1) What is Subnet Mask?

By Scott Seong An IP address has two components, the network address and the host address. A subnet mask separates the IP address into the network and host addresses (<network><host>). Subnetting further divides the host part of an IP address into a subnet and host address (<network><subnet><host>). It is called a subnet mask because it is used to identify network address of an IP address by perfoming bitwise AND operation on the netmask. A Subnet mask is a 32-bit number that masks an IP address, and divides the IP address into network address and host address. Subnet Mask is made by setting network bits to all "1"s and setting host bits to all "0"s. Within a given network, two host addresses are reserved for special purpose. The "0" address is assigned a network address and "255" is assigned to a broadcast address, and they cannot be assigned to a host. Examples of commonly used netmasks for classed networks are 8-bits (Class A), 16-bits (Class B) and 24-bits (Class C), and classless networks are as follows: Class Address CIDR CIDR CIDR CIDR A CIDR CIDR CIDR CIDR CIDR CIDR CIDR B CIDR CIDR CIDR CIDR CIDR CIDR CIDR C CIDR CIDR CIDR /4 /5 /6 /7 /8 /9 /10 /11 /12 /13 /14 /15 /16 /17 /18 /19 /20 /21 /22 /23 /24 /25 /26 /27 # of Hosts 240,435,456 134,217,728 67,108,864 33,554,432 16,777,216 8,388,608 4,194,304 2,097,152 1,048,576 524,288 262,144 131,072 65,534 32,768 16,384 8,192 4,096 2,048 1,024 512 256 128 64 32 Netmask (Binary) 11110000 00000000 00000000 00000000 11111000 00000000 00000000 00000000 11111100 00000000 00000000 00000000 11111110 00000000 00000000 00000000 11111111 00000000 00000000 00000000 11111111 10000000 00000000 00000000 11111111 11000000 00000000 00000000 11111111 11100000 00000000 00000000 11111111 11110000 00000000 00000000 11111111 11111000 00000000 00000000 11111111 11111100 00000000 00000000 11111111 11111110 00000000 00000000 11111111 11111111 00000000 00000000 11111111 11111111 10000000 00000000 11111111 11111111 11000000 00000000 11111111 11111111 11100000 00000000 11111111 11111111 11110000 00000000 11111111 11111111 11111000 00000000 11111111 11111111 11111100 00000000 11111111 11111111 11111110 00000000 11111111 11111111 11111111 00000000 11111111 11111111 11111111 10000000 11111111 11111111 11111111 11000000 11111111 11111111 11111111 11100000 Netmask (Decimal) 240.0.0.0 248.0.0.0 252.0.0.0 254.0.0.0 255.0.0.0 255.128.0.0 255.192.0.0 255.224.0.0 255.240.0.0 255.248.0.0 255.252.0.0 255.254.0.0 255.255.0.0 255.255.128.0 255.255.192.0 255.255.224.0 255.255.240.0 255.255.248.0 255.255.252.0 255.255.254.0 255.255.255.0 255.255.255.128 255.255.255.192 255.255.255.224

CIDR /28 CIDR /29 CIDR /30

16 8 4

11111111 11111111 11111111 11110000 11111111 11111111 11111111 11111000 11111111 11111111 11111111 11111100

255.255.255.240 255.255.255.248 255.255.255.252

Subnetting an IP network is to separate a big network into smaller multiple networks for reorganization and security purposes. All nodes (hosts) in a subnetwork see all packets transmitted by any node in a network. Performance of a network is adversely affected under heavy traffic load due to collisions and retransmissions. Applying a subnet mask to an IP address separates network address from host address. The network bits are represented by the 1's in the mask, and the host bits are represented by 0's. Performing a bitwise logical AND operation on the IP address with the subnet mask produces the network address. For example, applying the Class C subnet mask to our IP address 216.3.128.12 produces the following network address:
IP: 1101 1000 . 0000 0011 . 1000 0000 . 0000 1100 Mask: 1111 1111 . 1111 1111 . 1111 1111 . 0000 0000 --------------------------------------------1101 1000 . 0000 0011 . 1000 0000 . 0000 0000 Subnetting Network (216.003.128.012) (255.255.255.000) (216.003.128.000)

