Subnet

Subnetwork

A logical division of an IP address space that groups a range of addresses into an isolated segment — devices within the same subnet communicate directly; devices in different subnets must go through a router, creating a natural security boundary.

A subnet is defined by two values: a network address and a subnet mask. The network address identifies the subnet (e.g., 192.168.1.0), and the mask (e.g., /24 = 255.255.255.0) determines how many addresses it contains. Every device in 192.168.1.0/24 can reach every other device in the same subnet directly via ARP and Layer 2 switching. To reach a device in 192.168.2.0/24, traffic must be routed — it goes through the default gateway (router), which can apply firewall rules between subnets. This makes subnets the fundamental tool for network segmentation and security.

Subnetting math: network and host bits

An IPv4 address is 32 bits. A subnet prefix length (e.g., /24) indicates how many leading bits are the network portion — the remainder are host bits. For 192.168.1.0/24: the first 24 bits (192.168.1) identify the network; the last 8 bits identify individual hosts. To determine which subnet an address belongs to, perform a bitwise AND between the address and the subnet mask. For example: 192.168.1.75 AND 255.255.255.0 = 192.168.1.0 — the network address. Two addresses are in the same subnet if their bitwise AND with the same mask produces the same result. Routers perform this calculation for every forwarding decision.

Why subnets are created

Subnets serve three primary purposes. First, broadcast domain reduction: every device in a subnet receives every broadcast packet. A single /16 with 65,534 hosts generates enormous broadcast traffic (ARP requests, DHCP, etc.) that consumes bandwidth and CPU on every device. Splitting into many /24 subnets limits each broadcast domain to 254 hosts. Second, security isolation: devices in different subnets must route through a firewall or router, which can enforce access control policies. Third, IP address management: assigning different subnets to different departments, floors, or device classes makes IP allocation and troubleshooting tractable at scale.

Common subnet sizes

CIDR  Subnet mask       Usable hosts  Typical use
/30   255.255.255.252   2             Point-to-point router links
/29   255.255.255.248   6             Very small server cluster or DMZ
/28   255.255.255.240   14            Small IoT or management VLAN
/25   255.255.255.128   126           Half of a /24, medium office segment
/24   255.255.255.0     254           Standard home and small office network
/22   255.255.252.0     1,022         Medium enterprise floor or building
/16   255.255.0.0       65,534        Large enterprise or campus

Calculating subnets and hosts

The number of usable host addresses in a subnet is 2^(32 − prefix) − 2. The subtraction of 2 accounts for the network address (all host bits set to 0, used to identify the subnet itself) and the broadcast address (all host bits set to 1, used to send to all hosts in the subnet). To divide a larger block into subnets: borrowing one host bit doubles the number of subnets and halves the hosts per subnet. A /24 split into two /25 subnets yields two blocks of 126 usable hosts each; split into four /26 subnets yields four blocks of 62 hosts each.

VLSM — Variable Length Subnet Masking

Fixed-size subnetting wastes addresses when different segments have very different size requirements. VLSM allows different subnet masks within the same address space. A network administrator can assign a /24 (254 hosts) for the main office floor, a /27 (30 hosts) for the server room, a /29 (6 hosts) for the DMZ, and /30 (2 hosts) for each router-to-router WAN link — all carved out of the same 10.1.0.0/16 block. VLSM is enabled by classless routing protocols (OSPF, EIGRP, BGP) that carry the prefix length with each route advertisement. Classful protocols (RIPv1) assumed all subnets within a major network used the same mask, making VLSM impossible.

Subnets and routing

Every subnet requires a route. When a router receives a packet, it performs a longest prefix match against its routing table — the most specific matching route wins. A packet for 10.1.2.50 might match both a /16 summary route and a /24 specific route; the router forwards it via the /24 entry. In large networks, subnets from different parts of the address space are summarised (aggregated) into shorter prefixes — 10.1.0.0/16 covers all 256 /24 subnets within it — to keep routing tables manageable. Proper subnetting with contiguous address blocks enables clean summarisation; discontiguous assignments force routers to carry individual routes for every subnet.
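The arithmetic from the subnetting sections above (bitwise AND for the network address, the 2^(32 − prefix) − 2 host count, splitting a block by borrowing host bits) and the longest-prefix-match lookup described in this section, as an added example that is not part of the original page; the route table and addresses are constructed samples taken from the text.

```python
# Added example, not from the original page: IPv4 subnet arithmetic on 32-bit
# integers and the longest-prefix-match lookup a router performs per packet.
import socket
import struct
from typing import Dict, List, Optional

def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer, network byte order."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))

def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the host bits clear."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def network_address(ip: str, prefix: int) -> str:
    """Bitwise AND of the address with the mask yields the network address."""
    return int_to_ip(ip_to_int(ip) & prefix_to_mask(prefix))

def same_subnet(a: str, b: str, prefix: int) -> bool:
    """Two addresses share a subnet when ANDing with the mask gives one result."""
    return network_address(a, prefix) == network_address(b, prefix)

def usable_hosts(prefix: int) -> int:
    """2^(32 - prefix) minus the network and broadcast addresses."""
    return max(2 ** (32 - prefix) - 2, 0)

def split(cidr: str, new_prefix: int) -> List[str]:
    """Carve a block into equal subnets, e.g. a /24 into four /26 blocks."""
    base, old = cidr.split("/")
    old_prefix = int(old)
    if not old_prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be between the block's prefix and /32")
    start = ip_to_int(base) & prefix_to_mask(old_prefix)
    size = 2 ** (32 - new_prefix)
    return [f"{int_to_ip(start + i * size)}/{new_prefix}"
            for i in range(2 ** (new_prefix - old_prefix))]

def longest_prefix_match(table: Dict[str, str], ip: str) -> Optional[str]:
    """Routing lookup: of all routes whose prefix contains ip, the longest wins."""
    best, best_len = None, -1
    for cidr, next_hop in table.items():
        net, pfx = cidr.split("/")
        prefix = int(pfx)
        if prefix > best_len and same_subnet(ip, net, prefix):
            best, best_len = next_hop, prefix
    return best
```

With the constructed table {"10.1.0.0/16": "summary", "10.1.2.0/24": "specific"}, a packet for 10.1.2.50 is forwarded via the /24 entry while 10.1.3.7 falls back to the /16 summary.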

Subnetting for security

Network segmentation puts different device types on different subnets with firewall rules between them. A typical home security setup: 192.168.1.0/24 for trusted computers and phones; 192.168.2.0/24 for IoT devices — no access to subnet 1, internet only; 192.168.3.0/24 for guests — internet only, no access to other subnets. Traffic between subnets is controlled at the router/firewall. This limits blast radius: a compromised IoT device on 192.168.2.0/24 cannot directly access your NAS on 192.168.1.0/24 — it must pass through the firewall.

IPv6 subnetting

IPv6 uses 128-bit addresses and fundamentally different allocation conventions. The standard LAN subnet size is /64 — this is not arbitrary. IPv6 Stateless Address Autoconfiguration (SLAAC) requires a /64 prefix to generate interface identifiers from MAC addresses using the EUI-64 algorithm. Splitting a /64 into smaller subnets breaks SLAAC. The standard site allocation from an ISP or RIR is a /48, which contains 65,536 /64 subnets — enough to assign one /64 per room in a building with room to spare. A home ISP typically delegates a /56 (256 /64 subnets) or /48. IPv6 routing aggregation works the same way as IPv4 — /48 allocations to customers are summarised into /32 allocations at the ISP level and further into larger blocks at the regional registry level.

Frequently Asked Questions

Why would I use multiple subnets at home?

Security isolation. Put IoT devices on a separate subnet so a compromised device can't directly reach your computers or NAS. A guest network is another subnet — internet access only. Requires a router supporting VLANs and multiple subnets (pfSense, OPNsense, or capable consumer routers).

What is the difference between a subnet and a VLAN?

A subnet is a Layer 3 construct (IP addresses); a VLAN is a Layer 2 construct (Ethernet isolation). They're almost always paired: each VLAN has its own subnet. The router routes between subnets; the switch enforces VLAN boundaries at Layer 2.

How do I calculate the number of hosts in a subnet?

2^(32 − prefix) − 2. /24 = 254 hosts, /25 = 126, /28 = 14, /30 = 2. Subtract 2 for the network address (all host bits 0) and broadcast address (all host bits 1).