(originated in 1985 with RFC 950)

This is one of the few long, detailed explanations of subnets that you will find - so stick with it and read through it slowly.  The concept is very important !!  Subnets are for LAN's only, and the Internet has no idea that subnets exist - and continues addressing the same way, with the same network address.  But behind the router, the network address is broken up into 2 or more subnets.  If the LAN did not subnet, and the customer needed the separate networks, then the Internet would have to do all the work of routing to those networks.  Instead it only has to route to one network, and the LAN preforms the subnetting.

Subnets do not add any addresses !!!  They only take the existing addresses and split them up into groups.  For example, if a customer had one Class C block - they could take the 256 addresses and split them up into two subnets, each with 128 addresses (although only 126 are usable in each subnet).

Subnets are all based on Classful addressing !!!  Do not be confused by the new Internet CIDR (Classless Inter-Domain Routing).  CIDR is only for the Internet backbone, and it is also referred to as “supernets” – not subnets.

Subnets are all local !!!  The internet has no idea that subnets are included within the IP addresses, and it only delivers based on the Classful portion (the Network prefix), which is not part of the subnet bits, not is it part of the host bits.

All Classes of IP networks can be divided into smaller networks called subnetworks (or subnets).   This becomes extremely complex, and therefore only the basic concept will be discussed here.

Dividing the major class network is called subnetting. Subnetting provides network administrators with several benefits. It provides extra flexibility, makes more efficient use of network address utilization, and contains broadcast traffic because a broadcast will not cross a router. 

Subnets are under local administration. As such, the outside world sees an organization as a single network, and has no detailed knowledge of the organization's internal network structure.  A given network address can be broken up into many subnetworks. For example,,,, and are all subnets of the Class B network

IP Subnet Mask:

A subnet address is created by "borrowing" bits from the host field and designating them as the subnet field. The number of borrowed bits is variable and specified by the subnet mask.  The following figure shows how bits are "borrowed" from the host address field to create the subnet address field:

Subnet masks use the same format and representation technique as network mask format, the subnet mask has binary 1s in all bits specifying the network and subnetwork fields, and binary 0s in all bits specifying the host field.  The following figure shows a sample subnet mask:

Subnet Masks when there are no Subnets

This is very common - the majority of IP customers have no subnets - but still need the subnet masks.  For a simple example of a non-subnetted customer, suppose a corporation orders a T1 Internet circuit, and is given one Class C block of addresses ( for a total of 254 usable addresses (.111 and .000 are reserved).  Even though the customer does not have any subnets, there are still two subnet masks required!!

1)      Subnet Mask for T1 Serial Interface
This is the serial link between customer and provider, and only requires two static IP addresses . . . one for the customer's router, and one for the provider's router.  This is always (for the customers).  This is configured within their router.  The .252 mask defines a /30 prefix, and therefore has 4 addresses, of which only 2 are usable.  The 2 addresses are the WAN Interface addresses of the two routers.  Here is an example of the two addresses for the serial interfaces for the a T1 link:  (customer)  (provider)

2)          Local Subnet Mask - cust has his own local subnet mask, which for a Class C block of addresses, is:            

All 1’s and all 0’s Representations

In general, the host address of a subnet IP space can be any combination of bits, except all 0's or all 1's.

all 0’s  -  refers to the host portion as all 0's, not the network portion !!!!  This is called the “Network” address (also called "this computer" or "this networks").  It is called "this network" when dealing with all 0's in the Host portion.  For example, a Class C network  - the fourth byte of that address is the host byte, and the 8 bits are all 0's (i.e. 00000000).  All actual host addresses in that byte will be 1,2,3, . . . 254.  The network is 194.7.4 but the full 32-bit address of the network is usually stated as  -  this is not an actual physically accessible address.  This is a virtual address used to define a network.  Useful to show the area where all IP addresses from that network reside.

all  1’s  -  broadcast  -  these packets will be received by all stations

Both network and host address representations have two special cases, all 0’s and all 1’s which are often said to be reserved, and often said to be not reserved.  Therefore the equation for maximum representations (max networks or max hosts) becomes either 2n  (some rare books say that all 1’s and all 0’s are ok) or   2n –2.  ALWAYS ASSUME 2n –2

Cisco’s tables  at - xtocid17414  include all the subnets, including 000 and 111 for this example.  The Sybex book says do not use the all zero’s and all 1’s subnets.

