IPv4 Addressing - Subnetting
======================================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is Subnetting IPv4?**

    Subnetting in IPv4 is the process of dividing a larger IP network into smaller, more manageable subnetworks (subnets), each with its own range of IP addresses.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is Subnetting IPv4 useful?**

    Subnetting improves network performance and security by reducing broadcast domains, optimizing IP address usage, and simplifying routing.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    Subnetting uses subnet masks (e.g., /24) to define how many bits of the IP address are used for the network portion. The remaining bits are used for host addresses within that subnet.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is Subnetting IPv4 used?**

    It is used in enterprise networks, service provider networks, data centers, and any IP-based infrastructure requiring organized and efficient IP address management.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    Subnetting operates at the Network Layer (Layer 3) since it deals with IP addressing and routing.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is Subnetting IPv4 Windows specific?**

    No, subnetting is not Windows specific. It is part of the IP protocol and is implemented across all platforms that use IPv4.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is Subnetting IPv4 Linux specific?**

    No, subnetting is not Linux specific. It is universally supported across all operating systems that use IPv4 networking.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which Transport Protocol is used by Subnetting IPv4?**

    Subnetting is not tied to any transport protocol. It affects IP addressing and routing, and works with TCP, UDP, and other transport protocols.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which Port is used by Subnetting IPv4?**

    Subnetting does not use any specific port. It is a method of structuring IP addresses, not a service or application.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does Subnetting IPv4 use a client-server model?**

    No, subnetting is not a communication protocol. It is a method of dividing IP address spaces and does not follow a client-server model.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is a subnet mask?**

    A subnet mask is a 32-bit number that masks an IP address, dividing the IP address into network and host portions.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is CIDR notation?**

    Classless Inter-Domain Routing (CIDR) notation represents the subnet mask as a suffix to the IP address, e.g., 192.168.1.0/24.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many hosts are available in a /24 subnet?**

    A /24 subnet allows for 254 usable hosts (256 total minus network and broadcast addresses).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the difference between network address and broadcast address?**

    The network address identifies the subnet itself, and the broadcast address is used to send messages to all hosts within that subnet.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is subnet zero?**

    Subnet zero is the first subnet in a subnetted network, traditionally avoided but now commonly used.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the formula to calculate the number of subnets?**

    Number of subnets = 2^n, where n is the number of bits borrowed for subnetting.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is Variable Length Subnet Masking (VLSM)?**

    VLSM allows different subnet masks within the same network, optimizing IP space utilization.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can subnetting reduce network congestion?**

    Yes, by reducing broadcast domains and limiting traffic scope within each subnet.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the difference between subnetting and supernetting?**

    Subnetting divides a network into smaller parts; supernetting combines multiple networks into a larger one.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does subnetting improve security?**

    It isolates network segments, making it harder for attackers to access the entire network.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can subnetting be applied to IPv6?**

    Yes, but IPv6 uses a different addressing scheme and typically does not require subnetting for address conservation.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is a subnet broadcast domain?**

    The set of devices that receive broadcast traffic within a subnet.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How do you calculate the number of hosts per subnet?**

    Hosts per subnet = 2^h - 2, where h is the number of host bits.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the smallest subnet possible in IPv4?**

    A subnet with 2 usable IP addresses (/30 mask).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the largest subnet possible in IPv4?**

    A /8 subnet, allowing approximately 16 million hosts.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does subnetting affect routing tables?**

    It allows routers to aggregate routes and improves routing efficiency.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What tools help with subnet calculations?**

    Subnet calculators and command-line tools like ``ipcalc``.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does subnetting help in IP address conservation?**

    By allocating IP space more precisely to subnet sizes based on need.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is a subnetting example with a /26 mask?**

    A /26 subnet provides 64 IP addresses with 62 usable hosts.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is subnetting mandatory in IPv4?**

    It is not mandatory but highly recommended for efficient network management.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section <Subnetting_step1>`
    * :ref:`Terminology <Subnetting_step2>`
    * :ref:`Version Info <Subnetting_step3>`
    * :ref:`Subnetting Version&IEEE Details <Subnetting_step5>`
    * :ref:`Subnetting Basic Setup on Ubuntu using IPv4 <Subnetting_step18>`
    * :ref:`Subnetting Protocol Packet Details <Subnetting_step6>`
    * :ref:`Subnetting Usecases <Subnetting_step7>`
    * :ref:`Subnetting Basic Features <Subnetting_step8>`
    * :ref:`Reference links <Subnetting_step17>`

.. _Subnetting_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _Subnetting_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _Subnetting_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _Subnetting_step5:

.. tab-set::

    .. tab-item:: Subnetting Version&RFC Details

        * rfc details

.. _Subnetting_step18:

.. tab-set::

    .. tab-item:: Subnetting Basic Setup on Ubuntu using IPv4

        **Subnetting and Inter-Subnet Ping Test**

        Objective: To demonstrate inter-subnet communication between two Linux VMs using:

        - IPv4 subnetting (/27)
        - Netplan-based IP assignment on Ubuntu VMs
        - Cisco router for routing between subnets
        - Manual default route configuration on VMs
        - ICMP (ping) to verify end-to-end connectivity

        Subnet Details (/27 = 255.255.255.224)

        - **Subnet A** → ``192.168.1.0/27``

          - Range: ``192.168.1.1 – 192.168.1.30``

        - **Subnet B** → ``192.168.1.32/27``

          - Range: ``192.168.1.33 – 192.168.1.62``

        * Step-1: IP Assignment (Ubuntu VMs via Netplan)

          * test1 – ``192.168.1.10/27``

            Netplan file:

            .. code-block:: shell

                test1:~$ sudo nano /etc/netplan/.yaml
                network:
                  version: 2
                  ethernets:
                    eth0:
                      addresses: [192.168.1.10/27]
                test1:~$ sudo netplan apply

          * test2 – ``192.168.1.40/27``

            Netplan file:

            .. code-block:: shell

                test2:~$ sudo nano /etc/netplan/.yaml
                network:
                  version: 2
                  ethernets:
                    eth0:
                      addresses: [192.168.1.40/27]
                test2:~$ sudo netplan apply

        * Step-2: Then add the default route manually:

          .. code-block:: shell

              test1:~$ sudo ip route add default via 192.168.1.1
              test2:~$ sudo ip route add default via 192.168.1.33

        * Step-3: Cisco Router Configuration (R1)

          .. code-block:: shell

              enable
              configure terminal
              interface FastEthernet0/0
               ip address 192.168.1.1 255.255.255.224
               no shutdown
              interface FastEthernet0/1
               ip address 192.168.1.33 255.255.255.224
               no shutdown
              ip routing
              exit
              write memory

          .. note::

              * The router is configured to route traffic between the two /27 subnets.

        * Step-4: Ping Test Results

          From test1 (``192.168.1.10``) to test2 (``192.168.1.40``), execute ping:

          .. code-block:: shell

              test1:~$ ping 192.168.1.40

          Expected result: Successful ICMP replies confirming inter-subnet connectivity.

        * Step-5: Wireshark Capture

          :download:`Download wireshark capture `

        **Deny Subnet1 Access to Subnet2 using UFW**

        * To block all incoming traffic from Subnet1 (192.168.1.0/27) to Subnet2 (192.168.1.32/27) using the ``ufw`` firewall on the VMs in Subnet2.

        Network Setup:

        .. csv-table::
            :header: "Host", "IP Address", "Subnet"

            "test1", "192.168.1.10", "Subnet 1 (192.168.1.0/27)"
            "test2", "192.168.1.20", "Subnet 1 (192.168.1.0/27)"
            "test3", "192.168.1.40", "Subnet 2 (192.168.1.32/27)"
            "test4", "192.168.1.41", "Subnet 2 (192.168.1.32/27)"

        * Step-1: Apply the block on **test3** and **test4** (i.e., targets in Subnet2):

          .. code-block:: shell

              test3:~$ sudo ufw deny from 192.168.1.0/27 to any
              test3:~$ sudo ufw reload
              test3:~$ sudo ufw status verbose

              test4:~$ sudo ufw deny from 192.168.1.0/27 to any
              test4:~$ sudo ufw reload
              test4:~$ sudo ufw status verbose

          .. note::

              * This rule denies all incoming connections from any host in ``192.168.1.0/27``.

        * Step-2: Test Steps

          Perform these tests from **test1** or **test2** (Subnet1):

          1. Test SSH:

             .. code-block:: shell

                 test1:~$ ssh user@192.168.1.40
                 # Expected: Connection refused or timed out

          2. Test HTTP (if running a service on test3 or test4):

             .. code-block:: shell

                 test1:~$ curl http://192.168.1.41
                 # Expected: Connection refused or timeout

        * Expected Result: All **incoming traffic from Subnet1 should be denied** on Subnet2 VMs.

        * Step-3: You can confirm this with:

          .. code-block:: bash

              test3:~$ sudo tail -f /var/log/ufw.log

        * Step-4: Cleanup

          To remove the deny rule from test3 and test4:

          .. code-block:: shell

              test3:~$ sudo ufw delete deny from 192.168.1.0/27
              test3:~$ sudo ufw reload

              test4:~$ sudo ufw delete deny from 192.168.1.0/27
              test4:~$ sudo ufw reload

        * Step-5: Wireshark Capture

          :download:`Download wireshark capture `

        **Allow Specific Traffic (HTTP) from Subnet1 to test3 (Subnet2)**

        * To deny all incoming traffic from Subnet1 (192.168.1.0/27) to test3, but explicitly allow HTTP (TCP port 80) connections.

        Network Setup:

        .. csv-table::
            :header: "Host", "IP Address", "Subnet"

            "test1", "192.168.1.10", "Subnet 1 (192.168.1.0/27)"
            "test2", "192.168.1.20", "Subnet 1 (192.168.1.0/27)"
            "test3", "192.168.1.40", "Subnet 2 (192.168.1.32/27)"

        * Step-1: Firewall Configuration on test3

          Run these commands on test3 (the web server):

          .. code-block:: shell

              # Add the specific allow before the broad deny: UFW applies the first matching rule
              test3:~$ sudo ufw allow from 192.168.1.0/27 to any port 80 proto tcp
              test3:~$ sudo ufw deny from 192.168.1.0/27
              test3:~$ sudo ufw reload
              test3:~$ sudo ufw status verbose

        * Step-2: Test Steps from test1 or test2 (Subnet1)

          1. Test ICMP (ping):

             .. code-block:: shell

                 test1:~$ ping 192.168.1.40
                 # Expected: Fail (blocked)

          2. Test SSH:

             .. code-block:: shell

                 test1:~$ ssh user@192.168.1.40
                 # Expected: Fail (blocked)

          3. Test HTTP:

             .. code-block:: shell

                 test1:~$ curl http://192.168.1.40
                 # Expected: Success (allowed)

        * Expected Results:

          .. csv-table::
              :header: "Attempt", "Result"

              "Ping test3 from test1/test2", "Blocked"
              "SSH test3 from test1/test2", "Blocked"
              "HTTP test3 from test1/test2", "Allowed"

        * Step-3: Cleanup on test3

          Remove the firewall rules:

          .. code-block:: shell

              test3:~$ sudo ufw delete allow from 192.168.1.0/27 to any port 80 proto tcp
              test3:~$ sudo ufw delete deny from 192.168.1.0/27
              test3:~$ sudo ufw reload

        * Step-4: Wireshark Capture

          :download:`Download wireshark capture `

        **Block All Traffic from test1 to test2**

        * Prevent any communication initiated from **test1 (192.168.1.10)** to **test2 (192.168.1.11)**.

        * Step-1: Reset UFW to a clean state and enable it:

          .. code-block:: shell

              test2:~$ sudo ufw reset
              test2:~$ sudo ufw enable
              test2:~$ sudo ufw allow ssh   # Allow SSH for management
              test2:~$ sudo ufw reload

        * Step-2: Block all traffic from test1 (the rule is applied on test2):

          .. code-block:: shell

              # Insert the deny ahead of the "allow ssh" rule from Step-1;
              # UFW applies the first matching rule, so an appended deny would not block SSH
              test2:~$ sudo ufw insert 1 deny from 192.168.1.10 to any
              test2:~$ sudo ufw reload

        * Step-3: Test connections from test1 to test2:

          .. code-block:: shell

              test1:~$ nc -zv 192.168.1.11 80
              # Expected: Fail (connection refused/timeout)
              test1:~$ ssh user@192.168.1.11
              # Expected: Fail (no connection)

        * Expected Result: All connection attempts from test1 to test2 should be blocked by test2’s firewall.

        * Step-4: Cleanup (On test2)

          Remove the deny rule and reload UFW:

          .. code-block:: shell

              test2:~$ sudo ufw delete deny from 192.168.1.10 to any
              test2:~$ sudo ufw reload

        * Step-5: Wireshark Capture

          :download:`Download wireshark capture `

        **Allow Only SSH from test1 to test2, Deny Others**

        * Permit only SSH connections from test1 (192.168.1.10) to test2 (192.168.1.11), blocking all other traffic from test1.

        * Step-1: Reset UFW and enable it:

          .. code-block:: shell

              test2:~$ sudo ufw reset
              test2:~$ sudo ufw enable
              test2:~$ sudo ufw allow ssh   # Allow SSH globally for management

        * Step-2: Set firewall rules to allow SSH from test1, then deny everything else from test1:

          .. code-block:: shell

              test2:~$ sudo ufw allow from 192.168.1.10 to any port 22 proto tcp
              test2:~$ sudo ufw deny from 192.168.1.10 to any
              test2:~$ sudo ufw reload

          .. note::

              Order matters. The allow rule is evaluated before the deny rule.

        * Step-3: Test connectivity from test1 to test2:

          .. code-block:: shell

              test1:~$ ssh user@192.168.1.11
              # Expected: Success
              test1:~$ ping 192.168.1.11
              # Expected: Fail (ICMP not allowed)

        * Expected Result: Only SSH connections from test1 to test2 are permitted; all other traffic from test1 is blocked.

        * Step-4: Cleanup (On test2)

          Remove the rules and reload UFW:

          .. code-block:: shell

              test2:~$ sudo ufw delete allow from 192.168.1.10 to any port 22 proto tcp
              test2:~$ sudo ufw delete deny from 192.168.1.10 to any
              test2:~$ sudo ufw reload

        * Step-5: Wireshark Capture

          :download:`Download wireshark capture `

.. _Subnetting_step19:

.. tab-set::

    .. tab-item:: Subnetting Basic Setup on Ubuntu using IPv6

        * setup

.. _Subnetting_step6:

.. tab-set::

    .. tab-item:: Subnetting Protocol Packet Details

        * packet details

.. _Subnetting_step7:

.. tab-set::

    .. tab-item:: Subnetting Usecases

        * usecases

.. _Subnetting_step8:

.. tab-set::

    .. tab-item:: Subnetting Basic Features

        **Subnetting - Testcases**

        .. csv-table::
            :file: ./IPv4_Addressing_Subnetting/IPv4_Feature6_Subnetting_TestCases.csv
            :widths: 10,10,30,20
            :header-rows: 1

.. _Subnetting_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
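
The /27 plan and the rule-order point from the IPv4 basic setup, worked through as an added example (not part of the original page): it derives Subnet A and Subnet B from ``192.168.1.0/24`` and checks two orderings of the HTTP scenario's rules with a first-match evaluator. The names ``subnet_plan``, ``verdict`` and ``shadowed`` are hypothetical, and the rule tuples are a simplified model of rules added with ``ufw allow``/``ufw deny`` (default incoming policy assumed to be deny), not UFW's own code or its ``before.rules`` chain.

```python
import ipaddress

# Constructed rule lists (not real `ufw status` output): (action, source, proto, dport).
# None means "any". Both hold the same two rules from the HTTP scenario, in opposite order.
DENY_FIRST = [("deny", "192.168.1.0/27", None, None),
              ("allow", "192.168.1.0/27", "tcp", 80)]
ALLOW_FIRST = list(reversed(DENY_FIRST))

def subnet_plan(block, prefix):
    """Split block into equal subnets: (network, first host, last host, broadcast)."""
    plan = []
    for net in ipaddress.ip_network(block).subnets(new_prefix=prefix):
        hosts = list(net.hosts())
        plan.append((str(net), str(hosts[0]), str(hosts[-1]),
                     str(net.broadcast_address)))
    return plan

def verdict(rules, src, proto, dport, default="deny"):
    """First matching rule wins; unmatched traffic gets the default policy."""
    addr = ipaddress.ip_address(src)
    for action, source, r_proto, r_port in rules:
        if (addr in ipaddress.ip_network(source)
                and r_proto in (None, proto)
                and r_port in (None, dport)):
            return action
    return default

def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    hits = []
    for i, (_, src_i, proto_i, port_i) in enumerate(rules):
        net_i = ipaddress.ip_network(src_i)
        for _, src_j, proto_j, port_j in rules[:i]:
            if (net_i.subnet_of(ipaddress.ip_network(src_j))
                    and proto_j in (None, proto_i)
                    and port_j in (None, port_i)):
                hits.append(i)
                break
    return hits

if __name__ == "__main__":
    for row in subnet_plan("192.168.1.0/24", 27)[:2]:
        print(row)                       # Subnet A and Subnet B from the lab
    for name, rules in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(name, verdict(rules, "192.168.1.10", "tcp", 80), shadowed(rules))
```

Running ``shadowed`` over a rule list before applying it flags an allow rule that a broader, earlier deny would make unreachable.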