← Home

Field Guide · Networking

Subnetting
& CIDR

The addressing math the rest of networking rests on. It drives the local-vs-remote forwarding decision, the scoping of every firewall rule and ACL, and route summarization. The aim here is fluency: read 10.20.30.0/26 and know its size, its range, and its boundaries without reaching for a calculator. This is the reference deep-dive behind the overview in "Networking — Follow the Packet."

block = 256 − mask /n = network bits wrong mask breaks silently

Everything in this guide is a consequence of one idea: a prefix length splits an address into a network part and a host part. Get that split right and the network address, the broadcast address, the usable range, and the forwarding decision all fall out of it. Get the mask wrong and connectivity breaks with no error message at all.

01

What a Prefix Means

An IPv4 address is 32 bits, written as four 8-bit octets in dotted decimal. A prefix length — the /n in CIDR notation — says how many leading bits are the network portion; the rest are the host portion. The subnet mask is the same split written as an address: network bits are 1s, host bits are 0s. The network address is simply the address AND the mask.

192.168.10.50 /24 network — first 24 bits host — last 8 bits 19211000000 16810101000 1000001010 5000110010 mask /24 11111111 . 11111111 . 11111111 . 00000000 = 255.255.255.0 network = address AND mask = 192.168.10.0 · host portion = .50
The prefix draws the line; the mask is that same line written as an address. Everything else follows.
02

The Numbers to Know Cold

Each octet is worth 8 bits. As bits fill in from the left, the mask octet takes one of these "magic" values — worth memorizing, because every fast subnet calculation starts here:

bits set12345678
mask value128192224240248252254255

And the prefix-to-mask-to-hosts relationship. Usable hosts is total minus two — one network address, one broadcast address — with two exceptions noted in the next section:

PrefixMaskAddresses (232−n)Usable hosts
/30255.255.255.25242
/29255.255.255.24886
/28255.255.255.2401614
/27255.255.255.2243230
/26255.255.255.1926462
/25255.255.255.128128126
/24255.255.255.0256254
/23255.255.254.0512510
/22255.255.252.01,0241,022
/16255.255.0.065,53665,534
/8255.0.0.016,777,21616,777,214
Two exceptions to "minus two"

/31 (mask 255.255.255.254): 2 addresses, both usable — no network/broadcast reservation, intended for point-to-point links. It is a widely-implemented optimization; confirm your platform supports it before relying on it. /32 (255.255.255.255): a single host — used for loopbacks, host routes, and single-address firewall/ACL entries.

03

Network, Broadcast, Range, Block Size

Four facts define any subnet. The network address is the address AND the mask — the lowest address, identifying the subnet rather than a host. The broadcast address has all host bits set to 1 — the highest address. The usable range is everything between them. The block size is 256 − mask_octet in the octet where the mask is neither 255 nor 0, and subnet boundaries fall on multiples of it.

The fast method is the "interesting octet": find the octet where the mask isn't 255 or 0, compute 256 − that value for the block size, and the boundaries are multiples of it. For 192.168.10.50/26: the mask is 255.255.255.192, block size 256 − 192 = 64, so blocks start at .0, .64, .128, .192. The .50 lands in the .0–.63 block:

192.168.10.0/26 · mask 255.255.255.192 · block size 64 .0NETWORK 62 usable hosts.1 – .62 .63BROADCAST next blocks begin at .0 · .64 · .128 · .192 (steps of the block size, 64)
Network at the bottom, broadcast at the top, usable hosts between — and the next subnet starts one block up.

A wider mask works the same way in a different octet. For 172.16.20.200/22 the interesting octet is the third: mask value 252, block size 256 − 252 = 4, so third-octet boundaries are .0, .4, .8 … .20, .24. Since .20 is on a boundary, the block is 172.16.20.0 – 172.16.23.255: network .20.0, broadcast .23.255, and 1,022 usable hosts. Compute the block size and the boundary; don't eyeball it.

04

The Local-vs-Remote Decision

This is why the mask is operationally half of every host's configuration. Before sending a packet, a host computes (dest_ip AND my_mask) and compares it with (my_ip AND my_mask). Equal means the destination is on the same subnet — resolve its MAC and deliver directly. Not equal means it is remote — send the frame to the default gateway instead.

(dest_ip AND mask) == (my_ip AND mask) ? every host runs this for every packet equal not equal SAME SUBNETARP / NDP for the destinationdeliver directly on the wire DIFFERENT SUBNETARP / NDP for the gatewaysend to the gateway (next hop) the IP destination is identical either way — only the frame's destination MAC differs
A wrong mask silently flips this answer — which is why a masking error breaks connectivity with no error at all.

This single mechanism explains a large class of "weird" connectivity bugs. A wrong mask changes which destinations a host believes are local: it may ARP directly for a host that is actually remote (and get no answer), or send same-subnet traffic uselessly to the gateway. Two hosts on the same wire with different masks can reach each other asymmetrically or not at all. Nothing is "invalid," so nothing is reported — the configuration is merely wrong.

05

Subnetting, VLSM & Summarization

Subnetting is borrowing host bits to make more, smaller networks: each bit borrowed doubles the subnet count and halves the hosts per subnet. Going from /24 to /26 borrows two bits — four subnets of 62 hosts each.