Here is another scenario where subnetting is needed. Pretend that a web host with a Class C network needs to divide the network so that parts of the network can be leased to its customers. Let's assume that a host has a network address of 216.3.128.0 (as shown in the example above). Let's say that we're going to divide the network into 2 and dedicate the first half to itself, and the other half to its customers.
216 . 216 . 3 . 128 . (0000 0000) 3 . 128 . (1000 0000) (1st half assigned to the web host) (2nd half assigned to the customers)

The web host will have the subnet mask of 216.3.128.128 (/25). Now, we'll further divide the 2nd half into eight block of 16 IP addresses.
216 . 3 . 128 . (1000 0000) 216 . 3 . 128 . (1001 0000) 216 . 3 . 128 . (1010 0000) 216 . 3 . 128 . (1011 0000) 216 . 3 . 128 . (1100 0000) 216 . 3 . 128 . (1101 0000) 216 . 3 . 128 . (1110 0000) 216 . 3 . 128 . (1111 0000) ----------------------------255 . 255 . 255 . (1111 0000) Customer Customer Customer Customer Customer Customer Customer Customer 1 2 3 4 5 6 7 8 --------Gets Gets Gets Gets Gets Gets Gets Gets 16 16 16 16 16 16 16 16 IPs IPs IPs IPs IPs IPs IPs IPs (14 (14 (14 (14 (14 (14 (14 (14 usable) usable) usable) usable) usable) usable) usable) usable)

(Subnet mask of 255.255.255.240)

CIDR - Classless Inter Domain Routing

Classless InterDomain Routing (CIDR) was invented to keep the Internet from running out of IP Addresses. The IPv4, a 32-bit, addresses have a limit of 4,294,967,296 (232) unique IP addresses. The classful address scheme (Class A, B and C) of allocating IP addresses in 8-bit increments can be very wasteful. With classful addressing scheme, a minimum number of IP addresses allocated to an organization is 256 (Class C). Giving 256 IP addresses to an organization only requiring 15 IP addresses is wasteful. Also, an organization requiring more than 256 IP addresses (let's say 1,000 IP addresses) is assigned a Class B, which allocates 65,536 IP addresses. Similarly, an organization requiring more than 65,636 (65,634 usable IPs) is assigned a Class A network, which allocates 16,777,216 (16.7 Million) IP addresses. This type of address allocation is very wasteful. With CIDR, a network of IP addresses is allocated in 1-bit increments as opposed to 8-bits in classful network. The use of a CIDR notated address can easily represent classful addresses (Class A = /8, Class B = /16, and Class C = /24). The number next to the slash (i.e. /8) represents the number of bits assigned to the network address. The example shown above can be illustrated with CIDR as follows:
216.3.128.12, with subnet mask of 255.255.255.128 is written as 216.3.128.12/25 Similarly, the 8 customers with the block of 16 IP addresses can be written as: 216.3.128.129/28, 216.3.128.130/28, and etc.

With an introduction of CIDR addressing scheme, IP addresses are more efficiently allocated to ISPs and customers; and hence there is less risk of IP addresses running out anytime soon. For detailed specification on CIDR, please review RFC 1519. With introduction of additional gaming, medical, applicance and telecom devices requiring static IP addresses in addition to more than 6.5 billion (July 2006 est.) world population, the IPv4 addresses with CIDR addressing scheme will eventually run out. To solve shortage of IPv4 addresses, the IPv6 (128bit) address scheme was introduced in 1993.

2) What is an IP Address?
No doubt you've heard the term "IP address." Unless you're a techie, though, you may not have more than a shadowy notion of what an IP address actually is or how it works. Let's explore the concept. An IP address is a fascinating product of modern computer technology designed to allow one computer (or other digital device) to communicate with another via the Internet. IP addresses allow the location of literally billions of digital devices that are connected to the Internet to be pinpointed and differentiated from other devices. In the same sense that someone needs your mailing address to send you a letter, a remote computer needs your IP address to communicate with your computer.

"IP" stands for Internet Protocol, so an IP address is an Internet Protocol address. What does that mean? An Internet Protocol is a set of rules that govern Internet activity and facilitate completion of a variety of actions on the World Wide Web. Therefore an Internet Protocol address is part of the systematically laid out interconnected grid that governs online communication by identifying both initiating devices and various Internet destinations, thereby making two-way communication possible. An IP address consists of four numbers, each of which contains one to three digits, with a single dot (.) separating each number or set of digits. Each of the four numbers can range from 0 to 255. Here's an example of what an IP address might look like: 78.125.0.209. This innocuous-looking group of four numbers is the key that empowers you and me to send and retrieve data over our Internet connections, ensuring that our messages, as well as our requests for data and the data we've requested, will reach their correct Internet destinations. Without this numeric protocol, sending and receiving data over the World Wide Web would be impossible. IP addresses can be either static or dynamic. Static IP addresses never change. They serve as a permanent Internet address and provide a simple and reliable way for remote computers to contact you. Static IP addresses reveal such information as the continent, country, region, and city in which a computer is located; the ISP (Internet Service Provider) that services that particular computer; and such technical information as the precise latitude and longitude of the country, as well as the locale, of the computer. Many websites provide IP address look-up services to their visitors, free of charge. If you're curious about your own IP address, you can locate these websites by performing a Google search. Dynamic IP addresses are temporary and are assigned each time a computer accesses the Internet. They are, in effect, borrowed from a pool of IP addresses that are shared among various computers. Since a limited number of static IP addresses are available, many ISPs reserve a portion of their assigned addresses for sharing among their subscribers in this way. This lowers costs and allows them to service far more subscribers than they otherwise could. Static IP addresses are generally preferable for such uses as VOIP (Voice over Internet Protocol), online gaming, or any other purpose where users need to make it easy for other computers to locate and connect to them. Easy access can also be facilitated when using a dynamic IP address through the use of a dynamic DNS service, which enables other computers to find you even though you may be using a temporary, one-time IP address. This often entails an extra charge, however, so check with your ISP.

Static IP addresses are considered somewhat less secure than dynamic IP addresses, since they are easier to track for data mining purposes. However, following safe Internet practices can help mitigate this potential problem and keep your computer secure no matter what type of IP address you use

3)

ARP

ARP stands for address resolution protocol. It is used to transform an IP address to its corresponding physical network address. It is at the lower levels of networking protocol (layer 2of OSI model) and it is usually run in the device drivers of the network OS. ARP is generally seen on Ethernet networks and on physical networks. The original design and implementation of ARP was documented by the RFC 826. To setup ARP on an Ethernet network, the hardware present will be given a physical MAC address, which will always be unique (6 bytes), this is essential to ensure delivery of the messages efficiently. The sending devices will thus have to first find out the MAC address through the IP address ( These IP-to-MAC address mappings are derived from an ARP cache maintained on each device). If an IP address is not given the device will have to get a new mapping before it is able to send messages to a target. To get a new mapping the sending device will use the local subnet to send an ARP request broadcast message. The IP address to which the message was sent will respond by the host offering a reply which will allow the sending device to update its cache and continue to send messages to the intended target.

4) What is ARP Cache Poisoning? Address Resolution Protocol (ARP) spoofing, also known as ARP flooding, ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network. ARP Spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. The attack can only be used on networks that actually make use of ARP and not another method of address resolution. The principle of ARP spoofing is to send fake, or "spoofed", ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). 5) What is the ANDing process? When a source host attempts to communicate with a destination host, the source host uses its subnet mask to determine whether the destination host is on the local network or a remote network. This is known as the ANDing process. The AND function has the following properties: If the two compared values are both 1, the result is 1. If one of the values is 0 and the other is 1, the result is 0. If both of the compared values are 0, the result is 0. The source and destination IP addresses are compared to the source's subnet mask using the ANDing process. An AND result is created for each of the addresses. If the result is the same, the hosts are on the same network. If the result is different, the destination host is on a remote network. All traffic destined for that remote host should

be directed to the router indicated in the source host's routing table. If no explicit route is defined in the routing table, the traffic is directed to the source host's default gateway. For example two hosts that want to communicate. Host A (with IP address 172.16.2.4) wants to communicate with Host B (with IP address 172.16.3.5). If the subnet mask for Host A is 255.255.0.0, will the hosts communicate using local transmissions or will they send information to the default gateway? Using the ANDing process. When converted to binary, the address 172.16.2.4 is as follows:
10101100 00010000 00000010 00000100

When converted to binary, the address 172.16.3.5 is as follows:

10101100 00010000 00000011 00000101

If the ANDing process is performed, the result for Host A using its subnet mask of 255.255.0.0 is
HOST A's IP Address 10101100 00010000 00000010 00000100 Host A's Subnet Mask 11111111 11111111 00000000 00000000 ANDING Result 10101100 00010000 00000000 00000000

