Subnet Basics: What Subnetting Is and How It Works
Subnetting divides a large IP network into smaller sub-networks, improving security and performance. A subnet mask defines which part of an IP address identifies the network.
Subnetting is how large IP address ranges are divided into smaller, more manageable networks. It is used in every network from home routers to enterprise data centres, and it plays a key role in security, performance, traffic management, and efficient use of the limited IPv4 address space.
What Is a Subnet
A subnet (subnetwork) is a logical subdivision of an IP network. Devices within the same subnet can communicate directly with each other without involving a router. Traffic that needs to travel between different subnets must pass through a router or layer 3 switch that connects them. This boundary between subnets is where firewalls, access control lists, and security policies are applied.
Think of a subnet as a neighbourhood within a city. Houses on the same street can communicate directly. To reach someone in a different neighbourhood, the traffic must go through a shared road junction. Subnetting creates these boundaries intentionally, giving network administrators fine-grained control over which devices can reach which other devices and what rules govern the traffic between them.
Every subnet reserves addresses at both ends of its range that cannot be assigned to individual devices. The network address identifies the subnet itself and is the lowest address in the range. The broadcast address is the highest address and is used to send a message to every device in the subnet simultaneously. Every address between these two is a usable host address.
What Is a Subnet Mask
A subnet mask is a 32-bit number that defines the boundary between the network portion and the host portion of an IP address. Applied to an IP address, it tells a device which part of the address identifies the network and which part identifies the individual host within that network. Devices use this information to determine whether a destination is local, meaning it can be reached directly, or remote, meaning it must be sent to the default gateway.
Subnet masks are expressed in two equivalent notations. Dotted decimal notation writes the mask as four groups of numbers such as 255.255.255.0. CIDR notation appends a forward slash and the number of network bits to the IP address such as 192.168.1.0/24. Both forms describe the same mask and are used interchangeably. CIDR notation is more compact and is the standard in modern networking documentation.
```
IP Address:   192.168.1.50
              11000000.10101000.00000001.00110010
Subnet Mask:  255.255.255.0 (/24)
              11111111.11111111.11111111.00000000
              └───── Network bits ─────┘└─ Host bits ─┘
Network:      192.168.1.0 (first 24 bits identify the network)
Host:         .50 (last 8 bits identify the device)

Result: This device is on the 192.168.1.0/24 network.
  Destination 192.168.1.x    → direct delivery (same subnet)
  Destination anything else  → send to default gateway
```
| CIDR Notation | Subnet Mask | Total Addresses | Usable Hosts | Common Use |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 | Very large organisations, Class A private range (10.0.0.0/8) |
| /16 | 255.255.0.0 | 65,536 | 65,534 | Large organisations, Class B private range (172.16.0.0/16) |
| /24 | 255.255.255.0 | 256 | 254 | Home networks, small office networks, typical LAN segment |
| /25 | 255.255.255.128 | 128 | 126 | Splitting a /24 into two equal halves for two departments |
| /26 | 255.255.255.192 | 64 | 62 | Small team networks, dividing a /24 into four segments |
| /28 | 255.255.255.240 | 16 | 14 | Small server groups, cloud VPC subnets |
| /30 | 255.255.255.252 | 4 | 2 | Point-to-point links between routers where only two addresses are needed |
| /32 | 255.255.255.255 | 1 | 1 | Single host route, cloud instance addressing, loopback interfaces |
Reading an IP Address with CIDR Notation
CIDR notation such as 192.168.1.0/24 encodes both the network address and the subnet mask in a single compact string. Breaking it down reveals everything you need to know about the subnet.
```
192.168.1.0/24
  Network address:   192.168.1.0   (identifies the subnet, not assignable to hosts)
  Subnet mask:       255.255.255.0 (/24 means 24 bits are the network portion)
  First usable host: 192.168.1.1
  Last usable host:  192.168.1.254
  Broadcast address: 192.168.1.255 (sends to all devices in the subnet, not assignable)
  Total addresses:   256 (2^8 host bits)
  Usable hosts:      254 (256 minus network and broadcast addresses)

10.0.0.0/8
  Network address:   10.0.0.0
  Subnet mask:       255.0.0.0 (/8 means only 8 bits are the network portion)
  First usable host: 10.0.0.1
  Last usable host:  10.255.255.254
  Broadcast address: 10.255.255.255
  Total addresses:   16,777,216 (2^24 host bits)
  Usable hosts:      16,777,214
```
How to Calculate a Subnet
Subnetting calculations follow a consistent formula once you understand the relationship between the prefix length, total addresses, and usable hosts.
- Total addresses in a subnet: 2 raised to the power of the number of host bits. For a /24, there are 32 minus 24 equals 8 host bits, so 2^8 equals 256 total addresses.
- Usable host addresses: Total addresses minus 2, because the network address and broadcast address cannot be assigned to devices. A /24 has 254 usable hosts.
- Network address: The lowest address in the range, where all host bits are zero. For 192.168.1.0/24, the network address is 192.168.1.0.
- Broadcast address: The highest address in the range, where all host bits are one. For 192.168.1.0/24, the broadcast address is 192.168.1.255.
- First usable host: Network address plus one. For 192.168.1.0/24, the first usable host is 192.168.1.1.
- Last usable host: Broadcast address minus one. For 192.168.1.0/24, the last usable host is 192.168.1.254.
| Subnet | Mask | Host Bits | Total | Usable | First Host | Last Host |
|---|---|---|---|---|---|---|
| 192.168.1.0/24 | 255.255.255.0 | 8 | 256 | 254 | 192.168.1.1 | 192.168.1.254 |
| 192.168.1.0/25 | 255.255.255.128 | 7 | 128 | 126 | 192.168.1.1 | 192.168.1.126 |
| 192.168.1.128/25 | 255.255.255.128 | 7 | 128 | 126 | 192.168.1.129 | 192.168.1.254 |
| 10.0.0.0/30 | 255.255.255.252 | 2 | 4 | 2 | 10.0.0.1 | 10.0.0.2 |
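The calculation steps above carried out with explicit bit operations, plus the local-or-gateway decision a host makes from its mask. This is an added example, not code from the original article; the function names are my own.

```python
# Added example, not from the original article: the subnet arithmetic above
# done with explicit bit operations on 32-bit integers.

def ip_to_int(ip: str) -> int:
    """Convert dotted-decimal IPv4 text to a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """A /N mask is N one-bits followed by (32 - N) zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Network, mask, broadcast, usable range and counts for an address in CIDR form."""
    ip, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = prefix_to_mask(prefix)
    host_bits = 32 - prefix
    network = ip_to_int(ip) & mask               # all host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # all host bits set
    total = 2 ** host_bits
    # The "minus 2" rule needs at least two host bits: a /31 (RFC 3021
    # point-to-point link) and a /32 (single host) have nothing to subtract.
    reserved = host_bits >= 2
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "host_bits": host_bits,
        "total": total,
        "usable": total - 2 if reserved else total,
        "first_host": int_to_ip(network + 1 if reserved else network),
        "last_host": int_to_ip(broadcast - 1 if reserved else broadcast),
        "broadcast": int_to_ip(broadcast),
    }

def same_subnet(local_cidr: str, destination: str) -> bool:
    """The decision a host makes before sending: mask both addresses and
    compare the network parts. False means "send to the default gateway"."""
    ip, prefix_text = local_cidr.split("/")
    mask = prefix_to_mask(int(prefix_text))
    return (ip_to_int(ip) & mask) == (ip_to_int(destination) & mask)
```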
Splitting a Network: VLSM
Variable Length Subnet Masking (VLSM) allows different subnets within the same network to use different prefix lengths, allocating exactly as many addresses as each segment needs rather than dividing everything into equal-sized blocks.
For example, if you have the network 192.168.1.0/24 and need to allocate it across three departments of different sizes, VLSM lets you do this efficiently without wasting address space.
```
Available: 192.168.1.0/24 (256 addresses)

Department A (100 hosts needed):
  Subnet: 192.168.1.0/25   → 126 usable hosts ✓
  Range:  192.168.1.1 to 192.168.1.126

Department B (50 hosts needed):
  Subnet: 192.168.1.128/26 → 62 usable hosts ✓
  Range:  192.168.1.129 to 192.168.1.190

Department C (20 hosts needed):
  Subnet: 192.168.1.192/27 → 30 usable hosts ✓
  Range:  192.168.1.193 to 192.168.1.222

Router links (2 hosts needed):
  Subnet: 192.168.1.224/30 → 2 usable hosts ✓
  Range:  192.168.1.225 to 192.168.1.226

Addresses used:   128 + 64 + 32 + 4 = 228 of 256
Addresses wasted: far fewer than if equal /26 blocks were used
```
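The allocation above automated as a largest-first VLSM carve, which is what makes each block land on its own boundary in the order /25, /26, /27, /30. Added example, not from the original article; it uses Python's standard `ipaddress` module and the function names are my own.

```python
# Added example, not from the original article: a largest-first VLSM allocator.
import ipaddress
import math

def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix whose usable count (2^h - 2) covers the request."""
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits

def allocate_vlsm(block: str, requirements: dict) -> dict:
    """Carve `block` into one subnet per requirement, largest request first."""
    parent = ipaddress.ip_network(block, strict=True)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    allocation = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        # A subnet must start on a multiple of its own size. Largest-first
        # ordering makes this a no-op, but align anyway so any input is safe.
        if cursor % size:
            cursor += size - (cursor % size)
        if cursor + size > end:
            raise ValueError(f"{block} has no room left for {name} ({hosts} hosts)")
        allocation[name] = str(ipaddress.ip_network((cursor, prefix)))
        cursor += size
    return allocation

def addresses_used(allocation: dict) -> int:
    """Total addresses consumed, the '128 + 64 + 32 + 4' figure above."""
    return sum(ipaddress.ip_network(s).num_addresses for s in allocation.values())

if __name__ == "__main__":
    plan = allocate_vlsm("192.168.1.0/24",
                         {"Department A": 100, "Department B": 50,
                          "Department C": 20, "Router links": 2})
    for name, subnet in plan.items():
        print(f"{name:13} {subnet}")
    print("used:", addresses_used(plan), "of 256")
```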
Private IP Address Ranges
RFC 1918 defines three ranges of IP addresses reserved for private networks. These addresses are not routable on the public internet. Routers at the edge of a network use NAT (Network Address Translation) to translate private addresses to the single public IP address assigned by the ISP when traffic needs to reach the internet.
| Range | CIDR | Addresses Available | Typical Use |
|---|---|---|---|
| 10.0.0.0 to 10.255.255.255 | 10.0.0.0/8 | 16,777,214 | Large enterprise networks, cloud VPCs, data centres |
| 172.16.0.0 to 172.31.255.255 | 172.16.0.0/12 | 1,048,574 | Medium enterprise networks, VPN address pools |
| 192.168.0.0 to 192.168.255.255 | 192.168.0.0/16 | 65,534 | Home networks, small offices, consumer routers |
Why Subnetting Matters
| Benefit | How Subnetting Helps |
|---|---|
| Security | Subnets create natural boundaries where firewall rules and access control lists can be applied. The HR subnet cannot reach the engineering database server without traffic passing through a controlled router or firewall that enforces policies. |
| Performance | Broadcast traffic is confined to the subnet where it originates. Smaller broadcast domains mean fewer devices are interrupted by broadcasts they do not need, reducing unnecessary network noise on each segment. |
| Address Efficiency | VLSM allows allocating exactly as many addresses as each segment requires, avoiding the waste of assigning a /24 to a network that only needs ten hosts. |
| Organisation | Subnets provide a logical structure that mirrors the physical or functional layout of an organisation, making networks easier to document, troubleshoot, and manage. |
| Fault Isolation | Problems such as broadcast storms and misconfigurations are contained within a subnet rather than spreading across the entire network. |
| Routing Efficiency | Routers can summarise multiple subnets into a single route advertisement, reducing the size of routing tables and improving routing performance. |
Subnetting in Cloud Environments
Cloud platforms like AWS, Google Cloud, and Azure use subnetting extensively to organise virtual network infrastructure. In AWS, a Virtual Private Cloud (VPC) is a large private network that you divide into subnets, typically assigning each subnet to a specific availability zone and purpose.
- Public subnets: Subnets that have a route to an internet gateway, allowing resources within them to be directly reachable from the internet. Used for load balancers, bastion hosts, and NAT gateways.
- Private subnets: Subnets with no direct route to the internet. Resources here are not publicly accessible. Used for application servers and databases that should only be reachable from within the VPC.
- Database subnets: Often a dedicated private subnet tier for database instances, further isolated from application servers by security group rules.
- CIDR allocation planning: Cloud VPCs are typically assigned large blocks such as 10.0.0.0/16 and divided into smaller subnets per availability zone and tier, leaving room for future expansion.
Frequently Asked Questions
- What is the difference between a subnet and a VLAN?
A subnet is a Layer 3 concept that divides IP address space. It defines which IP addresses belong to the same network and determines routing boundaries. A VLAN (Virtual Local Area Network) is a Layer 2 concept that segments traffic at the switch level, creating separate broadcast domains at the data link layer. In practice they are almost always paired together: each VLAN corresponds to one subnet, and a router or layer 3 switch handles traffic between them. A VLAN without a corresponding subnet would have no IP address organisation, and a subnet without VLAN separation would not achieve broadcast isolation at the switch level.
- Is 192.168.x.x always a private network?
Yes. The entire 192.168.0.0/16 range is permanently reserved for private use by RFC 1918 and will never be assigned as public internet addresses. The same applies to 10.0.0.0/8 and 172.16.0.0/12. These ranges are not routable on the public internet, meaning routers operated by ISPs and backbone networks will not forward packets addressed to these ranges. Devices using private addresses must use NAT to communicate with public internet addresses.
- What is the purpose of the /32 subnet mask?
A /32 represents a single host because all 32 bits of the address are the network portion, leaving zero bits for host identification. It is used in routing tables to create a host-specific route that points directly to a single IP address rather than a range. In cloud environments like AWS, instances are often addressed with /32 masks on their network interfaces. It is also used for loopback addresses and in situations where a route must be injected for a specific individual IP address rather than a range.
- How do I choose the right subnet size for a new network?
Start by estimating the number of devices that will connect to the subnet, then add a reasonable buffer for growth. Choose the smallest CIDR prefix that provides enough usable host addresses for your requirement. For 50 devices, a /26 provides 62 usable hosts with room to grow. For 200 devices, a /24 provides 254 usable hosts. For point-to-point router links where exactly two addresses are needed, a /30 is the standard choice. In cloud environments, it is common practice to over-allocate slightly, using /24 subnets even for small segments, to avoid running out of addresses as the deployment grows.
- What happens if two devices on the same subnet have the same IP address?
An IP address conflict occurs, and both devices experience network problems. When either device tries to communicate, other devices on the network receive conflicting ARP responses mapping the same IP address to two different MAC addresses. The ARP cache on other devices oscillates between the two, causing packets to be delivered to the wrong device unpredictably. Most modern operating systems detect IP conflicts at startup and display a warning, and will sometimes refuse to use the conflicting address until the conflict is resolved. DHCP servers prevent this by tracking which addresses have been assigned, but statically assigned addresses can still conflict if not carefully managed.
Conclusion
Subnetting is a foundational networking skill that underpins the design of every network from a simple home setup to a global enterprise infrastructure. It divides large address spaces into purposeful segments that improve security by creating boundaries for access control, reduce broadcast noise for better performance, enable efficient address allocation through VLSM, and provide the logical structure that makes large networks manageable. Understanding how to read CIDR notation, calculate subnet ranges, and plan address allocation prepares you to design, configure, and troubleshoot networks at any scale. Continue with NAT, default gateway, IP addresses, and how routing works to build a complete picture of how local networks are structured and connected to the internet.
