Let me state two things upfront. Firstly, if you want to work as a network engineer, network security engineer, or do anything serious which involves networking, you need to understand subnetting. Not “kind of understand it,” not “I know how to use the calculator” but instead actually understand it from the ground up.

Secondly, yes, subnet calculators exist. They are useful. They are not a substitute for knowing what they are doing on your behalf. The moment something breaks at 2 AM, the calculator won’t tell you why the traffic is routing the wrong way. Your proper understanding of subnetting will.

Why Subnetting Matters

The surface-level answer is addressing efficiency. IPv4 gives us a 32-bit address space, which means roughly 4.29 billion possible addresses. That sounds like a lot until you realize how classful addressing, the original plan for organizing those addresses, was wasting them at an alarming rate. We’ll get to that story in a moment.

But address efficiency is only part of it. There are three real reasons network engineers care about subnetting and all three matter equally.

Traffic isolation. Put 5,000 devices on a single network and every broadcast packet (ARP requests, DHCP discovery frames, certain routing protocol hellos) hits every one of them. Broadcast domains scale badly. Subnetting breaks one large broadcast domain into many smaller ones. Traffic that doesn’t need to cross a subnet boundary doesn’t. The result is a more reliable, faster network.

Security segmentation. A flat network is a lateral movement playground. Once an attacker compromises one host on an undivided network, every other host is a ping away. Subnetting, combined with inter-subnet ACLs or firewall rules, forces traffic between segments to cross a controlled checkpoint. This is the network-layer foundation of Zero Trust architecture. You can’t enforce policy at boundaries that don’t exist.

Operational clarity. When your HR department, finance team, production servers, and IoT devices all live on separate subnets with distinct address ranges, troubleshooting becomes easier. You can read a source IP and immediately know what kind of device you’re looking at. In a SIEM or packet capture, that helps a lot.

IP Address Structure

An IPv4 address is 32 bits. We write it as four decimal numbers separated by dots. In this dotted-decimal notation each number represents 8 bits (one octet). So, 192.168.1.1 is really:

11000000.10101000.00000001.00000001
   192  .   168  .    1   .    1

Each bit position in an octet has a place value:

Bit position: 7 6 5 4 3 2 1 0
Place value: 128 64 32 16 8 4 2 1

Converting 192 to binary: 128 + 64 = 192, so bits 7 and 6 are set → 11000000. Converting 168: 128 + 32 + 8 = 168, bits 7, 5, and 3 set → 10101000.

This matters because everything about subnetting happens at the binary level. The dotted-decimal notation is just for human convenience. When a router makes a forwarding decision, it is doing binary arithmetic against every address in its routing table. You need to be able to understand that logic.

Every IPv4 address contains two logical parts: a network portion, which identifies the network the address belongs to, and a host portion, which identifies the individual device within that network.

The subnet mask tells you where one ends and the other begins.

Classful Addressing and Why It Failed

Before 1993, IP addresses were organized into fixed classes. The class was determined by the leading bits of the address.

| Class | Leading Bits | Default Mask | Network Bits | Host Bits | Usable Hosts |
|---|---|---|---|---|---|
| A | 0 | 255.0.0.0 | 8 | 24 | 16,777,214 |
| B | 10 | 255.255.0.0 | 16 | 16 | 65,534 |
| C | 110 | 255.255.255.0 | 24 | 8 | 254 |
| D | 1110 | N/A (multicast) | – | – | – |
| E | 1111 | N/A (reserved) | – | – | – |

The problem RFC 1519 identified in September 1993 was straightforward: there was no class of appropriate size for mid-sized organizations. Class C offered 254 hosts – too small. Class B offered 65,534 hosts – far too large. Organizations needing 500 addresses had to take a Class B and waste over 65,000 addresses. This was draining the IPv4 pool and simultaneously bloating the global routing table because every allocated network required a routing table entry.

The RFC authors identified three converging crises: exhaustion of Class B address space, routing table growth beyond what routers of the era could handle, and eventual exhaustion of the entire 32-bit address space. CIDR was the answer to the first two. (IPv6 is the long-term answer to the third, though NAT and CIDR together extended IPv4’s usable life by decades.)

What is a Subnet

A subnet is a network within a network. More precisely, it’s what you get when you take the host portion of an address and carve some of those bits off for use as additional network identification.

Here is the underlying mechanic. A Class C network – say, 192.168.1.0 – has 8 bits reserved for the host portion. Those 8 bits can represent 256 values (0-255), giving you 254 usable host addresses (the network address and broadcast address are reserved). But what if you don’t need 254 hosts on one network? What if you need five separate networks of 30 hosts each?

You borrow bits from the host portion and use them to create subnet IDs. Those borrowed bits extend the network identifier at the cost of reducing the pool of host addresses per subnet.

Each subnet is a separate broadcast domain with its own network address, its own broadcast address, and its own range of usable host addresses.

Subnets within the same parent network share the same network prefix but differ in their subnet bits. Devices in different subnets must communicate through a Layer 3 device – a router, a Layer 3 switch, or a firewall – even if they’re physically adjacent.

Subnet Masks Explained

A subnet mask is also a 32-bit number written in dotted decimal format. Every bit set to 1 in the mask corresponds to a network bit in the address. Every bit set to 0 corresponds to a host bit.

The standard Class C mask:

Decimal: 255     .255     .255     .0
Binary:  11111111.11111111.11111111.00000000

The first 24 bits are all ones → those 24 bits are the network portion. The last 8 bits are all zeros → those 8 bits are the host portion.

This is where the rule comes from: subnet mask bits are always contiguous. You will never see a valid subnet mask like 11111111.00000000.11111111.00000000. The ones always occupy the leftmost positions without gaps.

[Diagram: a 255.255.255.0 subnet mask in binary, with network bits marked as 1 and host bits marked as 0]

Valid subnet mask octets

Because of this contiguity rule, the only valid decimal values for any octet in a subnet mask are:

0, 128, 192, 224, 240, 248, 252, 254, 255

Written in binary, these are:

0 = 00000000 (0 bits set)
128 = 10000000 (1 bit set)
192 = 11000000 (2 bits set)
224 = 11100000 (3 bits set)
240 = 11110000 (4 bits set)
248 = 11111000 (5 bits set)
252 = 11111100 (6 bits set)
254 = 11111110 (7 bits set)
255 = 11111111 (8 bits set)

If you see a subnet mask octet with any other value, something is wrong.

The Binary AND Operation

Here is the operation that makes all of this work. When a device needs to determine whether a destination IP is on the same subnet, it performs a bitwise AND between the destination address and its own subnet mask. If the result matches the device’s own network address, the destination is local.

Bitwise AND works bit by bit:

1 AND 1 = 1
1 AND 0 = 0
0 AND 1 = 0
0 AND 0 = 0

Example. A device has IP 192.168.1.45 with mask 255.255.255.0. It wants to reach 192.168.1.200. Is that host local?

192.168.1.45 = 11000000.10101000.00000001.00101101
255.255.255.0 = 11111111.11111111.11111111.00000000
AND = 11000000.10101000.00000001.00000000
Result = 192.168.1.0 ← network address

Now apply the same mask to the destination:

192.168.1.200 = 11000000.10101000.00000001.11001000
255.255.255.0 = 11111111.11111111.11111111.00000000
AND = 11000000.10101000.00000001.00000000
Result = 192.168.1.0 ← same network address

Both AND operations yield 192.168.1.0. The host is local and no routing required. The device sends an ARP request and communicates directly.

A cross-subnet example. Same device, same mask, destination 192.168.2.10:

192.168.2.10 = 11000000.10101000.00000010.00001010
255.255.255.0 = 11111111.11111111.11111111.00000000
AND = 11000000.10101000.00000010.00000000
Result = 192.168.2.0 ← different network

The result doesn’t match 192.168.1.0. The traffic goes to the default gateway.

This AND operation happens inside every networked device, every time it sends a packet. Routers run it against their routing table entries. Firewalls run it against their ACL rules. This is the fundamental mechanism of IP routing at the host level.

CIDR Notation

CIDR (Classless Inter-Domain Routing) notation was standardized in RFC 1518 and RFC 1519 in September 1993, later consolidated and updated in RFC 4632. The notation solves a readability problem: writing out a 32-bit subnet mask in dotted decimal is verbose and error-prone. CIDR replaces it with a prefix length – a single number representing how many consecutive bits are set to one.

The format is: IP address/prefix length

Examples:

| CIDR | Subnet Mask | Network Bits | Host Bits | Total Addresses | Usable Hosts |
|---|---|---|---|---|---|
| /8 | 255.0.0.0 | 8 | 24 | 16,777,216 | 16,777,214 |
| /16 | 255.255.0.0 | 16 | 16 | 65,536 | 65,534 |
| /24 | 255.255.255.0 | 24 | 8 | 256 | 254 |
| /25 | 255.255.255.128 | 25 | 7 | 128 | 126 |
| /26 | 255.255.255.192 | 26 | 6 | 64 | 62 |
| /27 | 255.255.255.224 | 27 | 5 | 32 | 30 |
| /28 | 255.255.255.240 | 28 | 4 | 16 | 14 |
| /29 | 255.255.255.248 | 29 | 3 | 8 | 6 |
| /30 | 255.255.255.252 | 30 | 2 | 4 | 2 |

Converting between CIDR and dotted decimal:

To go from CIDR prefix to mask, write that many ones followed by zeros to fill 32 bits:

/26 → 11111111.11111111.11111111.11000000
= 255.255.255.192

To go from a dotted decimal mask to CIDR, count the ones:

255.255.240.0 = 11111111.11111111.11110000.00000000
= 20 ones → /20

Why “classless”? Before CIDR, the class of the address (A, B, or C) implied the mask. A 10.x.x.x address was Class A, so routers knew without being told that the mask was /8. CIDR breaks this assumption. The prefix length travels with the address in routing advertisements. Routers no longer infer the mask from the address – they use what they’re told. This is why CIDR-aware routing protocols (OSPF, EIGRP, BGP-4) always include the prefix length in route announcements.
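The AND test from the previous section, the contiguity rule for masks, and the prefix/mask conversions above, all done on raw 32-bit integers rather than through a library. This is an added example, not code from the original post, and the function names are my own.

```python
# Added example: subnet arithmetic on 32-bit integers, no ipaddress module.

def to_int(dotted: str) -> int:
    """Pack dotted decimal into a 32-bit integer, one octet per 8 bits."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value: int) -> str:
    """Unpack a 32-bit integer back into dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(dotted: str) -> str:
    """Render an address as four 8-bit groups joined by dots, as in the post."""
    return ".".join(f"{(to_int(dotted) >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def is_valid_mask(mask: str) -> bool:
    """A mask is valid only if its ones are contiguous from the left. Then the
    inverted value (the host bits) is all ones, so adding 1 yields a power of
    two, which shares no set bit with the value it came from."""
    host_bits = (~to_int(mask)) & 0xFFFFFFFF
    return (host_bits & (host_bits + 1)) == 0

def prefix_to_mask(prefix: int) -> str:
    """/26 -> 255.255.255.192: `prefix` ones followed by zeros to fill 32 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask: str) -> int:
    """255.255.240.0 -> 20: count the ones, after checking they are contiguous."""
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bin(to_int(mask)).count("1")

def network_address(ip: str, mask: str) -> str:
    """Bitwise AND of address and mask clears the host bits."""
    return to_dotted(to_int(ip) & to_int(mask))

def is_local(my_ip: str, mask: str, dest_ip: str) -> bool:
    """The host's forwarding decision: AND both addresses with the mask and
    compare. Equal results mean the destination is on-link (ARP for it
    directly); otherwise the packet goes to the default gateway."""
    return network_address(my_ip, mask) == network_address(dest_ip, mask)

if __name__ == "__main__":
    me, mask = "192.168.1.45", "255.255.255.0"
    for dest in ("192.168.1.200", "192.168.2.10"):
        print(f"{me} -> {dest}: network {network_address(dest, mask)},",
              "local" if is_local(me, mask, dest) else "via default gateway")
```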

Subnetting a Network: Step-by-Step Guide

Let’s work through the scenario from the source material in full binary detail.

The problem: You have a Class C network 192.168.1.0/24. You need five separate networks, each supporting no more than 30 hosts. How do you subnet it?

Step 1: Determine how many subnets you need

You need 5 subnets. You need to borrow enough bits from the host portion to create at least 5. The formula is:

2^n ≥ required subnets

(Some engineers subtract 2 to exclude the all-zeros and all-ones subnets, but modern practice per RFC 1812 allows both to be used.)

Using the traditional approach (subtract 2):

2^2 – 2 = 2 (too few)
2^3 – 2 = 6 (covers 5)

You borrow 3 bits.

Step 2: Calculate the new prefix length

Original: /24 (24 network bits)
Borrow 3 bits: /27 (27 network bits)

Step 3: Calculate hosts per subnet

Host bits remaining: 32 – 27 = 5 bits
Hosts per subnet: 2⁵ – 2 = 30 usable hosts

That matches the requirement.

Step 4: Calculate the subnet mask

27 bits of ones:

11111111.11111111.11111111.11100000
= 255.255.255.224

Step 5: Calculate the block size (subnet increment)

The block size is 2^(host bits) = 2⁵ = 32. Subnets start at multiples of 32 in the final octet.

Step 6: List all subnets

| Subnet | Network Address | First Host | Last Host | Broadcast |
|---|---|---|---|---|
| 1 | 192.168.1.0 | 192.168.1.1 | 192.168.1.30 | 192.168.1.31 |
| 2 | 192.168.1.32 | 192.168.1.33 | 192.168.1.62 | 192.168.1.63 |
| 3 | 192.168.1.64 | 192.168.1.65 | 192.168.1.94 | 192.168.1.95 |
| 4 | 192.168.1.96 | 192.168.1.97 | 192.168.1.126 | 192.168.1.127 |
| 5 | 192.168.1.128 | 192.168.1.129 | 192.168.1.158 | 192.168.1.159 |
| 6 | 192.168.1.160 | 192.168.1.161 | 192.168.1.190 | 192.168.1.191 |

You have 6 usable subnets (the 7th would start at .192 and the 8th at .224). You only need 5, so subnets 1 through 5 satisfy the requirement, with subnet 6 available for future use.

Step 7: Verify in binary

Let’s verify subnet 3 in binary to make sure the AND operation works:

Address: 192.168.1.65 = 11000000.10101000.00000001.01000001
Mask: 255.255.255.224 = 11111111.11111111.11111111.11100000
AND: = 11000000.10101000.00000001.01000000
Result: 192.168.1.64 ← network address for subnet 3 ✓

The five host bits (00001) are cleared. The three subnet bits (010) are preserved. The result is 192.168.1.64 – the correct network address for that subnet.
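Steps 1 through 7 as a single function, using Python’s ipaddress module for the address arithmetic. This is an added example, not code from the original post; the function names are my own.

```python
# Added example: the seven-step subnetting walkthrough as code.
import ipaddress

def plan_equal_subnets(parent: str, subnets_needed: int, hosts_per_subnet: int,
                       reserve_edge_subnets: bool = True) -> dict:
    """Carve `parent` into equal-size subnets. With reserve_edge_subnets=True the
    subnet count uses the traditional 2**n - 2 rule the walkthrough applies
    (RFC 1812 permits all 2**n); usable hosts are always 2**h - 2."""
    net = ipaddress.ip_network(parent)
    reserved = 2 if reserve_edge_subnets else 0
    # Step 1: borrow the smallest n such that 2**n - reserved >= subnets_needed
    borrowed = 1
    while 2 ** borrowed - reserved < subnets_needed:
        borrowed += 1
    # Step 2: new prefix length
    prefix = net.prefixlen + borrowed
    host_bits = 32 - prefix
    # Step 3: the remaining host bits must still satisfy the per-subnet requirement
    if host_bits < 2 or 2 ** host_bits - 2 < hosts_per_subnet:
        raise ValueError("not enough host bits left for that many hosts per subnet")
    # Step 6: enumerate children in address order; the walkthrough lists the first
    # 2**n - reserved of them. Steps 4 (mask) and 5 (block size) fall out of the prefix.
    children = list(net.subnets(prefixlen_diff=borrowed))
    rows = []
    for i, sub in enumerate(children[:2 ** borrowed - reserved], 1):
        hosts = list(sub.hosts())
        rows.append({"subnet": i, "network": str(sub.network_address),
                     "first_host": str(hosts[0]), "last_host": str(hosts[-1]),
                     "broadcast": str(sub.broadcast_address)})
    return {"borrowed_bits": borrowed, "prefix": prefix,
            "mask": str(children[0].netmask), "block_size": 2 ** host_bits,
            "usable_hosts": 2 ** host_bits - 2, "subnets": rows}

def verify_member(ip: str, plan: dict, subnet_no: int) -> bool:
    """Step 7: AND the address with the plan's mask and compare with the subnet's
    network address (ipaddress performs the AND when strict=False)."""
    network = ipaddress.ip_network(f"{ip}/{plan['prefix']}", strict=False)
    return str(network.network_address) == plan["subnets"][subnet_no - 1]["network"]

if __name__ == "__main__":
    plan = plan_equal_subnets("192.168.1.0/24", subnets_needed=5, hosts_per_subnet=30)
    print(f"/{plan['prefix']} mask {plan['mask']} block {plan['block_size']} "
          f"usable hosts {plan['usable_hosts']}")
    for row in plan["subnets"]:
        print(row)
    print("192.168.1.65 in subnet 3:", verify_member("192.168.1.65", plan, 3))
```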

VLSM: Variable Length Subnet Masking

Equal-size subnets are a starting point. Real networks rarely have equal-size requirements. An enterprise might have a data center segment needing 500 hosts, a management network needing 10 hosts, and point-to-point WAN links needing exactly 2 hosts. Allocating a /24 to the WAN links wastes 252 addresses per link.

VLSM solves this by allowing different prefix lengths within the same parent address space. It’s the extension of CIDR – classless addressing applied not just between organizations but within a single addressing plan.

VLSM design process:

  1. List all required subnets, sorted from largest to smallest
  2. Allocate the largest subnet first from the available address space
  3. Allocate the next largest from the remaining space
  4. Repeat until all requirements are met

Example. You have 10.0.0.0/24. You need:

  - LAN A: 100 hosts
  - LAN B: 50 hosts
  - LAN C: 25 hosts
  - Link AB: 2 hosts (point-to-point)
  - Link BC: 2 hosts (point-to-point)

Sorted and allocated:

| Requirement | Hosts Needed | Prefix | Network | Usable Range |
|---|---|---|---|---|
| LAN A (100 hosts) | 100 → /25 (126 hosts) | /25 | 10.0.0.0/25 | 10.0.0.1-10.0.0.126 |
| LAN B (50 hosts) | 50 → /26 (62 hosts) | /26 | 10.0.0.128/26 | 10.0.0.129-10.0.0.190 |
| LAN C (25 hosts) | 25 → /27 (30 hosts) | /27 | 10.0.0.192/27 | 10.0.0.193-10.0.0.222 |
| Link AB (2 hosts) | 2 → /30 (2 hosts) | /30 | 10.0.0.224/30 | 10.0.0.225-10.0.0.226 |
| Link BC (2 hosts) | 2 → /30 (2 hosts) | /30 | 10.0.0.228/30 | 10.0.0.229-10.0.0.230 |

Remaining space: 10.0.0.232 through 10.0.0.255 (starting with the block 10.0.0.232/29), which is available for future allocation.

A flat FLSM approach using /25 for everything would have required 5 × 128 = 640 addresses from a /24 that only holds 256. VLSM fits everything into the /24 with room left over.
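The four-step VLSM process as code. This is an added example, not the post’s own code; the requirement names and host counts are the ones from the table above, and the function names are my own.

```python
# Added example: largest-first VLSM allocation from a parent block.
import ipaddress
import math

def prefix_for_hosts(hosts: int) -> int:
    """Smallest block whose usable count (2**h - 2) covers `hosts`. Two-host links
    get a /30 here, matching the post; a /31 (RFC 3021) would also work."""
    host_bits = math.ceil(math.log2(hosts + 2))
    return 32 - host_bits

def allocate_vlsm(parent: str, requirements: dict) -> tuple:
    """Allocate largest-first from `parent`. Returns (allocations, leftover blocks).
    Because blocks are handed out in non-increasing power-of-two sizes, the next
    free address is always aligned for the next block, so no gaps appear."""
    parent_net = ipaddress.ip_network(parent)
    cursor = int(parent_net.network_address)
    end = int(parent_net.broadcast_address)
    allocations = []
    # Step 1: sort from largest to smallest (stable sort keeps the input order on ties)
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        # Step 2/3: carve the next block at the cursor (strict=True guards alignment)
        block = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        if int(block.broadcast_address) > end:
            raise ValueError(f"{name}: parent {parent} is exhausted")
        usable = list(block.hosts())
        allocations.append({"name": name, "hosts": hosts, "network": str(block),
                            "usable": f"{usable[0]}-{usable[-1]}",
                            "capacity": len(usable)})
        cursor = int(block.broadcast_address) + 1   # Step 4: repeat from the remainder
    leftover = []
    if cursor <= end:
        leftover = [str(n) for n in ipaddress.summarize_address_range(
            ipaddress.ip_address(cursor), ipaddress.ip_address(end))]
    return allocations, leftover

# Constructed from the worked example above: name -> hosts needed
REQUIREMENTS = {"LAN A": 100, "LAN B": 50, "LAN C": 25, "Link AB": 2, "Link BC": 2}

if __name__ == "__main__":
    allocs, left = allocate_vlsm("10.0.0.0/24", REQUIREMENTS)
    for a in allocs:
        print(f"{a['name']:8} {a['hosts']:>3} hosts -> {a['network']:16} "
              f"{a['usable']} ({a['capacity']} usable)")
    print("leftover:", left)
```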

Route Aggregation and Supernetting

CIDR doesn’t just split networks down. It also combines them up. This is route aggregation, also called supernetting or route summarization.

The idea is that if you control several contiguous subnets, you can advertise them to other networks as a single prefix instead of multiple separate routes. This shrinks routing tables, which is exactly what RFC 1519 was designed to do.

Example. An ISP controls four /24 networks:

203.0.113.0/24
203.0.114.0/24
203.0.115.0/24
203.0.116.0/24

Instead of advertising four separate routes, they can check whether these aggregate cleanly. In binary:

203.0.113.0 = 11001011.00000000.01110001.00000000
203.0.114.0 = 11001011.00000000.01110010.00000000
203.0.115.0 = 11001011.00000000.01110011.00000000
203.0.116.0 = 11001011.00000000.01110100.00000000

The first 21 bits are identical across all four. So these can be summarized as 203.0.112.0/21 – one route covering all four /24s (and a few more). ISPs do this constantly. Without aggregation, the global BGP routing table would be an order of magnitude larger.

The aggregation constraint: Networks aggregate cleanly only when they’re contiguous and aligned on a bit boundary. 192.168.1.0/24 and 192.168.3.0/24 do not aggregate cleanly because 192.168.2.0/24 sits between them and would have to be included in any supernet covering both.
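An added example, not from the original post, that computes the covering prefix for a set of networks and reports whether it is a clean aggregate; it also uses ipaddress.collapse_addresses to show which of the four /24s above pair up exactly. The function names are my own.

```python
# Added example: route summarization and the aggregation constraint.
import ipaddress

def covering_supernet(cidrs: list) -> tuple:
    """Return (supernet, exact). `exact` is True only when the inputs are contiguous,
    aligned and fill the supernet completely; otherwise the summary route also
    advertises space the inputs do not contain. Assumes the inputs do not overlap."""
    nets = sorted(ipaddress.ip_network(c) for c in cidrs)
    low = int(nets[0].network_address)
    high = int(nets[-1].broadcast_address)
    # The longest prefix shared by the lowest and highest address is the longest
    # prefix that can cover the span: shorten until both agree on every kept bit.
    prefix = 32
    while prefix > 0 and (low >> (32 - prefix)) != (high >> (32 - prefix)):
        prefix -= 1
    base = (low >> (32 - prefix)) << (32 - prefix)
    supernet = ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{prefix}")
    covered = sum(n.num_addresses for n in nets)
    return str(supernet), covered == supernet.num_addresses

def exact_summaries(cidrs: list) -> list:
    """Merge only neighbours that aggregate cleanly (no extra space advertised)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# The four ISP blocks from the example above
ISP_BLOCKS = ["203.0.113.0/24", "203.0.114.0/24", "203.0.115.0/24", "203.0.116.0/24"]

if __name__ == "__main__":
    print(covering_supernet(ISP_BLOCKS))          # ('203.0.112.0/21', False)
    print(exact_summaries(ISP_BLOCKS))            # only 114 and 115 pair into a /23
    print(covering_supernet(["192.168.1.0/24", "192.168.3.0/24"]))  # pulls in .0 and .2
```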

Special Cases: /31 and /32

Two prefix lengths deserve specific mention because they break the standard rules.

The /32 host route. A /32 mask is all ones – 255.255.255.255. There are no host bits. A /32 represents exactly one IP address. You see /32 routes in routing tables to force specific traffic toward a particular interface or next-hop, and in firewall ACLs to match a single host. They’re not a subnet in the traditional sense.

The /31 point-to-point link. A /31 gives exactly two addresses. By the normal rules, you’d subtract 2 for network and broadcast, leaving zero usable hosts which is useless. RFC 3021 (January 2001) resolved this by defining that /31 subnets on point-to-point links don’t require a broadcast address. With only two endpoints and a direct link, broadcasts are meaningless anyway. Both addresses become host addresses. Modern routers and routing protocols support this, and /31 links are common on router-to-router connections to conserve address space.

RFC 1918: Private Address Space

RFC 1918 defines three blocks of IPv4 address space reserved for private use:

| Block | CIDR | Address Count | Traditional Class |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 16,777,216 | Class A |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 1,048,576 | 16 Class Bs |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 | 256 Class Cs |

These ranges are not routed on the public internet. Any packet carrying a source or destination from these ranges that reaches a public internet router gets dropped. Inside your network, you subnet freely from these ranges. NAT (Network Address Translation) handles the translation between your private addresses and whatever public IP your organization owns when traffic needs to leave.

When designing internal address schemes, 10.0.0.0/8 gives maximum flexibility for large organizations. 192.168.0.0/16 is standard for home and small office networks. 172.16.0.0/12 tends to appear in enterprise environments running out of the 10.x space.

Subnetting in Security

Firewall ACLs and security group rules: Every ACL entry that references a network range uses CIDR notation. When you write a rule permitting 10.0.0.0/8 from a jump host, you’re telling the firewall to match the AND operation on source addresses. Misconfiguring the prefix length is one of the most common sources of overly permissive firewall rules – a /16 where you meant /24 silently grants access to 65,536 addresses instead of 256.

Network forensics and traffic analysis: When you’re working through a packet capture, source and destination addresses only become meaningful when you know the network layout. Identifying that 10.10.5.47 and 10.10.5.200 are on the same /24 (same broadcast domain, no routing between them) versus a /27 (they’re on different subnets and that direct TCP connection shouldn’t exist) requires instant subnet math. In incident response, that distinction is the difference between “internal east-west traffic” and “this is anomalous.”

SIEM rules and correlation logic: Most SIEM platforms let you define network zones using CIDR ranges. If you’re writing detection logic for “connections from untrusted to trusted segment,” you need to correctly express what those segments are. A misconfigured CIDR range in your SIEM means missed alerts or false positives.

Threat intelligence enrichment: Threat intel feeds often provide indicators in CIDR format – malicious ranges associated with hosting providers, Tor exit nodes, known C2 infrastructure. Tools like ipcalc, Python’s ipaddress module, or similar libraries let you quickly check whether an observed IP falls within a flagged range. That check is a subnet membership test – the same AND operation described earlier.

Cloud network security: In AWS, GCP, or Azure, every VPC and subnet is defined with a CIDR block. Security groups and network ACLs reference CIDR ranges. Misconfigured VPC peering with overlapping CIDRs is a common source of cloud network incidents. Understanding the address space prevents it.
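An added example, not from the original post, of the zone lookup, the cross-zone detection logic and the prefix-length rule audit described above, using the ipaddress module. The zone map, rule and flow records are constructed for illustration, and the function names are my own.

```python
# Added example: CIDR membership in detection and firewall-rule review.
import ipaddress

# Constructed zone map (assumption, not the post's): zone -> list of CIDR ranges.
# "db" sits inside "servers" so the lookup has to prefer the longer prefix.
ZONES = {
    "users":   ["10.30.0.0/16"],
    "servers": ["10.20.0.0/16"],
    "db":      ["10.20.1.0/24"],
    "dmz":     ["10.10.5.0/24"],
}

def zone_of(ip: str, zones: dict = ZONES):
    """SIEM-style zone lookup: longest-prefix match over all zone ranges.
    `addr in net` is the AND-and-compare test from earlier in the post."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = None, -1
    for name, cidrs in zones.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name

def cross_zone_flows(flows: list, src_zone: str, dst_zone: str) -> list:
    """Detection rule: flows whose source and destination fall in the named zones."""
    return [f for f in flows
            if zone_of(f["src"]) == src_zone and zone_of(f["dst"]) == dst_zone]

def audit_rule(rule_cidr: str, intended_cidr: str) -> dict:
    """Rule review: does the written prefix grant more than the intended range?
    A /16 where a /24 was meant is a strict supernet of the intended range."""
    rule = ipaddress.ip_network(rule_cidr)
    intended = ipaddress.ip_network(intended_cidr)
    too_broad = rule != intended and rule.supernet_of(intended)
    return {"rule": rule_cidr, "intended": intended_cidr, "too_broad": too_broad,
            "granted": rule.num_addresses,
            "excess": rule.num_addresses - intended.num_addresses if too_broad else 0}

# Constructed flow records (not real captures)
FLOWS = [
    {"src": "10.30.4.17", "dst": "10.20.7.1", "dport": 445},
    {"src": "10.20.7.1", "dst": "10.20.1.5", "dport": 3306},
    {"src": "10.10.5.47", "dst": "10.30.4.17", "dport": 443},
]

if __name__ == "__main__":
    for f in cross_zone_flows(FLOWS, "users", "servers"):
        print("users -> servers:", f)
    print(audit_rule("10.0.0.0/16", "10.0.0.0/24"))
```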

Quick Reference Cheat Sheet

Subnet mask conversion table (last octet)

| CIDR | Last Octet Mask | Block Size | Hosts |
|---|---|---|---|
| /24 | 0 (255.255.255.0) | 256 | 254 |
| /25 | 128 (255.255.255.128) | 128 | 126 |
| /26 | 192 (255.255.255.192) | 64 | 62 |
| /27 | 224 (255.255.255.224) | 32 | 30 |
| /28 | 240 (255.255.255.240) | 16 | 14 |
| /29 | 248 (255.255.255.248) | 8 | 6 |
| /30 | 252 (255.255.255.252) | 4 | 2 |
| /31 | 254 (255.255.255.254) | 2 | 2* |
| /32 | 255 (255.255.255.255) | 1 | 1 |

*RFC 3021 – both addresses usable on point-to-point links

Key formulas

  Host bits = 32 – prefix length
  Block size (total addresses per subnet) = 2^(host bits)
  Usable hosts per subnet = 2^(host bits) – 2 (except /31 and /32, see above)
  Subnets created by borrowing n bits = 2^n (or 2^n – 2 under the traditional rule)

How to find the network address from any IP and prefix

  1. Convert IP and mask to binary
  2. Perform bitwise AND
  3. Convert result back to decimal

Wrapping Up

Subnet calculators are fine for verification. They’re a terrible place to start if you don’t already know what the numbers mean. If a tool tells you the network address is 10.0.128.0/20, you should be able to work backward in your head, count 20 bits of network, understand that you’ve got 12 host bits, and immediately know you’re looking at a block of 4,096 addresses starting at a multiple of 4,096. That kind of number sense develops from understanding the binary, not from reading output.

The other thing worth knowing: subnetting skill compounds. VLAN design, routing protocol configuration, cloud VPC architecture, firewall rule authoring, IDS/IPS signature writing – all of it rests on your ability to reason about network ranges. Time spent on the binary math now pays off in every one of those areas later.

This post first appeared at The CyberSec Guru.