Subnetting
Network Segmentation
A practical, walkthrough of IP subnetting — from foundational concepts to real-world deployment strategies.
🌐 What is Subnetting?
Subnetting is the process of dividing a single, larger IP network into multiple smaller, logically isolated sub-networks — commonly referred to as subnets. Rather than treating all devices in an organisation as part of one flat address space, subnetting allows network engineers to partition that space into segments that are easier to manage, secure, and route efficiently.
At its core, subnetting is a mathematical technique that manipulates the binary structure of an IPv4 address. Every IPv4 address is a 32-bit number, and subnetting works by borrowing bits from the host portion of that address to create additional network identifiers. The result is a hierarchy: a parent network block that contains multiple child subnets, each capable of serving a defined number of hosts.
From a practical standpoint, consider an organisation that has been assigned the network block 192.168.10.0/24. Without subnetting, all 254 usable hosts share the same broadcast domain — meaning any broadcast packet reaches every single device, regardless of whether it is relevant to them. With subnetting, that block can be divided into, say, four subnets of 62 hosts each, isolating traffic between departments such as Finance, Engineering, HR, and Management.
Subnetting is a foundational skill for any network engineer. It underpins everything from enterprise LAN design to cloud virtual private cloud (VPC) architecture.
Example:
192.168.10.0/24 Divided into Four /26 Subnets — Parent Network Block (256 addresses)
| Subnet | Address / Range | Hosts | Broadcast | Comment |
|---|---|---|---|---|
| Subnet 1 | 192.168.10.0/26 | 192.168.10.1 – 192.168.10.62 | 192.168.10.63 | Finance |
| Subnet 2 | 192.168.10.64/26 | 192.168.10.65 – 192.168.10.126 | 192.168.10.127 | Sales |
| Subnet 3 | 192.168.10.128/26 | 192.168.10.129 – 192.168.10.190 | 192.168.10.191 | HR |
| Subnet 4 | 192.168.10.192/26 | 192.168.10.193 – 192.168.10.254 | 192.168.10.255 | Management |
🧩 Key Components
Understanding subnetting requires a firm grasp of the building blocks that make it function. Each of these components plays a distinct role in how IP addresses are allocated, interpreted, and routed across a network.
IP Address
A 32-bit binary identifier assigned to each network interface. Written in dotted-decimal notation (e.g. 192.168.1.10), it consists of a network portion and a host portion.
Subnet Mask
A 32-bit value that defines which bits of an IP address belong to the network and which belong to the host. A mask of 255.255.255.0 means the first 24 bits are the network.
CIDR Notation
Classless Inter-Domain Routing notation expresses the subnet mask as a prefix length (e.g. /24). This compact format replaced the older classful A/B/C addressing model.
Network Address
The first address in a subnet block, where all host bits are zero. This address identifies the subnet itself and cannot be assigned to a device. Example: 192.168.1.0
Broadcast Address
The last address in a subnet block, where all host bits are one. Packets sent to this address are delivered to every host on the subnet. Example: 192.168.1.255
Usable Host Range
All addresses between the network address and broadcast address. For a /24 subnet, this yields 254 usable addresses — the formula is 2ⁿ – 2, where n is the number of host bits.
Default Gateway
The router interface that acts as the exit point for traffic leaving a subnet. Its IP address must fall within the subnet’s usable host range and is configured on each end device.
Wildcard Mask
The inverse of a subnet mask, commonly used in access control lists (ACLs) and OSPF configurations. A /24 network has a wildcard of 0.0.0.255.
