A Dive Into Subnetting


Hello homies and homets! PySec/Airth here coming at you with some 1337 subnetting. This article was originally posted on Null Byte but since I joined the 0x00sec team and there are a ton of new comers, I decided to re-upload some of them so people won’t get confused with the rest of the posts I will upload in the future.Today’s topic is subnetting as you have probably guessed by the title. So, Ever wondered what that "/24" or the "/27" etc mean? Well, I’m about to teach you how and why we use it. Many people know what a subnet mask is but not that many know how to create and read one. There are two types of subnet creation:

  • Based on Network Requirements

  • Based on Host Requirements

In this article we will focus on Network Requirements. Let’s get right into it!

DISCLAIMER: Binary knowledge is mandatory in order to comprehend the concepts that will be shown below.

Let’s look at a situation that would require custon subnetting, shall we?

Let’s assume that our company has purchased the IP address with the default subnet mask and want to use it to address our network. Wait a second, “purchased”? Why did the company need to buy the IP address? Well, keep in mind that when we are working with IP addresses, there are the private ones and the public ones. You don’t have to pay for the private ones, you can create them, make them up and design your own internal network but those IP addresses don’t work on the Internet, they are blocked by every Internet Service Provider. Which IP addresses are public or private isn’t today’s discussion. So if you are not familiar with those terms I would advice you to google yourself around.

Let’s go back to our example. So our company has purchased the address with a subnet mask, which means we can’t go outside of the 180.20.5 block. Why? If you have read Part 1 of my IP addressing series you would hopefully know by now that if you line up the first 3 octets of your IP address with the first 3 octets of your subnet mask, you get the network that you belong to. In our case we belong to the 180.20.5 network. So we get 1 network with that subnet mask and the 4th octet of the subnet mask represents the hosts. In our case, 256(counting from 0 to 255) but in reality the address represents the network and the is the broadcast address so 254 are the actual usable hosts.

There’s a problem to that though. Let’s have a look at our company’s topology:

Let me ask you this question. How many network do you see in this picture? Think, think, think. Don’t look below because you will see the answer!

Gotcha! Don’t be sneaky!

Hopefully you didn’t cheat! The answer is 5. Did you get it right? If you did, post it below in the comment section. If you didn’t get it right, no worries, neither did I when I was new to networking.

Every interface of a router represents the end of a network and the beginning of a new one. That’s really handy for them and for us because if one of those computers send a broadacst on their network, it will stay in their network thanks to our router. But hey! Those 5 networks are an issue for our company. Our company has 5 networks, but we purchased an address that gives us 1 network.

Welcome to Subnetting

Subnetting is a way of partitioning a single physical network into more than one smaller logical sub-networks (subnets). In other words, it sacrifices how many hosts you can have per network in order to get more networks. So essentially, we “play around” with the host bits. Now you may be asking “Bits? I only see decimal, in that case 0, representing the hosts. I don’t see any bit.” Remember that warning in the beginning of the article? Binary is coming at you shortly.

Firstly, let’s discuss about the process of “playing around”:

* Convert the number of networks to binary

* Reserve bits in subnet mask and find the increment

* Use the increment in order to find the network ranges

As the first step says, I converted the 5 networks of our company to binary. 5 equals to 0000 0101 in binary or 101 because 0s don’t affect the number’s value. So 5 takes 3 bits in reality, right? We can’t get the number 5 with any less than 3 bits.

Now what does the 2nd step mean? Well, the way we do this is by taking the subnet mask and look at it the way our devices look at it, in binary.

What does it mean to reserve bits in the subnet mask though? Well, we have to look at step 1, specifically, at 5’s binary representation. 5 takes 3 bits in binary as we agreed above. Now I want you to take a mental leap with me. 255 in the subnet mask represents the network, 0 represents the hosts, right? Is it ok to make the statement:

-1s represent the network and 0s represent the hosts.

Hm? All good with that statement? Makes sense, right? Ok good. So let’s start putting some of the pieces together. I can’t get the number 5 with any less than 3 bits and we’ve just agreed on the statement “1s represent the network and 0s represent the hosts”. So what does it mean to reserve bits in the subnet mask?

