
An IP address identifies a device on a network. A subnet is a logical subdivision of that network. CIDR notation expresses the network prefix length with a slash, for example 192.168.1.0/24. Understanding how these three concepts interact is fundamental to configuring servers, cloud infrastructure, and network security policies. The authoritative specifications are RFC 4632 for Classless Inter-Domain Routing and RFC 1918 for private address ranges.
In a previous guide, we covered some basic networking terminology. You should review that guide to make sure you are familiar with the concepts presented there.
This article covers network addressing at the IP layer: how IPv4 addresses are structured and classified, how subnet masks divide address space, how CIDR notation represents any prefix length, how Variable Length Subnet Masking (VLSM) enables efficient allocation, and how IPv6 applies the same slash notation to a 128-bit space. Each concept builds on the previous one.
An IPv4 address is a 32-bit number expressed as four decimal octets, for example 192.168.0.5. An IPv6 address is a 128-bit number expressed as eight groups of four hexadecimal digits.
A subnet mask identifies which bits of an IP address belong to the network portion and which belong to the host portion. The mask 255.255.255.0 (prefix /24) means the first 24 bits are the network.
In most IPv4 subnets (/0 through /30), the first address is the network address (all host bits set to 0) and the last address is the broadcast address (all host bits set to 1), and neither can be assigned to a host. (/31 point-to-point links are an exception; RFC 3021.)
CIDR notation appends a prefix length to an IP address, for example 10.0.0.0/8, to represent the network without requiring classful boundaries.
RFC 1918 defines three private address ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These ranges are not routed on the public internet.
VLSM allows different prefix lengths within the same address space, enabling right-sized subnets for each segment.
IPv6 uses the same slash notation as IPv4, with a standard per-subnet prefix of /64, leaving 64 bits for host addressing within each subnet.
An IP address is a numerical label assigned to every device on a network that uses the Internet Protocol. It serves two functions: identifying the host and locating it within the network topology.
An IPv4 address is a 32-bit number written as four 8-bit segments separated by periods, each expressed in decimal from 0 to 255. Every device on a network needs an address so other devices can reach it; at the network layer of the TCP/IP model, that address is the IP address. Even though the segments are written in decimal for readability, each is called an octet to reflect that it represents 8 bits.
A typical IPv4 address looks like this:
192.168.0.5
The lowest value in each octet is 0 and the highest is 255.
The same address expressed in binary, with each 4 bits separated by a space and octets separated by dashes:
1100 0000 - 1010 1000 - 0000 0000 - 0000 0101
Recognizing that these two formats represent the same value is fundamental to understanding subnet masks and CIDR notation.
IP addresses allow network resources to be reached through a network interface. If one computer needs to communicate with another, it addresses the information to the remote computer’s IP address. Assuming the two computers are on the same network, or that intermediate devices can translate requests across networks, the computers can reach each other and exchange information.
A system called Network Address Translation (NAT) allows addresses to be rewritten when packets cross network borders. This allows the same private IP address to be used on multiple isolated networks while still permitting those networks to communicate externally when configured correctly.
IP addresses are composed of a network portion and a host portion. Where the network portion ends and the host portion begins depends on how the network is configured.
IPv4 addresses were traditionally divided into five classes named A through E, defined by the leading bits of the address. The table below shows the class boundaries, default masks, and typical uses.
| Class | Leading Bits | Address Range | Default Mask | Use |
|---|---|---|---|---|
| A | 0 | 0.0.0.0 to 127.255.255.255 | 255.0.0.0 | Large networks |
| B | 10 | 128.0.0.0 to 191.255.255.255 | 255.255.0.0 | Medium networks |
| C | 110 | 192.0.0.0 to 223.255.255.255 | 255.255.255.0 | Small networks |
| D | 1110 | 224.0.0.0 to 239.255.255.255 | N/A | Multicast |
| E | 1111 | 240.0.0.0 to 255.255.255.255 | N/A | Experimental/reserved |
Two ranges within Class A are carved out and are not available for general host assignment: 0.0.0.0/8 (the “this network” address, used as a source before a host acquires an address) and 127.0.0.0/8 (loopback, reserved for each host to test its own network stack, typically via 127.0.0.1).
Class D addresses are reserved for multicast protocols, which deliver a packet to a group of hosts in one operation. Class E addresses are reserved for experimental use and are largely unused.
Classful addressing is deprecated in modern routing. RFC 1519 (1993), updated by RFC 4632 (2006), introduced CIDR as its replacement, removing the requirement that prefix lengths align with class boundaries. The class designations remain useful as historical context and for understanding default mask conventions.
IP addresses fall into two categories: public and private. Public addresses are globally routable on the internet. Private addresses are defined by RFC 1918 and are used only within private networks.
Private addresses are dropped at internet boundaries because no public router holds a route to them. RFC 1918 ranges are deliberately absent from the global routing table, so a packet bound for a private destination has nowhere to go once it leaves the local network. This means a private-addressed host cannot be reached from the public internet, which is why outbound traffic from private hosts must pass through NAT.
The loopback range 127.0.0.0/8 is reserved for each host to test its own network stack. Typically only 127.0.0.1 is used, but all addresses in the 127.0.0.0/8 range are reserved for this purpose.
For a complete list of reserved IPv4 address blocks, see the IANA IPv4 Special-Purpose Address Registry.
A subnet (short for subnetwork) is a logical subdivision of a larger IP network. Subnetting divides one address block into multiple smaller blocks, each operating as an independent network segment.
Subnets reduce broadcast traffic, isolate segments for security, and let you allocate address space by actual host count instead of fixed class boundaries.
The clearest motivation is the broadcast domain. On a single flat network, broadcast frames such as ARP requests and DHCP discovery reach every host. A flat /16 with 60,000 hosts forces every machine to process every broadcast, and one misbehaving host broadcasting at volume degrades the whole network. Splitting that /16 into /24 segments confines each broadcast to roughly 254 hosts, so a storm in one segment never touches the others.
Subnets also give you an enforcement boundary. Firewall rules, route policies, and access controls all operate on address ranges, so a database tier in 10.10.2.0/24 can be made reachable only from a web tier in 10.10.1.0/24 and from nowhere else. Without subnetting there is no range to write the rule against.
Finally, subnets let you size allocations to need. A point-to-point link uses a /30 (2 hosts) while a user segment uses a /24 (254 hosts), instead of every segment consuming an identical block. This is the basis for VLSM, covered later in this article.
Each IP address contains two logical components: a network portion and a host portion. The network portion identifies the subnet; the host portion identifies a specific device within that subnet.
For the address 192.168.0.15 on a /24 network, the network portion is 192.168.0 and the host portion is 15. In binary:
1100 0000 - 1010 1000 - 0000 0000 - 0000 1111
The first 24 bits (the first three octets) identify the network. The last 8 bits identify the host.
Applying a bitwise AND between the address and the subnet mask extracts the network address by zeroing out the host bits:
1100 0000 - 1010 1000 - 0000 0000 - 0000 1111 (192.168.0.15)
AND
1111 1111 - 1111 1111 - 1111 1111 - 0000 0000 (255.255.255.0)
=
1100 0000 - 1010 1000 - 0000 0000 - 0000 0000 (192.168.0.0)
The network address is 192.168.0.0. The host identifier is 0000 1111, which is 15.
The first address in any subnet is the network address, where all host bits are set to 0. The last address is the broadcast address, where all host bits are set to 1. A packet sent to the broadcast address is delivered to all hosts within that subnet. Neither the network address nor the broadcast address can be assigned to an individual host.
This constraint applies to the first and last address within the specific subnet, not to any address whose final octet happens to be literally 0 or 255. For example, in the subnet 10.0.1.0/24, the network address is 10.0.1.0 and the broadcast is 10.0.1.255. In the subnet 10.0.2.128/25, the network address is 10.0.2.128 and the broadcast is 10.0.2.255.
A subnet mask is a 32-bit value that identifies which bits of an IP address belong to the network portion and which belong to the host portion. Bits set to 1 in the mask mark network bits; bits set to 0 mark host bits.
The subnet mask for a /24 network is 255.255.255.0. In binary, using the 4-bit group convention:
1111 1111 - 1111 1111 - 1111 1111 - 0000 0000
The first 24 bits (all 1s) identify the network. The remaining 8 bits (all 0s) are available for host addressing.
The following reference shows the binary form and dotted-decimal equivalent for common prefix lengths:
/8 → 11111111.00000000.00000000.00000000 → 255.0.0.0
/16 → 11111111.11111111.00000000.00000000 → 255.255.0.0
/24 → 11111111.11111111.11111111.00000000 → 255.255.255.0
/25 → 11111111.11111111.11111111.10000000 → 255.255.255.128
/26 → 11111111.11111111.11111111.11000000 → 255.255.255.192
/27 → 11111111.11111111.11111111.11100000 → 255.255.255.224
/28 → 11111111.11111111.11111111.11110000 → 255.255.255.240
/29 → 11111111.11111111.11111111.11111000 → 255.255.255.248
/30 → 11111111.11111111.11111111.11111100 → 255.255.255.252
To split a /24 network into two equal subnets, extend the prefix by one bit. The new mask uses 25 network bits. In binary:
1111 1111 - 1111 1111 - 1111 1111 - 1000 0000
This is the subnet mask 255.255.255.128, corresponding to the prefix /25. It is a mask value, not a network address. Applied to 192.168.0.0/24, it produces two distinct subnets:
- 192.168.0.0/25: network address 192.168.0.0, broadcast 192.168.0.127, usable range 192.168.0.1 to 192.168.0.126 (126 hosts).
- 192.168.0.128/25: network address 192.168.0.128, broadcast 192.168.0.255, usable range 192.168.0.129 to 192.168.0.254 (126 hosts).

If more subnets are needed, additional bits from the host portion can be designated as network bits, doubling the number of subnets each time at the cost of halving the hosts per subnet.
Under classful addressing, each class has a default subnet mask aligned with its class boundary:
| Class | Default Subnet Mask | CIDR Prefix |
|---|---|---|
| A | 255.0.0.0 | /8 |
| B | 255.255.0.0 | /16 |
| C | 255.255.255.0 | /24 |
Under CIDR, these defaults are informational only. Any prefix length from /0 to /32 is valid regardless of the address’s classful origin.
Given a prefix length, the total number of IP addresses in the subnet is 2^(32 - prefix). Usable hosts equals that total minus two: one address for the network and one for the broadcast.
For a /24 subnet: 2^(32 - 24) = 2^8 = 256 total addresses. 256 - 2 = 254 usable hosts.
For a /26 subnet: 2^(32 - 26) = 2^6 = 64 total addresses. 64 - 2 = 62 usable hosts.
The /31 prefix is an exception defined by RFC 3021 for point-to-point links, where both addresses are usable because no broadcast or network address designation is needed. The /32 prefix identifies a single host route.
To go the other direction, from a host requirement to a prefix, pick the smallest block whose usable host count meets or exceeds your need:
| Hosts needed | Prefix | Usable hosts |
|---|---|---|
| 1 to 2 | /30 | 2 |
| 3 to 6 | /29 | 6 |
| 7 to 14 | /28 | 14 |
| 15 to 30 | /27 | 30 |
| 31 to 62 | /26 | 62 |
| 63 to 126 | /25 | 126 |
| 127 to 254 | /24 | 254 |
For example, a segment that needs 30 hosts requires a /27, because a /28 provides only 14 usable addresses and a /27 provides 30.
CIDR (Classless Inter-Domain Routing) notation expresses a network address and its prefix length in a single string. The prefix length follows the IP address after a forward slash. For example, 192.168.0.15/24 means the first 24 bits identify the network.
CIDR replaced classful addressing because fixed class sizes wasted large amounts of address space and caused routing tables to grow unsustainably. Before CIDR, IP address allocation followed fixed class boundaries. A Class B block provided 65,534 host addresses regardless of actual need, and a Class C block provided only 254. This made right-sized allocation impossible and caused internet routing tables to grow rapidly as providers assigned many small Class C blocks to cover demand.
RFC 1519 (1993), later updated and consolidated into RFC 4632 (2006), introduced CIDR as the replacement. CIDR allows address blocks to be allocated in any prefix length, matching allocations to actual requirements. It also enables route aggregation: multiple contiguous blocks can be represented by a single covering prefix, reducing routing table size.
A CIDR block consists of two parts: the network prefix and the host portion. The prefix length specifies how many leading bits are fixed and identify the network. The remaining bits are variable and identify individual hosts within that network.
For 192.168.0.0/24, the network prefix is 192.168.0 (the first 24 bits) and the last 8 bits are the host portion. For 10.0.0.0/8, the network prefix is 10 (the first 8 bits) and the remaining 24 bits are the host portion.

The most common CIDR blocks and their sizes are summarized in the table at the end of this section: 192.168.1.0/24 gives 254 usable hosts, 192.168.1.0/26 gives 62, and 10.0.0.112/30 gives 2. Beyond sizing individual networks, CIDR notation also represents supernets, which aggregate multiple contiguous classful blocks into a single routing entry. For example, 192.168.0.0 and 192.168.1.0 are two adjacent Class C networks. Under classful rules, they require two separate routing entries. Under CIDR, they can be aggregated as 192.168.0.0/23.
The first network (192.168.0.0) in binary:
1100 0000 - 1010 1000 - 0000 0000 - 0000 0000
The second network (192.168.1.0) in binary:
1100 0000 - 1010 1000 - 0000 0001 - 0000 0000
The /23 mask:
1111 1111 - 1111 1111 - 1111 1110 - 0000 0000
With 23 bits fixed, the 24th bit can be either 0 or 1 and both networks match. This is equivalent to the subnet mask 255.255.254.0. CIDR allows more control over addressing contiguous blocks of IP addresses than classful subnetting permits.
Additional common CIDR examples:
| CIDR Block | Usable Hosts | Typical Use |
|---|---|---|
| 10.0.0.0/8 | 16,777,214 | Large enterprise or cloud network |
| 172.16.0.0/16 | 65,534 | Mid-size private network |
| 192.168.1.0/24 | 254 | Small office or single subnet |
| 192.168.1.0/26 | 62 | Segment within a /24 |
| 10.0.0.112/30 | 2 | Point-to-point WAN link |
The table below lists every IPv4 prefix length from /0 to /32 with its subnet mask, total IP count, and usable host count. The usable host formula for /0 through /30 is 2^(32 - prefix) - 2. The /31 exception (RFC 3021) applies to point-to-point links where both addresses are assignable. The /32 identifies a single host route.
| Prefix | Subnet Mask | Total IPs | Usable Hosts |
|---|---|---|---|
| /0 | 0.0.0.0 | 4,294,967,296 | 4,294,967,294 |
| /1 | 128.0.0.0 | 2,147,483,648 | 2,147,483,646 |
| /2 | 192.0.0.0 | 1,073,741,824 | 1,073,741,822 |
| /3 | 224.0.0.0 | 536,870,912 | 536,870,910 |
| /4 | 240.0.0.0 | 268,435,456 | 268,435,454 |
| /5 | 248.0.0.0 | 134,217,728 | 134,217,726 |
| /6 | 252.0.0.0 | 67,108,864 | 67,108,862 |
| /7 | 254.0.0.0 | 33,554,432 | 33,554,430 |
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 |
| /9 | 255.128.0.0 | 8,388,608 | 8,388,606 |
| /10 | 255.192.0.0 | 4,194,304 | 4,194,302 |
| /11 | 255.224.0.0 | 2,097,152 | 2,097,150 |
| /12 | 255.240.0.0 | 1,048,576 | 1,048,574 |
| /13 | 255.248.0.0 | 524,288 | 524,286 |
| /14 | 255.252.0.0 | 262,144 | 262,142 |
| /15 | 255.254.0.0 | 131,072 | 131,070 |
| /16 | 255.255.0.0 | 65,536 | 65,534 |
| /17 | 255.255.128.0 | 32,768 | 32,766 |
| /18 | 255.255.192.0 | 16,384 | 16,382 |
| /19 | 255.255.224.0 | 8,192 | 8,190 |
| /20 | 255.255.240.0 | 4,096 | 4,094 |
| /21 | 255.255.248.0 | 2,048 | 2,046 |
| /22 | 255.255.252.0 | 1,024 | 1,022 |
| /23 | 255.255.254.0 | 512 | 510 |
| /24 | 255.255.255.0 | 256 | 254 |
| /25 | 255.255.255.128 | 128 | 126 |
| /26 | 255.255.255.192 | 64 | 62 |
| /27 | 255.255.255.224 | 32 | 30 |
| /28 | 255.255.255.240 | 16 | 14 |
| /29 | 255.255.255.248 | 8 | 6 |
| /30 | 255.255.255.252 | 4 | 2 |
| /31 | 255.255.255.254 | 2 | 2 (point-to-point only, RFC 3021) |
| /32 | 255.255.255.255 | 1 | 1 (host route) |
Subnet calculations follow a consistent binary process: identify the prefix, apply the mask to find the network address, set all host bits to 1 to find the broadcast address, and the usable range falls between those two boundaries.
Given the network 192.168.1.0/24:
The subnet mask is 255.255.255.0. In binary, the subnet mask is:
1111 1111 - 1111 1111 - 1111 1111 - 0000 0000
Apply a bitwise AND between an address in this network, for example 192.168.1.75, and the mask:
1100 0000 - 1010 1000 - 0000 0001 - 0100 1011 (192.168.1.75)
AND
1111 1111 - 1111 1111 - 1111 1111 - 0000 0000 (255.255.255.0)
=
1100 0000 - 1010 1000 - 0000 0001 - 0000 0000 (192.168.1.0)
This gives:

- Network address: 192.168.1.0 (all host bits = 0)
- Broadcast address: 192.168.1.255 (all host bits = 1)
- Usable range: 192.168.1.1 to 192.168.1.254

A /26 prefix uses 26 bits for the network and 6 bits for hosts. Each /26 subnet contains 2^6 = 64 addresses, with 62 usable. Dividing 192.168.1.0/24 into /26 blocks produces four subnets:
| Subnet | Network Address | Broadcast | Usable Range | Usable Hosts |
|---|---|---|---|---|
| 192.168.1.0/26 | 192.168.1.0 | 192.168.1.63 | 192.168.1.1 to 192.168.1.62 | 62 |
| 192.168.1.64/26 | 192.168.1.64 | 192.168.1.127 | 192.168.1.65 to 192.168.1.126 | 62 |
| 192.168.1.128/26 | 192.168.1.128 | 192.168.1.191 | 192.168.1.129 to 192.168.1.190 | 62 |
| 192.168.1.192/26 | 192.168.1.192 | 192.168.1.255 | 192.168.1.193 to 192.168.1.254 | 62 |
Each subnet boundary falls every 64 addresses (2^6). The network addresses are at .0, .64, .128, and .192.
For a /26 network, the boundary between network bits and host bits falls at position 26. The last octet of the mask 255.255.255.192 is 1100 0000, meaning the first two bits of the final octet are network bits and the remaining six are host bits.
For the address 192.168.1.130 within the third /26 subnet:
1100 0000 - 1010 1000 - 0000 0001 - 1000 0010 (192.168.1.130)
AND
1111 1111 - 1111 1111 - 1111 1111 - 1100 0000 (255.255.255.192)
=
1100 0000 - 1010 1000 - 0000 0001 - 1000 0000 (192.168.1.128)
The network address is 192.168.1.128. The host bits in the last octet are 00 0010, which is host 2 within that subnet.
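The binary procedure above (parse the dotted quad, build the mask from the prefix, AND to get the network, OR the inverted mask to get the broadcast, then handle the /31 and /32 exceptions) as a worked implementation. This is an added example, not code from the original article; it works on plain 32-bit integers and cross-checks its answers against Python's standard `ipaddress` module.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def dotted_to_int(addr: str) -> int:
    """'192.168.1.75' -> 0xC0A8014B, validating that each octet is 0..255."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` leading 1-bits followed by 0-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (MASK32 << (32 - prefix)) & MASK32


def prefix_from_mask(mask: str) -> int:
    """'255.255.255.192' -> 26; rejects non-contiguous masks such as 255.0.255.0."""
    m = dotted_to_int(mask)
    prefix = bin(m).count("1")
    if m != mask_from_prefix(prefix):
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def binary_groups(value: int) -> str:
    """Render in the article's layout: 4-bit groups, octets joined by dashes."""
    bits = f"{value:032b}"
    octets = [bits[i:i + 8] for i in range(0, 32, 8)]
    return " - ".join(f"{o[:4]} {o[4:]}" for o in octets)


def subnet_info(cidr: str) -> dict:
    """Network, broadcast, usable range and host count for an address/prefix,
    including the /31 (RFC 3021) and /32 (host route) exceptions."""
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    addr = dotted_to_int(addr_str)
    mask = mask_from_prefix(prefix)
    host_bits = ~mask & MASK32
    network = addr & mask             # AND with the mask zeroes the host bits
    broadcast = network | host_bits   # OR with the inverted mask sets them all
    total = 1 << (32 - prefix)
    if prefix == 32:                  # a single host route
        first, last, usable = network, network, 1
    elif prefix == 31:                # point-to-point: both addresses assignable
        first, last, usable = network, broadcast, 2
    else:
        first, last, usable = network + 1, broadcast - 1, total - 2
    return {
        "mask": int_to_dotted(mask),
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(first),
        "last_host": int_to_dotted(last),
        "host_id": addr & host_bits,  # this host's number inside the subnet
        "total": total,
        "usable": usable,
    }


def cross_check(cidr: str) -> bool:
    """Does the hand-rolled result agree with the standard library?
    strict=False lets the input carry host bits (192.168.1.75/24)."""
    net = ipaddress.ip_network(cidr, strict=False)
    info = subnet_info(cidr)
    return (info["network"] == str(net.network_address)
            and info["broadcast"] == str(net.broadcast_address)
            and info["mask"] == str(net.netmask))


if __name__ == "__main__":
    for cidr in ("192.168.1.75/24", "192.168.1.130/26", "10.0.0.112/30", "10.0.0.0/31"):
        info = subnet_info(cidr)
        print(cidr, info, "ok" if cross_check(cidr) else "MISMATCH")
        print("   ", binary_groups(dotted_to_int(cidr.split("/")[0])))
```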
ipcalc is a command-line subnet calculator that performs subnet arithmetic and displays the binary breakdown of an address. On Ubuntu and Debian systems, install it with:
```shell
sudo apt install ipcalc
```
To verify the /24 network used in the example above:
```shell
ipcalc 192.168.1.0/24
```

```text
Address:   192.168.1.0          11000000.10101000.00000001. 00000000
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   192.168.1.0/24       11000000.10101000.00000001. 00000000
HostMin:   192.168.1.1          11000000.10101000.00000001. 00000001
HostMax:   192.168.1.254        11000000.10101000.00000001. 11111110
Broadcast: 192.168.1.255        11000000.10101000.00000001. 11111111
Hosts/Net: 254                  Class C, Private Internet
```
The space in the binary columns marks the boundary between the network portion and the host portion. HostMin is the first usable address, HostMax is the last, and Broadcast confirms the upper boundary of the subnet.
To verify the /26 subnet:
```shell
ipcalc 192.168.1.0/26
```

```text
Address:   192.168.1.0          11000000.10101000.00000001.00 000000
Netmask:   255.255.255.192 = 26 11111111.11111111.11111111.11 000000
Wildcard:  0.0.0.63             00000000.00000000.00000000.00 111111
=>
Network:   192.168.1.0/26       11000000.10101000.00000001.00 000000
HostMin:   192.168.1.1          11000000.10101000.00000001.00 000001
HostMax:   192.168.1.62         11000000.10101000.00000001.00 111110
Broadcast: 192.168.1.63         11000000.10101000.00000001.00 111111
Hosts/Net: 62                   Class C, Private Internet
```
The ipcalc 192.168.1.0/24 --split 62 62 62 62 command splits the parent /24 into subnets each large enough for the requested host counts, allocating them sequentially. It prints a full breakdown block per resulting subnet. The four /26 subnets it produces are:
| Subnet | HostMin | HostMax |
|---|---|---|
| 192.168.1.0/26 | 192.168.1.1 | 192.168.1.62 |
| 192.168.1.64/26 | 192.168.1.65 | 192.168.1.126 |
| 192.168.1.128/26 | 192.168.1.129 | 192.168.1.190 |
| 192.168.1.192/26 | 192.168.1.193 | 192.168.1.254 |
This makes --split useful for VLSM planning when combined with per-segment host-count estimates.
The address and prefix you calculate are exactly what a Linux host reports for its interface. Use ip addr show to see the CIDR assignment directly:
```shell
ip addr show eth0
```

```text
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 9a:1c:3e:7b:0a:11 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.5/24 brd 10.10.1.255 scope global eth0
       valid_lft forever preferred_lft forever
```
The inet 10.10.1.5/24 line is the host address with its /24 prefix, and brd 10.10.1.255 is the broadcast address for that subnet, matching the network and broadcast boundaries you would derive by hand. To see the routes the kernel builds from these prefixes, use ip route:
```shell
ip route
```

```text
default via 10.10.1.1 dev eth0 proto static
10.10.1.0/24 dev eth0 proto kernel scope link src 10.10.1.5
```
The 10.10.1.0/24 entry is the local subnet route the kernel installs from the interface’s CIDR. The default via line sends every other destination to the gateway.
Private IP addresses are non-routable address blocks defined by RFC 1918. Routers on the public internet do not forward packets with private source or destination addresses. Hosts using private addresses require NAT to communicate externally.
RFC 1918 defines three private address ranges:
| Range | CIDR Block | Address Count | Typical Use |
|---|---|---|---|
| 10.0.0.0 to 10.255.255.255 | 10.0.0.0/8 | 16,777,216 | Enterprise networks, cloud VPCs |
| 172.16.0.0 to 172.31.255.255 | 172.16.0.0/12 | 1,048,576 | Mid-size private networks |
| 192.168.0.0 to 192.168.255.255 | 192.168.0.0/16 | 65,536 | Home and small office networks |
These ranges were historically associated with Class A, B, and C boundaries, respectively. Under CIDR, they are referenced by their CIDR blocks as defined in RFC 1918. The classful framing is historical context only.
Use private addresses for all internal hosts: application servers, databases, internal APIs, and any endpoint that does not require direct internet reachability. Use publicly routable addresses only for internet-facing endpoints such as load balancers and edge proxies.
NAT is required for private-addressed hosts to initiate connections to the public internet. The NAT gateway replaces the private source address with a public IP when forwarding outbound packets and reverses the translation for return traffic.
DigitalOcean allocates VPC address space from RFC 1918 ranges. When you create a VPC with the block 10.10.0.0/16, all resources provisioned within it receive private addresses from that range.
VLSM is the practice of applying different prefix lengths to different subnets within a single address space. Enabled by CIDR, it allows administrators to right-size each subnet rather than using a uniform block size throughout the network.
VLSM lets you assign different prefix lengths to different subnets within the same address space, sizing each subnet to its actual host count rather than a uniform block. Before VLSM, all subnets within a network had to use the same prefix length, which forced a segment needing 50 hosts and a point-to-point link needing 2 hosts to consume identical blocks.
VLSM relates directly to the /23 supernet example in the CIDR section. Supernetting aggregates contiguous blocks upward into a larger covering prefix for route summarization. VLSM splits a block downward into smaller prefixes for efficient allocation. Both techniques are made possible by CIDR’s removal of classful boundaries.
Divide 10.0.0.0/24 into subnets sized for four different segments:
| Segment | Hosts Required | Subnet Assigned | Usable Range | Usable Hosts |
|---|---|---|---|---|
| Engineering | 50 | 10.0.0.0/26 | 10.0.0.1 to 10.0.0.62 | 62 |
| Marketing | 20 | 10.0.0.64/27 | 10.0.0.65 to 10.0.0.94 | 30 |
| Management | 10 | 10.0.0.96/28 | 10.0.0.97 to 10.0.0.110 | 14 |
| WAN link | 2 | 10.0.0.112/30 | 10.0.0.113 to 10.0.0.114 | 2 |
To verify the Engineering subnet allocation against the table above:
```shell
ipcalc 10.0.0.0/26
```

```text
Address:   10.0.0.0             00001010.00000000.00000000.00 000000
Netmask:   255.255.255.192 = 26 11111111.11111111.11111111.11 000000
Wildcard:  0.0.0.63             00000000.00000000.00000000.00 111111
=>
Network:   10.0.0.0/26          00001010.00000000.00000000.00 000000
HostMin:   10.0.0.1             00001010.00000000.00000000.00 000001
HostMax:   10.0.0.62            00001010.00000000.00000000.00 111110
Broadcast: 10.0.0.63            00001010.00000000.00000000.00 111111
Hosts/Net: 62                   Class A, Private Internet
```
Run the same command against each subnet in the VLSM table to confirm host ranges and broadcast boundaries before committing them to a configuration.
After these four subnets, addresses 10.0.0.116 through 10.0.0.255 remain unallocated and available for future segments.
To choose a prefix length from a host requirement, use the decision table in the “Calculating Usable Hosts from a Subnet Mask” section above.
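The VLSM procedure in this section (size each segment with the decision table, allocate largest first so every subnet lands on a boundary aligned to its own size, and account for what is left) as an added example that is not part of the original article. The segment names and host counts are the article's; the allocator, its overlap check, and the leftover reporting are this example's own, built on Python's standard `ipaddress` module.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix whose usable host count, 2^(32 - p) - 2, covers `hosts`.
    /30 is the longest prefix that still has a network and broadcast address."""
    if hosts < 1:
        raise ValueError("hosts must be >= 1")
    for prefix in range(30, -1, -1):
        if (1 << (32 - prefix)) - 2 >= hosts:
            return prefix
    raise ValueError("request exceeds the IPv4 address space")


def allocate_vlsm(parent: str, requests: dict) -> tuple:
    """Carve `parent` into one right-sized subnet per segment.

    Largest request first: a /26 taken before a /27 and /28 keeps every block
    aligned to its own size, which is what makes the later supernetting and
    firewall scoping clean. Returns (allocations, leftover CIDR strings)."""
    free = [ipaddress.ip_network(parent)]
    allocations = []
    for segment, hosts in sorted(requests.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        # The smallest free block that can still hold this subnet (lowest
        # address on a tie), so large leftovers survive for later segments.
        candidates = [n for n in free if n.prefixlen <= prefix]
        if not candidates:
            raise ValueError(f"no room left for {segment} ({hosts} hosts)")
        block = min(candidates, key=lambda n: (-n.prefixlen, int(n.network_address)))
        free.remove(block)
        # Split the block in half until it is the wanted size; each discarded
        # upper half goes back to the free list.
        while block.prefixlen < prefix:
            lower, upper = block.subnets(prefixlen_diff=1)
            free.append(upper)
            block = lower
        hosts_in_block = list(block.hosts())
        allocations.append({
            "segment": segment,
            "hosts_required": hosts,
            "subnet": str(block),
            "first_host": str(hosts_in_block[0]),
            "last_host": str(hosts_in_block[-1]),
            "usable": len(hosts_in_block),
        })
    # Merge adjacent leftovers into the largest covering blocks they can form.
    leftover = [str(n) for n in ipaddress.collapse_addresses(free)]
    return allocations, leftover


def verify_disjoint(allocations: list, parent: str) -> bool:
    """Every subnet lies inside the parent and no two subnets overlap: the
    precondition for peering, routing and firewall rules to be unambiguous."""
    parent_net = ipaddress.ip_network(parent)
    nets = [ipaddress.ip_network(a["subnet"]) for a in allocations]
    inside = all(n.subnet_of(parent_net) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


# The article's four segments (10.0.0.0/24 divided for four departments).
SEGMENTS = {"Engineering": 50, "Marketing": 20, "Management": 10, "WAN link": 2}

if __name__ == "__main__":
    allocs, free_blocks = allocate_vlsm("10.0.0.0/24", SEGMENTS)
    for a in allocs:
        print(f"{a['segment']:<12} {a['hosts_required']:>3} hosts -> {a['subnet']:<16} "
              f"{a['first_host']} to {a['last_host']} ({a['usable']} usable)")
    print("unallocated:", ", ".join(free_blocks))
    print("disjoint and inside parent:", verify_disjoint(allocs, "10.0.0.0/24"))
```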
IPv6 uses the same slash-based prefix notation as IPv4 CIDR, applied to 128-bit addresses. The concepts of network prefix, host portion, and subnet boundary all carry over directly.
An IPv6 address is 128 bits long, written as eight groups of four hexadecimal digits separated by colons, where hexadecimal uses digits 0-9 and letters a-f to represent values 0-15. A typical IPv6 address looks like this:
1203:8fe0:fe80:b897:8990:8a7c:99bf:323d
IPv6 was developed to replace IPv4 because the 32-bit address space was exhausted. Its 128-bit space provides approximately 3.4 × 10^38 addresses, more than 7.9 × 10^28 times the IPv4 total.
IPv6 allows a compact representation. Leading zeros within any group can be omitted. For example:
...:00bc:...
can be written as:
...:bc:...
A contiguous sequence of all-zero groups can be replaced with a double colon (::) once per address. For example:
...:18bc:0000:0000:0000:00ff:...
becomes:
...:18bc::ff:...
The :: replacement can only be applied once per address, or the full address cannot be reconstructed unambiguously.
The subnetting examples in this article use IPv4 because the smaller address space makes the binary calculations easier to follow. The same principles apply to IPv6.
IPv6 uses the same slash notation as IPv4. The prefix length specifies how many of the leading 128 bits are fixed as the network portion.
Common IPv6 CIDR examples:
- 2001:db8::/32 is the documentation prefix, defined by RFC 3849. It is used in examples and documentation and is not routed on the internet.
- 2001:db8:1::/48 is a typical site-level allocation. An ISP might assign a /48 to a customer site, leaving 16 bits for the customer to create up to 65,536 individual /64 subnets.
- 2001:db8:1:1::/64 is a standard single-subnet prefix.

The standard per-subnet prefix in IPv6 is /64. This leaves 64 bits for host addressing, providing 2^64 addresses per subnet. Stateless Address Autoconfiguration (SLAAC) and many DHCPv6 implementations require a /64 prefix to function correctly.
Dividing an IPv6 allocation works the same way as IPv4: borrow bits from the host portion to create more subnets. The difference is scale. Suppose an ISP assigns your site 2001:db8:1::/48. The first 48 bits are fixed. The standard subnet size is /64, so bits 49 through 64 (16 bits) are yours to number subnets, giving 2^16 = 65,536 possible /64 subnets:
2001:db8:1:0000::/64 first subnet
2001:db8:1:0001::/64 second subnet
2001:db8:1:0002::/64 third subnet
...
2001:db8:1:ffff::/64 last subnet (65,536th)
The fourth hextet (0000 through ffff) is the subnet ID. Each resulting /64 still contains 2^64 host addresses, so unlike IPv4 you typically don’t subdivide below /64 to conserve hosts on LANs. You usually stop at /64 because SLAAC and many DHCPv6 deployments require it, though point-to-point links are often numbered with prefixes like /127.
| Aspect | IPv4 | IPv6 |
|---|---|---|
| Address length | 32 bits | 128 bits |
| Notation | Dot-decimal | Colon-separated hexadecimal |
| Standard subnet prefix | /24 (common) | /64 (standard per-subnet) |
| Total address space | approximately 4.3 billion | approximately 3.4 × 10^38 |
| Private ranges | RFC 1918 (three ranges) | ULA fc00::/7 (RFC 4193) |
| Broadcast | Yes | No (replaced by multicast) |
| CIDR notation | Yes | Yes (same slash format) |
IPv6 Unique Local Addresses (ULA), defined in the fc00::/7 range by RFC 4193, are the IPv6 counterpart to RFC 1918 private addresses. They are not globally routed and are used for internal communication within a site or organization.
Subnetting and CIDR notation apply directly to configuring real infrastructure: cloud VPCs, office networks, and internet routing at scale.
A DigitalOcean VPC is a single private network defined by one CIDR block that you set at creation. Create one with doctl:
doctl vpcs create --name prod-vpc --region nyc1 --ip-range 10.10.0.0/16
Every Droplet, load balancer, and managed database placed in this VPC receives a private address from 10.10.0.0/16.
One planning detail matters: a DigitalOcean VPC is not subdivided into separately provisioned subnets the way an on-premises network or an AWS VPC is. You do not create 10.10.1.0/24 and 10.10.2.0/24 as distinct objects. Instead, you treat ranges within the block as a logical tiering convention and enforce the boundaries with cloud firewalls and tags:
| Tier | Convention range | Enforcement |
|---|---|---|
| Web | 10.10.1.0/24 | Droplets tagged web |
| Data | 10.10.2.0/24 | Droplets tagged data |
| Monitoring | 10.10.3.0/24 | Droplets tagged monitor |
The CIDR ranges are how you scope firewall rules. To allow only the web tier to reach the database tier on PostgreSQL’s port while blocking everything else, create a firewall scoped to the data tier:
doctl compute firewall create \
--name data-tier \
--inbound-rules "protocol:tcp,ports:5432,address:10.10.1.0/24" \
--tag-names data
This permits inbound 5432 only from 10.10.1.0/24 and drops traffic from any other range, including the monitoring tier. Confirm the exact rule syntax with doctl compute firewall create --help, since available flags vary by doctl version.
One constraint to plan for up front: two networks that need to communicate cannot use overlapping CIDR blocks. If a VPC uses 10.10.0.0/16 and a second VPC also uses 10.10.0.0/16, you cannot peer them or connect them over VPN, because a host has no unambiguous route to a destination that exists in both ranges. Assign each VPC, and each on-premises network you intend to connect, a distinct non-overlapping block from RFC 1918 space, for example 10.10.0.0/16 for one and 10.20.0.0/16 for another.
For full configuration options, see the DigitalOcean VPC documentation.
Most home routers assign addresses from 192.168.1.0/24 or 192.168.0.0/24, providing 254 usable host addresses. For a single household, this is more than sufficient.
A small office needing distinct segments for staff workstations, guest Wi-Fi, and IoT devices can use three /26 subnets carved from a single /24 parent block:
- 192.168.1.0/26 (62 usable hosts)
- 192.168.1.64/26 (62 usable hosts)
- 192.168.1.128/26 (62 usable hosts)

The fourth /26 block (192.168.1.192/26) remains available for future expansion or management interfaces.
Routers use CIDR to advertise a single covering prefix for a contiguous range of networks instead of advertising each one separately, reducing the size of the global routing table. Without this, a provider with 256 separate /24 networks would need 256 routing entries. With CIDR, if those networks are contiguous, a single covering block replaces all of them.
The /23 supernet example from the CIDR section illustrates this directly: 192.168.0.0/23 covers both 192.168.0.0 and 192.168.1.0 as a single routing entry. See that section for the binary walkthrough.
This aggregation mechanism, called route summarization, is fundamental to the scalability of the global internet routing table. The Border Gateway Protocol (BGP) uses CIDR longest-prefix matching to determine the most specific route for each destination.
A subnet mask and a CIDR prefix represent the same information in different formats. The subnet mask 255.255.255.0 and the CIDR prefix /24 both indicate that the first 24 bits of an IP address are the network portion. The CIDR prefix counts the number of consecutive 1-bits in the subnet mask written in binary. To convert between them: count the leading 1-bits in the mask’s binary representation to get the prefix length, or expand the prefix length to 32 bits (that many 1s followed by 0s) to get the mask.
A /24 subnet contains 256 total IP addresses (2^8). Two addresses are reserved: the network address (the first address, with all host bits set to 0) and the broadcast address (the last address, with all host bits set to 1). This leaves 254 usable host addresses, from .1 to .254 in the final octet.
Public IP addresses are globally routable on the internet. Private IP addresses are defined by RFC 1918 and are reserved for use within private networks: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Packets with private source addresses are not forwarded by internet routers. A host on a private network must communicate externally through a NAT gateway, which replaces the private source address with a public IP before forwarding the packet.
CIDR was introduced in 1993 (RFC 1519, later updated by RFC 4632) to solve two problems with classful IP addressing: the rapid exhaustion of Class B address blocks, which were too large for most organizations but were the only option between the too-small Class C and the very large Class A; and the unsustainable growth of internet routing tables as thousands of Class C blocks were individually advertised. CIDR allows IP address blocks to be allocated in arbitrary prefix lengths and enables route aggregation to reduce routing table size.
Variable Length Subnet Masking (VLSM) is the practice of applying different subnet prefix lengths to different subnets within the same address space. It is enabled by CIDR and allows network administrators to allocate IP space efficiently by sizing each subnet to its actual host requirements rather than using a uniform block size throughout. VLSM is not a separate protocol; it is a design practice made possible by removing classful boundaries.
IPv6 uses the same slash notation as IPv4 CIDR. For example, 2001:db8::/32 denotes a block where the first 32 bits are the network prefix. IPv6 addresses are 128 bits long, so a /64 prefix (the standard for a single IPv6 subnet) leaves 64 bits for host addressing, providing 2^64 addresses per subnet. IPv6 also defines its own private-equivalent address range: Unique Local Addresses (fc00::/7, RFC 4193).
In any subnet, the network address is the first IP in the range, with all host bits set to 0. It identifies the subnet itself and cannot be assigned to a host. The broadcast address is the last IP in the range, with all host bits set to 1. Packets sent to the broadcast address are delivered to every host within the subnet, and it also cannot be assigned to a host. The constraint applies to the first and last address of the specific subnet, not to any address whose final octet happens to be literally 0 or 255.
Apply a bitwise AND operation between the IP address and the subnet mask. The result is the network address of the subnet containing that IP. For example, 192.168.10.75 with mask 255.255.255.0 produces 192.168.10.0: the IP belongs to the 192.168.10.0/24 subnet. For a finer mask such as 255.255.255.192 (/26), the same bitwise AND identifies which of the four /26 subnets within a /24 contains the address.
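The following added example (not code from the page) carries out the mask-to-prefix conversion, the bitwise AND, the broadcast calculation, and the /26 carving from the small-office example above using only integer bit operations, so the binary mechanics are visible rather than hidden inside a library. It also applies the /31 exception noted at the start of the article. The function names are this example's own.

```python
# Subnet arithmetic from first principles: 32-bit integers and bit operations only.

def ip_to_int(ip):
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/24 -> 255.255.255.0: `prefix` leading 1-bits followed by 0-bits, in 32 bits."""
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask):
    """255.255.255.192 -> 26: count the 1-bits, rejecting non-contiguous masks."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix

def describe(ip, prefix):
    """Network, broadcast and usable host range of the subnet containing `ip`."""
    net = ip_to_int(ip) & ip_to_int(prefix_to_mask(prefix))  # bitwise AND with the mask
    bcast = net | (0xFFFFFFFF >> prefix)                      # all host bits set to 1
    if prefix >= 31:  # /31 (RFC 3021) and /32 reserve no network/broadcast address
        first, last, usable = net, bcast, bcast - net + 1
    else:
        first, last, usable = net + 1, bcast - 1, bcast - net - 1
    return {"network": int_to_ip(net), "broadcast": int_to_ip(bcast),
            "first_host": int_to_ip(first), "last_host": int_to_ip(last),
            "usable": usable}

def carve(parent_cidr, new_prefix):
    """Split a parent block into equal subnets, e.g. a /24 into four /26 blocks."""
    ip, p = parent_cidr.split("/")
    p = int(p)
    if new_prefix < p:
        raise ValueError("new prefix must be at least as long as the parent's")
    base = ip_to_int(ip) & ip_to_int(prefix_to_mask(p))
    step = 1 << (32 - new_prefix)  # addresses per child subnet
    return [f"{int_to_ip(base + i * step)}/{new_prefix}" for i in range(1 << (new_prefix - p))]
```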
This article covered IP addressing from the ground up. IPv4 addresses are 32-bit dot-decimal values organized into five historical address classes, with subnet masks defining the network and host boundary through bitwise AND. CIDR notation (RFC 4632) replaced those fixed class boundaries with arbitrary prefix lengths, enabling right-sized allocation and route aggregation. The full /0 to /32 reference table, VLSM for variable-length allocation within one address space, and IPv6’s application of the same slash notation to 128-bit addresses with a standard /64 per-subnet prefix complete the coverage.
With this foundation, you can design subnet allocations for any network size, verify host ranges and broadcast addresses from binary first principles, read and write CIDR blocks in routing configurations and firewall rules, and understand the rationale behind RFC 1918 private ranges and NAT requirements.
To explore these concepts interactively, CIDR.xyz translates between decimal IP addresses and binary octets and visualizes different CIDR netmasks. For networking fundamentals underlying these concepts, see the introduction to networking terminology referenced at the start of this article. If you are applying subnetting to DigitalOcean infrastructure, the DigitalOcean VPC documentation covers CIDR block selection, subnet configuration, and firewall rules for cloud private networks.
Former Senior Technical Writer at DigitalOcean, specializing in DevOps topics across multiple Linux distributions, including Ubuntu 18.04, 20.04, 22.04, as well as Debian 10 and 11.
Building future-ready infrastructure with Linux, Cloud, and DevOps. Full Stack Developer & System Administrator. Technical Writer @ DigitalOcean | GitHub Contributor | Passionate about Docker, PostgreSQL, and Open Source | Exploring NLP & AI-TensorFlow | Nailed over 50+ deployments across production environments.
So here are also some CCNA tutorials? This is Cisco and subnetting; I don’t understand why this is here on DigitalOcean.
It’s still very useful content for people who want to learn more about networking in general.
I don’t see any problem with this here - really I think it’s great that DigitalOcean is providing good resources for people new to the concepts behind server administration and networking.
Yes, agreed. I love learning new stuff, even if it isn’t directly applicable to my own work. I think having a basic concept of the internet is priceless for anyone interested in web development in any capacity.
You state somewhat early in this tutorial the following example, which is wrong:
To demonstrate the second case, if you have a range in an IPv6 address with multiple groups as zeroes, like this:
…:18bc:0000:0000:0000:00ff:…
You could compact this like so (also removing the leading zeros of the group like we did above):
However, this is wrong; you omitted a “:”, i.e.:

…:18bc::ff <======= wrong

The correct example should be as follows:

…18bc:::ff <======= correct
To demonstrate the second case, if you have a range in an IPv6 address with multiple groups as zeroes, like this:
…:18bc:0000:0000:0000:00ff:…
You could compact this like so (also removing the leading zeros of the group like we did above):
Note: the correct example should have three semicolons before the double f hex digits, your example currently only displays two.
I have one doubt about subnetting: when we divide a large network into small networks using subnetting, my question is, when there are different blocks with the same IP, will they communicate with each other? That is, can one block communicate with another block of the same subnet?

Assume CIDR /27:

192.168.1.62 (LAN interface with block size), 192.168.1.97 (serial router connected to another serial link)

Both IPs are in different blocks with the same CIDR value.