64 | 32 | 16 | 8 | 4 | 2 | 1 | 1 1 0 1 0 1 1 

现在,添加一些符号并计算问题的答案:

  64 | 32 | 16 | 8 | 4 | 2 | 1 | x 1 x 1 x 0 x 1 x 0 x 1 x 1 --- --- --- --- --- --- --- + + + + + + = 

做所有的math,你应该拿出:

  64 | 32 | 16 | 8 | 4 | 2 | 1 | x 1 x 1 x 0 x 1 x 0 x 1 x 1 --- --- --- --- --- --- --- 64 + 32 + 0 + 8 + 0 + 2 + 1 = 107 

就是这样 十进制中的“1101011”是107.这只是简单的步骤和简单的math。

将十进制转换为二进制就简单,并且是相同的基本algorithm,反向运行。

假设我们要把数字218转换成二进制。 从一张纸的右边开始,写下数字“1”。 在左边,将该值加倍(如此“2”),并继续向纸张的左侧移动,加倍最后的值。 如果您要写入的号码大于正在转换的号码,请停止写入。 否则,继续将前面的数字和文字加倍。 (使用这个algorithm将一个大数字(如34,157,216,092)转换为二进制数可能有点乏味,但这当然是可以的。)

所以,你应该在你的文件上:

  128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | 

你停止在128位写数字,因为128的倍数,这会给你256,会比正在转换的数字大(218)。

从最左边的数字开始,写上面的“218”(128),问自己:“218大于还是等于128? 如果答案是肯定的,则在“128”下划一个“1”。 在“64”以上,写出218减128(90)的结果。

看“64”,问问自己:“90以上还是64以上? 所以你在“64”下面写一个“1”,然后从90中减去64,写在“32”(26)上面。

当你到达“32”时,你会发现32不大于或等于26.在这种情况下,在“32”下面写一个“0”,把数字(26)从32“上面复制到” 16“,然后继续问自己同样的问题与其余的数字。

当你完成了,你应该有:

  218 90 26 26 10 2 2 0 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | 1 1 0 1 1 0 1 0 

顶部的数字只是用于计算的笔记,对我们来说并不重要。 不过,在底部,你会看到一个二进制数字“11011010”。 果然,218,转换为二进制,是“11011010”。

遵循这些非常简单的程序,您可以将二进制转换为十进制,然后再使用计算器。 math是非常简单的,规则只需要一点练习就能记住。

分割地址

想像比萨饼交付IP路由。

当你被要求向“123 Main Street”送一份披萨时,作为一个人,你很清楚你要到名为“Main Street”的街道上的编号为“123”的build筑物。 很容易知道你需要去100街的大街,因为build筑物的数量在100到199之间,大多数城市街区都有数百个。 你只是“知道”如何分割地址。

路由器提供数据包,而不是披萨。 他们的工作和比萨司机一样:把货物(包裹)尽可能地靠近目的地。 路由器连接到两个或更多IP子网(完全有用)。 路由器必须检查数据包的目标IP地址,并将这些目标地址分成“街道名称”和“build筑物号码”组件,就像披萨司机一样,做出交付决定。

IPnetworking上的每台计算机(或“主机”)都configuration有唯一的IP地址和子网掩码。 该IP地址可以被划分为被称为“主机ID”和“街道名称”组件(在上述示例中为“主要街道”)的“build筑物编号”组件(在上面的示例中为“123”), “networkingID”。 对于我们的人眼来说,很容易看到build筑物号码和街道名称在“123 Main Street”,但很难看到“10.13.216.41中子网掩码为255.255.192.0”的分区。

IP路由器“只是知道”如何将IP地址拆分成这些组成部分来做出路由决策。 由于了解IP数据包如何路由取决于理解这个过程,我们也需要知道如何分解IP地址。 幸运的是,从IP地址和子网掩码中提取主机ID和networkingID实际上非常简单。

首先写出二进制的IP地址(如果你还没有学会这么做的话,可以使用计算器,但要记住学习如何去做 – 这真的很容易,并且让异性留下深刻的印象派对):

  10. 13. 216. 41 00001010.00001101.11011000.00101001 

用二进制写出子网掩码:

  255. 255. 192. 0 11111111.11111111.11000000.00000000 

书面并排,你可以看到,在“1”停止“排队”到IP地址点的子网掩码中的点。 这是networkingID和主机ID分裂的一点。 所以,在这种情况下:

  10. 13. 216. 41 00001010.00001101.11011000.00101001 - IP address 11111111.11111111.11000000.00000000 - subnet mask 00001010.00001101.11000000.00000000 - Portion of IP address covered by 1's in subnet mask, remaining bits set to 0 00000000.00000000.00011000.00101001 - Portion of IP address covered by 0's in subnet mask, remaining bits set to 0 

路由器使用子网掩码在IP地址中“掩盖”1所覆盖的位(用0代替未被“掩蔽”的位)以提取networkingID:

  10. 13. 192. 0 00001010.00001101.11000000.00000000 - Network ID 

同样,通过使用子网掩码来“掩盖”IP地址中由0覆盖的位(再次用0代替未被“掩蔽”的位),路由器可以提取主机ID:

  0. 0. 24. 41 00000000.00000000.00011000.00101001 - Portion of IP address covered by 0's in subnet mask, remaining bits set to 0 

在比萨交付过程中,人的眼睛不容易看到networkingID和主机ID之间的“中断”,因为它在物理地址中的“build筑物号”和“街道名”之间,但最终的效果是相同。

