Subnetting Made Simple: Understanding IP Addresses and CIDR Notation

Demystify IP subnetting with clear explanations of CIDR notation, subnet masks, network calculations, and practical network design exercises.

Loopaloo Team · February 2, 2026 · 15 min read

Subnetting is one of those networking fundamentals that every developer and IT professional encounters sooner or later, yet it consistently ranks among the most confusing topics for newcomers. The combination of binary arithmetic, historical legacy addressing, and a notation system that uses slashes and dots in equal measure can be intimidating at first glance. But beneath the surface complexity lies an elegant and logical system. Once you grasp how IP addresses are structured at the binary level and understand why subnetting was invented, everything else falls into place.

The Structure of an IPv4 Address

An IPv4 address is a 32-bit number, nothing more and nothing less. We write it in dotted-decimal notation as four octets separated by periods — for example, 192.168.1.100 — but this is purely a human convenience. Each octet represents 8 bits, and those 8 bits can express values from 0 (00000000 in binary) to 255 (11111111 in binary). The full address is therefore a sequence of 32 ones and zeros that uniquely identifies a device on a network.

Understanding the binary representation is not optional when learning subnetting; it is the foundation upon which everything else rests. The address 192.168.1.100 in binary is 11000000.10101000.00000001.01100100. When you perform subnetting operations, you are working with these bits directly, dividing the 32-bit address into two portions: the network portion, which identifies the network the device belongs to, and the host portion, which identifies the specific device within that network.

Classful Addressing: A History Lesson

In the early days of the internet, IP addresses were divided into classes based on the leading bits of the address. Class A addresses began with a 0 bit and used the first 8 bits for the network portion, leaving 24 bits for hosts. This meant a single Class A network could contain over 16 million host addresses. Class B addresses began with the bits 10 and used 16 bits for the network, allowing roughly 65,000 hosts per network. Class C addresses began with 110 and used 24 bits for the network, allowing only 254 usable hosts.

This system was conceptually simple but catastrophically wasteful. An organization that needed 300 addresses could not use a Class C network (limited to 254 hosts) and would be assigned an entire Class B network with 65,534 usable addresses — wasting over 65,000 addresses. By the late 1980s, it was clear that the classful system would exhaust the available IPv4 address space far sooner than necessary, not because there were too few total addresses, but because the rigid class boundaries made efficient allocation impossible.

The solution was to abandon fixed class boundaries entirely and instead allow the network/host boundary to fall at any bit position within the 32-bit address. This innovation, introduced in 1993, is called Classless Inter-Domain Routing, or CIDR.

CIDR Notation: Flexible Boundaries

CIDR notation appends a slash and a number to an IP address to indicate how many of the leading bits constitute the network portion. The notation 192.168.1.0/24 means that the first 24 bits identify the network and the remaining 8 bits identify hosts within that network. The notation 10.0.0.0/8 means the first 8 bits are the network portion and the remaining 24 bits are for hosts.

The beauty of CIDR is that the boundary can fall at any position. A /26 network uses 26 bits for the network and 6 bits for hosts, yielding 64 total addresses (62 usable, since the first address is the network address and the last is the broadcast address). A /30 network uses 30 bits for the network and 2 for hosts, providing just 4 total addresses — perfect for point-to-point links between two routers, where only 2 usable addresses are needed.

This flexibility eliminated the waste inherent in classful addressing. An organization needing 300 addresses could now be assigned a /23 network (512 addresses) rather than a wasteful Class B network. The number after the slash is often called the prefix length, and the corresponding binary mask is called the subnet mask.

Subnet Masks: The ANDing Operation

A subnet mask is a 32-bit value where all the network bits are set to 1 and all the host bits are set to 0. For a /24 network, the subnet mask is 11111111.11111111.11111111.00000000, or 255.255.255.0 in dotted-decimal notation. For a /26 network, it is 11111111.11111111.11111111.11000000, or 255.255.255.192.

The subnet mask serves a precise mathematical purpose: when you perform a bitwise AND operation between an IP address and its subnet mask, the result is the network address. This is how devices determine whether a destination IP is on the same local network or needs to be routed through a gateway.

Consider the address 192.168.1.130 with a /25 subnet mask (255.255.255.128). In binary, the address is 11000000.10101000.00000001.10000010, and the mask is 11111111.11111111.11111111.10000000. ANDing these together yields 11000000.10101000.00000001.10000000, which is 192.168.1.128. This is the network address. The network spans from 192.168.1.128 (network address) to 192.168.1.255 (broadcast address), with usable host addresses from 192.168.1.129 to 192.168.1.254.

You can verify these calculations instantly with a Subnet Calculator, which takes an IP address and prefix length and displays the network address, broadcast address, usable range, total hosts, and the binary breakdown. This is invaluable when designing network architectures or troubleshooting connectivity issues.

Calculating Key Addresses

Every subnet has three critical addresses that you need to be able to derive. The network address is the first address in the range, obtained by ANDing the IP address with the subnet mask. It identifies the network itself and cannot be assigned to a host. The broadcast address is the last address in the range, obtained by setting all host bits to 1. Packets sent to the broadcast address are delivered to all hosts on that subnet. The usable host range comprises every address between the network address and the broadcast address, exclusive of both.

The total number of addresses in a subnet is $2^{(32 - n)}$ where $n$ is the prefix length. The number of usable host addresses is $2^{(32 - n)} - 2$, accounting for the network and broadcast addresses. For a /24 network, that is $2^8 = 256$ total addresses and 254 usable. For a /28, it is $2^4 = 16$ total and 14 usable. For a /31, the math yields only 2 total addresses and 0 usable — but RFC 3021 defines a special case where /31 networks are used for point-to-point links without a network or broadcast address, making both addresses usable.
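The ANDing operation and the address formulas above, carried out on raw 32-bit integers. This is an added example, not code from the original article; the function names are chosen for illustration, and the `ipaddress` module is used only to convert between dotted-decimal text and integers.

```python
import ipaddress  # only converts dotted-decimal text to and from integers


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def mask_for(prefix: int) -> int:
    """Prefix length -> 32-bit mask: `prefix` ones followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe(addr: str, prefix: int) -> dict:
    mask = mask_for(prefix)
    network = to_int(addr) & mask               # AND keeps only the network bits
    broadcast = network | (~mask & 0xFFFFFFFF)  # set every host bit to 1
    total = 1 << (32 - prefix)
    if prefix >= 31:
        # /31 (RFC 3021 point-to-point) and /32 (single host): nothing is
        # reserved, so "network"/"broadcast" are just the first/last address.
        first, last, usable = network, broadcast, total
    else:
        first, last, usable = network + 1, broadcast - 1, total - 2
    return {
        "mask": to_str(mask),
        "network": to_str(network),
        "broadcast": to_str(broadcast),
        "first_host": to_str(first),
        "last_host": to_str(last),
        "total": total,
        "usable": usable,
    }


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """On-link test: equal network bits means deliver directly, else use the gateway."""
    mask = mask_for(prefix)
    return (to_int(a) & mask) == (to_int(b) & mask)


if __name__ == "__main__":
    print(describe("192.168.1.130", 25))
    print(same_subnet("192.168.1.130", "192.168.1.20", 25))
```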

Variable Length Subnet Masking (VLSM)

Before VLSM, subnetting was done with a single mask applied uniformly to an entire network. If you had a /24 network and needed to create smaller subnets, all subnets had to use the same prefix length. VLSM removed this restriction, allowing different subnets within the same address space to use different prefix lengths.

This capability is essential for efficient address allocation in real-world networks. Consider a small office with four departments: Engineering needs 50 hosts, Sales needs 25, Management needs 10, and the server room needs 5. Without VLSM, you would need to use a /26 mask everywhere (providing 62 usable addresses per subnet), wasting significant space in the smaller departments. With VLSM, you can allocate a /26 for Engineering, a /27 for Sales (30 usable), a /28 for Management (14 usable), and a /29 for the server room (6 usable), plus /30 networks for the point-to-point links between routers.

The key to VLSM design is to start with the largest subnet and work downward. Allocate address space for the biggest requirement first, then carve out progressively smaller subnets from the remaining space. This prevents fragmentation and ensures that your subnets align on proper binary boundaries. A Subnet Calculator makes this process significantly less error-prone by automatically computing the boundaries for each prefix length.

A Practical Subnetting Exercise

Let us walk through a realistic scenario. You have been assigned the network 172.16.0.0/16 and need to design a network for a multi-floor office building. The ground floor requires 500 host addresses for an open-plan workspace. The second floor needs 200 for a development team. The third floor needs 100 for marketing. There are also 6 point-to-point links between floor switches, each requiring 2 addresses.

For the ground floor, 500 hosts requires at least 9 host bits ($2^9 = 512$, minus 2 gives 510 usable), so you need a /23 subnet. You allocate 172.16.0.0/23, covering 172.16.0.1 through 172.16.1.254.

For the second floor, 200 hosts requires 8 host bits ($2^8 = 256$, giving 254 usable), so a /24 will work. The next available block after 172.16.1.255 starts at 172.16.2.0, so you allocate 172.16.2.0/24.

For the third floor, 100 hosts requires 7 host bits ($2^7 = 128$, giving 126 usable), so a /25 is appropriate. You allocate 172.16.3.0/25, covering addresses through 172.16.3.127.

For the six point-to-point links, each needs a /30 (4 addresses, 2 usable). You can start these at 172.16.3.128/30, 172.16.3.132/30, and so on. The entire design fits neatly within the /16 allocation with vast room for future expansion.
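The largest-first procedure from the VLSM section, applied to this exercise. This is an added example, not part of the original article; `allocate`, `prefix_for_hosts` and the requirement labels are names chosen here, and links are sized with the classic minus-two rule (a /30 each), as in the text.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose usable count (2^(32-n) - 2) still fits `hosts`."""
    host_bits = 2
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def allocate(parent: str, requirements: list[tuple[str, int]]) -> dict[str, str]:
    """Largest-first VLSM: sort by size, then carve aligned blocks in order."""
    block = ipaddress.ip_network(parent)
    cursor = int(block.network_address)
    end = int(block.broadcast_address)
    plan = {}
    # sorted() is stable, so equal-sized requests keep their input order.
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        # Round the cursor up to a multiple of the block size so the subnet
        # starts on a valid binary boundary.
        start = (cursor + size - 1) // size * size
        if start + size - 1 > end:
            raise ValueError(f"{parent} has no room left for {name}")
        plan[name] = f"{ipaddress.IPv4Address(start)}/{prefix}"
        cursor = start + size
    return plan


# Requirements from the exercise; the names are labels chosen for this example.
FLOORS = [("ground", 500), ("second", 200), ("third", 100)]
LINKS = [(f"link{i}", 2) for i in range(1, 7)]

if __name__ == "__main__":
    for name, subnet in allocate("172.16.0.0/16", FLOORS + LINKS).items():
        print(f"{name:8} {subnet}")
```

Passing the requirements in any order gives the same plan, because the sort puts the largest block first before anything is carved.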

Private Address Ranges and RFC 1918

Not all IPv4 addresses are routable on the public internet. RFC 1918 reserves three address ranges for private use: 10.0.0.0/8 (over 16 million addresses), 172.16.0.0/12 (about 1 million addresses), and 192.168.0.0/16 (about 65,000 addresses). These addresses can be used freely within private networks without coordination with any external authority. Any organization can use 10.0.0.0/8 internally, and many do — it provides an enormous address space for even the largest private networks.

Private addresses cannot appear as source or destination addresses on public internet traffic. Routers on the internet are configured to drop packets with RFC 1918 source or destination addresses. To allow devices with private addresses to communicate with the public internet, Network Address Translation (NAT) is used.

NAT: Bridging Private and Public Networks

Network Address Translation is the mechanism that allows thousands of devices with private IP addresses to share a single (or small pool of) public IP address. When a device on a private network sends a packet to the internet, the NAT router rewrites the packet's source address from the private IP to its own public IP, and records the mapping in a translation table. When the response comes back, the router consults its table and forwards the packet to the correct internal device.

NAT has been both a savior and a complication for the internet. On the positive side, it dramatically extended the usable lifetime of the IPv4 address space by allowing millions of devices to share relatively few public addresses. On the negative side, it breaks the end-to-end principle of IP networking, makes peer-to-peer communication difficult, and adds complexity to protocols that embed IP addresses in their payloads (such as SIP for VoIP). NAT traversal techniques like STUN, TURN, and ICE exist specifically to work around these limitations.

Supernetting and Route Aggregation

While subnetting divides a large network into smaller ones, supernetting (or route aggregation) combines multiple smaller networks into a single, larger routing entry. This is essential for keeping the global internet routing table manageable. Without aggregation, every small network would require its own entry in the routing tables of every backbone router, and the tables would grow to unmanageable sizes.

For example, if an ISP has been assigned the blocks 203.0.112.0/24 through 203.0.115.0/24 (four contiguous /24 blocks from 203.0.112.0 to 203.0.115.255), it can advertise the single aggregate route 203.0.112.0/22 to its upstream providers. This one routing entry covers all four /24 networks and reduces the burden on global routing infrastructure. The mathematical principle is identical to subnetting but applied in reverse: instead of increasing the prefix length to create smaller networks, you decrease it to create larger ones.
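Aggregation is only safe when the smaller blocks fill the larger one completely; otherwise the aggregate announces address space that was never assigned. The added example below (not from the original article; `aggregate` is a name chosen here, IPv4 only) computes the smallest covering prefix and reports whether it is exact.

```python
import ipaddress


def aggregate(prefixes: list[str]) -> tuple[str, bool]:
    """Return (smallest covering supernet, exact?).

    exact is True only when the inputs fill the supernet completely, i.e.
    advertising it announces no address space outside the inputs.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Every bit from the highest one that differs between the lowest and
    # highest address downward must become a host bit; the rest is shared.
    prefix = 32 - (lo ^ hi).bit_length()
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    supernet = ipaddress.ip_network(f"{ipaddress.IPv4Address(lo & mask)}/{prefix}")
    # collapse_addresses merges adjacent and overlapping inputs; a single
    # result equal to the supernet means there are no holes.
    collapsed = list(ipaddress.collapse_addresses(nets))
    return str(supernet), collapsed == [supernet]


if __name__ == "__main__":
    four = [f"203.0.{n}.0/24" for n in (112, 113, 114, 115)]
    print(aggregate(four))        # the article's four contiguous /24 blocks
    print(aggregate(four[:3]))    # one block missing: /22 would over-announce
    print(aggregate(four[1:3]))   # adjacent but not aligned on a /23 boundary
```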

IPv6: A Different Addressing World

IPv6 was designed to solve the IPv4 address exhaustion problem once and for all. With 128-bit addresses, IPv6 provides approximately $3.4 \times 10^{38}$ unique addresses — enough to assign trillions of addresses to every person on Earth. IPv6 addresses are written as eight groups of four hexadecimal digits separated by colons, such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334, with rules allowing the omission of leading zeros and the compression of consecutive all-zero groups using a double colon.

Subnetting in IPv6 works on the same fundamental principles as in IPv4 — a prefix length divides the address into network and host portions — but the conventions are different. The standard practice is to assign a /48 prefix to each site and a /64 to each individual subnet, leaving 64 bits for the host identifier. This means every IPv6 subnet can accommodate $2^{64}$ (over 18 quintillion) host addresses, which eliminates any need for the careful host-counting arithmetic that IPv4 subnetting requires. The fixed /64 subnet size also enables Stateless Address Autoconfiguration (SLAAC), where devices generate their own host address from their MAC address or a random identifier without needing a DHCP server.

IPv6 also eliminates the need for NAT in most scenarios, since the enormous address space means every device can have its own globally unique address. This restores the end-to-end connectivity model that NAT disrupted in IPv4, simplifying peer-to-peer communication, real-time protocols, and network troubleshooting.

Practical Mastery Through Tools

Subnetting is a skill that improves with practice, and the most efficient way to practice is with tools that provide immediate feedback. A Subnet Calculator lets you input any IP address and prefix length, then instantly see the network address, broadcast address, usable host range, wildcard mask, and binary representation. This makes it easy to verify your manual calculations, explore different prefix lengths, and develop the intuitive sense for subnet sizes that experienced network engineers possess.

Whether you are designing a network for a new office, segmenting a cloud VPC, configuring firewall rules, or simply trying to understand why two devices cannot communicate, subnetting knowledge is indispensable. The binary arithmetic may seem tedious at first, but with practice it becomes second nature, and the ability to quickly decompose an IP address into its network and host components is a skill that pays dividends throughout a career in technology.
