Listen to this Post
Introduction:
Subnetting is the silent guardian of every enterprise network—it transforms chaotic IP address allocation into structured, efficient, and secure communication paths. Without subnetting, even a medium-sized company would drown in broadcast storms, exhausted IP ranges, and impossible troubleshooting. Mastering this skill isn’t just about passing the CCNA or CCNP; it’s about gaining surgical control over network segmentation, performance, and cyber resilience.
Learning Objectives:
– Calculate network IDs, broadcast addresses, and usable host ranges for any given subnet mask and CIDR.
– Implement Variable Length Subnet Masking (VLSM) to minimize IP waste in real-world scenarios.
– Apply subnetting to firewall rules (FortiGate) and cloud security groups for effective isolation.
You Should Know:
1. The Binary Shortcut – Subnetting Without a Calculator
Most engineers panic when they see binary, but subnetting becomes second nature once you memorize the 8-bit octet values (128,64,32,16,8,4,2,1). This section turns theory into a step-by-step mental math process.
Step‑by‑step guide – Finding the network address in 5 seconds:
1. Write the IP address (e.g., 192.168.10.45/26). The /26 means 26 network bits → 6 host bits.
2. The interesting octet is the 4th (since /26 > 24). Block size = 256 – 192 (where 192 = 128+64 from the 4th octet’s subnet mask) = 64.
3. Find the multiple of 64 just below 45 → 0, 64 → network address = 192.168.10.0.
4. Broadcast = next network minus 1 → 192.168.10.63.
5. Usable hosts = 64 – 2 = 62 addresses (10.1 to 10.62).
Linux command to verify:
`ipcalc 192.168.10.45/26`
Windows PowerShell:
`[System.Net.IPAddress]::new( ( [System.Net.IPAddress]::Parse(“192.168.10.45”).Address -band [System.Net.IPAddress]::Parse(“255.255.255.192”).Address ) )`
2. VLSM in Action – Designing a Real Office Network
VLSM allows you to use different subnet masks within the same classful network, avoiding the waste of fixed-length masks. Imagine you have 192.168.1.0/24 and need subnets for: IT (60 hosts), HR (25 hosts), Admin (10 hosts), and a point-to-point link (2 hosts).
Step‑by‑step guide:
1. Sort by largest host requirement first: 60 hosts needs a /26 (block 64) → 192.168.1.0/26.
2. Next, 25 hosts → needs /27 (block 32). Start where previous ended: 192.168.1.64/27.
3. 10 hosts → needs /28 (block 16). Start at .96 → 192.168.1.96/28.
4. 2 hosts → needs /30 (block 4). Start at .112 → 192.168.1.112/30.
5. Verify no overlap: .0–.63, .64–.95, .96–.111, .112–.115. All clean.
Cisco CLI example (configure an interface):
interface GigabitEthernet0/0 ip address 192.168.1.1 255.255.255.192 no shutdown
3. CIDR Cheat Sheet & Wildcard Masks for ACLs
CIDR (Classless Inter-Domain Routing) replaces classful thinking. Wildcard masks are the inverse of subnet masks and are critical for OSPF and access lists.
Step‑by‑step guide to convert subnet mask to wildcard:
– Subnet mask 255.255.255.240 (/28) → invert each octet: 0.0.0.15.
– Use wildcard in an ACL to match a subnet: `access-list 100 permit ip 192.168.1.0 0.0.0.15 any`
Windows command – list all subnets on your PC:
`route print -4`
Linux – show routing table with CIDR:
`ip route show | grep -E ‘\/[0-9]+’`
4. FortiGate Firewall Segmentation Using Subnets
Security relies on subnet boundaries. On a FortiGate NSE4, you can create VLAN subinterfaces each with its own subnet, then enforce policies between them.
Step‑by‑step FortiGate CLI:
1. Create VLAN 10 for IT (192.168.10.0/24):
`config system interface`
`edit “IT-VLAN”`
`set vlanid 10`
`set interface “port1″`
`set ip 192.168.10.1 255.255.255.0`
`next`
2. Create VLAN 20 for HR (192.168.20.0/24).
3. Add firewall policy to block HR from IT but allow IT to HR:
`config firewall policy`
`edit 0`
`set srcintf “HR-VLAN”`
`set dstintf “IT-VLAN”`
`set action deny`
`set schedule “always”`
`next`
5. Troubleshooting Subnet Misconfigurations (Ping & Traceroute)
A common exam and real‑world scenario: two hosts in different subnets cannot ping each other even though the switch is fine. The issue is often a wrong default gateway or misconfigured subnet mask.
