Doug Vitale Tech Blog

Understanding and performing IPv4 subnetting

Subnetting – it’s the subject that IT professionals love to hate. Believe it or not, the frustration that it caused me as a student years ago made me question whether I wanted to go into the information technology (IT) field. Furthermore, with the availability of many subnet calculator programs and subnetting websites, the ability to manually perform subnet calculations may seem superfluous at first. However, a solid understanding of IP subnetting will not only allow IT pros to create appropriately-sized networks in the absence of specialized software and web applications (on paper, for example), but given IP’s foundational role in modern computer networks and the global Internet, it behooves us to keep our comprehension of this protocol sharp. Lastly, if you plan on obtaining a networking certification like the Cisco CCNA, you are just going to have to master the material below.

The purpose of this article will be to thoroughly explain how IP subnetting works and to provide some relevant examples. Therefore a detailed analysis of all the workings of IP, such as packet structures, packet switching, and routing will not be provided. However, we will review what the Internet Protocol (IP) is, how it works, and what purpose it serves on networks. We will focus solely on Internet Protocol version 4 (IPv4) which is the version of IP that has powered the Internet revolution and remains the most widely utilized networking protocol today.

A subnetted network

A subnetted network using variously sized subnet masks

Computers must share a common protocol to communicate, and nowadays IP has become ubiquitous on nearly all operating systems. So what does IP do? Simply put, IP allows computers to locate and facilitate communications with other hosts that are either on the same logical network or on separate, distinct networks (for instance, networks such as those owned by different organizations – businesses, universities, Internet service providers, etc.). IP provides for this communication by enabling the routing of data packets between sources and destinations, often through multiple intermediary hosts.

Jump to:

Host and network IP addresses

To accomplish the goals of host identification and packet routing, IP relies on an addressing scheme in which individual hosts as well as collections of hosts (networks) are assigned unique IP addresses. The first prerequisite to understanding IP subnetting is to grasp the difference between host addresses and network addresses. A host IP address specifies a single host or device on a network, such as the network interface card (NIC) on a server or your laptop (yes, it is possible for hosts to have more than one NIC and hence, multiple IP addresses). A network IP address, in contrast, does not refer to a single host but to a collection of hosts. Think of your residential address, for example. Your street number + street name would be your “host address” because it refers specifically to your residence, a single building or unit. Your zip code, however, would be your “network address” because it refers to your municipality, a grouping of buildings just as networks are groupings of hosts. Put another way, network addresses can be seen as analogous to telephone area codes. If your phone number were (908) 469-6151, 908 would be like the network address while 469-6151 would represent your host device (your telephone).

Counting in binary

So if you look at an IP address such as, how would you know if it is a host or network address? The answer is to first realize the binary nature of IP addressing. In other words, despite its standard numeric appearance, IP addressing is actually done at the binary level. What this means is:

Important point:

An IP address such as is not really “″. IP hosts really see this address as:


It is crucial to understand this if you want to make sense of subnetting. When I mentioned earlier the discouragement I felt at not being able to subnet, it was because I had a poor understanding of binary and I was trying to subnet anyway. This is not a good idea!

Each of the four fields in IP address contains eight characters (called bits), meaning that IPv4 is based on 32-bit addresses (8 bits x 4 fields = 32 bits…and remember, eight bits makes a byte). The four fields in an IP address are actually called octets, from the Latin word for eight, octo.

When represented numerically, IP addresses are said to be in dotted decimal notation, for example We use this notation because it is visually easier for our brains to process. To clearly comprehend IP subnetting, though, you need to be able to “see” dotted decimal addresses in binary format. You need to commit to memory the respective values of each of the bits in an octet, as shown here:

128 64 32 16 8 4 2 1

As you can see, a bit’s position in an octet determines its value. A “1″ in a certain position doesn’t mean numeric “one”; it stands for the value of the appropriate bit slot in the octet (reading the octets from left to right). For example, a “1″ in the first slot means a value of 128; a “1″ in the third slot means a value of 32; a “1″ in the sixth slot means a value of 4, etc. However, a “0″ (zero) always has a value of zero. In this way you could say that “1″ and “0″ stand for “on” and “off”, respectively.