Number of Subnets =   2n (Cisco)    or    2n-2  (Sybex and Cisco Press)  n=no. of subnet bits

Number of Hosts = 2n-2           n = no. of host bits

Conclusion – to be safe do not use the zero and broadcast subnets.  Therefore for both subnets and hosts, the total number can be found by using  2n-2.  However, for the CCNA Exam – keep that option open !!  Note that the subnet mask will always have all 1’s in the subnet numbert portion.  For example a mask of, for the last octet, has 4 bits that are all 1’s, and that is the subnet number portion of the IP addresses – the last octet is 11110000, where the first 4 bits is where the subnet number resides, and the 1’s of the mask let it come through when “AND’ed” (the last 4 bits is the host address and that is masked out to all 0’s during the AND operation).

*** this inclusion-exclusion of all 0’s and all 1’s is bery confusing, since sources do not agree at all on it !!!

OSPF and IS-IS routing protocols look for the existence of an extended-prefix whenever the prefix is all 0’s or all 1’s.  If the extended-prefix exists, then a network address of all 0’s or 1’s is tolerated and seen as a routable packet.  However, RIP does not look for an extended prefix, and cannot route all 0’s or all 1’s prefixes.  Fortunately, RIP is not used on the Internet, so these are generally legal. 

For CCNA Tests always assume all 0’s and all 1’s are not allowed – for both number of subnets and number of hosts !!!   But this is not even certain !!!

The Prefix (the slash  /  ) and Extended Prefix

With Classful addressing, the Network portion is called the “prefix”, which is either 1, 2, or 3 bytes.  With subnetting, an “extended-prefix” is comprised of the concatenation of the network-prefix and the subnet bits.  The extended-prefix is so common, that it is now simply called the prefix.

Prefix Lengths

The lenght of the prefix can theoretically consist of any number of bits from 1 up to 32.  However, there are some constraints . . .

Prefix minimum/maximum – since you cannot have a network larger than a Class A, the smallest prefix is /8.  The largest is 30 bits.  Prefix cannot be 31 - of course, there will always be both a network, and a host address, You cannot have just a single bit for the host address.  This would leave only two host addresses – 1 or 0.  The case of all 0’s and all 1’s are disallowed ( reserved)

NOTE:  Sybex states one odd instance – A prefix length of 32 bits, the width of a complete IP address, is possible because it matches one IP address exactly.

Does a Prefix mean there are Subnets ?

No, it is simply a method of notation.  However, subnets are often given in prefix notation.  For example, you have a private campus network.  You decide to use classless addresses using 10.10 /16  (it must be Classless, because 10. is Class A and that would be /8 ).  So far we have given an address range using prefix notation, and there are no subnets.  Then you decide to create a subnet at one of the buildings 10.10.1 /24.  You have just given a subnet in prefix notation.  It dictates that all addresses in that building are addressed in the following range:

 So in this case, the Network prefix has been extended 8 bits to the right, and the subnet host address is the last 8 bits.  But, if you were just given 10.10.1 /24 and asked if there were subnets involved, you do not have enough info – it could simply be a classless 24-bit network address with an 8-bit host.

You could then further subnet the building, routing packets to two different subnets.  These are now subnets of a subnet of a network (10.10 /16).

Subnets  (RFC 950)

The diagram shows a subnetted IP address.  This is not the subnet address, which is the extended network prefix with the host field all zeros!! The Network-Prefix is the standard Classful prefix which in this case is /16.  The subnet number increases the prefix to /24, which means there are 8 bits used for subnetting.  The extended network address is classless.  Therefore, with subnets, you typically have a combination of classful (Internet routing) and classless (local routing) adressing, as the example shows. 

Subnet Number Confusion - the subnet number is often represented as a full 32 bits with the extended network prefix all 1’s and the host all 0’s.  Here it is shown as the extension of the network prefix for clarity of the explanation – and is also called the “subnet part”, or “subnet field” of the address.  However, if you are asked for the subnet, or the subnet number, or the subnet address – use the 32-bit version and remember to use all zeros for the host.


Subnet Mask confusion – the subnet mask is usually thought of as the extended part of the prefix (the subnet number or field).  BUT it can also be the entire prefix.  Therefore, if you are given that the subnet mask is 19 bits, it will proably be 19 bits extended onto a Class A 8-bit network prefix:



_____  -  network prefix

_____  - subnet number

_____  -  host

 for a total of 27 bits.  So in this case, the subnet mask could be 19 bits (typical) or 27 bits – depending on who you ask.