IPv4 Address Classes — Pre-CIDR Context
Before CIDR was adopted, IPv4 addresses were grouped into fixed classes. While classful addressing is largely obsolete in modern networking, understanding it provides important context for why subnetting was developed.
| Class | Leading Bits | Default Mask | Address Range | Max Hosts | Typical Use |
|---|---|---|---|---|---|
| Class A | 0xxx | /8 (255.0.0.0) | 1.0.0.0 – 126.255.255.255 | 16,777,214 | Large enterprises, ISPs |
| Class B | 10xx | /16 (255.255.0.0) | 128.0.0.0 – 191.255.255.255 | 65,534 | Medium organisations |
| Class C | 110x | /24 (255.255.255.0) | 192.0.0.0 – 223.255.255.255 | 254 | Small office networks |
| Class D | 1110 | N/A | 224.0.0.0 – 239.255.255.255 | N/A | Multicast groups |
| Class E | 1111 | N/A | 240.0.0.0 – 255.255.255.255 | N/A | Experimental / reserved |
⚙️ How It Works
Subnetting works by borrowing bits from the host portion of an IP address and reassigning them as network bits. This process increases the number of available subnets while reducing the number of hosts per subnet. The trade-off is always between number of subnets and number of hosts per subnet.
Binary Fundamentals
Every IPv4 address is composed of four octets, each 8 bits wide, totalling 32 bits. When working with subnets, engineers perform binary AND operations between the IP address and the subnet mask to determine the network address.
IP Address: 192 .168 .10 .25
Binary: 11000000.10101000.00001010.00011001Subnet Mask: 255 .255 .255 .0
Binary: 11111111.11111111.11111111.00000000
AND Result:
Network Addr: 11000000.10101000.00001010.00000000 = 192.168.10.0
The host bits (last octet) are zeroed → Network Address = 192.168.10.0/24
Borrowing Host Bits — The Subnetting Formula
To create subnets, bits are borrowed from the left side of the host portion. Each bit borrowed doubles the number of subnets while halving the hosts per subnet.
Number of Subnets = 2^(bits borrowed)
Hosts per Subnet = 2^(remaining host bits) – 2Example: Starting with 192.168.10.0/24 and borrowing 2 bits:
New prefix: /26 (255.255.255.192)
Subnets created: 2² = 4
Hosts per subnet: 2⁶ – 2 = 62
Block size: 256 / 4 = 64 addresses per subnet
Subnet increments: .0, .64, .128, .192
Step-by-Step Subnetting Process
Determine how many subnets are needed and the maximum number of hosts required per subnet. These two numbers drive all subsequent decisions.
Identify the assigned address block (e.g. 10.0.0.0/8 for a private network) that will be subdivided. Confirm it provides enough total address space.
Use the formula 2ⁿ ≥ required subnets to find the minimum number of bits to borrow. Similarly, use 2ᵐ – 2 ≥ required hosts to validate remaining host bits.
Add the borrowed bits to the original prefix length. For example, starting at /24 and borrowing 3 bits yields /27 (255.255.255.224).
Determine the block size (256 – subnet mask octet value). List each subnet’s network address, usable host range, and broadcast address by incrementing by the block size.
Allocate subnets to network segments and document all assignments thoroughly. Accurate IP Address Management (IPAM) records prevent addressing conflicts and simplify troubleshooting.
VLSM — Variable Length Subnet Masking
Variable Length Subnet Masking (VLSM) extends basic subnetting by allowing different subnet masks within the same parent network. This lets engineers allocate address space proportionally — large masks for departments with many hosts, small masks for point-to-point WAN links that need only two usable addresses (/30).
Requirement: 3 departments + 2 WAN linksEngineering (100 hosts): 172.16.0.0/25 → 126 usable hosts
Sales (50 hosts): 172.16.0.128/26 → 62 usable hosts
HR (25 hosts): 172.16.0.192/27 → 30 usable hosts
WAN Link A (2 hosts): 172.16.0.224/30 → 2 usable hosts
WAN Link B (2 hosts): 172.16.0.228/30 → 2 usable hosts
Total addresses used: 256 of 65,536 available in /16 — highly efficient
📊 Usage & Functions
Subnetting is not merely an academic exercise — it is applied daily across enterprise networks, data centres, cloud environments, and service provider infrastructure. The following table summarises the primary use cases and how subnetting directly addresses each scenario.
