Learn TCP/IP Networking Subnetting
Lesson 5 of 12

Subnetting

Subnetting — Dividing Networks into Smaller Pieces

Networks do not have to come in one-size-fits-all blocks. Subnetting is the practice of taking a larger network and dividing it into smaller, more manageable sub-networks — called subnets. Understanding subnetting is fundamental to almost everything in networking and network security: reading firewall rules, understanding attack surface, designing secure architectures, and interpreting the output of scanning tools.

This lesson explains what subnetting is, how to calculate subnet information by hand, and why subnetting matters for security.


The Problem That Subnetting Solves

In the early days of the internet, IP (Internet Protocol) addresses were handed out in large, fixed blocks called classes (Class A, Class B, Class C). An organization would apply for an address class and receive a massive allocation regardless of how many addresses they actually needed. A company that needed 300 hosts might receive an entire Class B block — which contains 65,534 usable addresses. The remaining 65,234 addresses were wasted.

Beyond address waste, putting all devices on one giant network creates problems. Every device must process every broadcast message. A single misconfigured device can affect every other device on the network. And from a security perspective, every device can directly communicate with every other device — which is rarely what you want.

Subnetting addresses all three of these problems: address waste, broadcast congestion, and flat network security risks.


What a Subnet Mask Is

An IP (Internet Protocol) address is 32 bits long, written as four groups of decimal numbers separated by dots — for example, 192.168.1.100. Each group (called an octet) represents 8 bits, and each octet ranges from 0 to 255.

A subnet mask is a second 32-bit number that works alongside an IP address. It identifies which portion of the IP address refers to the network and which portion refers to the individual host (device) within that network.

The rule is simple:

  • Bits that are 1 in the subnet mask → those are network bits
  • Bits that are 0 in the subnet mask → those are host bits

The network bits are always a contiguous block of 1s starting from the left. You will never see a subnet mask like 11001100... with alternating bits. Subnet masks start with all 1s and end with all 0s, with no mixing.

Here are the three most common subnet masks written in both dotted-decimal and binary:

Subnet mask      Binary                                 Network bits | Host bits
255.0.0.0        11111111.00000000.00000000.00000000    8  | 24
255.255.0.0      11111111.11111111.00000000.00000000    16 | 16
255.255.255.0    11111111.11111111.11111111.00000000    24 | 8

To determine whether two IP addresses are on the same network, a device performs a bitwise AND operation between each IP address and the subnet mask. If the results match, the two addresses are on the same network and can communicate directly. If the results differ, the traffic must be sent to a router.


Default Subnet Masks by Class

Before CIDR (Classless Inter-Domain Routing, explained below) was introduced in 1993, IP addresses were assigned in fixed classes. These classes still appear in documentation and tools, so it is worth knowing them.

Class A

  • First octet range: 1 to 126
  • Default subnet mask: 255.0.0.0 (also written /8)
  • Network bits: 8 | Host bits: 24
  • Number of networks: 126 | Hosts per network: 16,777,214
  • Example: 10.0.0.0 is a Class A address

Class B

  • First octet range: 128 to 191
  • Default subnet mask: 255.255.0.0 (also written /16)
  • Network bits: 16 | Host bits: 16
  • Number of networks: 16,384 | Hosts per network: 65,534
  • Example: 172.16.0.0 is a Class B address

Class C

  • First octet range: 192 to 223
  • Default subnet mask: 255.255.255.0 (also written /24)
  • Network bits: 24 | Host bits: 8
  • Number of networks: 2,097,152 | Hosts per network: 254
  • Example: 192.168.1.0 is a Class C address

Class D and E are special: Class D (224 to 239) is used for multicast, and Class E (240 to 255) is reserved for experimental use. Neither is assigned to end-user hosts.

The example addresses above (10.0.0.0, 172.16.0.0, and 192.168.x.x) were not chosen at random: they fall inside the private address ranges defined in RFC (Request for Comments) 1918. These ranges are not routable on the public internet and are used inside private networks — homes, offices, data centers. You will see them in virtually every subnetting example.


CIDR — Classless Inter-Domain Routing

Classful addressing was wasteful and inflexible. CIDR, introduced in RFC 1519 in 1993, replaced it with a more flexible system. Instead of fixed classes, CIDR lets you specify any prefix length from /1 to /32.

CIDR notation combines the network address and the prefix length into a single expression:

192.168.1.0/24

The /24 means the first 24 bits are the network portion. The remaining 8 bits are the host portion. This is equivalent to a subnet mask of 255.255.255.0 — but CIDR notation is more compact and is the standard way to express networks today.

With CIDR, you can allocate exactly the right amount of address space:

  • An organization needing 500 hosts can be given a /23, which provides 510 usable host addresses — far better than wasting a /16.
  • A point-to-point WAN (Wide Area Network) link between two routers needs only two addresses and can be given a /30.
  • Multiple Class C blocks can be combined into a single routing entry through a process called supernetting or route aggregation: 192.168.0.0/22 covers the four networks 192.168.0.0 through 192.168.3.255.

CIDR made the internet's routing tables dramatically smaller (by aggregating many small routes into fewer large ones) and made address allocation far more efficient.


Why We Subnet — Three Core Reasons

1. Address Efficiency

Without subnetting, every network allocation is padded out to its class boundary. A department that needs 30 hosts would consume an entire Class C block (254 usable addresses), wasting 224 of them. With subnetting, you can assign a /27, which provides exactly 30 usable hosts and wastes nothing.

At the scale of the global internet, this efficiency was existential: the IPv4 (Internet Protocol version 4) address space contains about 4.3 billion addresses total, and without CIDR and subnetting those would have been exhausted even earlier than they were.

2. Network Segmentation and Broadcast Control

When a device sends a broadcast — a message intended for all devices on the network — every device in the same broadcast domain must receive and process it. This is fine on a small network of 20 devices. It becomes a serious performance problem on a flat network of 10,000 devices.

Each subnet is its own broadcast domain. Broadcasts do not cross router boundaries. By subnetting a large network into many smaller subnets, you limit broadcast traffic to only the devices that need to receive it. This improves performance and reduces the risk that a broadcast storm (an avalanche of broadcast traffic) from one area of the network affects all other areas.

3. Security Isolation

A flat network — one where every device is on the same subnet — means every device can directly communicate with every other device. If a single device is compromised (by malware, an intruder, or misconfiguration), the attacker has direct access to every other device on the network.

Subnetting creates logical boundaries. Traffic between subnets must pass through a router (or firewall). That router can enforce rules: "only the web server in the server subnet can initiate connections to the database subnet," or "no device in the guest wireless subnet can reach the corporate file server subnet." A compromised device in one subnet cannot directly reach devices in another subnet without passing through a controlled chokepoint.

This is a fundamental principle of network security architecture, sometimes called network segmentation or micro-segmentation. The 2020 SolarWinds breach — in which attackers compromised thousands of organizations through a malicious software update — demonstrated in painful detail what happens when internal network segments are insufficiently isolated. Once attackers were inside a target network, the lack of internal segmentation allowed them to move laterally (move from system to system) without encountering meaningful internal barriers.


Calculating Subnet Information

Given any network in CIDR notation, you can calculate four key pieces of information: the network address, the broadcast address, the usable host range, and the number of usable hosts.

The Four Values

Network address: The first address in the subnet. All host bits are set to 0. This address identifies the subnet itself and cannot be assigned to a host.

Broadcast address: The last address in the subnet. All host bits are set to 1. A packet sent to the broadcast address is delivered to every host on the subnet. This address also cannot be assigned to a host.

Usable host range: Every address between the network address and the broadcast address. These are the addresses you can assign to routers, servers, workstations, and other devices.

Number of usable hosts: Calculated as 2^(host bits) - 2. The -2 accounts for the two reserved addresses: the network address and the broadcast address.

Example 1: 192.168.1.0/24

Prefix length: 24
Host bits: 32 - 24 = 8

Network address: 192.168.1.0 (all host bits = 0)
Broadcast address: 192.168.1.255 (all host bits = 1)
Usable host range: 192.168.1.1 to 192.168.1.254
Number of usable hosts: 2^8 - 2 = 256 - 2 = 254

This is the most commonly seen subnet in home and small office networks.

Example 2: 10.0.0.0/8

Prefix length: 8
Host bits: 32 - 8 = 24

Network address: 10.0.0.0
Broadcast address: 10.255.255.255
Usable host range: 10.0.0.1 to 10.255.255.254
Number of usable hosts: 2^24 - 2 = 16,777,216 - 2 = 16,777,214

This is the large private address block commonly used inside corporate networks and cloud virtual networks.

Example 3: 172.16.5.0/28

Prefix length: 28
Host bits: 32 - 28 = 4

Network address: 172.16.5.0
Broadcast address: 172.16.5.15 (binary: the host bits ...0000 become ...1111, decimal 15)
Usable host range: 172.16.5.1 to 172.16.5.14
Number of usable hosts: 2^4 - 2 = 16 - 2 = 14

A /28 is a small subnet suitable for a few devices — a server cluster, a management interface segment, or a link between two pieces of network equipment.
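The three worked examples above, and the bitwise AND test from the subnet-mask section, carried out in code. This is an added example, not part of the lesson; it uses only hand-rolled bit operations so each step matches the text, and it treats /31 and /32 (no separate network and broadcast addresses, per the lesson's /32 note and RFC 3021) as the one edge case.

```python
# Added example (not part of the lesson): the four subnet values computed
# with the same bitwise operations the lesson describes, plus the
# "same network?" AND test from the subnet-mask section.

def ip_to_int(ip: str) -> int:
    """'192.168.1.100' -> 32-bit integer (each octet contributes 8 bits)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_from_prefix(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` ones on the left, (32 - prefix) zeros on the right."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Network, broadcast, usable range and host count for e.g. '172.16.5.0/28'."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = mask_from_prefix(prefix)
    host_bits = 32 - prefix
    network = ip_to_int(addr) & mask            # all host bits -> 0
    broadcast = network | (~mask & 0xFFFFFFFF)  # all host bits -> 1
    if host_bits >= 2:
        usable = 2 ** host_bits - 2             # minus network and broadcast
        first, last = network + 1, broadcast - 1
    else:
        # /31 (RFC 3021 point-to-point) and /32 (host route): every address is usable
        usable = 2 ** host_bits
        first, last = network, broadcast
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "mask": int_to_ip(mask),
        "host_bits": host_bits,
        "first_usable": int_to_ip(first),
        "last_usable": int_to_ip(last),
        "usable_hosts": usable,
    }

def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """The AND test: equal (ip & mask) results mean the hosts talk without a router."""
    m = ip_to_int(mask)
    return (ip_to_int(ip_a) & m) == (ip_to_int(ip_b) & m)

if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "10.0.0.0/8", "172.16.5.0/28"):
        print(cidr, subnet_info(cidr))
    print(same_network("192.168.1.10", "192.168.1.200", "255.255.255.0"))  # True
    print(same_network("192.168.1.10", "192.168.2.10", "255.255.255.0"))   # False
```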


Subnetting a Network: Splitting One /24 into Four /26 Subnets

This is one of the most common subnetting exercises because it illustrates the core mechanics clearly.

You are given: 192.168.1.0/24. You need to divide it into four equal subnets.

Four subnets require two borrowed bits, because 2^2 = 4, so you take 2 bits from the host portion. A /24 becomes a /26.

A /26 has:

  • Network bits: 26
  • Host bits: 32 - 26 = 6
  • Usable hosts per subnet: 2^6 - 2 = 64 - 2 = 62

The block size for a /26 is 256 - 192 = 64 (where 192 is the decimal value of the fourth octet of the subnet mask 255.255.255.192). Each subnet therefore spans 64 addresses.

Subnet 1: 192.168.1.0/26
  Network address: 192.168.1.0
  Broadcast address: 192.168.1.63
  Usable hosts: 192.168.1.1 to 192.168.1.62
  Count: 62 usable hosts

Subnet 2: 192.168.1.64/26
  Network address: 192.168.1.64
  Broadcast address: 192.168.1.127
  Usable hosts: 192.168.1.65 to 192.168.1.126
  Count: 62 usable hosts

Subnet 3: 192.168.1.128/26
  Network address: 192.168.1.128
  Broadcast address: 192.168.1.191
  Usable hosts: 192.168.1.129 to 192.168.1.190
  Count: 62 usable hosts

Subnet 4: 192.168.1.192/26
  Network address: 192.168.1.192
  Broadcast address: 192.168.1.255
  Usable hosts: 192.168.1.193 to 192.168.1.254
  Count: 62 usable hosts

Notice that the four network addresses (0, 64, 128, 192), the four broadcast addresses (63, 127, 191, 255), and the usable ranges between them together account for all 256 addresses in the original /24. No address is lost or double-counted. The original 254 usable hosts from the /24 become 4 x 62 = 248 usable hosts across the four /26 subnets. The difference of 6 comes from the eight reserved addresses of the new subnets (four network addresses plus four broadcast addresses) minus the two addresses (the original network and broadcast addresses) that were already unusable.


VLSM — Variable Length Subnet Masking

VLSM (Variable Length Subnet Masking) is the ability to use different prefix lengths on different subnets within the same network. This is how real networks are designed in practice.

Consider an organization with these requirements:

  • Headquarters LAN (Local Area Network): 200 hosts
  • Branch office LAN: 50 hosts
  • Data center server segment: 14 hosts
  • WAN link between main router and branch router: 2 hosts
  • Management segment for network devices: 6 hosts

Without VLSM, you would assign a /24 to every segment, wasting hundreds of addresses. With VLSM, you can allocate precisely:

  • Headquarters: /24 (254 usable hosts — fits 200)
  • Branch office: /26 (62 usable hosts — fits 50)
  • Data center: /28 (14 usable hosts — fits 14 exactly)
  • WAN link: /30 (2 usable hosts — fits 2 exactly)
  • Management: /29 (6 usable hosts — fits 6 exactly)

The WAN link example is particularly important. A point-to-point connection between two routers needs exactly two IP addresses — one for each router's interface. A /30 gives 2^2 - 2 = 2 usable hosts. Allocating a /24 to that link would waste 252 addresses. VLSM eliminates that waste.
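An added example (not from the lesson) that generalises the two exercises above: splitting one block into equal subnets, and a VLSM allocator that hands out the smallest fitting prefix to each requirement. The five segments from the VLSM list need more than a /24 in total, so the demonstration uses a constructed 10.10.0.0/23 block; the largest-first ordering is the standard VLSM practice, not something the lesson spells out.

```python
# Added example (not part of the lesson): a VLSM allocator working on
# 32-bit integers. It generalises both the /24 -> four /26 split and the
# lesson's five-segment VLSM plan: requests are served largest-first so
# every subnet starts on a boundary that is a multiple of its own size.

def ip_to_int(ip: str) -> int:
    o = [int(x) for x in ip.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) with 2**host_bits - 2 >= hosts."""
    host_bits = 2                     # /30 is the smallest subnet the lesson uses
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits

def allocate_vlsm(block: str, requests: dict) -> list:
    """requests: {name: host_count}. Returns [(name, cidr, usable)] in address order."""
    base, prefix = block.split("/")
    start = ip_to_int(base)
    end = start + 2 ** (32 - int(prefix))        # one past the block's last address
    cursor, plan = start, []
    # Largest request first: a subnet of size 2**k placed at a cursor that is
    # already a multiple of 2**k needs no padding, so no address space is skipped.
    for name, hosts in sorted(requests.items(), key=lambda kv: -kv[1]):
        p = prefix_for_hosts(hosts)
        size = 2 ** (32 - p)
        cursor = (cursor + size - 1) // size * size   # align to the subnet's block size
        if cursor + size > end:
            raise ValueError(f"{block} cannot fit {name} ({hosts} hosts, needs a /{p})")
        plan.append((name, f"{int_to_ip(cursor)}/{p}", size - 2))
        cursor += size
    return plan

def split_equal(block: str, parts: int) -> list:
    """The lesson's exercise: split one block into `parts` equal subnets (parts = 2**n)."""
    base, prefix = block.split("/")
    borrowed = parts.bit_length() - 1               # bits taken from the host portion
    if 2 ** borrowed != parts:
        raise ValueError("parts must be a power of two")
    new_prefix = int(prefix) + borrowed
    size = 2 ** (32 - new_prefix)                   # block size, e.g. 64 for a /26
    first = ip_to_int(base)
    return [f"{int_to_ip(first + i * size)}/{new_prefix}" for i in range(parts)]

if __name__ == "__main__":
    print(split_equal("192.168.1.0/24", 4))
    # Constructed block: the lesson's five segments need 348 addresses, so a /23.
    for row in allocate_vlsm("10.10.0.0/23", {"headquarters": 200, "branch": 50,
                                              "datacenter": 14, "wan": 2, "mgmt": 6}):
        print(row)
```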

VLSM requires a routing protocol that includes the subnet mask in its routing updates. Modern routing protocols (OSPF — Open Shortest Path First, EIGRP — Enhanced Interior Gateway Routing Protocol, BGP — Border Gateway Protocol) all support VLSM. Older protocols like RIPv1 (Routing Information Protocol version 1) did not.


Common CIDR Prefix Quick Reference

Prefix   Subnet Mask        Host Bits   Usable Hosts
/8       255.0.0.0          24          16,777,214
/16      255.255.0.0        16          65,534
/24      255.255.255.0      8           254
/25      255.255.255.128    7           126
/26      255.255.255.192    6           62
/27      255.255.255.224    5           30
/28      255.255.255.240    4           14
/29      255.255.255.248    3           6
/30      255.255.255.252    2           2
/32      255.255.255.255    0           1 (host route — a single specific IP)

The /32 is a special case. It has no host bits and represents exactly one IP address. It is used in routing tables to specify a route to a single host — a "host route." You will see /32 routes in firewall rules targeting a specific IP address and in BGP (Border Gateway Protocol) routing for specific server addresses.


Security Relevance of Subnetting

Understanding subnetting is not just a technical requirement for network administrators. It is directly relevant to cybersecurity work at every level.

Network Scanning and Attack Surface

When you run a network scanner like Nmap (Network Mapper), the range of targets is specified in CIDR notation. Understanding the prefix length tells you immediately how many hosts you are dealing with:

  • Scanning 192.168.1.0/24 means scanning up to 254 hosts — fast and manageable.
  • Scanning 10.0.0.0/8 means scanning up to 16,777,214 potential addresses — a major undertaking.

Nmap's default behavior changes based on whether a target appears to be a local network or a remote one. Misreading a CIDR range in a penetration testing scope can lead to scanning systems outside your authorized scope — a serious legal and professional problem.

Firewall Rules and ACLs

ACLs (Access Control Lists) — the rules in firewalls and routers that permit or deny traffic — are almost always written in CIDR notation. Reading and writing them correctly is essential.

Consider these two hypothetical rules:

  • Allow source 10.0.0.0/8 to reach the database server (this allows any of 16 million addresses)
  • Allow source 10.1.2.0/24 to reach the database server (this allows only 254 addresses)

If you misread /8 as /24 or vice versa, you will either block legitimate traffic or leave your database server exposed to far more of the network than intended. Real firewall misconfigurations of this type are a common cause of unintended network exposure.
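An added example (not from the lesson) that evaluates the two hypothetical rules above with Python's standard ipaddress module: how many source addresses each rule admits, whether one rule's range contains the other, first-match evaluation of a source IP, and an audit helper that flags source rules broader than a chosen prefix. The rule lists and sample addresses are constructed for the example.

```python
# Added example (not part of the lesson): reading ACL rules written in CIDR
# notation with the standard-library ipaddress module, using the two
# hypothetical database-server rules from the text.
import ipaddress

def rule_coverage(cidr: str) -> int:
    """Addresses a rule's source CIDR covers (2 ** host bits, network and broadcast included)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses

def rule_contains(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))

def evaluate_acl(rules: list, src_ip: str) -> str:
    """First-match ACL: rules are (action, source_cidr); implicit deny at the end."""
    src = ipaddress.ip_address(src_ip)
    for action, cidr in rules:
        if src in ipaddress.ip_network(cidr, strict=False):
            return action
    return "deny"   # nothing matched: default-deny

def overly_broad(rules: list, min_prefix: int = 24) -> list:
    """Audit helper: source rules shorter than /min_prefix admit more hosts than a /24."""
    return [(action, cidr) for action, cidr in rules
            if ipaddress.ip_network(cidr, strict=False).prefixlen < min_prefix]

def exposure_difference(broad: str, narrow: str) -> int:
    """Extra source addresses the broad rule admits compared with the narrow one."""
    return rule_coverage(broad) - rule_coverage(narrow)

# Constructed rule sets for the database server's inbound ACL.
BROAD_ACL = [("allow", "10.0.0.0/8")]    # the /8 rule from the text
NARROW_ACL = [("allow", "10.1.2.0/24")]  # the /24 rule from the text

if __name__ == "__main__":
    for ip in ("10.1.2.77", "10.200.3.4", "192.168.1.5"):
        print(ip, "broad:", evaluate_acl(BROAD_ACL, ip), "narrow:", evaluate_acl(NARROW_ACL, ip))
    print("extra addresses admitted by /8:", exposure_difference("10.0.0.0/8", "10.1.2.0/24"))
    print("rules broader than /24:", overly_broad(BROAD_ACL))
```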

Segmentation as Defense

The principle of network segmentation says: put different types of systems — and different types of users — in different subnets, and control what traffic is allowed between them. Practical examples include:

  • A finance subnet isolated from the general employee subnet. Even if an employee workstation is compromised, the attacker cannot directly reach finance servers.
  • A server subnet accessible from the employee network only on specific ports (for example, only TCP port 443 — HTTPS — is permitted from employee subnets to the web server subnet).
  • A guest wireless network completely isolated from the corporate network. Guests can reach the internet but cannot reach any internal systems.
  • An IoT (Internet of Things) device subnet — printers, cameras, HVAC sensors — isolated from user workstations, since IoT devices are frequently insecure and should not be able to reach sensitive systems if compromised.

The 2020 SolarWinds supply chain breach illustrated the consequences of inadequate internal segmentation. Attackers who entered networks through the compromised SolarWinds Orion software update were able to move laterally across internal networks because insufficient segmentation meant that a compromised server could directly contact many other internal systems. Post-breach guidance from CISA (Cybersecurity and Infrastructure Security Agency) explicitly recommended improved network segmentation as a key mitigation.

DMZ — Demilitarized Zone

A DMZ (Demilitarized Zone) is a specific subnet architecture used for publicly accessible services — web servers, mail servers, VPN (Virtual Private Network) concentrators, and similar systems that must be reachable from the internet.

The DMZ is positioned between two firewalls (or two firewall rule sets): one facing the internet and one facing the internal network. A device on the internet can reach the web server in the DMZ. But if that web server is compromised, the attacker cannot directly reach internal systems — there is a second firewall between the DMZ and the internal network.

This architecture uses subnetting as a security control. The DMZ is its own subnet. The internal network is one or more separate subnets. The routing and firewall rules enforce the separation.

Private vs. Public Addressing and Security Implications

RFC 1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are not routed on the public internet. A host using a private address cannot be directly reached from the internet — it must go through a NAT (Network Address Translation) device that maps the private address to a public one. This provides a degree of obscurity (though not real security by itself).

When performing reconnaissance, knowing whether a target uses private or public addressing tells you about the network topology. Seeing RFC 1918 addresses in packet captures or DNS (Domain Name System) responses from an internal host tells you those are internal systems, not directly internet-facing.


The Bottom Line

Subnetting divides a large IP address space into smaller, bounded networks called subnets. The subnet mask (or CIDR prefix length) tells you where the network portion of an IP address ends and the host portion begins. From a subnet's network address and prefix length, you can calculate its broadcast address, usable host range, and number of usable hosts using the formulas: broadcast = all host bits set to 1, usable hosts = 2^(host bits) - 2. CIDR notation (like 192.168.1.0/24) replaced rigid classful addressing to use the address space more efficiently. VLSM allows different subnets within the same larger network to have different sizes — matching the size of each subnet to the actual need. From a security perspective, subnetting enables network segmentation, which is a fundamental architectural control: it limits how far an attacker can move once inside a network by forcing inter-subnet traffic through routers and firewalls where rules can be enforced.


Check Your Understanding

  1. A network engineer assigns 192.168.10.0/27 to a new department. How many usable host addresses does this subnet provide, and what is the broadcast address?

  2. You are reviewing a firewall ACL (Access Control List) and see a rule that allows all traffic from the source network 10.0.0.0/8 to reach the payment processing server. A colleague says this is equivalent to a rule allowing 10.5.0.0/24. Are they correct? Explain the difference in terms of how many hosts are covered by each rule.


Something to Think About

  1. A small company has five departments: Engineering (80 staff), Sales (40 staff), Finance (15 staff), HR (Human Resources, 8 staff), and a Server Room (10 servers). They have been given the address block 192.168.50.0/24 to work with. How would you subnet this block using VLSM to give each department its own subnet, sized as appropriately as possible? What security benefit does this design provide compared to putting everyone on the same /24?

  2. The SolarWinds breach spread across many victim networks partly because internal segmentation was insufficient. If you were designing a corporate network from scratch, which types of systems would you place in separate subnets, and what specific rules would you put between them? Think about not just which subnets exist, but what traffic you would allow between them — and, critically, what traffic you would deny by default.


References

  1. Official Specification. RFC 1519 — "Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy". Internet Engineering Task Force. — The original CIDR RFC establishing prefix-length notation and route aggregation, replacing classful addressing.

  2. Official Specification. RFC 1918 — "Address Allocation for Private Internets". Internet Engineering Task Force. — Defines the three private IPv4 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) used in most subnetting examples.

  3. Official Guidance. NIST SP 800-114 Rev. 1 — "Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security". National Institute of Standards and Technology. — Covers network segmentation principles as they apply to enterprise remote access architectures.

  4. Real-World Incident. CISA — "Advisory AA20-049A: Ransomware Impacting Pipeline Operations". Cybersecurity and Infrastructure Security Agency. — Documents an attack that spread partly due to insufficient network segmentation, with specific recommendations for subnetting as a security control.