既然您可以将IP地址和子网掩码分割成主机ID和networkingID,则您可以像路由器那样路由IP。

更多的术语

(IP /编号),您将看到遍及互联网和本答案其余部分的子网掩码。 这种符号被称为“无类别域间路由”(CIDR)符号。 “255.255.255.0”由开头的24位1组成,写成“/ 24”比“255.255.255.0”快。 要将一个CIDR号码(比如“/ 16”)转换成一个点分十进制的子网掩码,只需写出1的数字,将其分成8位组,并将其转换为十进制数。 (例如,“/ 16”是“255.255.0.0”。)

回到“过去的日子”,子网掩码没有被指定,而是通过查看IP地址的某些位得出的。 例如,以0 – 127开头的IP地址的隐含子网掩码为255.0.0.0(称为“A类”IP地址)。

这些隐含的子网掩码今天不被使用,我不build议再去了解它们,除非你不幸地处理了不支持无类别IP寻址的旧设备或旧协议(如RIPv1)。 我不会进一步提及这些地址的“类别”,因为它今天不适用,而且会令人困惑。

一些设备使用称为“通配符掩码”的符号。 “通配符掩码”只不过是一个全为0的子网掩码,其中1将是1,而1将是0。 / 26的“通配符掩码”是:

  11111111.11111111.11111111.11000000 - /26 subnet mask 00000000.00000000.00000000.00111111 - /26 "wildcard mask" 

通常,您会看到用于匹配访问控制列表或防火墙规则中的主机ID的“通配符掩码”。 我们不会在这里进一步讨论。

路由器如何工作

正如我之前所说,IP路由器有一个类似的工作比萨交付司机,他们需要得到他们的货物(包)到目的地。 当出现一个绑定地址为192.168.10.2的数据包时,IP路由器需要确定哪个networking接口最好将该数据包接近目的地。

假设你是一个IP路由器,并且你有连接到你的接口编号为:

  • Ethernet0 – 192.168.20.1,子网掩码/ 24
  • 以太网1 – 192.168.10.1,子网掩码/ 24

如果您收到一个目的地址为“192.168.10.2”的数据包,那么可以很容易的告诉人们,数据包应该从接口Ethernet1发出,因为Ethernet1接口地址对应于数据包的目的地地址。 所有连接到Ethernet1接口的计算机将具有以“192.168.10”开头的IP地址,因为分配给您的接口Ethernet1的IP地址的networkingID是“192.168.10.0”。

对于路由器来说,这个路由select过程是通过build立一个路由表并在每次发送一个数据包时查阅表来完成的。 路由表包含networkingID和目标接口名称。 您已经知道如何从IP地址和子网掩码获取networkingID,因此您正在构build路由表。 这是我们的这个路由器的路由表:

  • networkingID:192.168.20.0(11000000.10101000.00010100.00000000) – 24位子网掩码 – 接口Ethernet0
  • networkingID:192.168.10.0(11000000.10101000.00001010.00000000) – 24位子网掩码 – 接口Ethernet1

对于绑定为“192.168.10.2”的传入数据包,我们只需要将该数据包的地址转换为二进制数(作为人类 – 路由器将其从二进制开始),并尝试将其与我们路由中的每个地址进行匹配表(直到子网掩码中的位数),直到我们匹配一个条目。

  • 传入数据包目的地:11000000.10101000.00001010.00000010

比较我们的路由表中的条目:

 11000000.10101000.00001010.00000010 - Destination address for packet 11000000.10101000.00010100.00000000 - Interface Ethernet0 !!!!!!!!.!!!!!!!!.!!!????!.xxxxxxxx - ! indicates matched digits, ? indicates no match, x indicates not checked (beyond subnet mask) 11000000.10101000.00001010.00000010 - Destination address for packet 11000000.10101000.00001010.00000000 - Interface Ethernet1, 24 bit subnet mask !!!!!!!!.!!!!!!!!.!!!!!!!!.xxxxxxxx - ! indicates matched digits, ? indicates no match, x indicates not checked (beyond subnet mask) 

以太网0的条目匹配前19位,但是然后停止匹配。 这意味着它不是正确的目的地界面。 您可以看到接口Ethernet1匹配目标地址的24位。 啊,哈! 该数据包绑定到接口Ethernet1。

在现实生活中的路由器中,路由表以这样一种方式sorting,即检查最长的子网掩码是否首先匹配(即最具体的路由),并且在数字上是这样的:一旦发现匹配,就可以路由分组并且不需要进一步的匹配尝试(这意味着192.168.10.0将被首先列出并且192.168.20.0将不会被检查)。 在这里,我们正在简化一下。 花哨的数据结构和algorithm使IP路由器更快,但是简单的algorithm会产生相同的结果。

静态路由

到目前为止,我们已经谈到了我们假设的路由器有直接连接到它的networking。 显然,这并不是世界真正有效的方式。 在比萨驾驶比喻,有时司机是不允许比前台进一步进入大楼,必须把比萨饼交给其他人送到最后收件人(暂停你的怀疑和忍耐,同时我拉伸我的比喻,请)。

我们先从前面的例子“路由器A”调用我们的路由器。 你已经知道RouterA的路由表了:

  • networkingID:192.168.20.0(11000000.10101000.00010100.00000000) – 子网掩码/ 24 – 接口RouterA-Ethernet0
  • networkingID:192.168.10.0(11000000.10101000.00001010.00000000) – 子网掩码/ 24 – 接口RouterA-Ethernet1

假设还有另外一台路由器“Router B”,其IP地址分别为192.168.10.254/24和192.168.30.1/24,分配给它的Ethernet0和Ethernet1接口。 它有以下路由表:

