The idea behind subnetting a network and the use of subnet masks isn’t an incredibly difficult concept, but the details surrounding network subnetting have changed a bit through the years. Subnetting has practically nothing to do with network security, and it has little to do with minimizing the use of IPv4 addresses. Subnetting is simply a way to design and interconnect groups of networks.
You might think, why subnet at all? Let’s just all use separate IP addresses and not worry so much about splitting things into smaller chunks. Unfortunately, we quickly run into problems when my IP address in Tallahassee needs to talk to your IP address in Sydney. It’s practically impossible for our Internet routers to maintain an entire table of everyone’s individual IP address; the lookup process would be painfully slow, and the amount of memory needed to maintain such a massive list would be impractical. Instead, most routers have a much smaller table that contains groups of networks, or subnets. These network routing tables provide routers with the information they need to pass the packets along in the right direction.
This is a concept that’s similar to old-school telephone systems in the United States. The entire county is split into “area codes,” and we have individual “exchanges” within a single area code. If 212-555-1212 needs to call 305-555-1212, the telephone switches in the 212 area code simply pass the request to the telephone switches in the 305 area code. The 212 phone switches don’t have a list of every possible phone number in the 305 area, and they don’t need to. The 305 phone switches transfer the call to the local 555 exchange, which then can direct the phone call to the local 1212 number.
One of the legacy terms that we often throw around is a “class” of subnet, and the topic of class-based IP networks is important enough to appear in your certification exam requirements document. However, designing your network subnets using terms like “Class A,” “Class B,” or “Class C” is completely antiquated. We haven’t subnetted networks using strict classes since 1993.
When the Internet was relatively young, we didn’t need to define specific subnet masks at all. You could simply look at the first four bits of an IP address, and you’d automatically know the subnet mask based on predefined “classes.” As the Internet grew, we quickly realized that we would need a more precise way to split our networks apart, and we moved from class-based addressing to a more flexible addressing scheme called Classless Inter-Domain Routing, or CIDR (pronounced “cider”). Note the use of the word “classless” there.
To help continue our confusion around class-based subnets, we sometimes fall back on some of these ancient subnetting names when we refer to some of our modern subnet masks. We’ll sometimes say that a network has a “class C subnet.” This is a shortcut to describe our subnet mask as 255.255.255.0 without having to say the entire thing. It takes a long time to say “two-fifty-five dot two-fifty-five dot two-fifty-five dot zero!” Instead, we say “it’s a Class C.” What we’re really saying is “the subnet mask for this network is coincidentally the same as the old-style class C addresses.”
Here’s how subnetting is used in the real-world. If you were connecting a company to the Internet for the first time, you’d hire an ISP to provide you with a network connection. You’d connect this Internet connection to a router, and you’d connect your company’s internal network to another port on the same router. The Internet provider will provide you with a single IP address. Notice that I didn’t say an IP address range; IPv4 addresses are at a premium, and you probably don’t need more than one “public” IP address in most situations. Nearly every company uses a feature in their router called Network Address Translation to translate every internal IP addresses to this single public IP address.
This ability of our routers to provide network translation means that network administrators can split the company networks into as many pieces as they’d like. This works perfectly with RFC 1918, which provides blocks of private IP addresses that can be used for internal or “private” networks. These private IP addresses are not routable over the Internet. Even if you tried, the Internet routers would drop your packets immediately.
One of the address ranges provided in RFC 1918 is 10.0.0.0/8. Without any type of subnetting, this CIDR block describes a single network address that can have over sixteen million hosts. That’s not practical on anybody’s network, so it makes perfect sense to split this up into smaller chunks.
This is a critical point when building a network. How do you split the network up into subnets that can efficiently route and separate traffic, but not so small that the networks can’t grow? You want to consider the size of your company, the number of devices that you’d ever need on a single subnet, and the estimated growth of your organization. You really don’t want to get this one wrong; you’ll spend a lot of time later on reconfiguring your entire network with a different subnetting scheme.
Let’s say that you have 1,000 remote locations, but none of the remote sites are very large. Your headquarters location has a few hundred people, but they all work on different floors (and you’ll put each floor on different subnets). Given this information, you might want to use a subnet mask that will split the 10.0.0.0 network into thousands of pieces that would allow for a couple of hundred users on each network.
If we used a subnet mask of 255.255.0.0 with our network address of 10.0.0.0, we would support over 65,000 users per network but we could only have about 250 networks. Since we have over 1,000 remote locations, this subnet mask wouldn’t work for us.
A commonly seen subnet mask for this configuration would be 255.255.255.0. You could even use 255.255.254.0, or perhaps even 255.255.252.0, but we don’t often do that because of the math involved. Us human beings try to use subnet masks that use all ones or all zeros in a single octet because it’s easier to calculate the network information in our heads. This probably shouldn’t be a consideration when deciding on your company’s network subnetting scheme, but it’s one of those things that you often see in the real world.
With a network address of 10.0.0.0 and a subnet mask of 255.255.255.0, you would have a lot of networks! The range of your networks would be 10.0.0.0 through 10.255.255.0. This would allow you to have over 65,000 networks, and the remaining octet would allow for 254 different host addresses on each network. This fits perfectly with our need for over 1,000 networks and a requirement of a couple of hundred users per network.
How the subnet mask is used
We now have an IP address and subnet mask scheme, and we can start rolling out IP addresses to different networks. Let’s say that we’ve assigned a network address to a remote location of 10.25.6.0. With our subnet mask of 255.255.255.0, this means that a user’s workstation might be given this configuration:
IP address: 10.25.6.55
Subnet mask: 255.255.255.0
Default gateway: 10.25.6.1
Here’s an interesting fact about subnet masks; unlike IP addresses, the subnet mask isn’t transmitted in the traffic flow between devices. The subnet mask is only used by the local computer, and it’s only used to help the computer determine which network it belongs to.
In our example, the combination of our computer’s IP address of 10.25.6.25 with our subnet mask of 255.255.255.0 means that the computer knows to send local network traffic directly to devices in the IP address range of 10.25.6.1 through 10.25.6.255. If the IP address of a destination computer is ever anything different, the computer knows that the traffic needs to leave the local network and it will send the packet to the default gateway of 10.25.6.1. The default gateway is IP address of the local router, and the router has the all of the information it needs to send packets from the local network to other networks (and perhaps the Internet).