Module 6 of 21 · Foundations

Subnetting in plain language

14 min read 3 outcomes Subnetting lab + quiz

By the end of this module you will be able to:

  • Explain what a CIDR prefix means and calculate the number of usable addresses in a subnet
  • Describe how a device decides whether a destination is local (same subnet) or remote (needs a router)
  • Explain why a subnet boundary does not automatically create a security boundary

CIDR decides local delivery before routing

The host compares the destination with its own prefix before choosing neighbour discovery or a gateway.

CIDR decides local delivery before routing An input block shows the host's address (10.10.20.34/24) and two destinations: A at 10.10.20.80 (same network bits, matches the host's prefix) and B at 10.10.30.80 (different prefix). Two outcome lanes below show the decision: the LEFT LOCAL lane describes ARP for the destination MAC, frame on the local segment, no gateway. The RIGHT REMOTE lane describes default-gateway lookup, ARP for the gateway, frame to the gateway. Sources cited per lane: RFC 826/4861 for ARP and NDP; RFC 1812 for router behaviour. INPUT · RFC 4632 Host address 10.10.20.34 / 24 → network bits: 10.10.20.0 Destination A 10.10.20.80 → network bits: 10.10.20.0 MATCH Destination B 10.10.30.80 → network bits: 10.10.30.0 DIFFERENT if same if different SAME PREFIX → LOCAL Destination A: 10.10.20.80 1. ARP / NDP for the MAC of 10.10.20.80 2. Frame goes directly on the local segment 3. No gateway involvement, no TTL decrement NEXT HOP Same link · RFC 826 / RFC 4861 DIFFERENT PREFIX → REMOTE Destination B: 10.10.30.80 1. Look up default gateway in route table 2. ARP / NDP for the gateway's MAC 3. Frame goes to gateway; gateway routes from there NEXT HOP Default gateway · RFC 1812 built by ransfordsnotes.com

The CIDR mask compares network bits first. Local destinations skip the gateway; remote destinations hand off to it.

Subnet mistakes usually happen at the boundary

The first and last addresses in an IPv4 subnet have special meaning in traditional subnet practice.

Subnet mistakes happen at the boundary A horizontal strip of 65 small rectangles represents addresses .0 through .64 in the 192.0.2.0/26 subnet. The .0 and .63 cells are filled brand red because they are reserved (network and broadcast). The 62 cells between them are usable hosts. The .64 cell beyond the strip is shown in neutral fill because it belongs to the next /26 subnet. Labels above the strip name each zone. Two tip cards below highlight the two most common off-by-one mistakes: assigning the network or broadcast address to a host, and assuming the next subnet starts at .65 instead of .64. NETWORK .0 USABLE HOSTS (62 ADDRESSES) .1 · .2 · ... · .61 · .62 BROADCAST .63 NEXT /26 .64 OFF-BY-ONE EDGES Assigning .0 or .63 to a host breaks ARP responses. NEXT BLOCK The next /26 starts at .64, not .65. Common mistake. built by ransfordsnotes.com

In a /26 subnet, the first address is the network and the last address is the broadcast; only the 62 in the middle can host devices.

6.1 What the /24 actually means

In Module 5, you saw IP addresses written with a slash and a number, like 192.168.1.0/24. That number is the CIDR prefix length. It tells you how many of the 32 bits in the address belong to the network portion.

A /24 means the first 24 bits are the network address, and the remaining 8 bits are available for host addresses. Eight bits give you 2^8 = 256 possible values, but two are reserved: the first (192.168.1.0) is the network address, and the last (192.168.1.255) is the broadcast address. That leaves 254 usable host addresses.

Here are the most common prefix lengths you will encounter:

/24 = 254 usable hosts. Standard for a small office or a single VLAN.
/25 = 126 usable hosts. Half of a /24.
/16 = 65,534 usable hosts. A building or campus.
/8 = 16,777,214 usable hosts. An entire large organisation.
/30 = 2 usable hosts. Point-to-point links between routers.
/32 = 1 host. Used for loopback addresses and host routes.

The old Class A/B/C system restricted networks to fixed sizes (/8, /16, or /24). CIDR (RFC 4632) removed that restriction, letting organisations use any prefix length. A company that needs 500 addresses can use a /23 (510 usable hosts) instead of wasting a /16 (65,534 hosts) or cramming into a /24 (254 hosts).

Knowing the size of a subnet only matters because your device uses the prefix to decide whether to send a packet directly or through a router.

6.2 How your device decides: local or remote?

Every time your device sends a packet, it makes a critical decision: is the destination on the same subnet (local) or a different subnet (remote)? The answer determines whether it uses ARP directly or sends the packet to the default gateway.

The device performs a bitwise AND between the destination IP and its own subnet mask. Then it does the same with its own IP address and the mask. If the results match, the destination is local. If they differ, it is remote.

Example: local delivery.Your device is 192.168.1.50/24. You want to reach 192.168.1.100. Apply the /24 mask (255.255.255.0) to both addresses. Your network address is 192.168.1.0. The destination's network address is also 192.168.1.0. They match. The destination is local. Your device uses ARP to find the destination's MAC address and sends the frame directly.

Example: remote delivery.Same device, but you want to reach 192.168.2.10. Apply the mask. Your network is 192.168.1.0. The destination's network is 192.168.2.0. They do not match. The destination is remote. Your device ARPs for the default gateway's MAC address and sends the frame to the router. The router takes it from there.

