Field Guide · Networking
The addressing math the rest of networking rests on. It drives the local-vs-remote forwarding decision, the scoping of every firewall rule and ACL, and route summarization. The aim here is fluency: read 10.20.30.0/26 and know its size, its range, and its boundaries without reaching for a calculator. This is the reference deep-dive behind the overview in "Networking — Follow the Packet."
Everything in this guide is a consequence of one idea: a prefix length splits an address into a network part and a host part. Get that split right and the network address, the broadcast address, the usable range, and the forwarding decision all fall out of it. Get the mask wrong and connectivity breaks with no error message at all.
An IPv4 address is 32 bits, written as four 8-bit octets in dotted decimal. A prefix length — the /n in CIDR notation — says how many leading bits are the network portion; the rest are the host portion. The subnet mask is the same split written as an address: network bits are 1s, host bits are 0s. The network address is simply the address AND the mask.
Each octet is worth 8 bits. As bits fill in from the left, the mask octet takes one of these "magic" values — worth memorizing, because every fast subnet calculation starts here:
| bits set | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| mask value | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255 |
And the prefix-to-mask-to-hosts relationship. Usable hosts is total minus two — one network address, one broadcast address — with two exceptions noted in the next section:
| Prefix | Mask | Addresses (232−n) | Usable hosts |
|---|---|---|---|
| /30 | 255.255.255.252 | 4 | 2 |
| /29 | 255.255.255.248 | 8 | 6 |
| /28 | 255.255.255.240 | 16 | 14 |
| /27 | 255.255.255.224 | 32 | 30 |
| /26 | 255.255.255.192 | 64 | 62 |
| /25 | 255.255.255.128 | 128 | 126 |
| /24 | 255.255.255.0 | 256 | 254 |
| /23 | 255.255.254.0 | 512 | 510 |
| /22 | 255.255.252.0 | 1,024 | 1,022 |
| /16 | 255.255.0.0 | 65,536 | 65,534 |
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 |
/31 (mask 255.255.255.254): 2 addresses, both usable — no network/broadcast reservation, intended for point-to-point links. It is a widely-implemented optimization; confirm your platform supports it before relying on it. /32 (255.255.255.255): a single host — used for loopbacks, host routes, and single-address firewall/ACL entries.
Four facts define any subnet. The network address is the address AND the mask — the lowest address, identifying the subnet rather than a host. The broadcast address has all host bits set to 1 — the highest address. The usable range is everything between them. The block size is 256 − mask_octet in the octet where the mask is neither 255 nor 0, and subnet boundaries fall on multiples of it.
The fast method is the "interesting octet": find the octet where the mask isn't 255 or 0, compute 256 − that value for the block size, and the boundaries are multiples of it. For 192.168.10.50/26: the mask is 255.255.255.192, block size 256 − 192 = 64, so blocks start at .0, .64, .128, .192. The .50 lands in the .0–.63 block:
A wider mask works the same way in a different octet. For 172.16.20.200/22 the interesting octet is the third: mask value 252, block size 256 − 252 = 4, so third-octet boundaries are .0, .4, .8 … .20, .24. Since .20 is on a boundary, the block is 172.16.20.0 – 172.16.23.255: network .20.0, broadcast .23.255, and 1,022 usable hosts. Compute the block size and the boundary; don't eyeball it.
This is why the mask is operationally half of every host's configuration. Before sending a packet, a host computes (dest_ip AND my_mask) and compares it with (my_ip AND my_mask). Equal means the destination is on the same subnet — resolve its MAC and deliver directly. Not equal means it is remote — send the frame to the default gateway instead.
This single mechanism explains a large class of "weird" connectivity bugs. A wrong mask changes which destinations a host believes are local: it may ARP directly for a host that is actually remote (and get no answer), or send same-subnet traffic uselessly to the gateway. Two hosts on the same wire with different masks can reach each other asymmetrically or not at all. Nothing is "invalid," so nothing is reported — the configuration is merely wrong.
Subnetting is borrowing host bits to make more, smaller networks: each bit borrowed doubles the subnet count and halves the hosts per subnet. Going from /24 to /26 borrows two bits — four subnets of 62 hosts each.
VLSM (Variable-Length Subnet Masking) is using different prefix lengths for different needs inside one block, rather than one fixed size everywhere: a point-to-point link takes a /30 or /31, a user LAN a /24. The discipline is to assign the largest subnets first, then carve smaller ones from the remaining space, so blocks don't overlap. Keep an IPAM record; overlaps are the classic VLSM failure.