The Internet uses the network prefix to route, and subnetting has no effect on the network prefix !!!  All it does it break down the host address space into two parts, so that locally, a subnet (local network address) is made available.  The subnet number is also viewed as an extension of the network address, but this extension is only used by the local router.

The Internet has no idea or concept of subnets!!  Packets are addressed the same way they always have been, and the subnets create no new addresses.  The subnet is of local significance only.  When a packet is addressed to a destination that contains subnets, the following occurs: 

  1. The Internet routers ignore the subnet number bits and host bits, and route the packet to the correct domain dictated by the classful portion, the Network prefix.
  2. Once the packets are delivered to the final router, the subnet number is inspected, and the router does a lookup in it’s ARP cache, and appends the MAC address to the packet . 
  3. The router sends the packet out the NIC (Network Interface Card) that is connected to the LAN segment corresponding to the subnet (one subnet per LAN segment, typically).
  4. The stations on the LAN segment inspect the MAC address, and if it matches theirs, they copy it into their buffer.

Cisco Nomenclature – whenever they say you have an “n” bit subnet mask, assume that it is the number of bits in the subnet number.  Therefore you must add it to a Classful address to get the total 1 bits in the mask.  For example, they say you have a 19-bit subnet mask and ask you how many possible hosts.  The 19-bits will be added to a Class C (24 bits), Class B (16 bits) or Class A (8 bits).  The only possible Class it can be added to without exceeding the total of 32 bits, is a Class A subnet mask (8  “1-bits”).  So 19+8 = 27, and the mask will be 27 bits long:   11111111.11111111.11111111.11100000, which has 5 bits for the hosts.  Therefore you can have 2n – 2 hosts = 25 – 2 = 32-2 = 30 hosts

Restrictions on Subnets

Extended Prefix Lengths for:

Cannot be less than classful prefix lengths:

Class A


Class B


Class C


TIP:  to see if a given subnet with prefix is valid, look at the first octet to figure out the Class, and then make sure the Classful prefix is greater than the subnet prefix.  If the Classsful prefix is the same as the subnet prefix, then it is not subnetted at all and it is not a subnet.  For example, the “subnet” /24 is not a subnet – it is Class C, which is /24, and the subnet is /24 which means there are no bits to ther right in which to form subnets.

Subnets also can't intrude into the classful network boundaries, so the prefix (which includes the subnet bits) cannot be less than the Classful prefix – however, it must be larger. Each subnet must be fully contained with a single classful network. For example, 210.22.74  /23 is not a valid subnet.  :     11010010.00010110.01001010.00000000

First of all, 210 defines it as Class C addressing, which means a 24-bit classful prefix, which the subnet prefix must exceed .  Second, you can see that there are many possible hosts that will cause the network ID of 74 (3rd octet) to change to 75 by placing “1” in the 9th bit:     11010010.00010110.01001010.00000000    11010010.00010110.01001011.00000000

On the other hand, 150.22.74  /23 is a valid subnet, because 150 in the first octet means that it is Class B addressing and the host bits are fully contained within the class B network


No matter what combination of host bits are used, the Class B network ID remains unchanged

What about the classless addressing you mentioned earlier with 10.10 /16 ??  In this case, you first notice that the first octet of 10 (00001010) means it is Class A (first bit=0).  But /16 is Class B !!!   Also, the prefix with Class A addressing must be /8,  not /16 -  therefore this must be a classless address:


In addition, just as they were for Classful addressing host numbers - all 1’s and all 0’s are disallowed, as follows :

This subnet, assigned the prefix would have and as its reserved addresses.

Subnets for Serial Links

When divvying up the address space that you have – the addresses are precious resources, and you always want to use the smallest number of them as possible  (unless you need to plan for growth).  The serial link interfaces between two routers will rarely grow – so you can save on address space by assigning the two addresses in a /30 range. This is the world’s smallest subnet.  Note that /30 prefix leaves you with 2 bits for the host (the address assigned to the router interface).  2 bits gives you 4 addresses, but all 1’s and all 0’s are not allowed – so you have 2 addresses available.  The “network” is simply the link between the two routers, and since there are only 2 devices on it – the small subnet is often used (Sprint provisions Internet customers with way).

