My guide to IPv4 Subnets

Whenever you work with networks and IP addresses, you will come across subnets. This is a quick article that describes subnets, what they are used for and how they are defined.

Martin Hodges
8 min read · Nov 30, 2023

IP Addresses

The Internet works by routing information between computers. Every computer is given a unique Internet Protocol (IP) address and this is used to find a computer and deliver the information.

There are two versions of IP, versions 4 and 6, referred to as IPv4 and IPv6. For the purposes of this article I am only describing IPv4 subnets, as this is the most common version in use, particularly for private subnets.

So here is a fictional example of an IP address:

Example IP Address

The top row is the binary form. For IPv4, it is a 32-bit number, shown here broken into 8-bit words. Below this is the decimal representation of each word and below that the typical way an IP address is written.

The thing is, given the billions of computers and devices on the Internet, how does it know where this computer is?

Subnets

A subnet is a segment of the network that connects two or more computers or servers. Servers on the subnet can talk directly to each other, with their information being sent only over the subnet and nowhere else.

Servers and subnets connected by the Internet

For example, Server 1 and Server 2 are on the same subnet (Subnet 1) and can freely talk to each other. If Server 1 wants to talk to Server 6, it knows it is not on its subnet and so it sends its information to a gateway (Gateway 1) which knows how to route the information across the Internet to Gateway 2 and then on to Subnet 2, where Server 6 is located.

Seems fairly logical but how does each server know which subnet it is on and which subnet the destination server is on?

It knows this from the IP address. Let’s take another look at our fictional IP address.

Subnet addresses

You can now see that the subnet is identified by the most significant bits of the IP address (i.e. those to the left). In this case, the subnet address is formed from the first 24 bits, giving 15.65.32.0.

The remainder is used to identify the server (or host) on the subnet, eg: 99. Typically, the full IP address is used as the server IP address, 15.65.32.99.

Subnet mask

In the example, I have shown that the subnet address is made up of the first 24 bits, but how does the network know this is the case?

When working with subnets you have to give the network both the subnet address (15.65.32.0) and the portion of the address that forms the subnet address part. Whilst it may be tempting to say that it is obvious that the subnet address is 15.65.32, it is not at all clear when it comes to addresses such as 10.0.0.0.

You can define the portion in two ways:

  • 15.65.32.0 / 255.255.255.0
  • 15.65.32.0 / 24

The first is called a network mask as it defines the pattern that identifies the bits to be used as the subnet address, i.e. if you take an IP address and logically AND it with its subnet mask, you will be left with the subnet address.

Note that a mask must be a contiguous run of 1s followed by a contiguous run of 0s, i.e. 11101110 cannot be used in a network mask.

The second form is known as Classless Inter-Domain Routing (CIDR) notation, or a CIDR block. This is simply the number of 1 bits in the mask.

Whilst I have shown the subnet mask covering three whole 8-bit words, this does not have to be the case; these are also valid subnet definitions.

  • 15.65.32.0 / 240.0.0.0
  • 15.65.32.0 / 27
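The mask arithmetic above, as an added example that is not part of the original article: it validates the contiguous-1s rule, converts between dotted masks and CIDR prefixes, and ANDs the article's 15.65.32.99 address with its mask to recover the subnet and host parts. Function names are my own.

```python
# Added example: subnet mask and CIDR arithmetic with plain integer bit operations.
# Uses the article's 15.65.32.99 / 24 example; no third-party libraries.

def ip_to_int(dotted: str) -> int:
    """Parse a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return int.from_bytes(bytes(octets), "big")

def int_to_ip(value: int) -> str:
    """Format a 32-bit integer as a dotted quad."""
    return ".".join(str(b) for b in value.to_bytes(4, "big"))

def mask_is_valid(mask: int) -> bool:
    """A mask must be contiguous 1s followed by contiguous 0s.
    The complement of such a mask is 2**k - 1, so complement & (complement + 1) == 0."""
    inverted = (~mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def mask_to_prefix(mask_str: str) -> int:
    """255.255.255.0 -> 24; rejects masks like 11101110.0.0.0."""
    mask = ip_to_int(mask_str)
    if not mask_is_valid(mask):
        raise ValueError(f"non-contiguous mask: {mask_str}")
    return bin(mask).count("1")

def prefix_to_mask(prefix: int) -> str:
    """24 -> 255.255.255.0; 27 -> 255.255.255.224."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def subnet_address(ip: str, prefix: int) -> str:
    """Logically AND the address with its mask to get the subnet address."""
    mask = ip_to_int(prefix_to_mask(prefix))
    return int_to_ip(ip_to_int(ip) & mask)

def host_part(ip: str, prefix: int) -> int:
    """The bits to the right of the mask identify the host on the subnet."""
    mask = ip_to_int(prefix_to_mask(prefix))
    return ip_to_int(ip) & ~mask & 0xFFFFFFFF

if __name__ == "__main__":
    print(subnet_address("15.65.32.99", 24))  # 15.65.32.0
    print(host_part("15.65.32.99", 24))       # 99
    print(prefix_to_mask(27))                 # 255.255.255.224
    print(mask_is_valid(0b11101110 << 24))    # False
```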

Defining a subnet

Back to our example network. Let’s give it some IP addresses.

Network with IP addresses

You should now understand why Server 1, 2 and 3 have IP addresses all starting with 15.65.32 and why Server 4, 5 and 6 start with 123.10.0. It is because this defines the subnet they are on.

When designing a subnet, there are three things you need to define:

  1. The subnet ID, eg: 123.10.0.0
  2. The subnet mask, eg: 255.255.255.0
  3. The address of the gateway (generally, but not always, on address 1, eg: 123.10.0.1)

Now we can see that when Server 1 wants to talk to Server 6, it can tell that Server 6 is not on its subnet (15.65.32.0) and so the information is sent to Gateway 1 to route over the Internet. The information arrives at Gateway 2 and is handed over to Server 6.

How the Internet knows where to find Gateway 2 is beyond the scope of this article.

Special addresses

In the above example, it looks as though you could attach 256 servers to the 123.10.0.0 / 24 subnet. In practice you cannot.

Firstly, you generally need a gateway to route your traffic to the Internet or other subnets. This will take one address (normally .1).

Next every subnet has a broadcast address to send information to all servers on the subnet. This is given the host address of all 1’s. In the case of 123.10.0.0 / 24 this would be 123.10.0.255. In the case of 123.10.0.0 / 16, this would be 123.0.255.255.

Broadcast traffic does not leave the subnet.

Finally, the subnet ID itself takes an address, eg: 123.10.0.0.

This leaves 254 addresses for servers and other devices in the case of a /24 subnet mask.

From this you can now see that, for large networks, smaller subnet masks may be required. For example, if you have 10,000 servers, you will need a subnet mask of 32–15 = /17.

The thing is, the range of IPs provided by IPv4 is limited. In fact, because a subnet is generally not filled with servers and devices, a lot of the address space is also wasted. This is why IPv6 was created: to resolve this problem.

Before IPv6 though, private subnets were introduced and are still used extensively today.

Private subnets

The idea of the Internet is to connect computers together. Effectively any computer on the Internet can talk to any other.

There are two problems with this approach:

  1. There are not enough IPv4 addresses on the internet to give every device its own IP address
  2. There are some computers/servers that should not be accessible from the Internet (eg: your database servers)

We cannot simply give multiple servers the same IP address, as things go wrong when it is not clear where information should be sent. Information can only be sent to one server!

The way both of these challenges have been solved is by using private subnet addresses.

A private subnet is given an address which is not routable over the Internet.

Now, if there are two private subnets, they can allocate the same IP addresses to their servers without causing any routing problems.

There are two ways to make your subnet unroutable:

  1. Disconnect your network from the Internet
  2. Use a private subnet address range

#1 is not very practical but ‘air gapping’ networks is common in highly secure environments. Typically we use #2, private subnet address ranges.

The globally agreed private subnet address ranges are:

  • 10.0.0.0/8 (255.0.0.0)
  • 172.16.0.0/12 (255.240.0.0)
  • 192.168.0.0/16 (255.255.0.0)

If you use subnet addresses within any of these ranges (eg: 10.0.0.0 / 24), your information cannot be routed over the Internet. You cannot send or receive information across it.

Doesn’t this sound as impractical as disconnecting your network from the Internet?

Well, there are ways to connect your private subnet to the Internet by way of reverse proxies, bridges, gateways with NAT etc. These topics are beyond the scope of this article.
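The "Special addresses" and "Private subnets" sections above, as an added example that is not part of the original article: it derives the subnet ID, broadcast address, conventional .1 gateway and usable host count for a CIDR block, sizes a prefix for a given number of hosts, and checks whether an address falls inside one of the three private ranges using the same AND-with-mask test. Function names are my own; the /31 and /32 handling goes beyond the article.

```python
# Added example: subnet capacity and the private-range check, using the
# article's 123.10.0.0/24 subnet and the three private ranges it lists.
import math

def ip_to_int(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def int_to_ip(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))

def mask_of(prefix: int) -> int:
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Subnet ID, broadcast (host bits all 1s), gateway (.1) and usable hosts."""
    ip, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = mask_of(prefix)
    network = ip_to_int(ip) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    total = 2 ** (32 - prefix)
    # Subnet ID and broadcast each take one address; /31 and /32 have no
    # room for them, so the "minus two" rule applies only up to /30.
    usable = total - 2 if prefix <= 30 else 0
    return {
        "subnet_id": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "gateway": int_to_ip(network + 1) if prefix <= 30 else None,
        "usable_hosts": usable,
    }

def prefix_for_hosts(hosts: int) -> int:
    """Largest prefix (smallest subnet) that still fits `hosts` devices plus ID and broadcast."""
    host_bits = math.ceil(math.log2(hosts + 2))
    return 32 - host_bits

PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def is_private(ip: str) -> bool:
    """True if ip AND mask equals the range's subnet address for any private range."""
    addr = ip_to_int(ip)
    for cidr in PRIVATE_RANGES:
        net, prefix = cidr.split("/")
        mask = mask_of(int(prefix))
        if addr & mask == ip_to_int(net) & mask:
            return True
    return False

if __name__ == "__main__":
    print(subnet_info("123.10.0.0/24"))   # 254 usable hosts, broadcast 123.10.0.255
    print(prefix_for_hosts(10000))        # 18
    print(is_private("172.31.5.9"))       # True
```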

Virtual Private Clouds

Most cloud providers allow you to create a Virtual Private Cloud or VPC. When you create a VPC, you are basically saying to your cloud provider ‘please create me a private subnet’.

Cloud providers manage their networks using Software Defined Network (SDN) tools. This allows them to be able to create thousands of private subnets on demand without the need for changing cables in their data centres!

The effect of creating a VPC is exactly the same as creating your own subnet.

VPC Architecture

After creating a VPC, you can then create your own Virtual Private Server (VPS) within that VPC. When you create your VPS, you can decide if it is going to have a single network interface or two (or more!).

In the example above, you can see that Server 1 has been given a single interface, which is connected to the VPC private subnet.

In the case of Server 4, it has been given two, one connected to the private subnet and one connected to the Internet.

You can now install the appropriate reverse proxy (eg: NGINX) or gateway software on Server 4 to allow the other servers to work with requests coming in from the Internet. By having only a single way in to your private network, it is easier to secure your VPC.

There is more to the VPC story, as Server 1 to Server 3 need to know how to route requests to the Internet so you can do things like download packages and updates. This requires the definition of static routes and Network Address Translation (NAT) configurations. These are specific to your cloud provider.

Summary

In this article we looked at how an IP address is used in conjunction with its subnet to allow information to be routed between computers.

We then looked at how a subnet is defined and how this affects the number of devices that can be added to the subnet. You will have also seen that the number of devices is affected by the allocation of some addresses for special functions, such as gateways, broadcasting and the subnet itself.

Finally we saw how private subnets can be used to secure servers and make them inaccessible to people on the Internet. Private networks also expand the number of servers that can be used. We then extended this principle to the use of Virtual Private Clouds (VPCs).