  • networkingID:192.168.10.0(11000000.10101000.00001010.00000000) – 子网掩码/ 24 – 接口RouterB-Ethernet0
  • networkingID:192.168.30.0(11000000.10101000.00011110.00000000) – 子网掩码/ 24 – 接口RouterB-Ethernet1

在漂亮的ASCII艺术中,networking看起来像这样:

  Interface Interface Ethernet1 Ethernet1 192.168.10.1/24 192.168.30.254/24 __________ V __________ V | | V | | V ----| ROUTER A |------- /// -------| ROUTER B |---- ^ |__________| ^ |__________| ^ ^ Interface Interface Ethernet0 Ethernet0 192.168.20.1/24 192.168.10.254/24 

你可以看到,路由器B知道如何“进入”一个networking192.168.30.0/24,路由器A一无所知。

假设连接到路由器A的以太网0接口的networking上连接有IP地址为192.168.20.13的PC向路由器A发送数据包进行传送。 我们假设的数据包的目的地址是192.168.30.46,它是连接到与路由器B的以太网1接口连接的networking的设备。

使用上面显示的路由表,路由器A的路由表中的任何一项都不会与目的地址192.168.30.46匹配,因此路由器A将把该数据包返回给正在发送的PC,消息“目标networking不可达”。

为使路由器“知道”192.168.30.0/24networking的存在,我们在路由器A的路由表中添加以下条目:

  • networkingID:192.168.30.0(11000000.10101000.00011110.00000000) – 子网掩码/ 24 – 可通过192.168.10.254访问

通过这种方式,路由器A有一个与我们的示例数据包的192.168.30.46目的地匹配的路由表条目。 这个路由表条目有效地说:“如果你得到一个192.168.30.0/24的数据包,发送到192.168.10.254,因为他知道如何处理它。 这是我之前提到的类似于“在前台交付披萨”的行为 – 将包传递给知道如何使其更接近其目的地的人。

添加一个条目到“路由表”被称为添加一个“静态路由”。

如果路由器B要将数据包传送到192.168.20.0子网掩码255.255.255.0networking,则在其路由表中也需要一个条目:

  • networkingID:192.168.20.0(11000000.10101000.00010100.00000000) – 子网掩码/ 24 – 可通过:192.168.10.1(路由器A在192.168.10.0networking中的IP地址)

这将在这些路由器之间的192.168.10.0/24networking之间创build在192.168.30.0/24networking和192.168.20.0/24networking之间传送的path。

您总是要确保这样的“间隙networking”两侧的路由器具有“远端”networking的路由表条目。 如果我们的例子中的路由器B没有连接到路由器A的“远端”networking192.168.20.0/24的路由表项,那么我们假设的来自PC的192.168.20.13的数据包到达目标设备192.168.30.46,但192.168.30.46尝试发回的任何回复将被路由器B返回为“目标networking不可达”。 单向沟通通常是不可取的。 当你考虑计算机networking中的通信时,一定要确保你考虑双向stream量。

你可以从静态路线中获得很多里程。 像EIGRP,RIP等dynamic路由协议实际上只不过是路由器彼此之间交换路由信息的一种方式,实际上可以用静态路由来configuration路由信息。 但是,在静态路由上使用dynamic路由协议的一大优点是,dynamic路由协议可以基于networking条件(带宽利用率,接口“下降”等) dynamic地改变路由表,并且因此使用dynamic路由协议可能会导致configuration“绕开”networking基础设施中的故障或瓶颈。 (尽pipedynamic路由协议不在这个答案的范围之内)

你不能从这里到达那里

在我们的例子路由器A的情况下,当一个绑定“17​​2.16.31.92”的数据包进入时会发生什么?

查看路由器路由表中,目标接口或静态路由都不匹配172.18.31.92的前24位(即10101100.00010000.00011111.01011100,BTW)。

正如我们已经知道的,路由器A将通过“目的地networking不可达”消息将数据包返回给发送者。

假设有另一个路由器(路由器C)坐在地址“192.168.20.254”。 路由器C有一个连接到互联网!

  Interface Interface Interface Ethernet1 Ethernet1 Ethernet1 192.168.20.254/24 192.168.10.1/24 192.168.30.254/24 __________ V __________ V __________ V (( heap o )) | | V | | V | | V (( internet )) ----| ROUTER C |------- /// -------| ROUTER A |------- /// -------| ROUTER B |---- (( w00t! )) ^ |__________| ^ |__________| ^ |__________| ^ ^ ^ Interface Interface Interface Ethernet0 Ethernet0 Ethernet0 10.35.1.1/30 192.168.20.1/24 192.168.10.254/24 

如果路由器A可以将不匹配任何本地接口的数据包路由到路由器C,那么路由器C就可以将它们发送到互联网上,这将是一件好事。 input“默认网关”路线。

在我们的路由表的最后添加一个条目,如下所示:

  • networkingID:0.0.0.0(00000000.00000000.00000000.00000000) – 子网掩码/ 0 – 目标路由器:192.168.20.254

当我们试图将“172.16.31.92”匹配到路由表中的每个条目时,我们最终会碰到这个新条目。 起初,这有点令人困惑。 我们正在寻找与目标地址的零位匹配……等等…什么? 匹配零位? 所以,我们根本不找一场比赛。 这个路由表条目基本上是这样说的:“如果你到达这里,而不是放弃交付,把这个数据包发送到路由器192.168.20.254,让他来处理它”。

192.168.20.254是我们知道如何传送数据包的目的地。 当面对一个没有特定路由表条目的目的地的数据包时,这个“默认网关”条目将始终匹配(因为它匹配目标地址的零位),并给我们一个“最后的手段”的地方,我们可以发送数据包交付。 有时您会听到称为“最后的网关”的默认网关。

