Read: Class 03 Network Segmentation - VascoLucas01/networking-reading-notes GitHub Wiki

Introduction

Before getting to segmentation it is worth first explaining what CIDR notation is. Network segmentation is then explained with the help of three figures, which make it easier to explain and understand.

What is CIDR notation?

CIDR, Classless Interdomain Routing, generalizes the notion of subnet addressing. As with subnet addressing, the 32-bit IP address is written as four octets in dotted-decimal form, followed by '/' and a decimal number between 0 and 32. That number is the count of leading bits that make up the network portion of the address, and it is often referred to as the prefix (network prefix) of the address.

An organization is typically assigned a block of contiguous addresses, that is, a range of addresses with a common prefix. In this case, the IP addresses of devices within the organization will share the common prefix. That is, when a router outside the organization forwards a datagram whose destination address is inside the organization, only the leading x bits of the address need be considered. This considerably reduces the size of the forwarding table in these routers, since a single entry of the form a.b.c.d/x will be sufficient to forward packets to any destination within the organization.

The remaining 32-x bits of an address can be thought of as distinguishing among the devices within the organization, all of which share the same network prefix. These are the bits that are considered when forwarding packets at routers within the organization. The assigned block can itself be subnetted further: an organization holding a.b.c.0/24, for example, can carve it into smaller blocks with longer prefixes.
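The two forwarding-table situations described above, as an added example that is not part of the original wiki page: a router outside the organization needs a single entry for the whole a.b.c.d/x block, while a router inside it needs one entry per subnet and looks at the remaining 32-x bits. The addresses, prefixes and next-hop names in the tables are constructed for illustration.

```python
# Added example (not from the wiki page): CIDR prefixes and forwarding-table
# lookup by longest prefix match.  Table entries and next hops are constructed.

def ip_to_int(addr: str) -> int:
    """Convert dotted-quad IPv4 text into a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def parse_cidr(cidr: str):
    """Return (network, prefix_len, mask) as integers for 'a.b.c.d/x'.

    The mask has x one-bits followed by 32-x zero-bits.  Host bits that are
    set in the written address are cleared, so '10.1.2.3/24' and
    '10.1.2.0/24' name the same block.
    """
    addr, _, plen = cidr.partition("/")
    prefix_len = int(plen) if plen else 32
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {cidr}")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, prefix_len, mask

def in_prefix(addr: str, cidr: str) -> bool:
    """True if the leading x bits of addr equal the network prefix of cidr."""
    network, _, mask = parse_cidr(cidr)
    return ip_to_int(addr) & mask == network

def lookup(table, addr: str):
    """Longest-prefix match: among matching entries the most specific wins."""
    best = None
    for cidr, next_hop in table:
        _, plen, _ = parse_cidr(cidr)
        if in_prefix(addr, cidr) and (best is None or plen > best[0]):
            best = (plen, cidr, next_hop)
    return None if best is None else (best[1], best[2])

# Constructed tables.  Outside the organization one /24 entry covers every
# host; inside, the 32-x host bits select the subnet.
OUTSIDE_TABLE = [
    ("0.0.0.0/0",        "upstream"),    # default route
    ("203.0.113.0/24",   "org-edge"),    # the whole organization, one entry
]
INSIDE_TABLE = [
    ("0.0.0.0/0",        "edge-router"),
    ("203.0.113.0/26",   "vlan10"),
    ("203.0.113.64/26",  "vlan20"),
    ("203.0.113.128/25", "vlan30"),
]

if __name__ == "__main__":
    for host in ("203.0.113.70", "203.0.113.200", "198.51.100.9"):
        print(host, "outside ->", lookup(OUTSIDE_TABLE, host),
              "| inside ->", lookup(INSIDE_TABLE, host))
```

Note that `parse_cidr` clears any host bits in the written address; a forwarding table that stored `203.0.113.77/24` verbatim and compared it as written would never match.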

Before CIDR was adopted, the network portion of an IP address was constrained to be 8, 16, or 24 bits long, an addressing scheme known as classful addressing, since networks with 8-, 16-, and 24-bit network portions were known as class A, B, and C networks, respectively. As the number of organizations grew, classful addressing did not scale: a class C network holds only 254 hosts, too few for many organizations, while a class B network holds 65,534, far more than most of them need, so address space was wasted and class B blocks were quickly exhausted.

The example below shows a command that disables a default feature of Cisco IOS (Internetwork Operating System).

[image]

What is Network Segmentation?

Network segmentation is the separation of a computer network into different parts, or network zones, by devices such as bridges, switches and routers. Many network administrators use it to enable additional security controls, or simply to keep the network organized and to reduce overhead, for example by limiting the size of broadcast domains. Before going deeper into this topic, let's start at the beginning: the simplest way to separate two networks is to use two different switches.

First example:

[image]

The question is: is it scalable? What if there are 50 networks?

Answer: Of course not.

In fact, it would make a lot more sense if we could combine these switches into a single one while still maintaining the separation between the two networks. This is accomplished with Virtual Local Area Networks (VLANs), which keep the broadcast domains separate even though the hosts share one switch. Let's look at the second example below.

Second example:

[image]

Before analysing the figure above, imagine that we have two switches with 50 VLANs. We would need 50 separate Ethernet cables between the two switches, one per VLAN. Although that would work, it adds a lot of overhead and uses up many interfaces on each switch.

Instead of running a separate Ethernet link for each VLAN, we can run a single connection and carry all VLANs across it. This is called VLAN trunking. Trunk links are normally used between switches, and the frames sent over them carry an additional field, the IEEE 802.1Q tag, that identifies the VLAN they belong to. The tag is four bytes inserted after the source MAC address: a 16-bit Tag Protocol Identifier (0x8100) followed by a 16-bit Tag Control Information field whose low 12 bits are the VLAN ID. Twelve bits give 4096 values, of which 0 and 4095 are reserved, so a trunk can carry up to 4094 VLANs.

[image]
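The tag format described in the trunking paragraph above, as an added example that is not part of the original wiki page: a small builder and parser for 802.1Q-tagged Ethernet frames. It goes slightly beyond the text by also walking stacked tags (an outer 802.1ad service tag, TPID 0x88A8, in front of the customer tag), because a parser that stops at the first tag reports the inner TPID as the payload EtherType. The MAC addresses and the IPv4 payload stub are constructed values.

```python
# Added example (not from the wiki page): building and parsing IEEE 802.1Q
# tagged Ethernet frames.  MAC addresses and payload are constructed values.
import struct

TPID_8021Q = 0x8100     # customer VLAN tag (C-tag)
TPID_8021AD = 0x88A8    # service VLAN tag (S-tag), the outer tag in Q-in-Q
ETHERTYPE_IPV4 = 0x0800

def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def untagged_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame: dst MAC, src MAC, EtherType, payload (no FCS)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0,
              tpid: int = TPID_8021Q) -> bytes:
    """Push a 4-byte VLAN tag between the source MAC and whatever follows it.

    The tag is the TPID followed by the Tag Control Information (TCI):
        PCP (3 bits, priority) | DEI (1 bit) | VID (12 bits)
    Calling this on an already tagged frame stacks a new outer tag.
    """
    if not 1 <= vid <= 0xFFE:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]

def parse_frame(frame: bytes):
    """Return (dst, src, tags, ethertype, payload), walking every stacked tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                       # a real EtherType: payload follows
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return dst, src, tags, ethertype, frame[offset:]

# Constructed sample: a 20-byte IPv4 header stub carried on VLAN 20 with
# priority 5, then the same frame wrapped in an outer service tag 100.
SAMPLE_PAYLOAD = b"\x45\x00\x00\x14" + b"\x00" * 16
PLAIN = untagged_frame("01:00:5e:00:00:01", "00:11:22:33:44:55",
                       ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
TAGGED = tag_frame(PLAIN, vid=20, pcp=5)
DOUBLE_TAGGED = tag_frame(TAGGED, vid=100, tpid=TPID_8021AD)

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN), ("tagged", TAGGED), ("double", DOUBLE_TAGGED)):
        dst, src, tags, ethertype, payload = parse_frame(frame)
        print(f"{name:6} {src} -> {dst} vids={[t['vid'] for t in tags]} "
              f"ethertype=0x{ethertype:04x} payload={len(payload)} bytes")
```

The VID range check in `tag_frame` matters on real trunks: VID 0 means "priority-tagged, no VLAN" and 4095 is reserved, which is why the usable count is 4094 rather than 4096.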

Subnetting

Subnetting helps network administrators reduce network-wide threats: a compromised section of the network can be quarantined, and an intruder with a foothold in one subnet finds it harder to move around the organization's network, because traffic between subnets has to cross a router, where it can be filtered.

But how is subnetting actually done? Imagine that 192.168.0.0/24 is the block of addresses assigned to a company and that you, as network administrator, were asked to divide that block into 4 subnets.

Let's see how this can be done:

[image]

This is all based on powers of 2. To get 4 subnets, 2 bits are borrowed from the host portion (2^2 = 4), so the prefix grows from /24 to /26. Each subnet then has 2^(32-26) = 64 addresses, of which 62 are usable for hosts, since the first is the network address and the last the broadcast address: 192.168.0.0/26, 192.168.0.64/26, 192.168.0.128/26 and 192.168.0.192/26.
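The bit-borrowing procedure above, carried out in code as an added example that is not part of the original wiki page. It generalizes from the 4-subnet case to any power-of-two count and also answers the question the security paragraph raises, which subnet a given host sits in. The `subnet_of` helper and the 30-bit limit are this example's own choices, not something the page specifies.

```python
# Added example (not from the wiki page): splitting an IPv4 block into equal
# subnets by borrowing host bits, the power-of-two rule from the text.

def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return int.from_bytes(bytes(octets), "big")

def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def subnet(cidr: str, count: int) -> list:
    """Divide `cidr` into `count` equal subnets.

    `count` must be a power of two: each doubling borrows one more bit from
    the host portion, so 4 subnets need 2 extra prefix bits (/24 -> /26).
    """
    if count < 1 or count & (count - 1):
        raise ValueError("subnet count must be a power of two")
    addr, _, plen = cidr.partition("/")
    prefix_len = int(plen)
    borrowed = count.bit_length() - 1          # log2(count)
    new_len = prefix_len + borrowed
    if new_len > 30:                           # example's own limit
        raise ValueError(f"/{new_len} leaves no usable host addresses "
                         "(/31 point-to-point links, RFC 3021, are a special case)")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    base = ip_to_int(addr) & mask              # clear any stray host bits
    size = 1 << (32 - new_len)                 # addresses per subnet
    new_mask = (0xFFFFFFFF << (32 - new_len)) & 0xFFFFFFFF
    subnets = []
    for i in range(count):
        net = base + i * size
        subnets.append({
            "cidr": f"{int_to_ip(net)}/{new_len}",
            "mask": int_to_ip(new_mask),
            "first_host": int_to_ip(net + 1),
            "last_host": int_to_ip(net + size - 2),
            "broadcast": int_to_ip(net + size - 1),
            "usable_hosts": size - 2,          # minus network and broadcast
        })
    return subnets

def subnet_of(addr: str, subnets: list):
    """Return the subnet entry containing addr, or None if it is outside all.

    Hosts in different entries cannot talk at layer 2; their traffic must
    cross a router, which is where segmentation controls (ACLs) are applied.
    """
    n = ip_to_int(addr)
    for s in subnets:
        net, plen = s["cidr"].split("/")
        size = 1 << (32 - int(plen))
        if ip_to_int(net) <= n < ip_to_int(net) + size:
            return s
    return None

if __name__ == "__main__":
    for s in subnet("192.168.0.0/24", 4):
        print(f"{s['cidr']:<18} mask {s['mask']} hosts {s['first_host']} - "
              f"{s['last_host']} broadcast {s['broadcast']} ({s['usable_hosts']} usable)")
```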

REFERENCES

1 - J. F. Kurose and K. W. Ross, Computer Networking: A Top-Down Approach, 7th edition

2 - https://www.comptia.org/blog/security-awareness-training-network-segmentation

3 - https://www.professormesser.com/network-plus/n10-008/n10-008-video/vlans-and-trunking-n10-008/

4 - https://www.sciencedirect.com/topics/computer-science/virtual-local-area-network-tag