Network Layer and IP Addressing – Subnetting, CIDR, ARP, DHCP and ICMP Explained
What You Will Learn
- What the network layer does and how routing works
- IPv4 address structure, classes, and private address ranges
- Subnetting: calculating network ID, broadcast, usable hosts
- CIDR notation and supernetting (route aggregation)
- ARP, RARP, DHCP, and ICMP — what each does
- NAT — how home routers share one public IP
- IPv6 — structure, advantages, and dual-stack
1. Network Layer Overview
The network layer (Layer 3 in the OSI model) is responsible for logical addressing and routing — getting packets from a source host to a destination host across multiple networks, potentially traversing many routers along the way.
While the Data Link layer handles communication between two directly connected devices on the same network, the Network layer handles end-to-end delivery across different networks. Every time a packet crosses from one network to another, it passes through a router — a device that operates at Layer 3.
Key Network Layer Functions
- Logical Addressing: Assigns IP addresses to identify source and destination hosts globally
- Routing: Determines the best path for packets through the network of routers
- Packet Forwarding: Moves packets from input to output interface based on routing table
- Fragmentation: Breaks large packets into smaller pieces if the next link’s MTU (Maximum Transmission Unit) is smaller
- Logical Network Separation: Separates networks into distinct logical entities (subnets)
2. IPv4 Address Structure
An IPv4 address is a 32-bit number, written as four groups of decimal numbers (0–255) separated by dots — called dotted-decimal notation.
For example, 192.168.10.5 in binary is 11000000.10101000.00001010.00000101
Each of the four groups is called an octet (8 bits).
Range: 0.0.0.0 to 255.255.255.255 = 2³² = 4,294,967,296 total addresses
An IPv4 address has two parts:
- Network portion: Identifies which network the device is on — shared by all devices on the same subnet
- Host portion: Identifies the specific device within that network — unique per device
The subnet mask determines which bits belong to the network portion (mask bits = 1) and which to the host portion (mask bits = 0).
Special IPv4 Addresses
| Address | Meaning |
|---|---|
| 0.0.0.0 | This host on this network (unspecified/default route) |
| 127.0.0.1 (127.x.x.x) | Loopback — refers to the device itself; used for testing |
| 255.255.255.255 | Limited broadcast — broadcast to all devices on the local network |
| x.x.x.255 (host bits all 1s) | Directed broadcast — broadcast to all hosts on a specific subnet |
| x.x.x.0 (host bits all 0s) | Network address — identifies the subnet; not assignable to a host |
Private IP Address Ranges (RFC 1918)
| Range | CIDR | Number of Addresses | Typical Use |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 16,777,216 | Large enterprise networks |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 1,048,576 | Medium networks |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 | Home and small office networks |
Private addresses are not routable on the public internet — routers will not forward packets from/to these ranges. NAT (Network Address Translation) is used to connect private networks to the internet.
3. IP Address Classes
The original IPv4 design divided the address space into classes based on the first few bits. This classful system is largely superseded by CIDR, but understanding classes is foundational.
| Class | First Bits | First Octet Range | Default Mask | Networks | Hosts/Network | Purpose |
|---|---|---|---|---|---|---|
| A | 0 | 1–126 | /8 (255.0.0.0) | 126 | 16,777,214 | Very large networks |
| B | 10 | 128–191 | /16 (255.255.0.0) | 16,384 | 65,534 | Large networks |
| C | 110 | 192–223 | /24 (255.255.255.0) | 2,097,152 | 254 | Small networks |
| D | 1110 | 224–239 | — | — | — | Multicast |
| E | 1111 | 240–255 | — | — | — | Reserved/Experimental |
4. Subnetting
Subnetting divides a large network into smaller sub-networks (subnets) by borrowing bits from the host portion of the address. This improves security, reduces broadcast traffic, and enables more efficient IP allocation.
How to Subnet — Step by Step
Step 1: Convert prefix to subnet mask
/26 → 26 ones + 6 zeros = 11111111.11111111.11111111.11000000 = 255.255.255.192
Step 2: Find Network Address (AND of IP with subnet mask)
192.168.10.100 AND 255.255.255.192:
100 in binary = 01100100
192 in binary = 11000000
AND = 01000000 = 64
Network address = 192.168.10.64
Step 3: Find Broadcast Address (set all host bits to 1)
Host bits = 6, host portion of 64 = 01000000 → set host bits to 1: 01111111 = 127
Broadcast = 192.168.10.127
Step 4: Usable host range
First host = 192.168.10.65 (network + 1)
Last host = 192.168.10.126 (broadcast – 1)
Total usable hosts = 2^6 – 2 = 62
Subnetting Quick Reference
| Prefix | Subnet Mask | Addresses | Usable Hosts | Block Size |
|---|---|---|---|---|
| /24 | 255.255.255.0 | 256 | 254 | 256 |
| /25 | 255.255.255.128 | 128 | 126 | 128 |
| /26 | 255.255.255.192 | 64 | 62 | 64 |
| /27 | 255.255.255.224 | 32 | 30 | 32 |
| /28 | 255.255.255.240 | 16 | 14 | 16 |
| /29 | 255.255.255.248 | 8 | 6 | 8 |
| /30 | 255.255.255.252 | 4 | 2 | 4 |
| /32 | 255.255.255.255 | 1 | 0 (host route) | 1 |
Need at least 50 hosts → need at least 6 host bits (2^6 – 2 = 62 hosts)
Host bits = 6 → prefix = 32 – 6 = /26
Subnets: 2^(26-24) = 4 subnets ✓
Subnet 1: 192.168.1.0/26 (hosts: .1 – .62, broadcast: .63)
Subnet 2: 192.168.1.64/26 (hosts: .65 – .126, broadcast: .127)
Subnet 3: 192.168.1.128/26 (hosts: .129 – .190, broadcast: .191)
Subnet 4: 192.168.1.192/26 (hosts: .193 – .254, broadcast: .255)
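Steps 1 to 4 and the 50-host sizing that follows the quick reference table, carried out with integer bit operations for any address and prefix. This is an added Python example, not part of the original tutorial; the function names are illustrative, and the bit arithmetic is cross-checked against the standard `ipaddress` module.

```python
import ipaddress

def ip_to_int(ip):
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def subnet_info(ip, prefix):
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF   # Step 1: prefix -> mask
    network = ip_to_int(ip) & mask                  # Step 2: IP AND mask
    broadcast = network | (mask ^ 0xFFFFFFFF)       # Step 3: host bits all 1
    usable = max((1 << host_bits) - 2, 0)           # Step 4: 2^h - 2 (0 for /31, /32)
    # Cross-check the bit arithmetic against the standard library.
    ref = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    assert (str(ref.network_address), str(ref.broadcast_address)) == (
        int_to_ip(network), int_to_ip(broadcast))
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }

def prefix_for_hosts(hosts_needed):
    """Longest prefix (smallest subnet) that still has enough usable hosts."""
    host_bits = 2
    while host_bits < 32 and (1 << host_bits) - 2 < hosts_needed:
        host_bits += 1
    return 32 - host_bits

def split(network, parent_prefix, new_prefix):
    """Enumerate the 2^(new - parent) equal subnets of a parent block."""
    base = ip_to_int(subnet_info(network, parent_prefix)["network"])
    block = 1 << (32 - new_prefix)                  # block size in addresses
    count = 1 << (new_prefix - parent_prefix)
    return [subnet_info(int_to_ip(base + i * block), new_prefix) for i in range(count)]

if __name__ == "__main__":
    print(subnet_info("192.168.10.100", 26))
    p = prefix_for_hosts(50)
    for s in split("192.168.1.0", 24, p):
        print(f'{s["network"]}/{p}', s["first_host"], s["last_host"], s["broadcast"])
```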
5. CIDR and Supernetting
CIDR (Classless Inter-Domain Routing) was introduced in 1993 to replace the rigid class-based system. It allows any prefix length from /0 to /32, enabling flexible allocation of IP address blocks.
Supernetting (route aggregation) is the opposite of subnetting — it combines multiple contiguous networks into a single routing entry, reducing the size of routing tables.
Four networks: 200.10.0.0/24, 200.10.1.0/24, 200.10.2.0/24, 200.10.3.0/24
Together they cover 200.10.0.0 – 200.10.3.255.
Common prefix: 200.10.0.0 in binary: 11001000.00001010.00000000.00000000
Last two bits of third octet vary (00, 01, 10, 11) → common prefix = 22 bits
Aggregated route: 200.10.0.0/22
One routing entry covers all 4 networks (1024 addresses)
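The common-prefix calculation above as an added Python example (not from the original tutorial; `summarize` is an illustrative name). It goes one step further than the worked case and also reports any blocks the aggregate covers that were not among the inputs, which happens whenever the networks do not fill the aggregate exactly.

```python
import ipaddress

def summarize(cidrs):
    """Return (summary_route, extra_blocks) for a list of IPv4 CIDR strings."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Leading bits shared by the lowest and highest address = common prefix length.
    common = 32 - (lo ^ hi).bit_length()
    shift = 32 - common
    summary = ipaddress.ip_network(((lo >> shift) << shift, common))
    # Carve every input out of the summary; whatever is left was never an input.
    remaining = [summary]
    for n in nets:
        nxt = []
        for r in remaining:
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))
            elif not r.subnet_of(n):
                nxt.append(r)
        remaining = nxt
    return str(summary), [str(r) for r in sorted(remaining)]

if __name__ == "__main__":
    # The four networks from the text aggregate exactly.
    print(summarize(["200.10.0.0/24", "200.10.1.0/24",
                     "200.10.2.0/24", "200.10.3.0/24"]))
    # Constructed counter-case: two networks that straddle a /23 boundary.
    print(summarize(["200.10.1.0/24", "200.10.2.0/24"]))
```

A non-empty second element means the single entry would also match address space that was never listed, which matters when the same summary is reused in a filter rule rather than only in a routing table.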
6. ARP and RARP
ARP (Address Resolution Protocol) bridges the gap between Layer 3 (IP addresses) and Layer 2 (MAC addresses). When a device knows a destination IP address on its local network, it needs the MAC address to construct the Ethernet frame.
ARP Process
- Device A wants to send to 192.168.1.10 (on the same subnet)
- A checks its ARP cache — if 192.168.1.10’s MAC is cached, use it directly
- If not cached: A broadcasts an ARP Request: “Who has 192.168.1.10? Tell 192.168.1.5”
- All devices on the subnet receive the broadcast; only 192.168.1.10 responds
- 192.168.1.10 sends an ARP Reply (unicast): “192.168.1.10 is at MAC AA:BB:CC:DD:EE:FF”
- A stores this in its ARP cache (with a timeout, typically 20 minutes) and sends the packet
RARP (Reverse ARP) was the predecessor to DHCP — a diskless workstation could broadcast its MAC address and receive back its IP. Largely obsolete, replaced by DHCP/BOOTP.
IPv6 replacement for ARP: NDP (Neighbour Discovery Protocol) using ICMPv6 Neighbour Solicitation and Neighbour Advertisement messages.
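The cache-then-broadcast sequence of the ARP process, together with the choice a host makes before it sends any ARP Request: an on-subnet destination is resolved directly, anything else is resolved to the default gateway. This is an added Python example, not part of the original tutorial; the `Host` class, the `LINK` table standing in for the wire and the gateway MAC are constructed for illustration.

```python
import ipaddress

ARP_TIMEOUT = 20 * 60   # seconds; the typical cache lifetime quoted above

# Constructed sample: devices on the local link and their MAC addresses.
LINK = {"192.168.1.10": "AA:BB:CC:DD:EE:FF",
        "192.168.1.1": "02:00:00:00:00:01"}

class Host:
    def __init__(self, ip, prefix, gateway, link):
        self.iface = ipaddress.ip_interface(f"{ip}/{prefix}")
        self.gateway = ipaddress.ip_address(gateway)
        self.link = link        # stand-in for the wire: IP -> MAC
        self.cache = {}         # IP -> (MAC, expiry time)
        self.broadcasts = []    # every ARP Request this host had to send

    def next_hop(self, dst):
        """On-link destinations are resolved directly, all others via the gateway."""
        dst = ipaddress.ip_address(dst)
        return dst if dst in self.iface.network else self.gateway

    def resolve(self, dst, now):
        target = self.next_hop(dst)
        entry = self.cache.get(target)
        if entry and now < entry[1]:
            return entry[0]                      # cache hit, nothing on the wire
        self.broadcasts.append(f"Who has {target}? Tell {self.iface.ip}")
        mac = self.link.get(str(target))         # only the owner of the IP replies
        if mac is None:
            self.cache.pop(target, None)
            return None                          # nobody answered
        self.cache[target] = (mac, now + ARP_TIMEOUT)
        return mac

if __name__ == "__main__":
    a = Host("192.168.1.5", 24, "192.168.1.1", LINK)
    print(a.resolve("192.168.1.10", now=0))      # broadcast, then cached
    print(a.resolve("192.168.1.10", now=600))    # served from cache
    print(a.resolve("203.0.113.7", now=600))     # off-subnet: gateway's MAC
    print(a.broadcasts)
```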
7. DHCP
DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses and network configuration to devices when they join a network, eliminating the need for manual configuration.
DHCP DORA Process
| Step | Message | From → To | Description |
|---|---|---|---|
| 1 | Discover | Client → Broadcast | Client broadcasts: “I need an IP address” |
| 2 | Offer | Server → Client | Server offers an available IP address with lease time |
| 3 | Request | Client → Broadcast | Client broadcasts acceptance (in case multiple servers offered) |
| 4 | Acknowledge | Server → Client | Server confirms; client configures its network interface |
DHCP provides: IP address, subnet mask, default gateway, DNS server addresses, lease duration.
A DHCP lease can be renewed before it expires. If the lease expires, the client must go through DORA again. This allows IP addresses to be reused when devices leave the network.
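The DORA exchange with two servers on the link, as an added Python example (not part of the original tutorial). It shows why the Request is broadcast, since the server that was not chosen takes its offered address back, and how an expired lease returns to the pool. The class, the message dictionaries and the address pools are constructed for illustration and leave out renewal.

```python
class DhcpServer:
    def __init__(self, name, pool, lease_seconds):
        self.name, self.lease_seconds = name, lease_seconds
        self.free = list(pool)
        self.offered = {}     # client MAC -> address held back by an Offer
        self.leases = {}      # client MAC -> (address, expiry time)

    def expire(self, now):
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(ip)             # address becomes reusable

    def on_discover(self, mac, now):
        self.expire(now)
        if not self.free:
            return None                          # pool exhausted: stay silent
        ip = self.free.pop(0)
        self.offered[mac] = ip
        return {"type": "Offer", "server": self.name, "ip": ip,
                "lease": self.lease_seconds}

    def on_request(self, mac, server, ip, now):
        held = self.offered.pop(mac, None)
        if server != self.name or held != ip:
            if held:
                self.free.insert(0, held)        # not chosen: withdraw the offer
            return None
        self.leases[mac] = (ip, now + self.lease_seconds)
        return {"type": "Acknowledge", "server": self.name, "ip": ip,
                "expires": now + self.lease_seconds}

def dora(mac, servers, now):
    # Discover is a broadcast, so every server sees it and may Offer.
    offers = [o for o in (s.on_discover(mac, now) for s in servers) if o]
    if not offers:
        return None
    pick = offers[0]                             # client accepts the first Offer
    # Request is a broadcast too: it names the chosen server to all of them.
    acks = [a for a in (s.on_request(mac, pick["server"], pick["ip"], now)
                        for s in servers) if a]
    return acks[0] if acks else None

if __name__ == "__main__":
    a = DhcpServer("A", ["192.168.1.100", "192.168.1.101"], 3600)
    b = DhcpServer("B", ["192.168.1.200"], 3600)
    print(dora("aa:aa", [a, b], now=0))
    print(b.free)                                # B got its address back
```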
8. ICMP
ICMP (Internet Control Message Protocol) is a companion protocol to IP, used for error reporting and network diagnostics. It is NOT a transport protocol — it doesn’t carry user data. Instead, it carries messages about the IP network itself.
Common ICMP Message Types
| Type | Message | When Used |
|---|---|---|
| 0 / 8 | Echo Reply / Echo Request | ping — tests reachability and round-trip time |
| 3 | Destination Unreachable | Router cannot deliver a packet; includes sub-codes (host unreachable, port unreachable, fragmentation needed) |
| 11 | Time Exceeded | Packet’s TTL (Time to Live) reached 0; used by traceroute |
| 5 | Redirect | Router tells sender to use a different gateway for better routing |
| 12 | Parameter Problem | Invalid IP header fields |
How Ping and Traceroute Work
ping: Sends ICMP Echo Request to the target; target replies with Echo Reply. Measures round-trip time and packet loss.
traceroute: Sends packets with increasing TTL values (1, 2, 3…). Each router that decrements TTL to 0 sends back an ICMP Time Exceeded message — revealing its identity (IP address) and distance (RTT). This traces the complete path from source to destination.
9. NAT – Network Address Translation
NAT allows an entire private network to access the internet using a single public IP address. Your home router performs NAT — all your devices (laptop, phone, TV) share one public IP when browsing the internet.
How NAT Works (PAT — Port Address Translation)
- Device 192.168.1.10 opens a connection to google.com:443, using source port 54321
- Router records: {192.168.1.10:54321 ↔ public_IP:60001}
- Router rewrites packet: source = public_IP:60001, sends to Google
- Google responds to public_IP:60001
- Router looks up port 60001 in its NAT table → forwards to 192.168.1.10:54321
| NAT Type | Mapping | Use Case |
|---|---|---|
| Static NAT | One private IP ↔ one public IP (permanent) | Hosting servers behind NAT |
| Dynamic NAT | Private IP ↔ available public IP from a pool | Corporate networks with IP pools |
| PAT (NAPT) | Many private IPs ↔ one public IP (using ports) | Home routers, ISPs |
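The PAT steps above as a translation table, written as an added Python example (not part of the original tutorial). The `check_peer` option is an assumption that models a separate stateful-firewall rule, to show what the translation table alone does and does not decide; all addresses are documentation ranges chosen for illustration.

```python
class PatRouter:
    def __init__(self, public_ip, first_port=60001, check_peer=False):
        self.public_ip = public_ip
        self.next_port = first_port
        self.check_peer = check_peer   # assumption: an added firewall rule, not NAT
        self.by_private = {}           # (private IP, port) -> public port
        self.by_public = {}            # public port -> (private IP, port)
        self.peers = {}                # public port -> remote endpoints contacted

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port)
        if key not in self.by_private:             # first packet: record mapping
            self.by_private[key] = self.next_port
            self.by_public[self.next_port] = key
            self.peers[self.next_port] = set()
            self.next_port += 1
        port = self.by_private[key]
        self.peers[port].add((dst_ip, dst_port))
        return (self.public_ip, port, dst_ip, dst_port)   # rewritten source

    def inbound(self, src_ip, src_port, dst_port):
        key = self.by_public.get(dst_port)
        if key is None:
            return None                            # no mapping: nowhere to forward
        if self.check_peer and (src_ip, src_port) not in self.peers[dst_port]:
            return None                            # firewall rule: unknown sender
        return (src_ip, src_port, key[0], key[1])  # rewritten destination

if __name__ == "__main__":
    nat = PatRouter("203.0.113.5")
    print(nat.outbound("192.168.1.10", 54321, "198.51.100.20", 443))
    print(nat.inbound("198.51.100.20", 443, 60001))   # reply is translated back
    print(nat.inbound("198.51.100.20", 443, 60999))   # unmapped port: dropped
    print(nat.inbound("192.0.2.66", 4444, 60001))     # other sender, mapped port
    fw = PatRouter("203.0.113.5", check_peer=True)
    fw.outbound("192.168.1.10", 54321, "198.51.100.20", 443)
    print(fw.inbound("192.0.2.66", 4444, 60001))      # dropped by the added rule
```

In this model the table on its own forwards anything that arrives on a mapped port, whoever sent it; the sender check is a filtering decision layered on top of the translation.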
10. IPv6
IPv6 was developed to solve IPv4’s fundamental problem: address exhaustion. With 128-bit addresses, IPv6 provides 3.4 × 10³⁸ addresses — effectively unlimited.
IPv6 Address Format
Written as eight groups of four hexadecimal digits, separated by colons: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
Shorthand rules:
- Leading zeros in each group can be omitted: 0db8 → db8
- One or more consecutive all-zero groups can be replaced with :: (only once per address): 2001:db8::8a2e:370:7334
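Because of these two rules one address has many valid spellings, so addresses taken from logs or allowlists should be compared in a single normal form rather than as raw strings. The following is an added Python example, not part of the original tutorial: `expand` undoes both rules and `compress` applies them, with illustrative function names and no support for zone IDs or embedded IPv4 notation.

```python
import ipaddress
import string

def expand(addr):
    """Undo both shorthand rules: restore '::' and the leading zeros."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = head + ["0"] * missing + tail
    else:
        groups = addr.split(":")
    ok = all(1 <= len(g) <= 4 and set(g) <= set(string.hexdigits) for g in groups)
    if len(groups) != 8 or not ok:
        raise ValueError(f"not a plain IPv6 address: {addr!r}")
    return ":".join(g.zfill(4).lower() for g in groups)

def compress(addr):
    """Apply both rules; '::' goes on the first longest run of zero groups."""
    groups = [format(int(g, 16), "x") for g in expand(addr).split(":")]
    best_start, best_len, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    # The rule above permits '::' for a single zero group; the canonical text
    # form (RFC 5952) only shortens runs of two or more, which is used here.
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])

def same_address(a, b):
    return expand(a) == expand(b)

def matches_stdlib(addr):
    """Cross-check compress() against the standard library's rendering."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))
```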
IPv6 Address Types
| Type | Prefix | Description |
|---|---|---|
| Global Unicast | 2000::/3 | Globally routable public addresses (equivalent to public IPv4) |
| Link-Local | fe80::/10 | Valid only on the local link; auto-configured; cannot be routed |
| Unique Local | fc00::/7 | Private addresses (equivalent to RFC 1918 in IPv4) |
| Multicast | ff00::/8 | One-to-many; replaces IPv4 broadcast |
| Loopback | ::1/128 | Equivalent to 127.0.0.1 in IPv4 |
| Unspecified | ::/128 | Equivalent to 0.0.0.0 in IPv4 |
Key IPv6 Improvements over IPv4
- No broadcast: IPv6 uses multicast and anycast instead of broadcast, reducing network traffic
- Simplified header: Fixed 40-byte header (fewer fields than variable-length IPv4 header) for faster router processing
- SLAAC: Stateless Address Autoconfiguration — devices can generate their own IPv6 address without a DHCP server
- Built-in IPsec: Security (authentication and encryption) is a mandatory part of the IPv6 specification
- No fragmentation at routers: Routers don’t fragment IPv6 packets; end hosts do (using Path MTU Discovery)
- NDP replaces ARP: Neighbour Discovery Protocol uses ICMPv6 instead of the broadcast-heavy ARP
11. Common Misconceptions
- “The network address is the first usable host”: The network address (host bits all 0) and the broadcast address (host bits all 1) cannot be assigned to hosts. For a /24 network, .0 is the network address and .255 is the broadcast — usable hosts are .1 through .254 (254 hosts, not 256).
- “A /16 subnet mask is always 255.255.0.0”: This is only true if the prefix starts at a byte boundary. CIDR allows any prefix length. A /17 mask = 255.255.128.0, not easily aligned to a class boundary.
- “ARP is only for local networks”: ARP is indeed only for local link communication (same subnet). When sending to a different subnet, the device ARPs for the default gateway’s MAC address, not the final destination’s. The gateway then routes the packet onwards.
- “NAT is a security feature”: NAT is primarily an address conservation mechanism, not a security feature. The fact that internal devices are not directly addressable from the internet is a side effect, not the purpose. Firewalls provide actual security; NAT just translates addresses.
- “IPv6 has replaced IPv4”: IPv6 adoption is growing but the internet still runs predominantly on IPv4. Most infrastructure supports dual-stack (both protocols). Complete IPv4-to-IPv6 migration has been “imminent” for decades and remains ongoing as of 2025.
12. Frequently Asked Questions
How do you calculate subnet mask and number of hosts?
For prefix /n: subnet mask = n bits of 1 followed by (32-n) bits of 0. Usable hosts = 2^(32-n) – 2. Example: /26 → 255.255.255.192, hosts = 2^6 – 2 = 62. Network address (host bits = all 0s) and broadcast (host bits = all 1s) cannot be assigned. Number of subnets when borrowing b bits = 2^b. The block size = 256 – last non-255 octet of subnet mask.
What is the difference between ARP and RARP?
ARP resolves a known IP address to an unknown MAC address — broadcasts “who has IP x.x.x.x?” and receives the MAC in reply. Used by all devices every time they send to an on-subnet IP for the first time. RARP does the reverse: known MAC, unknown IP — a diskless device broadcasts its MAC to get an IP assigned. RARP is obsolete, replaced by DHCP. IPv6 replaces ARP with NDP (Neighbour Discovery Protocol) using ICMPv6 messages.
What is CIDR notation and how does it work?
CIDR (Classless Inter-Domain Routing) writes IP addresses with their prefix length: e.g., 192.168.1.0/24. The /24 means the first 24 bits are the network portion; the remaining 8 bits are for hosts (2^8 = 256 addresses, 254 usable). CIDR allows any prefix from /0 to /32, replacing the rigid Class A/B/C system. It also enables supernetting (route aggregation): multiple contiguous /24 networks can be summarised as a single shorter-prefix route, shrinking routing tables.
What is NAT and why is it used?
NAT (Network Address Translation) lets multiple private-addressed devices share one public IP address. The router maintains a translation table mapping internal (private IP + port) to external (public IP + port). Outgoing packets have their source address rewritten; incoming responses are translated back. NAT was created to conserve IPv4 addresses as they ran out. PAT (Port Address Translation) is the most common form — your home router uses it for all devices on your Wi-Fi.
What is the difference between IPv4 and IPv6?
IPv4: 32-bit addresses (4.3 billion total), dotted decimal notation, variable-length header, uses ARP, supports broadcast, optional IPsec. IPv6: 128-bit addresses (practically unlimited), hexadecimal colon notation, fixed 40-byte header, uses NDP instead of ARP, no broadcast (multicast/anycast only), mandatory IPsec support, SLAAC for auto-configuration. IPv6 was designed to fix IPv4’s address exhaustion and simplify network management for modern internet scale.