为了使默认网关路由有效,它必须引用可以使用路由表中的其他条目访问的路由器。 例如,如果您尝试在Router A中指定默认网关192.168.50.254,则传递到此类默认网关将失败。 192.168.50.254不是路由器知道如何将数据包传送到其路由表中的任何其他路由的地址,所以这样的地址作为默认网关是无效的。 这可以简明扼要地说明:默认网关必须设置为通过在路由表中使用另一条路由而可以访问的地址。

真正的路由器通常将默认网关存储为其路由表中的最后一个路由,以便在数据包未能匹配表中的所有其他条目后匹配数据包。

城市规划和IP路由

将IP子网分解成更小的IP子网是lke城市规划。 在城市规划中,分区用于适应景观(河stream,湖泊等)的自然景观,影响城市不同地区之间的交通stream量,并将不同types的土地利用(工业,住宅等) 。 IP子网划分真的很相似。

networking子网划分有三个主要原因:

  • 您可能想要通过不同的通信媒体沟通。 如果两个build筑物之间有T1 WAN连接,则可以在这些连接的末端放置IP路由器,以便于通过T1进行通信。 每一端的networking(也可能是T1本身的“插接”networking)将被分配到唯一的IP子网,以便路由器可以决定哪些业务应该通过T1线路发送。

  • 在以太网中,您可以使用子网限制networking给定部分的广播stream量。 应用层协议使用以太网的广播function来达到非常有用的目的。 但是,随着越来越多的主机打包到同一个以太网中,线路上的广播stream量(或者无线以太网中的空气)的百分比可能会增加,从而导致传输非广播stream量时出现问题。 (在过去,广播stream量通过强制他们检查每个广播数据包,可能压倒主机的CPU,这在今天是不太可能的)。交换式以太网上的过多stream量也可能以“将帧泛洪到未知目的地”的forms出现。 这种情况是由于以太网交换机无法跟踪networking上的每个目的地而造成的,也是交换式以太网networking无法扩展到无限主机的原因。 为了子网的目的,将帧洪泛到未知目的地的效果类似于过量广播业务的影响。

  • 您可能需要“警察”不同组主机之间的stream量types。 也许你有打印服务器设备,你只希望授权的打印排队服务器计算机发送作业给他们。 通过限制允许stream向打印服务器设备子网的stream量,用户无法将PCconfiguration为直接与打印服务器设备通信以绕过打印计费。 您可能会将打印服务器设备放入子网中,并在连接到该子网的路由器或防火墙中创build规则,以控制允许向打印服务器设备发送stream量的主机列表。 (路由器和防火墙通常都可以根据数据包的源地址和目的地址决定是否传送数据包,防火墙通常是具有迷恋性格的路由器的子类,他们可以非常关心数据包的有效载荷,而路由器通常忽略有效载荷并只传送数据包。)

在规划一个城市时,可以规划街道如何相互交叉,并且可以使用转弯,单向和死胡同街道来影响交通stream量。 你可能想要主街30个街区,每个街区各有99个build筑物。 计划你的街道编号是非常简单的,这样每个街区的街区数量就会增加100。 很容易知道每个后续块中的“开始号码”应该是什么。

在规划IP子网时,需要关注的是使用适当数量的可用主机ID(build筑物编号)构build适当数量的子网(街道),并使用路由器将子网彼此连接(交叉点)。 有关路由器中指定的允许的源地址和目标地址的规则可以进一步控制stream量的stream量。 防火墙可以像强迫交通警察一样行事。

为了这个答案的目的,build立我们的子网是我们唯一关心的问题。 与城市规划一样,您不用十进制,而是使用二进制来描述每个子网的边界。

续: IPv4子网划分如何工作?

(是的…我们达到了答案的最大尺寸(30000个字符)。)

续: IPv4子网划分如何工作?

您的ISP给你的networkingID 192.168.40.0/24(11000000.10101000.00101000.00000000)的范围。 您知道您希望使用防火墙/路由器设备来限制networking不同部分(服务器,客户端计算机,networking设备)之间的通信,因此,您希望将networking的各个部分分开到IP子网(防火墙/路由器设备之间可以路由)。

你有:

  • 12台服务器计算机,但是可能会多达50%
  • 9个开关
  • 97客户端电脑,但你可能会得到更多

将192.168.40.0/24分解成这些碎片的好方法是什么?

思考在两个权力,并与更多的可能的设备工作,你可以想出:

  • 18台服务器电脑 – 其次是32
  • 9个开关 – 两个下一个最大的功率是16
  • 97台客户端电脑 – 其次是128的最大功率

在给定的IP子网中,有两个保留的地址不能用作有效的设备IP地址 – 主机ID部分全部为零的地址,主机ID部分全部为1的地址。 因此,对于任何给定的IP子网,可用主机地址的数量是32的数量减去子网掩码中的位数的二的两倍。因此,在192.168.40.0/24的情况下,我们可以看到子网掩码有24位。 这留下了8位可用于主机ID。 我们知道2到8次幂是256–意味着256个可能的比特组合适合8比特宽的时隙。 由于这些8位的“11111111”和“00000000”组合对于主机ID是不允许的,所以这给我们留下了可以在192.168.40.0/24networking中分配的254个可能的主机。

在这254个主机中,看起来我们可以将客户端计算机,交换机和服务器计算机安装到该空间中,对吧? 咱们试试吧。

你有8位的子网掩码来“播放”(IP地址192.168.40.0/24的其余8位不在你ISP提供的子网掩码中)。 我们必须找出一种方法来使用这8位来创build许多可以适应上述设备的唯一networkingID。

