Network Subnetting Reference Sheet

network subnetting using subnet masks

I learned network subnetting using subnet masks. To me, the masks are easy: if you just convert the number into binary, then you know which numbers in an IP address are static (part of the base network) and which are not. But the new convention is to identify networks with the slash notation, such as /24 or /28. I don’t have these memorized and keep having to look them up. So, I decided to document them here for future reference. See the screenshot for a table of translations (aka a cheat sheet).

By convention, the first IP address in the subnet is normally the gateway address, and the last IP address in the subnet is the broadcast address. This means there are two fewer host addresses available for devices on your network: one IP has already been given to the gateway and another to the broadcast address.
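The slash-to-mask translation from the cheat sheet, together with the host accounting in the paragraph above, worked out in code. This is an added example, not code from the original post; it assumes IPv4 only and uses just Python's standard library. `usable_hosts` is the block size minus the two reserved addresses (the first and last addresses of the block, the last being the broadcast), with /31 and /32 treated separately because they reserve none.

```python
import ipaddress

# Added example, not code from the original post: the arithmetic behind the cheat sheet.
# Assumes IPv4 only and uses the standard-library ipaddress module.


def prefix_to_mask(prefix: int) -> str:
    """Return the dotted-decimal mask for a /prefix (e.g. 28 -> '255.255.255.240')."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    # A mask is 'prefix' ones followed by zeros; build it as a 32-bit integer.
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def mask_to_binary(mask: str) -> str:
    """Show a dotted mask as four 8-bit groups so the fixed (1) and host (0) bits are visible."""
    return ".".join(format(int(octet), "08b") for octet in mask.split("."))


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted mask back to a prefix length, rejecting non-contiguous masks."""
    bits = format(int(ipaddress.IPv4Address(mask)), "032b")
    # A valid mask is a run of ones then zeros; any '0' followed by a '1' breaks that.
    if "01" in bits:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return bits.count("1")


def subnet_summary(cidr: str) -> dict:
    """Describe a network written in slash notation, e.g. '192.168.1.0/28'."""
    net = ipaddress.IPv4Network(cidr, strict=False)  # strict=False also accepts a host address
    total = net.num_addresses
    if net.prefixlen <= 30:
        # The first address (network) and the last (broadcast) are never given to hosts,
        # hence the "two fewer" in the text.
        usable = total - 2
        first_host = net.network_address + 1
        last_host = net.broadcast_address - 1
    else:
        # /31 (RFC 3021 point-to-point links) and /32 (a single host) reserve nothing.
        usable = total
        first_host = net.network_address
        last_host = net.broadcast_address
    return {
        "cidr": str(net),
        "mask": str(net.netmask),
        "mask_bits": mask_to_binary(str(net.netmask)),
        "network": str(net.network_address),
        "first_host": str(first_host),
        "last_host": str(last_host),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def cheat_sheet(low: int = 24, high: int = 30) -> list:
    """Rows of (prefix, mask, usable hosts) for the common LAN sizes."""
    return [
        (p, prefix_to_mask(p), subnet_summary(f"0.0.0.0/{p}")["usable_hosts"])
        for p in range(low, high + 1)
    ]


if __name__ == "__main__":
    for prefix, mask, hosts in cheat_sheet():
        print(f"/{prefix:<3} {mask:<16} {mask_to_binary(mask)}  hosts={hosts}")
    for key, value in subnet_summary("192.168.1.0/28").items():
        print(f"{key:>12}: {value}")
```

`mask_to_prefix` refuses masks such as `255.255.0.255`: a mask whose ones are not contiguous has no slash equivalent, and accepting one silently is a common source of wrong ACL matches.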

Additionally, it’s worth remembering that three private IP networks are set aside as non-routable on the Internet, per RFC 1918 (see http://tools.ietf.org/html/rfc1918 for further information). You should be using one of these non-routable networks, 10.0.0.0, 172.16.0.0 or 192.168.0.0, within your own network. Even though these addresses should not route on the Internet, it’s a good idea to add firewall access control list (ACL) rules that drop incoming packets whose source is one of these private addresses and permit outgoing packets only when their source is one of these private addresses.
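The two ACL rules just described, modelled as a small packet filter that can be run over sample traffic. This is an added example, not code or configuration from the original post; the packet list is constructed, and the filter is assumed to sit on the ingress router where outgoing packets are still seen with their pre-NAT private source addresses.

```python
import ipaddress

# Added example, not code from the original post. Models the two ACL rules from the text
# (drop private sources arriving from outside, require private sources leaving the LAN)
# using only the three RFC 1918 ranges.

# The three RFC 1918 private networks, written in slash notation.
RFC1918_NETWORKS = (
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
)


def is_rfc1918(ip: str) -> bool:
    """True if the address falls inside one of the three RFC 1918 ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


def acl_decision(direction: str, src_ip: str) -> str:
    """Apply the two rules from the text to one packet, given its direction and source.

    'in'  = arriving from the Internet: a private source cannot legitimately originate
            outside, so it is dropped as spoofed.
    'out' = leaving the LAN (seen before NAT): only private sources are expected, so
            anything else is dropped as a misconfigured or spoofing inside host.
    """
    private = is_rfc1918(src_ip)
    if direction == "in":
        return "drop" if private else "allow"
    if direction == "out":
        return "allow" if private else "drop"
    raise ValueError(f"unknown direction {direction!r}")


def evaluate(packets) -> list:
    """Run the ACL over (direction, source) pairs; return (direction, source, decision)."""
    return [(d, s, acl_decision(d, s)) for d, s in packets]


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS = [
    ("in", "203.0.113.10"),     # ordinary Internet source: passes on to later rules
    ("in", "10.1.2.3"),         # private source arriving from outside: spoofed, drop
    ("in", "172.32.0.1"),       # just past 172.16.0.0/12, so NOT private: allowed
    ("out", "192.168.1.20"),    # LAN host: allowed
    ("out", "172.31.255.254"),  # still inside 172.16.0.0/12: allowed
    ("out", "198.51.100.7"),    # non-private source leaving the LAN: drop
]


if __name__ == "__main__":
    for direction, src, decision in evaluate(SAMPLE_PACKETS):
        print(f"{direction:<4} src={src:<16} -> {decision}")
```

The membership test is written against the three networks explicitly rather than using `IPv4Address.is_private`, because that property also matches loopback, link-local and other special-purpose ranges that are not RFC 1918 space; the 172.16.0.0/12 boundary (172.31.255.255 is in, 172.32.0.0 is out) is where hand-written rules most often go wrong.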

Of course, I’m assuming you are using NAT (network address translation) at your network ingress point. I generally have one NAT defined at the ingress and another defined for the wireless access point (AP). You might notice that this means my AP is not the same device as the router. This is on purpose, so that I define port ACLs on the ingress router and enable stateful firewalling on the AP. This helps speed up the AP because it’s not busy dropping packets that the ACLs can more quickly trash.