For networking pros, subnetting is an essential skill. Follow these steps to ensure reliable performance and security in IPv4 networks.
Subnetting is a fundamental practice for accommodating network growth and improving network performance and security, but it can be time-consuming and frustrating. While subnet calculators are available, subnetting is far more than just numbers and remains a core skill for networking professionals.
While there are obvious organizational variables that impact your overall subnetting plan, there are universal best practices you should follow. In this article, I cover several best practices to ensure your network's IPv4 subnetting strategy is both efficient and scalable. I focus on Internet Protocol version 4 since it's the most widely used IP version in the enterprise today.
Before getting into the details of subnetting best practices, it's important to first consider the big picture. So our first step is understanding RFC 1918 addressing.
RFC 1918 and NAT
Very few organizations own enough internet-routable public IP addresses to use for all internal subnetting and routing purposes. Fortunately, RFC 1918 reserved IP subnets combined with Network Address Translation (NAT) alleviate most public address shortage problems. In fact, the combination works so well that it's the sole reason why most companies have put off moving toward IPv6.
For those who aren't familiar with RFC 1918 addressing, these are blocks of IPv4 addresses designated by the Internet Engineering Task Force (IETF) and intended for private use. The caveat, however, is that these addresses cannot be routed on the internet. That means devices configured with an RFC 1918 address must use NAT at the internet edge to translate their private IP address into one that's publicly routable. The private address spaces designated by RFC 1918 are:
- 10.0.0.0 - 10.255.255.255 -- or 10.0.0.0/8
- 172.16.0.0 - 172.31.255.255 -- or 172.16.0.0/12
- 192.168.0.0 - 192.168.255.255 -- or 192.168.0.0/16
Businesses commonly leverage a single public IP or a small public IP block for their internet connectivity needs. Companies always use fewer public addresses than private IP addresses because network administrators can allow hundreds or even thousands of private IP addresses to share a single public address using a NAT extension feature called Port Address Translation (PAT).
Below, I discuss seven subnetting best practices for IPv4 networks.
Use the three RFC 1918 blocks for different purposes
It often makes sense to use completely different RFC 1918 IP blocks for special-use networks. For example, if you use the 10.0.0.0/8 space for campus LAN addressing, consider using the 192.168.0.0/16 block for WAN links and the 172.16.0.0/12 block for untrusted networks and DMZ addressing. Doing so helps administrators rapidly identify network segments, which ultimately speeds up design and troubleshooting efforts.
Segment networks with a purpose
When planning an overall company IPv4 subnetting strategy, some serious thought should be put into how networks are divvied up. For example, if you work for a global organization with hundreds of remote sites, but half of those sites reside in the US, you may want to split a /8 network in two. That lets you neatly divide the IP block into two /9 networks. In our example, this would mean that US-based networks could use the 10.0.0.0/9 IPv4 space while 10.128.0.0/9 could be designated for international sites. Each location can then be further subnetted as needed.
Keep broadcast domains to a minimum
For end-user networks, it is common to limit an IP subnet to a /24. This gives you 254 IP addresses per subnet. Limiting subnets to a /24 helps to significantly reduce broadcast overhead that can impact performance on devices residing within the subnet. However, if you must increase a subnet beyond a /24, make sure it never exceeds a /22, or 1022 devices. Any more devices than this in a single broadcast domain will certainly cause unnecessary congestion.
Segment endpoints by device type
When creating subnets for endpoints at the network-access layer, it's better to segment devices into various subnets based on what the device is, rather than by department or business function. For example, consider configuring separate IP subnets for wired users, wireless users, IP phones, printers, servers, and IoT as opposed to splitting up devices by business department such as accounting, marketing and sales. This will allow for consistency between locations on the same organizational network, and also help streamline security policy enforcement for end devices.
Create a management network
Management of network devices is typically performed via a management IP address through a web GUI or with the SSH protocol. To protect against unauthorized management access, it's wise to create a separate IP subnet that's specifically for management IPs. That way, administrators can easily create and apply access control lists (ACLs) that limit the ability for unauthorized devices to reach the management subnet.
Use an IP address management tool
For small companies, administrators may be able to get away with managing IPv4 subnets using an Excel spreadsheet. But for midsize to large organizations, it's far easier and more efficient to use one of the many IP address management (IPAM) tools available on the market today. Not only do these tools keep IP subnets organized in a central location, but many also offer added benefits, including the ability to identify overlapping subnets, maintain lists of DHCP and reserved IP addresses, and produce reports for compliance purposes.
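The conventions from the preceding sections, one RFC 1918 block per role, a US/international split of a /8 into two /9s, a /22 ceiling on broadcast domains, and the overlap check an IPAM tool performs, pulled together into a small plan audit. This is an added example in Python, not code from the article; the role names (campus, wan, dmz), the sample prefixes, and the assumption that a plan is a list of (name, cidr, role) tuples are mine.

```python
from ipaddress import IPv4Network

# The three RFC 1918 blocks named in the article.
RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]
# One block per role, following the article's suggested split.
# Role names are assumptions for this example.
ROLE_BLOCKS = {"campus": RFC1918[0], "dmz": RFC1918[1], "wan": RFC1918[2]}
# Largest broadcast domain the article allows: never bigger than a /22.
MAX_BROADCAST_PREFIX = 22


def usable_hosts(cidr: str) -> int:
    """Addresses minus network and broadcast: 254 for a /24, 1022 for a /22."""
    return max(IPv4Network(cidr).num_addresses - 2, 0)


def is_rfc1918(net: IPv4Network) -> bool:
    """True only for the three private blocks (narrower than is_private)."""
    return any(net.subnet_of(block) for block in RFC1918)


def split_regions(cidr: str, regions: list) -> dict:
    """Halve a block (a /8 into two /9s) and assign one half per region."""
    halves = IPv4Network(cidr).subnets(prefixlen_diff=1)
    return {region: str(half) for region, half in zip(regions, halves)}


def check_plan(plan: list) -> list:
    """Audit (name, cidr, role) tuples and return human-readable findings."""
    findings, seen = [], []
    for name, cidr, role in plan:
        try:
            net = IPv4Network(cidr)  # strict by default: host bits set is an error
        except ValueError as exc:
            findings.append(f"{name}: invalid network {cidr!r} ({exc})")
            continue
        if not is_rfc1918(net):
            findings.append(f"{name}: {net} is not RFC 1918 space")
        block = ROLE_BLOCKS.get(role)
        if block is not None and not net.subnet_of(block):
            findings.append(f"{name}: {net} is outside the {role} block {block}")
        if net.prefixlen < MAX_BROADCAST_PREFIX:
            findings.append(f"{name}: {net} has {usable_hosts(str(net))} hosts, larger than a /22")
        for other_name, other in seen:  # overlap check, as an IPAM tool would do
            if net.overlaps(other):
                findings.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen.append((name, net))
    return findings
```

Feeding the output of `split_regions` back in as the `campus` role blocks per region is a natural extension when a site plan is broken down further.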
Plan for the future
The key to any successful IPv4 subnetting strategy is consistency. Many administrators get caught up trying to make their subnets the perfect size for current needs. Yet, inevitably, the company expands, and those smaller subnets are no longer large enough to handle the increasing number of devices that need to connect. Keep in mind that even for large companies, there are plenty of IPv4 addresses available in the RFC 1918 space. Your goal should be to plan for today as well as future network and IP expansion.