Introduction to IPv4 & IPv6
IP addressing has become the de facto standard for electronic communication in every industry; whether it is between computers, servers, websites, database servers or IoT devices, if something is reachable from a computer it has an IP address.
In this section we will discuss the need for IP addressing, including subnetting, CIDR notation and bits, counting networks versus hosts, and the basic math behind it.
Click here to watch the IPv4 Addressing Video or you can watch at youtube.com here
IPv4 is a 32-bit numbering system written as four 8-bit octets. It lets you address a computer system much like a home address, and it gives administrators and engineers the ability to segment by geographic location, department and security boundary, or simply to keep certain devices away from the more "chatty" systems; for example, keeping phones off the same network as computers.
As an example:
192.168.0.0/24 is the CIDR notation of 192.168.0.0 255.255.255.0
Each octet can take the values below, giving 2^8 = 256 possibilities per octet:
0-255 . 0-255 . 0-255 . 0-255
Both of these labels describe the same network; in this case you have four eight-bit groups written in decimal. A bit is a binary digit, 1 or 0, so every bit has two possible values; in decimal each digit has 10 possible values: 0-9.
| 00000000 | 00000001 | 00000010 | 00000100 | 00001000 | 00010000 | 00100000 | 01000000 | 10000000 |
| 0 | 1 | 2 | 4 | 8 | 16 | 32 | 64 | 128 |
0 is of course 0
128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255
Take our example at the top: 192 168 0 0
This would equate to the following binary: 11000000.10101000.00000000.00000000
This is because you add up the decimal values from the previous table:
How do you add up to 192 in decimal?
128 + 64 = 192
How do you add up to 168 in decimal?
128 + 32 + 8 = 168 (or 128 + 32 = 160, then 160 + 8 = 168)
I'm showing you this table again so it sinks in: you need to commit many of these number schemes to memory to fully understand how IP addressing works. This time it is written backwards (most significant bit first) so it makes a little more sense, especially when we get into how the subnet mask works:
| 10000000 | 01000000 | 00100000 | 00010000 | 00001000 | 00000100 | 00000010 | 00000001 | 00000000 |
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | 0 |
| 10000000 | 11000000 | 11100000 | 11110000 | 11111000 | 11111100 | 11111110 | 11111111 | |
| 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
Another way to look at binary notation is Base2, like how decimal is Base10 notation.
You can use any combination of bits to create an octet value between 0 and 255; however, you must now be aware of the essential IP addressing schemes. The first is brought to you by RFC 1918:
Private address space that you can use in your network, with its "classful" configuration:
Class - Network
A - 10.0.0.0 to 10.255.255.255 - 10.0.0.0/8 or 10.0.0.0 255.0.0.0 - 24-bit block
B - 172.16.0.0 to 172.31.255.255 - 172.16.0.0/12 or 172.16.0.0 255.240.0.0 - 20-bit block
C - 192.168.0.0 to 192.168.255.255 - 192.168.0.0/16 or 192.168.0.0 255.255.0.0 - 16-bit block
Keep in mind these are the (semi-required) internal address ranges for unicast communication, where one device talks to another device on a per-flow basis. Each unicast communication has its own flow for each destination device.
The second part of the IPv4 address space are the Classes D and E:
D - 224.0.0.0 to 239.255.255.255 - 224.0.0.0/4 or 224.0.0.0 240.0.0.0 - this is reserved for multicast address space
Multicast groups give a server the ability to send just one single flow out into the network, and every device that registers for (subscribes to) the multicast address receives that flow. It is mostly used for video streams; like your television, when you turn to channel 3 you get that specific *broadcast*, which is available to every television tuned to channel 3, but the flow is only sent out once and those that don't want it don't accept it. With unicast, each "subscriber" would have a separate flow, which can result in network saturation.
E - 240.0.0.0 to 255.255.255.255 - 240.0.0.0/4 or 240.0.0.0 240.0.0.0 - Class E is reserved for "experimentation"; it also contains the limited broadcast address 255.255.255.255
Click here to watch the IPv4 Subnetting Video or you can watch at youtube.com here
Subnetting
Subnetting works pretty much the same way as IP addressing: four octets, 256 possibilities, 0 - 255.
Except that here we are determining the difference between two IP addresses being on the same network or on different networks. When we get to IP routing we will discuss in great detail how routing between multiple networks and subnets is accomplished.
As I showed you earlier:
| 10000000 | 01000000 | 00100000 | 00010000 | 00001000 | 00000100 | 00000010 | 00000001 | 00000000 |
| 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 | 0 |
| 10000000 | 11000000 | 11100000 | 11110000 | 11111000 | 11111100 | 11111110 | 11111111 | |
| 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
This table represents how subnetting is calculated: we figure out which side of the IP address is the network side (if two hosts are in the same network they can communicate without the need for a layer 3 router or layer 3 switch).
Say we have two IP addresses:
192.168.0.1 & 192.168.1.1
Based on a 192.168.0.0/16 or 192.168.0.0 255.255.0.0, these two IP addresses would be on the same network and thus would not require a layer 3 device to communicate.
192.168.0.1
255.255.0.0
192.168.1.1
255.255.0.0
Now if we give each IP a new custom subnet mask:
192.168.0.1/24 & 192.168.1.1/24
These two IPs would NOT be on the same network and would need a layer 3 device to allow them to communicate.
In this case you have:
192.168.0.1
255.255.255.0
192.168.1.1
255.255.255.0
You'll see here that all of the bits from the first 3 octets are used: 11111111.11111111.11111111.00000000
This tells you that if the first three octets are not equal, the hosts are in different networks.
Here's the tricky part:
When we get away from the idea of a classful network address we come to classless, which stands for "Classless Inter-Domain Routing", or CIDR for short; this is where the notation comes into play.
192.168.0.0/28 is an example of CIDR notation rather than spelling out the whole subnet mask: 255.255.255.240, or 8 + 8 + 8 + 4 bits
We really need to use our math brain when it comes to subnetting:
| Mask value | 0 | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
| 1st Octet | /0 | /1 | /2 | /3 | /4 | /5 | /6 | /7 | /8 |
| 2nd Octet | /8 | /9 | /10 | /11 | /12 | /13 | /14 | /15 | /16 |
| 3rd Octet | /16 | /17 | /18 | /19 | /20 | /21 | /22 | /23 | /24 |
| 4th Octet | /24 | /25 | /26 | /27 | /28 | /29 | /30 | /31 | /32 |
| Block size | 256 - 0 | 256 - 128 | 256 - 192 | 256 - 224 | 256 - 240 | 256 - 248 | 256 - 252 | 256 - 254 | 256 - 255 |
| | 256 | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
When you look at the table above it might not make much sense yet, but take this example as an easing of that tension:
If you have a network address 192.168.240.0/28, all you need to do is look at the octet that changes to determine where the network boundaries lie:
A /28 is 240, and it's in the 4th octet. This tells you the subnet mask must be 255.255.255.240.
Also, because you understand the math, a /28 gives 256 - 240 = 16. So every 16 addresses in the 4th octet is a new network:
192.168.0.0/28
192.168.0.16/28
192.168.0.32/28
192.168.0.48/28
192.168.0.64/28
192.168.0.80/28
192.168.0.96/28
192.168.0.112/28
192.168.0.128/28
192.168.0.144/28
192.168.0.160/28
192.168.0.176/28
192.168.0.192/28
192.168.0.208/28
192.168.0.224/28
192.168.0.240/28
192.168.1.0/28
192.168.1.16/28
192.168.240.0/28
192.168.255.208/28
192.168.255.224/28
192.168.255.240/28
Based on the calculations above we deduce that every 16 in the 4th octet is a new network, and RFC 1918 states the private address space is 192.168.0.0 - 192.168.255.255.
We can also do a bit more math: 256 * 256 = 65,536, and 65,536 / 16 = 4,096.
Also, because we have 12 network bits to choose from (keep in mind the Class C range has 16 bits we cannot change, so the bits available are 28 - 16 = 12), we can do 2 to the 12th power, 2^12, which equals 4096.
So based on our calculations we have a maximum of 4096 possible networks using /28 within 192.168.0.0/16.
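As an added example (not code from the original page), the following Python does the octet-to-binary conversion, prefix-to-mask conversion, "same network?" test and /28 enumeration from the sections above with bit operations; the function names are my own.

```python
# Added example, not part of the original page: the IPv4 math from the
# sections above done with bit operations rather than by hand.

def to_binary(addr: str) -> str:
    """Dotted decimal -> four 8-bit groups, e.g. 192.168.0.0 -> 11000000.10101000.00000000.00000000"""
    return ".".join(format(int(o), "08b") for o in addr.split("."))

def to_int(addr: str) -> int:
    """Pack a dotted-decimal address into a 32-bit integer (validates each octet)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_from_prefix(prefix: int) -> str:
    """/28 -> 255.255.255.240: the top `prefix` bits are 1, the remaining bits 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return to_dotted(0xFFFFFFFF ^ ((1 << (32 - prefix)) - 1))

def prefix_from_mask(mask: str) -> int:
    """255.255.255.240 -> 28: count the 1 bits, and insist they are contiguous."""
    ones = bin(to_int(mask)).count("1")
    if mask_from_prefix(ones) != to_dotted(to_int(mask)):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones

def same_network(a: str, b: str, prefix: int) -> bool:
    """Two hosts share a network when their network (masked) bits are equal."""
    m = to_int(mask_from_prefix(prefix))
    return (to_int(a) & m) == (to_int(b) & m)

def subnets(network: str, parent_prefix: int, new_prefix: int) -> list:
    """Every /new_prefix block inside network/parent_prefix, in address order."""
    if not parent_prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be at least as long as the parent")
    base = to_int(network) & to_int(mask_from_prefix(parent_prefix))
    step = 1 << (32 - new_prefix)              # /28: 256 - 240 = 16 addresses per block
    count = 1 << (new_prefix - parent_prefix)  # /28 inside /16: 2^12 = 4096 networks
    return [f"{to_dotted(base + i * step)}/{new_prefix}" for i in range(count)]

if __name__ == "__main__":
    print(to_binary("192.168.0.0"))                         # 11000000.10101000.00000000.00000000
    print(mask_from_prefix(28), prefix_from_mask("255.255.255.240"))  # 255.255.255.240 28
    print(same_network("192.168.0.1", "192.168.1.1", 16))   # True  (same /16)
    print(same_network("192.168.0.1", "192.168.1.1", 24))   # False (different /24s)
    nets = subnets("192.168.0.0", 16, 28)
    print(len(nets), nets[0], nets[1], nets[-1])           # 4096 192.168.0.0/28 192.168.0.16/28 192.168.255.240/28
```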
This can be done with any octets you are working with; you just NEED TO REMEMBER RFC 1918:
Class - Network
A - 10.0.0.0 to 10.255.255.255 - 10.0.0.0/8 or 10.0.0.0 255.0.0.0 - 24-bit block
B - 172.16.0.0 to 172.31.255.255 - 172.16.0.0/12 or 172.16.0.0 255.240.0.0 - 20-bit block
C - 192.168.0.0 to 192.168.255.255 - 192.168.0.0/16 or 192.168.0.0 255.255.0.0 - 16-bit block
The last idea about IPv4 is determining network/subnet counts and host counts: understanding how to design an IPv4 network to allow the proper number of networks versus the proper number of hosts.
In networking itself, and at exam time, you may inevitably be asked a certain type of subnetting question:
If you have a network that requires a maximum of 500 hosts, a network that requires 255 hosts, and a network that requires 1500 hosts, using the 192.168.0.0 Class C network, provide the proper networks and subnet masks.
First of all we need to be aware that the first and last IP addresses in a subnet are reserved for the network-id and the broadcast address, e.g. in 192.168.0.0/24, 192.168.0.0 is the network-id and 192.168.0.255 is the broadcast address.
The math for this count is 2^n - 2; for 8 host bits that is 2^8 - 2 = 256 - 2 = 254 possible hosts.
Answering the previous question, you have to ask yourself: how do we get our counts to the proper required bits?
500 hosts = 9 bits, 2^9 - 2 = 510
255 hosts: 8 bits would be 2^8 - 2 = 256 - 2 = 254, so that wouldn't work. We would need, like the previous answer, 9 bits: 2^9 - 2 = 510.
1500 hosts = 11 bits, 2^11 - 2 = 2046.
We must go back to our counting:
| 2^0 | 2^1 | 2^2 | 2^3 | 2^4 | 2^5 | 2^6 | 2^7 | 2^8 |
| 1 | 2 | 4 | 8 | 16 | 32 | 64 | 128 | 256 |
| 2^9 | 2^10 | 2^11 | 2^12 | 2^13 | 2^14 | 2^15 | 2^16 |
| 512 | 1,024 | 2,048 | 4,096 | 8,192 | 16,384 | 32,768 | 65,536 |
| 2^17 | 2^18 | 2^19 | 2^20 | 2^21 | 2^22 | 2^23 | 2^24 |
| 131,072 | 262,144 | 524,288 | 1,048,576 | 2,097,152 | 4,194,304 | 8,388,608 | 16,777,216 |
| 2^25 | 2^26 | 2^27 | 2^28 | 2^29 | 2^30 | 2^31 | 2^32 |
| 33,554,432 | 67,108,864 | 134,217,728 | 268,435,456 | 536,870,912 | 1,073,741,824 | 2,147,483,648 | 4,294,967,296 |
All you have to do is look at this table and realize that each bit you take for either the network side or the host side will in essence double the number of addresses available to you.
The easiest way I can think of doing this is starting at 8 bits, or /24, and going from there.
If I need 1000 hosts I just think: 8 = 256, 9 = 512, 10 = 1024, and that's my answer: I need 10 host bits in order to have 1000 hosts on a network.
It goes the same way for networks and subnetting; of course you must remember the RFC 1918 private networks.
If I have 192.168.0.0 and I need 1000 networks I think the same way, and I need 10 bits to get me to 1000.
Looking at 192.168.0.0, I know it's normally a /16, so I add 10 to that and get /26, which is 255.255.255.192, or:
192.168.0.0
192.168.0.64
192.168.0.128
192.168.0.192
...
192.168.255.192
I will have 2^10 or 1024 possible networks, with each network containing 2^6 - 2 or 62 hosts.
Another way to look at 192.168.0.0/26 (n = network bits, s = subnet bits, h = host bits):
11000000.10101000.00000000.00000000
nnnnnnnn.nnnnnnnn.ssssssss.sshhhhhh
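As an added example (not code from the original page), this Python sizes host bits and network bits the way the sections above describe, and allocates the exam question's three networks (1500, 500 and 255 hosts) out of 192.168.0.0/16, largest first so every block stays aligned. The function names are my own; the allocation is one valid answer, not the only one.

```python
# Added example, not part of the original page: sizing host bits and network
# bits as described above, and allocating the exam question's three networks
# (1500, 500 and 255 hosts) out of 192.168.0.0/16. Function names are mine.
import ipaddress

def bits_for_hosts(hosts: int) -> int:
    """Smallest n with 2^n - 2 >= hosts (network-id and broadcast are unusable)."""
    n = 2                                    # fewer than 2 host bits leaves no usable host
    while (1 << n) - 2 < hosts:
        n += 1
    return n

def bits_for_networks(networks: int) -> int:
    """Smallest n with 2^n >= networks (1000 networks -> 10 bits)."""
    n = 0
    while (1 << n) < networks:
        n += 1
    return n

def prefix_for_hosts(hosts: int) -> int:
    return 32 - bits_for_hosts(hosts)

def design_networks(parent: str, networks: int) -> dict:
    """Borrow bits from the host side of `parent` to get `networks` subnets."""
    net = ipaddress.ip_network(parent)
    new_prefix = net.prefixlen + bits_for_networks(networks)
    if new_prefix > 30:
        raise ValueError("not enough host bits left for a usable network")
    return {
        "prefix": new_prefix,
        "mask": str(ipaddress.ip_network(f"0.0.0.0/{new_prefix}").netmask),
        "networks": 1 << (new_prefix - net.prefixlen),
        "hosts_per_network": (1 << (32 - new_prefix)) - 2,
    }

def allocate(parent: str, host_counts: list) -> list:
    """VLSM: hand out the largest requirement first so every block stays
    aligned to its own size; returns (hosts, network/prefix) pairs."""
    net = ipaddress.ip_network(parent)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    out = []
    for hosts in sorted(host_counts, reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if prefix < net.prefixlen or cursor + size > end:
            raise ValueError(f"{hosts} hosts do not fit in the remaining space of {parent}")
        assert cursor % size == 0, "descending order keeps the cursor aligned"
        out.append((hosts, f"{ipaddress.IPv4Address(cursor)}/{prefix}"))
        cursor += size
    return out

if __name__ == "__main__":
    for hosts in (500, 255, 1500):
        print(hosts, "hosts ->", bits_for_hosts(hosts), "host bits, /%d" % prefix_for_hosts(hosts))
    print(design_networks("192.168.0.0/16", 1000))   # /26, 255.255.255.192, 1024 networks, 62 hosts each
    print(allocate("192.168.0.0/16", [500, 255, 1500]))
```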
IPv6
IPv6 is a 128-bit numbering system written as eight (8) groups of sixteen (16) bits in hexadecimal. Like IPv4 it lets you address a computer system much like a home address, and it gives administrators and engineers the ability to segment by geographic location, department and security boundary, or simply to keep certain devices away from the more "chatty" systems; for example, keeping phones off the same network as computers.
There are additional items to be aware of when it comes to IPv6, and the set of changes over the years is rather complicated.
The most recent specification, RFC 8200, has been released and standardized and is hopefully the LAST such RFC we see; you can read the RFC here.
The most recent full Addressing Architecture, RFC 4291, can be read here.
IPv6 has gone through the following RFCs throughout the years:
RFC 8200 Internet Protocol, Version 6 (IPv6) Specification - July 2017
RFC 2460 - December 1998, which is updated by: 5095, 5722, 5871, 6437, 6564, 6935, 6946, 7045, 7112
RFC 1883 - December 1995
For the addressing of IPv6:
RFC 4291 IP Version 6 Addressing Architecture - February 2006
Keep in mind that RFC 4291 has been updated several times, by: 5952, 6052, 7136, 7346, 7371, 8064
RFC 3513 - April 2003
RFC 2373 - July 1998
RFC 1884 - December 1995
IPv6 is rather similar to IPv4; it is just a much larger method of identification for computer systems. Unlike IPv4, which writes the binary address in decimal, IPv6 writes the binary address in hexadecimal.
IPv4 = 192.168.0.0/16
IPv6 = fe80:0000:0000:0000:0000:0000:0000:0000/64
As an example:
1234:5678:9012:3456:7890:1234:5678:9012/64 - IPv6 doesn't use a dotted subnet mask; IPv6 uses a prefix (mask) length, because a mask spelled out in 16-bit groups would be 65535:65535:65535:65535:0:0:0:0 in decimal (FFFF:FFFF:FFFF:FFFF:0:0:0:0 in hex).
Each 16-bit group (hextet) can take the values below, providing 2^16 = 65,536 possibilities per group:
0000-FFFF : 0000-FFFF : 0000-FFFF : 0000-FFFF : 0000-FFFF : 0000-FFFF : 0000-FFFF : 0000-FFFF
Both of these labels describe the network; in this case you have eight sixteen-bit groups written in hexadecimal. A bit is still binary, 1 or 0, but each hexadecimal character represents four bits and so has sixteen possible values (0-F), whereas in decimal each character has 10 possible values: 0-9.
| 00000000 | 00000001 | 00000010 | 00000011 | 00000100 | 00000101 | 00000110 | 00000111 | 00001000 | 00001001 | 00001010 | 00001011 | 00001100 | 00001101 | 00001110 | 00001111 |
| 00 | 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 0A | 0B | 0C | 0D | 0E | 0F |
| 00010000 | 00010001 | 00010010 | 00010011 | 00010100 | 00010101 | 00010110 | 00010111 | 00011000 | 00011001 | 00011010 | 00011011 | 00011100 | 00011101 | 00011110 | 00011111 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 1A | 1B | 1C | 1D | 1E | 1F |
| 11110000 | 11110001 | 11110010 | 11110011 | 11110100 | 11110101 | 11110110 | 11110111 | 11111000 | 11111001 | 11111010 | 11111011 | 11111100 | 11111101 | 11111110 | 11111111 |
| F0 | F1 | F2 | F3 | F4 | F5 | F6 | F7 | F8 | F9 | FA | FB | FC | FD | FE | FF |
Keep in mind that the previous table uses eight (8) bits only, i.e. two hex characters, which is only half of each 16-bit group.
As an example: FE80 = 11111110 10000000
There are a few other items you need to be aware of when writing IPv6:
You can use :: in place of one or more consecutive groups of 0000 (only once per address); for example FE80:0000:0000:0000:1234:5678:9012:3456 can be written as FE80::1234:5678:9012:3456
You can also remove leading zeros within a group; for example FE80:0000:0000:0000:0001:0002:0003:0004 can be written as FE80::1:2:3:4
Address Type Identification
| Address Type | Binary Prefix | IPv6 Notation | Section in RFC |
| Unspecified | 00...0 (128 bits) | ::/128 | 2.5.2 |
| Loopback | 00...1 (128 bits) | ::1/128 | 2.5.3 |
| Multicast | 11111111 | FF00::/8 | 2.7 |
| Link-Local unicast | 1111111010 | FE80::/10 | 2.5.6 |
| Global Unicast | Everything Else | | |
Anycast addresses are taken from the unicast address spaces (of any scope) and are not syntactically distinguishable from unicast addresses
IPv6 unicast addresses are aggregatable with prefixes of arbitrary bit-length, similar to IPv4 addresses under Classless Inter-Domain Routing
There are a few different types of IPv6 addresses assigned to a node's interface: Global Unicast, Site-Local, and Link-Local; as of RFC 3879 Site-Local addresses have been deprecated and are no longer recognized.
Unicast addresses consist of a subnet prefix and an Interface ID: n bits for the prefix (the network mask length) and 128 - n bits for the interface identifier.
Interface Identifiers
Interface identifiers in IPv6 unicast addresses are used to identify interfaces on a link. They are required to be unique within a subnet prefix.
Example: FE80::d9e5:1832:257a:fe7a%4 (the %4 is the zone index, i.e. the interface the address belongs to on that host)
Unspecified Address
The unspecified address 0:0:0:0:0:0:0:0 (::) must never be assigned to a node; it indicates the absence of an address.
Loopback Address
Loopback address: 0:0:0:0:0:0:0:1 or ::1 is used to send a packet from a node to itself; it must not be assigned to any interface, it is treated as having Link-Local scope, and its equivalent in IPv4 is 127.0.0.1.
Global Unicast Address
The global unicast address consists of 3 parts:
Global Routing Prefix - n bits - the value assigned to a site
Subnet ID - m bits - identifies a subnet within that site
Interface ID - 128 - n - m bits - identifies the particular interface
All Global Unicast addresses other than those that start with binary 000 have a 64-bit Interface ID field, i.e. n + m = 64
IPv6 Address with embedded IPv4 address
IPv4 compatible IPv6 Address
::192.168.0.0/96
IPv4-Mapped IPv6 Address
::FFFF:192.168.0.0/96
Link-Local Address
Link-Local addresses are for use on a single link. Link-Local addresses have the following format:
The first 10 bits are always 1111111010 (FE80::/10), the next 54 bits are 0, and the last 64 bits are the interface ID, pseudo-random and unique on the link.
Example: FE80::d9e5:1832:257a:fe7a%4
By default your Windows 10 desktops and servers have a Link-Local address automatically assigned; if you go to the command prompt in Windows and type "ipconfig" you will see the IPv6 Link-Local address along with the IPv4 address, and "ipconfig /all" will show you other information such as your MAC address.
Anycast Address
An IP address taken from the unicast address space that is applied to multiple interfaces on multiple nodes; routing delivers traffic destined to this address to the nearest such node, which then responds to the conversation.
Multicast Address
Like IPv4, the multicast address is meant for a one-to-many flow; for IPv6 multicast you have to be aware of its layout:
The first eight (8) bits are always 11111111 or FF, the next 4 bits are flags, the next 4 bits are the scope, and the rest is the group ID of the multicast address.
There are four flag bits: 0 R P T
The high-order bit is reserved and always 0
T = 0 is a permanently assigned or well-known multicast address, assigned by the Internet Assigned Numbers Authority (IANA).
T = 1 is a non-permanently-assigned (transient or dynamically assigned) multicast address
P = 0 indicates a multicast address that is not assigned based on the network prefix
P = 1 indicates a multicast address that is assigned based on the network prefix
If P = 1, T MUST be set to 1
R = 0 indicates that the multicast address does NOT contain an embedded RP address
R = 1 indicates a multicast address that embeds the address of the RP (Rendezvous Point)
Multicast Scope
0 - Reserved
1 - Interface Local Scope
2 - Link-Local Scope
3 - Reserved
4 - Admin-Local
5 - Site-Local
6 - Unassigned
7 - Unassigned
8 - Unassigned
9 - Unassigned
A - Unassigned
B - Unassigned
C - Unassigned
D - Unassigned
E - Global Scope
F - Reserved
Examples:
NTP servers based on scope:
FF01::101 means all NTP servers on the same interface and the same node as the sender
FF02::101 means all NTP servers on the same link as the sender
FF05::101 means all NTP servers in the same site as the sender
FF0E::101 means all NTP servers in the Internet
When looking at multicast in terms of routing protocols, we see that the FF02:: link-local scope is the IPv6 equivalent of the link-local multicast range (224.0.0.x) that IPv4 routing protocols use.
Example: EIGRP IPv4 multicast = 224.0.0.10, EIGRP IPv6 multicast = FF02::A
Other examples:
| Address | Interface-Local (FF01) | Link-Local (FF02) | Site-Local (FF05) |
| All Nodes Addresses | FF01::1 | FF02::1 | |
| All Routers Addresses | FF01::2 | FF02::2 | FF05::2 |
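As an added example (not code from the original page), this Python classifies an address using the RFC 4291 prefixes from the Address Type Identification table and decodes the flag and scope nibbles of a multicast address as laid out above. It uses the standard library only to expand the text form; the function names and the scope names map are my own (values the list above marks unassigned are reported as "unassigned").

```python
# Added example, not part of the original page: identify an address by the
# RFC 4291 prefixes in the table above and decode the flag/scope nibbles of
# a multicast address. The standard library is used only to parse the text form.
import ipaddress

SCOPES = {0x0: "reserved", 0x1: "interface-local", 0x2: "link-local",
          0x3: "reserved", 0x4: "admin-local", 0x5: "site-local",
          0xE: "global", 0xF: "reserved"}      # everything else: "unassigned" in the list above

def address_type(addr: str) -> str:
    a = int(ipaddress.IPv6Address(addr))      # 128-bit integer, leftmost bit is bit 127
    if a == 0:
        return "unspecified"                   # ::/128
    if a == 1:
        return "loopback"                      # ::1/128
    if a >> 120 == 0xFF:
        return "multicast"                     # FF00::/8
    if a >> 118 == 0b1111111010:
        return "link-local unicast"            # FE80::/10
    if a >> 32 == 0xFFFF:
        return "IPv4-mapped"                   # ::FFFF:0:0/96
    return "global unicast"                    # everything else

def decode_multicast(addr: str) -> dict:
    """Layout: FF | flags (4 bits: 0 R P T) | scope (4 bits) | group ID (112 bits)."""
    a = int(ipaddress.IPv6Address(addr))
    if a >> 120 != 0xFF:
        raise ValueError(f"{addr} is not a multicast address")
    flags = (a >> 116) & 0xF
    scope = (a >> 112) & 0xF
    r, p, t = (flags >> 2) & 1, (flags >> 1) & 1, flags & 1
    if flags & 0x8:
        raise ValueError("high-order flag bit must be 0")
    if p and not t:
        raise ValueError("P = 1 requires T = 1")
    return {"R": r, "P": p, "T": t,
            "well_known": t == 0,            # T = 0: permanent, IANA-assigned
            "scope": SCOPES.get(scope, "unassigned"),
            "group_id": a & ((1 << 112) - 1)}

if __name__ == "__main__":
    for addr in ("::", "::1", "FF02::A", "FE80::d9e5:1832:257a:fe7a",
                 "::FFFF:192.168.0.0", "2001:db8::1"):
        print(addr, "->", address_type(addr))
    for addr in ("FF01::101", "FF02::101", "FF05::101", "FF0E::101", "FF15::1"):
        print(addr, "->", decode_multicast(addr))
```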
Access Control Lists
Access-lists are used for many purposes within Cisco IOS; we will discuss how access-lists are used and configured, as well as the various uses for them within Cisco networking.
For an access-list to work correctly you have to use all of the previous information and knowledge in order to create a proper selection of IPs: you must select the IP address or network that needs to be deemed interesting and then specify its inverse mask:
example 192.168.100.0 0.0.0.255
As you see here the subnet mask is inverted, i.e. the wildcard is the inverse of the mask (255.255.255.0 becomes 0.0.0.255).
One of the other items we will be looking at here is the concept of an ip prefix-list, which in and of itself is an access control list; however, it uses CIDR notation rather than an inverse mask:
example 192.168.100.0/24 le 32 ge 1
We will cover this after the ACL theory and implementation.
access-list access-list-number {permit | deny} {source [source-wildcard] | host hostname | any}
ip access-list standard {access-list-name}
[sequence-number] {permit | deny} {source [source-wildcard] | host hostname | any}
access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [log]
ip access-list extended {access-list-name}
[sequence-number] {permit | deny} protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [log]
Applies the access-list to an interface inbound or outbound
ip access-group {access-list-number | access-list-name} {in | out}
Access-lists can be referenced by number or by name; names are only available with the ip access-list form.
Access control list configuration examples:
- Standard Access-list 1-99 & 1300-1999
- The standard numbered access-list is a single line, if you mess up typically you will have to delete the entire access-list and recreate it
- access-list 1
- access-list 1 permit any
- access-list 1 permit 192.168.100.0 0.0.0.255
- access-list 1 deny any log <-- typically done to see a counter of denies
- Specifying the ip as type of access-list allows for the use of sequence numbers, you can add/remove sequence numbers individually. Default sequence is every 10
- ip access-list standard 1
- 10 permit any
- 100 permit 192.168.100.0 0.0.0.255
- 1000 deny any log <-- typically done to see a counter of denies
- no 10
- 10 permit 192.168.0.0 0.0.255.255
- Extended Access-list 100-199 & 2000-2699
- The Extended ACL allows for the specification of source and destination addresses as well as matching on protocols such as ip, tcp, udp, eigrp, etc.
- The extended numbered access-list is also a single line per entry; if you mess up you will typically have to delete the entire access-list and recreate it
- access-list 100 permit ip
- access-list 100 permit ip any any
- access-list 100 permit ip host 192.168.100.1 host 192.168.101.1
- access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
- access-list 100 permit ip host 192.168.100.1 192.168.200.0 0.0.0.255
- access-list 100 permit ip 192.168.100.0 0.0.0.255 host 192.168.200.1
- access-list 100 permit tcp
- access-list 100 permit tcp any any
- access-list 100 permit tcp host 192.168.100.1 eq 80 host 192.168.101.1 <-- port matching (eq) requires tcp or udp, not ip
- access-list 100 permit tcp 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 eq 80
- access-list 100 permit tcp host 192.168.100.1 eq 443 192.168.200.0 0.0.0.255 eq 443
- access-list 100 permit tcp 192.168.100.0 0.0.0.255 host 192.168.200.1 eq 443
- access-list 100 permit tcp host 192.168.200.1 eq 443 192.168.100.0 0.0.0.255
- access-list 100 permit udp any any
- access-list 100 permit eigrp any any
- access-list 100 permit tcp any any eq bgp <-- BGP runs over TCP port 179, so it is matched as a tcp port rather than as a protocol
- Specifying the ip form of the access-list allows for the use of sequence numbers; you can add/remove sequence numbers individually. The default sequence step is 10
- ip access-list extended 100
- permit ip any any
- permit tcp any any eq 443
- permit tcp any eq 443 any
- no 30 <-- removes the previous sequence number, 30
- 100 permit udp any any
- 200 permit udp any eq bootps any eq bootpc
- 1000 permit eigrp any any
- 10000 deny ip any any
- 30 permit udp any eq 43 any <-- recreates 30 with different values
Every statement above can be either permit or deny.
You have to permit or deny based on protocol: ip, tcp, udp, eigrp, etc.
The network selection, if not a single host, is determined using the source-wildcard/inverse subnet mask.
You can also specify other items such as "precedence", "tos", "fragments", "time-range" and "log".
All access-lists have an implicit "deny" at the end of the list; you will not see it. As mentioned above, many admins include a deny any or deny ip any any with the log or log-input keyword to get a counter of hits for those denied packets.
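As an added example (not code from the original page or from Cisco), this Python derives the wildcard (inverse) mask and walks a list of entries the way IOS does: top to bottom, first match wins, and anything that falls off the end hits the implicit deny. The ACL is constructed here in the style of the extended examples above; only the destination port form of `eq` is modelled, and the names are my own.

```python
# Added example, not part of the original page: wildcard (inverse) masks and
# a small evaluator that applies entries in order, first match wins, with the
# implicit deny at the end. Only destination-port 'eq' matching is modelled.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def wildcard(mask: str) -> str:
    """Subnet mask -> wildcard: 255.255.255.0 -> 0.0.0.255 (bitwise NOT)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def wildcard_match(addr: str, base: str, wc: str) -> bool:
    """A 0 bit in the wildcard must equal the base address; a 1 bit is 'don't care'."""
    care = int(ipaddress.IPv4Address(wc)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

ANY = ("0.0.0.0", "255.255.255.255")           # 'any': every bit is don't-care
def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")                      # 'host x': every bit must match

@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol; else "tcp", "udp", ...
    src: Tuple[str, str]          # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None   # 'eq <port>' on the destination, if present

def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Return (action, index of the matching entry); index None = implicit deny."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None                         # nothing matched: implicit deny

# Constructed ACL in the style of the extended examples above.
ACL = [
    Entry("permit", "ip",  host("192.168.100.1"), host("192.168.101.1")),
    Entry("permit", "tcp", ("192.168.100.0", "0.0.0.255"), host("192.168.200.1"), 443),
    Entry("deny",   "ip",  ANY, ANY),           # explicit 'deny ip any any log' hit counter
]

if __name__ == "__main__":
    print(wildcard("255.255.255.0"), wildcard("255.255.255.240"))         # 0.0.0.255 0.0.0.15
    print(evaluate(ACL, "tcp", "192.168.100.1", "192.168.101.1", 22))     # ('permit', 0)
    print(evaluate(ACL, "tcp", "192.168.100.25", "192.168.200.1", 443))   # ('permit', 1)
    print(evaluate(ACL, "udp", "192.168.100.25", "192.168.200.1", 443))   # ('deny', 2)
    print(evaluate(ACL[:2], "udp", "10.0.0.1", "192.168.200.1"))          # ('deny', None)
```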
Here are some other numbering schemes for more advanced options (keep in mind most of these are informational and you will probably never use them):
| Protocol | Range |
| Standard IP | 1-99 & 1300-1999 |
| Extended IP | 100-199 & 2000-2699 |
| Ethernet type code | 200-299 |
| Ethernet address | 700-799 |
| Transparent bridging (protocol type) | 200-299 |
| Transparent bridging (vendor code) | 700-799 |
| Extended transparent bridging | 1100-1199 |
| DECnet and extended DECnet | 300-399 |
| Xerox Network Systems (XNS) | 400-499 |
| Extended XNS | 500-599 |
| AppleTalk | 600-699 |
| Source-route bridging (protocol type) | 200-299 |
| Source-route bridging (vendor code) | 700-799 |
| Internetwork Packet Exchange (IPX) | 800-899 |
| Extended IPX | 900-999 |
| IPX Service Advertising Protocol (SAP) | 1000-1099 |
| Standard Virtual Integrated Network (VINES) | 1-100 |
| Extended VINES | 101-200 |
| Simple VINES | 201-300 |