从最大的networking – 客户端计算机开始。 您知道,可能的设备数量中的下一个较大的幂是128.二进制数字128是“10000000”。 幸运的是,对于我们来说,这符合我们免费的8位插槽(如果没有的话,这将表明我们的起始子网太小,无法容纳我们所有的设备)。

让我们把我们的networkingID,由我们的ISP提供,并添加一个子网掩码的一个位,它分成两个networking:

 11000000.10101000.00101000.00000000 - 192.168.40.0 network ID 11111111.11111111.11111111.00000000 - Old subnet mask (/24) 11000000.10101000.00101000.00000000 - 192.168.40.0 network ID 11111111.11111111.11111111.10000000 - New subnet mask (/25) 11000000.10101000.00101000.10000000 - 192.168.40.128 network ID 11111111.11111111.11111111.10000000 - New subnet mask (/25) 

仔细查看,直到它是有道理的。 我们将子网掩码的长度增加了一个比特,导致networkingID覆盖了一个用于主机ID的位。 由于这一点可以是零或一,我们已经有效地将我们的192.168.40.0networking分成两个networking。 192.168.40.0/25networking中的第一个有效IP地址将是第一个在最右侧位置带有“1”的主机ID:

 11000000.10101000.00101000.00000001 - 192.168.40.1 - First valid host in the 192.168.40.0/25 network 

192.168.40.128networking中的第一个有效主机同样也是第一个在最右边位用“1”表示的主机ID:

 11000000.10101000.00101000.10000001 - 192.168.40.129 - First valid host in the 192.168.40.128/25 network 

每个networking中最后一个有效的主机将是主机ID, 除了最右边的位被设置为“1” 之外的每一位:

 11000000.10101000.00101000.01111110 - 192.168.40.126 - Last valid host in the 192.168.40.0/25 network 11000000.10101000.00101000.11111110 - 192.168.40.254 - Last valid host in the 192.168.40.128/25 network 

所以,这样,我们就创build了一个足够容纳我们的客户端计算机的networking,然后我们可以使用同样的原则来分解成更小的networking。 让我们来记下:

  • 客户端计算机 – 192.168.40.0/25 – 有效IP:192.168.40.1 – 192.168.40.126

现在,打破我们的服务器和交换机的第二个networking,我们做同样的事情。

我们有12台服务器电脑,但我们可能会多买6台。 让我们计划18,这使得我们下一个2的最高次幂为32.在二进制中,32是“100000”,它是6位长。 我们在192.168.40.128/25中留下了7位的子网掩码,所以我们有足够的位来继续“播放”。 再添加一个子网掩码给了我们两个networking:

 11000000.10101000.00101000.10000000 - 192.168.40.128 network ID 11111111.11111111.11111111.10000000 - Old subnet mask (/25) 11000000.10101000.00101000.10000000 - 192.168.40.128 network ID 11111111.11111111.11111111.11000000 - New subnet mask (/26) 11000000.10101000.00101000.10000001 - 192.168.40.129 - First valid host in the 192.168.40.128/26 network 11000000.10101000.00101000.10111110 - 192.168.40.190 - Last valid host in the 192.168.40.128/26 network 11000000.10101000.00101000.11000000 - 192.168.40.192 network ID 11111111.11111111.11111111.11000000 - New subnet mask (/26) 11000000.10101000.00101000.11000001 - 192.168.40.193 - First valid host in the 192.168.40.192/26 network 11000000.10101000.00101000.11111110 - 192.168.40.254 - Last valid host in the 192.168.40.192/26 network 

所以,现在我们把192.168.40.128/25分成两个networking,每个networking有26位子网掩码,或总共62个可能的主机ID – 2 ^(32-26)-2。

这意味着这两个networking都有足够的地址用于我们的服务器和交换机! 让我们做笔记:

  • 服务器 – 192.168.40.128/26 – 有效IP:192.168.40.129 – 192.168.40.190
  • 交换机 – 192.168.40.192/26 – 有效的IP地址:192.168.40.193 – 192.168.40.254

这种技术被称为可变长度子网掩码(VLSM),并且如果适当地应用,导致“核心路由器”具有更小的路由表(通过称为“路由汇总”的过程)。 就本例中的ISP而言,他们完全不知道我们如何划分192.168.40.0/24。 如果他们的路由器有一个绑定到192.168.40.206(我们的交换机之一)的数据包,他们只需要知道将它传递给我们的路由器(因为192.168.40.206匹配路由器的路由表中的networkingID和子网掩码192.168.40.0/24 )和我们的路由器将它到达目的地。 这使我们的子网路由离开他们的路由表。 (我在这里简化,但你明白了。)

您可以用同样的方式规划非常大的地理位置的networking。 只要你事先做了正确的“城市规划”(预测每个子networking中的主机数量,准确一些,注意未来),就可以创build一个大的路由层次结构,在核心路由器上“总结“到极less数的路线。 正如我们上面看到的,路由器路由表中的路由越多,执行其工作就越慢。 使用VLSMdeviseIPnetworking并保持路由表很小是一件好事(tm)。

例证的不切实际

这个答案中的虚构世界显然是虚构的。 通常情况下,您可以在现代交换式以太网上创build子网数量多于254(根据stream量configuration文件)。 正如已经指出的那样,在路由器之间使用/ 24networking与Real Life(tm)不一致。 它使得可爱的例子,但是是浪费地址空间。 通常情况下,一个/ 30或一个/ 31(请参阅http://www.faqs.org/rfcs/rfc3021.html了解/ 31的工作细节 – 他们超出了这个答案的范围)两个路由器之间严格点对点的链路。

Sub-netting

Sub-netting is not difficult but it can be intimidating. So let's start with the simplest possible step. Learning to count in binary.

