Subnetting Exercises

Exercise A

• 10.1.1.0 /24 is our network currently
• Must allow for 400 IoT sensors
• Application requires local multicast support
  • Delivering data to many host at once
  • By basically taking additional bits from the network part and giving it to the host is going to allows us to put more hosts in our particular subnet.

Step 1. Host Requirement

A /24 network provides 256 total IP addresses (254 usable for hosts, after reserving the network and broadcast addresses). With 400 sensors, 254 usable addresses are not enough.

To support at least 400 hosts you need a subnet that offers at least 400 + 2 (network and broadcast) = 402 addresses. The next standard subnet size that meets this requirement is a /23, which provides 512 addresses (510 usable).

• Calculation:
  • A /23 gives 2^(32-23) = 2⁹ = 512 addresses
  • Usable addresses = 512 − 2 = 510

Step 2. Choosing the New Network

Since the original assignment is 10.1.1.0/24, one common approach is to “borrow” an extra bit from the host portion to widen the subnet:

• A natural supernet would be 10.1.0.0/23.
• This block covers from 10.1.0.0 to 10.1.1.255, providing 512 addresses.

Step 3. Local Multicast Support

Local multicast traffic (for example, for group communications among IoT sensors) is handled separately from unicast addressing. In many networks, multicast groups use reserved ranges (like 224.0.0.0/24 for link-local control or administratively scoped ranges such as 239.0.0.0/8).

• Action: Ensure your network devices (switches/routers) are configured for multicast (via IGMP snooping, for example) and use a proper multicast range for your application.
• This configuration does not reduce the available unicast host addresses since multicast groups use a different address space.

Summary for Exercise A:

• New Subnet: Convert the /24 into a /23
  • Example: Use 10.1.0.0/23 (covers 10.1.0.0–10.1.1.255)
  • Provides 510 usable addresses (enough for 400 IoT sensors)
• Multicast: Configure multicast support on your network using appropriate multicast groups (such as using the administratively scoped range 239.x.x.x or the reserved 224.0.0.x range).

Exercise B

• network 10.5.10.0/24 has been allocated to your site
• Separate unified communications from users
• 40 phones
• 100 users
  • Take a network and make it smaller, unlike exercise A.
  • 2^7 = 128
  • 2 networks of 126 hosts per network

Step 1. Determine Subnet Sizes

1. Phones:
   • Requirement: 40 hosts
   • A /26 subnet provides 2^(32-26) = 64 addresses (62 usable), which is more than enough for 40 devices.
2. Users:
   • Requirement: 100 hosts
   • A /25 subnet provides 2^(32-25) = 128 addresses (126 usable), which meets the requirement.

Step 2. Allocate the Subnets within 10.5.10.0/24

One way to divide the 256-address block is:

• Users Subnet: Use the first half of the block
  • Subnet: 10.5.10.0/25
  • Address Range: 10.5.10.0 to 10.5.10.127
  • Usable Addresses: 10.5.10.1 to 10.5.10.126
• Phones Subnet: Use the next portion
  • Subnet: 10.5.10.128/26
  • Address Range: 10.5.10.128 to 10.5.10.191
  • Usable Addresses: 10.5.10.129 to 10.5.10.190
• Remaining Addresses:
  • The remaining block (10.5.10.192/26, 64 addresses) is unused and can be reserved for future needs or other services.

Summary for Exercise B:

• Users: 10.5.10.0/25 → 126 usable addresses (sufficient for 100 users)
• Phones: 10.5.10.128/26 → 62 usable addresses (sufficient for 40 phones)
• Extra: 10.5.10.192/26 remains unallocated

Exercise C

• Network 10.0.0/24 has been allocated to your site
• Separate unified communications from users
• Separate developers (20)
• Separate human resources (5)
• Separate accounting (5)
• 50 phones
  • Increment will include the number of devices.

