Understanding IPv4 Subnetting (Part 2)

by Rik Farrow and Scott Pinzon, with updates by Corey Nachreiner

[Editor's note: This article continues our attempt to explain the complex subject of subnetting in terms you can understand even if you're not a rocket scientist. If these concepts are new to you, you'll increase your comprehension by reading Corey Nachreiner's prequel, "Understanding IP Addresses and Binary," and then Rik Farrow's "Understanding IPv4 Subnetting (Part 1)."]

In Part 1, I explained how an IP address is really two addresses in one: part of it is a network address, and part of it is a host address. This split between the network and host portions of the address formerly occurred predictably, on full-byte boundaries. But newer addressing techniques, aimed at stretching the finite number of addresses available to the ever-growing Internet, now allow an IP address to be split anywhere within its 32 bits.

Because of the history of TCP/IP, your operating system (which provides you with TCP/IP) still expects you to use the old Class system. If you use an address in the Class C range, say, your operating system will automatically think of it as a /24 address: the first three bytes indicate a network address. But suppose you don't want to be a /24 network. Suppose you want it to be a /26. How do you, the administrator, impose your iron will upon IP addressing? By specifying a subnet mask. Your network has always had one. But in this case, you are seizing control by specifying one that differs from the Class C default.

To understand how a subnet mask works, we have to go back to binary, because that's what your computers understand. So, in binary, is:


(If you don't understand where we got that value, see Corey's article.)

The subnet mask is simply a binary value that uses ones to represent how many bits (out of the 32-bit IP address) represent the network portion of the address. Zeros indicate the host portion of the address. So if you want a /26 address, you want 26 bits of the IP address to indicate the network and 6 bits for indicating host addresses, written like this:


To change a Class C address (or any class of address) into a classless CIDR address, you supply a subnet mask which differs from the "classful" default subnet mask. Your computer uses this subnet mask to "mask off" the network portion of the address, reminiscent of the way an usher in a theater might put velvet ropes around rows of seats reserved for a large group. The easy way to understand masking is to count the number of one bits in the subnet mask, because that is how many bits of the IP address will become the network portion. The hard way is to imagine how your operating system does this: by using a CPU operation known as a Logical or Binary AND. Without plunging deep into math theory -- in other words, defer knowing "why" -- let's stipulate that in this operation, 1 + 1 = 1, and 1 + [anything else] = 0. If that's hard to wrap your head around, think of 1 as "true" and zero as "false." The truth plus more truth equals truth. The truth plus anything false is no longer the truth. Using this Boolean logic, combining our sample IP address ( with our sample subnet mask (/26) produces this result:

+ 11111111.11111111.11111111.11000000

Convert the answer back to decimal, and you still have -- but because you've specified a non-standard subnet mask, your OS now understands that this is, and that this network's range is 64 addresses rather than 256.


Bits of Pain

You don't have to go through the painful labor of calculating binary every time you want to specify a subnet. Though your OS uses binary bits internally, your OS permits you to specify the subnet mask in decimal or in slash notation. If you'll recall Corey's article, a full byte with all eight bits turned on (11111111) adds up to a value of 255 (128 + 64 + 32 + 16 + 8 + 4 + 2 + 1), so when subnet masks are expressed in decimal, you'll often see some 255s. For example, the decimal representation for /16 becomes

So, just to create another example, what is the subnet mask for a /22 address? Well, first there will be 22 ones, and the rest zeroes, or 11111111.11111111.11111100.00000000, or Converting the binary into decimal can get tricky, so it's nice to have a calculator or computer program that does the math for you, or a table. You can find such "cheats" all over the Web, including these:

This is also why slash notation is so nice (no binary-to-decimal conversions).


Why Subnet?

If you've followed the logic thus far, you might wonder, "Was this trip really necessary?" The answer: yes, because subnetting lets you split a single network address into many subnets.

Remember, every time an individual host on your network receives another packet of data, the one thing that host wants to know is, What do I do with this? For example, take a typical networked host, called Gandalf. Gandalf assesses every outgoing packet's Destination field in its IP header to decide whether the packet's destination is "local" or "not local." If the destination is local, Gandalf consults an ARP table for the MAC address of the destination machine, then sends the packet to it. If the destination is not local, Gandalf forwards the packet to his all-knowing buddy that handles everything else, a device we refer to as the default gateway. (This is some kind of device that routes, whether an actual router or something that can perform routing, such as your Firebox.) How does Gandalf define "local"? Simple: local is any device having the same subnet address as Gandalf.

