Subnetting is the act of doing exactly what it sounds like - taking a network and dividing it into smaller “sub-networks”. This maybe done for a variety of reasons, primarily to separate certain kinds of computers from other kinds of computers and putting more strict rules in place to govern that communication.

For example let’s say you have a web server that is only accessible locally, and you have 2 groups of desktop machines. The IT department that supports the webservers, and the normal users who just access it. You want the IT department to be able to manage the webservers, let’s say over SSH, but there is no reason a normal user will ever SSH into the web server. You can create 3 Subnets, 1 for the webservers, 1 for the IT department, and 1 for normal users, you can then use routing or firewall rules to say the users subnet can talk to the webservers on ports 443 and 80 (for accessing the web server) and say the IT department can do that but also on port 22 (the SSH port). Now all users can get to the website hosted on the webservers but only the computers in the IT subnet can get to the SSH port opened on the webserver.

The big difference between a subnetted network and a flat network (a network with only one subnet) is it allows you to say, traffic between these specific groups of hosts needs to go through routing logic before it’s delivered. So how is this achieved? Well let’s look at what makes a network a network, here is where I’ll introduce the OSI model as well.

The OSI model is simply a model used to describe how data moved a crossed the network, it goes up through 7 layers:

Data Link

Let’s go through the ones we need for now.


The Physical layer is probably the easiest to understand. This is the physical stuff that deals with network traffic, for example, the cables, wifi radio waves, and network cards. This is the material that transmits the data.

## Data Link The Data Link layer is where Switches operate and the MAC address reins over traffic. Data is split up into “Frames” in this layer and there’s a bit of control we have over the flow and shape of traffic, but that’s a topic for another time. The most important thing to remember about the Data Link Layer at this point is that it’s where Switches and MAC address work.

## Network

Ah yes, layer 3, the Network layer. This is where a large part of the magic that we care about from a networking perspective happens (hence the name). This is where routers, firewalls, routing logic, routing protocols, and a ton of other cool stuff we will talk about lives. Layer 3 is where your IP address matters. Pieces of data in layer 3 are known as packets, and how these packets are handled is the job of Layer 3 network devices like routers and switches. Now I know what you are thinking; wait you said switches are a layer 2 device. That is correct but Layer 3 Switches are different. Layer 3 switches are basically switches that know how to route as well.

Why do we need to know all of this to understand subnetting? Because it’s important to know what layer subnets divide the network on. Subnets divide the network on layer 3, which means to connect 2 subnets together you need a layer 3 device like a router or a layer 3 switch. This is important to keep in mind later.

Classful Subnetting

Now before we get deeper into the weeds let’s talk about classfull subnetting. Classful subnetting is kind of the old way of doing things. It’s deciding what class of network you need and using it’s default subnetmask. There are 3 classes that we care about.

Class A: begins with a 10. and has a subnetmask of
Class B: begins with a 172.16. and has a subnetmask of
Class C: begins with a 192.168. ans has a subnetmask of

This in theory works great, but what if we have a network with only 2 devices in it? Even using the smallest class of subnet we can that’s wasting 251 addresses (after you count the addresses for the hosts, the network address, and the broadcast address). That’s a ton of addresses burned!

Back to the Most Basic

To understand what a Subnet is, you first have to understand what an IP address is. I’m sure you’ve all seen the classic example of right? This is easy for us to read, but this is not how a computer sees it. Like with most things computers are happiest in binary. Have you ever wondered why there are “.”s in ip addresses? It’s because that represents the value of 1 byte, or 8 bits. In case you didn’t know a bit is a binary digit, either a 1 or a 0. So since each section separated by “.”s is 8 bits it’s called an octet, and the numbers in each octet can be expressed in Binary. For example in binary is 11000000.10101000.00000001.00000001. Why do we care? Because subnet masks are the same way, for example the default subnetmask for is - or in binary, 11111111.11111111.11111111.00000000. Again, why do we care? I’m so glad you asked! Last time I explained that Subnetmasks tell computers and routers which part of the IP address is the network ID and which part is the host ID. They do this by telling the device which bits are turned on (set to 1) to make them network bits, and which bits are turned off (set to 0) making them host bits.

For example take the binary of and put it on top of the binary for it’s subnetmask: * 11000000.10101000.00000001.00000001 * 11111111.11111111.11111111.00000000 any bit with a 1 underneath is is a “1” under it is a network bit, and any bit with a “0” underneath is is a host bit. Pretty cool huh?

Variable Length Subnetting

I guess, but why do we care? Let’s go back to our previous example of having a network with only 2 hosts. As previously stated using the most efficient classfull subnet mask ( would waste 251 address since we need 4, one for the network address, one for the broadcast, and 2 for our hosts. Now what if we customized the subnetmask to suite our needs? What if the majority of the subnet mask was network bits, and very few were host bits? Having only 1 bit would only give us 2 addresses, .1 and .0… so let’s try with 2.

11111111.11111111.11111111.11111100 or

That leaves 2 bits for the host portion, the possibilities of which are 00 10 01 11 oh look, exactly as many as we need! so now on this network .0 will be the network address, .1 and .2 will be avail be for a host, and .3 is the broadcast address.

So now we’ve taken a network and split it into a smaller network that’ll be just enough for what we need without wasting a ton of IP addresses that will never be used.

as an aside there is also another shorter way to write out subnets, simply use /<# of bits in the network address> for example saying with a subnet mask of can be rewritten to because if you convert the subnetmask into binary (11111111.11111111.11111111.00000000) you’ll see there are 24 bits set to 1. if we take our other example and apply the same logic you’ll see that the subnetmask(11111111.11111111.11111111.11111100) has 30 bits set to 1 so it would be /30.

Bringing it Back to Hacking

Well this one is a bit trickier to bring back, we can say that it’ll explain how a network can be divided up, and how segmentation can work. It also can help us do more exact and less wasteful scans. For example if you see that your subnetmask is you know that the first 3 octets will be the same a crossed all devices on that subnet.


I hope all this made sense. This is definitely not the best explanation out there and I highly recommend looking up some subnetting guides, and practice sheets online in addition to this, as it was a very brief overview. Our next talk will be over Routing, and how packets get sent to other subnets and networks.