We create IP networks which are made up of a group of consecutive IP addresses allocated to devices on that network. The division of addresses is called subnetting. A single group, or subnet, could contain just a couple of IP addresses or thousands depending on what devices will be a part of it. Routers separate different subnets.
Subnets allow us to group together logically distinct parts of the network. For example:
Different sites
Different security domains
Different companies
Different organizations / customers
What is our address space?
How many subnets do we need?
How many hosts will be on each subnet?
Here we focus on subnets which are all the same size. This can make life easier but it can also waste address space if you have different numbers of hosts on each subnet.
The number of subnets you require will be a combination of business needs (security, physical location, organization structure) and network design.
There can be business reasons for how you define subnets. From a security perspective you may want to have finance and human resources hosts on different subnets from the rest of your users. This provides layer 3 separation as part of a ‘defense in depth’ strategy making it harder for bad actors to reach important information on the network. If you have a network which is spread across different locations, they should probably have distinct subnets to help manage routing between the sites. Finally, if you’re a large technical organization then different teams may want their own IP space so that they can manage their own infrastructure without worrying about interfering with other parts of the company.
Subnets are separated by routers so your subnet implementation will depend on where you have routers in the network. For a small network, you may just have a few subnets connected to a single router which also allows traffic to and from the internet. Each different VLAN you have will also need to be assigned a subnet.
If you have multiple sites or large sites then you will probably have multiple routers which may have point to point (P2P) links configured between them. Each P2P link will also need its own subnet. Different types of WAN link may or may not need individual subnets between each site depending on your setup.
This can result in some subnets having many hosts whilst others (such as P2P links) may just have a couple.
Although it is often easiest to represent IP addresses in dotted decimal (e.g. 127.0.0.1), sometimes we must consider their binary representation. To do this, we represent each octet as 8 bits in binary and then combine them to make a single 32 bit number.
127
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
0 1 1 1 1 1 1 1
64 + 32 + 16 + 8 + 4 + 2 + 1 = 127
0
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
0 0 0 0 0 0 0 0
0
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
0 0 0 0 0 0 0 0
1
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
0 0 0 0 0 0 0 1
Then we combine them, starting with the most significant number which is the first octet:
01111111 00000000 00000000 00000001
01111111000000000000000000000001
With subnetting, we can imagine splitting any IP address into two parts: network, subnet and host.
For example, the bits could be allocated as follows:
nnnnnnnnsssssssshhhhhhhhhhhhhhhh
n = network bits
s = subnet bits
h = host bits
The number of bits allocated for each part will vary according to requirements and limitations as discussed below.
In some contexts, we just treat the address as two parts: network (or subnet) and host. For example:
nnnnnnnnnnnnnnnnhhhhhhhhhhhhhhhh
n = network/subnet bits
h = host bits
The Network portion of the address is fixed by the address space you have available – either allocated by your service provider or the private network which you are using internally. For example if you are using the 10.0.0.0/24 private address range, the network portion is the ‘10’ which is the first 8 bits of the address.
As the network architect, you get to decide the length of the next part of the address. This will depend on how many subnets you need. Here we’re assuming that each subnet is the same size. We must allocate enough bits of the address to the subnet portion to support the number of different subnets which we need. We can work this out as follows
2 ^ n >= x
n is the number of bits allocated
x is the number of subnets required
For example, if we need eight subnets (x = 8) then we could allocate 3 bits (n = 3):
2 ^ 3 = 8
The quickest way to work out the number of bits required is just to remember the powers of two (and you’ll have to round up).
The final bits of the address form the host portion. The more host bits you have, the more hosts can be on the subnet.
In each subnet there are two addresses which are reserved: the network address and the broadcast address. These addresses cannot be assigned to hosts.
The network address is the first address in the subnet range. It is given by setting all of the host bits to zero.
