Demystifying CIDR, VLSM, Route Summarization and Supernetting
Dr. Rajan Shankaran

Classless Inter-Domain Routing (CIDR)

Introduction

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and for IP routing. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous addressing architecture of classful network design in the Internet. Its goal was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.

The term CIDR is used more generally than the original intent of the RFCs:
• Used synonymously with route summarization: the process of summarizing multiple classful networks together.
• Used synonymously with supernetting.

But the actual purpose of CIDR is as follows: the administrative assignment of large address blocks and the related summarized routes for the purpose of reducing the size of the routing tables.

CIDR uses the notion of classless addressing.

Classless addressing: to have variable length blocks that belong to no IP address class. Example: a block of 2, 4 or 128 addresses. In general, a block can range from very small to very large.

Advantages
• Efficient address allocation: an ISP can now carve out a block of its registered address space that specifically meets the needs of the client, provides additional room for growth, and does not waste any resource.
• Allows route aggregation: it controls the growth of the Internet's routing tables.

Note: As stated earlier, the reduction of routing information requires that the Internet be divided into addressing domains. Within a domain, detailed information is available about all networks that reside in the domain. Outside of a domain, only the common (summary) network prefix is advertised.

CIDR Procedure

CIDR encompasses several concepts. It is based on the variable-length subnet masking (VLSM) technique, which allows the specification of arbitrary-length prefixes.

CIDR introduced a new method of representation for IP addresses, now commonly known as CIDR notation, in which an address or routing prefix is written with a suffix indicating the number of bits of the prefix, such as 192.0.2.0/24 for IPv4 and 2001:db8::/32 for IPv6. CIDR introduced an administrative process of allocating address blocks to organizations based on their actual and short-term projected needs. Multiple contiguous prefixes are aggregated into one network and, whenever possible, advertised as a single aggregate, thus reducing the number of entries in the global routing table.

CIDR involves two activities:
• Administrative: a hierarchy of ISPs in which larger ISPs control large blocks of addresses and assign smaller blocks to smaller ISPs and customers.
• Technical: the process of route summarization/aggregation with VLSM.

CIDR Administrative Procedures

ISPs are assigned contiguous blocks of addresses. Regional authorities are assigned large address blocks, so when individual companies ask for registered public addresses, they ask their regional registry to assign an address block. Addresses assigned by a regional registry are aggregatable into one large geographical region of the world.

Example: LACNIC (Latin American and Caribbean Internet Address Registry) administers the IP address space of the Latin American and Caribbean region for the Internet community.

The aggregatability of the CIDR IPv4 address space gives you the best of both worlds: you can use very long (and therefore very precise) network prefixes where you have to, and very short, less precise network prefixes where you can. In other words, the closer you are to the destination network, the greater the precision you require of the network address. The farther you get from that destination, the less precise the network prefix can be. Thus, this scheme facilitates a hierarchical routing table architecture.

Hierarchical Routing Table Architecture

Three levels of ISPs are defined:
• Local
• Regional
• National

Address blocks are assigned in the same way. A local ISP is given a block A.B.C.D/n. It can then create sub-blocks of /m, where m may vary for each customer. The rest of the Internet does not have to be aware of this division. All packets are routed to the local ISP at A.B.C.D/n, which means that there is only one entry for all of its customers on the Internet. Inside the ISP, the routers must recognize the sub-blocks and route each packet to the customer it is destined for. The method of searching the routing table is based on the "longest prefix match" principle.

CIDR Technical Procedures: VLSM with Route Aggregation/Summarization

Note: Aggregation and summarization mean the same thing.

Variable Length Subnet Mask (VLSM)

VLSM is closely related to CIDR. VLSM allows an organization to use more than one subnet mask within the same network address space. VLSM involves subnetting a subnet to maximize addressing efficiency. With careful attention to IP address space design, subnet masks with fewer bits assigned to the network address can be used to aggregate subnet masks with more bits assigned to the network address. This results in smaller routing tables.

To summarize, CIDR allows routers to group routes together using route summarization to reduce the amount of routing information carried by the core routers, and VLSM helps optimize the available address space. In other words, CIDR is applied more at the ISP/provider level, whereas VLSM is a mechanism used by the recipient of an address block to use the assigned address block more efficiently using variable masks. In addition, Internet providers are also able to allocate a scalable number of addresses, in blocks using VLSM, to organizations based on how many addresses are needed.
Note that a provider may allocate blocks to child ISPs using variable length masks (masks that are not aligned along classful boundaries).

Route Aggregation/Summarization

In large internetworks, hundreds or even thousands of network addresses can exist, and it is often problematic for routers to maintain this volume of routes in their routing tables. Route summarization (also called route aggregation) can reduce the number of routes that a router must maintain, because it is a method of representing a series of network numbers in a single summary address.

Note: A summary route is announced by the summarizing router if at least one specific route in its routing table matches the summary route.

Recall that this kind of route summarization, or aggregation, is possible only if a classless routing protocol is run, such as OSPF or EIGRP. Classless routing protocols carry the prefix length and subnet mask with the 32-bit address in routing updates.

So, what exactly is route aggregation/summarization? It is a method of generating a more general route given the presence of a specific route. Route aggregation is also used by regional and national networks to reduce the amount of routing information passed around. For instance, with careful allocation of network addresses to clients, one regional network can announce just one route to other regional networks instead of hundreds. This practice works when the large Internet service provider has a contiguous range of IP addresses to manage.

The process of route summarization in CIDR can be classified as:
• Inclusive summary routes: a single small range of addresses that includes all the routes/subnets shown, possibly including subnets that do not currently exist.
• Exclusive summary routes: as few summarized routes as possible that include all the address ranges an organization actually owns, while excluding all other routes/subnets.

Procedure for finding Inclusive Summary Routes

1. Write down the binary version of each component subnet, one on top of the other.
2. Inspect the binary values to find how many consecutive leading bits have exactly the same value in all component subnets. The number of such bits is the prefix length.
3. Write a new number at the bottom of the list by copying the first y bits from the prior number, y being the prefix length. Write binary 0s for the remaining bits.
4. Convert the new number to decimal, 8 bits at a time.

Example: In the table below, Router A has the following networks in its routing table:
172.168.32.0/24
172.168.33.0/24
172.168.34.0/24
172.168.35.0/24
Find the inclusive summary route.

Solution

First, convert the addresses to binary format and align them in a list as shown in the table below.

Address        1st octet   2nd octet   3rd octet   4th octet
172.168.32.0   10101100    10101000    00100000    00000000
172.168.33.0   10101100    10101000    00100001    00000000
172.168.34.0   10101100    10101000    00100010    00000000
172.168.35.0   10101100    10101000    00100011    00000000

Second, locate the bits where the common pattern of digits ends. Lastly, count the number of common bits. The summary route should be your lowest IP address, followed by a slash, followed by the number of common bits.

Summarized route: 172.168.32.0/20 (or 255.255.240.0)

As you can see, the first 20 bits of the IP address are the same. Hence, the best summary route can be advertised as 172.168.32.0/20.

For summarization to work properly, multiple IP addresses must share the same highest-order bits, and it should only be implemented within classless routing protocols such as EIGRP, OSPF, RIPv2, IS-IS for IP, and BGP.

Example: Inclusive Summary Route

For the address block given below, find the inclusive summary route and the best possible exclusive summary route.
172.31.20.0/24
172.31.21.0/24
172.31.22.0/24
172.31.23.0/24
172.31.24.0/24

Let us look at the interesting (third) octet in binary format:
00010100
00010101
00010110
00010111
00011000

The first 4 bits are common to all the addresses. The mask: /20. The inclusive summary is 172.31.20.0/20. This is an inclusive summary since it includes 16 addresses (24 - 20 = 4, so 2^4 addresses) with a range starting from 172.31.20.0 to 172.31.35.255, some of which do not physically exist.

To find the best exclusive summary, examine the first four addresses to identify the common bits. The first six bits are common to all. The mask is /22. The summary route 172.31.20.0/22 neatly summarizes the first 4 addresses. The last address is advertised as it is. So, in a nutshell, the router responsible for this block will advertise the following:
172.31.20.0/22, 172.31.24.0/24

Another Example

Router D has the following networks in its routing table:
172.16.12.0/24
172.16.13.0/24
172.16.14.0/24
172.16.15.0/24

To determine the summary route on Router D, determine the number of highest-order (leftmost) bits that match in all the addresses. To calculate the summary route, follow these steps:

Step 1: Convert the addresses to binary format and align them in a list.
Step 2: Locate the bit where the common pattern of digits ends. (It might be helpful to draw a vertical line marking the last matching bit in the common pattern.)
Step 3: Count the number of common bits. The summary route number is represented by the first IP address in the block, followed by a slash, followed by the number of common bits.

The first 22 bits of the IP addresses from 172.16.12.0 through 172.16.15.255 are the same. Therefore, the best summary route is 172.16.12.0/22.

CIDR Route Aggregation Rules

• Number of addresses in a block: there is only one condition on the number of addresses in a block; it must be a power of 2 (2, 4, 8, ...). A household may be given a block of 2 addresses. A small business may be given 16 addresses. A large organization may be given 1024 addresses.
• Beginning address: the beginning address must be evenly divisible by the number of addresses. For example, if a block contains 4 addresses, the beginning address must be divisible by 4. If the block has fewer than 256 addresses, we need to check only the rightmost byte. If it has fewer than 65,536 addresses, we need to check only the two rightmost bytes, and so on.

Example: Which of the following can be the beginning address of a block that contains 16 addresses?
205.16.37.32
190.16.42.44
17.17.33.80
123.45.24.52

Solution

The address 205.16.37.32 is eligible because 32 is divisible by 16. The address 17.17.33.80 is eligible because 80 is divisible by 16.

Route Aggregation versus VLSM

With VLSM, you break a block of addresses into smaller subnets; in route summarization, a group of subnets is rolled up into a summarized routing table entry.

CIDR versus Variable Length Subnet Mask (VLSM)

When an IP network is assigned more than one subnet mask, it is considered a network with "variable length subnet masks", since the extended network prefixes have different lengths. CIDR and VLSM are essentially the same thing, since they both allow a portion of the ISP address space to be recursively divided into smaller pieces. However, in VLSM the recursion is performed on the address space previously assigned to an organization and is invisible to the global Internet. On the other hand, CIDR permits the recursive allocation of an address block to a high-level ISP, a mid-level ISP and a low-level ISP, and finally to an organization's private network, and this recursion is therefore visible on the global Internet. Therefore, VLSM does not directly result in the reduction of routing entries of the network prefixes in the Internet backbone, since every distinct network that is assigned to an organization must still appear in the router's RT.
In a nutshell, CIDR uses VLSM to allocate IP addresses to subnets according to individual needs rather than by class. This type of allocation allows the network/host boundary to occur at any bit in the address. Networks can be further divided or subnetted into smaller and smaller subnets.

Note: In the classful world, we summarize at classful boundaries, whereas classless protocols can summarize with VLSMs, and this need not be done at classful boundaries.

However, just as in VLSM, CIDR requires the following:
• The routing protocols must carry network prefix information with each route advertisement.
• All routers must implement a consistent forwarding algorithm based on the longest prefix match.
• For route aggregation, addresses must be assigned so that they are topologically significant.

Supernetting

Supernetting refers to the case where multiple IP subnets reside on a single physical network. For instance, it is perfectly possible to have two separate subnets on the same Ethernet. There needs to be a router between the subnets to let them talk, and the packets will pass on the Ethernet twice: once from source to router, and once from router to destination. Certainly the router that routes between the two subnets could have two network cards on the same Ethernet, but it may even be possible to have two logical interfaces, each with its own IP address and netmask, run through a single physical card (there is nothing in the hardware to stop it). This concept is called "one-armed routing".

If supernetting is not deployed, you use 2 interfaces and split your subnets into 2 groups; this makes for a cleaner traffic load per segment. It can be implemented by using one router to communicate with the outside world and simply using both class C subnets with plain switching. If no communication to the outside world is necessary, then the router can be taken out.

Note: Most good OSes (read: Linux but not Win9X) allow you to assign multiple IP addresses to a single network interface. The Linux kernel calls this "IP aliasing". You can even use Linux to connect the two subnets together using a single interface and the kernel's built-in routing support (called "IP forwarding").

With supernetting, an organization can combine several class C address blocks to create a larger range of addresses. In this process, several class C networks are combined to create a supernet. By doing this, an organization can apply for a set of class C address blocks instead of just one. The organization can then use these addresses in one supernetwork.

Supernetting Procedure Rules

1. The number of blocks must be a power of 2.
2. The blocks must be contiguous in the address space.
3. Even divisibility condition: the third byte of the first block must be evenly divisible by the total number of blocks.
4. Single interface condition: the last critical precondition for supernetting is that the two or more network blocks that are to be aggregated must be connected to the same interface.

There is one additional prerequisite for supernetting: you MUST EITHER be running static routing EVERYWHERE or be using a classless routing protocol such as RIP2 (or OSPF), which includes subnet mask information and can pass supernetting information, in order for this to work. Standard RIP does not transmit the subnet mask information.

Third criterion: even divisibility

Even divisibility is determined by dividing the octet that contains the boundary between the host and network address fields by the number of networks you are trying to supernet together. For example, if you were to combine two /24 networks, the third octet of the first network address must be divisible by 2. If you wanted to combine eight /24 networks, the first network's third octet would have to be divisible by 8.

Fourth criterion: single interface

Otherwise, why bother? If they are connected to different interfaces, you must route between the two networks. In practical terms, this rule does not preclude you from creating a supernet from two networks that are connected to different router interfaces. However, this rule forces you to reconfigure your physical topology so that the combined supernet connects to only one interface (refer to Figures 1 and 2).

Supernet Mask

It is the reverse of a subnet mask. It is used to aggregate a set of classful C addresses. A subnet mask that divides a block into 8 sub-blocks has three more 1s than the default mask. A supernet mask that combines 8 blocks into one super-block has three fewer 1s than the default mask.

Figure 1: Before supernetting: two /27s routed together
Figure 2: After supernetting: two /27 networks supernetted to form a /26

Examples

Example 1: A company needs 600 addresses. The following set of class C blocks can be used to form a supernet for this company:
198.47.32.0, 198.47.33.0, 198.47.34.0, 198.47.35.0
It satisfies the first three supernet rules. The number of blocks is a power of 2. The blocks are contiguous. The third byte of the first block is divisible by the number of blocks.

Example 2: Finding the supernet mask. We need to make a supernet mask out of 16 class C blocks. What is the supernet mask?

Solution

The default subnet mask for class C is 255.255.255.0. 16 class C blocks require 4 bits. Therefore, we need to change 4 1s to 0s in the default mask. So, the mask is 255.255.240.0.

Using the supernet mask to find the first address

Example 3: A supernet has the first address 205.16.32.0 and a supernet mask of 255.255.248.0. A router receives three packets with the following destination addresses:
- 205.16.37.44
- 205.16.42.56
- 205.17.33.76
Which packet belongs to the supernet?

Solution

By ANDing the three addresses with the mask, we see that only 205.16.37.44 yields the first address of the block, 205.16.32.0. Therefore, this address belongs to the supernet.
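The summary-route procedure, the CIDR block rules and the supernet checks from the examples above, worked in code. This is an added example written for these notes, not part of the original; it uses only Python's standard ipaddress module, the inputs are the address sets from the examples, and inclusive_summary writes the summary as step 3 of the procedure describes (the common bits followed by zeros, i.e. the network address of the covering block).

```python
"""Summary routes and CIDR/supernet block checks for these notes.
Added example, not part of the original; standard library only."""
import ipaddress
from typing import List


def inclusive_summary(prefixes: List[str]) -> ipaddress.IPv4Network:
    """Steps 1-4: count the leading bits all components share, then
    write those bits followed by zeros and convert back to dotted form."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    ints = [int(n.network_address) for n in nets]
    common = 0
    # Stop at the shortest component mask: beyond it are host bits.
    for bit in range(31, 31 - min(n.prefixlen for n in nets), -1):
        if len({(i >> bit) & 1 for i in ints}) != 1:
            break
        common += 1
    base = ints[0] & (0xFFFFFFFF << (32 - common)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, common))


def exclusive_summary(prefixes: List[str]) -> List[ipaddress.IPv4Network]:
    """Repeatedly merge neighbouring equal-sized blocks whose lower half
    starts on the parent boundary; covers the owned space and nothing else."""
    nets = sorted(ipaddress.IPv4Network(p) for p in prefixes)
    merged = True
    while merged:
        merged, out, i = False, [], 0
        while i < len(nets):
            a = nets[i]
            if i + 1 < len(nets) and a.prefixlen == nets[i + 1].prefixlen:
                parent = a.supernet()
                # a must open the parent block and b must directly follow a
                if (parent.network_address == a.network_address and
                        int(nets[i + 1].network_address) == int(a.broadcast_address) + 1):
                    out.append(parent)
                    i, merged = i + 2, True
                    continue
            out.append(a)
            i += 1
        nets = out
    return nets


def valid_block_start(addr: str, size: int) -> bool:
    """Block rules: size is a power of 2 and the first address is evenly
    divisible by it (testing the full 32-bit value covers every byte)."""
    power_of_two = size > 0 and size & (size - 1) == 0
    return power_of_two and int(ipaddress.IPv4Address(addr)) % size == 0


def supernet_mask(num_class_c: int) -> str:
    """Supernet mask: clear log2(n) ones from the class C default /24."""
    if num_class_c <= 0 or num_class_c & (num_class_c - 1):
        raise ValueError("number of blocks must be a power of 2")
    return str(ipaddress.IPv4Network((0, 24 - (num_class_c.bit_length() - 1))).netmask)


def supernet_ok(first_addresses: List[str]) -> bool:
    """Supernet rules 1-3: power-of-2 count, contiguous /24s, and a first
    block whose third byte is divisible by the number of blocks."""
    nets = sorted(ipaddress.IPv4Network(a + "/24") for a in first_addresses)
    contiguous = all(int(nets[k + 1].network_address) == int(nets[k].broadcast_address) + 1
                     for k in range(len(nets) - 1))
    return contiguous and valid_block_start(str(nets[0].network_address), len(nets) * 256)


def in_supernet(first_addr: str, mask: str, dst: str) -> bool:
    """Example 3: AND the destination with the supernet mask; a match
    with the block's first address means the packet belongs to it."""
    first, netmask, target = (int(ipaddress.IPv4Address(a)) for a in (first_addr, mask, dst))
    return target & netmask == first
```

On the 172.31.20.0/24 to 172.31.24.0/24 set, exclusive_summary returns 172.31.20.0/22 and 172.31.24.0/24, the same pair the router advertises above; in_supernet reproduces the ANDing of Example 3.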
Example 4: An organization requires 2000 addresses to cater to a large multimedia laboratory. Suggest a suitable supernetting scheme to cater to this requirement.

Solution

We will use eight class C networks, or CIDR /21, to give us 2,048 possible addresses. The 2,048 possible addresses are calculated by taking eight networks that will have 256 addresses each (8 x 256 = 2048). We must subtract two for the network and broadcast addresses (as in a subnetted network), giving us 2048 - 2 = 2046 possible addresses. The first address of the block given to the organization is 192.168.16.0 (this satisfies all the rules of supernetting). Starting with 192.168.16.0, all "connected" networks must be consecutive in the numbering of the third octet. The table below outlines the networks and available addresses.

Network        Available addresses   Usage circumstances
192.168.16.0   1-255                 First address not available
192.168.17.0   0-255                 All addresses available in range
192.168.18.0   0-255                 All addresses available in range
192.168.19.0   0-255                 All addresses available in range
192.168.20.0   0-255                 All addresses available in range
192.168.21.0   0-255                 All addresses available in range
192.168.22.0   0-255                 All addresses available in range
192.168.23.0   0-254                 Last address not available

Note: Certain IP addresses are valid with atypical numbers in the last octet of the address. For example, both 192.168.19.0 and 192.168.22.255 are valid addresses for a client, but they may not be available for use by all clients that connect to this network. This is because certain operating systems may not allow these types of addresses to be assigned as an IP address, since they may view the address as a network or broadcast address and as invalid for use as a client address (based on standard TCP/IP usage). Specifically, Windows NT and 2000 do not allow the use of the X.X.X.255 or X.X.X.0 IP addresses.

The resulting networks will start at 192.168.16.0 and increase in single increments up to 192.168.23.0. The supernet mask (which functions as a subnet mask for all involved network devices/systems) for these networks will be 255.255.248.0. This same supernet mask and default gateway will be used for all the networks on this supernet.

CIDR and Supernetting

CIDR is not a process of summarizing multiple classful networks (such as class C in supernetting) together. Instead, it works on variable length blocks called network prefixes that can be carved out of any type of address space (A, B or C). Also, when CIDR is deployed, there is no need for supernetting, since an organization is granted the right size block. If an organization is granted a block and later needs a larger block, a new block can be granted and the original block can be recycled. Furthermore, an organization can use subnetting in its allocated block of addresses. As an example, if the site prefix given to an organization is /17, the subnet prefix length can be 20 to create 8 subnets (2^3).

CIDR is an administrative procedure for arranging the Internet architecture in a hierarchy. Supernetting is simply a technical procedure for summarizing contiguous class C addresses.

Route Aggregation with CIDR versus Supernetting

Both CIDR and supernetting achieve route aggregation, but by using slightly different mechanisms. Supernetting and aggregation are extremely similar concepts, especially mathematically. The rules that select addresses in a block are different. In fact, it is how they are implemented that makes them distinct.

• Aggregation is what routers do to reduce their workload. They try to shorten network prefixes to minimize the total number of prefixes that must be advertised externally, either to the rest of the network or to the Internet. Supernetting, by virtue of its single-interface rule, requires physical consolidation of networks as opposed to just a logical consolidation of the network addresses into a smaller prefix.
• In CIDR, aggregation works on masks of variable length, whereas supernetting is used to aggregate classful C prefixes.

The figures below better demonstrate CIDR aggregation versus supernetting.

Figure 3: CIDR route aggregation with an extended prefix of /23
Figure 4: The pair of /24 networks are supernetted into a /23

In the top figure you can see that interconnectivity between the two /24 networks is achieved via the same router. This router recognizes that the two networks are numerically contiguous, and it advertises just a single /23 network prefix to the Internet. Thus, the Internet can reach both networks using just 23 bits of their network addresses. Inbound packets get only as far as the router shared by the /24 networks. That router must then examine the destination address of each inbound packet to determine which of its two /24 networks the packet is destined for. Making such a determination requires the router to make a routing decision based on all 24 bits of the two network prefixes.

Note: According to addressing principles, you can have multiple IP subnets on a single physical network, and you can have a single IP subnet that spans.