Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
Networks, Routing, and Firewall Basics
B-5
May 2004, 202-10030-02
Subnet addressing allows us to split one IP network address into multiple smaller physical
networks known as subnetworks. Some of the node number bits are used as a subnet number instead.
A Class B address gives us 16 bits of node numbers, translating to 64,000 nodes. Most
organizations do not use 64,000 nodes, so there are free bits that can be reassigned. Subnet
addressing makes use of those free bits, as shown below.
Figure 8-2: Example of Subnetting a Class B Address
A Class B address can be effectively translated into multiple Class C addresses. For example, the
IP address of 172.16.0.0 is assigned, but node addresses are limited to 255 maximum, allowing
eight extra bits to use as a subnet address. The IP address of 172.16.97.235 would be interpreted as
IP network address 172.16, subnet number 97, and node number 235. In addition to extending
the number of addresses available, subnet addressing provides other benefits. Subnet addressing
allows a network manager to construct an address scheme for the network by using different
subnets for other geographical locations in the network or for other departments in the
organization.
Although the preceding example uses the entire third octet for a subnet address, note that you are
not restricted to octet boundaries in subnetting. To create more network numbers, you need only
shift some bits from the host address to the network address. For instance, to partition a Class C
network number (192.68.135.0) into two, you shift one bit from the host address to the network
address. The new netmask (or subnet mask) is 255.255.255.128. The first subnet has network
number 192.68.135.0 with hosts 192.68.135.1 to 192.68.135.126, and the second subnet has
network number 192.68.135.128 with hosts 192.68.135.129 to 192.68.135.254.
Note: The number 192.68.135.127 is not assigned because it is the broadcast address of the first
subnet. The number 192.68.135.128 is not assigned because it is the network address of the second
subnet.
[Figure 8-2 diagram labels: Class B; Network; Subnet; Node]
The following table lists the additional subnet mask bits in dotted-decimal notation. To use the
table, write down the original class netmask and replace the 0 value octets with the dotted-decimal
value of the additional subnet bits. For example, to partition your Class C network with subnet
mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240.
Table 8-1. Netmask Notation Translation Table for One Octet
Number of Bits    Dotted-Decimal Value
1                 128
2                 192
3                 224
4                 240
5                 248
6                 252
7                 254
8                 255
The following table displays several common netmask values in both the dotted-decimal and the
masklength formats.
Table 8-2. Netmask Formats
Dotted-Decimal      Masklength
255.0.0.0           /8
255.255.0.0         /16
255.255.255.0       /24
255.255.255.128     /25
255.255.255.192     /26
255.255.255.224     /27
255.255.255.240     /28
255.255.255.248     /29
255.255.255.252     /30
255.255.255.254     /31
255.255.255.255     /32
NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same
netmask for the following reasons:
• So that hosts recognize local IP broadcast packets. When a device broadcasts to its segment
  neighbors, it uses a destination address of the local network address with all ones for the host
  address. In order for this scheme to work, all devices on the segment must agree on which bits
  comprise the host address.
• So that a local router or bridge recognizes which addresses are local and which are remote.
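As an added illustration (example code, not part of the NETGEAR manual), the following Python performs the bit shifting described above: it converts between the masklength and dotted-decimal forms of Tables 8-1 and 8-2, splits an address into its network, subnet and node numbers as in the 172.16.97.235 example, and partitions 192.68.135.0 exactly as the text does, reserving the broadcast and network addresses the note mentions. The function names and the returned tuple/dict layout are this example's own choices.

```python
# Added illustration (not from the NETGEAR manual): the subnet arithmetic the
# text describes, done on 32-bit integers so that the bit shifting is visible.
def ip_to_int(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """Masklength -> dotted-decimal netmask (Table 8-2): 25 -> 255.255.255.128."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask):
    """Dotted-decimal netmask -> masklength. A mask whose 1 bits are not
    contiguous is rejected: hosts could not agree on which bits are host bits."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("netmask %s is not contiguous" % mask)
    return prefix

def address_parts(addr, net_bits, subnet_bits):
    """Split an address into (network, subnet, node) numbers, as in the Class B
    example: 172.16.97.235 with 16 network bits and 8 subnet bits."""
    n = ip_to_int(addr)
    host_bits = 32 - net_bits - subnet_bits
    network = n >> (32 - net_bits)
    subnet = (n >> host_bits) & ((1 << subnet_bits) - 1)
    return network, subnet, n & ((1 << host_bits) - 1)

def split_network(network, prefix, extra_bits):
    """Shift extra_bits from the host part to the network part and list every
    resulting subnet with its usable host range and broadcast address."""
    new_prefix = prefix + extra_bits
    if new_prefix > 30:  # fewer than 2 host bits leaves no usable host addresses
        raise ValueError("no usable host addresses after the split")
    base = ip_to_int(network) & ip_to_int(prefix_to_mask(prefix))
    size = 1 << (32 - new_prefix)
    result = []
    for i in range(1 << extra_bits):
        net = base + i * size  # host bits all zero: the subnet's network address
        result.append({"network": int_to_ip(net), "netmask": prefix_to_mask(new_prefix),
                       "first_host": int_to_ip(net + 1), "last_host": int_to_ip(net + size - 2),
                       "broadcast": int_to_ip(net + size - 1)})  # host bits all one
    return result
```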
Private IP Addresses
If your local network is isolated from the Internet (for example, when using NAT), you can assign
any IP addresses to the hosts without problems. However, the IANA has reserved the following
three blocks of IP addresses specifically for private networks:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
NETGEAR recommends that you choose your private network number from this range. The
DHCP server of the FVL328 Firewall is preconfigured to automatically assign private addresses.
Regardless of your particular situation, do not create an arbitrary IP address; always follow the
guidelines explained here. For more information about address assignment, refer to RFC 1597,
Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP
Address Space. The Internet Engineering Task Force (IETF) publishes RFCs on its Web site at
www.ietf.org.
Single IP Address Operation Using NAT
In the past, if multiple computers on a LAN needed to access the Internet simultaneously, you had
to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a
single-address account typically used by a single user with a modem, rather than a router. The
FVL328 Firewall employs an address-sharing method called Network Address Translation (NAT).
This method allows several networked computers to share an Internet account using only a single
IP address, which may be statically or dynamically assigned by your ISP.
The router accomplishes this address sharing by translating the internal LAN IP addresses to a
single address that is globally unique on the Internet. The internal LAN IP addresses can be either
private addresses or registered addresses. For more information about IP address translation, refer
to RFC 1631, The IP Network Address Translator (NAT).
The following figure illustrates a single IP address operation.
Figure 8-3: Single IP Address Operation Using NAT
This scheme offers the additional benefit of firewall-like protection because the internal LAN
addresses are not available to the Internet through the translated connection. All incoming
inquiries are filtered out by the router. This filtering can prevent intruders from probing your
system. However, using port forwarding, you can allow one PC (for example, a Web server) on
your local network to be accessible to outside users.
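As an added illustration (example code, not the FVL328's implementation), the following Python models the address sharing and filtering just described: LAN hosts keep private addresses, the router rewrites outbound packets to its single ISP-assigned address, inbound packets are passed only when they answer an earlier outbound flow, and a port-forward rule exposes one LAN host. The class name, the WAN port range and the remote addresses 198.51.100.7 and 203.0.113.9 are constructed for this example; 172.21.15.105 and the 192.168.0.x addresses are taken from Figure 8-3.

```python
# Added illustration, not from the NETGEAR manual: a minimal model of the
# address sharing described above. LAN hosts keep private addresses, the
# router rewrites them to its single ISP-assigned address, and inbound
# packets pass only if they match an earlier outbound flow or a port-forward
# rule. All addresses and ports here are constructed sample values.

class NatRouter:
    def __init__(self, wan_ip, port_forwards=None):
        self.wan_ip = wan_ip
        self.port_forwards = port_forwards or {}  # WAN port -> (LAN ip, LAN port)
        self.flows = {}    # (lan ip, lan port, remote ip, remote port) -> WAN port
        self.table = {}    # WAN port -> that same flow tuple (reverse lookup)
        self.next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> Internet: replace the private source with the WAN address
        and a WAN port that identifies this flow. Returns the rewritten packet."""
        key = (src_ip, src_port, dst_ip, dst_port)
        wan_port = self.flows.get(key)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.flows[key] = wan_port
            self.table[wan_port] = key
        return (self.wan_ip, wan_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Internet -> LAN: translate back to the private host, or return None
        for traffic that no LAN host asked for (the 'filtered out' case)."""
        if dst_port in self.port_forwards:  # e.g. the one LAN Web server
            lan_ip, lan_port = self.port_forwards[dst_port]
            return (src_ip, src_port, lan_ip, lan_port)
        flow = self.table.get(dst_port)
        if flow and flow[2:] == (src_ip, src_port):  # reply to an earlier request
            return (src_ip, src_port, flow[0], flow[1])
        return None

def demo():
    """Two LAN hosts share 172.21.15.105; only a reply and the forwarded port get in."""
    r = NatRouter("172.21.15.105", port_forwards={80: ("192.168.0.2", 80)})
    a = r.outbound("192.168.0.3", 5000, "198.51.100.7", 80)
    b = r.outbound("192.168.0.4", 5000, "198.51.100.7", 80)
    reply = r.inbound("198.51.100.7", 80, a[1])
    unsolicited = r.inbound("203.0.113.9", 4444, a[1])  # not a reply: filtered out
    fwd = r.inbound("203.0.113.9", 4444, 80)            # port-forwarded Web server
    return a, b, reply, unsolicited, fwd
```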
MAC Addresses and Address Resolution Protocol
An IP address alone cannot be used to deliver data from one LAN device to another. To send data
between LAN devices, you must convert the IP address of the destination device to its media
access control (MAC) address. Each device on an Ethernet network has a unique MAC address,
which is a 48-bit number assigned to each device by the manufacturer. The technique that
associates the IP address with a MAC address is known as address resolution. Internet Protocol
uses the Address Resolution Protocol (ARP) to resolve MAC addresses.
If a device sends data to another station on the network and the destination MAC address is not yet
recorded, ARP is used. An ARP request is broadcast onto the network. All stations on the network
receive and read the request. The destination IP address for the chosen station is included as part of
the message so that only the station with this IP address responds to the ARP request. All other
stations discard the request.
[Figure 8-3 diagram labels: 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5 (private IP addresses assigned by user); 172.21.15.105 (IP address assigned by ISP); Internet]
The station with the correct IP address responds with its own MAC address directly to the sending
device. The receiving station provides the transmitting station with the required destination MAC
address. The IP address data and MAC address data for each station are held in an ARP table. The
next time data is sent, the address can be obtained from the address information in the table.
Related Documents
For more information about address assignment, refer to the IETF documents RFC 1597, Address
Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.
For more information about IP address translation, refer to RFC 1631, The IP Network Address
Translator (NAT).
Domain Name Server
Many of the resources on the Internet can be addressed by simple descriptive names such as
www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive
name must be translated to an IP address in order for a user to actually contact the resource. Just as
a telephone directory maps names to phone numbers, or as an ARP table maps IP addresses to
MAC addresses, a domain name system (DNS) server maps descriptive names of network
resources to IP addresses.
When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the
IP address of the resource. The PC sends the desired message using the IP address. Many large
organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the
servers to look up addresses.
IP Configuration by DHCP
When an IP-based local area network is installed, each PC must be configured with an IP address.
If the computers need to access the Internet, they should also be configured with a gateway address
and one or more DNS server addresses. As an alternative to manual configuration, there is a
method by which each PC on the network can automatically obtain this configuration information.
A device on the network may act as a Dynamic Host Configuration Protocol (DHCP) server. The
DHCP server stores a list or pool of IP addresses, along with other information (such as gateway
and DNS addresses) that it may assign to the other devices on the network. The FVL328 Firewall
has the capacity to act as a DHCP server.
