I remember the first time I had to plan a network for a small office. The previous admin had put everything on a single /16 network — 65,534 possible hosts for a 30-person company. The broadcast traffic alone was causing intermittent slowdowns that had mystified the team for months. Understanding subnetting would have prevented the entire mess.
Subnetting is one of those topics that seems intimidating until it clicks. And once it clicks, you wonder why anyone made it sound complicated.
What Is a Subnet, Really?
A subnet is a logical division of an IP network. Think of it like an apartment building: the building has one street address (the network), but inside there are individual units (hosts). The subnet mask tells you where the “building” ends and the “apartment numbers” begin.
An IPv4 address is 32 bits. A subnet mask splits those 32 bits into two parts:
- Network portion — identifies the network (shared by all hosts on that subnet)
- Host portion — identifies individual devices on that network
IP Address: 192.168.1.100
Subnet Mask: 255.255.255.0
Network: 192.168.1.0 (first 24 bits)
Host: .100 (last 8 bits)
CIDR Notation: The Modern Way
Before CIDR (Classless Inter-Domain Routing), we had the classful system: Class A (/8), Class B (/16), Class C (/24). The problem was simple math — a company that needed 300 addresses either got a Class C (254 usable) that was too small, or a Class B (65,534 usable) that wasted thousands of addresses.
CIDR fixed this by allowing any prefix length from /0 to /32. The number after the slash tells you how many bits are used for the network:
| CIDR | Subnet Mask | Total Addresses | Usable Hosts |
|---|---|---|---|
| /24 | 255.255.255.0 | 256 | 254 |
| /25 | 255.255.255.128 | 128 | 126 |
| /26 | 255.255.255.192 | 64 | 62 |
| /27 | 255.255.255.224 | 32 | 30 |
| /28 | 255.255.255.240 | 16 | 14 |
| /29 | 255.255.255.248 | 8 | 6 |
| /30 | 255.255.255.252 | 4 | 2 |
The formula: Usable hosts = 2^(32 - prefix) - 2
Why minus 2? Because every subnet reserves two addresses: the network address (all host bits = 0) and the broadcast address (all host bits = 1).
The Mental Math Shortcut
You don’t need to memorize subnet tables. Here’s the trick I use:
For the last octet (prefixes /25 through /32):
Start with 256 and divide by 2 for each bit past /24:
- /24 = 256 addresses (256/1)
- /25 = 128 addresses (256/2)
- /26 = 64 addresses (256/4)
- /27 = 32 addresses (256/8)
- /28 = 16 addresses (256/16)
To find the subnet mask octet: 256 minus the block size
- /26 → block size = 64 → subnet mask = 256 - 64 = 192 → 255.255.255.192
- /27 → block size = 32 → subnet mask = 256 - 32 = 224 → 255.255.255.224
To find which subnet an IP belongs to: divide the last octet by the block size, round down, multiply back
Example: Which /26 subnet does 192.168.1.155 belong to?
Block size = 64
155 ÷ 64 = 2.42 → round down = 2
2 × 64 = 128
→ Network: 192.168.1.128/26
→ Range: 192.168.1.128 – 192.168.1.191
→ Broadcast: 192.168.1.191
→ Usable: 192.168.1.129 – 192.168.1.190 (62 hosts)
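The shortcut above, written as an added example (not code from the original article) and generalized from the last octet to the full 32-bit address so it works for any prefix. The function name `subnet_of` and the returned field names are assumptions made for illustration; /31 and /32 are handled as the cases where the "minus 2" rule does not apply.

```python
import ipaddress

def subnet_of(ip: str, prefix: int) -> dict:
    """Find the subnet containing `ip` with the block-size arithmetic from the text."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    addr = int(ipaddress.IPv4Address(ip))       # dotted quad -> 32-bit integer
    block = 1 << (32 - prefix)                  # block size = 2^(32 - prefix)
    mask = 0xFFFFFFFF ^ (block - 1)             # 32-bit form of "256 minus block size"
    network = (addr // block) * block           # divide, round down, multiply back
    last = network + block - 1                  # highest address in the block
    if prefix >= 31:
        # /31 (RFC 3021) and /32: no network or broadcast address is set aside
        first_host, last_host, usable, broadcast = network, last, block, None
    else:
        first_host, last_host, usable, broadcast = network + 1, last - 1, block - 2, last

    def dotted(n):
        return None if n is None else str(ipaddress.IPv4Address(n))

    return {
        "network": f"{dotted(network)}/{prefix}",
        "mask": dotted(mask),
        "broadcast": dotted(broadcast),
        "first_host": dotted(first_host),
        "last_host": dotted(last_host),
        "usable": usable,
    }

if __name__ == "__main__":
    # The worked example from the text, then a /30 and a /31 for comparison
    for ip, prefix in [("192.168.1.155", 26), ("10.0.0.1", 30), ("10.0.0.1", 31)]:
        print(ip, prefix, subnet_of(ip, prefix))
```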
Common Subnetting Scenarios
Home or Small Office: /24
The classic 192.168.1.0/24 gives you 254 usable addresses. More than enough for a home or small office. Most consumer routers default to this.
Point-to-Point Links: /30 or /31
Router-to-router links only need 2 addresses. A /30 gives exactly 2 usable hosts (plus network and broadcast). Some modern routers support /31 (RFC 3021), which skips the network and broadcast addresses entirely — perfect for WAN links.
10.0.0.0/30
Network: 10.0.0.0 (reserved)
Router A: 10.0.0.1
Router B: 10.0.0.2
Broadcast: 10.0.0.3 (reserved)
Cloud VPCs: Plan Bigger Than You Think
In AWS, Azure, or GCP, your VPC CIDR is hard to change later. I’ve seen teams choose a /24 for their VPC, then realize they need multiple subnets across availability zones and can’t expand.
My rule of thumb for cloud VPCs:
VPC: 10.0.0.0/16 (65,534 addresses)
├── Public: 10.0.1.0/24 (254 hosts, AZ-a)
├── Public: 10.0.2.0/24 (254 hosts, AZ-b)
├── Private: 10.0.10.0/24 (254 hosts, AZ-a)
├── Private: 10.0.11.0/24 (254 hosts, AZ-b)
├── DB: 10.0.20.0/24 (254 hosts, AZ-a)
└── DB: 10.0.21.0/24 (254 hosts, AZ-b)
This leaves massive room for growth and makes the addressing scheme intuitive.
Microservices and Container Networks
Kubernetes and Docker use subnetting heavily. A typical k8s cluster might use:
- Pod network: 10.244.0.0/16 (each node gets a /24 for its pods)
- Service network: 10.96.0.0/12 (ClusterIP addresses)
- Node network: 192.168.0.0/24 (the physical/VM network)
Understanding these ranges prevents overlapping subnets — a configuration error that produces extremely confusing network behavior.
Private IP Ranges You Should Know
RFC 1918 defines three private ranges. Every developer should have these memorized:
| Range | CIDR | Addresses | Common Use |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 16.7 million | Cloud VPCs, large enterprises |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 1 million | Docker default (172.17.0.0/16) |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 | Home/office routers |
There’s also 169.254.0.0/16 (link-local) — if you see an address in this range, it means DHCP failed and the device assigned itself an address. That’s always a problem to fix, not a feature to rely on.
Wildcard Masks: The Inverse Trick
If you work with Cisco routers or OSPF, you’ll encounter wildcard masks. They’re just the inverse of the subnet mask:
Subnet mask: 255.255.255.192 (/26)
Wildcard: 0.0.0.63
How: 255.255.255.255 - 255.255.255.192 = 0.0.0.63
Wildcard masks tell the router which bits to ignore when matching addresses. Where the subnet mask says “these bits must match,” the wildcard says “these bits can be anything.”
Common Mistakes
Mistake 1: Overlapping Subnets
Network A: 10.0.0.0/24 → 10.0.0.0 – 10.0.0.255
Network B: 10.0.0.128/25 → 10.0.0.128 – 10.0.0.255 ← Overlaps!
Network B is entirely contained within Network A. This causes routing ambiguity — packets might go to either network unpredictably.
Mistake 2: Forgetting Reserved Addresses
The first address (network) and last address (broadcast) of any subnet cannot be assigned to hosts. I’ve seen production configs try to use .0 or .255 as server addresses and wonder why things break intermittently.
Mistake 3: Choosing a Subnet That’s Too Small
When planning, account for growth. If you need 25 addresses today, a /27 (30 usable) is technically sufficient but leaves almost no room. Use a /26 (62 usable) and save yourself a painful re-addressing project in six months.
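The three mistakes above can be checked mechanically before an address plan is deployed. The following is an added example, not code from the original article: the function names, the `PLAN` entries' labels, and the default `growth` factor of 2.0 are assumptions made for illustration.

```python
import ipaddress
import math
from itertools import combinations

def find_overlaps(plan: dict) -> list:
    """Mistake 1: return (a, b, relation) for every pair of networks that overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    findings = []
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if not net_a.overlaps(net_b):
            continue
        # Two CIDR blocks that overlap are either identical or nested
        if net_a == net_b:
            relation = "identical"
        elif net_b.subnet_of(net_a):
            relation = f"{b} is inside {a}"
        else:
            relation = f"{a} is inside {b}"
        findings.append((a, b, relation))
    return findings

def reserved_assignments(cidr: str, hosts: dict) -> list:
    """Mistake 2: return (host, problem) for addresses a host must not use."""
    net = ipaddress.ip_network(cidr)
    has_reserved = net.prefixlen < 31           # /31 and /32 reserve nothing
    problems = []
    for name, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append((name, "outside subnet"))
        elif has_reserved and addr == net.network_address:
            problems.append((name, "network address"))
        elif has_reserved and addr == net.broadcast_address:
            problems.append((name, "broadcast address"))
    return problems

def prefix_for(hosts_needed: int, growth: float = 2.0) -> int:
    """Mistake 3: longest prefix with usable hosts >= hosts_needed * growth (assumed factor)."""
    target = math.ceil(hosts_needed * growth)
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= target:
            return prefix
    raise ValueError("no IPv4 prefix is large enough")

# Constructed sample plan: the first two entries are Network A and B from the text
PLAN = {"net-a": "10.0.0.0/24", "net-b": "10.0.0.128/25",
        "pods": "10.244.0.0/16", "services": "10.96.0.0/12"}
if __name__ == "__main__":
    print(find_overlaps(PLAN), prefix_for(25))
```

With the default growth factor, `prefix_for(25)` returns 26, matching the /26 recommendation above; with `growth=1.0` it returns the tight /27.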
Quick Subnet Reference
Need to quickly determine subnetting details? Here’s a cheat sheet for the most common prefix lengths:
| Prefix | Mask | Block Size | Usable Hosts | Typical Use |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 | Large enterprise / ISP |
| /16 | 255.255.0.0 | 65,536 | 65,534 | Cloud VPCs |
| /24 | 255.255.255.0 | 256 | 254 | Standard LAN |
| /25 | 255.255.255.128 | 128 | 126 | Split a /24 in two |
| /26 | 255.255.255.192 | 64 | 62 | Small department |
| /27 | 255.255.255.224 | 32 | 30 | Conference room / IoT |
| /28 | 255.255.255.240 | 16 | 14 | DMZ / small server cluster |
| /30 | 255.255.255.252 | 4 | 2 | Point-to-point link |
| /32 | 255.255.255.255 | 1 | 1 | Single host route |