VLSM (Variable-Length Subnet Masking) is using different prefix lengths for different needs inside one block, rather than one fixed size everywhere: a point-to-point link takes a /30 or /31, a user LAN a /24. The discipline is to assign the largest subnets first, then carve smaller ones from the remaining space, so blocks don't overlap. Keep an IPAM record; overlaps are the classic VLSM failure.

Summarization (supernetting, aggregation) is the reverse: representing several contiguous networks with one shorter prefix — 10.1.0.0/24 through 10.1.3.0/24 summarize to 10.1.0.0/22. It keeps routing tables small, and it is the main reason to plan address allocation deliberately.

Summarization needs contiguous, aligned blocks

You can only aggregate a group of subnets that sits on a single shorter-prefix boundary. That is why an addressing plan that assigns blocks on clean boundaries — with room to grow — pays off later, and why scattered, hand-picked allocations can never be summarized. The plan is not bureaucracy; it is what makes the routing table small.

06

Reserved & Special Ranges

These IPv4 allocations are stable and worth recognizing on sight:

RangeWhat it is
10.0.0.0/8 · 172.16.0.0/12 · 192.168.0.0/16Private (RFC 1918). Not routable on the public internet; the common source of overlap when two private networks interconnect.
100.64.0.0/10CGNAT shared space (RFC 6598). Used by carriers between customer and provider NAT; you don't own it and can't port-forward through it.
127.0.0.0/8Loopback (commonly 127.0.0.1).
169.254.0.0/16Link-local / APIPA. Auto-assigned when DHCP fails — seeing one means "no DHCP reached," not an address conflict.
224.0.0.0/4 · 0.0.0.0/8 · 255.255.255.255Multicast · "this network" · limited broadcast.
Private is not a security control

RFC 1918 ranges are an addressing scope, not a trust boundary. They overlap across organizations and VPNs, and an "internal" address is not a trusted one — it says where an address may be routed, nothing about who is behind it. Treating "private" as "safe" is a recurring mistake; the threat of a hostile host on the internal network is exactly what zero-trust addressing assumptions exist to counter.

07

IPv6 — What Changes

The logic is identical: a prefix splits network from host, longest-prefix match forwards, and the AND-with-mask decision is the same. What changes:

Addresses are 128 bits, written in hex groups (e.g. 2001:db8:abcd:1::1); leading zeros in a group drop, and one run of all-zero groups compresses to :: (once per address). /64 is the standard LAN size — host autoconfiguration (SLAAC) generally expects it, so don't subnet a LAN longer than /64 unless you know the consequences. Site allocations are commonly /48 (giving 65,536 /64s), and ISPs often delegate /56 or /48 to customers — delegation policy varies, so verify with your provider. There is no broadcast address (IPv6 uses multicast), so the all-host-bits math from §03 doesn't apply, and every interface always has a link-local address in fe80::/10.

The practical upshot: in IPv6 you rarely count hosts per subnet — a /64 is astronomically large — you plan the prefix hierarchy instead: which /48 contains which /56 contains which /64.

08

Common Pitfalls

  1. Wrong mask, no error. The most common silent fault — it breaks the local-vs-remote decision (§04) without anything being reported invalid.
  2. Off-by-one on network or broadcast. Assigning the network or broadcast address to a host, or a fencepost error in the usable range. Recompute with the block-size method.
  3. Overlapping subnets in a VLSM plan. Carving smaller blocks without tracking what's allocated. Assign largest-first and keep an IPAM record.
  4. Assuming non-contiguous or unaligned blocks can be summarized. They can't — summarization needs a clean shared boundary.
  5. Subnetting an IPv6 LAN longer than /64. Breaks SLAAC.
  6. Treating private ranges as "safe." They are an addressing scope, not a security control, and they overlap across organizations and VPNs.
  7. Hand-picking random subnets instead of an allocation plan — which guarantees future overlap and prevents route summarization.

Subnetting on one card

Magic numbers

Mask octet as bits fill left to right: 128 · 192 · 224 · 240 · 248 · 252 · 254 · 255.

The fast method

Block size = 256 − (interesting-octet mask value); subnet boundaries are multiples of it. Usable hosts = 2(32−n) − 2 — except /31 (2 usable, point-to-point) and /32 (1, a single host).

Local-vs-remote

(dest AND mask) == (my_ip AND mask)? Same subnet → resolve the destination's MAC, deliver directly. Different → send to the gateway. A wrong mask flips this silently.

Ranges & IPv6

Private (RFC 1918): 10/8 · 172.16/12 · 192.168/16; CGNAT (RFC 6598): 100.64/10; APIPA 169.254/16 = no DHCP. Private is an addressing scope, not a security boundary. IPv6: /64 LAN (SLAAC expects it), /48 site — plan the prefix hierarchy, don't count hosts. Summarize only contiguous, aligned blocks.

The subnet arithmetic here is stable and standard. The private and shared-space allocations are RFC 1918 and RFC 6598 respectively; the /31 point-to-point behaviour is widely implemented but confirm your platform supports it, and IPv6 delegation sizes (/56 vs /48) are provider policy — verify with yours. One caveat is load-bearing rather than incidental: private ranges are an addressing scope, not a security control — they overlap across organizations and VPNs, and an "internal" address is not a trusted one. For the exact inspection commands (ip addr, ip route get, ipcalc) see the Diagnostic Command Card; for the overview this sits beneath, "Networking — Follow the Packet"; and use the Triage Decision Trees when a masking error is the suspect. Terms are in the Glossary; 00 · Start Here indexes the set.