Quick Links
Subnetting a large network improves security, increases performance, and organizes your network in a logical way. But some of the calculations are tough. The Linux ipcalc command makes the planning stage easy.
What Is Subnetting?
Subnetting is a way to break a large network into smaller, connected pieces. Each piece is called a subnet. You might choose to organize your network so that your sales team uses one subnet, HR use another subnet, customer support use yet another subnet, and so on.
There are significant benefits to this. The first has to do with security and control. Without subnetting, everything is one big "flat" network. With subnetting, you can decide which subnets can talk to other subnets. Different subnets have different IP address ranges and use different subnet masks, which we'll talk about in a moment.
Your router must be configured to allow traffic from one subnet to reach another subnet. And, because the router is a managed device, that gives you control over the type of traffic and interaction that is allowed between different subnets.
Subnetting can also prevent unauthorized users and malware from roaming through your network unchecked. Or at the very least, it'll slow them down. Think of it like a submarine. If you get a hull breach in one section, you can close bulkhead doors so the rest of the vessel doesn't get flooded. Subnets are like those bulkhead doors.
Often, there are performance benefits purely from the act of subnetting a large network. If your network is big enough and busy enough, that performance increase will come from the reduction of network traffic inside each subnet. The drop in ARP traffic alone might make things seem more responsive.
And of course, once your network is compartmentalized, it's easier for your IT staff to understand, maintain, and support your infrastructure.
IP Addresses and Subnet Masks
That all sounds great, and it is. But it means we need to be very particular in our IP addressing. We need to use part of the IP address for the network ID, and part of the IP address for the device addressing. With subnets, we also need to use part of the IP address for the subnet.
IPv4 IP addresses use four three-digit numbers separated by periods. It's called dot-decimal notation. The range of these numbers is 0 to 255. The first two numbers are the network ID. The third is used to hold the subnet ID, and the fourth number is used to hold the device address. That's in simple cases.
Numbers are represented inside computers as sequences of binary values. If there are so few devices in the subnet that there are unused high bits in the device address number range, these "spare" binary bits can be used by the subnet ID.
How does the router or any other network device know what the composition of the IP address is? What indicates whether the subnet ID is wholly contained in the third number or if it poaches some of the high bits of the fourth number? The answer to that is the subnet mask.
The subnet mask looks like an IP address. It is four three-digit numbers, and the range of the numbers is from 0 to 255. But they really need to be thought about in their binary form.
Every binary bit that is a 1 in the subnet mask means the corresponding bit in the IP address refers to the network ID or subnet ID. Everything that is a zero in the subnet mask means the corresponding bit in the IP address refers to a device address.
Let's take a typical IP address and apply a subnet mask to it. The subnet mask has 255 for each of the first three numbers, and 0 for the fourth.
- IP address: 192.168.1.0
- Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
In binary 255 is 11111111. If the subnet mask bits are set to one, the corresponding bits in the IP address refer to the network ID and subnet ID. 255 in the subnet mask means all of the bits in the corresponding number in the IP address refer to the network ID or subnet ID.
The fourth number is zero, meaning no bits are set to one. So that number refers to the network device addresses. So our subnet mask of 255.255.255.0 means the first three numbers of the IP address hold the network ID and subnet ID, and the last number is reserved for network device addresses.
That means that a side effect of all this is that the subnet mask also determines how many bits in the IP address can be used to identify individual devices. In other words, the subnet mask determines which bits in the IP address identify the subnet and how many devices that subnet can contain.
Altering the subnet mask has a dramatic effect on the network. That's why we need to get it right.
The ipcalc Command
The ipcalc makes it easy to work out what the subnet masks and IP addresses need to be to correctly subnet your network. ipcalc was already installed on Fedora 36. We had to install it on Ubuntu 22.04 and Manjaro 21.
The command for Ubuntu is:
sudo apt install ipcalc
To install ipcalc on Manjaro, use:
sudo pacman -Sy ipcalc
As a minimum, we need to pass an IP address to ipcalc. If that's all we pass, ipcalc assumes a subnet mask of 255.255.255.0. It provides a readout of information about the network and the IP address.
ipcalc 192.168.1.0
The output contains dot-decimal values and their equivalent binary values. This is what each bit of information means.
- Address: 192.168.1.0. The IP address that we provided.