| Use Case | How Subnetting Helps | Real-World Example |
|---|---|---|
| Network Segmentation | Divides flat networks into isolated broadcast domains, reducing unnecessary traffic and improving performance. | Separating user VLANs from server VLANs in a campus LAN using /24 subnets per VLAN. |
| Security Isolation | Enables ACLs and firewall rules to be applied at subnet boundaries, limiting lateral movement of threats. | Placing SCADA/ICS systems in a dedicated /27 subnet with strict inbound/outbound ACLs. |
| IP Address Conservation | Allocates address space proportionally with VLSM, avoiding waste from over-provisioning large classful blocks. | Assigning /30 masks to point-to-point WAN links instead of wasting a /24 per link. |
| Routing Efficiency | Summarises multiple specific routes into a single, aggregated prefix, reducing routing table size and CPU load on routers. | Advertising 10.0.0.0/21 to cover eight /24 subnets (10.0.0.0 – 10.0.7.0) from a remote site. |
| Cloud VPC Design | Maps directly to cloud Virtual Private Cloud (VPC) subnet architecture for provisioning compute resources in isolated availability zones. | AWS VPCs using /16 parent blocks subdivided into /24 public and /24 private subnets per AZ. |
| Quality of Service (QoS) | Differentiates traffic classes by subnet, allowing QoS policies to prioritise or throttle specific segments. | Marking all traffic from a VoIP /25 subnet with DSCP EF (Expedited Forwarding) for low latency. |
| Geographic / Site Allocation | Assigns hierarchical address blocks to each physical site, enabling logical summarisation in WAN routing protocols like OSPF or EIGRP. | Sydney site: 10.10.0.0/16; Melbourne site: 10.20.0.0/16; Brisbane site: 10.30.0.0/16. |
| DMZ Architecture | Places internet-facing servers in a dedicated subnet that is separate from the internal LAN, reducing attack surface. | Web servers in 192.168.100.0/28 with dual-homed firewalls controlling access to 192.168.0.0/24 internal network. |
✅Best Practices
Following industry-proven subnetting practices reduces the likelihood of addressing errors, simplifies network documentation, and allows your infrastructure to scale without costly redesigns. The following guidelines reflect real-world operational experience on enterprise and service-provider networks.
- Plan for Growth — Always Allocate More Than You Need Today. Never design subnets at capacity. A subnet sized for exactly 30 hosts today will require a redesign the moment a 31st device is added. Reserve at least 20–30% headroom, and consider future project phases, IoT expansion, and temporary contractor devices.
- Use VLSM to Maximise Address Efficiency. Avoid assigning uniform /24 subnets to every segment regardless of host count. A WAN link or loopback interface needs only a /30 or /32 respectively. VLSM lets you allocate address space proportionally, preserving the remainder for future use.
- Adopt a Hierarchical, Site-Based Addressing Scheme. Assign large parent blocks (e.g. /16) to geographic regions or sites, then subnet those blocks further for each building, floor, or department. This hierarchical structure enables route summarisation, drastically reducing routing table complexity.
- Align Subnets to Powers of Two — Never Split Arbitrary Ranges. Subnets must be aligned to their block size to be mathematically valid. For example, 192.168.1.64/26 is valid (starts on a 64-boundary), but 192.168.1.70/26 is not. Use calculators or structured worksheets when designing manually.
- Document Every Subnet in an IPAM System. Manual spreadsheets become unmanageable at scale. Use a dedicated IP Address Management (IPAM) tool to track allocations, reserve blocks for future use, and detect overlapping or duplicate assignments before they reach production.
- Keep Security Boundaries Aligned to Subnet Boundaries. Firewall rules and ACLs are most efficiently written when security zones correspond directly to subnets. This avoids the complexity of host-specific rules and makes policy intent immediately legible to other engineers reviewing the configuration.
- Use Private Address Space for Internal Networks. Always use 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 for internal infrastructure. Avoid using public IP space internally — it creates routing conflicts when establishing VPN tunnels or connecting to the internet.
- Review and Reclaim Unused Address Space Regularly. As networks evolve, subnets are often deprecated without being returned to the pool. Conduct periodic audits to identify unused or underutilised allocations, and reclaim them for growing segments.
