The Problem With One Giant Network
Place 500 devices on a single flat network and you will quickly run into three problems. First, every host must receive and process every broadcast frame (ARP requests, DHCP discovers, and the like), even those that concern only one other device; this broadcast traffic consumes bandwidth and CPU cycles on every host. Second, there are no natural security boundaries: a compromised laptop on guest Wi-Fi can open connections directly to your accounting servers, and nothing in the path is positioned to stop it. Third, troubleshooting becomes a nightmare, because an IP conflict or a misbehaving device could be anywhere in the entire address space.
Subnetting solves all three by dividing one large IP block into smaller, logically isolated segments. Each subnet is its own broadcast domain. Traffic between subnets must pass through a router (or Layer 3 switch), where you can apply firewall rules, QoS policies, and access control lists. The result is a network that performs better, fails in smaller pieces, and is far easier to manage.
How Subnetting Works: The Binary Math
Every IPv4 address is 32 bits long, written as four decimal octets (e.g., 192.168.10.45). Subnetting works by borrowing bits from the host portion of the address and reassigning them to the network portion. The dividing line between network and host bits is defined by the subnet mask.
A subnet mask is also 32 bits. Bits set to 1 indicate the network portion; bits set to 0 indicate the host portion. The mask 255.255.255.0 in binary is 24 consecutive 1-bits followed by 8 zeros—so in CIDR notation it is written as /24.
When you extend the mask from /24 to /25, you borrow one host bit. That one bit doubles the number of subnets (from 1 to 2) and halves the number of hosts per subnet (from 254 to 126 usable). The pattern continues:
- /24: 1 subnet of 254 usable hosts
- /25: 2 subnets of 126 usable hosts each
- /26: 4 subnets of 62 usable hosts each
- /27: 8 subnets of 30 usable hosts each
- /28: 16 subnets of 14 usable hosts each
- /29: 32 subnets of 6 usable hosts each
- /30: 64 subnets of 2 usable hosts each (point-to-point links)
Two addresses in every subnet are always reserved: the network address (all host bits = 0) and the broadcast address (all host bits = 1). This is why a /24 with 256 total addresses yields only 254 usable hosts.
Subnet Masks vs. CIDR Notation
Subnet masks and CIDR prefix lengths are two notations for the same information. Network engineers use both interchangeably:
| CIDR Prefix | Subnet Mask | Total Addresses | Usable Hosts |
|---|---|---|---|
| /16 | 255.255.0.0 | 65,536 | 65,534 |
| /20 | 255.255.240.0 | 4,096 | 4,094 |
| /24 | 255.255.255.0 | 256 | 254 |
| /25 | 255.255.255.128 | 128 | 126 |
| /26 | 255.255.255.192 | 64 | 62 |
| /28 | 255.255.255.240 | 16 | 14 |
| /30 | 255.255.255.252 | 4 | 2 |
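The binary math described above and the mask/prefix table, as working code. This is an added example, not code from the original article: it does the network, broadcast, usable-host and subnet-splitting arithmetic with bit operations and cross-checks each result against Python's standard `ipaddress` module. It also rejects non-contiguous masks such as 255.255.0.255, which have 24 one-bits but are not valid subnet masks, and it treats /31 as having two usable addresses per RFC 3021 (discussed under Pro Tips). The addresses used are the article's own examples.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_int(prefix: int) -> int:
    """Integer mask for a prefix length: `prefix` leading one-bits, then zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def prefix_to_mask(prefix: int) -> str:
    """/20 -> '255.255.240.0'"""
    return str(ipaddress.IPv4Address(mask_int(prefix)))


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.128' -> 25. Rejects masks whose one-bits are not contiguous."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    if m != mask_int(ones):
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def network_and_broadcast(addr: str, prefix: int) -> tuple:
    """Network = host bits cleared (AND with mask); broadcast = host bits set."""
    a = int(ipaddress.IPv4Address(addr))
    m = mask_int(prefix)
    net = a & m
    bcast = net | (~m & ALL_ONES)
    return str(ipaddress.IPv4Address(net)), str(ipaddress.IPv4Address(bcast))


def usable_hosts(prefix: int) -> int:
    """2^(host bits) minus network and broadcast; /31 (RFC 3021) and /32 reserve nothing."""
    total = 1 << (32 - prefix)
    return total if prefix >= 31 else total - 2


def split(block: str, new_prefix: int) -> list:
    """Borrow host bits: carve `block` into 2^(new_prefix - old_prefix) equal subnets."""
    parent = ipaddress.IPv4Network(block, strict=True)  # strict: rejects "192.168.10.45/24"
    if not parent.prefixlen <= new_prefix <= 32:
        raise ValueError("new prefix must be at least as long as the parent's")
    size = 1 << (32 - new_prefix)
    base = int(parent.network_address)
    result = []
    for i in range(1 << (new_prefix - parent.prefixlen)):
        start = str(ipaddress.IPv4Address(base + i * size))
        net, bcast = network_and_broadcast(start, new_prefix)
        # Cross-check the hand-rolled bit math against the standard library.
        ref = ipaddress.IPv4Network(f"{net}/{new_prefix}")
        assert str(ref.broadcast_address) == bcast, "bit math disagrees with ipaddress"
        result.append({"network": f"{net}/{new_prefix}", "broadcast": bcast,
                       "usable": usable_hosts(new_prefix)})
    return result


if __name__ == "__main__":
    for p in (16, 20, 24, 25, 26, 28, 30, 31):
        print(f"/{p:<3} {prefix_to_mask(p):<16} total={1 << (32 - p):<6} usable={usable_hosts(p)}")
    print(network_and_broadcast("192.168.10.45", 24))
    for s in split("192.168.10.0/24", 26):
        print(s)
```

Running the script prints the article's table, the network and broadcast addresses for 192.168.10.45/24, and the four /26 subnets obtained by borrowing two host bits from 192.168.10.0/24.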
Subnets vs. VLANs: Understanding the Difference
Subnets operate at Layer 3 (the IP layer). VLANs operate at Layer 2 (the Ethernet frame layer). In most modern network designs, they work together: each VLAN is mapped to a subnet, and inter-VLAN routing is handled by a Layer 3 switch or router. The VLAN creates the broadcast domain at Layer 2; the subnet defines the IP addressing within it.
You can have a subnet without a VLAN (common in simple routed networks), and a single VLAN can carry more than one subnet (secondary addressing on the gateway), though this is rare and usually indicates a design problem. The most important distinction: if two devices are in the same subnet but different VLANs, they cannot communicate at all. Each believes the other is on-link and ARPs for it, but the ARP broadcast never crosses the VLAN boundary, and a router cannot help, because it would need the same subnet configured on two interfaces, which ordinary routing does not permit. If they are in the same VLAN but different subnets, they cannot communicate directly either: each host treats the other as off-net and hands the packet to its default gateway, so traffic flows only if a router on that VLAN holds an address in both subnets and is configured as the gateway on both sides.
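The host-side forwarding decision that the paragraph above describes, as an added example (not code from the original article). Given its own address, prefix and default gateway, a host either ARPs for the destination directly, hands the packet to the gateway, or has nowhere to send it. Evaluating both directions exposes the common troubleshooting case of two hosts on one VLAN with mismatched masks, where traffic flows one way only. The addresses are constructed for illustration; the model covers only the IP decision, so a VLAN boundary is invisible to it, which is exactly why same-subnet, different-VLAN hosts fail: the ARP that "direct" implies never gets an answer.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# (ip, prefix length, default gateway or None)
Host = Tuple[str, int, Optional[str]]


def next_hop(src_ip: str, src_prefix: int, gateway: Optional[str], dst_ip: str) -> str:
    """What a host with src_ip/src_prefix does with a packet addressed to dst_ip."""
    iface = ipaddress.IPv4Interface(f"{src_ip}/{src_prefix}")
    dst = ipaddress.IPv4Address(dst_ip)
    if dst in iface.network:
        return "direct"                      # ARP for dst on the host's own VLAN
    if gateway is None:
        return "unreachable"                 # off-net and no default route
    gw = ipaddress.IPv4Address(gateway)
    if gw not in iface.network:
        return "unreachable (gateway is off-link)"   # cannot even ARP for the gateway
    return f"via {gateway}"                  # ARP for the gateway, not the destination


def reachability(a: Host, b: Host) -> Dict[str, str]:
    """Both directions between two hosts that share one VLAN (one Layer 2 domain)."""
    return {"a_to_b": next_hop(a[0], a[1], a[2], b[0]),
            "b_to_a": next_hop(b[0], b[1], b[2], a[0])}


if __name__ == "__main__":
    # Same VLAN, different subnets, no gateway: neither side can reach the other.
    print(reachability(("10.1.0.10", 24, None), ("10.1.1.5", 24, None)))
    # Same VLAN, mismatched masks: A thinks B is on-link, B thinks A is off-net.
    print(reachability(("10.1.0.10", 24, None), ("10.1.0.200", 25, None)))
    # Properly routed: both sides hand off to a gateway inside their own subnet.
    print(reachability(("10.1.0.10", 24, "10.1.0.1"), ("10.1.1.5", 24, "10.1.1.1")))
```

The mismatched-mask case is worth remembering: A (a /24) ARPs for B and B answers, because ARP replies do not consult the subnet mask, so A's packets arrive, but B's replies are off-net by B's /25 and die without a gateway. One-way ping is the classic symptom.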
Real-World Subnetting Design Patterns
Most enterprise and campus networks follow a hierarchical addressing scheme:
- Server VLAN: A /25 or /24 block for physical and virtual servers. Often placed in a DMZ for externally reachable services, with a separate internal segment for databases and management systems.
- User workstations: Separate /22 or /23 blocks per floor or building, each acting as its own broadcast domain. This prevents a single broadcast storm from affecting the entire campus.
- Voice/VoIP: A dedicated subnet (often a /24 or smaller) with QoS markings to ensure low latency for voice traffic. Keeping voice and data traffic on separate subnets simplifies QoS policy enforcement.
- Guest Wi-Fi: An isolated subnet with no access to internal resources. Internet-only routing, usually behind a separate firewall or VLAN with strict ACLs.
- IoT/OT devices: Cameras, HVAC controllers, printers, and other embedded devices belong in their own subnet, strictly firewalled from production systems. IoT devices are among the most commonly exploited entry points.
- Management network: A separate /27 or /28 block accessible only via jump host or VPN, used for out-of-band management of switches, routers, and servers. This network has no internet access and is firewalled from all user segments.
VLSM: Right-Sizing Every Subnet
Variable Length Subnet Masking (VLSM) lets you use different prefix lengths within the same parent block, allocating exactly the right number of addresses to each segment. Without VLSM, you would have to make every subnet the same size—wasteful when some segments need 200 hosts and others need only 2.
Example: Starting with 10.1.0.0/24, you need three subnets: one for 100 hosts, one for 50 hosts, and one for a router-to-router link. Using VLSM:
- 10.1.0.0/25: 126 usable hosts (for the 100-host segment)
- 10.1.0.128/26: 62 usable hosts (for the 50-host segment)
- 10.1.0.192/30: 2 usable hosts (for the router link)
That consumes 196 of the 256 addresses (128 + 64 + 4) with no overlap and leaves 10.1.0.196 through 10.1.0.255 free for later growth. Note the order: allocate the largest subnet first, so that each smaller one begins on a boundary that is a multiple of its own size. Without VLSM, three equal-size /24s would consume 768 addresses to serve 152 hosts.
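The VLSM example above and the campus address plan from the design patterns section, as a working allocator. This is an added example and not code from the original article. It picks the shortest prefix that covers each segment's host count, places segments largest-first from a parent block so every child lands on an aligned boundary, verifies that no two allocations overlap, and reports how much of the parent is consumed. The optional `headroom` factor implements the "plan for growth" advice from the Pro Tips; the 10.20.0.0/16 campus plan and its per-segment host counts are constructed for illustration.

```python
import ipaddress
import math
from typing import Dict, List


def prefix_for(hosts: int) -> int:
    """Shortest prefix whose usable count (2^bits - 2) covers `hosts`.
    Follows the article's /30 convention for 2-host links rather than RFC 3021 /31."""
    for bits in range(2, 31):
        if (1 << bits) - 2 >= hosts:
            return 32 - bits
    raise ValueError(f"{hosts} hosts will not fit in a single subnet")


def allocate(parent: str, demands: Dict[str, int], headroom: float = 0.0) -> List[dict]:
    """Carve `parent` into right-sized subnets, one per named segment.

    Largest-first ordering is what keeps sequential allocation valid: every
    subnet size is a power of two, so after placing only equal-or-larger
    blocks the cursor is always a multiple of the next block's size."""
    block = ipaddress.IPv4Network(parent)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    plan = []
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        need = math.ceil(hosts * (1 + headroom))
        p = prefix_for(need)
        size = 1 << (32 - p)
        if cursor + size > end:
            raise ValueError(f"{parent} exhausted while placing {name} (/{p} for {need} hosts)")
        net = ipaddress.IPv4Network((cursor, p))   # strict: fails if cursor were misaligned
        plan.append({"name": name, "subnet": str(net), "requested": hosts, "usable": size - 2})
        cursor += size
    # Safety net: the arithmetic above should never produce overlap, but check anyway.
    nets = [ipaddress.IPv4Network(e["subnet"]) for e in plan]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            assert not a.overlaps(b), f"overlap: {a} {b}"
    return plan


def addresses_used(plan: List[dict]) -> int:
    return sum(ipaddress.IPv4Network(e["subnet"]).num_addresses for e in plan)


# Constructed campus plan (illustrative host counts, not from any real network).
CAMPUS = {"workstations": 1000, "servers": 200, "voice": 120,
          "guest": 100, "iot": 60, "mgmt": 25}

if __name__ == "__main__":
    small = allocate("10.1.0.0/24", {"users": 100, "servers": 50, "uplink": 2})
    for e in small:
        print(f"{e['name']:<13} {e['subnet']:<18} requested={e['requested']:<4} usable={e['usable']}")
    print("addresses used:", addresses_used(small), "of 256")
    for e in allocate("10.20.0.0/16", CAMPUS):
        print(f"{e['name']:<13} {e['subnet']:<18} requested={e['requested']:<4} usable={e['usable']}")
```

Rerunning the first allocation with `headroom=0.5` fails: the 100-host segment grows to 150 and needs a /24, which consumes the whole parent before the other two segments are placed. That is the kind of worst-case growth check the Pro Tips recommend doing on paper before the plan ships.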
Common Misconceptions
Misconception 1: Subnetting Reduces the Total Number of Available IPs
Subnetting does not destroy address space. You lose two addresses per subnet (network and broadcast), so splitting one /24 into eight /27s costs you 16 addresses (2 × 8) instead of 2. In practice each subnet also needs a gateway address, so budget three per subnet rather than two. This is a small, fixed cost, and the total usable addresses in the parent block stay essentially the same.
Misconception 2: A Bigger Subnet Mask Is Always Better
A longer prefix (a larger number after the slash, like /28) means a smaller subnet with fewer hosts, because more of the 32 bits are spent identifying the network and fewer remain for hosts. The confusion comes from reading the prefix as a size when it actually counts network bits. Decide whether you need more subnets or more hosts per subnet before choosing a prefix length.
Misconception 3: Subnetting Alone Provides Security
Subnetting creates boundaries that require routing to cross. But unless you place an access control list or firewall on the router performing that inter-subnet routing, traffic between subnets is unrestricted. Conversely, traffic between two hosts in the same subnet never touches the router at all, so no ACL there can see it; anything you want to filter must first be placed on opposite sides of a Layer 3 boundary. Subnetting creates the opportunity to enforce security; it does not enforce it automatically.
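The point above, as an added example (not code from the original article): a first-match inter-subnet policy evaluated over sample flows. With `default="allow"` the evaluator models a router with no ACL, which forwards everything between subnets; with the default-deny policy only the listed flows pass. Intra-subnet flows short-circuit to "allow-intra-subnet" because they never reach the router. The address plan, jump host address and flows are constructed for illustration, and 192.0.2.123 is a documentation address standing in for an external NTP server.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed address plan (illustrative, not from any real network).
ZONES = {
    "workstations": ipaddress.IPv4Network("10.20.0.0/22"),
    "servers":      ipaddress.IPv4Network("10.20.4.0/24"),
    "guest":        ipaddress.IPv4Network("10.20.5.128/25"),
    "iot":          ipaddress.IPv4Network("10.20.6.0/26"),
    "mgmt":         ipaddress.IPv4Network("10.20.6.64/27"),
}
INTERNAL = ipaddress.IPv4Network("10.20.0.0/16")
ANY = ipaddress.IPv4Network("0.0.0.0/0")
JUMP_HOST = ipaddress.IPv4Network("10.20.4.10/32")   # constructed; lives in the server zone

# (action, source, destination, allowed TCP/UDP ports or None for any). First match wins.
Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network, Optional[set]]
RULES: List[Rule] = [
    ("deny",  ZONES["iot"], INTERNAL, None),          # IoT never talks to anything internal...
    ("allow", ZONES["iot"], ANY, {123}),              # ...but may reach external NTP
    ("allow", ZONES["workstations"], ZONES["servers"], {443, 445}),
    ("allow", JUMP_HOST, ZONES["mgmt"], {22}),        # only the jump host reaches management
]


def evaluate(src: str, dst: str, port: int, rules: List[Rule] = RULES, default: str = "deny") -> str:
    """Verdict for one flow. `default` is what the router does when no rule matches:
    'deny' models an ACL with an implicit deny, 'allow' models a router with no ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for net in ZONES.values():
        if s in net and d in net:
            return "allow-intra-subnet"   # switched at Layer 2; the router never sees it
    for action, src_net, dst_net, ports in rules:
        if s in src_net and d in dst_net and (ports is None or port in ports):
            return action
    return default


# Constructed sample flows: (description, src, dst, port).
FLOWS = [
    ("guest laptop -> accounting server SMB", "10.20.5.200", "10.20.4.20", 445),
    ("workstation -> server HTTPS",          "10.20.1.15",  "10.20.4.20", 443),
    ("workstation -> server SSH",            "10.20.1.15",  "10.20.4.20", 22),
    ("camera -> switch mgmt SSH",            "10.20.6.5",   "10.20.6.70", 22),
    ("camera -> external NTP",               "10.20.6.5",   "192.0.2.123", 123),
    ("jump host -> switch mgmt SSH",         "10.20.4.10",  "10.20.6.70", 22),
    ("workstation -> workstation SMB",       "10.20.1.15",  "10.20.2.30", 445),
]

if __name__ == "__main__":
    for desc, s, d, p in FLOWS:
        print(f"{desc:<40} no-ACL router: {evaluate(s, d, p, default='allow'):<20} "
              f"default-deny ACL: {evaluate(s, d, p)}")
```

Two things stand out in the output. The guest-to-accounting flow is allowed by the bare router and denied only once an ACL exists, which is the misconception in one line. And the workstation-to-workstation flow is allowed under both policies, because nothing at Layer 3 ever sees it: if that traffic must be controlled, the two hosts have to be in different subnets first.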
Misconception 4: Home Networks Don't Need Subnetting
A flat home network works fine at small scale. But as soon as you add a home server, a NAS, smart home devices, and guest Wi-Fi, a single subnet becomes a security liability. Putting IoT devices on a separate subnet and firewalling them from your computers is a meaningful security improvement available to anyone with a modern router.
Pro Tips
- Memorize the common subnet boundaries: a /24 starts at 0, a /25 at 0 or 128, a /26 at 0, 64, 128, or 192, a /27 at multiples of 32, a /28 at multiples of 16. In general, a subnet always starts at a multiple of its own size. These anchor points make mental subnet calculations much faster during exams or troubleshooting sessions.
- Use an IPAM tool from day one. Even a free tool like NetBox or phpIPAM eliminates the overlapping allocations that invariably appear when subnet planning lives in spreadsheets shared across multiple engineers.
- Always reserve a /27 or /28 for network infrastructure. Routers, switches, firewalls, and management interfaces should live in a dedicated management subnet that is never shared with user devices.
- Document your subnetting scheme with intent, not just numbers. A spreadsheet column saying "VLAN 20 — Finance" is less useful than "VLAN 20 — Finance workstations — no access to HR VLAN 30 per policy." The reasoning matters when the original engineer is gone.
- Test your subnet design under worst-case growth. If a department doubles in size, does your subnet still have room? Plan for at least 50% headroom in any segment that is expected to grow.
- Use /31 masks for point-to-point links on modern gear. RFC 3021 allows /31 subnets on point-to-point links, giving you 2 usable addresses with no wasted network/broadcast overhead. Most modern routers support this.
Subnetting is the foundational skill that enables everything else in IP networking, from firewall policy design to cloud VPC architecture. Once you are comfortable with the math and the design patterns, every other networking concept becomes easier to reason about.