If you add up all possible bit values in a binary octet, the sum would be 255 (128+64+32+16+8+4+2+1=255). Therefore the range of values for an octet is 0 – 255 (00000000 – 11111111).

Let’s return to our IP address of The 192. stands for binary 11000000 because 128+64 = 192. The next octet, 168., derives from binary 10101000 because 128+32+8 = 168 (the first, third, and fifth binary bit positions are populated). The third octet, 10., represents the binary value 00001010 (2+8=10). 25. would be 00011001 (1+8+16=25). Here are a few more examples to help this conversion process sink in.
is really:
is really:
is really:
is really:

Subnet masks

So now that we know that IP addresses in their pure form are comprised four binary octets, let’s return to the matter of host and network addresses and how they can be differentiated.

An IP address represents not just a unique single host, but it also reveals the network to which that host belongs. How? Because not all of the 32 bits in an address belong exclusively to the host. Some of the bits signify the network of the host, while the rest of the bits denote the host itself. And we can determine which portion of the address belongs to the network thanks to an IP address’s subnet mask. A subnet mask is a 32-bit value that clarifies how many of an address’s bits belong to the network. For example, a 24-bit (/24) subnet mask (also written as, because the first 24 of 32 possible bits are filled) means that the bits of the first 3 octets represent the network. So for, the network is 192.168.10.x and the host itself is .25. An important point to remember is that wherever the “1″ bits stop in the subnet mask, that is where the network portion of the IP address stops. The following 0s and 1s (or sometimes just 0s) in the mask denote the host portion of the IP address. Have a look: = 11000000.10101000.00001010.00011001 = 11111111.11111111.11111111.00000000

Remember: the network portion of an IP address corresponds to the contiguous 1s in its subnet mask, and the host portion of an IP address corresponds to where the first 0 appears in the subnet mask, and goes all the way to the right.

Subnet masks are not just useful for network segmentation purposes. They play an important role during IP communication, when sending hosts refer to the subnet mask to determine if routing will be required when transmitting to a receiving host. If the sender determines that the recipient is a local address, packets are sent via Ethernet. If the recipient address is not local, the packet is forwarded to the default gateway for routing (the default gateway on a local area network is the host to which all data traffic bound for other subnets is sent).

IP network classes

Per RFC 950, certain ranges of IP addresses were previously assigned to three classes based on their first octet. However, this practice is no longer relevant in modern networking.

First octet


Default subnet mask

0–126 A (8 bits, or /8)
128–191 B (16 bits, or /16)
192–223 C (24 bits, or /24)


Note: the range– is reserved for testing and loopback routines for IP applications. Additionally, the command ping verifies that the local host has a functional TCP/IP stack. This is one of the primary steps in the IP connectivity troubleshooting process.

IP address classes can also be depicted this way (where N signifies a network bit and H signifies a host bit).


So based on the value of their first octet, IP addresses used to belong to a default class and hence have a default subnet mask. Make sure you note that the class is determined by the first bits (the “high-order bits”) of the network portion of the address, not by the address’s mask (a common misconception). Be aware also that the subnet/host boundaries are often not as cut-and-dry as shown above. Utilization of the default masks is no longer mandatory. Indeed, the concept of IP ‘classes’ itself has become outdated. With classful routing, all subnets have to have a mask of either /8, /16, or /24. Consequently, modern routers generally ignore the concept of classes (Cisco routers are set to ‘ip classless’ by default) and administrators can set an IP address like to use a /26 subnet mask even though is a Class C and takes a /24 mask by default. But why would they do this? Because standard class C networks can contain a maximum of only 254 host addresses (too few addresses for most organizations) while class B networks can contain a max of 65,534 hosts (too many for the average network). Is there a happy middle ground? With subnetting, there is.


Thanks to subnetting, networks no longer need to be divided solely on the basis of class. Subnetting involves starting with a default (A, B, or C) network, “stealing” bits from the host portion, and adding them to the network side. In other words, converting host 0s to network 1s extends the size of the network portion of an IP address. This increases the quantity of available networks (not hosts), as shown below. These new networks are subnetworks (or subnets), logical divisions of a parent network range.

