
How IP Subnetting Works: The Network Math Behind CIDR

Every device on the internet has an address. Not a street address — a 32-bit number split into four chunks, written like 192.168.1.42. That familiar dotted-decimal notation hides a world of binary math underneath. Understanding how IP addresses actually work means understanding subnetting — the art of dividing a network into smaller, manageable pieces using nothing but bitwise arithmetic.


IPv4 addresses are just 32-bit numbers

An IPv4 address like 192.168.1.42 is really a single 32-bit binary number. Each of the four “octets” (the numbers between the dots) represents 8 bits, ranging from 0 to 255. The human-friendly dotted format is purely for readability.

192.168.1.42 in binary:

  192     .  168     .    1     .   42
11000000 . 10101000 . 00000001 . 00101010

Full 32-bit representation:
11000000101010000000000100101010

Every calculation in subnetting — determining network boundaries, counting hosts, checking if two devices are on the same network — happens at this binary level. The decimal notation is just a convenience layer on top.

Why octets matter

Each octet can hold values from 00000000 (0) to 11111111 (255). That's 2^8 = 256 possible values per octet. The entire IPv4 address space is 2^32 = roughly 4.3 billion unique addresses. That sounds like a lot, but it ran out years ago — which is why we have NAT, private address ranges, and IPv6.


What subnet masks actually do

A subnet mask splits an IP address into two parts: the network portion (which network is this device on?) and the host portion (which specific device within that network?). The mask is another 32-bit number where all the 1-bits mark the network part and all the 0-bits mark the host part.

IP address:   192.168.1.42    → 11000000.10101000.00000001.00101010
Subnet mask:  255.255.255.0   → 11111111.11111111.11111111.00000000
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^
                                 Network bits (24)         Host bits (8)

The key operation is a bitwise AND. When you AND the IP address with the subnet mask, you get the network address — the identifier for the entire subnet. Every device on the same subnet shares this network address.

    11000000.10101000.00000001.00101010   (192.168.1.42)
AND 11111111.11111111.11111111.00000000   (255.255.255.0)
  = 11000000.10101000.00000001.00000000   (192.168.1.0)  ← network address

The AND operation in plain English: Wherever the mask has a 1, keep the original bit from the IP address. Wherever the mask has a 0, force the result to 0. The remaining bits form the network address.

Two devices are on the same subnet if and only if their IP addresses, when ANDed with the same mask, produce the same network address. A router uses this exact check to decide whether to forward a packet locally or send it to another network.
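The same-subnet check described above, written out as an added Python example (not code from the original article). The function names and the sample peers 192.168.1.200 and 192.168.2.42 are constructed for illustration; the mask parser also rejects a mask whose 1-bits are not all leading, since such a value does not split an address into a network part and a host part.

```python
def ip_to_int(dotted: str) -> int:
    """Pack a dotted-decimal IPv4 string into one 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(
            p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)      # shift in one octet at a time
    return value


def int_to_ip(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-decimal form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_int(dotted_mask: str) -> int:
    """Parse a subnet mask, rejecting one with a 1-bit after a 0-bit."""
    mask = ip_to_int(dotted_mask)
    inverted = ~mask & 0xFFFFFFFF          # host bits become the 1-bits
    # A valid mask inverts to 0...01...1, so adding 1 clears every set bit.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous mask: {dotted_mask!r}")
    return mask


def network_address(ip: str, mask: str) -> str:
    """IP AND mask: keep the network bits, zero the host bits."""
    return int_to_ip(ip_to_int(ip) & mask_to_int(mask))


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses AND down to the same network address."""
    m = mask_to_int(mask)
    return (ip_to_int(ip_a) & m) == (ip_to_int(ip_b) & m)


if __name__ == "__main__":
    mask = "255.255.255.0"
    print(network_address("192.168.1.42", mask))
    for peer in ("192.168.1.200", "192.168.2.42"):   # constructed peers
        where = "local delivery" if same_subnet("192.168.1.42", peer, mask) \
            else "send to router"
        print(peer, "->", where)
```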


CIDR notation: the slash shorthand

Writing 255.255.255.0 every time is tedious. CIDR (Classless Inter-Domain Routing) notation replaces the mask with a single number: the count of leading 1-bits. A mask of 255.255.255.0 has 24 leading ones, so we write it as /24.

CIDR   Subnet Mask        Usable Hosts   Common Use
/8     255.0.0.0          16,777,214     Giant corporate networks
/16    255.255.0.0        65,534         Large campus networks
/24    255.255.255.0      254            Home networks, small offices
/30    255.255.255.252    2              Point-to-point router links
/32    255.255.255.255    1              Single host route

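The formula for usable hosts is 2^(32 - prefix) - 2. You subtract 2 because every subnet reserves two addresses: the network address (all host bits = 0) and the broadcast address (all host bits = 1). The /32 row is the exception: with no host bits there is only the one address, so nothing is reserved.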


Why we subnet at all

In the early internet, networks were divided into rigid classes: Class A (/8), Class B (/16), and Class C (/24). A company that needed 300 addresses got a Class B with 65,534 — wasting over 99% of the space. Subnetting solves three problems at once:

  • Broadcast domain control — When a device sends a broadcast (like an ARP request), every device in the subnet receives it. A flat /16 network with 65,000 devices would be flooded with broadcast traffic. Smaller subnets limit the blast radius.
  • Security isolation — By placing servers, employee workstations, and guest Wi-Fi on separate subnets, you can apply firewall rules between them. Traffic between subnets must pass through a router where you control the rules.
  • Address efficiency — CIDR lets you allocate exactly the number of addresses you need. A branch office with 25 devices gets a /27 (30 usable hosts) instead of an entire /24 (254 usable hosts).

Calculating network and host ranges by hand

Given 10.20.30.100/26, find the network address, broadcast address, and usable host range:

  1. Host bits: 32 - 26 = 6 host bits
  2. Block size: 2^6 = 64 addresses per subnet
  3. Subnet boundaries: Multiples of 64 in the last octet — 0, 64, 128, 192. Our IP (100) falls between 64 and 128.
  4. Network address: 10.20.30.64 (start of the block)
  5. Broadcast address: 10.20.30.127 (64 + 63 = 127, last address in the block)
  6. Usable range: 10.20.30.65 through 10.20.30.126 (62 hosts)

Given: 10.20.30.100/26

Step 1 — Host bits: 32 - 26 = 6
Step 2 — Block size: 2^6 = 64
Step 3 — Boundaries in last octet: 0, 64, 128, 192
         100 falls in the 64–127 block

Network address:    10.20.30.64
First usable host:  10.20.30.65
Last usable host:   10.20.30.126
Broadcast address:  10.20.30.127
Usable hosts:       62

The quick trick: To find the subnet boundary, divide the last octet by the block size and take the floor. For /26 (block size 64): 100 ÷ 64 = 1.56 → floor is 1 → subnet starts at 1 × 64 = 64. This works for any prefix length.

Subnetting is binary arithmetic with a practical purpose. Every network engineer, cloud architect, and DevOps engineer who configures VPCs, security groups, or firewall rules is doing subnetting — whether they realize it or not.
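The by-hand steps and the usable-hosts formula above, as an added Python example (not code from the original article or its calculator). It goes beyond the /26 case by running the floor-division trick on the full 32-bit value, so it also covers prefixes that end outside the last octet. The function names, the `host_bits_set` flag, the 172.16.37.5/20 sample and the /31 handling are assumptions of this example.

```python
import ipaddress


def to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def describe(cidr: str) -> dict:
    """Network, broadcast and usable range for 'a.b.c.d/prefix'."""
    addr, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    block = 1 << (32 - prefix)                 # block size = 2^(host bits)
    # Quick trick on the whole address: floor-divide, then multiply back.
    network = (to_int(addr) // block) * block
    broadcast = network + block - 1
    if prefix >= 31:
        # 2^(32 - prefix) - 2 would give 0 or -1 here. /32 is the single host
        # route from the table; /31 is treated as a two-address point-to-point
        # link (RFC 3021 usage), an assumption beyond what the article covers.
        first, last, usable = network, broadcast, block
    else:
        first, last, usable = network + 1, broadcast - 1, block - 2
    return {
        "network": to_dotted(network), "broadcast": to_dotted(broadcast),
        "first": to_dotted(first), "last": to_dotted(last), "usable": usable,
        # True when the written address is not the subnet boundary: a rule
        # written as 10.20.30.100/26 really covers 10.20.30.64 - 10.20.30.127.
        "host_bits_set": to_int(addr) != network,
    }


def agrees_with_stdlib(cidr: str) -> bool:
    """Cross-check the arithmetic against Python's ipaddress module."""
    net = ipaddress.ip_network(cidr, strict=False)
    mine = describe(cidr)
    return (mine["network"] == str(net.network_address)
            and mine["broadcast"] == str(net.broadcast_address))


if __name__ == "__main__":
    for sample in ("10.20.30.100/26", "172.16.37.5/20", "192.168.1.42/32"):
        print(sample, describe(sample), agrees_with_stdlib(sample))
```

When `host_bits_set` is true, `ipaddress.ip_network(cidr)` in its default strict mode raises `ValueError`, which is a useful guard when a firewall or security-group rule is meant to name a whole subnet.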
