Subnetting and CIDR
Topic 13

Subnetting

A subnet is a contiguous block of IP addresses that share a common prefix. CIDR notation — the /24 after an address — says exactly how long that prefix is: /24 means the first 24 bits are the network and the remaining 8 are the host part. Everything you do with addresses, from sizing a VPC to writing a firewall rule to reading a routing table, reduces to splitting a block at the right bit boundary and counting what's left.

This is the one networking skill you will use by hand, on a whiteboard, for the rest of your career. The math is small — it is all powers of two — but the consequences of getting it wrong are large and sometimes permanent. Size a subnet too tight and you renumber under pressure later; overlap two blocks you later want to connect and the connection simply refuses to come up. The rest of this page is the math, worked end to end.

Figure: carving 10.0.0.0/16 down to /24, then /27
  • /16: 10.0.0.0/16, 65 534 hosts
  • /24: 10.0.5.0/24, 254 hosts
  • /27: 10.0.5.32/27, 30 hosts

Network Bits versus Host Bits

An IPv4 address is 32 bits. A subnet mask splits those 32 bits into a network part (the high bits, all ones) and a host part (the low bits, all zeros). The prefix length /n is just the count of leading one-bits: /24 is a mask of 255.255.255.0, because 24 ones followed by 8 zeros, grouped into octets, is 11111111.11111111.11111111.00000000.

Two addresses are on the same subnet if their network bits are identical. A host computes this on every single packet: it ANDs the destination address with its own mask and compares to its own network. Match, and the destination is on-link — send the frame directly. No match, and it is off-link — send the frame to the default gateway. That one bitwise comparison is the basis of every forwarding decision a host makes.

# ip addr shows the prefix length right on the address
ip -br addr show eth0
# eth0  UP  10.0.5.37/24
# /24 mask = 255.255.255.0
# network = 10.0.5.0   host part = .37
# 10.0.5.37 and 10.0.5.200 share 10.0.5.0 -> same subnet, direct send
# 10.0.5.37 and 10.0.6.4   differ inside the 24 network bits -> off-link, via gateway

CIDR Notation and Block Sizes

The host part determines the block size, and it is pure powers of two. With h host bits a block holds 2^h addresses. A /24 leaves 8 host bits, so 2^8 = 256 addresses. A /16 leaves 16 host bits, 2^16 = 65 536 addresses. A /8 leaves 24 host bits, 2^24 = 16 777 216 addresses. Every step of one in the prefix halves or doubles the block: a /25 is exactly half a /24, 128 addresses.

The shortcut worth memorizing: the block size of any prefix is 2^(32 − n). A /27 has 32 − 27 = 5 host bits, so 2^5 = 32 addresses. The block also tells you the address boundaries — a /27 starts only on multiples of 32 in the last octet (.0, .32, .64, .96 …), which is why 10.0.0.40/27 actually belongs to the block starting at 10.0.0.32.

Prefix  Mask             Host bits  Addresses   Usable hosts
/30     255.255.255.252  2          4           2
/29     255.255.255.248  3          8           6
/27     255.255.255.224  5          32          30
/24     255.255.255.0    8          256         254
/16     255.255.0.0      16         65 536      65 534
/8      255.0.0.0        24         16 777 216  16 777 214

Network, Broadcast, and Usable Addresses

Two addresses in every block are not assignable to a host. The first — all host bits zero — is the network address, the name of the subnet itself. The last — all host bits one — is the broadcast address, which reaches every host on the segment at once. Usable host addresses are everything between, so a block of 2^h addresses gives 2^h − 2 usable hosts. This is the off-by-one that bites everyone: a /24 is 256 addresses but only 254 hosts.

Work a /27 end to end. Take 10.0.0.40/27. Host bits = 32 − 27 = 5, so the block is 2^5 = 32 addresses and aligns to multiples of 32. The 40 falls in the .32 to .63 block. Network address is 10.0.0.32, broadcast is 10.0.0.63, and the usable range is 10.0.0.33 through 10.0.0.62 — 30 hosts, exactly 2^5 − 2.

# let the tool confirm the hand math for 10.0.0.40/27
ipcalc 10.0.0.40/27
# Network:    10.0.0.32/27
# HostMin:    10.0.0.33
# HostMax:    10.0.0.62
# Broadcast:  10.0.0.63
# Hosts/Net:  30

The exception is a /31. On point-to-point links — a single cable between two routers — there are only two addresses and no need for a broadcast, so /31 is defined to give both addresses to the two ends. A /32 is a single host route, one address, used for loopbacks and individual firewall entries.
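The worked /27 above, the per-packet on-link test from the network-bits section, and the /31 and /32 exceptions, as an added Python example (not code from the page): mask, network, broadcast and usable range are computed with bit operations and cross-checked against the standard library's ipaddress module.

```python
import ipaddress   # stdlib, used only to cross-check the hand math

def to_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def to_dotted(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def mask_for(prefix):
    # n leading one-bits followed by zeros: /27 -> 0xFFFFFFE0 = 255.255.255.224
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def cidr_info(cidr):
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    size = 1 << (32 - prefix)                  # 2^(32-n) addresses in the block
    network = to_int(addr) & mask_for(prefix)  # host bits cleared, which also
    broadcast = network | (size - 1)           #   fixes alignment: .40/27 -> .32
    if prefix >= 31:
        # /31 gives both addresses to the link ends; /32 is a single host route
        usable, first, last = size, network, broadcast
    else:
        usable, first, last = size - 2, network + 1, broadcast - 1
    return {"mask": to_dotted(mask_for(prefix)),
            "network": to_dotted(network), "broadcast": to_dotted(broadcast),
            "first": to_dotted(first), "last": to_dotted(last),
            "addresses": size, "usable": usable}

def same_subnet(a, b, prefix):
    # the per-packet on-link test: AND both addresses with the mask and compare
    m = mask_for(prefix)
    return (to_int(a) & m) == (to_int(b) & m)

def cross_check(cidr):
    # strict=False lets ipaddress accept a host address such as 10.0.0.40/27
    net = ipaddress.ip_network(cidr, strict=False)
    info = cidr_info(cidr)
    return (str(net.network_address) == info["network"]
            and str(net.broadcast_address) == info["broadcast"]
            and net.num_addresses == info["addresses"])

if __name__ == "__main__":
    for k, v in cidr_info("10.0.0.40/27").items():
        print(f"{k:>10}: {v}")
    print("on-link:", same_subnet("10.0.5.37", "10.0.5.200", 24))
```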

Subdividing and Supernetting

Splitting works by borrowing host bits for the network part. Take a 10.1.0.0/16 and you want per-team /24s: each added prefix bit doubles the number of subnets, and going from /16 to /24 borrows 8 bits, yielding 2^8 = 256 subnets of 254 hosts each — 10.1.0.0/24, 10.1.1.0/24, on up to 10.1.255.0/24. This is variable-length subnet masking: you can carve different-sized blocks out of the same parent as long as none overlap.

Supernetting is the reverse — aggregating contiguous blocks into one shorter prefix to shrink a routing table. Four adjacent /24s that align on a 4-block boundary (10.1.0.0/24 through 10.1.3.0/24) summarize to a single 10.1.0.0/22, advertised as one route instead of four. Route aggregation is what keeps the internet's backbone tables from exploding — a provider announces one supernet, not the thousands of customer subnets inside it.
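Splitting a parent by borrowing host bits and summarizing aligned, contiguous blocks back into one supernet, as an added Python example (not code from the page). summarize() returns None when the blocks are not all the same length, not contiguous, not a power-of-two count, or when the result would not start on its own size boundary.

```python
def to_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def to_dotted(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def parse(cidr):
    # returns (network as int with host bits cleared, prefix length)
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    return to_int(addr) >> (32 - prefix) << (32 - prefix), prefix

def split(parent, new_prefix):
    # each borrowed bit doubles the subnet count: /16 -> /24 gives 2^8 children
    net, prefix = parse(parent)
    if new_prefix < prefix:
        raise ValueError("new prefix must be longer than the parent's")
    step = 1 << (32 - new_prefix)           # child block size
    count = 1 << (new_prefix - prefix)      # 2^(borrowed bits)
    return [f"{to_dotted(net + i * step)}/{new_prefix}" for i in range(count)]

def summarize(cidrs):
    # aggregate equal-length, contiguous, aligned blocks into one shorter prefix
    blocks = sorted(parse(c) for c in cidrs)
    prefixes = {p for _, p in blocks}
    if len(prefixes) != 1:
        return None
    prefix = prefixes.pop()
    step = 1 << (32 - prefix)
    # contiguity: every block starts exactly one block after the previous one
    if any(b - a != step for (a, _), (b, _) in zip(blocks, blocks[1:])):
        return None
    count = len(blocks)
    if count & (count - 1):                 # must be a power of two
        return None
    new_prefix = prefix - count.bit_length() + 1
    first = blocks[0][0]
    # alignment: the supernet must start on a multiple of its own size
    if first % (1 << (32 - new_prefix)):
        return None
    return f"{to_dotted(first)}/{new_prefix}"

if __name__ == "__main__":
    print(split("10.1.0.0/16", 24)[:3], "...")
    print(summarize(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]))
```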

/24 vs /16 vs /8

A /24 is 256 addresses, 254 usable — the right size for a single VLAN, a rack, or a small service tier. It is the unit most engineers think in, and the default subnet size in many tools. A /16 is 65 536 addresses; use it as a whole-VPC or whole-site allocation that you then subdivide into /24s, not as a flat segment — a flat /16 broadcast domain is a performance problem.

A /8 is 16.7 million addresses, almost always a top-level private allocation like 10.0.0.0/8 that you carve down, never assign flat. These three map onto the obsolete classful scheme — class C was a /24, class B a /16, class A a /8 — but CIDR replaced fixed classes precisely so you could pick any prefix length and stop wasting a class B on a network that needed 300 hosts.

Common Mistakes
  • Forgetting the network and broadcast addresses when counting capacity. A /24 holds 256 addresses but only 254 hosts; size a subnet for exactly 254 devices and you have zero room for the gateway, which also consumes one.
  • Overlapping CIDR ranges across networks you later want to peer. Two VPCs both on 10.0.0.0/16 can never be peered or connected to the same on-prem network — the peering refuses to establish, and there is no fix short of renumbering one side from scratch.
  • Sizing a subnet with no headroom. A team that exactly fills a /26 today has nowhere to grow; pick the next size up when the block is cheap, because expanding a subnet in place usually means re-IPing every host.
  • Putting an address in the wrong block by ignoring alignment. 10.0.0.40/27 is not its own network — it lives in the 10.0.0.32/27 block, and treating .40 as the network address produces a mask that silently drops half the intended hosts.
  • Confusing the host count of /30 and /31 on point-to-point links. A /30 gives 2 usable of 4; a /31 gives both addresses to the two ends with no broadcast — using a /30 everywhere wastes half your point-to-point address space.

Best Practices
  • Compute usable hosts as 2^(32 − n) − 2 every time, and confirm with ipcalc <addr>/<n> before committing a subnet so the network and broadcast addresses are never double-counted.
  • Allocate VPC and site supernets generously — a /16 or larger — then subdivide into /24s per tier, leaving whole unused blocks between allocations so you can grow a subnet without colliding with its neighbor.
  • Choose non-overlapping private ranges across every environment, partner, and VPN you might ever connect, because overlap is the one addressing mistake that cannot be fixed without renumbering one network end to end.
  • Aggregate contiguous, aligned subnets into a single supernet when advertising routes — four adjacent /24s become one /22 — to keep routing tables small and convergence fast.
  • Use /31 on router-to-router point-to-point links and /32 for loopbacks and single-host rules, reserving larger blocks for segments that actually hold many hosts.
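The overlap check behind the peering mistake and the non-overlapping-ranges practice above, as an added Python example (not code from the page): two blocks collide exactly when they agree on the network bits of the shorter prefix. The allocation names and ranges in SAMPLE are constructed.

```python
def to_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

def parse(cidr):
    # returns (network as int with host bits cleared, prefix length)
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    return to_int(addr) >> (32 - prefix) << (32 - prefix), prefix

def overlaps(a, b):
    # Blocks overlap iff the shorter prefix's network bits match in both;
    # XOR leaves ones only where they differ, and shifting drops the host bits.
    (na, pa), (nb, pb) = parse(a), parse(b)
    shared = min(pa, pb)
    return (na ^ nb) >> (32 - shared) == 0

def find_overlaps(allocations):
    # allocations: {name: cidr}; returns every colliding pair, in input order
    names = list(allocations)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if overlaps(allocations[x], allocations[y])]

SAMPLE = {  # constructed: the two VPCs repeat the mistake from the list above
    "vpc-prod": "10.0.0.0/16",
    "vpc-dev": "10.0.0.0/16",
    "on-prem": "10.1.0.0/16",
    "partner-vpn": "10.1.5.0/24",   # sits inside on-prem's /16
    "vpc-staging": "10.2.0.0/16",
}

if __name__ == "__main__":
    for x, y in find_overlaps(SAMPLE):
        print(f"overlap: {x} {SAMPLE[x]} <-> {y} {SAMPLE[y]}")
```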

Comparable concepts

  • Classful A/B/C (obsolete)
  • VLSM (variable-length masking)

Knowledge Check

How many usable host addresses does a /27 subnet provide?

  • 30, because 5 host bits give 32 addresses and the network and broadcast addresses are not assignable
  • 32, since a /27 spans 32 consecutive addresses that can all be assigned to hosts
  • 27, matching the prefix length, which directly sets the number of hosts
  • 28, after reserving the network, the broadcast, the gateway, and a DHCP server address out of the block

You split 10.1.0.0/16 into /24 subnets. How many do you get?

  • 256, because going from /16 to /24 borrows 8 bits and 2^8 is 256
  • 254, the usable hosts in each /24, which also sets how many subnets fit
  • 8, the number of bits borrowed when moving from /16 to /24
  • 65 536, matching the total address count of the parent /16 block

Why can two VPCs both numbered 10.0.0.0/16 never be peered?

  • Their identical CIDR ranges overlap, so routing cannot tell the two apart and peering refuses to come up
  • A /16 is too large for a peering connection, which is capped at /24-sized blocks
  • Private 10.x ranges cannot be peered at all and must first be re-addressed into globally routable public space
  • Peering needs NAT between the two, and NAT cannot be enabled on a peering link