This decision happens for every single packet your device sends. It is defined in RFC 1122, Section 3.3.1.1. Getting the subnet mask wrong means your device makes the wrong decision for every packet, which is why a misconfigured mask can make the entire network unreliable.

The logic becomes intuitive quickly once you have worked through a few examples with real numbers.

6.3 Try it yourself

Use the subnetting calculator below to enter an IP address and prefix length. It will show you the network address, broadcast address, usable host range, and total number of hosts. Try a few different prefix lengths to see how the numbers change.

Subnetting gets you the right address range. The next question is whether that boundary actually protects anything, which is where most teams underestimate the risk.

6.4 Subnets are not security boundaries

A common mistake is assuming that putting two groups of devices on different subnets isolates them. It does not. A router's entire purpose is to forward traffic between subnets. If no firewall rules or access control lists (ACLs) are in place, traffic flows freely between subnets through the router.

VLANs (which you saw in Module 4) create Layer 2 isolation. Devices on VLAN 10 cannot send Ethernet frames to VLAN 20. But inter-VLAN routing through a Layer 3 switch or router reconnects them at Layer 3 unless you add explicit access controls.

NIST SP 800-207 (Zero Trust Architecture) makes this point directly: network location alone should not grant trust. Even devices on the same subnet should authenticate and authorise connections. Segmentation without enforcement provides broadcast isolation, not security.

Common misconception

Putting devices on different subnets isolates them from each other.

Subnets create logical separation, but a router connects them by design. Without firewall rules or ACLs between the subnets, traffic flows freely. For actual security, you need access controls at the boundary, not just different IP ranges. A VLAN without a firewall is a broadcast domain, not a security zone.

With the security distinction clear, it is worth noting that IPv6 largely removes the address-size anxiety that drives much of IPv4 subnetting practice.

6.5 Why IPv6 subnetting is simpler

IPv6 eliminates most of the mental arithmetic for ordinary LANs. Most IPv6 unicast subnets use a 64-bit interface identifier, which gives the familiar /64 subnet boundary: the first 64 bits are the network prefix and the last 64 bits identify the interface. RFC 7421 describes this 64-bit boundary as the de facto length for almost all IPv6 interface identifiers.

You will never run out of addresses in an IPv6 subnet. The subnetting question shifts from "how many hosts fit?" to "how many subnets do I need?" A typical ISP allocation gives an organisation a /48, which provides 65,536 subnets (16 bits of subnet space between the /48 prefix and the /64 interface identifier).

There are real exceptions. RFC 6164 standardises /127 prefixes for inter-router point-to-point links, and /128 is used for a single interface, loopback, or host route. The practical rule is: use /64 for normal IPv6 LAN segments and SLAAC, use the specialist prefixes when the link type or routing design calls for them.

IPv6 also removes the need for DHCP address assignment in many cases. SLAAC (Stateless Address Autoconfiguration, RFC 4862) lets devices generate their own address from the network prefix and their interface identifier. The router advertises the /64 prefix, and devices construct their full address automatically.

6.6 Check your understanding

A host at 10.0.1.50/24 wants to send a packet to 10.0.2.25. What does the host do?

How many usable host addresses are in a /26 subnet?

Two departments are on different subnets connected by a router with no ACLs. Can devices in Department A reach Department B?

A host is configured with IP 10.1.1.50 and mask /16, but the correct mask is /24. What happens when it tries to reach 10.1.2.10?

Core distinctions

  • A CIDR prefix (/24, /16, etc.) tells you how many bits are the network portion. Usable hosts = 2^(32 - prefix) minus 2.
  • Devices compare masked addresses to decide local vs remote. If the network portions match, deliver locally via ARP. If not, send to the default gateway.
  • A wrong subnet mask makes every packet go to the wrong place. It is one of the most common and frustrating misconfigurations.
  • Subnets provide logical separation, not security. Without firewalls or ACLs, routers forward traffic freely between subnets.

Standards and sources cited in this module

  1. RFC 4632, Classless Inter-domain Routing (CIDR)

    Full specification

    Defines CIDR notation and variable-length subnet masking. Referenced in Section 6.1.

  2. RFC 1122, Requirements for Internet Hosts: Communication Layers

    Section 3.3.1.1, Local/Remote Decision

    Defines the bitwise AND operation that determines local vs remote delivery. Referenced in Section 6.2.

  3. RFC 1918, Address Allocation for Private Internets

    Section 3, Private Address Space

    Defines the private ranges used in subnetting examples. Referenced in Section 6.1.

  4. RFC 7421, Analysis of the 64-bit Boundary in IPv6 Addressing

    Section 1, Introduction

    Explains the operational /64 boundary and its exceptions. Referenced in Section 6.5.

  5. RFC 6164, Using 127-Bit IPv6 Prefixes on Inter-Router Links

    Abstract and Section 5

    Defines the common /127 exception for point-to-point router links. Referenced in Section 6.5.

  6. NIST SP 800-207, Zero Trust Architecture

    Section 2, Zero Trust Basics

    States that network location alone should not grant trust. Referenced in Section 6.4.

  7. CompTIA Network+ N10-009 Exam Objectives

    Domain 1.0, Objective 1.4: Subnetting and IP addressing

    Tests CIDR calculations, VLSM, and local vs remote delivery decisions.

You now understand how the local-versus-remote decision works. Module 7 chains every step together: DNS, TCP, TLS, HTTP. You will trace a single web request from the moment you press Enter to the first byte of response, and learn what each failure looks like.

Module 6 of 21 in Foundations