The result for Host B is

HOST B's IP Address 10101100 00010000 00000011 00000101 Host A's Subnet Mask 11111111 11111111 00000000 00000000 ANDing Result 10101100 00010000 00000000 00000000

As you can see, the two results match. This indicates that, as far as Host A is concerned, the two hosts are on the same physical network. Communication can occur directly between the two hosts. In fact, the same holds true because host B would have the same subnet mask since the hosts are on the same network. Day 5, "The Art of Subnet Masking," further examines the art of subnet masking. It also examines the use of nonstandard subnet masking to further segment a group of IP addresses into smaller segments. This process, which ignores the default subnet masks used by address classes, is commonly referred to as Classless Internet Domain Routing (CIDR). 5) What is a Default Gateway? What Happens if I Don't Have One? A gateway is a routing device that knows how to pass traffic between different subnets and networks. A computer will know some routes (a route is the address of each node a packet must go through on the Internet to reach a specific destination), but not the routes to every address on the Internet. It wont even know all the routes on the nearest subnets. A gateway will not have this information either, but will at least know the addresses of other gateways it can hand the traffic off to. Your default gateway is on the same subnet as your computer, and is the gateway your computer relies on when it doesnt know how to route traffic. The default gateway is typically very similar to your IP address, in that many of the numbers may be the same. However, the default gateway is not your IP address. 6) Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway? No. Never. A work station computer can brows the Internet only if it has a default gateway.

7)

What is APIPA?

APIPA, also known as Automatic Private IP Addressing, is a feature used in Windows operating systems. It comes into action only when DHCP (Dynamic Host Configuration Protocol) servers are available. When the DHCP client first comes on, it will try to establish a connection with the DHCP server in order to get an IP address. It is when this server is (or at a later point becomes) unavailable, that APIPA will kick in. As the client is unable to connect with the server, APIPA will automatically try to configure itself with an IP address from an specially reserved range. (This reserved IP address range goes from 169.254.0.0 to 169.254.255.255). After an IP address is obtained using APIPA, the client will then verify that their IP address is a unique one on the LAN. This is done utilizing ARP. According to Microsoft guidelines, APIPA will also check regularly to see whether the DHCP servers are available. If at any point it does become available, then the APIPA service will discontinue itself de-allocating the IP address it has obtained, and allow the DHCP server to allocate a dynamic IP address. When APIPA takes over and your client has been assigned an IP address, the client will be able to communicate with other computers also on that LAN which have also been configured by APIPA, or failing that, which have been assigned a static IP address in the range mentioned earlier (so and IP address like 169.254.x.x, where ".x.x" are the identifiers unique to that particular computer). However, if you are connected to the internet without a NAT, or even a proxy server, or you use routers, you might want to turn the APIPA feature off. For more information on this you can go to straight to the source at Microsoft's Help and Support pages on "How to use automatic TCP/IP addressing without a DHCP server" at this address http://support.microsoft.com/kb/q220874/ All the information you need to on how to turn APIPA off, is contained here. In essence the APIPA service is a fail-safe device put in place by Microsoft to make sure that everything runs smoothly. There is nothing that you need to do about it as it all happens in the background, and at speeds and times of which you are unaware of. In fact, by the time you detect that your DHCP server is unavailable, and you try to rectify the matter, APIPA would have already taken the proper steps necessary to keep your client running smoothly.

8) What is an RFC Name a few if possible not necessarily the numbers just the idea behind them?
Answer:
Improve

A Request For Comments (RFC) document defines a protocol or policy used on the Internet. An RFC can be submitted by anyone. Eventually, if it gains enough interest, it may evolve into an Internet Standard Each RFC is designated by an RFC number. Once published, an RFC never changes. Modifications to an original RFC are assigned a new RFC number.

8) What Answer:

is RFC 1918?
Improve

RFC 1918 is Address Allocation for Private Internets The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets: 10.0.0.0 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 192.168.255.255 (192.168/16 prefix) We will refer to the first block as "24-bit block", the second as "20-bit block", and to the third as "16-bit" block. Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and third block is a set of 256 contiguous class C network numbers.

9) Whats CIDR?
The Classless Inter Domain Routing (CIDR) standard is already in effect and most newer routers supports it. In a few years it is likely to be the way IP addressing is handled. It is already becoming common for ISP and major providers to use this scheme.
IP Address Tracking Made Free & Easy!

