Summary Address Blocks
With IPv4
To summarize a block of IP ranges, the subnets must form a run of sequential numbers in one of the octets. The block must be X numbers in a row, where X is a power of 2, and the first number in the sequence must be a multiple of X. The sequence will always end before the next multiple of X.
Example:
- 128 numbers in a row can be summarized (0 to 127 – 128 to 255).
- 64 numbers in a row can be summarized (0 – 64 – 128 – 192).
- 32 numbers in a row
- 16 numbers in a row…
The range 172.16.0.0 – 172.31.0.0, for example, can be summarized. The first number of the sequence is a power of 2 (16) and (31 – 16) + 1 = 16, so this sequence contains 16 numbers in a row in the second octet.
The corresponding mask can be found by using 256 – N. Here 256 – 16 is 240, so the mask will be 255.240.0.0, giving 172.16.0.0/12.
With IPv6
The same concept as IPv4 applies. Blocks of /64 subnets can be summarized into larger blocks with a smaller mask. With IPv6, VLSM is not necessary, as most IPv6 subnets will be /64 and are therefore able to contain any number of hosts. The number of subnets in the block should be a power of 2 and the starting number should also be a power of 2.
Example: 2001:AAAA:BBBB:A480::/64 to 2001:AAAA:BBBB:A4BF::/64.
0x80 = 128 and 0xBF = 191. 128 is a multiple of 2.
If we apply the same rule as for IPv4: (191 – 128) + 1 = 64. So this is a block of 64 contiguous subnets. 6 bits are required to count 64 values, so 6 bits need to be taken off the network portion: 64 – 6 is 58.
The final summarized prefix is 2001:AAAA:BBBB:A480::/58.
IP Addressing Needs
Modern networks have requirements that come from the services they support, and this has a direct impact on how IP addressing is designed:
- IP Telephony: typically requires its own subnets to be able to support QoS needs properly.
- Videoconferencing: as with IP Telephony, videoconferencing has its own needs for IP subnets to support the high bandwidth and loss/latency sensitivity.
- Layer 3 at the edge: Edge Layer 3 switching can create demand for a number of new small subnets.
- NAC: Some 802.1X and NAC deployments can dynamically assign VLANs based on logins or roles.
- Other corporate requirements: Internal policies can lead to additional IP subnets. Production and testing networks can be required to be separated.
Role Based Addressing
When using the Role Based Addressing technique, the easiest way to go is to use the 10.x.x.x range. The simplest scheme is 10.CLOSET.VLAN.x/24. This has the advantage of not requiring binary arithmetic, but it will not be suitable if networks have more than 254 hosts or if more than 254 closets are present.
An alternative is to use the 172.16/12 private range with bit splitting. Host bits can be reserved to ensure the necessary space is left for end hosts. The remaining bits can then be used for splitting.
Example with 6 bits reserved for the host portion: 172.0001 xxxx . xxxx xxxx . xxhh hhhh. 14 bits are left for the splitting and can be used as follows:
172.16.cccc cccR . RRhh hhhh where:
- c represents Closets or Layer 3 switches. 7 bits are present, so 128 identifiers are possible.
- R represents Roles. 3 bits allow 8 roles to be defined (for Telephony, Video, NAC…).
- h represents Hosts. 6 bits allow 62 hosts per subnet.
With this technique, a large enterprise network can be addressed and 4 bits in the second octet are still available.
For routing protocols with important IP addressing requirements, such as OSPF, splitting can also be used so that areas can be summarized.
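As an added example (not part of the original notes), the Python below encodes the 172.16.cccc cccR.RRhh hhhh layout and derives the single address/wildcard pair that matches one role in every closet, which is what keeps role-based ACLs short. The role numbers are arbitrary, and it assumes ACL wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored) on a device that accepts non-contiguous wildcard masks.

```python
import ipaddress

# Layout from the text: 172.16.cccc cccR.RRhh hhhh
BASE = int(ipaddress.IPv4Address("172.16.0.0"))
CLOSET_BITS, ROLE_BITS, HOST_BITS = 7, 3, 6
ROLE_SHIFT = HOST_BITS                  # role sits just above the host bits
CLOSET_SHIFT = HOST_BITS + ROLE_BITS    # closet sits above the role bits


def role_subnet(closet, role):
    """Return the /26 subnet assigned to a closet (0-127) and role (0-7)."""
    if not 0 <= closet < (1 << CLOSET_BITS):
        raise ValueError("closet does not fit in 7 bits")
    if not 0 <= role < (1 << ROLE_BITS):
        raise ValueError("role does not fit in 3 bits")
    addr = BASE | (closet << CLOSET_SHIFT) | (role << ROLE_SHIFT)
    return ipaddress.IPv4Network((addr, 32 - HOST_BITS))


def decode(address):
    """Split an address back into (closet, role, host)."""
    value = int(ipaddress.IPv4Address(address))
    if value >> 16 != BASE >> 16:
        raise ValueError("address is outside 172.16.0.0/16")
    closet = (value >> CLOSET_SHIFT) & ((1 << CLOSET_BITS) - 1)
    role = (value >> ROLE_SHIFT) & ((1 << ROLE_BITS) - 1)
    return closet, role, value & ((1 << HOST_BITS) - 1)


def role_wildcard(role):
    """Address/wildcard-mask pair matching one role in every closet."""
    if not 0 <= role < (1 << ROLE_BITS):
        raise ValueError("role does not fit in 3 bits")
    care = 0xFFFF0000 | (((1 << ROLE_BITS) - 1) << ROLE_SHIFT)
    base = ipaddress.IPv4Address(BASE | (role << ROLE_SHIFT))
    return str(base), str(ipaddress.IPv4Address(~care & 0xFFFFFFFF))


def wildcard_match(address, base, wildcard):
    """True when address equals base on every bit the wildcard marks as 0."""
    diff = int(ipaddress.IPv4Address(address)) ^ int(ipaddress.IPv4Address(base))
    return (diff & ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF) == 0


if __name__ == "__main__":
    # Constructed sample: closet 5, role 3 (an arbitrary role number).
    print(role_subnet(5, 3), decode("172.16.10.200"), role_wildcard(3))
```

Because the role bits sit at a fixed position, one ACL entry per role covers all 128 closets instead of one entry per closet subnet.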
Bit Splitting for IPv6
Usually the ISP gives a /48 prefix to an enterprise. As IPv6 subnets should be /64, this leaves 16 bits for 65535 subnets.
- Split by Areas: If routing protocols like OSPF are used, the addressing should support summarization at ABRs. The first 4 bits can be used to represent the area number and VLANs can be coded into the last 12 bits. This would support 16 areas and 4096 VLANs.
- IPv4 mapping: If IPv4 addressing is based on 10/8 and all subnets are using /24 or shorter, the middle 16 bits of the IPv4 address can be mapped to the IPv6 address. By converting the second and third octets to hexadecimal, 16 bits can be appended to the assigned /48 IPv6 prefix. No more than 16 bits should be used for this to work and the IPv4 addressing should be correct.
- Role Based Addressing: As with IPv4, it’s possible to reserve some bits for specific usage.
VPN Clients
When role-based security is deployed, it is convenient to create different groupings for VPN clients. These groupings might match the function of the user inside the enterprise, so that different groups can have different IP pools.
ACLs and NAC rules can be simpler to write when access control is needed, and routing back to the client is easier.