Step‑by‑step debugging on Linux/Windows:
1. On host A (192.168.1.10/24), run: `ip a` (Linux) or `ipconfig` (Windows). Check mask is 255.255.255.0.
2. On host B (192.168.2.20/24), verify its mask. If both are /24, they are in different networks. They need a router.
3. Check if default gateway is set: `route -1` (Linux) or `route print` (Windows). Gateway must be in the same subnet as the host.
4. Ping gateway first: `ping 192.168.1.1`. If fails, mask or cable issue.
5. Enable ICMP redirects on router: Cisco `ip routing` then `ip route 0.0.0.0 0.0.0.0
6. Cloud Hardening with Subnets (AWS/Azure Example)
In cloud environments, subnets become Availability Zone‑level isolation. A misconfigured subnet route table can expose internal databases.
Step‑by‑step AWS hardening:
1. Create a VPC with CIDR 10.0.0.0/16.
2. Add public subnets (10.0.1.0/24) with an Internet Gateway attached to the route table.
3. Add private subnets (10.0.2.0/24) with no Internet Gateway – only NAT Gateway or VPN.
4. For a database subnet (10.0.3.0/28), use Network ACLs to allow only port 3306 from the app subnet.
– NACL inbound rule: Allow TCP 3306 from 10.0.2.0/24, Deny all else.
Azure CLI command to list subnets:
`az network vnet subnet list –resource-group MyRG –vnet-1ame MyVNet`
7. Subnetting Automation with Python (for Network Engineers)
Instead of manual tables, write a quick script to generate subnet details. This is invaluable for large‐scale audits.
Step‑by‑step script example (Linux/WSL or Windows Python):
import ipaddress
network = ipaddress.ip_network('192.168.1.0/26', strict=False)
print(f"Network: {network.network_address}")
print(f"Broadcast: {network.broadcast_address}")
print(f"Netmask: {network.netmask}")
print(f"Hosts: {list(network.hosts())[:5]}...") First 5 hosts
for subnet in network.subnets(new_prefix=28):
print(f"Subnet /28: {subnet}")
Run with `python3 subnet_tool.py`. This helps verify VLSM designs instantly.
What Undercode Say:
– Subnetting is not optional – even with IPv6, you must understand prefix boundaries and aggregation for route filtering and security zones.
– Practice with real gear or simulators – daily mental math on /26 to /30 boundaries eliminates exam anxiety and cuts down incident response time.
Analysis (10 lines):
Subnetting remains the most underrated skill in modern networking. While many engineers rely on calculators, those who internalize binary shortcuts debug routing loops in minutes instead of hours. The move to cloud and SD‑WAN has made VLSM even more critical – every route table, every security group, and every VPN tunnel depends on correct CIDR definitions. Attackers often exploit overly broad subnet permissions (e.g., /16 instead of /28 for a management network). Mastering subnetting directly reduces your blast radius. Moreover, certifications like CCNA and CCNP devote nearly 30% of exam weight to subnetting; failing here means failing the test. From a career standpoint, a network engineer who can design a zero‑waste IP plan using VLSM is worth twice as much as one who guesses. Finally, the discipline of subnetting teaches systematic thinking – break a large problem into smaller sub‑problems, solve each, then re‑assemble. That’s the essence of all engineering.
Prediction:
– +1 Subnetting will become a core prerequisite for AI‑driven network automation – AI agents need strict IP boundaries to safely push config changes.
– +1 As IoT deployments explode, VLSM will be the only way to cram millions of sensors into limited private IPv4 address space, extending IPv4’s lifetime by another decade.
– -1 Misunderstanding subnetting will lead to more cloud data breaches in 2026–2027, where over‑permissive route tables expose storage buckets to the public internet.
– -1 Without mandatory subnetting drills in training programs, entry‑level engineers will increasingly rely on “default” cloud VPC settings, causing cross‑tenant traffic leaks in multi‑tenant environments.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: [Sayed Hamza](https://www.linkedin.com/posts/sayed-hamza-jillani-9a6b95204_networking-subnetting-ccnp-ugcPost-7468233984473452544-dPaB/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow UndercodeTesting & Stay Tuned:
[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)