Forget the excel spreadsheets! SolarWinds FREE desktop tool, IP Address Tracker, gives you a unified view of your IP address space and shows you which IP addresses are in use and which arent. Eliminates manual errors and ensures IP addresses are listed in the right place. Download Now The old Classfull IP Addressing scheme provided for Class A, B and C networks: Starting bits for the first octet 0 10 110 1110 1111 How many networks per Class? 126 2^14=16384 2^21=~2 Million How many hosts per network? (2^24)-2=~16 Million (2^16)2=~65000 (2^8)-2=254 Range of the first octet 1-126 128-191 192-223 224-239 240-255 127=Loopback

Class type

Class A Class B Class C Class D Class E

The default Subnet Masks for these networks are: Class type Number of bits used Number of bits used Default Subnet Mask

for the Network ID Class A Class B Class C 8 16 24

for the Host ID 24 16 8 255.0.0.0 255.255.0.0 255.255.255.0

The problem with such a scheme is that we are bound to blocks of IP addresses and if we don't need all of them (for example if a small company would need 100 computers they would still have to use a class C network) or if we need more than we can get (for example if a medium sized company needed 1000 computers per network they couldn't use a class C network - they'd need a class B network) we can do nothing about it. The inefficiencies are mainly in the block assignments. You get a class C network and use only a hundred of those. That means there are suddenly 154 unused and unavailable addresses. On the bigger scale some investigations have indicated that while we are running out of address blocks to assign only a very small percentage of the total addresses are being used. (less than 10%). Of course these networks could be subnetted on a local level, but that would only be good for our local networks, not for the Internet traffic. With the expansion of smaller networks the route table additions are increasing rapidly. The capacity is being overtaxed. What good is an Internet address is you can't get where you want or some can't find you. Thus, a need is developing for modifying the way it is handled. One method of solving the problem is to use subnetting. Another is to have all the smaller networks use the privately assigned address space and use proxies. That way only one external address is being employed. Not exactly true since the NAT (Network Address Translation) needs to provide a public address for each IP address in the internal system when in use. However, this would most certainly solve some the problems. The new scheme that has been developed for this purpose is called CIDR.

How does CIDR work? How does it differ from Classfull IP Addressing? How will it solve it's problems?
The class system is being replaced with a prefix anywhere from 13 to 27 bits which serves as a generalized network prefix. Thus a new IP address might look like this 192.168.255.48/25. The first 25 bit in the address are used to identify the network, while the remaining 7 bits are used to identify the host. Instead of using the old Classfull IP Addressing scheme where the previous IP address was identified as a class C IP address (the first octet is in the range of 192 to 223) and thus we would be forced to use the remaining last octet (the last 8 bits) as the Host ID, we will now use only the last 7 bits as the Host ID and thus have 25 bits for the Network ID instead of the old 24 bits. CIDR blocks and number of Host IDs per segment:

CIDR Block

Number of Equivalent Class C networks

Number of Network ID bits 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13

Number of Host ID bits 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

Total number of Host addresses per segment= (2 ^# of Host ID bits) 32 64 128 256 512 1,024 2,048 4,096 8,192 16,384 32,768 65,536 131,072 262,144 524,288

Number of usable Host addresses per segment= (2 ^# of Host ID bits)-2 30 62 126 254 510 1,022 2,046 4,094 8,190 16,382 32,766 65,534 131,070 262,142 524,286

/27 /26 /25 /24 /23 /22 /21 /20 /19 /18 /17 /16 /15 /14 /13

1/8 Class C 1/4 Class C 1/2 Class C 1 Class C 2 Class C 4 Class C 8 Class C 16 Class C 32 Class C 64 Class C 128 Class C 256 Class C = 1 Class B 512 Class C = 2 Class B 1024 Class C=4 Class B 2048 Class C=8 Class B

This would then allow the big blocks to be provided to the ISPs who would then rent them out on an as needed basis to the users. The allocation might be bigger or smaller blocks depending on needs. It would allow for a much more efficient assignment off the IP address space.

10) You need to view at network traffic. What will you use? Name a few tools?
Depends what type of traffic I want to monitor and the network design. I really liked using Fluke Networks OptiView Network Analyzer. Software though I would say wireshark, sitrace, Iris Network Traffic Analyzer, Airsnare, Packetcapsa. Backtrack (a linux live CD) has tons of different applications

that you can use to monitor and view network traffic.