Summarization (supernetting, aggregation) is the reverse: representing several contiguous networks with one shorter prefix — 10.1.0.0/24 through 10.1.3.0/24 summarize to 10.1.0.0/22. It keeps routing tables small, and it is the main reason to plan address allocation deliberately.
You can only aggregate a group of subnets that sits on a single shorter-prefix boundary. That is why an addressing plan that assigns blocks on clean boundaries — with room to grow — pays off later, and why scattered, hand-picked allocations can never be summarized. The plan is not bureaucracy; it is what makes the routing table small.
These IPv4 allocations are stable and worth recognizing on sight:
| Range | What it is |
|---|---|
10.0.0.0/8 · 172.16.0.0/12 · 192.168.0.0/16 | Private (RFC 1918). Not routable on the public internet; the common source of overlap when two private networks interconnect. |
100.64.0.0/10 | CGNAT shared space (RFC 6598). Used by carriers between customer and provider NAT; you don't own it and can't port-forward through it. |
127.0.0.0/8 | Loopback (commonly 127.0.0.1). |
169.254.0.0/16 | Link-local / APIPA. Auto-assigned when DHCP fails — seeing one means "no DHCP reached," not an address conflict. |
224.0.0.0/4 · 0.0.0.0/8 · 255.255.255.255 | Multicast · "this network" · limited broadcast. |
RFC 1918 ranges are an addressing scope, not a trust boundary. They overlap across organizations and VPNs, and an "internal" address is not a trusted one — it says where an address may be routed, nothing about who is behind it. Treating "private" as "safe" is a recurring mistake; the threat of a hostile host on the internal network is exactly what zero-trust addressing assumptions exist to counter.
The logic is identical: a prefix splits network from host, longest-prefix match forwards, and the AND-with-mask decision is the same. What changes:
Addresses are 128 bits, written in hex groups (e.g. 2001:db8:abcd:1::1); leading zeros in a group drop, and one run of all-zero groups compresses to :: (once per address). /64 is the standard LAN size — host autoconfiguration (SLAAC) generally expects it, so don't subnet a LAN longer than /64 unless you know the consequences. Site allocations are commonly /48 (giving 65,536 /64s), and ISPs often delegate /56 or /48 to customers — delegation policy varies, so verify with your provider. There is no broadcast address (IPv6 uses multicast), so the all-host-bits math from §03 doesn't apply, and every interface always has a link-local address in fe80::/10.
The practical upshot: in IPv6 you rarely count hosts per subnet — a /64 is astronomically large — you plan the prefix hierarchy instead: which /48 contains which /56 contains which /64.
Mask octet as bits fill left to right: 128 · 192 · 224 · 240 · 248 · 252 · 254 · 255.
Block size = 256 − (interesting-octet mask value); subnet boundaries are multiples of it. Usable hosts = 2(32−n) − 2 — except /31 (2 usable, point-to-point) and /32 (1, a single host).
(dest AND mask) == (my_ip AND mask)? Same subnet → resolve the destination's MAC, deliver directly. Different → send to the gateway. A wrong mask flips this silently.
Private (RFC 1918): 10/8 · 172.16/12 · 192.168/16; CGNAT (RFC 6598): 100.64/10; APIPA 169.254/16 = no DHCP. Private is an addressing scope, not a security boundary. IPv6: /64 LAN (SLAAC expects it), /48 site — plan the prefix hierarchy, don't count hosts. Summarize only contiguous, aligned blocks.
The subnet arithmetic here is stable and standard. The private and shared-space allocations are RFC 1918 and RFC 6598 respectively; the /31 point-to-point behaviour is widely implemented but confirm your platform supports it, and IPv6 delegation sizes (/56 vs /48) are provider policy — verify with yours. One caveat is load-bearing rather than incidental: private ranges are an addressing scope, not a security control — they overlap across organizations and VPNs, and an "internal" address is not a trusted one. For the exact inspection commands (ip addr, ip route get, ipcalc) see the Diagnostic Command Card; for the overview this sits beneath, "Networking — Follow the Packet"; and use the Triage Decision Trees when a masking error is the suspect. Terms are in the Glossary; 00 · Start Here indexes the set.