Step 1. Determine the Required Subnet Sizes

1. Phones (Unified Communications):
   • Requirement: 50 devices
   • Needed addresses: 50 + 2 = 52
   • Block size: The next power-of-two is 64 addresses → /26 (64 total; 62 usable)
2. Developers:
   • Requirement: 20 devices
   • Needed addresses: 20 + 2 = 22
   • Block size: Next power-of-two is 32 addresses → /27 (32 total; 30 usable)
3. Human Resources:
   • Requirement: 5 devices
   • Needed addresses: 5 + 2 = 7
   • Block size: Next power-of-two is 8 addresses → /29 (8 total; 6 usable)
4. Accounting:
   • Requirement: 5 devices
   • Needed addresses: 5 + 2 = 7
   • Block size: → /29 (8 total; 6 usable)
5. Users:
   • Although no number is given, we must “separate unified communications from users.” After allocating the above groups, the remaining addresses can be used for users.
   • Total addresses in /24: 256
   • Allocated so far: Phones (64) + Developers (32) + HR (8) + Accounting (8) = 112
   • Remaining: 256 − 112 = 144 addresses
   • Because subnets must be sized as a power-of-two, we choose a contiguous block that fits within the /24. A /25 provides 128 addresses (126 usable), which is the largest standard block that fits without “borrowing” from the rest of the /24. This leaves a small extra block (16 addresses) that can be reserved for future use.

Step 2. Subnet Allocation via VLSM

One effective approach is to divide the /24 into two main portions:

1. Users Subnet:

   • Allocation: 10.0.0.0/25
   • Range: 10.0.0.0 – 10.0.0.127
   • Total addresses: 128 (usable: 126)
   • This subnet serves the general users (non‐unified communications).

2. Unified Communications & Departments:

   • Remaining block: 10.0.0.128/25
   • Range: 10.0.0.128 – 10.0.0.255 (128 addresses total)

   Now, subdivide the 10.0.0.128/25 block into the following subnets:

   • Phones:
     • Allocation: 10.0.0.128/26
     • Range: 10.0.0.128 – 10.0.0.191
     • Total addresses: 64 (usable: 62)
     • Sufficient for 50 phones.
   • Developers:
     • Allocation: 10.0.0.192/27
     • Range: 10.0.0.192 – 10.0.0.223
     • Total addresses: 32 (usable: 30)
     • Sufficient for 20 devices.
   • Human Resources:
     • Allocation: 10.0.0.224/29
     • Range: 10.0.0.224 – 10.0.0.231
     • Total addresses: 8 (usable: 6)
     • Sufficient for 5 devices.
   • Accounting:
     • Allocation: 10.0.0.232/29
     • Range: 10.0.0.232 – 10.0.0.239
     • Total addresses: 8 (usable: 6)
     • Sufficient for 5 devices.
   • Spare:
     • After these allocations, the remaining addresses in the 10.0.0.128/25 block run from 10.0.0.240 to 10.0.0.255, totaling 16 addresses (a /28). This block can be reserved for future growth.

Step 3. Final Summary of the Allocation

• Users Subnet (General Users):
  • Network: 10.0.0.0/25
  • Range: 10.0.0.0 – 10.0.0.127
  • Usable Hosts: 126
• Unified Communications & Departments (in 10.0.0.128/25):
  1. Phones:
     • Network: 10.0.0.128/26
     • Range: 10.0.0.128 – 10.0.0.191
     • Usable Hosts: 62 (for 50 phones)
  2. Developers:
     • Network: 10.0.0.192/27
     • Range: 10.0.0.192 – 10.0.0.223
     • Usable Hosts: 30 (for 20 devices)
  3. Human Resources:
     • Network: 10.0.0.224/29
     • Range: 10.0.0.224 – 10.0.0.231
     • Usable Hosts: 6 (for 5 devices)
  4. Accounting:
     • Network: 10.0.0.232/29
     • Range: 10.0.0.232 – 10.0.0.239
     • Usable Hosts: 6 (for 5 devices)
  5. Spare for Future Use:
     • Network: 10.0.0.240/28
     • Range: 10.0.0.240 – 10.0.0.255
     • Total addresses: 16 (14 usable)

Final Comments

• VLSM Efficiency:
  Each subnet is sized to the next highest power-of-two that meets the requirement. Although there is some address “waste” (for example, a /26 for 50 phones provides 62 usable addresses), this is inherent in IPv4 subnetting.