Subnets are used throughout the Internet. But you can decide to use subnetting yourself on your own network, if you want. You can subnet for any reason, including security reasons -- for example, to split a single network into two or more parts, using one or more routers to connect each subnet together. Using routers means that broadcasts will (generally) be limited to each subnet. You could also use the Optional and Trusted interfaces of a Firebox to isolate two subnets, even if they were both internal networks. You can subnet to ease troubleshooting. Tracing a problem on a network segment is easier if the network has been cut into halves through subnetting; you're dealing with fewer hosts at a time.

Though at one time subnetting implied breaking your network down into shorter physical segments, today subnetting is not necessarily tied to the physical world. You can subnet simply because you want each department (or remote office, or floor in your highrise, or building on your campus, or ...) to have its own subnet address. You can decide, for example, that anything beginning with 192.168.100 indicates mobile users, and, say, 192.168.200 indicates executive users. You can make wireless addresses instantly recognizable to you, so you can keep an eye on them in your logs easily. Or whatever -- use your imagination!


But don't start yet...

Before you begin slicing and dicing your own subnets, we have to take another side adventure into the history of TCP/IP. Note that even though there are 256 possible addresses when we use one byte (0 through 255), you will only be able to use 254. This is because an address of all ones, or 255 in this case, is reserved for the broadcast address and an address of all zeroes is reserved for the network address. The broadcast address means "Send to all hosts on this network segment," so it obviously cannot be used as an individual host address. The network address is reserved for more traditional reasons.

As an example, suppose someone wanted to split their Class C network up into four smaller CIDR networks. Dividing the 256 possible addresses in a Class C network by 4 tells us each subnet can have 64 addresses. (However, for the reasons I just cited, only 62 of those addresses can be used for hosts.) Instead of using a Class C subnet mask of, or /24, you would use, or /26. This works because it leaves six bits (out of the 32 bits in an IP address) for addressing hosts. Six bits (32 + 16 + 8 + 4 + 2 + 1) is enough to make 64 addresses (the bits total 63, but 0 also counts as one of the addresses).

In Part 1, I pointed out that an IP address is two addresses in one: a network address, and a host address. When you specify a subnet mask, you could say that the portion that defines the subnet has been "borrowed" out of the host address portion and added to the network portion. Thus, the router that connects your subnets can determine which addresses belong to which subnet by considering the first two bits of (what was) the host address as being part of the (newly changed) network address.

How does IP addressing look when you slice up a network this way? Let's use as the Class C network address to split up.

Subnet #

Network Address

Broadcast Address

Usable Host Addresses

1 to 62

2 to 126

3 to 190

4 to 254


The routing for this will work whether all four subnets are on the same physical wire or not, as long as you have at least one strategically placed router that knows what's going on.

The binary arithmetic involved in using CIDR block addressing is painful. It is much easier to start with another private network address space, say, and use the third byte to represent internal subnets:,,, and so on. Now you use the default ( or "classful") subnet mask of (or /24) and each subnet includes 254 host addresses. See how much easier it is to start with a Class B (/16) network, and split it into 254 Class Cs (/24)? Perhaps the designers of TCP/IP weren't so dumb after all when they chose to use byte boundaries in the initial network addressing scheme.

Subnets aren't black magic — just a place where administrators come face to face with binary arithmetic, often for the first time. We've barely scratched the surface of this topic. But at least now when networking experts are having one of those subnetting conversations where the technical concepts seem to rush past you at superhighway speeds, you have an onramp. You've got enough basics to join in the fun. Use your new powers wisely!


Read More Security Fundamentals »


About WatchGuard

WatchGuard has deployed nearly a million integrated, multi-function threat management appliances worldwide. Our signature red boxes are architected to be the industry's smartest, fastest, and meanest security devices with every scanning engine running at full throttle. Why buy WatchGuard? Find out here.



  • Global Headquarters
    505 Fifth Avenue South, Suite 500
    Seattle, WA 98104, United States
  • Phone
    1.800.734.9905 US & Canada