10-Dot Subnetting

A back-to-basics look at subnetting.

The advent of TCP/IP was such a good thing that it took the world by storm. Everyone wanted to get in on the TCP/IP action. For a while the protocol's acceptance was so popular that there was a fear we'd run out of IP addresses. In the mid-1990's, there was a push to update TCP-IP from version 4 (IPv4) to version 6 (IPv6—don't ask, no one knows why there wasn't a version 5), an upgrade that would substantially increase the number of allowable IP addresses. (Because IP v4 is predicated on a 32-bit addressing scheme, there are 232 possible addresses. IPv6 uses a 128-bit addressing scheme, so there are scads more addresses available-2128.)

The move to IPv6 has died down in the U.S., but it's gaining popularity in other countries, especially in Asia. A large backbone that has been developed worldwide utilizes IPv6, called the "6bone."

So, why didn't we run out of IP addresses? Two good reasons:

  1. The creators of TCP-IP set aside a reserved group of IP addresses that could be used on private networks (i.e. not allowed out on the Internet) as follows:

    Class A: 10.0.0.1 - 10.255.255.254
    Class B: 172.16.0.1 - 172.31.255.254
    Class C: 192.168.0.1 - 192.168.255.254

  2. Protocols such as Network Address Translation (NAT), Classless Inter-Domain Routing (CIDR) and Network Address Port Translation (NAPT) were developed to allow bfor the translation of internal addresses to addresses that could be used on the Internet. Today routers and firewalls can quickly NAT addresses and allow for seamless interaction between users on a private network using reserved IP network addresses and on the Internet using standard IP addresses.

Suppose that your company, in the early days of TCP-IP went out and purchased a couple of valid (non-private) Class C network address ranges. Each Class C network can yield up to 256 addresses, so your company could theoretically grow to 512 addresses (though there are a few limitations like the 0th and the 255th addresses—i.e. 192.168.0.0 and 192.168.0.255). But there are some intrinsic problems with this. First of all, since these are public addresses, if you're not careful to set up some kind of security it's possible for scurrilous Internet types to hack into your private network. Secondly, what happens when your network outgrows those 512 addresses? With the distinct lack of IPv4 networks available today (through www.iana.org) you might be out of luck getting your hands on an entirely new Class C network.

So, using a private network range of addresses is a godsend. Easy to implement, well-known and understood, easily NAT-ted through routers and firewalls, a private network is the way to go.

That being said, which one do you pick: Class A, Class B or Class C? Class C private numbers are fine for people who are experimenting with subnetting and for small applications—training rooms or small companies, for example. For companies that won't exceed more than 65,534 addresses, a Class B private network is fine. However, most companies I've worked for simply opt to get into the Class A 10.xxx.yyy.zzz network, lovingly called "10-Dot". I think this is because 10-Dot addresses are easy to work with and understand, or at least easier than 172.16.something-or-other.

Implementing a 10-Dot network gives you 4,294,967,296 addresses to use—less the amount of 0th and 255th addresses you use in your subnetting. Most companies won't ever use in excess of 4 million addresses, so 10-Dot is a great choice, regardless of company size. As a result of this, lots of companies are migrating to a 10-Dot internal network.

A side-benefit to the 10-Dot network: Because companies had to pay a lot of money for their public addresses, they can save a few bucks by not renewing them. Yes, your company will need a few public addresses (such as for the DMZ and firewalls servers, routers, etc.), but those should be available through your ISP.

Now, you've decided to implement a 10-Dot network in your company and you convince your management that it's a good idea. How do you go about getting this work done?

Subnetting Basics
First you need to understand the idea of subnetting. It's a very simple concept that gets taken to esoteric extremes. By manipulating the subnet mask for a given range of addresses, you, in effect, isolate different ranges of addresses from one another. I've written articles on the finer aspects of subnetting, as have thousands of others, but for our purposes, we really don't need to get fancy. A basic 10-Dot implementation doesn't take a lot of effort. In this article we'll assume your company is small and doesn't have layer upon layer of technical complexity. Design engineers would be needed to assist in large 10-Dot rollouts.