Red bits create new network addresses

Image source: Wikimedia Commons

The “stolen” host–>network bits are in bold:

/24 – (the default class C mask) = 11111111.11111111.11111111.00000000
/25 – = 11111111.11111111.11111111.10000000
/26 – = 11111111.11111111.11111111.11000000
/27 – = 11111111.11111111.11111111.11100000
/30 – = 11111111.11111111.11111111.11111100

Note that the quantity of new subnets does not match up with the quantity of stolen bits. For example, if you steal 3 bits, this does not mean you have just allowed for the creation of 3 subnets. Looking at the /26 row along with the IP address, this would mean you have a potential for the creation of 4 new networks using the expanded fourth octet of the mask (11000000): 00000000, 01000000, 10000000, and 11000000. These networks would correspond to,,, and Also of note is the fact that the more subnets you create, the fewer host addresses are available per subnet.

Subnetting is crucial for modern networking because without it, you are only able to use one network from your Class A, B, or C address range, which is unrealistic. You might be wondering why subnetting is even a recommended best practice. Why not just use a network which allows for 16,777,214 hosts, and be done with it? Well, you would be able to get away with this IP scheme in a small home network or workgroup. However, in an organizational environment such as those found in modern enterprises, putting hundreds or thousands of hosts on a 10.0.0.x network with the default /8 mask would create way too much networking traffic, such as ARP broadcasts. Additionally from an information security perspective, subnetting can also help you isolate segregate hosts that may be considered high risk, or hosts that store sensitive or critical data.

Now that we have covered the concept of network and host addresses and the binary nature of IP addresses, we can move on to more advanced subnetting topics. Armed with the knowledge you have acquired so far, you will be able to look at an IP address and its subnet mask and be able to answer the following questions:

  • What is the address of the subnet which a given IP host belongs to?
  • What is the broadcast address of that subnet?
  • How can you subnet a standard Class A, B, or C network to accommodate the creation of additional subnets?
  • What is the valid host range of a given subnet?

Finding the subnet address

Task: given a host IP address and corresponding subnet mask, how can we determine the address of the subnet which the host belongs to? The answer is to “add” the IP address and subnet mask together using the “anding” process in which:

  • 1 + 1 = 1
  • 1 + 0 = 0
  • 0 + 0 = 0

Example 1

IP address, subnet mask (or /20). First of all, we notice that is a historical Class B address (see table above). Class B addresses take a /16 mask by default, so is using 4 extra bits for subnetting. Now let’s add the address and mask together using the “anding” formula (subnetted bits are in bold). −- 10101100.00010000.00010001.00011110 − 11111111.11111111.11110000.00000000
Subnet address ==== 10101100.00010000.00010000.00000000 (

Using the “anding” process, we determine that the host with IP address belongs to the subnet.

Example 2

IP address (subnet mask: is a historical Class A address and takes a /8 mask by default. We can tell that is using 13 extra bits for subnetting. Now let’s add the address and mask together using the “anding” formula (subnetted bits are in bold). −- 00001010.00110000.00100111.01101010 − 11111111.11111111.11111000.00000000
Subnet address ==== 00001010.00110000.00100000.00000000 (

Using the “anding” process, we determine that the host with IP address belongs to the subnet.

Example 3

Try to answer this one yourself. What is the subnet address of host Answer:

Note that it is okay to have a network address whose subnetted bits are all set to zero. For example, and are perfectly valid subnet addresses. RFC 950 originally prohibited the practice of “subnet zero” but this standard was made obsolete by RFC 1878.

Finding the broadcast address

Task: given an IP address and its subnet mask, how can we determine the subnet’s broadcast address?

Example 1

When dealing with one of the default subnet masks, finding the broadcast address of a subnet is easy. For example, looking at IP address (a historical default Class C) we can easily determine the following:

  • Network address: (see “anding” above)
  • Broadcast address: (all 1s in the host portion of the network IP address; equals 255)
  • Valid host range: – (network and broadcast addresses get omitted from this range)

Example 2

Let’s subnet that range and change the mask length to Now what? Well, first we recognize that the mask is no longer; it has become which is really 11111111.11111111.11111111.11110000 (subnetted bits in bold). Next we determine the address of the subnet to which belongs. Using what you know from the previous section, you perform the “anding” process: -−- 11000000.10101000.00001010.00011001 − 11111111.11111111.11111111.11110000
Subnet address ====== 11000000.10101000.00001010.00010000 (

So, host belongs to the subnet. The result is that the broadcast address for this subnet is We arrived at .31 for the last octet because we changed all the host bits to 1, leaving us with 00011111 which adds up to be 31.