- Netmask: 255.255.255.0 = 24. The subnet mask. 255.255.255.0 is used if no subnet mask was provided on the command line. The 24 means there were 24 bits set to 1 in the subnet mask. These are used for the network ID and the subnet ID. These are counted from the left. The bits set to 1 will be an unbroken sequence of 1's. There cannot be any 0 bits among them. We know 8 bits set to 1 in binary gives us 255 in decimal. So 24 means three sets of 8 bits all set to 1. In dot-decimal that gives us 255.255.255. The rest of the bits will be 0, giving us 255.255.255.0. So by counting the bits set to 1 and presenting that as a decimal number like 24, we can convey an entire subnet mask. This is called Classless Inter-Domain Routing notation.
- Wildcard: 0.0.0.255. This is used in Cisco network devices as part of the allow list/block list settings.
- Network: 192.168.1.0/24. This is the network IP address and subnet described in CIDR notation. If there is a router connected to this subnet, it is often allocated the lowest IP address in the permissible range.
- HostMin: 192.168.1.1. The lowest IP address a device connected to this subnet can have.
- HostMax: 192.168.1.254. The highest IP address a device connected to this subnet can have.
- Broadcast: 192.168.1.255. This is the broadcast address. Network packets sent to this IP address are echoed to all devices in the subnet.
- Hosts/Net: 254. The maximum number of devices you can connect to this subnet. In this example, our device IP address range is 0 to 255, which means we can identify 256 different IP addresses (0 through 255). But we lose one IP address for the network IP address (the ".0" address) and we lose one for the broadcast IP address (the ".255" address).
- Class C, Private Internet: The class of the network.
The class of a network is indicated by the number of bits used for the network ID and subnet ID, plus a few bits used to contain the class of the network, called leading bits.
- Class A: Leading bits 0. IP addresses start with 0. Default subnet: 255.0.0.0. CIDR notation is /8.
- Class B: Leading bits 10. IP addresses start with 128. Default subnet: 255.255.0.0. CIDR notation is /16.
- Class C: Leading bits 110. IP addresses start with 192. Default subnet: 255.255.255.0. CIDR notation is /24.
- Class D: Leading bits 1110. IP addresses start with 224. Default subnet: undefined. CIDR notation is /4.
Changing the Subnet Mask
The ipcalc command can't change any settings so we can try whatever we want without fear of affecting anything. Let's see what effect changing the subnet mask has on our network.
You can use either CIDR or dot-decimal notation. With CIDR, a space is optional. These commands are all equivalent.
ipcalc 192.168.1.0/16
ipcalc 192.168.1.0 /16
ipcalc 192.168.1.0 255.255.0.0
This greatly increases the number of devices you can connect to that network. The network device addressing for this network starts at 192.168.0.0 and finishes at 192.168.255.254.
We lose one address for the network address and one for the broadcast address, as before. But that still gives us a whacking 65,534 possible devices.
But they'd all still be in one subnet.
Using ipcalc with Subnets
Let's say we want to add three subnets to our network, with capacity for 20, 15, and 80 hosts respectively. We can use the -s (split) option and follow it with our desired subnet sizes.
ipcalc 192.168.1.0 -s 20 15 80
The first section is the same as we have seen previously, where ipcalc gives an analysis of the network containing the IP address we provide on the command line. Our subnets are described in the following three sections.
In summary, the information we're given is:
First subnet:
- Subnet mask: 255.255.255.224
- First device address: 192.168.0.129
- Last device address: 192.168.0.158
- Subnet capacity: 30 devices
Second subnet:
- Subnet mask: 255.255.255.224
- First device address: 192.168.0.161
- Last device address: 192.168.0.190
- Subnet capacity: 30 devices
Third subnet:
- Subnet mask: 255.255.255.128
- First device address: 192.168.0.1
- Last device address: 192.168.0.126
- Subnet capacity: 126 devices
Note the green entries in the binary values. These are the bits that have been reserved for the subnet.
Also, note that because the first and second subnets have the same subnet mask of 27, three bits in the hardware field have been used for the subnet indicator. In the first subnet, the bits are 100 and in the second they are 101. This difference allows the router to correctly direct network traffic.
It Can Escalate Quickly
It'll be apparent that in a larger or more complicated network, it's very easy for a mistake to creep in. With ipcalc, you can be certain your values are right. You still have to configure your network, but at least you know that the values you're using are correct.
ncG1vNJzZmivp6x7qbvWraagnZWge6S7zGhva2tlZYBwssinm2arpZe7psCMppiso6NivK95y6KlrrBdnr2krcucZg%3D%3D