Subnetting Made Simple: A Beginner’s Guide to CIDR Notation

Last Updated on: June 11, 2026
TL;DR — The Short Version
  • Subnetting divides a large network into smaller, more manageable segments for better security, performance, and organization.
  • A subnet mask tells you which bits of an IP address identify the network and which identify individual hosts.
  • CIDR notation (like /24) is shorthand for how many bits belong to the network portion of the address.
  • The usable host formula is 2^n − 2, where n is the host bit count. The network and broadcast addresses are reserved.
  • Every subnet has four key values: network address, broadcast address, first usable host, and last usable host.
  • You can calculate subnets instantly with a tool, but the math matters for certifications and troubleshooting.

Subnetting makes networking students break into a cold sweat. The word sounds complicated, and eyes glaze over when instructors start writing binary on the whiteboard. Here is the truth: subnetting is just dividing a network into smaller pieces. That is genuinely all it is.

You already have the mental model. A street address tells you the city, the street, and the building number. An IP address works the same way. Part of it tells you which network you are on. The other part tells you which specific device, or host, you are.

Maybe you are studying for the CompTIA Network+ (N10-009) or prepping for the CCNA (200-301). Maybe you are setting up a home lab, or you are a developer tired of guessing at cloud networking configs. Either way, this guide walks you through subnetting from the ground up. We use real numbers, actual binary, and step-by-step examples you can follow along with.

What Is a Subnet?

A subnet is a logical subdivision of a larger IP network. Subnetting splits one address block into smaller segments for security, performance, and organization. Each subnet becomes its own broadcast domain, with traffic between subnets controlled by routers and firewall rules.

Think of an office building with multiple floors. The building has one street address, but each floor is its own workspace with its own rooms and people. Devices on one floor do not automatically see devices on another. That separation is intentional, and it is exactly what subnetting achieves.

Organizations subnet for three main reasons:

  • Security: Isolating departments into separate subnets lets you control traffic with firewalls and access control lists. A compromised device in one subnet cannot easily reach another. Subnetting operates at Layer 3 of the OSI model, where routing decisions happen.
  • Performance: Smaller subnets mean smaller broadcast domains. Broadcasts reach every device in the subnet. Fewer devices means less noise and better performance.
  • Organization: Subnets group devices logically. Engineering gets one subnet, HR gets another, and printers live on their own. Management, monitoring, and troubleshooting all get easier.

Without subnetting, every device in a large organization would share one network. That is an open warehouse with no walls: noisy, chaotic, and a security nightmare.

IP Addresses and Binary

An IPv4 address is 32 bits arranged as four 8-bit octets. Each octet uses the place values 128, 64, 32, 16, 8, 4, 2, and 1. Every subnetting calculation comes down to where the binary boundary falls between network bits and host bits.

Before you can subnet, you need to see how IP addresses work under the hood. An IPv4 address like 192.168.1.0 looks like four numbers separated by dots. Your computer sees 32 bits of binary. Our guide on IP address formats covers decimal, binary, hex, and integer representations in detail.

Each of those four numbers is an octet, made of 8 bits. Four octets times 8 bits equals 32 bits total. Each bit is a 0 or a 1, and each position represents a power of 2.

Worked Example — 192.168.1.0 in Binary
Octet 1:  192 = 128 + 64 = 11000000
Octet 2:  168 = 128 + 32 + 8 = 10101000
Octet 3:    1 = 1 = 00000001
Octet 4:    0 = 00000000

Full binary:
192.168.1.0 = 11000000.10101000.00000001.00000000

Each octet has place values: 128, 64, 32, 16, 8, 4, 2, 1. To convert decimal to binary, check each place value left to right. If the number is greater than or equal to the place value, write a 1 and subtract. Otherwise, write a 0 and move on.

Need practice converting between formats? Our IP to binary converter checks your work instantly.

Binary fluency is not optional for subnetting. Every calculation depends on where the boundary falls between the network portion and the host portion.

What Is a Subnet Mask?

A subnet mask is a 32-bit pattern marking network bits and host bits within an IP address. Ones mark network bits and zeros mark host bits. ANDing the mask with an address yields the network address.

A subnet mask works like a stencil laid over an IP address. Everywhere the mask has a 1, that bit belongs to the network. Everywhere it has a 0, that bit belongs to the host.

Subnet Mask Breakdown — 255.255.255.0
Decimal:    255    .    255    .    255    .     0
Binary:  11111111 . 11111111 . 11111111 . 00000000
         |<--- Network bits (24) --->| |<Host (8)>|

The first 24 bits are all 1s, so the first three octets identify the network. The last 8 bits are all 0s, so the final octet identifies individual hosts. With 8 host bits, you get 2^8 = 256 total addresses. Subtract the network and broadcast addresses and 254 are usable.

Here is the key insight: the subnet mask does not change the IP address itself. It tells routers and devices how to read the address. The same IP address with a different mask belongs to a different-sized network.

When you AND the IP address with the subnet mask, comparing bit by bit, you get the network address:

IP Address:    192.168.1.100  = 11000000.10101000.00000001.01100100
Subnet Mask:   255.255.255.0  = 11111111.11111111.11111111.00000000
               ──────────────────────────────────────────────────────
Network (AND): 192.168.1.0    = 11000000.10101000.00000001.00000000

Anywhere both bits are 1, the result is 1. Anywhere either bit is 0, the result is 0. The result is the network address: 192.168.1.0.

CIDR Notation Explained

CIDR notation appends a slash and a number to an address, like 192.168.1.0/24. The number counts network bits, replacing the longer subnet mask format. Defined in RFC 4632, CIDR replaced classful addressing and allows networks to be sized at any bit boundary.

CIDR stands for Classless Inter-Domain Routing, defined in RFC 4632. Instead of writing the full subnet mask, CIDR appends a slash and a number to the IP address. That number is the count of network bits.

192.168.1.0/24 means the first 24 bits are the network part. That is identical to a subnet mask of 255.255.255.0, but far faster to write and read. To expand a CIDR block into first IP, last IP, and host count, use our CIDR to IP Range Converter.

CIDR replaced the old classful addressing system of Class A, B, and C, which forced fixed network sizes. Classful addressing gave you 254 hosts (Class C), about 65,000 hosts (Class B), or over 16 million hosts (Class A). Nothing in between. CIDR lets you slice networks at any bit boundary, giving exactly the size you need. For advanced techniques like variable-length subnetting and route aggregation, see our guide on VLSM and supernetting.

Common CIDR Prefixes

CIDR  Subnet Mask      Network Bits  Host Bits  Total Addresses  Usable Hosts
/8    255.0.0.0        8             24         16,777,216       16,777,214
/16   255.255.0.0      16            16         65,536           65,534
/24   255.255.255.0    24            8          256              254
/25   255.255.255.128  25            7          128              126
/26   255.255.255.192  26            6          64               62
/27   255.255.255.224  27            5          32               30
/28   255.255.255.240  28            4          16               14
/29   255.255.255.248  29            3          8                6
/30   255.255.255.252  30            2          4                2
/31   255.255.255.254  31            1          2                2*
/32   255.255.255.255  32            0          1                1

* A /31 is a special case (RFC 3021) for point-to-point links. Both addresses are usable because no broadcast address is needed.

How to Calculate a Subnet (Step by Step)

Four steps solve any subnet problem. Convert the prefix to a mask. Find the block size by subtracting the last mask octet from 256. List the network, first host, last host, and broadcast addresses. Then count hosts: two to the power of host bits, minus two.

This is where it all comes together. We will walk through one complete calculation, then reinforce with a second example. Grab a notepad or follow along mentally.

Example 1: 192.168.10.0/26

Step 1 — Identify the Subnet Mask

/26 means 26 network bits. That is 3 full octets (24 bits) plus 2 more bits in the fourth octet.

Binary mask: 11111111.11111111.11111111.11000000
Decimal:     255     .255     .255     .192

Step 2 — Determine the Block Size

The block size, also called the increment or magic number, is 256 minus the last non-zero octet of the mask.

Block size = 256 - 192 = 64

Subnets start at every multiple of 64 in the fourth octet: 0, 64, 128, 192.

Step 3 — Calculate the Key Addresses

Our address is 192.168.10.0 and the block size is 64:

Network address:      192.168.10.0     (the subnet starts here)
First usable host:    192.168.10.1     (network address + 1)
Last usable host:     192.168.10.62    (broadcast address - 1)
Broadcast address:    192.168.10.63    (next subnet - 1 = 64 - 1)

Step 4 — Count the Hosts

Host bits = 32 - 26 = 6
Total addresses = 2^6 = 64
Usable hosts = 64 - 2 = 62

You subtract 2 because 192.168.10.0 is the network address and 192.168.10.63 is the broadcast address. Neither can be assigned to a device.

Example 2: 10.0.5.0/28

Now reinforce the process with a second example using a /28 prefix.

Complete Walkthrough
Given: 10.0.5.0/28

Step 1 — Subnet mask:
  /28 = 11111111.11111111.11111111.11110000
      = 255.255.255.240

Step 2 — Block size:
  256 - 240 = 16
  Subnets in the 4th octet: 0, 16, 32, 48, 64 ... 240

Step 3 — Key addresses (for the 10.0.5.0 subnet):
  Network address:     10.0.5.0
  First usable host:   10.0.5.1
  Last usable host:    10.0.5.14
  Broadcast address:   10.0.5.15

Step 4 — Host count:
  Host bits = 32 - 28 = 4
  Total addresses = 2^4 = 16
  Usable hosts = 16 - 2 = 14

Notice how the next subnet starts at 10.0.5.16. The broadcast address is always one less than the start of the next subnet. Internalize that pattern and subnetting becomes mechanical. Verify your work with our subnet calculator. Or expand any CIDR block to a full IP list with the CIDR to IP Range Converter.
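The four steps above, along with the mask AND operation from the subnet mask section, can be carried out with plain 32-bit integer arithmetic. The following is an added example, not code from the original guide; the function names are hypothetical, and it treats /31 and /32 the way the prefix table does.

```python
import ipaddress


def to_dotted(value: int) -> str:
    """Render a 32-bit integer as a dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def subnet_facts(cidr: str) -> dict:
    """Work the four steps for any address/prefix, including host addresses."""
    addr_text, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    addr = int(ipaddress.IPv4Address(addr_text))  # dotted quad -> 32-bit int

    # Step 1: the mask is `prefix` one-bits followed by zero-bits for hosts.
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF

    # Step 2: addresses per subnet. For /24 through /32 this equals the
    # block size, 256 minus the last mask octet.
    total = 1 << host_bits

    # Step 3: AND clears the host bits (network address); OR with the
    # inverted mask sets them all (broadcast address).
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)

    # Step 4: subtract network and broadcast, except on /31 (RFC 3021
    # point-to-point links) and /32 (single host), where nothing is reserved.
    if prefix >= 31:
        first, last, usable = network, broadcast, total
    else:
        first, last, usable = network + 1, broadcast - 1, total - 2

    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
        "broadcast": to_dotted(broadcast),
        "total_addresses": total,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    # Constructed sample inputs; the first two mirror the worked examples.
    for sample in ("192.168.10.0/26", "10.0.5.9/28", "192.168.1.100/24", "10.0.0.4/31"):
        print(sample, subnet_facts(sample))
```
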

Subnetting Cheat Sheet

The /24 through /32 range covers most real-world and exam scenarios. Each step toward /24 doubles the block size and roughly doubles the usable hosts. Memorize the mask, wildcard, block size, and host count for each prefix before any certification exam.

This table covers the range most commonly tested on certifications and most useful in daily administration. Print it, bookmark it, or tattoo it on your forearm. (We recommend bookmarking.)

CIDR  Subnet Mask      Wildcard Mask  Block Size  Total Addresses  Usable Hosts
/24   255.255.255.0    0.0.0.255      256         256              254
/25   255.255.255.128  0.0.0.127      128         128              126
/26   255.255.255.192  0.0.0.63       64          64               62
/27   255.255.255.224  0.0.0.31       32          32               30
/28   255.255.255.240  0.0.0.15       16          16               14
/29   255.255.255.248  0.0.0.7        8           8                6
/30   255.255.255.252  0.0.0.3        4           4                2
/31   255.255.255.254  0.0.0.1        2           2                2*
/32   255.255.255.255  0.0.0.0        1           1                1

* /31 subnets are a special case for point-to-point links per RFC 3021.

The wildcard mask is the inverse of the subnet mask: subtract each octet from 255. Wildcard masks appear in Cisco ACLs, OSPF configurations, and other router commands. Getting them backwards is one of the most common subnetting mistakes in production configurations.

Practical Uses of Subnetting

Subnetting appears everywhere in production networks. VLANs pair with subnets to segment departments. Guest Wi-Fi runs on isolated subnets. ISPs carve customer allocations from large blocks. Cloud VPCs are built entirely from CIDR blocks, and home labs use subnets to isolate untrusted devices.

Subnetting is not just an exam topic. Network engineers, cloud architects, and sysadmins use it every day. Here are the most common applications.

VLANs and Network Segmentation

Enterprise networks pair VLANs (Virtual LANs) with subnets to segment traffic. Accounting lives on 10.0.10.0/24, engineering on 10.0.20.0/24, and guest Wi-Fi on 10.0.100.0/24. Each subnet gets its own firewall rules. A visitor’s infected laptop on the guest network cannot reach your payroll server.

Guest vs. Employee Networks

Every organization offering guest Wi-Fi should use a separate subnet. The guest subnet gets internet access but stays walled off from internal resources. This is subnetting in action, and one of the most basic security practices.

ISP Address Allocation

Internet Service Providers receive large blocks, like a /16, and subnet them into customer allocations. A business might get a /28 with 14 usable addresses. A residential customer gets a single /32. CIDR makes precise allocation possible without waste. As IPv4 keeps running short, understanding IPv4 versus IPv6 matters more each year for allocation planning.

Cloud VPC Design

Used AWS, Azure, or Google Cloud? Then you have subnetted, whether you realized it or not. A VPC (Virtual Private Cloud) gets a CIDR block like 10.0.0.0/16. Inside it you create subnets: a public 10.0.1.0/24 for web servers and a private 10.0.2.0/24 for databases. Subnetting is core to cloud architecture. Use our subnet calculator to plan VPC address space.

Home Lab Setups

Running Proxmox, Docker, or pfSense at home? Subnetting isolates your management network, lab VMs, and IoT devices. A common layout: 192.168.1.0/24 for regular devices, 192.168.10.0/24 for lab VMs, and 192.168.20.0/24 for untrusted IoT gear. You can check your public IP to see what your ISP assigned to your router’s WAN interface.

Common Subnetting Mistakes

Five mistakes cause most subnetting errors. Forgetting to subtract the network and broadcast addresses. Misusing /31 outside point-to-point links. Overlapping subnet ranges. Inverting wildcard masks in ACLs. And assigning the network or broadcast address to a host device.

Even experienced administrators make these. Watch for them on exams and in production.

Forgetting to Subtract Network and Broadcast Addresses

The classic beginner mistake: calculating 2^n and calling that your usable host count. It is not. Always subtract 2 for the network address (all host bits 0) and broadcast address (all host bits 1). A /24 has 256 total addresses but only 254 usable hosts. On exam day, this mistake costs points.

Confusing /31 Behavior

A /31 has only 2 addresses, which traditionally means 0 usable hosts. However, RFC 3021 allows /31 subnets on point-to-point links between routers, where no broadcast address is needed. Both addresses become usable. Most modern router operating systems support this, saving an address versus a /30. Just remember: /31 works only on point-to-point links, never on a regular LAN segment.

Overlapping Subnets

Assign 192.168.1.0/24 to one department and 192.168.1.128/25 to another and you have a problem. The /25 sits entirely inside the /24. Devices hit routing conflicts and packets miss their destinations. Map your address space before assigning subnets and confirm no ranges overlap. Our subnet calculator helps verify boundaries.
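One way to confirm that no ranges overlap before assigning them is to check every pair in the address plan. This is an added example, not part of the original guide; the plan contents and the function name are constructed for illustration, using Python's standard ipaddress module.

```python
import ipaddress
from itertools import combinations


def find_overlaps(plan: dict) -> list:
    """Return (owner_a, owner_b, relation) for every overlapping pair of subnets."""
    nets = {}
    for owner, cidr in plan.items():
        # strict=True raises ValueError when host bits are set (for example
        # 10.0.5.3/28), which usually means a host address was pasted into
        # the plan where a network address was intended.
        nets[owner] = ipaddress.ip_network(cidr, strict=True)

    findings = []
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if not net_a.overlaps(net_b):
            continue
        # Two CIDR blocks that overlap are either identical or nested.
        if net_a == net_b:
            relation = "identical ranges"
        elif net_b.subnet_of(net_a):
            relation = f"{b} sits inside {a}"
        else:
            relation = f"{a} sits inside {b}"
        findings.append((a, b, relation))
    return findings


# Constructed plan: the first two entries reproduce the conflict described above.
SAMPLE_PLAN = {
    "accounting": "192.168.1.0/24",
    "engineering": "192.168.1.128/25",
    "guest-wifi": "192.168.2.0/24",
}

if __name__ == "__main__":
    for owner_a, owner_b, relation in find_overlaps(SAMPLE_PLAN):
        print(f"OVERLAP {owner_a} / {owner_b}: {relation}")
```
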

Wrong Wildcard Mask in ACLs

Cisco devices use wildcard masks in access control lists and OSPF configurations. If your subnet mask is 255.255.255.192, the wildcard is 0.0.0.63, not 0.0.0.192. Getting this backwards can open firewall rules to far more addresses than intended. That creates serious security holes. Always double-check by subtracting each octet from 255.

Assigning the Network or Broadcast Address to a Host

If your subnet is 10.0.5.0/28, never assign 10.0.5.0 or 10.0.5.15 to a device. The first is the network address and the second is the broadcast. Some operating systems accept the configuration without complaint. Network behavior turns unpredictable, and you will lose hours troubleshooting.

Related Tools & Resources

NetworkCheckr pairs this guide with free calculators. The Subnet Calculator solves any prefix instantly. The CIDR to IP Range Converter expands blocks into full address lists. The IP to Binary Converter checks your conversion work, and the VLSM guide covers the advanced techniques.

Frequently Asked Questions

Seven questions cover the sticking points. Masks versus CIDR notation, host counts, and /31 links. Certification memorization and wildcard masks. Splitting a /24 into four equal subnets. And how basic subnetting differs from VLSM.

What is the difference between a subnet mask and CIDR notation?

They express the same information in different formats. A subnet mask like 255.255.255.0 uses dotted decimal notation to show which bits belong to the network. CIDR notation like /24 simply counts the network bits. Both tell you that 24 bits identify the network and 8 bits identify hosts. CIDR is more concise and is the modern standard. You will still meet both in practice, especially on older equipment.

How many usable hosts are in a /24 subnet?

254 usable hosts. A /24 has 8 host bits, giving you 2^8 = 256 total addresses. Subtract the network address and the broadcast address, and you get 254. This is the most common subnet size you will meet. It is the one to memorize first if you are studying for a certification.

What is a /31 subnet used for?

A /31 subnet provides exactly 2 addresses and is used only for point-to-point links between routers or layer 3 switches. As defined in RFC 3021, both addresses are usable because a broadcast address is not needed on a two-endpoint link. A /31 saves one address per link compared to a /30. The savings add up in networks with thousands of router-to-router connections.

Do I need to memorize subnet masks for certifications?

Yes, and no. For the CompTIA Network+ (N10-009) and CCNA (200-301), you should have the /24 through /30 range memorized cold. That includes the subnet mask, the usable host count, and the block size. You will not have time to derive them on every question. The memorization comes naturally with practice. Work through 20 or 30 problems and the table sticks without active effort. The cheat sheet in this article covers everything you need.

What is a wildcard mask?

A wildcard mask is the mathematical inverse of a subnet mask. You calculate it by subtracting each octet of the subnet mask from 255. For example, the wildcard of 255.255.255.192 is 0.0.0.63. Wildcard masks appear mostly in Cisco IOS, in access control lists (ACLs) and OSPF area definitions. Where the wildcard mask has a 0, the bit must match exactly. Where it has a 1, the bit can be anything.
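The matching rule in this answer, and the ACL mistake described under "Wrong Wildcard Mask in ACLs", can be checked by counting what an entry actually matches. This is an added example, not code from the original guide; the function names are hypothetical and the sample entries are constructed around the 255.255.255.192 case used above.

```python
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_from_mask(mask: str) -> str:
    """Invert a subnet mask by subtracting each octet from 255."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def acl_matches(base: str, wildcard: str, addr: str) -> bool:
    """Wildcard 0-bits must equal the base address; 1-bits can be anything."""
    must_match = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(base) ^ to_int(addr)) & must_match == 0


def match_count(wildcard: str) -> int:
    """Addresses matched by one entry: 2 to the number of 1-bits in the wildcard."""
    return 2 ** bin(to_int(wildcard)).count("1")


def audit_entry(base: str, wildcard: str, intended_cidr: str) -> dict:
    """Compare an ACL entry with the subnet it was meant to cover."""
    net = ipaddress.ip_network(intended_cidr)
    expected = wildcard_from_mask(str(net.netmask))
    return {
        "expected_wildcard": expected,
        "matched": match_count(wildcard),
        "intended": net.num_addresses,
        "ok": wildcard == expected and to_int(base) == int(net.network_address),
    }


if __name__ == "__main__":
    # Constructed entries, all meant to cover 192.168.10.0/26.
    for wc in ("0.0.0.63", "0.0.0.192", "255.255.255.192"):
        print(wc, audit_entry("192.168.10.0", wc, "192.168.10.0/26"))
    # The subnet mask pasted in as a wildcard matches hosts on other networks.
    print(acl_matches("192.168.10.0", "255.255.255.192", "10.9.8.64"))
```

With the subnet mask entered where the wildcard belongs, only the low six bits are compared, so the entry matches 2^26 addresses across unrelated networks; with 0.0.0.192 it matches just four scattered addresses and misses most of the intended subnet.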

How do I subnet a /24 into four equal subnets?

Borrow 2 bits from the host portion, because 2^2 = 4. That changes the prefix from /24 to /26. Each /26 subnet has a block size of 64 and 62 usable hosts. Subnetting 192.168.1.0/24 this way yields subnets starting at .0, .64, .128, and .192. The general formula: to split a subnet into n equal parts, borrow log2(n) bits. Splitting into 2 takes 1 bit, 4 takes 2 bits, and 8 takes 3 bits.

What is the difference between subnetting and VLSM?

Basic subnetting, also called FLSM, divides a network into equal-sized pieces using one mask everywhere. VLSM (Variable Length Subnet Mask) assigns a different mask to each subnet based on actual host needs. A big department gets a /25 while a router link gets a /30, all from one parent block. VLSM wastes far fewer addresses. Our VLSM and supernetting guide covers the technique step by step.