Example 3

What is the broadcast address for subnet The last octet in the address, .64, is 01000000 in binary (subnetted bits in bold). The broadcast address is all 1s in the host portion of the address, which would be 01011111. This makes the broadcast address

Example 4

What is the broadcast address for subnet The last octet in the address, .192, is 11000000 in binary (subnetted bits in bold). The broadcast address is the all 1s host portion of the address, which would be 11011111. This makes the broadcast address

Example 5

What is the broadcast address for subnet There are 7 bits for hosts in the last octet (.128). Turn all these bits from 0 to 1 and you get the subnet broadcast address,

Example 6

What is the broadcast address for subnet This is a historical Class C address so it takes /24 mask by default, which means that there are 3 subnetted bits (to arrive at /27). This leaves 5 bits for hosts in the last octet (.192, or 11000000). Turn these host bits from 0 to 1 and you get a broadcast address of The last octet, .223, is 11011111.

Example 7

Try to answer this one yourself. What is the broadcast address for subnet Answer: the broadcast address is

Choosing appropriately sized networks

Subnetted network

Subnetting depends in large part on how many hosts each subnet has to support

Task: given a quantity of desired networks and/or hosts, how can we determine an appropriate IP addressing scheme?

Example 1

Let’s imagine you are tasked with rolling out a new network infrastructure for an organization. You want each department to have its own subnet, and there are 6 departments. You want to use 192.168.10.x for your addressing. However, an IP address scheme based on will not work because this mask (/24) only allows for one (historical Class C) network. Therefore we need to start subnetting this address.

The first step is count to the power of 2 until you reach a number that covers the amount of subnets you want to create (in this case, 6). Let’s count: 2, 4, 8, 16…okay, 8 can accommodate the 6 networks we want to create. 8 is 23. This value (3) represents the extra bits that we need to add to the /24 subnet mask. So, 24+3 = 27 and therefore we need a 27-bit subnet mask to accommodate the 6 networks we want to create (192.168.10.x/27; will create 8 total subnets). This subnet mask, /27, can also be represented as as 224 is the sum of the first 3 binary bits in the last octet.

Example 2

Let’s say that our original requirement is not that we need 6 distinct subnets, but we just need a subnet mask that is best suited to account for a maximum of 9 hosts. Should we just go ahead and use the default address? We could, but it would not be a best practice as this range allows for 254 hosts and we will only need space for 9. The formula for determining how many hosts can be supported in a given subnet is 2h – 2, where h stands for the quantity of host bits in the mask. For example, in the subnet mask there are sixteen binary 0s in the last two octets. 216 – 2 = 65,534 hosts per subnet. Why do we subtract 2 in the formula 2h – 2? Because while there are 256 possible values for an octet (0 through 255) we must subtract 2 to account for the subnet and broadcast addresses.

Note: you might want to try memorizing the “two-to-the-n” values: 20 = 1, 21 = 2, 22 = 4, 23 = 8, 24 = 16, 25 = 32, 26 = 64, 27 = 128, 28 = 256, 29 = 512, and 210 = 1024.

So to devise a properly sized subnet for 9 hosts, return again to your power of 2s. 2, 4, 8, 16, 32…okay, 16 can adequately cover 9. 16 is 24 which tells us that we need to assign 4 bits in the mask for hosts. Therefore the best subnet to use for a maximum of 9 hosts is, or /28. The last octet in the mask is 11110000; the four zeroes are the bits we reserved for the hosts.

Example 3

In Example 1 we are left with 5 bits in the final octet to be allocated to the hosts…but how many total hosts can we add to each of our 8 new subnets? Keeping the 5 host bits in mind, we determine that 25 is 32. From this value, we subtract 2 to account for the network address and the broadcast address. Therefore, the subnets in 192.168.10.x/27 can support a total of 30 unique hosts each.

