Understanding IPv4 Subnetting (Part 1)

by Rik Farrow, updates by Corey Nachreiner

[Editor's note: If the difference between a bit and a byte stumps you, or if the term "IP addressing" seems foggy to you, you'll understand and enjoy this article much more if you first read "Understanding IP Addresses and Binary."]

Sure, you've heard of subnets. But if a crazed IT veteran glared at you and demanded, "Explain subnetting right now, or I'll have you fired for incompetence!," could you tell him much more than the vague idea that subnets have to do with TCP/IP networks? This Security Fundamentals article explains what IPv4 subnets are, what a subnet mask is, and how you might use them within your own network. In brief, subnets have to do with routing, but it'll take some explaining getting to that point -- enough that this will be a two-part article. (So try to avoid crazed IT veterans until you've read both parts.) By the way, subnets apply (in much the same way) to the more modern IPv6 protocol as well, but these articles will focus on IPv4 since that’s what most administrators still use.


Long ago, in a project far away...

Once upon a time, the entire Internet was very small. It was so small, in fact, that the entire Internet (then called the ARPANET) could use one byte, with a maximum value of 255, for addressing every connected computer. During this time, a group of graduate students working on a project at Stanford began writing a replacement for NCP, the early ARPANET protocol. They called their protocol TCP/IP, and allowed what they considered a generous size for addresses, four bytes.

What's more, they formatted the addresses so that the beginning of each address indicated which of three "classes" an address belonged to. The students had the notion that the Internet would be composed of a few very large networks (which they dubbed Class A), a larger number of medium sized networks (Class B), and many small networks (Class C). In the students' scheme, there were 126 Class A network addresses, 64,000 Class B network addresses, and almost 2 million Class C network addresses.

This construct didn't work out too well, because a Class C network could only contain 254 individual device addresses—a number restrictive enough that any medium-sized organization wanted a Class B all for its very own. By the early '90s, just as the Internet was becoming commercialized, the American Registry for Internet Numbers (ARIN) was running out of Class B network addresses.


Addressing the issues

(when addressing is the issue)

In the students' scheme, some of the four bytes of an IP address identified a network. The remainder of the address identified a particular machine, or host, on that network. In other words, any IP address is composed of one part network address and one part host address. In that sense, you could compare IP addresses to phone numbers. For example, if you wanted to call the US White House from Japan, you would dial 001 1 202 456 1414. The 001 1 represents the code to call from Japan to the US, 202 the area code, and 456 1414 the specific phone number. 001 1 202 corresponds to a network address, and 456 1414 to a host address.

But how much of a 32-bit IP address is the network address, and how much is the host address? The answer is a hearty "it depends." The student's addressing scheme split IP addresses into network and host addresses on byte boundaries. For example, a Class A address used the first byte to identify the network, and the remaining three bytes to identify individual hosts. Thus, in the address, the first byte (126.) is the network, and 10.11.12 is a host on the 126 network. Class B IP addresses, like, use the first two bytes (128.16) as the network address, and the last two bytes (.7.4) as the host address. In a Class C address, like, the network portion of the address takes up three bytes (204.176.22), leaving only a single byte for the host portion (.1).

Note that using a Class A address, you could address a mammoth number of hosts. Remember from the "Understanding IP Addresses and Binary" article that one byte can represent any value from 0 to 255? That means if you have three bytes available for identifying hosts, you could assign hosts IP addresses of 0.0.1, 0.0.2, 0.0.3, and so on, up to 255 (at least in theory; in practice, 255 is reserved for a special purpose). Then you could start over using 0.1.1, 0.1.2, et cetera. Working through all the possible combinations, the total amount of unique host IDs available in a Class A address is roughly 255 x 255 x 255 -- well over 16,000,000 available addresses! Following the same logic, a Class B network has two bytes left for host addresses, and two bytes allow us to address more than 65,000 hosts (255 x 255). And now you probably can grasp why a Class C address, using only one byte for addressing individual hosts, can only handle 254 devices. Why not 255 devices? I'll explain that in Part 2 of this article.

Given a generic IP address nnn.nnn.nnn.nnn (where "n" equals a number):

Network Class Network ID portion Host ID portion No. of unique hosts possible
A nnn. nnn.nnn.nnn more than 16,000,000
B nnn.nnn. nnn.nnn more than 65,000
C nnn.nnn.nnn. nnn 254


Now that you understand the history of IP address classes and how they're divided on byte boundaries, you're ready to grasp slash notation, a shorthand way of expressing network information. A Class A network address uses one byte, or eight bits, for the network address portion. To indicate this explicitly, administrators write /8, appended to the end of an IP address. When you see, you know it's a Class A address. A Class B uses two bytes, or 16 bits, written as /16. Class C appears as /24 (three eight-bit bytes). The important concept here is that in slash notation, the number after the slash tells you how many bits of an IP address is the network portion of the address. (You can readily calculate how many bits that leaves for the host portion of the address by subtracting the number of network bits from 32, the total number of bits in an IP address.)


How the Internet lost its class

When I left off my history of the Internet a few paragraphs ago, we had just seen that ARIN was running out of Class B network addresses. The Internet Engineering Task Force (IETF) eventually came up with a workaround. Instead of the original, rigid, network class splits on full-byte boundaries (/8, /16, and /24), they allowed Classless Internet Domain Routing (CIDR, pronounced like 'cider'). This birthed the modern way of talking about IP addresses, which ignores classes, and uses network notation instead. So if an organization wanted enough IP address space for one thousand systems, ARIN's choices were no longer limited to dispensing either four Class Cs (/24) or a Class B (/16) network. They could assign, for example, a /22. Twenty-two bits of the IP address would be used as the network address, and the remaining 10 bits would be used for host addresses, which would permit 1,024 addresses.

Another problem with IP addressing had surfaced in the mid-eighties. Some organizations wanted multiple network addresses, one for each network within their organization. Instead of giving out multiple network addresses, RFC 950 recommends the use of subnetworking, that is, using some portion of the IP address to indicate internal network addresses.

The problem with both using a CIDR (classless) network address, and splitting a network into subnetworks (abbreviated as subnets), was that TCP/IP was designed with the rigid Class system in mind. Certain addresses were assumed to have one, two or three bytes of network address. Specifically: - Class A, or /8 - Class B, or /16 - Class C, or /24


CIDR throws those assumptions away. In fact, this entire discussion of "classful" IP addresses is only necessary because of its long legacy on the Internet (and to help you understand Internet veterans who often use the old terminology). The problem was, in order to split IP addresses on any bit you wanted, there had to be some way of defining where that split in the IP address occurred. The answer for how to define subnets: use a subnet mask. It's a very important networking concept, and it's where we'll resume our discussion in "Understanding IPv4 Subnetting, Part 2".


Read More Security Fundamentals »


About WatchGuard

WatchGuard has deployed nearly a million integrated, multi-function threat management appliances worldwide. Our signature red boxes are architected to be the industry's smartest, fastest, and meanest security devices with every scanning engine running at full throttle. Why buy WatchGuard? Find out here.



  • Global Headquarters
    505 Fifth Avenue South, Suite 500
    Seattle, WA 98104, United States
  • Phone
    1.800.734.9905 US & Canada