Mental model
An IP address is just 32 bits split into two halves: the network portion (everyone on this network has these bits in common) and the host portion (unique per device on this network).
The subnet mask tells you where the split lives. A /24 mask means “the first 24 bits are network, the last 8 bits are host” — so you’ve got 8 bits = 256 addresses = 254 usable hosts.
Subnetting means moving that boundary to the right — taking host bits and using them as network bits. Steal 2 bits and you split your /24 into four /26 subnets. Each /26 has 6 host bits = 64 addresses = 62 usable hosts.
This is the only concept in subnetting. Everything else — the math, the magic-number trick, VLSM, wildcard masks — is just consequences of that one rule.
Anatomy of a 32-bit address
Let’s look at 192.168.10.85 with mask /26 in full detail.
IP:   192.168.10.85
      11000000.10101000.00001010.01010101
Mask: 255.255.255.192
      11111111.11111111.11111111.11000000 ← /26 = 26 ones
The mask’s 1 bits define the network. The 0 bits define the host. Apply the mask (binary AND between IP and mask):
11000000.10101000.00001010.01000000 = 192.168.10.64
So 192.168.10.85/26 is on the network 192.168.10.64/26. The first 26 bits (11000000 10101000 00001010 01) are the network identifier — every device on this subnet shares these bits. The remaining 6 bits (010101) are the host portion that makes this device unique on its segment.
You will almost never do this binary calculation in real life. But understanding why it works is the unlock.
The four numbers you always compute
For any subnet, you need:
- Network address — first IP, all host bits = 0
- Broadcast address — last IP, all host bits = 1
- First usable host — network + 1
- Last usable host — broadcast − 1
Example: 192.168.10.64/26
- Network: 192.168.10.64
- Broadcast: 192.168.10.127
- First host: 192.168.10.65
- Last host: 192.168.10.126
- Usable hosts: 62 (64 − 2 for network + broadcast)
The network address and broadcast address cannot be assigned to a device. That’s the −2 everyone forgets on test day.
The magic-number method (use this on the exam)
Given a subnet mask, find the interesting octet — the octet that isn’t 255 or 0. Compute 256 − that octet. That’s your block size.
Subnets always start at multiples of the block size.
Walk-through: /26 (mask 255.255.255.192)
- Interesting octet: 192 (fourth octet)
- Block size: 256 − 192 = 64
- Subnets: 0, 64, 128, 192 — four subnets in a /24
| Subnet | Network | Broadcast | First host | Last host |
|---|---|---|---|---|
| 1 | 192.168.10.0 | 192.168.10.63 | .1 | .62 |
| 2 | 192.168.10.64 | 192.168.10.127 | .65 | .126 |
| 3 | 192.168.10.128 | 192.168.10.191 | .129 | .190 |
| 4 | 192.168.10.192 | 192.168.10.255 | .193 | .254 |
Walk-through: /27 (mask 255.255.255.224)
- Interesting octet: 224 (fourth octet)
- Block size: 256 − 224 = 32
- Subnets: 0, 32, 64, 96, 128, 160, 192, 224 — eight /27s in a /24, each with 30 usable hosts.
Walk-through: /22 (mask 255.255.252.0)
- Interesting octet: 252 (third octet)
- Block size: 256 − 252 = 4
- Subnets in the third octet: 0, 4, 8, 12, 16, … 252 — 64 /22s in a /16, each with 1,022 usable hosts.
The trick is the same — just applied one octet earlier when the mask crosses an octet boundary.
Walk-through: /21 (mask 255.255.248.0)
- Block size: 256 − 248 = 8 (in the third octet)
- Subnets: 0, 8, 16, 24, … 248 — 32 /21s in a /16, each with 2,046 usable hosts.
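The binary AND from the anatomy section and the block-size shortcut from these walk-throughs give the same network address. The sketch below is an added example, not code from the original page; the function names are illustrative, and the /31 and /32 host counts follow the page's CIDR table.

```python
def to_int(dotted):
    """Pack a dotted-quad string into one 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_of(prefix):
    """Prefix length -> 32-bit mask with `prefix` leading one bits."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def four_numbers(ip, prefix):
    """Network, broadcast, first/last host and usable count via binary AND."""
    mask = mask_of(prefix)
    net = to_int(ip) & mask                 # host bits forced to 0
    bcast = net | (~mask & 0xFFFFFFFF)      # host bits forced to 1
    if prefix >= 31:                        # /31 and /32: no -2 is subtracted
        first, last, usable = net, bcast, bcast - net + 1
    else:
        first, last, usable = net + 1, bcast - 1, bcast - net - 1
    return {"network": to_dotted(net), "broadcast": to_dotted(bcast),
            "first": to_dotted(first), "last": to_dotted(last),
            "usable": usable}


def magic_network(ip, prefix):
    """Same network address from the block-size shortcut, no AND involved."""
    octets = [int(x) for x in ip.split(".")]
    mask_octets = [int(x) for x in to_dotted(mask_of(prefix)).split(".")]
    for i, m in enumerate(mask_octets):
        if m != 255:                        # interesting octet, or all-host octet
            block = 256 - m                 # m == 0 gives 256, so the octet -> 0
            octets[i] = (octets[i] // block) * block
    return ".".join(str(o) for o in octets)


def same_subnet(ip_a, ip_b, prefix):
    """Two hosts share a segment only if their network addresses are equal."""
    return four_numbers(ip_a, prefix)["network"] == four_numbers(ip_b, prefix)["network"]


if __name__ == "__main__":
    for ip, prefix in [("192.168.10.85", 26), ("172.16.85.200", 27),
                       ("10.10.32.0", 19), ("10.5.4.30", 29)]:
        assert magic_network(ip, prefix) == four_numbers(ip, prefix)["network"]
        print(f"{ip}/{prefix}", four_numbers(ip, prefix))
    print("10.5.4.30 and 10.5.4.34 on one /29?",
          same_subnet("10.5.4.30", "10.5.4.34", 29))
```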
CIDR cheat strip (memorize)
| CIDR | Subnet mask | Block size | Usable hosts | Common use |
|---|---|---|---|---|
| /16 | 255.255.0.0 | 65,536 | 65,534 | Large enterprise site |
| /20 | 255.255.240.0 | 4,096 | 4,094 | Mid enterprise site |
| /22 | 255.255.252.0 | 1,024 | 1,022 | Branch office, large VLAN |
| /23 | 255.255.254.0 | 512 | 510 | Large user VLAN |
| /24 | 255.255.255.0 | 256 | 254 | Default subnet for VLANs |
| /25 | 255.255.255.128 | 128 | 126 | Smaller VLAN |
| /26 | 255.255.255.192 | 64 | 62 | Conference room, small office |
| /27 | 255.255.255.224 | 32 | 30 | Small VLAN |
| /28 | 255.255.255.240 | 16 | 14 | Server segment, DMZ |
| /29 | 255.255.255.248 | 8 | 6 | Tiny segment, transit link |
| /30 | 255.255.255.252 | 4 | 2 | Classic point-to-point WAN |
| /31 | 255.255.255.254 | 2 | 2 | Modern point-to-point (RFC 3021) |
| /32 | 255.255.255.255 | 1 | 1 | Host route, loopback |
Memorize the “Usable hosts” column. CCNA exam questions like “minimum mask for 100 hosts?” become trivial: 100 < 126 = /25.
Subnetting at the speed of conversation
The pros don’t pull out a calculator. The thought process is:
“They need 50 hosts. 50 < 62, so /26 works. Block size 64. Start at .0 — next subnet at .64. Broadcast of the first = .63. Done.”
That’s the full mental loop. With practice it takes 5 seconds.
The drill
Pick a random IP and mask, predict network / broadcast / first / last out loud, then verify on a subnet calculator. Do 20 a day for a week. By day 8 your reflex is built.
Free drill site: subnettingpractice.com. Aim for under 45 seconds per problem.
VLSM — Variable-Length Subnet Masking
Real networks have segments of different sizes. A user VLAN needs 200 hosts. A server VLAN needs 30. A point-to-point WAN link needs 2. Allocating a /24 to each wastes thousands of addresses.
VLSM is the practice of using different mask lengths within a single allocation. It’s how the modern internet was made possible after the address-class system collapsed in the 1990s.
The VLSM rule: always allocate largest first
The algorithm:
- List your subnet requirements, sorted largest host count first.
- Allocate the largest subnet from the start of your address space.
- Allocate the next subnet immediately after.
- Repeat until done.
Worked example: allocate from 192.168.10.0/24
Requirements (in any order):
- Branch office: 100 hosts
- DC server segment: 50 hosts
- Storage segment: 20 hosts
- 4× point-to-point WAN links: 2 hosts each
Step 1 — sort by size:
| Requirement | Hosts needed | Mask needed | Subnet size |
|---|---|---|---|
| Branch office | 100 | /25 (126 usable) | 128 |
| DC servers | 50 | /26 (62 usable) | 64 |
| Storage | 20 | /27 (30 usable) | 32 |
| 4× WAN P2P | 2 each | /30 (2 usable) | 4 each |
Step 2 — allocate from .0:
192.168.10.0/25 → Branch office (.0 – .127) 128 addresses
192.168.10.128/26 → DC servers (.128 – .191) 64 addresses
192.168.10.192/27 → Storage (.192 – .223) 32 addresses
192.168.10.224/30 → WAN link A (.224 – .227) 4 addresses
192.168.10.228/30 → WAN link B (.228 – .231) 4 addresses
192.168.10.232/30 → WAN link C (.232 – .235) 4 addresses
192.168.10.236/30 → WAN link D (.236 – .239) 4 addresses
Spare (.240 – .255) 16 addresses
You’ve packed 248 addresses of usable allocation into a /24 with no overlap and 16 addresses spare for growth. If you’d allocated four /24s naively (one per requirement) you would have needed a /22 — four times the address space.
Why largest-first matters
Imagine you allocated WAN links first at .0/30. Now you want a /25 (128 addresses). The next /25 boundary is .128 — so addresses .4 through .127 are now stuck “in the middle” and you can’t use them for a single /25 because that block has to start at a /25 boundary (multiple of 128). You’d burn 124 addresses to bad ordering.
Always largest first. The rule has saved more enterprise IP plans than any single other practice.
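The allocation rule and the ordering problem above can be checked mechanically. The following is an added example, not code from the original page; `prefix_for`, `allocate` and the requirement names are illustrative, and the requirements are the ones from the worked example.

```python
import ipaddress

# Requirements from the worked example above, deliberately not pre-sorted.
REQUIREMENTS = [("WAN link A", 2), ("Branch office", 100), ("DC servers", 50),
                ("Storage", 20), ("WAN link B", 2), ("WAN link C", 2),
                ("WAN link D", 2)]


def prefix_for(hosts):
    """Smallest mask whose usable count (2^n - 2) covers `hosts`."""
    host_bits = 2                            # start at /30, the 2-host block
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def allocate(parent, requirements, largest_first=True):
    """Place (name, hosts) pairs into `parent` one after another.

    A subnet must start on a multiple of its own size, so the cursor is
    rounded up to the next boundary and the skipped addresses are counted.
    Returns (plan, addresses_lost_to_gaps, addresses_spare_at_end).
    """
    parent = ipaddress.ip_network(parent)
    order = list(requirements)
    if largest_first:
        order.sort(key=lambda r: r[1], reverse=True)   # stable: A..D keep order
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    plan, lost = [], 0
    for name, hosts in order:
        prefix = prefix_for(hosts)
        size = 1 << (32 - prefix)
        start = -(-cursor // size) * size    # round up to a block boundary
        if start + size > end:
            raise ValueError(f"{name} (/{prefix}) does not fit in {parent}")
        lost += start - cursor
        plan.append((name, ipaddress.ip_network((start, prefix))))
        cursor = start + size
    return plan, lost, end - cursor


if __name__ == "__main__":
    plan, lost, spare = allocate("192.168.10.0/24", REQUIREMENTS)
    for name, net in plan:
        print(f"{str(net):<20} {name}")
    print(f"lost to gaps: {lost}, spare at end: {spare}")
    # One WAN link placed first pushes the /25 to .128 and strands .4-.127.
    _, lost, _ = allocate("192.168.10.0/24", REQUIREMENTS[:2], largest_first=False)
    print(f"WAN link first, then the /25: {lost} addresses stranded")
```

Running the full requirement list with `largest_first=False` raises `ValueError`, because after the stranded gap the /25 ends at .255 and nothing else fits in the /24.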
Reverse-engineering: from host count to mask
Common exam pattern: “You need 350 hosts on a segment. What’s the smallest mask?”
The thought process:
- Smallest 2^n ≥ 350 + 2 (for network + broadcast) = 512 = 2^9
- So you need 9 host bits.
- 32 − 9 = /23 mask.
- Sanity check: /23 = 510 usable hosts ≥ 350. ✓
Try a few:
- 24 hosts → smallest 2^n ≥ 26 = 32 = 2^5 → /27
- 60 hosts → smallest 2^n ≥ 62 = 64 = 2^6 → /26
- 200 hosts → smallest 2^n ≥ 202 = 256 = 2^8 → /24
- 1,000 hosts → smallest 2^n ≥ 1,002 = 1,024 = 2^10 → /22
This is two seconds with the table memorized. Don’t waste exam time computing 2^n.
Wildcard masks (for OSPF and ACLs)
OSPF and ACLs use a wildcard mask instead of a subnet mask. A wildcard mask is the bit-inverse of the subnet mask.
| Subnet mask | Wildcard mask |
|---|---|
| 255.255.255.0 (/24) | 0.0.0.255 |
| 255.255.255.128 (/25) | 0.0.0.127 |
| 255.255.255.192 (/26) | 0.0.0.63 |
| 255.255.255.224 (/27) | 0.0.0.31 |
| 255.255.255.240 (/28) | 0.0.0.15 |
| 255.255.255.248 (/29) | 0.0.0.7 |
| 255.255.255.252 (/30) | 0.0.0.3 |
| 255.255.252.0 (/22) | 0.0.3.255 |
| 255.255.0.0 (/16) | 0.0.255.255 |
Quick conversion: for each octet, wildcard = 255 − subnet. So 255.255.255.192 → 0.0.0.63.
Use cases you’ll see all the time:
R1(config-router)# network 192.168.10.0 0.0.0.255 area 0 # OSPF — match /24
R1(config)# access-list 10 permit 10.0.0.0 0.255.255.255 # ACL — match /8
0 bits in the wildcard mean “this bit must match exactly.” 1 bits mean “wild — don’t care.” Same logic as a subnet mask, inverted.
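The bit rule above is easy to turn into a check for ACL reviews. This is an added example, not code from the original page or from any vendor tool; the function names are illustrative, and the lint covers one case only: a wildcard whose bit pattern is shaped like a subnet mask.

```python
import ipaddress


def _int(addr):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_of(mask):
    """Subnet mask -> wildcard mask: 255 minus each octet (bitwise inverse)."""
    return str(ipaddress.IPv4Address(_int(mask) ^ 0xFFFFFFFF))


def acl_matches(base, wildcard, addr):
    """True if `addr` equals `base` on every bit where the wildcard has a 0."""
    care = ~_int(wildcard) & 0xFFFFFFFF      # 1 = this bit must match exactly
    return (_int(addr) & care) == (_int(base) & care)


def looks_like_subnet_mask(value):
    """True if the 32 bits are a run of 1s followed by a run of 0s."""
    inv = ~value & 0xFFFFFFFF                # a real mask inverts to 0..01..1
    return (inv & (inv + 1)) == 0


def lint_wildcard(base, wildcard):
    """Return a warning if the wildcard was probably typed as a subnet mask."""
    w = _int(wildcard)
    # 0.0.0.0 (single host) and 255.255.255.255 (any) are legitimate wildcards.
    if w not in (0, 0xFFFFFFFF) and looks_like_subnet_mask(w):
        return (f"{base} {wildcard}: wildcard is shaped like a subnet mask; "
                f"did you mean {wildcard_of(wildcard)}?")
    return None


if __name__ == "__main__":
    # Constructed sample entries: (base, wildcard) pairs as they would
    # appear after "permit" in a standard ACL or an OSPF network statement.
    entries = [("192.168.10.0", "0.0.0.255"), ("10.0.0.0", "0.255.255.255"),
               ("10.0.0.0", "255.0.0.0")]
    for base, wc in entries:
        hit = acl_matches(base, wc, "10.1.2.3")
        print(f"{base} {wc}: matches 10.1.2.3? {hit}; lint: {lint_wildcard(base, wc)}")
```

With `10.0.0.0 255.0.0.0`, intended hosts such as 10.1.2.3 do not match, and the lint suggests `0.255.255.255`.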
Subnetting across octet boundaries
Almost everything in CCNA labs uses subnets within a single octet (the fourth octet). Real networks routinely subnet across the third octet for larger ranges.
The key insight: the magic-number trick works in whatever octet the mask is “interesting” in.
For /19 (mask 255.255.224.0):
- Interesting octet: 224 in the third octet.
- Block size in the third octet: 256 − 224 = 32.
- Subnets: third-octet values 0, 32, 64, 96, 128, 160, 192, 224.
- So 10.0.0.0/19 covers 10.0.0.0–10.0.31.255 (32 × 256 addresses = 8,192).
- Next /19 starts at 10.0.32.0 and covers 10.0.32.0–10.0.63.255.
Practice this on /18, /17, /20, /21, /22, /23 until it’s reflex.
Special IPv4 addresses you must recognize
Some address ranges are reserved or have special meaning. The CCNA exam tests recognition.
| Range | Meaning |
|---|---|
| 0.0.0.0/0 | Default route — “anywhere I don’t have a specific route to” |
| 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 | RFC 1918 private addresses |
| 127.0.0.0/8 | Loopback — 127.0.0.1 is “this host” |
| 169.254.0.0/16 | Link-local / APIPA — auto-assigned when DHCP fails |
| 100.64.0.0/10 | Carrier-grade NAT (CGNAT) — ISP shared space, not routable on the public internet |
| 224.0.0.0/4 | Multicast |
| 240.0.0.0/4 | Experimental / reserved |
| 255.255.255.255 | Limited broadcast |
| 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 | Documentation only — used in textbooks and RFCs (TEST-NET) |
Enterprise IP plan — full worked example
You’re designing IP for a mid-size US enterprise with:
- HQ campus: 800 users + 200 servers + 50 IoT devices
- Branch A: 150 users
- Branch B: 80 users + 20 servers
- Branch C: 25 users (small office)
- 6 point-to-point WAN links between sites
- 10 loopback addresses for routing protocols
Available: 10.50.0.0/16.
Step 1 — allocate per site
Allocate at /20 boundaries (4,096 addresses each):
10.50.0.0/20 → HQ campus (4,094 hosts)
10.50.16.0/20 → Branch A (4,094 hosts)
10.50.32.0/20 → Branch B (4,094 hosts)
10.50.48.0/20 → Branch C (4,094 hosts)
10.50.64.0/20 → Reserved (growth) (4,094 hosts)
…
10.50.240.0/20 → Infrastructure (WAN links + loopbacks)
Step 2 — subnet within HQ (10.50.0.0/20)
HQ needs:
- Users: 800 → /22 (1,022 hosts)
- Servers: 200 → /24 (254 hosts)
- IoT: 50 → /26 (62 hosts)
10.50.0.0/22 → HQ users (.0.0 – .3.255)
10.50.4.0/24 → HQ servers (.4.0 – .4.255)
10.50.5.0/26 → HQ IoT (.5.0 – .5.63)
10.50.5.64/26 → Reserved
10.50.6.0/23 → Reserved (growth)
10.50.8.0/21 → Reserved (growth)
Step 3 — subnet within Branch A (10.50.16.0/20)
150 users → /24 with room to grow.
10.50.16.0/24 → Branch A users (254 hosts)
10.50.17.0/24 → Reserved (growth)
10.50.18.0/24 → Reserved (growth)
…
Step 4 — WAN links + loopbacks from 10.50.240.0/20
10.50.240.0/30 → HQ ↔ Branch A
10.50.240.4/30 → HQ ↔ Branch B
10.50.240.8/30 → HQ ↔ Branch C
10.50.240.12/30 → Branch A ↔ Branch B
10.50.240.16/30 → Branch A ↔ Branch C
10.50.240.20/30 → Branch B ↔ Branch C
10.50.241.0/32 → HQ Router loopback (10.50.241.1/32)
10.50.241.0/32 → Branch A Router (10.50.241.2/32)
... etc.
Notice the principles:
- Largest allocations first at each level.
- Reserve before you need it — growth space is much cheaper than re-numbering 800 hosts later.
- Predictable structure — every site is a /20, every WAN link is a /30 starting at .240. New engineers can predict where things live.
This is the kind of plan you’d build in real life. Spend 30 minutes designing it once, save 30 hours of “wait, where does Branch D go?” later.
Common mistakes
- Off-by-one on broadcast. .0/26 broadcast is .63, not .64. The last address in the block belongs to that subnet’s broadcast — the next subnet starts after.
- Forgetting the −2 for usable hosts. A /26 has 64 addresses but only 62 usable hosts.
- Picking the wrong mask for the host count. “We need 30 hosts” → many students pick /27 (30 usable). Works exactly to the limit — no headroom. In production always go one size bigger if you can afford it.
- Mixing classful and classless thinking. Old IPv4 classes (A=/8, B=/16, C=/24) are dead. CIDR replaced them in the 1990s. Don’t say “class C network” — say “/24” or “192.168.0.0/24”.
- Confusing the network and broadcast addresses in routing. Static routes use the network address, never the broadcast. ip route 192.168.10.64 255.255.255.192 ... is correct; 192.168.10.127 255.255.255.192 is wrong.
- VLSM allocated smallest-first. Eats your address space with unusable gaps. Always largest first.
- Wildcard ≠ subnet mask. A common ACL bug. access-list 10 permit 10.0.0.0 255.0.0.0 matches nothing because the wildcard 255.0.0.0 means “match the first octet exactly, ignore the rest.” You wanted 0.255.255.255.
- Forgetting that 127.0.0.0/8 is reserved. Don’t allocate it. Don’t ping 127.0.0.1 to test connectivity to “this network” — it’s the loopback.
- Using /31 on equipment that doesn’t support it. RFC 3021 allows /31 on point-to-point links, but very old gear barfs. Stick with /30 if you don’t control both ends.
Practice problems with worked solutions
Try these before looking at the solutions.
Problem 1. What is the network address of 172.16.85.200/27?
Solution:
- /27, block size = 32, interesting octet = 4th.
- Largest multiple of 32 ≤ 200 = 192.
- Network: 172.16.85.192/27.
Problem 2. Given 192.168.5.0/24, list all /29 subnets and their usable host ranges.
Solution:
- /29 in a /24 = 32 subnets (256 / 8).
- Block size 8.
- .0/29 (.1–.6), .8/29 (.9–.14), .16/29 (.17–.22), .24/29 (.25–.30), … all the way to .248/29 (.249–.254).
Problem 3. You need to support 500 hosts on one segment. What’s the smallest mask?
Solution:
- Smallest 2^n ≥ 502 = 512 = 2^9.
- 9 host bits = 32 − 9 = /23 mask (510 usable hosts).
Problem 4. What is the broadcast of 10.10.32.0/19?
Solution:
- /19, block size in 3rd octet = 32.
- Next /19 boundary after .32.0 is .64.0.
- Broadcast = next boundary − 1 = 10.10.63.255.
Problem 5. Convert 255.255.255.240 to wildcard mask.
Solution:
- 255 − 240 = 15.
- Wildcard: 0.0.0.15.
Problem 6. VLSM problem. You have 192.168.100.0/24. Allocate:
- A: 60 hosts
- B: 25 hosts
- C: 12 hosts
- D, E, F: 2 hosts each (P2P)
Solution (largest first):
| Segment | Hosts | Mask | Network | Broadcast |
|---|---|---|---|---|
| A | 60 | /26 | 192.168.100.0 | 192.168.100.63 |
| B | 25 | /27 | 192.168.100.64 | 192.168.100.95 |
| C | 12 | /28 | 192.168.100.96 | 192.168.100.111 |
| D | 2 | /30 | 192.168.100.112 | 192.168.100.115 |
| E | 2 | /30 | 192.168.100.116 | 192.168.100.119 |
| F | 2 | /30 | 192.168.100.120 | 192.168.100.123 |
Total used: 124 addresses out of 256. Plenty of spare.
Problem 7. A router has interface Gi0/0 with IP 10.5.4.30/29. Will host 10.5.4.34 be on the same subnet?
Solution:
- /29 → block size 8 → subnets at .0, .8, .16, .24, .32, .40, …
- .30 falls in .24/29 (range .24 – .31).
- .34 falls in .32/29 (range .32 – .39).
- Different subnets — no, they’re not on the same segment.
This is exactly the kind of trap exam questions use. Plot both addresses on the magic-number map before answering.
Problem 8. How many /27 subnets fit in a /22?
Solution:
- /22 = 1,024 addresses. /27 = 32 addresses.
- 1,024 / 32 = 32 /27 subnets.
Alternative: subtract the prefix lengths → 27 − 22 = 5 bits of difference → 2^5 = 32.
Common interview questions
These come up in entry-level network engineer interviews. Practice answering each in under 30 seconds out loud.
- “Walk me through how you’d subnet a /24 for 4 VLANs of 50 users each.”
- “What’s the difference between a subnet mask and a wildcard mask?”
- “You’re given 10.10.10.85/27. What’s the network, broadcast, and how many usable hosts?”
- “Explain VLSM in one minute. When would you use it?”
- “Why do we lose 2 addresses per subnet? Are there any exceptions?”
The third bullet trips most candidates — the answer is network = .64, broadcast = .95, 30 usable. If you can’t do it in 10 seconds, drill the magic-number trick more.
IPv6 subnetting — a brief note
IPv6 subnetting is different in scale but easier in math. Every interface typically gets a /64 (18 quintillion addresses). You subnet at boundaries of 4 bits (called nibbles) — /48, /52, /56, /60, /64.
The math is hexadecimal, not decimal. But you almost never run into “out of host bits” since each /64 is enormous.
See IPv6 Basics for the IPv6-specific story.
Lab to try tonight
- Magic-number drill — take any /24 (e.g. 10.10.10.0/24). Subnet it into eight /27s. Write out network and broadcast for each on paper, then verify with a subnet calculator.
- Mixed-size practice — build a small Packet Tracer topology with three routers and three subnets sized for: 100 hosts, 30 hosts, 2 hosts. Pick the smallest mask that works for each. Assign IPs.
- Static routing — configure static routes between the routers from step 2. Confirm all hosts can ping each other.
- VLSM challenge — take a single /22 and chop it into subnets of decreasing size (one /24, one /26, two /28s, four /30s). Confirm no overlap on paper, then deploy in Packet Tracer.
- Wildcard mask drill — convert these subnet masks to wildcard masks: /16, /19, /23, /25, /28, /30. Do them out loud, then check.
- Enterprise plan drill — design an IP plan for a fictional 3-branch enterprise with HQ (500 hosts), Branch A (100 hosts), Branch B (50 hosts), and 3 WAN links. Use 172.20.0.0/16. Spend 20 minutes on it. Compare with a colleague if possible.
Cheat strip
| Need to find… | Use this |
|---|---|
| Block size | 256 − interesting octet of the mask |
| Where does subnet X start | Always a multiple of block size |
| Broadcast | Next subnet boundary − 1 |
| Usable hosts | 2^(host bits) − 2 |
| Smallest mask for N hosts | Find smallest 2^n − 2 ≥ N |
| Wildcard mask | 255 − each octet of subnet mask |
| How many /Y in a /X | 2^(Y − X) |
| /30 | 4 addresses, 2 usable — classic point-to-point |
| /31 | 2 addresses, both usable (RFC 3021) — modern point-to-point |
| /32 | Single host — loopback or host route |
| VLSM rule | Always allocate largest subnet first |
| Special: 127.0.0.0/8 | Loopback — never route, never assign |
| Special: 169.254.0.0/16 | APIPA — DHCP failure indicator |
| Special: 0.0.0.0/0 | Default route |