Let's say that you work for a company of 500 people. You have five basic divisions of people in your company:

  • Sales
  • Marketing
  • Manufacturering
  • IT
  • Administration

All users reside in a single campus on two floors. The IDF on floor two and an MDF on floor one are connected by fiber-optic cable. You have a rack of switches in both the IDF and MDF.

Let's also assume that you have one entry point to the Internet, a router, a Microsoft Internet Security and Acceleration (ISA) server, a couple of DMZ servers and a few internal servers, including a Microsoft Exchange server. You have a telephone switch that uses an IP address.

As a general rule of thumb, it's a good idea to logically separate servers and other hardware from people. Additionally, good subnetting principles call for the isolation of distinct people groups. So, given that information and a 10-Dot schema, we might come up with the following subnets:

  • Router, firewalls and DMZ internal NICs—10.0.1.zzz
  • Servers—10.0.2.zzz
  • Switches in MDF and IDF and telephone switch—10.0.3.zzz
  • Printers—10.0.4.zzz
  • Sales—10.0.5.zzz
  • Marketing—10.0.6.zzz
  • Manufacturing—10.0.7.zzz
  • IT—10.0.8.zzz
  • Administration—10.0.9.zzz

Getting Started With The 10-Dot Network and Subnetting
Note that you can simply refer to the number in the 3rd octet as the subnet number for a given group of computers or people. Thus you'd say servers are in the two, printers in the four and sales in the five subnets, respectively.

To effectively put things into place, you'd use a Class C 255.255.255.0 subnet mask. In fact, the key to the whole thing is the subnet mask. By utilizing different numbers on the 3rd octet, coupled with a Class C mask, you've effectively isolated your network to distinct groups, giving 254 (remember the 0th and 255th addresses) possible addresses for each subnet. Therefore, as an example, the Sales group in the five subnet can hook up 254 devices, whether those devices are user workstations or other gear.

Now for the sticky part. A router is required for subnetting to work. If you don't have a router and you implement a simple scheme such as the one above, the Sales group won't be able to communicate with the Marketing group and vice-versa. (Alternatively, you can have Layer 3 switches. The point is you have to have some sort of routing protocol in place to handle subnetting.) The majority of difficulty you'll encounter when implementing a 10-Dot scheme will be reconfiguring the router to handle the new subnets.

Miscellaneous Concerns
When considering a 10-Dot implementation of whatever size, there are some things you'll want to keep in mind:

  • You have to reconfigure DHCP scopes.
  • You have to reconfigure printers, servers and other gear with static IP addresses.
  • You may have to perform a manual IPCONFIG /Release and IPCONFIG /Renew (or WINIPCFG release and renew) on each workstation involved in the conversion, so they will pick up the new IP address.
  • You'll have to manually change pplications, ODBC configurations and other configuration files that have statically coded-in IP addresses. (Applications in which the developers naively compiled in the static address—stuff never changes, does it?—will have to recompile their apps).
  • As needed, you'll have to check and reconfigure DNS and WINS servers, to make sure that name-resolution continues to be available to hosts on the network.
  • You'll have to do some advance planning and work with ISPs and with your firewall and DMZ servers to make sure Internet clients (e-mail for example) can still get inside and that internal clients can still hit the Web.
  • You may have to consider a brand new VLAN design in your switches.

Here's where the whole thing can go wrong: lack of planning. 10-Dot subnetting seems so simple that Admins don't take time to think through their migration. Let's say that you have 25 Sales people that you decide to cut over on Friday evening. How will you support those 25 so that they have complete access to the other users in the building on Monday morning, even though you have not yet migrated the others? The idea of maintaining parallel IP addressing schemes always crops up in 10-Dot migrations.

Therefore, any admin considering a 10-Dot network should be sure to sit down with stakeholders and other IT-savvy people to develop a project plan that clearly denotes the steps and activities involved in such a migration—even a small one.

Featured