3.5 Subnetting & DHCP
The Mathematics of Network Boundaries
In a small home network, your router gives your phone an IP address, and everything magically works. But when you are building an enterprise network with 5,000 computers, 400 security cameras, and 50 servers across different VLANs, you cannot rely on magic. You have to understand the exact mathematical boundaries of your networks and how to automate the distribution of addresses.
1. The DHCP Lifeline (The D.O.R.A. Process)
Manually typing IP addresses into thousands of computers is impossible. The Dynamic Host Configuration Protocol (DHCP) automates this.
When a brand-new computer is plugged into a network switch, it has no IP address, no idea where the router is, and no idea how to talk to the internet. It initiates a 4-step sequence called D.O.R.A.:
- Discover: The PC sends a broadcast shout to the entire local network: "Is there a DHCP server out here? I need an IP!"
- Offer: The enterprise DHCP server hears the shout, checks its pool of available addresses (the Scope), and replies: "I have 192.168.10.50 available."
- Request: The PC replies back: "I accept 192.168.10.50. Please reserve it for me."
- Acknowledge: The server finalizes the transaction, records the PC's MAC address in its database, and gives the PC a "Lease" (e.g., this IP is yours for exactly 8 hours).
Enterprise Reservation: Servers and network printers should never have changing IP addresses. Instead of manually typing a static IP on the server itself, engineers create a "DHCP Reservation." They tell the DHCP server: "Whenever you see the physical MAC address of the printer, always give it 10.0.0.100." This keeps all IP management centralized on one server.
2. The Subnet Mask: The Decoder Ring
An IP address like 192.168.1.50 is just a string of numbers. By looking at it, a computer does not know if that IP is sitting on the desk next to it, or if it is located in a datacenter in Japan.
To figure this out, the computer uses the Subnet Mask.
- A classic subnet mask looks like this: 255.255.255.0.
- The 255 means "Network". The 0 means "Host" (the individual computer).
- If two computers have the exact same Network portion, they are on the same local network (the same switch or VLAN). They can talk directly.
- If the Network portions are different, the computer knows it must send the data to the Default Gateway (the Router) to reach the outside world.
3. CIDR Notation and Network Math
Writing out 255.255.255.0 is tedious. Modern engineers use CIDR (Classless Inter-Domain Routing) Notation. Instead of writing the mask, they write a slash followed by the number of "Network Bits."
- The /24 Network: A /24 is exactly the same as 255.255.255.0. It gives you 254 usable IP addresses. This is standard for a home router or a single small office VLAN.
- The Bounds of the Network: Every subnet has two IPs you cannot assign to a computer:
  - The Network Address (the very first IP): e.g., 192.168.1.0. This identifies the network itself.
  - The Broadcast Address (the very last IP): e.g., 192.168.1.255. If you send a packet to this IP, the switch copies it and floods it to every single PC on the network.
- Scaling Up: What if you have 400 computers on one floor? A /24 network (254 hosts) is too small. An engineer will change the CIDR to a /23. A /23 network gives you 510 usable hosts, effectively merging two /24 networks together mathematically. The /23 must start on an even third octet: 192.168.0.0/23 spans 192.168.0.0 through 192.168.1.255, whereas 192.168.1.0/23 is not a valid network address.
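The mask, CIDR and /23 arithmetic above, worked through in code. This is an added example, not part of the original notes; the function names and the sample addresses are my own, and it uses only bit operations so the "network bits vs. host bits" logic is visible rather than hidden in a library.

```python
"""Subnet math from scratch: CIDR prefix -> mask, network and broadcast
addresses, usable host count, and the same-network check a host performs
before deciding whether to deliver directly or via the default gateway."""


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad string such as '192.168.1.50' into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits are 1 (network), the rest 0 (host)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr: str) -> dict:
    """Return network, broadcast, dotted mask, first/last host and usable host count."""
    ip, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip) & mask            # keep network bits, zero the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)  # network bits plus all host bits set
    if prefix <= 30:
        usable, first, last = broadcast - network - 1, network + 1, broadcast - 1
    else:  # /31 point-to-point links (RFC 3021) and /32 host routes use every address
        usable, first, last = 2 ** (32 - prefix), network, broadcast
    return {"network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
            "mask": int_to_ip(mask), "first_host": int_to_ip(first),
            "last_host": int_to_ip(last), "usable_hosts": usable}


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """Same network bits -> deliver directly on the LAN; otherwise send to the gateway."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


if __name__ == "__main__":
    for cidr in ("192.168.1.50/24", "10.20.1.77/23"):   # constructed sample addresses
        print(cidr, subnet_info(cidr))
    print(same_subnet("192.168.1.50", "192.168.1.200", 24))  # True: same /24, direct
    print(same_subnet("192.168.1.50", "192.168.2.10", 24))   # False: different /24, via gateway
    print(same_subnet("192.168.0.200", "192.168.1.50", 23))  # True: one /23 spans both /24s
```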
4. Rogue DHCP and Security
What happens if a well-meaning employee brings a cheap Wi-Fi router from home and plugs it into the corporate wall jack so they get better signal at their desk?
That home router has its own DHCP server turned on by default. It becomes a Rogue DHCP Server. When other enterprise PCs ask for an IP address, the rogue home router might answer faster than the corporate server, and a client accepts the first Offer it hears. It hands out wrong, dead-end IP addresses and gateway settings, taking down internet access for the entire floor. On enterprise switches, engineers must enable a security feature called DHCP Snooping: only the uplink port toward the real DHCP server is marked as trusted, and DHCP Offer and Acknowledge messages arriving on any other (untrusted) port are dropped and logged.