二进制

Binary is a base 2 counting system. Consisting of only two numbers (1 and 0). Counting proceeds in this manner.

 1 = 001 ( 0 + 0 + 1 = 1) 2 = 010 ( 0 + 2 + 0 = 2) 3 = 011 ( 0 + 2 + 1 = 3) 4 = 100 ( 4 + 0 + 0 = 4) 5 = 101 ( 4 + 0 + 1 = 5) 

So if you just imagine that each 1 is a place holder for a value (all binary values are powers of two)

 1 1 1 1 1 = 31 16 + 8 + 4 + 2 + 1 = 31 

So… 100000 = 32. And 10000000 = 128. AND 11111111 = 255.

When I say, "I have a subnet mask of 255.255.255.0", I really mean, "I have a subnet mask of 11111111.11111111.11111111.00000000." We use subnets as a short hand.

The periods in the address, separate every 8 binary digits (an octet). This is why IPv4 is known as a 32bit (8*4) address space.

Why Subnet?

IPv4 addresses (192.168.1.1) are in short supply. Sub-netting gives us a way to increase the amount of available networks (or hosts). This is for administrative reasons and technical reasons.

Each IP address is broken into two separate portions, the network and the host. By default a Class C address (192.168.1.1) uses the first 3 octets (192.168.1) for the network portion of the address. and the 4th octet (.1) as the host portion.

By default an ip address and subnet mask for a Class C adress looks like this

 IP 192.168.1.1 Subnet 255.255.255.0 

In binary like this

 IP 11000000.10101000.00000001.00000001 Subnet 11111111.11111111.11111111.00000000 

Look at the binary example again. Notice how I said the first three octets are used for the network? Notice how the network portion is all ones? That's all sub-netting is. Let's expand.

Given that I have a single octet for my host portion (in the above example). I can ONLY ever have 256 hosts (256 is the max value of an octet, counting from 0). But there's another small trick: you need to subtract 2 host addresses from the available ones (currently 256). The first address in the range will be for the network (192.168.1.0) and the last address in the range will be the broadcast (192.168.1.255). So you really have 254 available addresses for hosts in one network.

A Case Study

Let's say I gave you the the following piece of paper.

 Create 4 networks with 192.168.1.0/24. 

Let's take a look at this. The /24 is called CIDR notation. Rather than referencing the 255.255.255.0 we just reference the bits we need for the network. In this case we need 24bits (3*8) from a 32bit address. Writing this out in binary

 11111111.11111111.11111111.00000000 = 255.255.255.0 8bits + 8bits + 8bits + 0bits = 24bits 

Next we know we need figure out how many subnets we need. Looks like 4. Since we need to create more networks (currently we only have one) lets flip some bits

 11111111.11111111.11111111.00000000 = 255.255.255.0 = 1 Network OR /24 11111111.11111111.11111111.10000000 = 255.255.255.128 = 2 Networks OR /25 11111111.11111111.11111111.11000000 = 255.255.255.192 = 4 Networks (remember powers of 2!) OR /26 

Now that we've decided on a /26 let's start allocating hosts. A little simple math:

 32(bits) - 26(bits) = 6(bits) for host addresses. 

We have 6bits to allocate in each network for hosts. Remembering that we need to subtract 2 for each network.

 h = host bits 2^h - 2 = hosts available 2^6 - 2 = 62 hosts Finally we have 62 hosts in 4 networks, 192.168.1.0/26 

Now we need to figure out where the hosts go. Back to the binary!

 11111111.11111111.11111111.00,000000 [the comma is the new network/hosts division] Begin to calculate: 11000000.10101000.00000001.00,000000 = 192.168.1.0 [First IP = Network Adress] 11000000.10101000.00000001.00,000001 = 192.168.1.1 [First Host IP] 11000000.10101000.00000001.00,000010 = 192.168.1.2 [Second Host IP] 11000000.10101000.00000001.00,000011 = 192.168.1.3 [Third Host IP] And so on ... until ... 11000000.10101000.00000001.00,111110 = 192.168.1.62 [Sixty Second Host IP] 11000000.10101000.00000001.00,111111 = 192.168.1.63 [Last IP = Broadcast Address] So ... On to the NEXT network .... 11000000.10101000.00000001.01,000000 = 192.168.1.64 [First IP = Network Address] 11000000.10101000.00000001.01,000001 = 192.168.1.65 [First Host IP] 11000000.10101000.00000001.01,000010 = 192.168.1.66 [Second Host IP] And so on ... until ... 11000000.10101000.00000001.01,111110 = 192.168.1.126 [Sixty Second Host IP] 11000000.10101000.00000001.01,111111 = 192.168.1.127 [Last IP = Broadcast Address] So ... On to the NEXT network .... 11000000.10101000.00000001.10,000000 = 192.168.1.128 [First IP = Network Address] 11000000.10101000.00000001.10,000001 = 192.168.1.129 [First Host IP] Etc ... 

In this way you can calculate the entire subnet.

Wild Cards A wild card mask is an inverted subnet mask.

 11111111.11111111.11111111.11000000 = 255.255.255.192 [Subnet] 00000000.00000000.00000000.00111111 = 0.0.0.63 [Wild Card] 

Further

Google for the terms 'super-netting', and 'VLSM (variable length subnet mask)', for more advanced topics.