Never do this for Ethernet links, even if there is only one PC connected to a router!!  The network will grow.

Subnet Masking

The subnet mask is used to filter out and separate the extended network prefix (includes the Network prefix and the subnet bits) and the Host bits.  Usually, a logical AND is performed between the IP address and the mask.  The 1’s in the mask allow the prefix bits to come trhough – the 0’s in the mask, filter out the Host bits.  This leaves the network address intact.  The following shows you the various syntax used when stating an IP address with a prefix.  Just by seeing these forms with a prefix does not mean that there are subnets – but it does tell you where the boundaries of a subnet mask are, and how many bits are in the prefix. 

NOTE:  it is common mistake to call the default masks for Classful addresses “subnet masks”.  Instead they are simply called “masks”.  For example – if a Class B is subnetted with a mask of 255.255.255, then that truly is the subnet mask – however, the default mask would still be, even  though it is not being used

Valid Subnet Masks

Each octet of a valid mask begins with a string of one bits, then changes to a string of zero bits.  There are only a handful of eight bit numbers that fit this requirement. In fact, there are only nine such numbers,

Just as there are nine possible eight bit numbers that meet the requirements for a subnet mask, so there are only thirty three such thirty two bits numbers.

Applying a subnet mask to an IP address allows you to identify the network and node parts of the address. Performing a bitwise logical AND operation between the IP address and the subnet mask results in the Network Address or Number.

For example, using our test IP address and the default Class B subnet mask, we get:

10001100.10110011.11110000.11001000   Class B IP Address

11111111.11111111.00000000.00000000   Default Class B Subnet Mask


10001100.10110011.00000000.00000000   Network Address

Default subnet masks:

     Class A (/8)   - - 11111111.00000000.00000000.00000000

     Class B (/16) - - 11111111.11111111.00000000.00000000

     Class C (/24) - - 11111111.11111111.11111111.00000000

When a bitwise logical AND operation is performed between the subnet mask and IP address, the result defines the Subnet Address. There are some restrictions on the subnet address. Node addresses of all "0"s are reserved for specifying the local network (when a host does not know it's network address) and all 1’s to reach all hosts on the network (broadcast address). This also applies to subnets. A subnet address cannot be all "0"s or all "1"s. This also implies that a 1 bit subnet mask is not allowed. This restriction is required because older standards enforced this restriction. Recent standards that allow use of these subnets have superceded these standards, but many "legacy" devices do not support the newer standards. If you are operating in a controlled environment, such as a lab, you can safely use these restricted subnets.

To calculate the number of subnets or nodes, use the formula (2^n - 2) where n = number of bits in either field. Multiplying the number of subnets by the number of nodes available per subnet gives you the total number of nodes available for your class and subnet mask. Also, note that although subnet masks with non-contiguous mask bits are allowed they are not recommended.

Example of subnet mask.  The IP address begins with 140, and therefore it is a Class B address.  The normal mask is extended by adding 3 bits which allow subnets.  Although all 32 bits shown below form the “subnet mask” – the 3 bits that start the 3rd octet are also referred to as the “subnet mask” – so it can be confusing :

                 10001100.10110011.11011100.11001000   IP Address

AND         11111111.11111111.11100000.00000000   Subnet Mask


                 10001100.10110011.11000000.00000000   Subnet Address

                 10001100.10110011.11011111.11111111   Broadcast Address

Number of Subnets - in this example a 3 bit subnet mask was used (shown in bold), and 13 bits represent the node address. For older, legacy equipment the subnet address could not be all 0’s or all 1’s  -  however all new routers allow them.  Using 2n-2 = 8-2 = 6, there are 6 subnets available with this size mask for legacy equipment and 8 subnets for new equipment.

Number of nodes (Hosts) - we have 13 bits in the node address.  Again, using 2n-2  the total number of possibilities is 213 –2 = 8192 –2 = 8190.  So each subnet has 8190 nodes. Each subnet can have nodes assigned to any address between the Subnet address and the Broadcast address. This gives a total of 6 subnets x 8190 = 49,140 nodes for the entire class B address subnetted for use with legacy equipment. Notice that this is substantially less than the 65,534 nodes an unsubnetted class B address would have.   If we use all 8 subnets, which new equipment allows, we would have 8 x 8190 = 65,520. 