It means I pick up right where the 1s leave off and I say “I need 3 network bits and the rest can stay hosts.” Alright alright, wait a second. Isn’t 5 101 in binary? Why did I put 111 in the last octet and not 101? Well, it doesn’t really matter at all what the binary number is. All it matters is how many bits does it take to get the number 5. If we had the number 20 for example, then its binary representation would be 10100. All I’m after is how many bits it takes in order to be represented in binary, which is 5.

Believe it or not, at this point we already know what our subnet is going to be for this entire network. How? We can take the new binary version of the subnet mask and convert it back to decimal.

The first 3 octets haven’t changed and frankly they can’t change because that’s what we were given. We can only subnet the host bits because that’s our playground. The 0s are the ones we can modify while the first 3 octets of the subnet mask help us identify the network. So we will convert the last octet back to decimal and voila! Our new subnet mask is The way most people write that is Why “/27”? Because 27 are the network bits! Count them! See, doesn’t it make sense now? Alright, we have our subnet mask but doesn’t really mean anything. We still have to find our network ranges. So we did the reservation. Now it’s time for the increment. What’s that increment though?

The increment is the lowest network bit converted back to a decimal number. In our case, 32.

Off to the last step. Now we have to use that increment. This is where all gets put together. 32 is our increment and the IP that were given is and we can find out how many IP addresses we can get per network. How we do that?

Bam! Here are our 5 networks. In reality there are more than 5 as you can see from the picture but we care about the 5 first ones since 5 is our network requirement. So we could assign the first range for the router link, the second one for the network between one of the computers and its router and so on. Be careful! The first and last address of each range aren’t usable. Why? The first one represents the network and the last one is the Broadcast address.

Time to answer some questions. Some of you may be curious and may be thinking “Wait a second, this is giving me more than 5 networks.” That’s obvious from the picture as well. Yes, it does give you more than 5 because of how binary works. So you can think of it as that this process will give you at least 5 networks. But hey, I’m not writing this article just to write it. I will prove it to you. How do we know it’s going to give us more than 5 networks or how do we know how many hosts we will have per network?

There’s a really simple formula for that. All you have to do in order to find the amount of networks you are going to get is to calculate 2^number of subnet bits you ended up adding. In our example, 2^3, which equals to 8. So we will get 8 networks. You don’t believe me? Enough of me proving it to you, time for you to see it by yourselves. I will just give you a small hint; .255 is the last possible value of an octet and our network is

Do you want to know how to find the number of hosts per network? I bet with a tiny bit of thought you can guess that pretty easily. The formula is 2^number of 0s, so 2^5 = 32. But remember, whenever you find the number of hosts, always substract 2. Which makes sense because if you look back at the picture above, the first range is Counting from 0 to 31 gives us 32 and so do the other ranges as well.

You just completed an extremely essential part of your learning career. I know I know, too much to grasp, but trust me, more to come soon, this is just the beginning but if you understood the method and the image behind it, you have nothing to be scared of. You are well on your way to become a subnetting wizard. Here’s an exercise for you:

In this scenario you’ve got to deal with a class C network once again with the IP and the subnet mask Your objective is to break that network into 50 networks.

Remember, this is just the beginning. Next article we will discuss about subnetting other classes of addresses. I hope this article has been informative for you and I would like to thank you for taking the time to read it. Feel free to post your answer of the assignment in the comment section and in case you didn’t understand something fully, make sure you research it a little bit before you ask. Have an amazing day and stay awesome.

P.S -1s represent the network and 0s represent the hosts.




:clap: Well written, giving a foundation to the fresh meat of our world!



Yep, you always gotta start from the ground up. Ain’t that right mate?

1 Like

(oaktree) #4

Or the left bit, because, you know…


Routing Protocols ~ OSPF ~ Part II
(Leader & Offsec Engineer & Forum Daddy) #5

Awesome guide man! I always sort of got sub-netting, but never properly. This has definitely helped me to understand it! Thanks! I look forward to your next one!



You can check your subnetting practice with a Subnet Calculator


closed #7

opened #8

(oaktree) closed #9