I can see now that I took too long in responding … sigh

A brief history lesson: originally, unicast IPv4 addresses were divided into 3 classes, each with an associated 'default' mask length (called the classful subnet mask)

  • Class A: Anything in the range 1.0.0.0 -> 127.255.255.255. Classful subnet mask of 255.0.0.0 (/8 in CIDR notation)
  • Class B: Anything in the range 128.0.0.0 -> 191.255.255.255. Classful subnet mask of 255.255.0.0 (/16 in CIDR notation)
  • Class C: Anything in the range 192.0.0.0 -> 223.255.255.255. Classful subnet mask of 255.255.255.0 (/24 in CIDR notation)

The idea was that different sized organisations could be allocated a different class of IP address, to make efficient use of IP address space.

However, as IP networks grew, it became clear that this approach had its problems. To name but three:

In a classful world, all subnets had to have a mask of /8, /16, or /24. This meant that the smallest subnet that could be configured was a /24, which allowed for 254 host addresses (.0 and .255 being reserved as the the network and broadcast addresses, respectively). This was tremendously wasteful, particularly on point-to-point links with only two routers attached to them.

Even after this restriction was relaxed, earlier routing protocols (eg RIPv1 ) did not advertise the mask length associated with an IP prefix. In the absence of a specific mask, it would use either the mask of a directly connected interface in the same classful network, or fall back to using the classful mask. For example, if you wanted to use the network 172.16.0.0 for inter-router links with /30 masks, all subnets from 172.16.0.0 – 172.16.255.255 would have to have a /30 mask (16384 subnets, each with 2 useable IPs).

The routing tables of internet routers began to take up more and more memory; this was/is known as the 'routing table explosion'. If a provider had 16 contiguous /24 networks, for example, they would need to advertise all 16 prefixes, rather than a single summary that covered the entire range.

Two related refinements allowed us to move beyond the above limitations.

  1. Variable Length Subnet Masks (VLSM)
  2. CIDR (Classless inter domain routing)

VLSM refers to the ability of a routing protocol to support different subnet masks within the same classful network. 例如:

 192.168.1.0/24 

Could be split into:

 192.168.1.0/25 192.168.1.128/26 192.168.1.192/27 192.168.1.224/27 

Which allowed for much more efficient use of address space; subnets could be sized correctly for the number of hosts/routers that would be attached to them.

CIDR takes VLSM and extends it the other way; in addition to splitting a single classful network into smaller subnets, CIDR allows for the aggregation of multiple classful networks into a single summary. For example, the following Class B (/16) networks:

 172.16.0.0/16 172.17.0.0/16 172.18.0.0/16 172.19.0.0/16 

Can be aggregate/summarised with a single prefix:

 172.16.0.0/14 

In terms of subnetting: a subnet mask is 32 bits long. The mask length denotes how many bits identify the network portion of the address. 例如:

 10.1.1.0/24 
  • The classful subnet mask is /8
  • The actual subnet mask is /24
  • 16 bits (24-8) have been 'borrowed' for the use of subnetting.

This means that, assuming the entire 10.0.0.0/8 network is subnetted into /24s, that there will be 65536 (2 ^ 16) subnets within this range. (This is assuming that the platform you are using supports subnet numbers of 0 and 255. See Cisco's ip subnet-zero).

There are 8 bits remaining in the 'host portion' of the address. This means there are 256 available IP addresses (2 ^ 8), of which 2 are reserved (10.1.1.0 is the network address, 10.1.1.255 is the subnet directed broadcast address). This leaves 254 usable IP addresses on this subnet. ((2^8) – 2)

Network ranges: networks are always referenced by 2 numbers: one to determine the network, and another to determine which computer (or host) is on that network. As each nertwork address is 32 bits long, both numbers have to fit in these 32 bits.

Network numbering is important, as its this that ICANN hands out when you ask for a network IP range. If we didn't have it, no-one would be able to tell the difference between my network and AT&Ts. So while these numbers must be unique, no-one else wants to assign numbers to the hosts that are on my network. Hence the split – the first part is managed by the network people, the second part is all mine to give to whatever machines I want.

The network number isn't fixed at a certain number of bits – for example, if I had only 200 machines to manage myself, I'd be perfectly happy with a network number that used 24 bits, leaving me with only 8 bits for myself – which is enough for up to 255 hosts. As the network number uses 24 bits, we can have lots of them, meaning lots of people can have their own networks.

In the past this was referred to as a class C network. (class B used 16 bits for network number, and class A used 8 bits, so there are only a few class A networks in existence).

Nowadays, this naming convention has fallen out of fashion. It was replaced with the concept called CIDR. CIDR explicitly puts the number of bits for your hosts after the slash. So my example above (the class C) is now referred to as a CIDR /24.

This does give us a little more flexibility, before if I had 300 hosts to manage, I'd need a class B network! Now, I can just get a /23 CIDR, so I have 9 bits for me, and 23 bits for the network number. ICANN may not have these kind of networks out, but if I have an internal one, or am renting a partial network from an ISP, this makes it easier to manage – especially as all their customers can be given a /29 (leaving me .. 3 bits or a maximum of 8 machines) which allows more people to have their own little slice of the available IP addresses. Until we get IPv6, this is quite important.


However… while I know a /24 CIDR is the equivalent of the old Class C network, and a /16 is class B and a /8 is a class A… I am still stumped trying to calculate a /22 in my head. Fortunately there are tools that do this for me 🙂

However – if you know a /24 is 8 bits for hosts (and 24 bits for network), then I know a /23 gives me an extra bit which doubles the number of hosts.

While the above is correct (sorry, TL;DR), calculating subnets still causes many network administrators a lot of grief. There actually is a very easy way to do subnet calculation, you can do most of it in your head, and there is very little you have to memorize. For most applications, it's not even necessary to understand the binary representation, though it is helpful for a complete understanding of subnetting. Here I will only discuss IPv4; IPv6 is outside of the scope of this discussion.

