Screen version
Adjacent Node
Networking, explained. No BS.

IPv4 Subnetting

What It Is

IPv4 subnetting divides address space into routed prefixes. In modern networks, think in CIDR prefixes, not classful A/B/C networks. The useful question is usually: how many addresses does this prefix provide, where does it route, and what can it summarize?

Fast Math

Prefix Mask Total Addresses Usual Host Addresses Common Use
/32 255.255.255.255 1 1 Host route, loopback, exact match
/31 255.255.255.254 2 2 Point-to-point links
/30 255.255.255.252 4 2 Legacy point-to-point links
/29 255.255.255.248 8 6 Small handoff, small service segment
/28 255.255.255.240 16 14 Small LAN, firewall transit
/27 255.255.255.224 32 30 Small user or device VLAN
/26 255.255.255.192 64 62 Medium VLAN
/25 255.255.255.128 128 126 Large VLAN
/24 255.255.255.0 256 254 Common LAN boundary
/23 255.255.254.0 512 510 Larger LAN or summary block
/22 255.255.252.0 1,024 1,022 Larger site block
/21 255.255.248.0 2,048 2,046 Campus or regional block
/20 255.255.240.0 4,096 4,094 Large summary block
/16 255.255.0.0 65,536 65,534 Large private allocation
/12 255.240.0.0 1,048,576 1,048,574 RFC 1918 172.16.0.0/12
/8 255.0.0.0 16,777,216 16,777,214 RFC 1918 10.0.0.0/8

Modern note: /31 is valid for point-to-point router links. The two addresses are both usable endpoints. Do not use /31 on a broadcast LAN unless the platform and design explicitly support it.

Core Formulas

Need Formula Example
Total addresses 2^(32 - prefix) /24 = 256
Usual host addresses 2^(32 - prefix) - 2 /24 = 254
Prefix from host bits 32 - host_bits 8 host bits = /24
Block size in interesting octet 256 - mask_octet /26 mask octet 192, block size 64

Watch out: the -2 host rule does not apply to /31 point-to-point links or /32 host routes.

Interesting Octet

Find the octet where the mask is not 255 or 0. The block size is 256 - mask value.

Prefix Mask Interesting Octet Block Size Network Boundaries
/25 255.255.255.128 4 128 .0, .128
/26 255.255.255.192 4 64 .0, .64, .128, .192
/27 255.255.255.224 4 32 .0, .32, .64, .96, .128, .160, .192, .224
/28 255.255.255.240 4 16 .0, .16, .32, .48, .64, .80, .96, .112, .128, .144, .160, .176, .192, .208, .224, .240
/29 255.255.255.248 4 8 .0, .8, .16, .24, .32, .40, .48, .56, ...
/30 255.255.255.252 4 4 .0, .4, .8, .12, .16, .20, ...

Example: 192.0.2.77/27

  • Mask: 255.255.255.224
  • Block size: 256 - 224 = 32
  • Boundaries: .0, .32, .64, .96
  • Network: 192.0.2.64/27
  • Usual host range: 192.0.2.65 through 192.0.2.94
  • Broadcast: 192.0.2.95
  • Next network: 192.0.2.96/27

Private And Special Ranges

Range Purpose Notes
10.0.0.0/8 Private addressing Common for enterprise and cloud networks
172.16.0.0/12 Private addressing Includes 172.16.0.0 through 172.31.255.255 only
192.168.0.0/16 Private addressing Common for small sites and home networks
100.64.0.0/10 Shared address space Usually CGNAT or provider/customer boundary, not normal enterprise private space
169.254.0.0/16 IPv4 link-local Usually automatic addressing when DHCP fails, also used by some cloud metadata paths
192.0.2.0/24 Documentation Use in examples
198.51.100.0/24 Documentation Use in examples
203.0.113.0/24 Documentation Use in examples
127.0.0.0/8 Loopback Host-local, not routed
224.0.0.0/4 Multicast Not unicast host space
255.255.255.255/32 Limited broadcast Local segment only

Watch out: 172.32.0.0/16 is not RFC 1918 private space. Only 172.16.0.0/12 is private.

Summarization

Summarization works when prefixes are contiguous and aligned on the summary boundary.

Prefixes Valid Summary Why
10.10.0.0/24 through 10.10.3.0/24 10.10.0.0/22 Four contiguous /24s aligned on a /22 boundary
10.10.4.0/24 through 10.10.7.0/24 10.10.4.0/22 Four contiguous /24s aligned on the next /22 boundary
10.10.1.0/24 through 10.10.4.0/24 No clean single /22 Not aligned, would include extra networks

Design note: do not summarize just because the math works. Summaries can hide failures and create blackholes unless routing, filtering, and failover behavior are designed around them.

Design Notes

  • Use CIDR consistently in diagrams, IPAM, firewall rules, route filters, and documentation.
  • Reserve space for growth at site, region, environment, and service boundaries.
  • Keep infrastructure, user, server, management, and transit ranges easy to recognize.
  • Prefer /31 for routed point-to-point links when both endpoints support it.
  • Avoid giant flat VLANs. Addressing should not be the reason a Layer 2 domain grows too large.
  • In cloud networks, check provider-reserved addresses before sizing. Usable address counts may be lower than raw subnet math.
  • Do not overlap private ranges across VPNs, mergers, partner connections, or cloud VPC/VNet peering.

Troubleshooting

Symptom Check Likely Cause
Host has an IP but cannot reach local gateway IP, mask, gateway, ARP table Wrong mask or wrong default gateway
Some hosts in same VLAN can talk, others cannot Compare masks and ARP behavior One side thinks the other is local, the other routes
Route exists but traffic drops after summarization More-specific route, summary null route, failover path Summary blackhole
VPN or cloud peering will not route Local and remote CIDR blocks Overlapping address space
DHCP clients receive unexpected gateway or range DHCP scope, helper address, relay target Wrong scope or relay path
Only first or last address fails in a subnet Platform behavior, prefix length Network or broadcast address used by mistake

Quick Checks

ip route get 192.0.2.77
ip addr show
ip neigh show
show ip route 192.0.2.77
show ip interface brief
show arp

Expected clues:

  • The host mask matches the gateway interface mask.
  • The default gateway is inside the host subnet.
  • The route table has the expected longest-prefix match.
  • ARP resolves for same-subnet destinations and the gateway.
  • No overlapping or broader route is stealing traffic.

References