• Separation of Traffic:
  Placing general users on a separate /25 (10.0.0.0/25) cleanly separates them from the unified communications and departmental subnets (all in 10.0.0.128/25).

• Future Growth:
  The spare /28 block (16 addresses) provides room for future expansion if additional departments or services are required.

Exercise D

• Network 10.16.0.0/16 has been allocated to your site
  • 10.16.0.0 -> 10.17.255.255
• Network 10.17.0.0/16 has been allocated to your site
• Consolidate these 2 entries in a routing table

To consolidate 10.16.0.0/16 and 10.17.0.0/16 into one routing table entry, you need to find a summary route that covers both ranges.

1. Identify the Ranges:
   • 10.16.0.0/16: Covers 10.16.0.0 to 10.16.255.255.
   • 10.17.0.0/16: Covers 10.17.0.0 to 10.17.255.255.
2. Check for Contiguity:
   • The two subnets are contiguous since 10.17.0.0 immediately follows 10.16.255.255.
3. Determine the Summary Prefix:
   • Two contiguous /16 networks can be summarized as a /15.
   • A /15 network provides 2^(32-15) = 2^17 = 131072 addresses, which exactly covers the two /16 networks (each /16 has 65536 addresses).
4. Calculate the Summary Address:
   • The summary address is the first address of the lower block: 10.16.0.0.
   • With a /15 mask (255.254.0.0), the summary route covers from 10.16.0.0 to 10.17.255.255.

• Summary Route: 10.16.0.0/15
  This single entry will replace the two /16 entries in your routing table, efficiently summarizing the route.

Exercise E

• Network 192.168.5.5 /28
  • Some subnetting is happening.
    • Subnet mask? extends into that 4th octet
• What is the subnet mask?
• What is the network?
• What is the first usable host?
• What is the last usable host?
• What is the directed broadcast addresses?

Step 1. Determine the Subnet Mask

• CIDR Notation: /28
• Binary Mask: 11111111.11111111.11111111.11110000
• Dotted Decimal: 255.255.255.240

Step 2. Identify the Network Address

Given the IP 192.168.5.5/28:

• The block size in the last octet for a /28 is 16 (since 256/16 = 16).

• Subnet ranges are: 0–15, 16–31, etc.

• 192.168.5.5 falls in the first block, so the network address is the first address of that block.

• Network Address: 192.168.5.0

Step 3. Determine the Usable Host Range

• First Usable Host:
  The first usable address is one greater than the network address:
  192.168.5.1

• Directed Broadcast Address:
  The broadcast address for a /28 subnet is the last address in the block. Since the block spans 16 addresses, the broadcast address is:
  192.168.5.15

• Last Usable Host:
  One less than the broadcast address:
  192.168.5.14

Final Answers

• Subnet Mask: 255.255.255.240
• Network: 192.168.5.0/28
• First Usable Host: 192.168.5.1
• Last Usable Host: 192.168.5.14
• Directed Broadcast Address: 192.168.5.15

Exercise F (Firewall on a stick)

• A layer 2 switch with a trunk link to a router

• A router on a stick

  • 1 single wire that goes into the router.
  • If the router is replaced by a firewall, this would be a firewall on a stick.

• Client has suffered compromise of web server.

