Subnetting in plain language
By the end of this module you will be able to:
- Explain what a CIDR prefix means and calculate the number of usable addresses in a subnet
- Describe how a device decides whether a destination is local (same subnet) or remote (needs a router)
- Explain why a subnet boundary does not automatically create a security boundary
6.1 What the /24 actually means
In Module 5, you saw IP addresses written with a slash and a number, like 192.168.1.0/24. That number is the CIDR prefix length. It tells you how many of the 32 bits in the address belong to the network portion.
A /24 means the first 24 bits are the network address, and the remaining 8 bits are available for host addresses. Eight bits give you 2^8 = 256 possible values, but two are reserved: the first (192.168.1.0) is the network address, and the last (192.168.1.255) is the broadcast address. That leaves 254 usable host addresses.
Here are the most common prefix lengths you will encounter:
- /24 = 254 usable hosts. Standard for a small office or a single VLAN.
- /25 = 126 usable hosts. Half of a /24.
- /16 = 65,534 usable hosts. A building or campus.
- /8 = 16,777,214 usable hosts. An entire large organisation.
- /30 = 2 usable hosts. Point-to-point links between routers.
- /32 = 1 host. Used for loopback addresses and host routes.
The old Class A/B/C system restricted networks to fixed sizes (/8, /16, or /24). CIDR (RFC 4632) removed that restriction, letting organisations use any prefix length. A company that needs 500 addresses can use a /23 (510 usable hosts) instead of wasting a /16 (65,534 hosts) or cramming into a /24 (254 hosts).
6.2 How your device decides: local or remote?
Every time your device sends a packet, it makes a critical decision: is the destination on the same subnet (local) or a different subnet (remote)? The answer determines whether it uses ARP directly or sends the packet to the default gateway.
The device performs a bitwise AND between the destination IP and its own subnet mask. Then it does the same with its own IP address and the mask. If the results match, the destination is local. If they differ, it is remote.
Example: local delivery. Your device is 192.168.1.50/24. You want to reach 192.168.1.100. Apply the /24 mask (255.255.255.0) to both addresses. Your network address is 192.168.1.0. The destination's network address is also 192.168.1.0. They match. The destination is local. Your device uses ARP to find the destination's MAC address and sends the frame directly.
Example: remote delivery. Same device, but you want to reach 192.168.2.10. Apply the mask. Your network is 192.168.1.0. The destination's network is 192.168.2.0. They do not match. The destination is remote. Your device ARPs for the default gateway's MAC address and sends the frame to the router. The router takes it from there.
This decision happens for every single packet your device sends. It is defined in RFC 1122, Section 3.3.1.1. Getting the subnet mask wrong means your device makes the wrong decision for every packet, which is why a misconfigured mask can make the entire network unreliable.
6.3 Try it yourself
Use the subnetting calculator below to enter an IP address and prefix length. It will show you the network address, broadcast address, usable host range, and total number of hosts. Try a few different prefix lengths to see how the numbers change.
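The calculator described here and the local/remote decision from Section 6.2, as an added Python example that is not part of the module. It uses plain integer arithmetic rather than the ipaddress library so the bitwise AND is visible; it assumes /31 links count both addresses as usable (RFC 3021) and /32 is a single host route.

```python
# Added example (not the module's own code): subnet calculator plus the
# RFC 1122 local/remote decision, implemented with explicit bit operations.

def ip_to_int(ip: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits of 32 are set."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Network, broadcast, usable range and host count for e.g. '192.168.1.50/24'."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip) & mask               # the AND from Section 6.2
    broadcast = network | (~mask & 0xFFFFFFFF)   # all host bits set to 1
    size = 2 ** (32 - prefix)
    if prefix >= 31:
        # /32 is a host route (1 address); /31 is a point-to-point pair (RFC 3021).
        usable, first, last = size, network, broadcast
    else:
        usable, first, last = size - 2, network + 1, broadcast - 1
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "usable_hosts": usable,
    }

def is_local(own_ip: str, prefix: int, dest_ip: str) -> bool:
    """RFC 1122 3.3.1.1: local if own address and destination agree after masking."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(own_ip) & mask) == (ip_to_int(dest_ip) & mask)

if __name__ == "__main__":
    print(subnet_info("192.168.1.50/24"))
    # Wrong mask (/16 instead of /24): the host wrongly treats 10.1.2.10 as local
    print(is_local("10.1.1.50", 16, "10.1.2.10"), is_local("10.1.1.50", 24, "10.1.2.10"))
```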
6.4 Subnets are not security boundaries
A common mistake is assuming that putting two groups of devices on different subnets isolates them. It does not. A router's entire purpose is to forward traffic between subnets. If no firewall rules or access control lists (ACLs) are in place, traffic flows freely between subnets through the router.
VLANs (which you saw in Module 4) create Layer 2 isolation. Devices on VLAN 10 cannot send Ethernet frames to VLAN 20. But inter-VLAN routing through a Layer 3 switch or router reconnects them at Layer 3 unless you add explicit access controls.
NIST SP 800-207 (Zero Trust Architecture) makes this point directly: network location alone should not grant trust. Even devices on the same subnet should authenticate and authorise connections. Segmentation without enforcement provides broadcast isolation, not security.
Common misconception
“Putting devices on different subnets isolates them from each other.”
Subnets create logical separation, but a router connects them by design. Without firewall rules or ACLs between the subnets, traffic flows freely. For actual security, you need access controls at the boundary, not just different IP ranges. A VLAN without a firewall is a broadcast domain, not a security zone.
6.5 Why IPv6 subnetting is simpler
IPv6 eliminates most of the mental arithmetic. RFC 4291 standardises a /64 prefix for every subnet. The first 64 bits are the network prefix. The last 64 bits are the interface identifier (roughly 18.4 quintillion addresses per subnet).
You will never run out of addresses in an IPv6 subnet. The subnetting question shifts from "how many hosts fit?" to "how many subnets do I need?" A typical ISP allocation gives an organisation a /48, which provides 65,536 subnets (16 bits of subnet space between the /48 prefix and the /64 interface identifier).
IPv6 also removes the need for DHCP address assignment in many cases. SLAAC (Stateless Address Autoconfiguration, RFC 4862) lets devices generate their own address from the network prefix and their interface identifier. The router advertises the /64 prefix, and devices construct their full address automatically.
- A host at 10.0.1.50/24 wants to send a packet to 10.0.2.25. What does the host do?
- How many usable host addresses are in a /26 subnet?
- Two departments are on different subnets connected by a router with no ACLs. Can devices in Department A reach Department B?
- A host is configured with IP 10.1.1.50 and mask /16, but the correct mask is /24. What happens when it tries to reach 10.1.2.10?
Key takeaways
- A CIDR prefix (/24, /16, etc.) tells you how many bits are the network portion. Usable hosts = 2^(32 - prefix) minus 2.
- Devices compare masked addresses to decide local vs remote. If the network portions match, deliver locally via ARP. If not, send to the default gateway.
- A wrong subnet mask makes every packet go to the wrong place. It is one of the most common and frustrating misconfigurations.
- Subnets provide logical separation, not security. Without firewalls or ACLs, routers forward traffic freely between subnets.
Standards and sources cited in this module
RFC 4632, Classless Inter-domain Routing (CIDR)
Full specification
Defines CIDR notation and variable-length subnet masking. Referenced in Section 6.1.
RFC 1122, Requirements for Internet Hosts: Communication Layers
Section 3.3.1.1, Local/Remote Decision
Defines the bitwise AND operation that determines local vs remote delivery. Referenced in Section 6.2.
RFC 1918, Address Allocation for Private Internets
Section 3, Private Address Space
Defines the private ranges used in subnetting examples. Referenced in Section 6.1.
RFC 4291, IP Version 6 Addressing Architecture
Section 2.5.1, Interface Identifiers
Defines the /64 standard prefix for IPv6 subnets. Referenced in Section 6.5.
NIST SP 800-207, Zero Trust Architecture
Section 2, Zero Trust Basics
States that network location alone should not grant trust. Referenced in Section 6.4.
CompTIA Network+ N10-009 Exam Objectives
Domain 1.0, Objective 1.4: Subnetting and IP addressing
Tests CIDR calculations, VLSM, and local vs remote delivery decisions.
You now understand how the local-versus-remote decision works. Module 7 chains every step together: DNS, TCP, TLS, HTTP. You will trace a single web request from the moment you press Enter to the first byte of response, and learn what each failure looks like.
Module 6 of 21 in Foundations