Broadcast Address – this is defined as an IP address where the Host is all 1’s.  You keep the network address as-is and do not fill it with ones, since you do not want to broadcast to the entire Internet.  For the example :

Network/Host -           10001100.10110011.11011100.11001000     

Broadcast Address -    10001100.10110011.11011111.11111111     

How to Assign Subnets and Addresses – Example

 The network in this diagram might belong to a mid-sized company with a headquarters and three branch offices. Let's apply each step in the subnetting process.

Step One. Count hosts on each subnet, and refer back to the chart showing how many addresses can be assigned for each prefix length. Two of the branch offices have 20 hosts (21 including the router), and the other has 25 hosts (26 including the router). Each of these subnets will require a /27 prefix, since these can handle up to 30 addresses. Of the headquarters subnets, the one with 30 hosts will require another /27, the one with 50 hosts will require a /26, and the two 10 host subnets each require a /28.

Don't forget the three WAN links, each requiring a /30, and the Ethernet connecting the two routers together, which also requires a /30. However, since more hosts might later be added to the Ethernet, we'll assign it a /29 for expansion purposes.

Step Two. Assign largest subnets first. The largest subnet is the headquarters subnet with 50 hosts, requiring a /26 prefix. We'll assign to it, using numbers from 0 to 63 in the fourth byte.

Next we need four /27s (one in the headquarters, and one for each of the branch offices). We'll assign,,, and We've now used numbers from 0 to 191 in the fourth byte.

The two /28s will be and That leaves for the Ethernet between the two headquarters routers, and the remaining address space for the three WAN links:, and

Finding Subnets and Valid Hosts (given the subnet mask)

Assuming the mask’s subnet number portion is contained within one byte (for example,, would have the subnet number within the last octet). 

The Trick – find the “subnet multiplier – or base number”.  The valid subnets will be a multiple of a base number in the “interesting octet), which :

Multiplier = 256 – Interesting Octet

Finding the Interesting octet (examples) :

Subnet Mask              Interesting Octet             none         240             224                 192


Given Class C addressing and a subnet mask (the last byte = 11110000), the subnet multiplier is 16  (256 – 240 = 16).  This is your base number, or multiple - each successive subnet is multiples of 16.  Include 0, that subnet counts !!

mask    11111111.11111111.11111111.11110000  (subnet number in Bold)


Network (Internet) Number = N’s,  Subnet Number = S’s,  Host Number = H’s

Local Network Number = N’s and S’s

So, for the mask, the IP Network address that is routed across the Internet is in the first 3 octets (we were told it is a Class C address).  In addition, the mask AND operation includes the first four bits in the last octet, so they can be anything from 0000 to 1111.  The last 4 bits in the 4th octet are masked out by the zeros so the valid subnet numbers will always end in 0000 .  Therefore the subnet number range is in the SSSS bits = 0000 (4th octet = 00000000) to 1111  (4th octet = 11110000) which counts as follows – 0, 16, 32, 48,  . . . 240

Valid Subnets (S) addresses (using 16 as the interval) – the 4th octet value :

            0000  (0)          Subnet address =

            0001  (16)        Subnet address =

            0010  (32)                    etc

            0011  (48)                    etc

             etc.                              etc

            1111  (240)      Subnet Address =

Valid Hosts (H) addresses (the actual valid host bits are 1 to 14 no matter what), but the IP address of the host includes the subnet bits :

for subnet =0,   hosts 1 – 14     (exclude 0 which is all zero’s and 15 which is all 1’s)

for subnet=16,  hosts 17-30      (16 is all zero’s and 31 is all 1’s)


so for the valid hosts of 17-30, the subnet is 16 and therefore their IP addresses are:

            x.x.x.17,  x.x.x.18,  etc,  etc  x.x.x.30

As a check, use subnet 16 with host 18 :

Host =  (if IP address is given as, then this host address = and the subnet is

IP Address                   11000000.00111100.10000001.00010010

Subnet Mask (AND)    11111111.11111111.11111111.11110000

Subnet                          11000000.00111100.10000001.00010000 (


Secondary Addresses

If a subnet becomes full, you can add another subnet on the same data link – two subnets on one link is called secondary addresses.  The router will have to have multiple addresses assigned to the same Interface attached to that segment.  To configure this, you must add the word “secondary” to the IP Address command.   example:

ip address secondary

ip address

You can also have multiple subnets off of the same “subinterfaces” with Frame relay, using for example, s0.1, s0.2, etc.  Subinterfaces always have a decimal point.