• DMZ network is 192.168.50.0/24

• Isolate 20 servers

• 4 applications require a cluster of up to 6 systems in 1 VLAN

• Isolate 20 servers: In many secure designs, each server is placed into its own small subnet (so that traffic between servers can be strictly controlled).
• 4 application clusters: Each application “cluster” can have up to 6 systems in one VLAN (so the entire cluster must fit in a subnet that supports 6 hosts).

Because this is a “firewall on a stick” configuration, one physical (or trunked) firewall interface carries all VLANs as separate subinterfaces, and routing/filtering is performed between these logical interfaces.

Step 1. Sizing the Subnets

For the 20 Isolated Servers

For an individual host that is isolated (with only one device in the subnet plus a gateway), you typically need only 2 usable addresses. The smallest IPv4 subnet that provides 2 usable IP addresses is a /30.

• /30 subnet: 4 IP addresses total (1 network, 2 usable, 1 broadcast).
• For 20 servers: 20 × /30 = 20 × 4 = 80 addresses

Example Allocation:

• 192.168.50.0/30
• 192.168.50.4/30
• 192.168.50.8/30
• …
• 192.168.50.76/30
  (Each /30 provides one host address for the server and one for the firewall’s subinterface.)

For the 4 Application Clusters

Each cluster can have up to 6 systems. To support 6 hosts, you need a subnet that provides at least 6 + 2 = 8 addresses. The smallest subnet that does this is a /29.

• /29 subnet: 8 IP addresses total (1 network, 6 usable, 1 broadcast).
• For 4 clusters: 4 × /29 = 4 × 8 = 32 addresses

Example Allocation:
After the 20 isolated server subnets (which use addresses 0–79), the next available address is 80. You could assign:

• Cluster 1: 192.168.50.80/29 (addresses 80–87)
• Cluster 2: 192.168.50.88/29 (addresses 88–95)
• Cluster 3: 192.168.50.96/29 (addresses 96–103)
• Cluster 4: 192.168.50.104/29 (addresses 104–111)

Step 2. Reviewing the Address Usage

• Total addresses in DMZ /24: 256
• Used for isolated servers: 20 × 4 = 80 addresses
• Used for application clusters: 4 × 8 = 32 addresses
• Total used so far: 80 + 32 = 112 addresses
• Remaining addresses: 256 − 112 = 144 addresses (available for other functions such as a dedicated (compromised) web server, additional devices, or future growth)

Step 3. Implementing “Firewall on a Stick”

In a firewall on a stick design, you use a single physical interface on the firewall that is configured as a trunk. Each VLAN (with its assigned subnet) is defined as a subinterface. For example:

• Subinterface for Isolated Server 1:
  • VLAN X, IP range 192.168.50.0/30
  • Firewall enforces rules to prevent lateral movement between server subnets.
• Subinterface for Application Cluster 1:
  • VLAN Y, IP range 192.168.50.80/29
  • Firewall rules can allow intra-cluster communication while isolating the cluster from other segments.

Each subinterface is assigned its respective IP address (typically the first usable address serves as the gateway), and the firewall is configured with policies that restrict traffic between these VLANs. This “stick” design is effective for DMZ segmentation because it uses a single physical link while still isolating broadcast domains and controlling inter-VLAN traffic.

Final Summary

• DMZ Network: 192.168.50.0/24
• For 20 Isolated Servers:
  • Use 20 separate /30 subnets (each providing 2 usable addresses).
  • Example: 192.168.50.0/30, 192.168.50.4/30, …, 192.168.50.76/30
• For 4 Application Clusters:
  • Use 4 separate /29 subnets (each providing 6 usable addresses).
  • Example: 192.168.50.80/29, 192.168.50.88/29, 192.168.50.96/29, 192.168.50.104/29
• Firewall on a Stick:
  • A single trunked interface on the firewall carries all these VLANs via subinterfaces.
  • The firewall enforces inter-VLAN routing and security policies to isolate the compromised web server and prevent lateral movement between the isolated segments.