A /26 mask is 255.255.255.192 → block size = 256 – 192 = 64.
Subnets start at: .0, .64, .128, .192.
Usable hosts = block size – 2.
⚖️ Pros & Cons
Like any network design decision, subnetting involves trade-offs. Understanding both the advantages and limitations enables engineers to apply subnetting thoughtfully rather than reflexively.
✔ Advantages
- Reduced Broadcast Traffic: Smaller broadcast domains mean fewer unnecessary frames transmitted to irrelevant devices, improving overall network performance.
- Enhanced Security Posture: Subnet boundaries allow ACLs and firewalls to enforce traffic policies between segments, containing breaches and limiting lateral movement.
- Improved IP Address Utilisation: VLSM allows precise allocation, eliminating the waste inherent in classful addressing where large blocks were assigned to small networks.
- Simplified Troubleshooting: Logical segmentation makes it easier to isolate faults to a specific subnet, reducing the scope of investigation during outages.
- Scalable Routing: Route summarisation reduces routing table entries, lowering CPU and memory consumption on core routers and improving convergence times.
- Organisational Alignment: Subnets can mirror business units or functional zones, making network documentation more intuitive for operations teams.
- Foundation for Network Policies: QoS, monitoring, and compliance policies are most effectively applied at the subnet level, enabling consistent treatment of traffic classes.
- Cloud-Native Compatibility: Modern cloud platforms (AWS, Azure, GCP) model their virtual networks using subnetting principles, making the skill transferable across on-premises and cloud environments.
✘ Disadvantages
- Address Waste at Subnet Boundaries: Each subnet reserves two addresses (network and broadcast) that cannot be assigned to hosts, which accumulates across many small subnets.
- Increased Design Complexity: Poorly planned subnet schemes can become difficult to extend or summarise, leading to fragmented address spaces and complex routing tables.
- Inter-Subnet Routing Overhead: Traffic between subnets must traverse a Layer 3 device (router or Layer 3 switch). This adds latency and requires proper gateway configuration on every host.
- Risk of Human Error: Manual subnetting is prone to mistakes — overlapping ranges, mismatched masks, or misconfigured gateways can cause widespread connectivity failures.
- Not a Complete Security Solution: Subnets alone do not prevent attacks. Misconfigured ACLs or routing rules can negate segmentation benefits and create false confidence in network security.
- Complexity Grows with Scale: Large enterprise environments with hundreds of subnets require robust IPAM tools and disciplined documentation. Without these, address management becomes unmanageable.
- IPv4 Exhaustion Not Fully Solved: Subnetting slows address consumption but does not eliminate it. IPv6 adoption remains the long-term solution to the global IPv4 exhaustion problem.
🎯 Conclusion
Subnetting is one of the most fundamental and enduring skills in network engineering. Despite the rise of IPv6, cloud-native networking, and software-defined infrastructure, IPv4 subnetting continues to underpin the vast majority of deployed networks worldwide — from small office environments to hyperscale cloud platforms.
A well-designed subnetting scheme delivers measurable operational benefits: reduced broadcast traffic, stronger security boundaries, leaner routing tables, and an address space that scales gracefully as the business grows. Conversely, a poorly planned subnet architecture creates technical debt that compounds over time — fragmenting address space, complicating routing policies, and increasing the likelihood of misconfiguration during future changes.
As a network engineer, mastering subnetting goes beyond passing an examination. It means developing the ability to model a network’s addressing requirements, select appropriate prefix lengths, apply VLSM to maximise efficiency, and document every allocation in a maintainable IPAM system. These habits distinguish competent engineers from truly excellent ones.
Whether you are designing your first office LAN or architecting a multi-site enterprise WAN, invest the time to plan your subnetting strategy carefully. The discipline you apply at the design stage will pay dividends for the entire operational lifetime of the network.
📖 Glossary
The following terms are referenced throughout this guide. They form the core vocabulary of subnetting and IP addressing as used in day-to-day network engineering practice.
Mask
Gateway
Address
Address
Mask
Domain
Summarisation