The broadcast address is the last address in the subnet range. It is given by setting all of the host bits to one.
nnnnnnnnssssssss0000000000000000
nnnnnnnnssssssss1111111111111111
Because we must account for the fact that we can’t use the first and last addresses in a subnet range, the total number of hosts supported by a subnet is calculated as
(2 ^ m) – 2 = y
m is the number or host bits
y is the number of IP addresses available for hosts
When we are configuring a router or assigning IP addresses to other people, we need an easy way of describing how many bits are available for hosts and how many are fixed (the network/subnet portion). We do this with subnet masks. A subnet mask is another binary number which uses ones to represent fixed parts of the address (network / subnet bits) and zeros to represent the host bits.
If we have been allocated a 16 bit fixed network address and then define a subnet with a further 8 bits then our subnet mask would be as follows:
nnnnnnnnnnnnnnnnsssssssshhhhhhhh
11111111111111111111111100000000
We typically convert this back to dotted decimal notation:
11111111 11111111 11111111 00000000
255 255 255 0
Therefore, our subnet mask is 255.255.255.0. If we were assigning the first subnet (0) with a network address of 10.10 then we could specify the subnet as follows:
10.10.0.0 255.255.255.0
The network address will be at 10.10.0.0. The broadcast address is 10.10.0.255. All hosts will be assigned addresses in the range of 10.10.0.1 to 10.10.0.254.
Specifying a full, dotted decimal subnet mask is not always the best way of describing a subnet. Classless Interdomain Routing (CIDR) is a term to describe the allocation of subnets using the network prefix and host bits – the system we discussed above. This replaced the historic policy of having classful networks with rigid allocations. CIDR notation describes a subnet by using a decimal number to specify the number of bits which define the network prefix of the address. This is given as a prefix indicated with a slash appended to the network address of the subnet. For example 192.168.0.0/16 would define the subnet from 192.168.0.0 to 192.168.255.255.
10.10.1.0 255.255.255.0
Subnet Mask (255.255.255.0) in Binary
11111111 11111111 11111111 00000000
Network Bits = 24
CIDR Notation: 10.10.1.0/24
Sometimes we start with the number of hosts required rather than with the number of subnets. In this case, we must work out how many host bits we need to support the number of hosts. We can start with the equation used above. Then rearrange to account for the 2 hosts we lose due to the broadcast and network addresses. Finally work out what power of two is required to have sufficient hosts.
(2 ^ m) – 2 = y
m is the number or host bits
y is the number of IP addresses available for hosts
2 ^ m = y + 2
For example, if we needed to support 50 hosts, y = 50 and we need to be in the 10.0.0.0 private address space.
2 ^ m - 2 = y
m is the number or host bits
y is the number of IP addresses available for hosts
2 ^ m - 2= 50
Now we can try a few values of m, based on the powers of two that we know:
(2 ^ 5) - 2 = 32 – 2 = 30 which is too small
(2 ^ 6) - 2 = 64 – 2 = 62 which will support the 50 hosts we need
Now that we know the number host bits required (y) is 6, we can find the number of network bits by subtracting y from 32.
Network Bits = 32 – Host Bits = 32 – 6 = 26
Therefore in CIDR notation we could allocate the following subnet: 10.0.0.0/26
We can then use the network bits to calculate the full subnet mask:
8 8 8 2
11111111 11111111 11111111 1100000000
255 255 255 192
So we could specify the subnet as 10.0.0.0 255.255.255.192
Finally, for this subnet we can calculate the network and broadcast addresses for this subnet:
10 0 0 0
nnnnnnnn nnnnnnnn nnnnnnnn nnhhhhhh
00001010 00000000 00000000 00000000
The network address simply has all the host bits set to zero so it will be 10.0.0.0.
For the broadcast address, we must ‘flip’ the host bits to be all ones. We don’t touch the network bits.
nnnnnnnn nnnnnnnn nnnnnnnn nnhhhhhh
00001010 00000000 00000000 00111111
10 0 0 63
Therefore the first subnet range will be 10.0.0.0 to 10.0.0.63 with hosts from 10.0.0.1 to 10.0.0.62.
We could then choose to allocate the next range as 10.0.0.64/26 which would be from 10.0.0.64 to 10.0.0.127.