Remember this:

There are three key things to remember: all subnets are based on powers of two, and there are two key numbers: 256 and 32. More on that later.

First, lets look at a table containing powers of 2:

 2^0 = 1 2^1 = 2 2^2 = 4 2^3 = 8 2^4 = 16 2^5 = 32 2^6 = 64 2^7 = 128 2^8 = 256 

Calculating powers of 2 is easy: each integer increase in the power doubles the result. 1+1=2, 2+2=4, 4+4=8, 8+8=16, and so on. The total number of addresses in a subnet must always be a power of 2 .

Since each octet of an IPv4 subnet goes up to 256, 256 is a very important number and forms the basis for the rest of the math.

Sizing the subnet

We'll start with an easy question: "how many addresses in a subnet if the mask is 255.255.255.248?" We will ignore the first three octets for now and look at the last. Here is how easy it is: subtract 248 from 256. 256 minus 248 equals 8. There are 8 addresses available (including the network and broadcast addresses). The reverse also works: "if I want to have a subnet with 16 addresses, what will the subnet mask be?" 256 minus 16 equals 240. The subnet mask will be 255.255.255.248.

Now if we want to expand beyond 256 addresses (historically, a "class C"), it gets only a tiny bit more complicated: if our last octet is 0 and our third octet is, say, 240, (255.255.240.0) then we do the math on the third octet and find that there would be 16 addresses. So we multiply 16 by 256 (the number of addresses in the last octet) to get 4,096. If both the last two octets are 0, (ex. 255.240.0.0) then we take the subtraction result from the second octet (we'll say it's 16 again), multiply but 256 (addresses in the third octet), multiply again by 256 (addresses in the last octet) to get 1,048,576 addresses. 那样容易! (OK, so the reverse is a little more difficult. If we want a subnet with 1,048,576 addresses, we'll have to divide that number by 256 a couple of times to get a number we can subtract from 256.)

Network address

Now that we know how to calculate the subnet mask, how do we figure out what the network address is? That's easy: it's always a multiple of the number of addresses in our subnet. So if we have 16 addresses in our subnet, the possible network addresses will be 0, 16, 32, 48, 64, and so on up to 240. (Note that 0 is a valid multiple of any number, as any number multiplied by 0 equals 0.)

And, of course, the broadcast address will be the last address in the scope. So if we have 16 address in our subnet, and we've chosen a network address of 10.3.54.64, the broadcast address will be (64+16-1=79) 10.3.54.79.

CIDR Notation

So how about CIDR notation? How do translate that to and from an IPv4-style subnet mask?

Remember our powers of two? Well, now we have another key number to remember besides 256: 32. Remember, CIDR notation describes the number of significant bits in the IPv4 address, and there are 32 bits in an IPv4 address, 8 for each octet. So if we have a subnet mask of 255.255.255.240, that is 16 addresses. If we look at our "powers of 2" table above, we see that 16 is two to the fourth power (2^4). So we subtract that power number — 4 — from 32 and get 28. Our CIDR notation for a subnet mask of 255.255.255.240, our CIDR notation is /28.

And if we are given a CIDR of /28, we subtract that (28) from 32 to get 4; raise 2 to that (4th) power (2^4) to get 16; then subtract that (16) from 256 to get 240; or 255.255.255.240.

I also feel that there should atleast be a mention of NATs, because they are used so commonly in modern networks in place of Subnets, because of IPv4 address exhaustion,among other things. (Also, when I was first learning about subnets, I was very confused as to how subnetting relates to the networks created by WiFi routers).

NAT (network address translation) is a technique (commonly) used to create private networks by mapping one address space (IP:Port) to another. Majorly, this is used to create a private network of multiple private IPs behind one public address, for example, in Wifi routers, by organizations(like a university or a corporation), or sometimes by ISPs.

The actual address translation is done transparently in NAT capable nodes, usually routers. It may be of many forms, Full Cone, Address Restricted, Port restricted etc. or a mixture of these, which dictates how the connections across the node may be initiated.

Full details can be found on Wikipedia , but for example consider a Wifi router with 2 devices connected to it. The public IP of the router is 10.9.20.21/24 , and the IP of the devices(Private IPs) are A: 192.168.0.2 , B: 192.168.0.3 and that of the router is R: 192.168.0.1 . Thus if A wants to connect to server S: 10.9.24.5/24 , (which is actually on a different subnet wrt the router here):

  1. A sends an IP packet to R (which would be the default gateway) with the source IP 192.168.0.2 , src port (say) 14567 , and destination IP: 10.9.24.5 (Although port is actually a part of the TCP header).
  2. The router(which is NAT capable) maps the port 14567 to device A and changes the source on the IP packet to 10.9.20.21 (which is the public IP of the router). This is in contrast to subnetting described above, where the IP packets are actually never changed .
  3. S recieves the series of TCP packets(with src IP: 10.9.20.21 , src Port: 14567 ) and send response packets with those values in the destination fields.
  4. R checks the destination port, which is 14567 and forwards the packet to A .
  5. A receives the response packet.

In the above situation, if B tried to open a connection on the same source port ( 14567 ), it would be mapped to a different port by R (and the port in the outgoing packet changed) before sending to S . That is, there would also be port translation instead of just IP.

Two things to note here:

  1. Due to this address translation, it is often not possible to initiate a connection to devices in the private network without using some special techniques.
  2. The restriction on the total TCP connections from same device to a server (65536 = 2^16) now applies collectively to all devices behind the NAT, in the NAT form used above.