Slashdot Mirror


Local Network IPs - 10.0.0.0/8 or 192.168.0.0/16?

mike9010 asks: "After reading a few articles on the net about networking, I have come up with a question. It seems that most of them say to use 192.168.0.0/16 for a local network. Why not use 10.0.0.0/8 though? It is my understanding that it can hold a lot more IP addresses, and it is also prettier." What local network range are you using for your networks?

215 comments

  1. What about 172.16.0.0/12? by Sunlighter · · Score: 5, Insightful

    This is an intermediate one that isn't widely used.

    I don't think it matters too much; few businesses have as many as 64,000 computers, so the 192.168 is big enough. But the 10 makes it easy to do interesting things with the other numbers, like making the first number the department number, etc.

    --
    Sunlit World Scheme. Weird and different.
    1. Re:What about 172.16.0.0/12? by Magic+Thread · · Score: 5, Interesting

      I use 172.16.0.0/12. That way I don't have any problems connecting over VPN to networks that use 10.0.0.0/16 or 192.168.0.0/8.

    2. Re:What about 172.16.0.0/12? by nocomment · · Score: 3, Informative

      That's exactly it.

      Here at my company I use the 10/8 wherever I can.

      Set it up something like this

      10.0.0.0 = IT
      10.0.1.0 = dhcp range

      10.1.0.0 = IT at a different site
      10.1.1.0 = dhcp range 2nd site

      10.4.0.0 = test systems
      10.5.0.0 = production nat

      The ranges have been changed to protect the weak ;-) But you get the idea. I have seen a /24 fill up which was a huge pain so I use a /16 for the dhcp range. I will never ever run out of IP's.

      There's a couple of 192.168 network scattered about, but this makes things really easy.

      I do use the 192.168.0.* range on my home LAN though.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    3. Re:What about 172.16.0.0/12? by macwhiz · · Score: 2, Funny

      I use a /24 chunk of 172.16.0.0/12, because it's a chunk that is easy for me to remember -- it maps to my birth date.

      Plus, if I wind up with more than 254 networked devices in the house, I'll either go bankrupt paying the power bill, or the girlfriend will kill me once she finds her way through the Cat5 to throttle my neck.

    4. Re:What about 172.16.0.0/12? by 0x0d0a · · Score: 1

      I don't think it matters too much;

      Well...I'd want the default subnet mask to be correct, so barring other concerns, I'd choose the IP range that has the subnet mask correct.

    5. Re:What about 172.16.0.0/12? by dhwebb · · Score: 1

      I totally agree. I have customers with software support who can't connect remotely via VPN because of this. I ran into this problem twice and quickly re-ip'd to cure this issue. I have never seen anyone else use this range.
      I have seen small networks set up with the MS autoconfig addresses of 169.254.*.*. Nobody ever took the time to IP address the machines or put in a DHCP server.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
    6. Re:What about 172.16.0.0/12? by fm6 · · Score: 1

      Plus 10.*.*.* is easier to remember than the alternatives!

    7. Re:What about 172.16.0.0/12? by alatesystems · · Score: 2, Informative
      Well...I'd want the default subnet mask to be correct, so barring other concerns, I'd choose the IP range that has the subnet mask correct.

      CIDR, an acronym for Classless Inter-Domain Routing makes this irrelevant.

      Oh yes, and an Everything2 Node for your reading pleasure.
      Chris Benard

    8. Re:What about 172.16.0.0/12? by raju1kabir · · Score: 1
      Well...I'd want the default subnet mask to be correct, so barring other concerns, I'd choose the IP range that has the subnet mask correct.

      Well, it's been many years since "default subnet mask" was a useful concept, but I'll keep that in mind in case I'm ever swept back to 1985 by a time vortex.

      Oh, wait, you learned networking from an MCS"E" study guide, right? Because I don't think anyone else is still teaching that paleolithic stuff.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  2. Why not? by iCEBaLM · · Score: 3, Interesting

    There's no reason why not. I have no idea why every manufacturer wants the masses to use the pretty confusing IP range when 10.0.0.0./8 is easier to remember/type.

    I use it myself. Nothing wrong with it.

    -- iCEBaLM

    1. Re:Why not? by Wolfrider · · Score: 1

      --I use 10-series on my home LAN, and I don't NEED no steenkin' subnets!

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  3. we use 10/8 by chongo · · Score: 2, Informative
    We use the 10/8 within our internal network. We have subnets such as 10.10/16 and 10.20/16 on which several LANs operate, usually at the /24 level.

    Use of 10/8 can be a fine choice.

    --
    chongo (was here) /\oo/\
  4. I use by The+Clockwork+Troll · · Score: 5, Funny
    I use the 66.35.192.0/18 block.

    It doesn't seem to conflict with anything important.

    --

    There are no karma whores, only moderation johns
    1. Re:I use by shfted! · · Score: 0, Troll

      For those that don't get it, it's the Troll's home IP address (the Troll uses Cable & Wireless).

      --
      He who laughs last is stuck in a time dilation bubble.
    2. Re:I use by Anonymous Coward · · Score: 1, Funny

      umm

  5. FP... by DemoLiter2 · · Score: 0, Troll

    I use 10.0.0.x, but Windows keeps assigning IP's from 192.168 range by default.

    1. Re:FP... by sofar · · Score: 1, Informative

      No it doesn't, it insists on using 169.254.MS.BS IP addresses, especially when multiple WINS servers or a lagging DHCP server is around, which goofs up everyone's networking. Somehow M$ thought "APIPA" was a good idea.... morons.

    2. Re:FP... by man_ls · · Score: 2, Informative

      APIPA is Windows' way of doing "DHCP-less DHCP" for "fast" networks where there's no DHCP server, i.e. a quick meeting workgroup with no external network connection.

      All the services will work over APIPA fine...file sharing, etc. just no central server is required to do it.

    3. Re:FP... by Anonymous Coward · · Score: 0

      169.254/16 is, in fact, the standard address block for self-assigned IP addressing. All network devices that support TCP/IP are required (to the extent that RFC and best practice can require anything) to self-assign an address in 169.254/16 in the event that DHCP requests fail.

      Join the 21st century, fella.

    4. Re:FP... by mhesseltine · · Score: 1

      IIRC, the 169.254.xx.yy address range is also used for Zeroconf / Rendezvous networking, being plugged by Apple, as well as an implementation on Mandrake. The August issue of Linux Magazine just did a write-up on it.

      --
      Overrated / Underrated : Moderation :: Anonymous Coward : Posting
    5. Re:FP... by afidel · · Score: 5, Informative

      These are not BS. This was an IP block set aside for future use, and Apple, MS, Sun, and others decided to use it for link-local zero-config stuff. This was codified by the IETF and is specified in RFC 3330 and other places.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  6. Why? Why not? Because. by MattCohn.com · · Score: 5, Interesting

    There is no real reason to use one or the other except that many devices come with built in static IP addresses. I've seen some with 10.x addresses, others with 192.168.x addresses. I guess not looking at that, it just comes down to choice. I like 192.168 and use it on my home network... but my work network uses 10. JUST GO FOR IT MAN!

  7. What if your provider has a private network too? by epsalon · · Score: 4, Interesting

    The 10.x.x.x IPs are used for larger networks. Suppose you switch ISPs and get connected with an ISP with a NAT, or you VPN with some other network. Chances are they will be 10.x.x.x. In general use 10.x.x.x if you're running a large network and 192.168.x.x for a smaller network.

  8. This makes slashdot? by Anonymous Coward · · Score: 0

    Geezuz....

    And no, it's not from the "matters-of-personal-opinion" dept., it's from the rtfm-and-plan-your-network-appropriately dept.

  9. It really doesn't matter... by sybarite · · Score: 1

    Unless you have a very large number of networks or hosts. Then the 10.0.0.0/8 private address range gives you more room to subnet for different locations. There is also the 172.16.0.0/12 network.

  10. Don't go with the flow by EvilOpie · · Score: 1

    Personally, I do 172.16.10.x since everyone else uses either 10.0.0.0 or 192.168.0.0. Now granted this limits me to 256 IP's, but since I only have 3 computers on the network, it's not a problem. Of course it would be trivial to change that so it's like a class B address, instead of a class C.

    Though honestly, you could use whatever you wanted with the proper network setup. After all, if the stuff isn't visible to the rest of the world, then it doesn't matter what you use. Worst case scenario is that you might stumble upon a computer in the real world with the same IP address as you, but that'd be rare. It might not even be a problem if you accessed it by a DNS entry through a DNS server that was external to your network, but I can't say that for sure.

    --
    -Through the server, over the router, off the firewall... Nothing but 'Net!
    1. Re:Don't go with the flow by jareds · · Score: 2, Informative

      Though honestly, you could use whatever you wanted with the proper network setup. After all, if the stuff isn't visible to the rest of the world, then it doesn't matter what you use. Worst case scenario is that you might stumble upon a computer in the real world with the same IP address as you, but that'd be rare. It might not even be a problem if you accessed it by a DNS entry through a DNS server that was external to your network, but I can't say that for sure.

      You're wrong. How the computer obtains the IP address is irrelevant. When it attempts to send a packet to that IP address, it will be routed to the computer with that address on the private network rather than the one in the real world.

    2. Re:Don't go with the flow by schon · · Score: 3, Informative

      Now granted this limits me to 256 IP's

      So if you're concerned about that, why not just change the mask to /16 instead of /24? Considering that the 172.(16-32).x.x addresses are all /16's anyway.

      honestly, you could use whatever you wanted with the proper network setup.

      Please, PLEASE, PLEASE, never do any network setup. Ever. Until such time as you understand what you're talking about.

      Worst case scenario is that you might stumble upon a computer in the real world with the same IP address as you, but that'd be rare.

      Depending on the range, "rare" is pretty subjective.

      It's not the specific IP address, but the whole network. When you take an IP address belonging to someone else, you are not only limiting yourself from talking to that one IP address, but you're limiting yourself from talking to every computer on that IP network.

      It might not even be a problem if you accessed it by a DNS entry through a DNS server that was external to your network

      Before giving out advice, please learn a little bit about IP. DNS means NOTHING .

    3. Re:Don't go with the flow by cranesan · · Score: 1

      >>So if you're concerned about that, why not just
      >>change the mask to /16 instead of /24?
      >>Considering that the 172.(16-32).x.x addresses
      >>are all /16's anyway.
      >>...
      >>Please, PLEASE, PLEASE, never do any network
      >>setup. Ever. Until such time as you understand
      >>what you're talking about.

      Notice the author of the post you replied to said the exact same thing you said...
      >>Of course it would be trivial to change that so
      >>its like a class B address, instead of a class
      >>C.

      Don't go around assuming people don't know about networking, etc. Just because you took your little class at ITT Tech and they made you memorize which address spaces have which official "Class" Designations. Anyone who actually works on internet routers knows that the Class system is entirely ignored.. for the last 10 years or so we've been using another system called "Classless InteRdomain Routing" (CIDR)

      So, as you said,
      "Please, PLEASE, PLEASE, never do any network setup. Ever. Until such time as you understand what you're talking about."

    4. Re:Don't go with the flow by paultt · · Score: 1

      Beware that if you use a local IP range that matches public Internet IPs, your locals will no longer be able to talk to those public ones... see that funny post with SCO and the like addresses... :-)

    5. Re:Don't go with the flow by schon · · Score: 1

      Don't go around assuming people don't know about networking

      I didn't. This guy claims that it's OK to use someone else's routable address space; if you believe that anyone who thinks this knows enough to administer an IP network, then you're worse than he is.

      Anyone who actually works on internet routers knows that the Class system is entirely ignored.. for the last 10 years or so we've been using another system called "Classless InteRdomain Routing" (CIDR)

      I'm sorry, but WHAT THE FUCK ARE YOU TALKING ABOUT ?!?!?! Where, in anything I wrote did I _EVER_ mention anything about classed networks? If you check (and I think you should) you'll see that I used CIDR notation.

      "Please, PLEASE, PLEASE, never do any network setup. Ever. Until such time as you understand what you're talking about."

      Please, PLEASE, PLEASE, never respond to any /. posts. Ever. Until such time as you are able to pass a second-grade reading comprehension test.

  11. Pretty? by Henry+V+.009 · · Score: 3, Funny

    Oh sure, it's prettier if you are into the modern reductionist view of IP address beauty. I, for one, continue to prefer form and substance. How can someone compare 192.168 with 10.0? Praising 10.0 is like calling a blank canvas a masterpiece. Some people would not know real IP art if it hit them in the face.

    1. Re:Pretty? by Chester+K · · Score: 1

      Some people would not know real IP art if it hit them in the face.

      I may not know art, but I know what I like!

      --

      NO CARRIER
    2. Re:Pretty? by sharkey · · Score: 1
      How can someone compare 192.168 with 10.0? Praising 10.0 is like calling a blank canvas a masterpiece. Some people would not know real IP art if it hit them in the face.

      Take it to the next level. 10.0.0.0/8 simply cannot match the sweat, blood and tears of 192.168.37.0/19 using NT4 DHCP+WINS+MSDNS.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    3. Re:Pretty? by mike9010 · · Score: 1

      Do you think girls with all that make up caked on their face is pretty? I don't. I think the uncovered human face is beauty in itself. So why should I clutter up a pretty 10. address with all that 192.168 makeup.

      --
      ---Baseball is not right, a man can not walk with four balls. mike9010
    4. Re:Pretty? by Anonymous Coward · · Score: 0

      I think the uncovered human face is beauty in itself.

      You oughtta visit my corner of the planet then. After your eyes hemorrhage, then we can talk.

  12. Re:What if your provider has a private network too by undef24 · · Score: 0, Offtopic

    Listen to this guy. This is the reason why you should use 192.168 at home. Mod this post up.

  13. I use.. by $exyNerdie · · Score: 1
    I use 192.168.0.0-xxx for my home network because a lot of businesses use 10.0.0.xxx and I have faced network access issues when connecting through VPN to business networks...

  14. 10.0.0.0/8 by MazTaim · · Score: 4, Informative

    I actually asked this question once. Nobody could really give me a good answer. I personally prefer 10.0.0.0 over 192.168.0.0. It does look prettier, it's easier to type, and you do have more IPs to play with. Who has need for all those IPs is beyond me, but I say you can never have too many IPs.

    It does look prettier. Here is how I broke down my NAT network:

    10.0.0.0-255 = Routers/Server - Kinda, sorta DMZ
    10.0.1.0-255 = Wired Workstations
    10.0.2.0-255 = Wireless Workstations
    10.0.3.0-255 = Test stuffage

    192.168.0.0 is the defacto standard for just about any router you buy off the shelf. Perhaps there is a valid reason?

    1. Re:10.0.0.0/8 by tzanger · · Score: 1

      I use something similar:

      192.168.1.0/24 - LAN
      192.168.2.0/24 - DMZ
      192.168.3.0/24 - WLAN
      192.168.4.0/24 - dialup (the firewall has 4 modems in it)

      It's entirely subjective, but 10.0.0.0/8 is butt-ugly to me. :-)

    2. Re:10.0.0.0/8 by MazTaim · · Score: 1

      To each their own :)

  15. Broadcast domains. by cbiffle · · Score: 2, Insightful

    If you use same-size subnets in both cases, there's no difference between the 10-net and the 192-net.

    If you're using 10/8 vs. 192/24, and have enough computers to justify that, you'll want to break it up into subnets to limit the size of your broadcast domains.

  16. What ever you do PLEASE document it by MerlynEmrys67 · · Score: 4, Insightful
    Worked for a company doing networking software, so I kept a LARGE number of test devices/networks hanging off of my workstation on a test subnet... Problem was various company sites would drop off of my workstation when the IT dept. would randomly assign private addresses inside the company... I couldn't even get them to whack off a /16 for "test networks" because they thought that they would need all of the private address space scattered across all three ranges...

    So my advice is whack off 1/4 of the 10/8 space - and reserve it for true "private addressing" and use all of the rest of the private addressing ranges as you see fit

    --
    I have mod points and I am not afraid to use them
    1. Re:What ever you do PLEASE document it by shfted! · · Score: 1

      Don't you mean 10.x.x.x/10 ? Learn bitmasks ;D

      --
      He who laughs last is stuck in a time dilation bubble.
    2. Re:What ever you do PLEASE document it by MerlynEmrys67 · · Score: 1

      I do know bitmasks VERY well... The private address space is 10/8... Go look it up at www.iana.org

      --
      I have mod points and I am not afraid to use them
    3. Re:What ever you do PLEASE document it by shfted! · · Score: 1

      You misunderstood me; my bad. You said 1/4th of 10.0.0.0/8.... and I replied, meaning to say that 1/4th of 10.0.0.0/8 is 10.0.0.0/10... though that only specifies one quarter, not all of them. Sorry for the confusion!

      --
      He who laughs last is stuck in a time dilation bubble.
    4. Re:What ever you do PLEASE document it by Motherfucking+Shit · · Score: 2, Funny
      So my advice is whack off
      For once, good advice in a Slashdot post!
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    5. Re:What ever you do PLEASE document it by Anonymous Coward · · Score: 0

      and if you need something to look at...

  17. Re:What if your provider has a private network too by ArmorFiend · · Score: 4, Informative

    furthermore, DO NOT use 192.168.0.XX. Because you might get a job with a vpn-ing company that uses that to. Get a random number under 256, and use that instead of 1.

    e.g. I use 192.168.88.XX. I used to use 192.168.1.XX, but guess what, I got a job ...

  18. it depends, of course. by millia · · Score: 1

    most minirouter/firewall/cable modem sharers use 192.168.0.0/24, that i've seen. works fine if you've under 254 hosts.

    but most large internal networks do use 10/8, 10/16, or 10/24- it is a lot cleaner to setup, and does allow some neat organizational capabilities. i used 10/16 back in 97 when i set up my school district's WAN, and is still being used too.

    in times past, an argument might have been made for 172.whatever/16-23, because the larger subnets are "slower" on a network- but we've got switches, so who cares! 10/16 it is! printers on one "class C"! english teachers on another! ip#s for all!

    sorry, 10dot networks get me all fired up. we're still trying to get all of our state's districts behind a firewall, and i evangelize...

    --
    stored on computers from birth to the grave
  19. IP Subnetworking by hawkstone · · Score: 5, Informative
    From the IP subnetworking HOWTO:
    There are also special addresses that are reserved for 'unconnected' networks - that is networks that use IP but are not connected to the Internet, These addresses are:-

    * One A Class Network
    10.0.0.0
    * 16 B Class Networks
    172.16.0.0 - 172.31.0.0
    * 256 C Class Networks
    192.168.0.0 - 192.168.255.0

    The one most often used by home networking products is 192.168.1.x in my experience, not the full /16. They are designed to hold 254 addresses, no more. Why are these designed for only a small number of IP addresses? Well, the home routers often have 4 ports, with maybe wireless. Are you really going to have a few hundred clients? Anyway, it's probably best to stick with the 192.168.1.x for a small network if you're planning on connecting to one of these. If, not, do whatever floats your boat!
    1. Re:IP Subnetworking by rmohr02 · · Score: 0

      There's one D class "network" as well: 127.0.0.1

    2. Re:IP Subnetworking by happyDave · · Score: 1

      I'm betting on a troll, but oh, hell, I'll bite:

      127.0.0.1 is reserved for loopbacks. Class D first octet high order bits are 1110. That means Class D has a first octet decimal range of 224-239. Not 127.

    3. Re:IP Subnetworking by Anonymous Coward · · Score: 0

      And then of course there's class E.

    4. Re:IP Subnetworking by rmohr02 · · Score: 1

      I was going for Funny, and I said that because the parent mentioned class A, class B and class C networks. 127.0.0.1 is a way for a single machine to network with itself, and since all the numbers are constant, it would seem to be class D.

    5. Re:IP Subnetworking by hawkstone · · Score: 1

      For what it's worth, I actually thought it was hilarious. :)

    6. Re:IP Subnetworking by michael_cain · · Score: 1

      Just as a data point, I bought a CompUSA cable router last week (because it was $40 and all the other brands they carried were $50) and it insists on using 192.168.8/24 as the local subnet. No idea why they chose 8...

    7. Re:IP Subnetworking by hawkstone · · Score: 1

      Really!? So I take it it was an OEM router rebranded as a CompUSA, kind of like what they do with Maxtor hard drives? If so, any idea who the original manufacturer was?

    8. Re:IP Subnetworking by michael_cain · · Score: 1

      Not a clue. Featureless molded gray plastic case just says "CompUSA". Similarly for all of the packaging materials. The manual, written in clear American English, is also just marked "Copyright CompUSA". I haven't opened the case to look at the circuit board for hints.

  20. Choose randomly by Fluffy+the+Cat · · Score: 4, Informative

    RFC 1918 recommends that you choose a network randomly in order to reduce the chances of colliding with any other internal network you may ever want to connect to.

    1. Re:Choose randomly by zcat_NZ · · Score: 1

      We go one better; we've got a daemon that tunnels a single address from the 192.168/16 range, and via that we route our 10.x/16 and/or 10.x.y/24 LAN's into one big city-wide WAN. The 10.x/16 addresses are allocated so that they don't conflict within the WAN.

      And most of us use DHCP too, so if we bring machines to LUG meetings or whatever, they reconfigure themselves automatically.

      And to talk to my ADSL modem I'm using a 172.16.254.252/30 subnet.

      The RFC's advice is all very good in theory, but I wonder how many slashdotters have "randomly" chosen 192.168.42/24 or 192.168.69/24 for their local network.

      --
      455fe10422ca29c4933f95052b792ab2
    2. Re:Choose randomly by PD · · Score: 1

      I lost my D256 so that's kind of hard.

    3. Re:Choose randomly by happyDave · · Score: 1

      There's always a way:
      a d3 for the 100's place (use a d6, 1-2, 3-4, 5-6 for 0, 1, 2), a d6 for the 10's place (0-5), and the last place is tough: use a d8 and a d6, add the result, divide by 2, subtract 1. Gives you seven numbers 0-6.

      Oh, please save me from geekdom. I can't believe I just did that.

    4. Re:Choose randomly by DA-MAN · · Score: 1

      On my Linksys, it's 10.69.69.0/24

      --
      Can I get an eye poke?
      Dog House Forum
    5. Re:Choose randomly by vitroth · · Score: 2, Funny
      You're not nearly geeky enough.

      The right answer is 8 d2's, and simple binary arithmetic.

      Or a perl one-liner.

      Take your pick.

    6. Re:Choose randomly by in10d · · Score: 1

      Maybe you're right.

      Recently, we had a problem with connecting from an external private NAT'ted LAN to company private network, using MS VPN.

      Both the client and VPN server are in private address space.
      VPN server is exposed to internet with dedicated public IP address - through a Linux NAT box.

      So traffic goes through NAT router, internet, and another NAT router.

      Connection gets established, but any further communication is impossible - because client local network is 192.168.1/24 (same as remote), and all traffic destined to remote network gets "intercepted" by routing process, and directed to LAN :/

      Actually I don't know if it's a flaw in MS VPN system or a network design problem. But having thousands of LANs with identical IP addressing may be sometimes confusing - and such problems may occur more and more often. So "random" address classes could help, and the RFC is right (again)
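An added example, not code from any poster, covering jareds's and schon's point above that a colliding prefix hides every host of the other network, in10d's VPN case (192.168.1/24 on both ends) and the RFC 1918 random-choice advice: it checks prefix overlap, simulates longest-prefix routing, and picks a random non-colliding /24 out of 10/8. The interface names, the equal-length tie-break rule and the sample prefixes are assumptions.

```python
"""Prefix collisions and what the routing table does about them."""
import ipaddress
import random


def collisions(local: str, remotes):
    """Return the remote prefixes that overlap the local LAN prefix.

    One overlapping prefix hides the whole remote network, not one host:
    every destination inside it matches the local route instead.
    """
    lan = ipaddress.ip_network(local)
    return [r for r in remotes if lan.overlaps(ipaddress.ip_network(r))]


def lookup(routes, dst: str):
    """Longest-prefix match over (prefix, interface) pairs.

    Assumption: when two routes have the same length the one listed first
    wins, standing in for the lower metric a directly connected LAN route
    normally has compared with a VPN route.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def vpn_routes(local: str, remote: str):
    """Routing table of a client with a connected LAN (eth0), a tunnel to the
    remote office (ppp0) and a default route via the LAN gateway."""
    return [(local, "eth0"), (remote, "ppp0"), ("0.0.0.0/0", "eth0")]


def fits(prefix: str, avoid, pool: str = "10.0.0.0/8") -> bool:
    """True if prefix lies inside pool and overlaps nothing in avoid."""
    net = ipaddress.ip_network(prefix)
    return net.subnet_of(ipaddress.ip_network(pool)) and not collisions(prefix, avoid)


def pick_lan(avoid, seed=None, pool: str = "10.0.0.0/8", prefixlen: int = 24,
             attempts: int = 1000) -> str:
    """Pick a random /prefixlen out of pool that overlaps nothing in avoid,
    which is the RFC 1918 suggestion for reducing VPN collisions."""
    rng = random.Random(seed)
    base = ipaddress.ip_network(pool)
    count = 2 ** (prefixlen - base.prefixlen)          # number of candidate blocks
    block = 2 ** (32 - prefixlen)                       # addresses per block
    for _ in range(attempts):
        start = int(base.network_address) + rng.randrange(count) * block
        cand = f"{ipaddress.ip_address(start)}/{prefixlen}"
        if fits(cand, avoid, pool):
            return cand
    raise RuntimeError("no free prefix found in pool")


if __name__ == "__main__":
    # Constructed case: both ends of the VPN use 192.168.1.0/24.
    same = vpn_routes("192.168.1.0/24", "192.168.1.0/24")
    print("remote 192.168.1.50 goes via", lookup(same, "192.168.1.50"))
    # Renumber the client LAN and the same destination goes into the tunnel.
    fixed = vpn_routes(pick_lan(["192.168.1.0/24"], seed=1), "192.168.1.0/24")
    print("remote 192.168.1.50 goes via", lookup(fixed, "192.168.1.50"))
```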

    7. Re:Choose randomly by Anonymous Coward · · Score: 0

      Sho' 'nuff, I use 192.168.69/24 (for wires, and 192.168.70/24 for the wireless) - does that make me part of an exclusive group? ;-) ...and I have to admit I've never even read the RFC, I just did it because of experience at a previous employer, trying to set up VPNs to various customers who were using the same range as each other/us!

    8. Re:Choose randomly by Glonoinha · · Score: 0, Troll

      Still not random enough.

      You want real honest to God random numbers, let a woman balance your checkbook.

      --
      Glonoinha the MebiByte Slayer
  21. I usually go for 10.0.x.0 by Fished · · Score: 1

    I usually select a random /24 in the 10.0 range. I've found that things sometimes get weird when using vpn tunnels between networks with identical net numbers (i.e. 192.168.1.x), and I often use pptp tunnels to get access to various networks. By using the 10.0 range, and setting a different subnet number for each network I use, I avoid this problem. There's no reason you couldn't do the same on 172.16.

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
  22. No real difference by blate · · Score: 4, Interesting

    The 192.168 and 10 networks are functionally equivalent except that the 10 network is class A and the 192.168 is class B (i.e. 10 is bigger).

    You will find that many off-the-shelf devices, like NAT/Routers from Linksys, Netgear, etc. use 192.168.x.x by default; some of them don't let you use anything else (I think Linksys locks you in to 192.168, but you can change the lower two octets).

    I personally use a 10.x.x.x network in my test lab at work, because it allows me to choose network addresses that make sense and are somewhat human-readable. If you're setting up a network for a business, it might make sense to use a 10 network just for expandability. Then again, if you need more than 64k addresses, you probably have bigger problems to deal with.

    One thing I like about the 10 networks is that when you see their addresses scream across a packet dump, you can immediately recognize them as "fake" addresses.

    One security/network citizenship point (assuming that your 10 or 192.168 network is behind a NAT connected to the outside world): your firewall/router should NEVER pass packets destined to or accept packets sourced from a fake address range (10/24, 192.168/16, etc.). This can lead to evil attacks, garbage traffic on or out of your network, and a whole host of problems.

    I inadvertently flooded my company's T1 line while running a test because our sysadmins hadn't configured our firewall to block outbound packets destined to a 10 address. A bug in a server I was testing caused it to send data back to the wrong address and our router happily sent the data out over the T1. No major harm was done, but a few people couldn't read their Slashdot until we discovered what the problem was.

    Bottom line: choose what works for you (which may be either address range).
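An added example (not blate's code) of the border rule in the post above: it classifies constructed sample packets at a NAT border so that nothing destined to, or claiming to come from, RFC 1918, link-local or loopback space crosses the outside interface, which is the check that would have caught the T1 incident described. The LAN prefix, the public addresses and the packet list are constructed.

```python
"""Border filter check for RFC 1918 and other non-routable address space."""
import ipaddress
from typing import NamedTuple

# Blocks that have no place on the outside interface: the three RFC 1918
# ranges plus the link-local (169.254/16) and loopback blocks from this thread.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]


class Packet(NamedTuple):
    direction: str  # "in": arriving from the ISP side; "out": leaving towards it
    src: str
    dst: str


def is_non_routable(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def verdict(pkt: Packet, lan: str) -> str:
    """Return "pass" or a "drop: ..." reason for one packet at the border.

    Outbound packets are checked before NAT rewrites their source, inbound
    ones as the ISP delivered them (destination is our public address).
    """
    lan_net = ipaddress.ip_network(lan)
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "in":
        if src in lan_net:
            return "drop: outside packet claims an inside source address"
        if is_non_routable(pkt.src):
            return "drop: non-routable source on the outside interface"
        return "pass"
    if pkt.direction == "out":
        if is_non_routable(pkt.dst):
            return "drop: non-routable destination must not leave the site"
        if src not in lan_net:
            return "drop: outbound source is not from our LAN"
        return "pass"
    raise ValueError(f"unknown direction {pkt.direction!r}")


# Constructed sample traffic for a site using 10.1.0.0/16 inside and
# 203.0.113.5 as its public address; 198.51.100.7 is a remote web server.
SAMPLE = [
    Packet("out", "10.1.2.3", "198.51.100.7"),    # normal web request
    Packet("out", "10.1.2.3", "10.200.0.9"),      # the T1 incident: wrong 10. address
    Packet("in", "10.1.9.9", "203.0.113.5"),      # outsider pretending to be inside
    Packet("in", "192.168.1.1", "203.0.113.5"),   # private source from the Internet
    Packet("in", "198.51.100.7", "203.0.113.5"),  # legitimate reply
    Packet("out", "169.254.3.4", "198.51.100.7"), # APIPA host trying to leave
]


def audit(packets, lan: str = "10.1.0.0/16"):
    """Verdict for each packet, in order; the drops are what a firewall
    log review of the border would be looking for."""
    return [verdict(pkt, lan) for pkt in packets]


if __name__ == "__main__":
    for pkt, v in zip(SAMPLE, audit(SAMPLE)):
        print(f"{pkt.direction:3} {pkt.src:>15} -> {pkt.dst:<15} {v}")
```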

    1. Re:No real difference by stefanlasiewski · · Score: 1

      One security/network citizenship point (assuming that your 10 or 192.168 network is behind a NAT connected to the outside world): your firewall/router should NEVER pass packets destined to or accept packets sourced from a fake address range (10/24, 192.168/16, etc.). This can lead to evil attacks, garbage traffic on or out of your network, and a whole host of problems.

      Speaking of internal address ranges and Linksys, anyone else notice you can see the HTTP (& Sometimes TFTP) ports on your external IP from within.

      So if my ISP gives me the IP of 60.82.111.1 , I can see and connect to 60.82.111.1:80 from my computer on the 192.168/16 network . I can't see it from a computer which is not on 192.168/16 (which is good).

      I'm no networking expert, but it seems to me that internal networks shouldn't be allowed to connect to an external interface. Am I crazy or is this asking to be spoofed?

      --
      "Can of worms? The can is open... the worms are everywhere."
    2. Re:No real difference by blate · · Score: 1

      You can disable the HTTP port by turning off "Remote Management" on many Linksys devices (I use a BEFSR41). I'm not aware of TFTP ever being open on the outside on Linksys, but other boxes may vary.

      And you're right, your firewall isn't going to let in a packet sourced from its inside interface. Well, most of the time. Some of the cheaper boxes, e.g., the older Netgear and D-Link boxes, do allow this routing path. You're correct: This path should not be allowed, as it may allow a mischievous outsider access to your network.

      I'm pretty happy with the security provided by the Linksys NAT's. I've read in a couple places that NAT's don't really give you any security, but I find this to be false. All of the security probes I've run on my system come back with all green lights -- i.e., I'm secure. Does anyone have an explanation why such a configuration wouldn't be secure?

    3. Re:No real difference by MightyTribble · · Score: 1

      192.168 is a class C network. The first three bits of the network address are set. For comparison, the first octet is thus:

      Class A - networks 1 thru 126.
      Class B - networks 128 - 191.
      Class C - networks 192 - 224 ( I think - then there's the class D multicast space).

      It's a minor quibble, I know, but you should know the difference between classes and how to tell which is which, otherwise you may look clueless to someone important. :)

    4. Re:No real difference by blate · · Score: 1

      You are (technically) correct.

      Being a somewhat younger lad, I've gotten used to calling /8 networks class A, /16 networks class B, and so on.

      Kind of ironic, since almost all routing now is classless.

      Anyway, thanks for keeping me on my toes :)

    5. Re:No real difference by Anonymous Coward · · Score: 0

      I don't know if this has been mentioned elsewhere or not, but some cable modem providers (specifically, Cox and Comcast) put their DHCP servers out on 172.16.x.x and 10.x.x.x. I have to allow bootps and bootpc from them or dhclient (or pump) gets confused and releases its IP.

    6. Re:No real difference by wolf- · · Score: 1

      Microsoft pushed 10.x.x.x in its Small Business Server and its proxy server configurations.

      It was terribly ironic when Microsoft made the default "shared internet" settings 192.168.x.x

      A user starts sharing his dialup in an office on XP, and that little DHCP server starts spreading 192s around.

      Another MS flaw, consistency with their flaws..

      --
      ----- LoboSoft specializes in Digital Language Lab
    7. Re:No real difference by stefanlasiewski · · Score: 1

      You can disable the HTTP port by turning off "Remote Management" on many Linksys devices (I use a BEFSR41)

      This is with "Remote Management" set to disabled. That was one of the first things that I've checked.

      your firewall isn't going to let in a packet sourced from its inside interface

      I just double-checked, and from my computer (with the IP of 192.168.1.100), I can connect to port 80 on the Linksys's external IP address (IP is like 63.169.113.0), as well as port 80 on the internal IP address (192.168.1.1).

      Interestingly, the connection doesn't show in the Incoming or Outgoing Log Table.

      I think remote TFTP can be enabled (The "Remote Upgrade" option).

      This is with latest Firmware: 1.44.2z, Dec 13 2002

      --
      "Can of worms? The can is open... the worms are everywhere."
    8. Re:No real difference by sigwinch · · Score: 1
      One security/network citizenship point (assuming that your 10 or 192.168 network is behind a NAT connected to the outside world): your firewall/router should NEVER pass packets destined to or accept packets sourced from a fake address range (10/24, 192.168/16, etc.).
      But I'd make an exception for ICMP and UDP echo replies, so you can ping/traceroute your upstream's internal routers.
      --
      Kuro5hin.org: where the good times never end. ;-)
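
As an added illustration of the ingress and egress rules sigwinch is describing (an editor's example, not the poster's code, and not tied to any particular router), here is a small Python filter evaluated over constructed sample packets. It drops outside packets that claim an inside or RFC 1918 source, drops inside packets that carry a source outside the LAN or a private destination that would leak upstream, and keeps one exception, my reading of the "ICMP ... echo replies" remark: ICMP echo reply, unreachable and time-exceeded messages from private sources are accepted on the outside, and ICMP echo requests to private addresses may leave, so ping and traceroute to an upstream router that sits on private space keep working. The UDP half of that exception is left out. Interface names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are assumptions (documentation ranges, not anyone's real addresses).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 space plus loopback. A border router should never see these as a
# source on its outside interface, nor forward them upstream as a destination.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# ICMP types a ping/traceroute toward the upstream may legitimately get back
# from a router that has a private address: 0 echo reply, 3 unreachable,
# 11 time exceeded. (Assumption: this is the exception the post has in mind.)
ICMP_REPLY_TYPES = {0, 3, 11}
ICMP_ECHO_REQUEST = 8


@dataclass
class Packet:
    iface: str                      # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None


def is_bogon(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in n for n in BOGON_NETS)


def verdict(pkt: Packet, lan: ipaddress.IPv4Network, allow_upstream_icmp: bool = True) -> str:
    """Return 'accept' or 'drop: <reason>' for one packet crossing the border."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == "wan":
        # Ingress anti-spoofing: nobody outside may claim an inside address.
        if src in lan:
            return "drop: outside packet claims an inside source address"
        if is_bogon(pkt.src):
            if allow_upstream_icmp and pkt.proto == "icmp" and pkt.icmp_type in ICMP_REPLY_TYPES:
                return "accept"     # upstream router on private space answering ping/traceroute
            return "drop: private source address on the outside interface"
        return "accept"
    if pkt.iface == "lan":
        # Egress filtering: only our own range may leave, and not toward private space.
        if src not in lan:
            return "drop: inside host using a source address outside our range"
        if is_bogon(pkt.dst) and dst not in lan:
            if allow_upstream_icmp and pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
                return "accept"     # ping toward an upstream router on private space
            return "drop: private destination would leak to the upstream"
        return "accept"
    return "drop: unknown interface"


def run(packets: List[Packet], lan: str = "192.168.1.0/24") -> List[str]:
    net = ipaddress.ip_network(lan)
    return [verdict(p, net) for p in packets]


# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    Packet("wan", "192.168.1.7", "203.0.113.5", "tcp"),        # 0 spoofed inside source from outside
    Packet("wan", "10.200.1.1", "203.0.113.5", "icmp", 11),    # 1 upstream router answering traceroute
    Packet("wan", "10.200.1.1", "203.0.113.5", "udp"),         # 2 private source that is not a reply
    Packet("wan", "198.51.100.9", "203.0.113.5", "tcp"),       # 3 ordinary return traffic
    Packet("lan", "192.168.1.20", "198.51.100.9", "tcp"),      # 4 normal outbound
    Packet("lan", "10.0.0.9", "198.51.100.9", "tcp"),          # 5 inside host with a foreign source
    Packet("lan", "192.168.1.20", "172.16.5.5", "tcp"),        # 6 private destination leaking upstream
    Packet("lan", "192.168.1.20", "10.200.1.1", "icmp", 8),    # 7 ping to the upstream router
]

if __name__ == "__main__":
    for pkt, result in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.iface:>3} {pkt.src:>14} -> {pkt.dst:<14} {pkt.proto:<4} {result}")
```

Real routers express the same policy as interface-bound rules (on Linux, iptables or nftables with the RFC 1918 ranges listed explicitly, or reverse-path filtering for the spoofing half); the point of the toy is to make the direction-dependent logic visible, including the ICMP exception that a blanket "drop all private" rule would break.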

    9. Re:No real difference by blate · · Score: 1

      Hmm... well, that's odd. I'll have to try that on my box when I get home.

      FYI, there's a new firmware out (for BEFSR41), circa June 20-something 2003. Nothing much changed, so far as I can tell.

    10. Re:No real difference by Yaztromo · · Score: 1
      You will find that many off-the-shelf devices, like NAT/Routers from Linksys, Netgear, etc. use 192.168.x.x by default; some of them don't let you use anything else (I think Linksys locks you in to 192.168, but you can change the lower two octets).

      Just FYI, but on my LinkSys BEFSR41 (firmware rev 1.44.2), all four octets are configurable.

      Mind you, with only five hosts at the moment, I haven't bothered to change it out of the 192.168.x.x address space.

      Yaz.

    11. Re:No real difference by mrpuffypants · · Score: 1

      (I think Linksys locks you in to 192.168, but you can change the lower two octets).

      Nope, Linksys routers can be changed all you want. My home network uses 10.10.10.x addressing and it works like a charm.

    12. Re:No real difference by raju1kabir · · Score: 1
      192.168 is a class C network.

      Actually it's 256 class C networks.

      It's a minor quibble, I know, but you should know the difference between classes and how to tell which is which, otherwise you may look clueless to someone important.

      Anyone who's still hung up on classful addressing is too clueless to be important.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    13. Re:No real difference by MightyTribble · · Score: 1

      It was a typo - I should have said "192.168 *means* it's a class C network".

      As for your closing comment ... If someone said to me "192.168.blah.blah is a class A network" that would be wrong, CIDR or not. If someone said that to me cold (i.e. I had no other basis for judging their technical skills), it would cause me to question their fundamental grasp of network knowledge. Just like I question your intellect when you make a sweeping statement like "Anyone who's still hung up on classful addressing is too clueless to be important". That, to me, tells me you're arrogant, rude and not as smart as you think you are. I'm sure you'll go far.

    14. Re:No real difference by raju1kabir · · Score: 1
      That, to me, tells me you're arrogant, rude and not as smart as you think you are. I'm sure you'll go far.

      Ah, but I already have.

      What you haven't learned yet is that arrogance is a lot more important than smarts when it comes to going far. Rudeness, well, you can play that either way.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  23. I use 127.0.0.1 by s88 · · Score: 4, Funny

    It's lightning fast! I always have 0 msec pings!
    I highly recommend you try it.

    1. Re:I use 127.0.0.1 by DrSkwid · · Score: 2, Interesting

      0ms, which OS/NIC is that ?

      64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.043 ms
      64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.053 ms
      64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.044 ms
      64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.061 ms
      64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.052 ms

      I had a situation where someone external to my network got lower pings to the game server sat on the LAN only 100Mbs away. It was NT adding the latency, dropping to 98 sorted it out.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    2. Re:I use 127.0.0.1 by trouser · · Score: 1

      Two systems I'm currently connected to report 0ms. And a whole bunch of others don't.

      AIX 4.3
      64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0 ms

      GNU/Linux x86
      64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.0 ms

      --
      Now wash your hands.
    3. Re:I use 127.0.0.1 by DrSkwid · · Score: 1

      it could be that they can't measure with enough accuracy.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    4. Re:I use 127.0.0.1 by Psiren · · Score: 1

      Surely the NIC doesn't matter, as it's never going to pass through it anyway.

  24. Re:Please realize what RFC 2119 says about MUST by arcadum · · Score: 1

    Was your comment directed at the parent? If not can you point me to the discussion you were mentioning?

  25. Flexibility by DarkRyder · · Score: 1

    I chose to use 10/8 because it gave me the opportunity to pick nifty subnets (kudos to anyone who can guess how I chose these):

    10.30.1/24: DMZ (web, file servers)
    10.50.1/24: Internal (computers owned by either me or my roommate)
    10.60.1/24: Visitors (LAN party!)

    --
    Unless, of course, scissors can't cut rock...
    1. Re:Flexibility by Anonymous Coward · · Score: 0

      You are a major dork for using symmetric decimal for subnets. Real geeks use symmetric binary to hide their handiwork :)
      00001010.00011000.01010000 -> 10.24.80
      00001010.00100100.01010000 -> 10.36.80 ...
      00001010.11011011.01010000 -> 10.219.80
      00001010.11100111.01010000 -> 10.231.80

    2. Re:Flexibility by DarkRyder · · Score: 1

      You're only two-thirds right. Yes, I'm a major dork. Yes, they're palindromes (symmetrical). But they're also prime!

      10301 - Prime palindrome that can be expressed as 101^2 + 101^1 - 101^0
      10501 - Prime palindrome that can be expressed as the sum of three consecutive primes (3491, 3499, and 3511) and is the middle of three consecutive primes which add up to another prime palindrome!
      10601 - Prime palindrome that can be expressed as the sum of three consecutive primes

      They're also all valid US Zip Codes. They correspond, respectively, to Staten Island, Amawalk, and White Plains, all in New York state.

      Gee, I'm such a fun-loving guy. I can't imagine why I don't have a girlfriend...

      --
      Unless, of course, scissors can't cut rock...
  26. e-Smith / Mitel's 192.168.ver.xxx scheme... by Anonymous Coward · · Score: 0


    I don't know if it's been consistently followed, but e-Smith server (now Mitel Networks' SME-server) seemed to use the Subj pattern, e.g.:

    SME Server ver 5.5 used 192.168.55.xxx

    It made putting a new version of the server (e.g., in test mode) feel safer, as one wouldn't have two boxes trying to use one -default- IP address on the same network.

    Of course, one could easily set the new server's IP address - after completing tests - to enable the box to join an existing network.

  27. Off Topic:What if your provider has a private... by arcadum · · Score: 0, Offtopic
    Bahhhh!

    I was set to comment on your three journal entries, and more, but they all have been archived. Anyway, I added you to my friends list, whatever that does...

  28. NAT within NAT by epine · · Score: 2, Interesting


    One detail to bear in mind: sometimes you need to NAT within NAT. You can end up with nested NAT zones. 10.x.x.x does *NOT* NAT well within 10.x.x.x I've had to debug routing table illness for this situation several times.

    My company makes a security product with its own Linux host, and the host operates cameras with a private NAT of its own. In one version, we had the Linux host and cameras behind an 802 network gateway, and the gateway performed NAT. We had the gateway configured to create a 10.x.x.x network address space within the private NAT zone. Then one day I brought the system home and plugged it into my own 10.x.x.x private network.

    Do you think the Linux host inside the 10.x.x.x address space behind the 802 gateway NAT could access my local DNS server at 10.0.0.1 upstream from the 802 gateway? Not a chance.

    For this reason, I tend to use all three zones for different purposes, depending on the size of the zone, and whether I think the zones might someday become nested.

  29. HP-UX 11 + (obsoleted) RFCs + 10.0.0.X = bad news by rklrkl · · Score: 2, Interesting
    Apparently, there are some now-obsoleted RFCs (RFC1878 and/or RFC1122) which don't allow a subnet portion of all ones or all zeros (binary).

    Rather incredibly, HP-UX 11 actually won't let you use a 10.0.0.X address by default because it blindly (and wrongly) follows these ancient RFC specs! If you don't believe me, check out this discussion, which thankfully does indeed have the fixes in the thread (patch PHNE_20633 and a hack to nddconf).

    Yep, we use 10.X.X.X addresses and got bitten by this with our HP-UX boxes :-(

  30. Hi, I'm ignorant. Pleeztameecha! by mstorer3772 · · Score: 2, Insightful

    I get all the mask/subdomain stuff, but what's the / at the end of the IP address mean?

    --
    Fooz Meister
  31. Disabling APIPA by Futurepower(R) · · Score: 3, Informative
  32. Re:Off Topic:What if your provider has a private.. by Anonymous Coward · · Score: 0

    Try here
    (posting anonymously to avoid karma penalty)

  33. Pedantic correction: by Asprin · · Score: 4, Informative


    192.168.0.0/16 doesn't exist.

    It's really a set of 256 (254, really because you aren't supposed to use 0 or 255) /24 networks:
    192.168.1.0/24
    192.168.2.0/24
    192.168.3.0/24
    ...
    192.168.254.0/24

    Now, if you set up your internal routing and gateways correctly, the difference doesn't matter, but TECHNICALLY, since 192 starts with the binary digits '110', it's a class C (/24) network.

    FYI.

    Which (10.0.0.0/8 or 192.168.0.0/24) you use doesn't matter unless you need to connect your network to somebody else's, but a bad decision (or evaluation of capacity) early on can come back to create problems if your network grows beyond the address space you planned for it. GOOD DESIGN IS ESSENTIAL to preventing problems down the road. Usually the # of hosts you need on your network segments drives the decision. Some larger networks will use the /24 blocks for local departmental LANs, and hook them together with /8 block addresses on the internetwork routers, but there are gobs of ways to do it.

    I'd recommend searching Cisco's site for white papers on network design, or maybe googling for TCP/IP tutorials.

    --
    "Lawyers are for sucks."
    - Doug McKenzie
    1. Re:Pedantic correction: by cookd · · Score: 1

      That explains it. I've always wondered why the default netmask was always wrong for my 192.168 network.

      --
      Time flies like an arrow. Fruit flies like a banana.
    2. Re:Pedantic correction: by UnrefinedLayman · · Score: 1

      Here's a question that I've wanted answered for a long time, which I've been unable to get answered adequately:

      What is the difference between a class A, class B and class C address/block?

      I read several answers to this question, one of which was on howstuffworks.com (which I now cannot find), and that one said that it depended on the numbering: anything that began with 1-12(?) was class A, 12-190(?) was class B, and anything above that was class C. Other answers said it depended on how many subnets you have, for example 10.x.x.x would be class A, 128.218.x.x would be class B, and 66.54.12.x would be class C (those are all made up addresses, the numbers had nothing to do with it).

      What's most embarrassing is that it was a question on a post-interview questionnaire (for a job I subsequently got). I still don't know if I got that answer right though. Can someone answer that question authoritatively for me?

    3. Re:Pedantic correction: by Asprin · · Score: 1


      Webopedia TCP/IP Entry
      Sangoma's TCP/IP Routing Tutorial

      In a nutshell, the IP address space was designed so that information about routing was built in to the addresses themselves by dividing it into two parts: a network (n) part and a host (h) part. Since they wanted as much flexibility as possible to assign big networks and little networks with just enough hosts, they broke the address space into classes A,B,C, etc. that could be determined by inspection of value of the first octet.

      To determine the class of the address, you first have to write out the first octet of the address in binary.

      If the first octet starts with 0 binary (meaning the first octet itself is between 0 and 127 decimal), then it is a CLASS A address. The first octet is the network address and the last three octets are taken together to be the host address (n.h.h.h). This means it has a netmask of /8 or 255.0.0.0 and there are 2^24 individual hosts available for addressing and/or subnetting. Note that the loopback 127.0.0.1 and the 10.0.0.0 nets are both class A.

      If the first octet starts with 10 binary (meaning the first octet is between 128 and 191), it's a CLASS B with two octets for the net address and two for the host (n.n.h.h). It has a netmask of /16 or 255.255.0.0 with 2^16 hosts to address or subnet.

      If the first octet starts with 110 binary (meaning it's between 192 and 223 decimal), it's a CLASS C with three octets to specify the network and one for the host (n.n.n.h). These have netmask /24 or 255.255.255.0 with 2^8=256 host addresses.

      Of course, this all goes out the window with CIDR. High-speed dedicated routers brought the realization that the classful blocks were unnecessary and you could just use the subnet mask itself to determine routing. This allowed them to use more flexible rules to arbitrarily divide the address blocks into smaller chunks like /2, /3, /15, etc.

      --
      "Lawyers are for sucks."
      - Doug McKenzie
  34. Re:What if your provider has a private network too by Stephen+Samuel · · Score: 1
    furthermore, DO NOT use 192.168.0.XX....

    I think that it's actually a suggestion of the RFCs that you avoid using networks 0 and 1, and use random numbers instead -- precisely to minimize the probability of address space collisions if you end up merging nets with another entity.

    The one nice thing about 192.168/16 is that it's a class-C block in the old classful address system and so many programs which pay attention to that will give you a /24 netmask and broadcast numbers by default. It's not that much of a bonus, but it sometimes helps for quick & dirty network setups.

    I'd say that if you have a big enough network, then use 10/8 or 172.16/12 otherwise, if you're like my home network (6 machines on 2 subnets(!)), 192.168/16 is far more than enough.
    In terms of collision avoidance, though, I'd have to agree that I've almost never seen someone using 172.16/12 in a production environment. I sometimes wonder just how many people even know that it exists.

    --
    Free Software: Like love, it grows best when given away.
  35. Neither by anthony_dipierro · · Score: 3, Insightful

    Use IPv6 for your internal network.

    1. Re:Neither by linzeal · · Score: 1

      Does this have any security advantages if you only use ipv6 stacks in your machines behind a nat firewall/router setup?

    2. Re:Neither by anthony_dipierro · · Score: 0

      No.

    3. Re:Neither by digitalsushi · · Score: 1

      Yes. It implies you were smart enough to get ipv6 running in mid 2003, presumably indicating you are educated enough to secure the rest of your ipv4 network. :D

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    4. Re:Neither by anthony_dipierro · · Score: 1

      Yes, there is a correlation, but that is not an advantage, it is merely coincidence.

    5. Re:Neither by mike9010 · · Score: 1

      Actually, I have been using IPv6 on my computer for awhile, and I got my /48 block from freenet6, and will do that too, but I still need something for IPv4. And besides, IPv4 numbers are easier to remember than IPv6

      --
      ---Baseball is not right, a man can not walk with four balls. mike9010
  36. Re:Hi, I'm ignorant. Pleeztameecha! by Nasarius · · Score: 1

    It's called a bitmask. That's how many bits are static. 8 bits per byte...

    --
    LOAD "SIG",8,1
  37. Re:Hi, I'm ignorant. Pleeztameecha! by Medieval_Gnome · · Score: 5, Informative

    It is a method of indicating how many bits in the address are part of the 'network' number, as opposed to the 'host' number. For example:

    In 10.0.0.0/8 that means there are 8 bits that identify the network (10.x.x.x) and 24 bits (IP addresses are 32 bits, 8 bits are already used for network; 32-8=24) for the machine number (the x.15.53.45)

    So now, for '192.168.0.0/16'. The 192.168 part is the network part, and the '/16' means the last 16 bits are used for hosts. When the slash-number is larger, that means the person with that IP range has less IPs. /24 means the user has 254 hosts at their disposal, while a /8 means over 16 million.

    I really hope this helps, sorry I'm not the greatest at explaining things.

    --

    :wq

  38. Re:Hi, I'm ignorant. Pleeztameecha! by shfted! · · Score: 3, Informative

    It's to separate the bitmask. An IPv4 address is 32 bits long, in big endian order (biggest value goes first, like our decimal system). The /XX is simply an abbreviated way of writing a subnet that starts with n 1's and ends with 32-n 0's. For instance, 10.0.0.0/8 means the 10.x.x.x network with a subnet mask of 255.0.0.0. 192.168.0.0/16 means the 192.168.x.x network with a subnet mask of 255.255.0.0. 192.168.123.128/26 means the 192.168.123.[128 to 192] network, with a subnet mask of 255.255.255.64.

    Almost always, if written in binary, subnets will look like a bunch of ones, then a bunch of zeros. Sometimes, it's convenient to have a subnet that does *NOT* designate a contiguous network segment. For instance, you might have 192.168.2.[64 to 127] and 192.168.3.[64 to 95]. In this case, this is a network 192.168.[2-3].[64-95] with a subnet mask of 255.255.253.32 (which can't be represented in the / form). Don't try this though, as certain buggy OS's might get confused.

    --
    He who laughs last is stuck in a time dilation bubble.
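
A worked version of the slash notation the three replies above explain, added here as an editor's example rather than code from any of the posters. It does the bit arithmetic by hand (mask from prefix length, network and broadcast address, usable host count, the pre-CIDR class from the leading bits of the first octet, and how many old class-C blocks a /16 spans) and then cross-checks itself against Python's standard ipaddress module. A mask that is not a run of ones followed by a run of zeros is rejected because it has no /n spelling; the contiguous mask for a /26 is 255.255.255.192. The sample blocks are the ones from the thread.

```python
import ipaddress  # standard library, used only to cross-check the hand-rolled arithmetic


def ip_to_int(dotted: str) -> int:
    """Pack a dotted quad into a 32-bit integer, most significant octet first."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/n is n one bits followed by 32-n zero bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def is_contiguous_mask(mask: str) -> bool:
    """True only for masks of the form 1...10...0, the ones that have a /n spelling."""
    m = ip_to_int(mask)
    return m == prefix_to_mask(bin(m).count("1"))


def mask_to_prefix(mask: str) -> int:
    if not is_contiguous_mask(mask):
        raise ValueError(f"{mask} is not contiguous and cannot be written as /n")
    return bin(ip_to_int(mask)).count("1")


def classful_class(addr: str) -> str:
    """Class from the leading bits of the first octet (the pre-CIDR rule)."""
    first = ip_to_int(addr) >> 24
    if first & 0b10000000 == 0:             # 0xxxxxxx: 0-127
        return "A"
    if first & 0b11000000 == 0b10000000:    # 10xxxxxx: 128-191
        return "B"
    if first & 0b11100000 == 0b11000000:    # 110xxxxx: 192-223
        return "C"
    if first & 0b11110000 == 0b11100000:    # 1110xxxx: 224-239, multicast
        return "D"
    return "E"                              # 1111xxxx: 240-255, reserved


def describe(cidr: str) -> dict:
    """Network, broadcast, mask, host count and the classful view of a CIDR block."""
    addr, _, plen = cidr.partition("/")
    prefix = int(plen)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask             # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits set
    size = 1 << (32 - prefix)
    usable = size - 2 if prefix <= 30 else size  # /31 and /32 keep every address
    klass = classful_class(addr)
    classful_len = {"A": 8, "B": 16, "C": 24}.get(klass)
    # Number of old-style class networks the block spans, e.g. 192.168/16 = 256 class Cs.
    spans = (1 << (classful_len - prefix)) if classful_len and classful_len >= prefix else None
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "mask": int_to_ip(mask),
        "usable_hosts": usable,
        "class": klass,
        "classful_networks": spans,
    }


def matches_stdlib(cidr: str) -> bool:
    """Cross-check against ipaddress (strict=False tolerates set host bits)."""
    d = describe(cidr)
    n = ipaddress.ip_network(cidr, strict=False)
    return (d["network"], d["broadcast"], d["mask"]) == (
        str(n.network_address), str(n.broadcast_address), str(n.netmask))


if __name__ == "__main__":
    for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.168.123.128/26"):
        print(block, describe(block), "stdlib agrees:", matches_stdlib(block))
```

The "classful_networks" field is the bridge between the two vocabularies in this thread: 10.0.0.0/8 is one class A, 172.16.0.0/12 spans 16 class Bs, and 192.168.0.0/16 spans 256 class Cs, which is why older software hands out a /24 default mask inside 192.168 while CIDR-aware code is happy with the /16.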
  39. Re:What if your provider has a private network too by crapulent · · Score: 0, Troll

    Uhh, the whole point of NAT is that the numbering scheme you use inside your private network is completely shielded from other networks. If you use 10.0.0.0/8 for your own small LAN that's behind a NAT gateway it won't matter one squat what numbering scheme is used anywhere else, since the gateway -translates- between them, hence "network address translation."

  40. CIDR! by tachyonflow · · Score: 5, Informative
    Welcome to the world of classless routing!

    192.168.0.0/16 certainly does exist. The first three bits has not dictated the netmask for years. See RFC1817 for more information on this. Here's a relevant excerpt (emphasis added):

    Classless Inter-Domain Routing (CIDR) ([RFC1518], [RFC1519]) is deployed in the Internet as the primary mechanism to improve scaling property of the Internet routing system. Essential to CIDR is the generalization of the concept of variable length subnet masks (VLSM) and the elimination of classes of network numbers (A, B, and C). The interior (intra-domain) routing protocols that support CIDR are OSPF, RIP II, Integrated IS-IS, and E-IGRP. The exterior (inter-domain) routing protocol that supports CIDR is BGP-4. Protocols like RIP, BGP-3, EGP, and IGRP do not support CIDR.
    1. Re:CIDR! by Asprin · · Score: 1

      /corrected.

      --
      "Lawyers are for sucks."
      - Doug McKenzie
  41. I use several ranges... by fok · · Score: 1

    172.22.0.0/24 where I work;
    172.22.0.0/16 and 172.16.0.0/16 in one of the clients;
    192.168.200.0/24 at home;
    192.168.0.0/24 on another client;
    10.1.0.0/16 where I study and work;
    10.1.1.0/24 on lan games;


    --
    \m/
  42. That's great in theory by Curien · · Score: 1

    Your home network is 192.168.0.0/24. Your work network uses the same address space. From your home computer, you VPN into your work network. Now, try to copy a file from your fileserver at home to your fileserver at work.

    Yeah, NAT sure does work great, doesn't it!

    --
    It's always a long day... 86400 doesn't fit into a short.
    1. Re:That's great in theory by afidel · · Score: 0, Insightful

      The VPN solution should give you a NAT'd VPN address. For instance when I VPN into work I get a 10.X address. I have a 192.168 internal address and a real routable IP address from my ISP. The only one that matters for transfers is the VPN address of 10.X

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:That's great in theory by Curien · · Score: 1

      Read my comment again. What do you do if your VPN address and your local address are in the same address space?

      --
      It's always a long day... 86400 doesn't fit into a short.
    3. Re:That's great in theory by beswicks · · Score: 1

      This is REALLY not insightful, how is it possible to connect from my computer 192.168.2.1 to a computer on another network with 192.168.2.1 as its ip? how does anything understand what is going on? It cannot, NAT can map a network to an IP address in a different range, but it cannot magically MERGE two networks with the same range.

      Just because you know what you want to do doesn't mean the computer does.

    4. Re:That's great in theory by beswicks · · Score: 1

      Actually I'm sure you could merge two IP ranges by mapping the addresses individually but that isn't what I'm talking about.

  43. TMTOWTDI by krangomatik · · Score: 1

    If you are talking about a 'large-ish' local network then splitting 10/8 into smaller blocks looks pretty good on paper. You can split it into /16s and delegate those to departmental level net admins who will then divide them into /24s for individual VLANs. It helps if you do a big plan upfront. This way if let's say you know that HR, accounting, and marketing are restricted to one site you can assign them a glob of /16s that you can summarize on the routers to keep the routing tables nice and small. You can also assign ranges to classes of machines. For example if you knew that all your 'all company' web servers lived in the 10.10.10/24 range and the Citrix farm that fronts for your HR system lived in the 10.10.11/24 range and you had a subnet with users that just needed access to the HR system and the 'all company' web servers you could write a quick ACL to permit http and https to 10.10.10/24 and ica to 10.10.11/24. This is a lot easier than consulting your IP database and looking up the IPs of all the web servers and all the HR Citrix boxen and crafting a nasty long ACL.
    Now, if you're just talking about your home LAN it prolly doesn't matter what you use. If you're planning on VPNing into your work network life will be easier if you pick a range that doesn't overlap with any of the RFC1918 addys they use.
    As for the people who are suggesting that if you have a large network you need to pick ranges that don't overlap with networks you plan to interface with, I wouldn't worry too much. Most companies that interface with other networks on a regular basis have ranges of 'legit' IPs that they use for extranet connections. Or they're used to playing the firewall NAT game. Doing the "network to firewall/NAT to outside agency firewall/NAT to outside agency network" thing usually isn't that bad. People get good at it after a while. Once you've done a few it'll be just another annoyance. :P
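
The collision Curien describes (home and work both on 192.168.0.0/24, so the VPN cannot tell the two file servers apart) and krangomatik's advice to pick a range that does not overlap the RFC 1918 space at the far end can both be checked mechanically before the tunnel goes up. The Python below is an added example, not code from either poster; the address ranges fed to it are constructed. It reports the overlapping pairs between two address plans and picks free /24s out of 172.16.0.0/12, the block several people in the thread say they almost never see in use.

```python
import ipaddress
from typing import Iterable, List, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def nets(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # strict=False accepts "192.168.1.5/24" and normalises it to 192.168.1.0/24
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def is_rfc1918(prefix: str) -> bool:
    """True if the whole block lies inside one of the three private ranges."""
    n = ipaddress.ip_network(prefix, strict=False)
    return any(n.subnet_of(r) for r in RFC1918)


def find_overlaps(local: Iterable[str], remote: Iterable[str]) -> List[Tuple[str, str]]:
    """Every (local, remote) pair that shares addresses. One hit means a host
    behind the VPN can carry the same address as one on your own LAN, and a
    routing table has no way to distinguish them."""
    return [(str(a), str(b)) for a in nets(local) for b in nets(remote) if a.overlaps(b)]


def pick_free_subnets(in_use: Iterable[str], pool: str = "172.16.0.0/12",
                      prefix: int = 24, count: int = 1) -> List[str]:
    """First `count` /prefix blocks of `pool` that touch nothing already in use,
    on either side of the tunnel. Feed it both plans and you get a range you
    can renumber your home LAN into without a collision."""
    used = nets(in_use)
    chosen: List[str] = []
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(u) for u in used):
            chosen.append(str(cand))
            if len(chosen) == count:
                break
    return chosen


if __name__ == "__main__":
    # Constructed plans: Curien's situation, plus a second work subnet.
    home = ["192.168.0.0/24"]
    work = ["192.168.0.0/24", "10.10.0.0/16"]
    print("overlaps:", find_overlaps(home, work))
    print("renumber home into:", pick_free_subnets(home + work))
```

Checking `is_rfc1918` on the far side's ranges is also worth doing: if the remote end hands out addresses outside private space (as the Permission+Denied mix-up of 192.16.42.0/21 for 172.16.42.0/21 further down shows can happen by accident), the overlap is with someone else's public allocation rather than with your LAN, and the symptom is that a real Internet host becomes unreachable.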

  44. It's the police! by Anonymous Coward · · Score: 0

    We've traced the troll, and... it's coming from inside Slashdot! Get out of Slashdot now!

  45. paper or plastic? by josepha48 · · Score: 2, Interesting
    It seems to me that this is kinda the same thing. 192.168/16 is actually a lot of address space, unless you are a really big company. One thing you could do is implement an IPv6 network and then do an IPv6 to 4 NAT to access the internet.

    Alternately, NAT allows a NATted IP address to be NATted again and again. So you could set up a 192.168.1.x network, then each 192.168.1 consists of 192.168.0.x networks. That should give you about 255 * 255 or 65025 IP addresses to play with. It would be interesting to know if it worked and you have a 192.168.0.1 address that gets NATted to 192.168.1.1 and gets NATted again then to your public IP address.

    I think the 10's give more addresses without double natting so it depends on how much you expect your network to grow.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

    1. Re:paper or plastic? by ratboy666 · · Score: 1

      The "NAT" feature can't give you more machines than there are port numbers. So, 64K machines is maximum for NAT.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
  46. Re:What if your provider has a private network too by pruneau · · Score: 1
    I concur: for example, my ISP DHCP server uses an address in the 10.x.x.x range, even though I'm getting a real internet-routable IP. Remember that DHCP just requires layer two connectivity, plus maybe some collaboration from the local router (a.k.a. gateway).

    This probably presents the advantage of:

    • Preventing waste of relatively precious IP space.
    • Protecting the DHCP server from the internet, since packets outside my ISP network will not be routed to it.
    just my .3.5.168.192 cents.
    --
    [Pruneau /\o^O/\ warranty void if this .sig is removed]
  47. I use... by Permission+Denied · · Score: 1
    For my home network, I use 192.16.42.0/21.

    Why?

    1. I take great amusement out of telling this to people. That network and netmask defines exactly what's permissible on my home network, so only the two /24s defined by the above will work with my NAT box. This confuses a great many people.
    2. It should be obvious why I chose The Number 42.
    1. Re:I use... by legend · · Score: 2, Informative

      Hopefully you don't try to access Los Alamos hosted Web Sites. http://ws.arin.net/cgi-bin/whois.pl?queryinput=192.16.42.0

      --
      If you can't figure out my address, just drop me an e-mail and I will explain.
    2. Re:I use... by Permission+Denied · · Score: 1

      Bah, that was supposed to be 172.16.42.0/21. Eh, no sleep.

  48. Re:Please realize what RFC 2119 says about MUST by MerlynEmrys67 · · Score: 1

    Yes, click the link in his sig... talking about how IE is not a Web Browser... He significantly misquotes an RFC

    --
    I have mod points and I am not afraid to use them
  49. There can only be one! by Anonymous Coward · · Score: 5, Funny
    I use a /24 chunk of 172.16.0.0/12, because it's a chunk that is easy for me to remember -- it maps to my birth date.

    On the 17th day of February, in the year of our Lord 1600, I was born a highlander. I am Colin McLeod of Clan McLeod and I cannot die.

    1. Re:There can only be one! by bofkentucky · · Score: 0, Offtopic

      Hey, me and Connor McCeod share a birthday, cool beans.

      --
      09f911029d74e35bd84156c5635688c0
    2. Re:There can only be one! by Echnin · · Score: 1
      Funny. I was told I looked like Colin McLeod. I use a 10.x.x.x network, though.

      Router: 10.0.0.1
      Me: 10.0.0.2
      Mother's PowerBook: 10.0.0.49
      Father's PowerBook: 10.0.0.50
      A friend when we're having a LAN: 10.0.0.3
      Friend 2: 10.0.0.4
      Friend 3: 10.0.0.5.

      Er. Exciting, isn't it? Guess I better turn off the karma bonus.

      --
      Lalala
    3. Re:There can only be one! by DrZaius · · Score: 1

      Congratulations on the LAN! Is it a boy or a girl?

      --
      -- DrZaius - Minister of Sciences and Protector of the Faith
    4. Re:There can only be one! by Glonoinha · · Score: 2, Funny

      >Friend 2: 10.0.0.4
      >Friend 3: 10.0.0.5.

      Three friends? Who are you and what have you done with the real Echnin?

      --
      Glonoinha the MebiByte Slayer
    5. Re:There can only be one! by Wolfrider · · Score: 1

      ...And they call 3 friends, and so on, and so on...

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    6. Re:There can only be one! by Anonymous Coward · · Score: 0

      No, it goes like this:

      "I am Conner MacLeod of the Clan MacLeod. I was born in 1518 in the village of Glenfinnan on the shores of Loch Sheol. And I am immortal."

      Can't stand people who don't get classic quotes right.

  50. Sometimes in firmware by bluGill · · Score: 1

    I've had to work with some firmware where an IP address in the 10.x.x.x range was burned into firmware for the out-of-band port. (That is, an Ethernet port intended only for use with a crossover cable direct to a laptop for techs to debug with.) Using that device on a 10.x.x.x network didn't always work. We did burn firmware for large customers who used the 10.x.x.x networks, but we didn't like it.

  51. Microsoft and VPN by ka9dgx · · Score: 1
    I had to install a firewall because of the continuing problems with the RPC Open Door issues with Windows Servers. I found to my horror that the Microsoft VPN client in Win98, etc. totally ignores the subnet mask you give it, and decides to use a /8 subnet mask for the VPN route, and there's no way around it.

    The only sane way out of this (aside from looking at the Windows VPN Client Source and posting a patch to the group... oh.... yeah, not open source)... is to use the ONLY available /8 address out there for a VPN server... 10.0.0.x/8.

    It's only caused one conflict, but it's far safer than the original instance, in which the VPN clients suddenly thought the entire 66.x.y.z address space was on our wire. This caused no end of problems and complaints because the users then couldn't make use of their ISP's 66.?.?.? services. Think about this: it shuts off 1/2% of the internet at random.

    --Mike--

  52. A completely pointless question by fm6 · · Score: 1
    I like 192.168 and use it on my home network...
    OK, I have to know: what is so appealing about 192.168.*.*? Is 10.*.*.* just too minimalistic for you?
    1. Re:A completely pointless question by MattCohn.com · · Score: 1

      Entering all those zeros in a row... it just throws me. Many times I'll enter "10.0.0.0." when I just meant to enter "10.0.0.". You know the drill. Those fingers get started and they just don't stop. "192.168.0." is easy to enter too, but doesn't suffer from the repetition problem.

    2. Re:A completely pointless question by Bombcar · · Score: 4, Funny

      You probably have a hard time spelling banana or Mississippi, don't you? :)

    3. Re:A completely pointless question by fm6 · · Score: 1
      I'll enter "10.0.0.0." when I just meant to enter "10.0.0.". You know the drill.
      Well no, I don't. My mistakes tend to be more, well, cerebral. Like entering "168.192" or "129.186". That's why I like network 10. There's a ten in front? There's a 0.0 in the middle? Is the sequence number at the end correct? Then I got it right!

      You've probably figured it out by now: I'm not an IT person.

    4. Re:A completely pointless question by bhtooefr · · Score: 1

      My school network uses 10.0.0.* for their network. We're currently up to 90 (well, I took 255 for my box when I brought it in), but many of those aren't actually used. We hand-assign IPs.

    5. Re:A completely pointless question by Mr+Z · · Score: 1

      Using the broadcast address for your machine? Cute. I'm sure the network administrators love you.

      --Joe
    6. Re:A completely pointless question by bhtooefr · · Score: 1

      OK, so I'm a hopeless BOFH. It's not like any of the admins were within 50 miles of the building at the time, it was temporary, and I didn't know that using .255 was a very bad idea. It worked, though...

    7. Re:A completely pointless question by fm6 · · Score: 1

      Well, his network might be set up so that 0 is the broadcast address. Anyway, I'd bet there aren't any network administrators, as such. Doesn't sound like a network under central control. For one thing, an administrator would have set up a DHCP server, rather than letting people pick their own IP addresses.

    8. Re:A completely pointless question by Wolfrider · · Score: 1

      ( sniff ) Hmm, smells like bhtooefr took a tcpdump! ;-)

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    9. Re:A completely pointless question by raju1kabir · · Score: 1
      Well, his network might be set up so that 0 is the broadcast address

      An IP ending in 0 (or any even number) can't be a broadcast address.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    10. Re:A completely pointless question by Anonymous Coward · · Score: 0

      Yes, an thu wurd Potatows two...

      Yures Truely,

      Dan Kwale

    11. Re:A completely pointless question by raju1kabir · · Score: 1
      Using the broadcast address for your machine? Cute. I'm sure the network administrators love you.

      There's no particular reason why 10.0.0.255 should have to be a broadcast address.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    12. Re:A completely pointless question by Mr+Z · · Score: 1

      If the network is 10.0.0.0/24, as the original post implied, then yes there is. If it has some other netmask smaller than /24, then no. (If the netmask is larger than /24, then his address is still a broadcast address on that particular network.)

      --Joe
    13. Re:A completely pointless question by raju1kabir · · Score: 1

      Fair enough. I missed that context ("10.0.0.*").

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    14. Re:A completely pointless question by fm6 · · Score: 1

      http://osr5doc.ca.caldera.com:457/NetConfigG/configparamsC.broadcast_address.html

    15. Re:A completely pointless question by raju1kabir · · Score: 1

      Okay, fine, a broadcast address can't end in zero unless you are using extremely obsolete software.

      In which case, I guess you can either upgrade or - check the URL - spend your time suing people who have developed more modern software.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    16. Re:A completely pointless question by fm6 · · Score: 1

      No, I'd rather make my living suing people who post redundant crap on slashdot.

    17. Re:A completely pointless question by raju1kabir · · Score: 1
      No, I'd rather make my living suing people who post redundant crap on slashdot.

      Sounds like fun. How are the hours? Full bennies?

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    18. Re:A completely pointless question by fm6 · · Score: 1

      Strictly freelance. But very lucrative, because there are so many idiots who just have to keep trying to get in the last word, long after they've run out of actual things to say.

  53. Newbie Alert by jjwahl · · Score: 1

    10.x.x.x/24.

    I've inherited a couple of networks like that and when other IT types like consultants, etc... and I start discussing addressing detail I feel compelled to tell them that *I* didn't choose the 10.x.x.x/24 - I inherited it.
    I promise!!
    Does this mean I'm insecure????

    Sigh.

    --

    You need people like me so you can point your fucking fingers, and say "that's the bad guy."
  54. Large mixed example... by Vrallis · · Score: 1

    I work for a large unnamed company with a very large WAN (both private frame relay and software VPN tunnels over the internet), with VPN connections to outside companies.

    Cisco-trained people, who have IP conservation drilled into their heads early on, almost drop dead at our lack of conservation. When I designed all this mess, I was trying to keep addresses 'logical'... as stated above, using department numbers and the like to help out the others on our staff that aren't the least bit network-savvy.

    Internally, we use 10/8. We use a large /16 for our central office LAN, with the third octet used to distinguish between groups. 10.10.1 and 10.10.2 are our primary central servers and computer room equipment, and most of the rest are by department.

    For our WAN, I used layered steppings. 10.220 between routers, 10.120 between routers and a back-office server in each location, and 10.20 for a back-office network handled by that server. The third octet here is our store number. All of these are /24s.

    We connect with our software vendor, who runs an ASP for some of our customer stores. They use a 172.16/12. I worked out a similar 'layering' method for the remote systems there as well.

    The only conflict we've come up with is another company we need to connect to also uses 10/8 for their network. We had to use a pair of Cisco VPN concentrators to do the double-translation to set up a tunnel between us. Fortunately, we only need access to a single system on their side, so it's not a major point.

    DHCP isn't used at all in our organization. Once upon a time, someone higher-up was convinced (somehow??) that DHCP was inherently completely insecure, and we were just begging for trouble by using it. We aren't wireless, we're 100% hard-wired. The only issue is that the firewall I run is set up to allow internet access only for specified addresses. DHCP is simply a matter of maintenance, so I'm going to push it on, now that this misunderstanding has been corrected.

    Also, we use the 192.168/16 block for people's home networks that connect via a VPN connection. There are only a couple of us, so this isn't much of an issue.

  55. 10.0.0.0 is faster to type by scrimmer · · Score: 1

    I use the 10.0.0.0 network on all my machines from home. I tend to keep the numlock turned on, and I can type, for example, the IP address 10.0.0.42 on my keypad much faster than, say, 192.168.0.42.

    1. Re:10.0.0.0 is faster to type by raju1kabir · · Score: 1

      Wouldn't it be faster still in the long run to set up a local name server and give your machines short names?

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  56. Re:What if your provider has a private network too by Yottabyte84 · · Score: 1

    The Davis Joint Unified School District uses it on their WAN (12 schools, and 15 T1s) (or is it a MAN?)

    They use 172.26.0.0/16

    I have a big map of all their Windows hosts and drive shares from 2002 sitting on my laptop. :-)

  57. Re:Please realize what RFC 2119 says about MUST by darkonc · · Score: 1

    I think that what he's talking about is that IE seems to always try to guess the type of a file by its extension, but it is only allowed to do that if there's no explicit content type. This makes IE broken (shock, shock), but I wouldn't say that makes it into 'not a browser'.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  58. Re:Please realize what RFC 2119 says about MUST by darkonc · · Score: 1

    On second thought, the most appropriate place to respond to this web browser comment would have been on his journal page -- not an unrelated article.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  59. use 24/8 by smoon · · Score: 1

    This will 'black hole' all of the crap that you get from @home and roadrunner zombie worms. Unless of course you're on one of these networks...

    A good scheme for the 10 network is to split it into class B's for large locations and class C's for smaller locations as such:

    10.X.
    where X is the location number: 1 for New York, 2 for LA, 3 for Hamburg, etc.
    10.1.Y
    where Y is 0 for routers/network devices, 1 for servers, 2 for remote access, 3 for static addresses, and 4-10 for DHCP addresses. 11-254 (255) are reserved for future use.

    Then use 192.168 addresses for individually firewalled segments within the 10.x structure, and 172 addresses for data center stuff like mainframes, backup boxes, secret gigabit backbone links, etc.

    Of course this all gets kind of complicated especially for a small home network with less than a dozen active devices, so you can pop over to arin and find a netblock that isn't assigned or in use and then have a 'designer' internal network number. Works great until some major provider gets the netblock... What the heck -- you're behind a NAT box right? 1.2.3.X here we come!

    --
    "But actually trying to use m4 as a general-purpose language would be deeply perverse" --ESR
  60. 10.x.x.x reserved for cable? by zakezuke · · Score: 0

    It's too late at night for me to actually look it up. For some odd reason, I thought 10.x.x.x got reassigned to cable providers but seems to be exclusively used on their routers.

    Personally, I use 10.x.x.x simply because it's fewer keystrokes when I want to ping something.

    However, your actual choice should be based on your needs. For example, many items such as network modems have an IP address assigned to them, and it's nice to be in their range so you can check up on them.

    As long as you choose something and document it, it's cool.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  61. Yes, mod as flamebait, but it's true. by Outland+Traveller · · Score: 2, Informative
    The correct answer to this question is RTFM. If you have to ask this question, you're not competent to plan out a large network.

    1. Re:Yes, mod as flamebait, but it's true. by Packets · · Score: 1

      The correct answer to this question is RTFM. If you have to ask this question, you're not competent to plan out a large network.

      I disagree. This question has been one that's plagued me for a long time.

      I don't see any reason to use anything other than 10.0.0.0/8 in my home situation, but I go to LANs and other people's networks that use 192.168.0.0/24 or /16 (or, ignorantly, a mixture on a single network).

      The only place I can track down the 'standard' usage of 192.168.0.0 in home networks is actually to tutorials on how to set up a home network. The 'WinGate' manual was a culprit here, amongst many others. It's crazy but it seems to be true. Any other comments about why some people only know about 192.168.x and not 10.x? I'm at a loss.

      Thing is, 192.168.0.0/24 is de facto, and 10.0.0.0 is sensible, but less used. That's why the question was asked. He was confused by the way that on one hand you have something sensible, and on the other hand you've got something that everybody does. He was trying to find out if there was a bona fide reason.

      Others have mentioned that if you're NATing within NAT it's good to not use the same net address. If you're NATing to a network that's 10.0.0.0/8, use 192.168 or that 172.x one.

      --
      A little overkill never hurt anybody.
    2. Re:Yes, mod as flamebait, but it's true. by Outland+Traveller · · Score: 1

      This all comes down to using the simplest solution that does the job.

      192.168.1/24 is great for home setups (192.168.0/24 is broken for some really ancient TCP/IP stacks). The elegance of a simple class C subnet can't be beat.

      172.16/16 subnets are the next size up on the private IP scale.

      10/8 subnets are larger still.

      Sure.. you *could* go right for the 10/8 even though you have only three computers, a router, and a network printer. You could also install "Windows 2000 Advanced Enterprise Server" for your 1CPU desktop system. You could also pop in a Redhat CD and choose "install everything".

      If you're a professional, you want to place limits on everything you do related to computers, because as soon as your back is turned entropy takes over. The fewer variables at play, the easier it is to properly troubleshoot issues. "Use the minimum amount necessary" is not just good security advice.

      Obviously you want to give yourself some room to grow, but part of planning for growth is reserving the big blocks (10/8) for situations where they are truly needed (for example, VPNs to hundreds of branch offices and partner companies).

    3. Re:Yes, mod as flamebait, but it's true. by Miniluv · · Score: 1

      It's simple. IP address conservation should be a habit. Always pick the smallest usable subnet. Obviously that needs to take into account growth, but if you think your home network is going to run out of addresses on 192.168.0.0/16 then you should sober up before implementing.

  62. Moo by Chacham · · Score: 1
    Perhaps the answer is in the RFC that defines it? RFC 1918 states (Section 5):
    If a suitable subnetting scheme can be designed and is supported by the equipment concerned, it is advisable to use the 24-bit block (class A network) of private address space and make an addressing plan with a good growth path. If subnetting is a problem, the 16-bit block (class C networks), or the 20-bit block (class B networks) of private address space can be used.
    So, the answer is to use Class A when you design it, unless subnetting might cause issues.

    On another note: routers seem to default to Class C, and might not be changeable. Windows defaults to Class B, but is very changeable. Class C, however, is by far the most common. So, for compatibility in a small company, I'd use Class C, and switch to Class A (and make a good plan) when you start to have decent networks in more than one location.
  63. IPV6 by Anonymous Coward · · Score: 0

    Don't be a poofter. Use IPV6.

  64. You are not limited if you are using NAT by macemoneta · · Score: 1

    It doesn't matter what address you use on your internal network, so long as you use NAT. You can pick ANY valid IP address; anyone you connect to will only see the external address, not the internal network address range.

    Every company in the world could use the same internal address range, and return all their privately held addresses. They only need:

    (number of externally visible servers / 65535)

    Internet visible addresses. For most every company in the world, that's just one address.

    Many companies (especially the larger, older ones) use "real" addresses internally, for historical reasons. Many have also switched to DHCP, which would make giving up those addresses easier. Why does the printer in the corner that is only accessible to the local net need a unique Internet address?

    Unfortunately, IP addresses are like spectrum; once a company has them, it's a corporate resource. The idea of giving them up (without compensation) is insane.

    --

    Can You Say Linux? I Knew That You Could.

  65. Badly allocated Private IP space headaches by bofus · · Score: 2, Interesting

    Management of your IP space is extremely important, if you are working in an environment that has more than a few sites/divisions/business units, etc. There is a lot of good information available about IP network design. Overall, the guiding principle is this:

    Reasonably estimate how many hosts will ever exist on a subnet, and use the RFC1918 netblock size that will best handle the hosts, and predicted expansion.

    For example, don't use 10.0.0.0/8 for your local LAN if you only have 20 machines. Decisions like this will come back to haunt you, especially if your organization starts developing a need to have routed links to vendors/remote sites/etc.

    With CIDR you can easily slice and dice your IP subnets allocations into correctly sized networks for the intended purpose. In very large enterprises, I've used 172.16/12 blocks broken down into /24s (or larger) for campus or business units, and 192.168.x.x /25-31 blocks for WAN links, point to point, etc.

    10/8 is something we stay away from, due to so many bad vendor documents that suggest that 10/8 is the preferred way to configure everything. A good example is MS Windows server clustering. Following the MS config documentation "to the letter" will result in the cluster blackholing 10/8. The documentation that accompanies this product instructs the user to configure the "cluster heartbeat" network connection (generally 2 hosts) using 10.0.0.0 with a Class A subnet mask. This means that the clustered servers will *never* be able to talk to any other host using a 10-net address. Digging a little further into the maze of MS documentation one will find articles on proper IP address allocation for heartbeat connections, but the MCSE Rocket Scientists that I deal with apparently didn't read past page 1. They decided that because the heartbeat was a "private" network they could just go ahead and allocate any IP range, and it would not affect the server's ability to communicate. DOH!

    Anyway, in general, if you concentrate on efficiently allocating your private IP space you will have far fewer headaches in the future. I've heard plenty of stories about people having to re-engineer idiotically designed 10/8 networks, but I can't ever recall hearing someone complain about how hard it is to fix a routed 192.168/24 network.

    1. Re:Badly allocated Private IP space headaches by Anonymous Coward · · Score: 0

      I kinda doubt you've used /31 netmasks for anything (at least anything that has actually WORKED). A /30 network, which allots for exactly 2 hosts, is commonly used for WAN links. A /31 network simply can't be a network by definition.

    2. Re:Badly allocated Private IP space headaches by bofus · · Score: 1

      I wasn't going to reply to this, I hoped someone else would. In the interest of correctness, it's important to point out that AC's post claiming that a /31 is not a network is somewhat misleading, if not outright incorrect.

      Any networking device that supports RFC3021 can be configured to use a /31 network mask. /31 networks are generally used for point-to-point WAN links.

      http://www.ietf.org/rfc/rfc3021.txt

  66. 1.0.0.0/8 by Anonymous Coward · · Score: 0

    If you want something that's REALLY fast to type, there's also 1/8 (1.x.x.x)

    It's reserved by the IANA and currently not in use. Plus, it gives you the pleasure of not using official IP addresses.

    In fact, there are many unused /8 addresses if you search the IANA whois database (http://ws.arin.net/cgi-bin/whois.pl)

  67. Re:What if your provider has a private network too by Zathrus · · Score: 1

    The same can be said for pretty much any of the internal network addresses. You might change jobs and they'll use 192.168.88.* for their internal network.

    A few months ago I changed my network to 192.168.2.* for this reason -- because work used 1.*. My coworkers also changed their networks for the same reason, each of us picking various numbers randomly (one moved to 10.0.0.*). My cubemate changed to 100. Apparently TechOps got tired of people having problems when VPN'd in though, so they decided to change all the network IPs as well. To 192.168.100.*. My coworker was annoyed.

    A lot of stuff comes preconfigured to use 192.168.1.* though, so no matter what you change your network to, be sure you know enough to change it back when needed. If you ever need to flash the firmware on the device or reset it to factory defaults you'd better be able to talk to it to change it back to whatever address range you actually want.

  68. 192.42.172.*? by WillAdams · · Score: 1

    This is the default for NeXTstep---any explanation / history behind it?

    I've deja-googled, but not found much which explains this....

    William

    --
    Sphinx of black quartz, judge my vow.
  69. ping 10.0.0.1 == ping 10.1 by Anonymous Coward · · Score: 0

    Call me lazy or efficient, but I like being able to use the shorter address.

    Most routers can be configured for what DHCP block they will give out, even if the router is a 192.168.x.x address.

  70. Re:Hi, I'm ignorant. Pleeztameecha! by a9db0 · · Score: 1

    A simple, straightforward basic answer to the question, without delving into the technopaedic minutiae that would no doubt needlessly confuse the questioner. Thank you.

    Now, what the hell are you doing on slashdot?

    --
    -- "Never underestimate the power of human stupidity." - R.A.H.
  71. Feb 17 = Start of Biblical Great Flood by devinjones · · Score: 1

    Genesis 7:11 - And on the 17th day of the second month of the 300th year of Noah's life, the rains began to fall.

    It's cool to have your birthday mentioned in the bible, you know, like that other guy.

  72. My school by shish · · Score: 1

    I'm a fan of 192.168, but my school has something like this:

    Main server 90.0.0.0
    Room 1 main: 90.0.1.0
    Room 1 boxes: 90.0.1.*
    Room 2 main: 90.0.2.0
    Room 2 boxes: 90.0.2.*
    Room 3 main: 90.0.3.0
    Room 3 boxes: 90.0.3.*

    Is this scheme phuX0red, or some NetWare specific thing? It's been bugging me for a while, so any explanations appreciated...

    --
    I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    1. Re:My school by FCKGW · · Score: 1

      It looks like those IP's are in a reserved block for whatever reason and aren't used on the Internet. Other than the weird IP range, I like the idea of having the room number in one of the octets.

      --
      It's an operating system, not a religion.
  73. Forget Classes by Royster · · Score: 1

    You can use any one of the 255 192.168.x.0/16 networks or group them up into a 192.168.0.0/24 network. Or you could grab a /16 some where in 10.0 and subnet it to a smaller network.

    Subnetting has been completely divorced from classes for about 10 years now.

    --
    I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
  74. Re:What if your provider has a private network too by bhtooefr · · Score: 1

    My router defaults to 192.168.0.*. .1 for the router, .100+ for clients. My DSL modem (built in router, but a hub won't work with it - it's locked down to one DHCP client) uses 192.168.1.1 for itself, and 192.168.1.2 for the client.

  75. It's either laziness or efficiency, take your pick by FCKGW · · Score: 1

    I use 10.0.0.0/8 at home just because it's really easy to type. The subnet I keep most of my machines in is 10.0.0.0/24, and my DMZ is 10.1.1.0/24. I give out IP's within them like this: 10.x.x.1-9 is routers 10.x.x.10-19 is computers with static IP's 10.x.x.20-99 is the DHCP range 10.x.x.100-109 is network stuff that will do DHCP 10.x.x.110-199 is servers 10.x.x.200-254 is other stuff like VMware virtual machines This is just perfect because I can type any commonly-used IP on my home LAN using just the 0, 1, and period keys. My router is 10.0.0.1, main rig is 10.0.0.10, computer on the other end of the house is 10.0.0.11, wireless AP is 10.0.0.101, file server is 10.0.0.110, web server is 10.1.1.110, and backup server will be 10.0.0.111. I'm even lazy when I type. Or efficient, depending on your viewpoint. ;-) Work network is 192.168.2.0/24, because that's what the guy who set it up used. If I set up a network for someone else, I just use the default IP range on their router, which usually ends up being 192.168.0.0/24, and all other reasonable defaults, to make it easy to work on and makes a "reset to defaults" much less painful. Of course, I change stupid defaults: I turn off remote configuration if it's on, change the admin password, etc. If it's wireless, then I turn WEP on to its highest setting, change the SSID, turn off SSID broadcast, filter by MAC address, and whatever else I can do.

    --
    It's an operating system, not a religion.
  76. Re:It's either laziness or efficiency, take your p by FCKGW · · Score: 1

    Oops, I forgot to change "HTML Formatted" to "Plain Old Text" again. And I forgot to preview, too. Sorry. Here's what it should've looked like:

    I use 10.0.0.0/8 at home just because it's really easy to type. The subnet I keep most of my machines in is 10.0.0.0/24, and my DMZ is 10.1.1.0/24. I give out IP's within them like this:

    10.x.x.1-9 is routers
    10.x.x.10-19 is computers with static IP's
    10.x.x.20-99 is the DHCP range
    10.x.x.100-109 is network stuff that will do DHCP
    10.x.x.110-199 is servers
    10.x.x.200-254 is other stuff like VMware virtual machines

    This is just perfect because I can type any commonly-used IP on my home LAN using just 0, 1, and period. My router is 10.0.0.1, main rig is 10.0.0.10, computer on the other end of the house is 10.0.0.11, wireless AP is 10.0.0.101, file server is 10.0.0.110, web server is 10.1.1.110, and backup server will be 10.0.0.111. I'm even lazy when I type. Or efficient, depending on your viewpoint. ;-)

    Work network is 192.168.2.0/24, because that's what the guy who set it up used.

    If I set up a network for someone else, I just use the default IP range on their router, which usually ends up being 192.168.0.0/24, and all other reasonable defaults, to make it easy to work on and makes a "reset to defaults" much less painful. Of course, I change stupid defaults. I turn off remote configuration if it's on, change the admin password, etc. If it's wireless, then I turn WEP on to its highest setting, change the SSID, turn off SSID broadcast, filter by MAC address, and whatever else I can do.

    --
    It's an operating system, not a religion.
  77. Bzzzt. Thanks for playing! by Mr+Z · · Score: 1

    The broadcast address is defined as the bitwise inverse of your netmask logically ORed with your IP address.

    More accurately, the broadcast address is that network address with the host field assigned a value of all 1s. Since the host field in an IP address is in the low-order bits, and since netmasks are a contiguous string of 1s followed by a contiguous string of 0s, this is equivalent to the statement I made above.

    Lots more detail in RFC 917.

    --Joe
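The arithmetic from the post above, worked through as an added example (this is not code from the thread): broadcast = address OR the bitwise inverse of the netmask, applied to the 10.0.0.255 question argued earlier in this discussion, plus the usable-host count for a prefix including the /31 case from the RFC 3021 exchange. The 10.0.0.x addresses below are the thread's own; nothing else is assumed.

```python
"""Broadcast-address and host-count arithmetic (added example, not code
from the Slashdot thread). Inputs are the 10.0.0.x addresses debated in
the thread; everything is computed locally with the standard library."""
import ipaddress

ALL_ONES = 0xFFFFFFFF  # a full 32-bit IPv4 mask


def netmask_from_prefix(prefix_len: int) -> int:
    """Netmask for a CIDR prefix length as a 32-bit int (24 -> 0xFFFFFF00)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def broadcast_address(address: str, prefix_len: int) -> str:
    """address | ~netmask: every host bit set to 1, as the post defines it."""
    addr_int = int(ipaddress.IPv4Address(address))
    host_bits = ~netmask_from_prefix(prefix_len) & ALL_ONES
    return str(ipaddress.IPv4Address(addr_int | host_bits))


def is_broadcast(address: str, prefix_len: int) -> bool:
    """True when the address is the directed broadcast of its own subnet."""
    return broadcast_address(address, prefix_len) == address


def matches_stdlib(address: str, prefix_len: int) -> bool:
    """Cross-check the hand calculation against the standard library."""
    net = ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)
    return str(net.broadcast_address) == broadcast_address(address, prefix_len)


def usable_hosts(prefix_len: int) -> int:
    """Host addresses left once network and broadcast are removed.
    A /31 keeps both addresses (RFC 3021 point-to-point links) and a /32
    is a single host; every longer... shorter prefix loses two."""
    if prefix_len == 32:
        return 1
    if prefix_len == 31:
        return 2
    return 2 ** (32 - prefix_len) - 2


if __name__ == "__main__":
    # The thread's question: is 10.0.0.255 a broadcast address? It depends
    # on the mask: yes on /24 and /25, no on /23 or /16.
    for prefix in (24, 25, 23, 16):
        print(f"10.0.0.255/{prefix}: broadcast={broadcast_address('10.0.0.255', prefix)} "
              f"is_broadcast={is_broadcast('10.0.0.255', prefix)}")
    # An address ending in .0 is the network address on a /24, not the broadcast.
    print("10.0.0.0/24 is broadcast:", is_broadcast("10.0.0.0", 24))
    for prefix in (24, 30, 31, 32):
        print(f"/{prefix}: {usable_hosts(prefix)} usable host addresses")
```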
  78. Re:Bzzzt. Thanks for playing! by fm6 · · Score: 1

    OK, you're right. But that's the second time today I've had the gameshow thing thrown at me, and I do believe I'm tired of it! :(

  79. Re:Bzzzt. Thanks for playing! by Mr+Z · · Score: 1

    I guess this is your lucky day! ;-)

    Would you like to see what's behind door #2?

    (Ok, so I'm feeling like a bit of a smart-ass right now. Blame it on the scotch.)

    --Joe
  80. Re:HP-UX 11 + (obsoleted) RFCs + 10.0.0.X = bad ne by Anonymous Coward · · Score: 0
    Yup! This dates back to at least HP-UX 9.x as I recall getting bit by the same issue 6-7 years ago. At that time HP also said they were just following the spec - but other vendors didn't seem to comply.

    What does that say about the upkeep of HP-UX over the years!

  81. Re:Bzzzt. Thanks for playing! by fm6 · · Score: 1

    If you need Scotch to be a smartass, you're the only one on Slashdot!

  82. Re:What if your provider has a private network too by Krunch · · Score: 1

    I know of a school which uses 172.16 for their dorms and that's also the network range we used for the PDC LAN Party 3 (200-300 ppl).

    --
    No GNU has been Hurd during the making of this comment.
  83. 192.168.1.x by Yablo · · Score: 0, Redundant

    Network of champions. I used to have a 10.x network, which was far easier to type, but I was having all kinds of problems connecting to the VPN at work. After about 5 minutes, I said fuck it, and changed it over to 192.168.

  84. Broadcast Storm by il_seba · · Score: 1

    More than a hundred PCs on the same network segment and you are looking for big trouble and slowness from broadcast storms.

    Go for Variable Length Subnet Mask and deploy VLANs containing not more than 40/60 clients each.

    Use DHCP-assigned 10.0.0.0/24 subnets.

    This way you can even aggregate subnets for wan or site-to-site routing.

    Example:

    Site-1 / VLAN-1 > 10.1.1.0/24
    Site-1 / VLAN-2 > 10.1.2.0/24
    Site-1 / VLAN-3 > 10.1.3.0/24

    Site-2 / VLAN-1 > 10.2.1.0/24
    Site-2 / VLAN-2 > 10.2.2.0/24
    Site-2 / VLAN-3 > 10.2.3.0/24

    Site-3 / VLAN-1 > 10.3.1.0/24
    Site-3 / VLAN-2 > 10.3.2.0/24
    Site-3 / VLAN-3 > 10.3.3.0/24

    Site-1 as a whole is seen as 10.1.0.0/16

    Site-2 as a whole is seen as 10.2.0.0/16

    Site-3 as a whole is seen as 10.3.0.0/16
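The site/VLAN plan above, modelled as an added example (not the poster's own code): it builds the 10.<site>.<vlan>.0/24 subnets, checks that each site collapses to the 10.<site>.0.0/16 summary route the post describes, and runs the overlap check that several posters in this thread wished they had done before connecting a VPN to a partner that also uses 10/8. The partner blocks it tests against are constructed, not real networks.

```python
"""Site/VLAN address plan and VPN-overlap check (added example, not code
from the thread). Models 10.<site>.<vlan>.0/24 subnets summarised to
10.<site>.0.0/16 per site; the peer blocks in __main__ are constructed."""
import ipaddress
from typing import Dict, List, Tuple

IPv4Network = ipaddress.IPv4Network

# The three RFC 1918 blocks the whole thread is arguing over.
RFC1918_BLOCKS = [IPv4Network("10.0.0.0/8"),
                  IPv4Network("172.16.0.0/12"),
                  IPv4Network("192.168.0.0/16")]


def vlan_subnet(site: int, vlan: int) -> IPv4Network:
    """10.<site>.<vlan>.0/24: second octet is the site, third is the VLAN."""
    if not (1 <= site <= 255 and 1 <= vlan <= 255):
        raise ValueError("site and VLAN numbers must each fit in one octet")
    return IPv4Network(f"10.{site}.{vlan}.0/24")


def site_summary(site: int) -> IPv4Network:
    """The single route the rest of the WAN needs for a site: 10.<site>.0.0/16."""
    return IPv4Network(f"10.{site}.0.0/16")


def build_plan(sites: int, vlans_per_site: int) -> Dict[int, List[IPv4Network]]:
    """Site number -> its /24 VLAN subnets, laid out as in the post's table."""
    return {s: [vlan_subnet(s, v) for v in range(1, vlans_per_site + 1)]
            for s in range(1, sites + 1)}


def summaries_cover_plan(plan: Dict[int, List[IPv4Network]]) -> bool:
    """Every VLAN subnet must sit inside its own site's /16 summary."""
    return all(sub.subnet_of(site_summary(site))
               for site, subs in plan.items() for sub in subs)


def route_counts(plan: Dict[int, List[IPv4Network]]) -> Tuple[int, int]:
    """WAN routes needed: (one per VLAN, one per site summary)."""
    return sum(len(subs) for subs in plan.values()), len(plan)


def is_rfc1918(network: str) -> bool:
    """True if the whole block lies inside one of the RFC 1918 ranges."""
    net = IPv4Network(network, strict=False)
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def clashing_sites(plan: Dict[int, List[IPv4Network]], peer: str) -> List[int]:
    """Sites whose summary overlaps a VPN peer's block. Routes to those sites
    become ambiguous once the tunnel is up, which is the re-addressing or
    double-NAT problem the thread's posters describe."""
    peer_net = IPv4Network(peer, strict=False)
    return [site for site in plan if site_summary(site).overlaps(peer_net)]


if __name__ == "__main__":
    plan = build_plan(3, 3)
    for site, subs in plan.items():
        print(f"Site-{site} -> {site_summary(site)}: {[str(s) for s in subs]}")
    print("summaries cover plan:", summaries_cover_plan(plan))
    print("routes per-VLAN vs summarised:", route_counts(plan))
    # Constructed partner blocks: the first clashes with Site-2 only, the
    # third (a partner using all of 10/8) clashes with every site.
    for peer in ("10.2.0.0/16", "192.168.0.0/16", "10.0.0.0/8", "1.2.3.0/24"):
        print(f"peer {peer}: rfc1918={is_rfc1918(peer)} "
              f"clashes with sites {clashing_sites(plan, peer)}")
```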

  85. Re:Please realize what RFC 2119 says about MUST by lewp · · Score: 1

    On topic (to at least contribute something):

    I'm of the mind you should use the proper IP range for the network you have. I've got a home network with 6 machines on it at present that sees an extra host or two when friends bring their laptops over and maybe an additional 4-5 when I'm playing with VMware extensively. Work uses 10/8, and even if my network grows tenfold I won't exhaust the space available in 192.168.0/24, so I use that.

    Of course, in the event my situation changes, I could re-IP this dinky network in under five minutes. This is a little bit more of a danger for me using 0 than for people who choose a random number as the third octet, but I don't lose sleep over it. Shit happens.

    Ultimately the right IP range to use is the one that gets your network working before you get fired (that sounds remarkably similar to something out of the Camel Book). There's always going to be a chance you're going to need to re-IP because of network growth or need to communicate with someone using the same space as you. Make an educated guess at the growth and changing of your network over the next few years and pick the range that fits it, or a larger one if that suits you. Or just use 10/8 and be pretty damn sure you won't run out of space. Of course, if you know you're going to need to hook up with someone else's network, it might not be a bad idea to ask them what they use while you're designing your own network.

    Off topic:

    The excerpt quoted in his journal does, in fact, point out IE's RFC ignorance w.r.t. HTTP/1.1. The RFC states that the server SHOULD send a Content-type header. This means, if you're a lazy implementer, that your server doesn't HAVE to send this header. In the event that a user agent encounters such a server, and only in that situation, it may attempt to use other methods to determine the content type of the document.

    Since IE does this even when the server DOES include a Content-type header, IE's HTTP/1.1 implementation is broken.

    Of course, the poster is also wrong, since he states that all web browsers must implement HTTP/1.1. Of course, HTTP/1.1 is not the first iteration of HTTP, and there are many browsers that predate it. They are, however, most assuredly browsers in every sense of the word.

    IE is a browser, just a fairly braindead one.

    --
    Game... blouses.
  86. lol - duh! by DrSkwid · · Score: 1

    llalalalalalalalllalllallla a lalallallalalal

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  87. Re:What if your provider has a private network too by jmenezes · · Score: 1

    Cambridge, MA school department uses 172.25,
    the city uses 172.24, and the hospital uses 172.26

    --
    Stop over-analyzing your analizations
  88. 10/8 vs. 10.*/16, 10.*.*/20, 10.*.*/24 Subnets by billstewart · · Score: 1
    Picking the right subnet size is important, just for keeping track of things, and the big questions have tended to be "Do I use Class A/B/C subnet sizes or a 10.*.*/20?" Sure, the hardware almost always supports Variable Length Subnet Masking, but humans aren't always that good at it.

    If you're not going to have more than ~250 hosts per segment or more than ~250 segments, I've generally taken the approach of "pick a random number R in 21..250 for the second octet, and create a bunch of 10.R.*/24 subnets" - it makes it easy to merge with other networks later on. (As when my department's lab got merged with several others - didn't have to renumber anything because nobody else was 10.116.*)

    We did pick one 10.X.Y.* range to split up into /30 subnets for virtual circuits between labs, but that's the only VLSM we messed with. And little LANs that are sure to get NATted by appliances still get to be 192.168, and the couple of routers that look like the Cisco CCNA certification book lab are 172.16 because it's for training.

    --
    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  89. Re:What if your provider has a private network too by Stephen+Samuel · · Score: 1
    Cambridge, MA school department uses 172.25, the city uses 172.24, and the hospital uses 172.26

    24, 25, and 26. Obviously, they were all put together by the same people....

    --
    Free Software: Like love, it grows best when given away.
  90. 172.30.0.0/24 by Tony-A · · Score: 1

    Has one advantage. The primary server is 172.30.0.30.
    It's also obscure enough that it's unlikely to clash with anyone else's LAN.

  91. Re:Bzzzt. Thanks for playing! by Tony-A · · Score: 1

    Assuming the netmask is 255.255.255.0.
    If the netmask is anything from 255.0.0.0 through 255.255.254.0 inclusive, his 10.0.0.255 would be perfectly valid.
    If the LAN was small and lightly loaded he would probably be quite survivable even sitting on the broadcast address.
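
    The mask-dependence described above, worked through as an added example (my own code, not from this poster or the thread): it uses Python's standard ipaddress module to classify an address as network, broadcast or ordinary host under a given mask, lists the masks under which 10.0.0.255 is a usable host, and audits a small inventory of static addresses against the segment's real mask. The function names and the inventory entries are constructed for this example.

```python
import ipaddress


def host_status(addr: str, netmask: str) -> str:
    """Classify addr under netmask as "network", "broadcast" or "host".

    netmask may be dotted ("255.255.254.0") or a prefix length ("23").
    """
    net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    ip = ipaddress.ip_address(addr)
    if net.prefixlen >= 31:
        # /31 point-to-point links and /32 host routes reserve nothing
        return "host"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def masks_where_usable(addr: str, lo: int = 8, hi: int = 30) -> list:
    """Prefix lengths in lo..hi under which addr is an ordinary host address."""
    return [p for p in range(lo, hi + 1) if host_status(addr, str(p)) == "host"]


# Constructed sample of a static-address inventory to audit (not from the thread).
SAMPLE_INVENTORY = [
    ("fileserver", "10.0.0.255"),
    ("printer", "10.0.1.255"),
    ("gateway", "10.0.0.1"),
    ("switch-mgmt", "10.0.0.0"),
]


def audit_inventory(inventory, netmask: str):
    """Return (name, addr, status) for every entry that sits on the network or
    broadcast address of its segment under the given netmask."""
    return [
        (name, addr, host_status(addr, netmask))
        for name, addr in inventory
        if host_status(addr, netmask) != "host"
    ]


if __name__ == "__main__":
    print(host_status("10.0.0.255", "255.255.255.0"))  # broadcast
    print(host_status("10.0.0.255", "255.255.254.0"))  # host
    print(masks_where_usable("10.0.0.255"))             # [8, 9, ..., 23]
    print(audit_inventory(SAMPLE_INVENTORY, "255.255.254.0"))
```

    Note that 10.0.0.255 is a valid host under every mask from /8 through /23, exactly the 255.0.0.0 to 255.255.254.0 range named above, and becomes the broadcast address from /24 onward; the audit is the check to run before trusting a "that address is reserved" claim that assumed a /24.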

  92. It's not necc. all about the number of hosts by freebase · · Score: 1

    Typically, 192.168 is used in consumer grade equipment. Let's face it - not many home networks need a lot of IPs, and those few that do don't really need to worry about route summarization. The 172.16 block is usually used in a small to medium business that would have multiple locations and more devices than a typical home network. Route summarization may or may not be used, or needed.

    The 10. block is used in large networks both because of the number of available addresses and because it allows you to do some cool things with route summarization on a large WAN infrastructure. Route summarization reduces route table size, processor load, and overall complexity in the network, which are all good things :).

    Say I have a building that has 18 wiring closets in it. I could build the network in such a way that each wiring closet is a VLAN. Each VLAN gets its own, unique IP Network.

    If I needed to, I could have multiple VLANs in the closet based on departments, job functions, or almost any other criteria. Assume I've built two VLANs in each closet, for a total of 36 VLANS, at least. I may have other VLANs dedicated to servers, routers, firewalls, etc.

    If I have 192 ports built into each closet, then, planning for worst case, I make sure I have at least 192 addresses available in each of my 36 VLANs. I'd have to remember to add to the count for a router/gateway address, and any growth I could anticipate in that closet.

    If I plan to add additional ports, or think it's a possibility, I might want to add another 192 addresses to the network. It's a &$*%^ to come back and re-address later - invariably there will be some mission critical device no one documented that has a static address, under someone's desk.

    Based on these numbers, I'd need at least 386 addresses. Since 2^8 is only 256 addresses, I need to go to 2^9 (512 addresses).

    I count bits from right to left, and I see that to have the nine bits of host address, I need to use a 23 bit network mask (32-9=23 bits of network mask).

    Now remember I have two VLANs in each closet, and to make things easy, I'll build them both to my worst case scenario. I'll need a 23 bit network for both.

    Given that I've pushed my Layer 3 to the edge, I could advertise both 23 bit networks back to the core. However, if I used contiguous 23 bit networks, I could also summarize them into a single 22 bit route to be advertised towards the core.

    This means my core would only need to have 18 routes to route traffic to all 36 VLANs.

    If you scale this approach across a WAN, you can see summarization allows you to simplify your routing and control over the network.

    --
    Sig??? I don't need no stinkin Sig!
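
    The subnet-sizing and summarization arithmetic in this comment, and the per-site /16 aggregation laid out in the "Broadcast Storm" comment above, worked through as an added example (my own code, not from either poster). It uses Python's standard ipaddress module; the function names (prefix_for_hosts, closet_vlans, summarize, covering_supernet, summary_covers, core_routes) and the site table are assumptions constructed for this example, using the figures this comment gives: 18 closets, two VLANs each, 386 addresses per VLAN.

```python
import ipaddress
from typing import Iterable, List


def prefix_for_hosts(hosts_needed: int) -> int:
    """Smallest prefix length whose block leaves hosts_needed usable addresses
    after the network and broadcast addresses are set aside (386 -> /23)."""
    for prefixlen in range(30, 7, -1):
        if 2 ** (32 - prefixlen) - 2 >= hosts_needed:
            return prefixlen
    raise ValueError("more hosts than a /8 can hold")


def closet_vlans(base: str, closets: int, vlans_per_closet: int,
                 prefixlen: int) -> List[List[ipaddress.IPv4Network]]:
    """Carve contiguous, aligned subnets of prefixlen out of base, grouped per closet."""
    pool = ipaddress.ip_network(base)
    subnets = list(pool.subnets(new_prefix=prefixlen))
    needed = closets * vlans_per_closet
    if len(subnets) < needed:
        raise ValueError(f"{base} yields {len(subnets)} /{prefixlen} subnets, need {needed}")
    return [subnets[c * vlans_per_closet:(c + 1) * vlans_per_closet]
            for c in range(closets)]


def summarize(prefixes: Iterable) -> List[ipaddress.IPv4Network]:
    """Exact aggregation: merge only prefixes that together fill a larger aligned block."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))


def core_routes(base: str, closets: int, vlans_per_closet: int,
                hosts_per_vlan: int) -> List[str]:
    """What the core must carry if every closet advertises one summary route."""
    prefixlen = prefix_for_hosts(hosts_per_vlan)
    plan = closet_vlans(base, closets, vlans_per_closet, prefixlen)
    return [str(r) for closet in plan for r in summarize(closet)]


def covering_supernet(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every given prefix. Unlike summarize()
    it may also cover space that is not yet allocated, which is how a site gets
    advertised as one /16 even though only a few /24s inside it are in use."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    candidate = ipaddress.ip_network(f"{first}/32")
    while candidate.broadcast_address < last:
        candidate = candidate.supernet()
    return candidate


def summary_covers(summary: str, prefixes: Iterable[str]) -> bool:
    """True if every prefix lies inside the advertised summary route."""
    s = ipaddress.ip_network(summary)
    return all(s.supernet_of(ipaddress.ip_network(p)) for p in prefixes)


# Constructed site table, following the per-site layout in the "Broadcast Storm" comment.
SITE_PLAN = {
    "Site-1": ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
    "Site-2": ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"],
    "Site-3": ["10.3.1.0/24", "10.3.2.0/24", "10.3.3.0/24"],
}


if __name__ == "__main__":
    print(prefix_for_hosts(386))                          # 23
    routes = core_routes("10.1.0.0/16", 18, 2, 386)
    print(len(routes), routes[0], routes[-1])             # 18 10.1.0.0/22 10.1.68.0/22
    # Two /23s that are adjacent but not aligned on a /22 boundary do not merge:
    print(summarize(["10.1.2.0/23", "10.1.4.0/23"]))
    for site, vlans in SITE_PLAN.items():
        print(site, covering_supernet(vlans), summary_covers(f"10.{site[-1]}.0.0/16", vlans))
```

    The caveat the example makes visible: exact aggregation only works when the subnets are both contiguous and aligned to the summary boundary, so the carve-out order matters, and a wide summary such as a site /16 advertises addresses nobody has assigned yet, which is the part to check against any VPN peer or acquired network that already uses overlapping 10.x space.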
  93. Reason: Family history by Max+Hyre · · Score: 1

    My Scots ancestors would be rolling in their graves if they knew I was wasting over sixteen million addresses! I'll stay with the thrifty 192.168.x.x, thanks, and save the rest for a rainy day.

    --
    I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/
  94. it doesn't have to be.... by swg101 · · Score: 1

    At home, I use 10.*, but I chose the subnet that I wanted. So it is easy to remember 10.11.12.*/24 and there is not a string of zeros.

    --
    Like pi? Try 10,000 digits.
  95. no stinkin' subnets here by 1eyedhive · · Score: 1

    No need for a subnet on my home LAN, nor a VPN at this point.
    The home net: 192.168.2.0 (it's .2.x because the guy who gave me a linux router setup 2 years back had his lan as .1 and set the software as .2, never bothered to change to 1 *shrug*)
    Router: 192.168.2.254 (top, easy to remember)
    Server: 192.168.2.200 (easy to remember)
    DHCP address space: 201-253
    Static share box (runs all dem nasty file sharing programs, must be addressable directly from the firewall): .100
    I used 10.x for a while (easier to type) but then the router changed and it was easier to change 2 static boxes than the entire networking config of the router (shorewall, local net, DHCPD, etc).

    --
    Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA