Subnetting Without the Headaches: A Practical Guide
The first time someone hands you a network diagram and says "we need to carve this /22 into six subnets with different host counts," it can feel like a trick question. The math is doable — but doing it in your head, or on scratch paper during a client call, is a different story.
Subnetting isn't complicated once the underlying model clicks. This guide is about making that click happen, and then showing you how to skip the manual arithmetic when you're actually working.
What subnetting actually is
An IPv4 address is 32 bits. Every address belongs to a network, and the network is defined by how many of those 32 bits are used to identify the network (the network portion) versus the individual host (the host portion).
A subnet mask defines that boundary. 255.255.255.0 means the first 24 bits are network, the last 8 bits are host. CIDR notation writes this as /24 — the number after the slash is just a count of the network bits.
So when someone says 192.168.1.0/24, they mean: a network where the first 24 bits (192.168.1) are fixed, and the last 8 bits can vary to represent individual hosts.
The math you actually need
Given a prefix length of n, the number of usable host addresses is:
2^(32 - n) - 2
The subtraction of 2 accounts for two reserved addresses: the network address (all host bits set to 0) and the broadcast address (all host bits set to 1). You cannot assign these to devices.
Here are the prefix lengths you'll see most often:
- /24 — 254 usable hosts. Standard for small office networks and VLANs.
- /25 — 126 hosts. Splits a /24 in half, useful when you need two segments from one block.
- /26 — 62 hosts. Four subnets from a /24. Common in environments with multiple smaller VLANs.
- /28 — 14 hosts. Tight subnets for DMZs, printer networks, or device groups you want isolated.
- /30 — 2 hosts. Point-to-point links between routers. No wasted addresses.
- /32 — A single host. Used in routing tables to refer to a specific device or loopback.
A real example: planning a small office network
Say you're given the block 10.10.0.0/22 and need to create subnets for four departments: Servers (max 50 hosts), Finance (max 25 hosts), Operations (max 100 hosts), and a DMZ (max 10 hosts).
Start with the biggest group and work down:
- Operations (100 hosts): needs a /25 (126 usable). Assign 10.10.0.0/25.
- Servers (50 hosts): needs a /26 (62 usable). Assign 10.10.0.128/26.
- Finance (25 hosts): needs a /27 (30 usable). Assign 10.10.0.192/27.
- DMZ (10 hosts): needs a /28 (14 usable). Assign 10.10.0.224/28.
This technique — fitting subnets of different sizes from a single larger block — is called Variable Length Subnet Masking (VLSM). It lets you avoid wasting address space by matching subnet sizes to actual requirements.
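The allocation above can be automated. The following sketch is an added example, not part of the original article; the function names `prefix_for_hosts` and `vlsm_allocate` are assumptions chosen for illustration. It sizes each subnet with the 2^(32 - n) - 2 formula, places the largest first, and starts each one on a multiple of its own size.

```python
import ipaddress

def prefix_for_hosts(hosts):
    """Longest IPv4 prefix n whose usable count 2^(32 - n) - 2 covers `hosts`."""
    host_bits = 2                      # smallest case here is a /30 (2 usable)
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits

def vlsm_allocate(parent, needs):
    """Carve `parent` (CIDR string) into subnets for `needs` ({name: hosts}).

    Requirements are placed largest first, and every subnet starts on a
    multiple of its own size, so the resulting ranges cannot overlap.
    """
    block = ipaddress.ip_network(parent)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    plan = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        start = (cursor + size - 1) // size * size   # round up to a boundary
        if prefix < block.prefixlen or start + size > end:
            raise ValueError(f"{name}: {hosts} hosts do not fit in {parent}")
        plan[name] = ipaddress.ip_network((start, prefix))
        cursor = start + size
    return plan

if __name__ == "__main__":
    # The four departments from the example above.
    needs = {"Servers": 50, "Finance": 25, "Operations": 100, "DMZ": 10}
    for name, net in vlsm_allocate("10.10.0.0/22", needs).items():
        usable = net.num_addresses - 2
        print(f"{name:<11} {net}  mask {net.netmask}  usable {usable}")
```
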
The things that trip people up
Forgetting the network and broadcast addresses. A /28 has 16 total addresses (2^4), but only 14 usable. Every time you calculate host capacity, subtract 2.
Overlapping subnets. When carving subnets from a block, each new subnet must start at an address that's a multiple of its size. A /26 (64 addresses) must start at 0, 64, 128, or 192 within its parent block. Starting a /26 at 192.168.1.100 is invalid: 100 is not a multiple of 64, and the address sits inside 192.168.1.64/26, so the range would overlap with the previous subnet.
Confusing the subnet mask with the CIDR prefix. /24 and 255.255.255.0 are the same thing, just different notations. If you want to understand why — how a subnet mask becomes a binary string of 1s followed by 0s — read Binary, Hex, and Decimal: A Practical Guide. Most modern tools and documentation use CIDR because it's shorter. Older equipment and some operating systems still display subnet masks. Know both.
Thinking /32 is invalid. It's not. It's a host route — a route to a single address. You'll see these in routing tables all the time.
When to use a calculator
For simple /24 or /25 work, mental math is fine once you know the pattern. But for anything involving VLSM, multiple nested subnets, or verifying whether two IP ranges overlap, doing it by hand is slow and error-prone.
The Subnet Calculator on ToolsKit takes an IP and CIDR prefix and immediately returns the network address, broadcast address, first and last usable host IPs, subnet mask, and total host count. Useful for quick verification before committing a scheme to a firewall config or Ansible playbook.
Quick reference: common subnet sizes
- /8 = 255.0.0.0 — 16,777,214 hosts
- /16 = 255.255.0.0 — 65,534 hosts
- /24 = 255.255.255.0 — 254 hosts
- /25 = 255.255.255.128 — 126 hosts
- /26 = 255.255.255.192 — 62 hosts
- /27 = 255.255.255.224 — 30 hosts
- /28 = 255.255.255.240 — 14 hosts
- /29 = 255.255.255.248 — 6 hosts
- /30 = 255.255.255.252 — 2 hosts
Private vs public address ranges
Three blocks are reserved for private use and are not routable on the public internet:
- 10.0.0.0/8 — Class A private, ~16 million addresses
- 172.16.0.0/12 — Class B private, ~1 million addresses
- 192.168.0.0/16 — Class C private, ~65,000 addresses
Use one of these for internal networks. Devices in private ranges reach the internet via NAT at the router or firewall boundary. If you're designing a multi-site network with VPN tunnels between sites, make sure each site uses a different non-overlapping private block — overlapping ranges at both ends of a VPN is one of the more avoidable network headaches.
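Both the boundary rule from "The things that trip people up" and the multi-site overlap problem can be checked before a scheme reaches a firewall config. The script below is an added example, not part of the original article; `check_alignment`, `audit_plan` and the sample plan are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# The three private blocks listed above.
PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan; labels and ranges are illustrative only.
SAMPLE_PLAN = {
    "hq-lan": "10.10.0.0/22",
    "branch-lan": "10.10.2.0/24",
    "lab": "192.168.1.100/26",
    "guest": "172.32.0.0/24",
}

def check_alignment(cidr):
    """Return None if cidr starts on its own boundary, otherwise the
    subnet that the given address actually belongs to."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return None
    except ValueError:
        return str(ipaddress.ip_network(cidr, strict=False))

def audit_plan(plan):
    """Check a {label: cidr} plan; return a list of findings (empty = clean)."""
    findings, nets = [], {}
    for label, cidr in plan.items():
        actual = check_alignment(cidr)
        if actual:
            findings.append(f"{label}: {cidr} is misaligned, it sits inside {actual}")
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
            findings.append(f"{label}: {net} is outside the private blocks")
        nets[label] = net
    # Pairwise overlap check, e.g. two sites joined by a VPN tunnel.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"{a} ({net_a}) overlaps {b} ({net_b})")
    return findings

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_PLAN):
        print(finding)
```

The `guest` entry shows a common slip: 172.16.0.0/12 ends at 172.31.255.255, so 172.32.0.0/24 is public address space.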
The short version
Subnetting comes down to a few habits: know your prefix lengths and corresponding host counts, start with the largest subnets when doing VLSM, always align subnet boundaries correctly, and use a calculator for anything you're going to put into production. The mental model matters; the manual arithmetic doesn't.