Example 4

If you begin with the subnet mask (/28) and you want to know how many hosts this can support, the last octet in binary has 4 host bits (11110000). 24 power is 16. Then subtract 2 to account for the network and broadcast addresses, and you are left with 14 hosts. Why do we subtract 2? Because the first address in the host range (where the host portion of the mask is all 0s is the network address as it refers to the entire subnet, not to any single host within that subnet. The last address in the range is (all host bits set to 1 in the subnet mask) is off-limits too, as it is the broadcast address for that subnet.

How many hosts could a /21 mask ( support? This mask leaves 11 bits for host allocation. 211 = 2048. Now subtract 2 for the network and broadcast addresses and you get 2046.

Example 5

Let’s try another example to help drive these points home. You have the subnet to work with. However, you have been tasked with creating 5 subnets and each of the subnets must be able to support a minimum of 28 hosts each. You know you will have to do some subnetting because provides only one network (204.15.5.x), which means you will have to steal host bits and add them to the network side. But how many bits? Count to the power of two to find out. 21 = 2, 22 = 4, 23 = 8…so 8 is the first quantity that can cover the 5 subnets which you need. Therefore you need to steal 3 host bits (from 23), leaving 5 bits in the octet for the hosts (the subnet mask in binary would be 11111111.11111111.1111111.11100000). How many hosts can 5 bits accommodate? 25 = 32; subtract 2 for the network and broadcast addresses leaving 30. This meets the requirement for supporting a minimum of 28 hosts per subnet. The newly created subnets would be:

00000000 -
00100000 -
01000000 -
01100000 -
10000000 -
10100000 -
11000000 -
11100000 -

Example 6

Starting with the standard Class B address, create subnets in this range that can support up to 60 hosts each. Step 1 is to start counting to the power of 2 until you reach a number that can cover the 60 host requirement. 26 = 64. Therefore, we need 6 bits for hosts in the subnet mask. This will change the mask from /16 ( to /26 ( This means that we will be using 10 subnetted bits. 210 = 1024 and that is the total number of subnets that can be used with this mask.

Example 7

Subnet allows for the creation of 65,534 hosts (minus network and broadcast addresses). However, if your network only has 90 hosts, this subnet mask would be much too big. Let’s subnet this range. Count to the power of 2 until you cover the 90 host requirement. 27 = 128, so we need to reserve 7 bits for the host portion. This leaves with with a new mask, /25 (or The final octet in this mask is 10000000. The seven zeroes are the bits reserved for the 90 hosts.

What about TCP?

After hosts are able to locate each other using IP, they use the Transmission Control Protocol (TCP) to transfer data back and forth. Although you will often hear the term TCP/IP (a suite of networking-related protocols), TCP and IP perform very distinct functions. TCP delivers data using network sockets, which are combinations of IP addresses and port numbers. TCP’s sister protocol, User Datagram Protocol (UDP), performs the same networking role as TCP but is faster and less reliable. The basic point to remember is that TCP and UDP ensure data delivery while IP facilitates host identification and discovery.

Further reference

Still confused? You may want to consider enrolling in a formal training course for the Cisco CCNA., Subnet mask cheat sheet, Cisco binary game, Visual subnet calculator, CIDR conversion chart, Command line subnet calculator, IP subnetting cheat sheet, Networking fundamentals web-based training (disable popup blocker; see section 4, IP Addressing), IP addressing and subnetting, Subnetting practice questions, IPv4 subnetting reference sheet (PDF), Sipcalc IP subnet calculator, SolarWinds Advanced Subnet Calculator, Subnetting practice questions, IP subnet practice page

↑ Up to menu

Recommended reading

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!

Guide to TCP/IP on Amazon Guide to TCP/IP CCNA Routing and Switching Study Guide on Amazon CCNA Routing and Switching Study Guide

Network Warrior on Amazon Network Warrior Cisco CCNA Routing and Switching on Amazon Official CCNA Routing and Switching

↑ Up to menu

About these ads

Written by Doug Vitale

March 5, 2013 at 3:50 PM

%d bloggers like this: