# Subnet

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/subnet

## Quick definition

A subnet is like a smaller neighborhood inside a larger city of network addresses. It helps organize and secure network traffic by grouping devices together logically. Subnets make networks faster and easier to manage by reducing the amount of broadcast traffic that each device must process. They are essential for efficient IP address use in both on-premises and cloud environments.

## Simple meaning

Imagine a giant apartment building with thousands of apartments. Each apartment has its own unique address, but if you wanted to deliver a message to every apartment at once, you would have to knock on every single door. That would be incredibly noisy and slow. Now, imagine that the building is divided into separate wings, each with its own floor and a set of apartments. If you only want to deliver a message to the apartments in the east wing, you only need to knock on doors in that wing. The rest of the building stays quiet. A subnet works exactly like that wing. In computer networking, a subnet is a smaller, isolated section of a larger network. The larger network is like the entire apartment building, and the subnet is the east wing. The main reason we create subnets is to control broadcast traffic. When a device sends a broadcast message (a message meant for every device on the network), that message is only forwarded within its own subnet. It does not go out to the rest of the network. This keeps the overall network from being overwhelmed with unnecessary chatter. Subnets also help with security. You can put sensitive devices, like a company's server holding payroll data, in a separate subnet that is protected by a firewall. Other devices on the general network cannot directly access that subnet unless they are given special permission. This is like having a VIP lounge inside the building that only certain people can enter. Subnets are defined by a subnet mask, which is a number that looks like 255.255.255.0. This mask tells the network which part of an IP address belongs to the larger network and which part belongs to the specific host (device). Think of it like a postal code that helps the mail service know which city and which neighborhood to deliver to. In cloud computing, like Amazon Web Services (AWS) or Microsoft Azure, subnets are used to organize virtual networks. You can place your web servers in one public subnet that is accessible from the internet, and your databases in a private subnet that is only accessible from your web servers. This is a fundamental best practice for building secure and scalable applications. Without subnets, every device would see every broadcast, and networks would quickly grind to a halt as they grew. Subnets are the reason that large organizations with thousands of computers can still function smoothly.

## Technical definition

A subnet is a logical subdivision of an Internet Protocol (IP) network. The process of dividing a network into subnets is called subnetting. Subnetting is a core function of the TCP/IP protocol suite and is essential for efficient IP address allocation, network management, and security. The network layer of the OSI model (Layer 3) is where subnetting operates. The fundamental mechanism behind subnetting is the use of a subnet mask, which is a 32-bit number that distinguishes the network portion of an IP address from the host portion. For example, the common subnet mask 255.255.255.0 indicates that the first 24 bits of the IP address represent the network, and the remaining 8 bits represent individual hosts. This is often written in CIDR (Classless Inter-Domain Routing) notation as /24. CIDR notation supplanted the older classful addressing system (Class A, B, C) because it allows for much more flexible and granular division of IP address space. Instead of being forced into only three fixed network sizes (Class A /8, Class B /16, Class C /24), network administrators can choose any prefix length, such as /27 (32 addresses) or /23 (512 addresses). Subnetting works by 'borrowing' bits from the host portion of the IP address to use as subnet bits. For instance, a Class C network of 192.168.1.0/24 (256 addresses) can be subnetted into two /25 subnets (128 addresses each), four /26 subnets (64 addresses each), or eight /27 subnets (32 addresses each). The number of usable host addresses in each subnet is always 2^(32-prefix length) minus 2. The subtraction of 2 accounts for the network address itself (all host bits set to 0) and the broadcast address (all host bits set to 1). These two addresses are reserved and cannot be assigned to a device interface. In practice, subnetting is implemented through routing. Routers maintain routing tables that include entries for each subnet. When a router receives an IP packet, it applies the subnet mask to the destination IP address to determine the network portion, and then looks up that network address in its routing table. If the destination is on a directly connected subnet, the router forwards the packet directly using ARP (Address Resolution Protocol) to find the destination MAC address. If the destination is on a different subnet, the router forwards the packet to the next-hop router. In virtualized environments such as AWS Virtual Private Cloud (VPC) or Azure Virtual Network (VNet), subnets are software-defined. Each subnet is associated with a route table and a network access control list (ACL). The route table dictates how traffic flows to and from the subnet. The network ACL acts as a stateless firewall at the subnet boundary, allowing or denying traffic based on IP addresses, ports, and protocols. Subnets can be designated as public (with a route to an internet gateway) or private (with no direct internet route). This allows cloud architects to create layered security zones. For example, a public-facing web server might reside in a public subnet, while a database server resides in a private subnet. The database subnet only allows traffic from the web server subnet, using both security groups and network ACLs. Subnetting also plays a critical role in IPv6, although the vast address space makes the need for conservation less urgent. In IPv6, subnetting is still used for network organization and security, and the default prefix length for a local network is typically /64. This provides an immense number of possible subnets. The standards governing subnetting are primarily defined in RFC 791 (Internet Protocol), RFC 950 (Internet Standard Subnetting Procedure), and RFC 4632 (Classless Inter-domain Routing). Understanding binary arithmetic is essential for mastering subnetting calculations, especially for exams like the CCNA, Network+, and AWS Solutions Architect. Being able to quickly calculate the number of subnets, hosts per subnet, valid host ranges, and broadcast addresses from a given IP address and subnet mask is a fundamental skill for any networking professional.

## Real-life example

Think of a large corporate office building that houses multiple departments: Sales, Engineering, HR, and IT. Each department has its own set of offices, and they all share the same main lobby and cafeteria. Now, imagine that the building has a central intercom system that allows anyone to broadcast a message to every room in the building. If someone in Sales wants to announce a team meeting, they press a button and everyone in the entire building hears the announcement, including the quiet Engineering team that is trying to focus. This creates constant noise and disruption. To solve this, the building management installs separate intercom zones on each floor. The Sales team is on the first floor, Engineering on the second, HR on the third, and IT on the fourth. Now, when Sales announces a meeting, only the rooms on the first floor hear it. The other floors remain quiet. This is exactly how subnetting works in a network. The building represents a large IP network. The individual floors are subnets. The intercom broadcast is a network broadcast. Before subnetting, a broadcast from one device would reach every device on the network, causing unnecessary traffic and slowing everything down. After subnetting, broadcasts are confined to the subnet where they originate. This is called a broadcast domain. Each subnet is its own broadcast domain. In the building analogy, the Sales floor is one broadcast domain, Engineering is another, and so on. The elevators and stairwells that connect the floors are like routers. A router is necessary to send traffic from one subnet (floor) to another. Without a router, devices on different subnets cannot communicate. So, if someone from HR needs to send a message to someone in IT, that data packet must travel through the router (the elevator) to get to the other floor. This analogy also helps explain network security. Suppose the HR office contains sensitive employee files. To protect those files, the building management installs a locked door at the entrance to the HR floor. Only people with a special keycard can enter. In networking terms, that locked door is a firewall placed between subnets. The HR subnet is a protected subnet. The firewall controls which traffic is allowed to enter the HR subnet from other subnets. Similarly, in cloud computing, you might put your database servers in a private subnet that is not directly accessible from the internet. Access to that subnet is strictly controlled by firewall rules, just like the locked door to the HR floor. The subnetting concept is so powerful because it allows network administrators to create order out of chaos. Without subnets, a growing network would be like a building where everyone shouts and no one can hear anything clearly. With subnets, communication becomes organized, efficient, and secure.

## Why it matters

Subnetting is not just an academic concept; it is a daily operational necessity in any environment with more than a handful of devices. For IT professionals, understanding subnets is essential for designing networks that are scalable, secure, and performant. Without subnetting, a network of 500 devices would be constantly overwhelmed by broadcast traffic. Every time a device sends an ARP request (asking 'who has this IP address?'), that request would be received by all 500 devices, clogging the network and wasting CPU cycles. Subnetting divides the network into smaller broadcast domains, so an ARP request from one subnet does not disturb devices in another subnet. This dramatically reduces unnecessary traffic and improves overall network performance. Subnetting also enables efficient use of IP addresses. With the exhaustion of IPv4 addresses, careful subnetting is crucial. Instead of assigning a full Class C /24 network to a small department that only needs 10 devices, you can assign a /28 subnet (16 addresses, 14 usable) and save the remaining addresses for other uses. Cloud providers like AWS and Azure enforce subnetting as a fundamental part of their virtual networking. When you create a VPC in AWS, you must define subnets. Your application's architecture, security, and availability directly depend on how you design those subnets. Miscalculating a subnet can lead to IP address exhaustion within the VPC, preventing you from launching new instances. It can also cause routing errors that break connectivity between application tiers. For system administrators, subnetting knowledge is critical for troubleshooting. When two devices cannot communicate, the first thing to check is whether they are on the same subnet. If they are not, the traffic must go through a router. If the router is misconfigured or the route tables are wrong, connectivity fails. Knowing how to read a routing table and understand subnet masks allows an administrator to quickly diagnose and fix such issues. In the context of IT certifications, subnetting is tested heavily because it is a foundational skill. The CompTIA Network+ exam, Cisco CCNA, AWS Solutions Architect, Azure Administrator, and Google Associate Cloud Engineer all include subnetting questions. These questions test not only your ability to perform binary calculations but also your understanding of how subnetting affects routing, security, and network design. A solid grasp of subnetting is therefore a gateway skill. Without it, you cannot progress to more advanced topics like VPNs, routing protocols, or cloud networking architectures. It is the bedrock upon which modern networking is built.

## Why it matters in exams

Subnetting appears in almost every major IT certification exam because it is a fundamental networking skill. In the CompTIA Network+ (N10-008) exam, subnetting is explicitly listed under Domain 1.0: Networking Fundamentals. You are expected to be able to calculate the number of hosts per subnet, the subnet mask, and the valid IP range. Questions often present a scenario like 'You need to subnet a /24 network into 4 subnets. What is the new subnet mask?' You must know that borrowing 2 bits gives a /26, or 255.255.255.192. The exam also tests your ability to identify the network address and broadcast address from a given IP and mask. For Cisco CCNA (200-301), subnetting is even more critical. The exam expects you to be able to subnet quickly without a calculator. You will need to determine the wildcard mask for EIGRP or OSPF network statements, calculate VLSM (Variable Length Subnet Mask) for different-sized subnets, and design addressing schemes for point-to-point links (which typically use a /30 or /31 mask). A common CCNA question is: 'Which subnet does host 192.168.1.67/27 belong to?' The answer is 192.168.1.64, with a broadcast address of 192.168.1.95. You must be fast and accurate. In AWS certifications (Cloud Practitioner, Solutions Architect, SysOps Administrator), subnetting appears in the context of VPC design. For example, 'You need to create a VPC with public and private subnets across two Availability Zones. How many subnets do you need?' The answer is at least 4: a public and a private subnet in each AZ. The exam also tests your understanding of how subnets interact with route tables, internet gateways, NAT gateways, and network ACLs. A typical scenario question might describe a case where an EC2 instance in a private subnet cannot reach the internet. You need to know that the private subnet does not have a route to an internet gateway, and instead needs a NAT gateway in the public subnet. The Azure Administrator (AZ-104) exam tests similar concepts. You must be able to plan and configure virtual networks (VNets) and subnets. Questions may ask about the number of subnets required for a given architecture, or how to ensure subnet addresses do not overlap when peering VNets. The Google Associate Cloud Engineer (ACE) exam also covers subnetting within the context of VPC networks. You need to understand how to create subnets, expand them, and use Private Google Access. For the Security+ exam, subnetting is less about calculation and more about understanding how subnets contribute to network segmentation as a security control. You might be asked, 'Which of the following is a benefit of subnetting?' and the correct answer would be 'Reduced broadcast traffic and increased security through network segmentation.' In the CompTIA A+ exam, subnetting appears at a very basic level. You might need to identify the purpose of a subnet mask or simply recognize that subnets separate network traffic. Even in the Azure Fundamentals (AZ-900) exam, the concept of subnets is tested as part of network security groups and virtual networks. Mastering subnetting is not optional for exam success. It is a high-weight topic. The ability to calculate subnets quickly and apply that knowledge to routing and security scenarios will directly translate to higher scores. The confidence you gain from mastering subnetting will carry over into more complex networking and cloud topics.

## How it appears in exam questions

Subnetting appears in exam questions in three main forms: calculation-based, scenario-design, and troubleshooting. Calculation-based questions are the most straightforward. They will give you an IP address and a subnet mask, and ask you to find the network address, broadcast address, or the number of usable hosts. For example, a Network+ question might be: 'Given the IP address 172.16.30.45/23, what is the broadcast address for the subnet?' To answer this, you need to realize that a /23 mask means the third octet has 7 bits for the network and 1 bit for the host. The network address is 172.16.30.0, and the broadcast address is 172.16.31.255. These questions test your binary math skills and your understanding of CIDR. Scenario-design questions are more complex and are common in AWS and Cisco exams. They present a business requirement and ask you to choose the best subnetting plan. For example, 'A company has a Class C network 192.168.1.0/24. They need to create 3 subnets, each with at least 50 hosts. Which subnet mask should they use?' The calculation shows that a /26 mask provides 62 hosts per subnet, which meets the requirement for 3 subnets. A /25 mask provides only 2 subnets, which is not enough. So the answer is /26 (255.255.255.192). Another example from AWS: 'You are designing a VPC for a three-tier application. You need a public subnet for web servers and two private subnets for application servers and databases. How many subnets should you create if you need high availability across two Availability Zones?' The answer is 6 subnets (2 public, 2 app, 2 db), one for each tier in each AZ. Troubleshooting questions test your ability to diagnose connectivity issues based on subnet misconfiguration. For instance, 'A user reports that they cannot access a server with IP 10.1.1.10 from their workstation with IP 10.1.2.20. Both are configured with a subnet mask of 255.255.255.0. What is the most likely cause?' The correct answer is that the two devices are on different subnets (10.1.1.0/24 vs 10.1.2.0/24), and there is no router configured between them, or the router does not have a route for the destination subnet. Another troubleshooting question might show you a routing table and ask which route will be used to reach a certain destination. You need to calculate the subnet for each route entry and determine the longest prefix match. For example, you have routes for 10.1.0.0/16 and 10.1.1.0/24. To reach 10.1.1.5, the /24 route is chosen because it is more specific (longer prefix). In cloud exams, you may be given a network ACL configuration and asked whether traffic from a specific source subnet will be allowed or denied. You must determine the subnet range from the source IP and mask. For example, 'A network ACL allows inbound traffic from 10.0.1.0/24. Will traffic from IP 10.0.2.5 be allowed?' The answer is no, because 10.0.2.5 is not within the 10.0.1.0/24 range. Comprehending these patterns is critical for exam success. Practicing with subnet calculators and memorizing powers of 2 is helpful, but the real skill is applying that knowledge to realistic scenarios.

## Example scenario

Your small business has grown from 10 computers to 50 computers. Initially, all computers were on the same network, 192.168.1.0/24, which gives 254 usable addresses. But now, the network has become slow because of too much broadcast traffic. The office has two departments: Sales and Accounting. The Sales team uses a lot of streaming video for client presentations, which generates unnecessary broadcasts that are received by Accounting computers, slowing down their work. You decide to split the network into two subnets: one for Sales and one for Accounting. You need each subnet to support at least 25 computers. The /24 network can be subnetted into two /25 subnets: 192.168.1.0/25 and 192.168.1.128/25. The first subnet (192.168.1.0/25) will be for Sales, with a usable address range of 192.168.1.1 to 192.168.1.126. The broadcast address for this subnet is 192.168.1.127. The second subnet (192.168.1.128/25) will be for Accounting, with a usable range of 192.168.1.129 to 192.168.1.254, and a broadcast address of 192.168.1.255. Now you need a router to connect these two subnets so that Sales and Accounting can still exchange emails and share files. You configure a router with two interfaces. Interface 1 has the IP 192.168.1.1 (usually the first usable address in the subnet) and is connected to the Sales switch. Interface 2 has the IP 192.168.1.129 and is connected to the Accounting switch. You also set the default gateway on all Sales computers to 192.168.1.1, and on all Accounting computers to 192.168.1.129. Now, when a Sales computer sends a broadcast, it only reaches other Sales computers. The Accounting network remains quiet. The performance improves significantly. You also add a firewall rule on the router to allow only specific traffic (like email and file sharing) between the two subnets, and you block other traffic. This provides security because Accounting's sensitive financial data is now isolated from the general Sales network traffic. This simple scenario demonstrates the core benefits of subnetting: performance improvement through reduced broadcast domains, and enhanced security through network segmentation.

## Subnet IP Addressing and CIDR Notation

A subnet, or subnetwork, is a logical subdivision of an IP network. The practice of dividing a network into subnets is called subnetting, and it is fundamental to modern networking and cloud architecture. Each subnet is defined by a Classless Inter-Domain Routing (CIDR) block, which specifies the range of IP addresses that belong to that subnet. For example, a CIDR block of 10.0.1.0/24 includes 256 possible IP addresses, from 10.0.1.0 to 10.0.1.255. Understanding CIDR notation is critical for both on-premises networking and cloud platforms like AWS and Azure. 

 In AWS, when you create a Virtual Private Cloud (VPC), you define a primary CIDR block, such as 10.0.0.0/16. You then create subnets within that VPC by specifying smaller CIDR blocks, like 10.0.1.0/24 for a public subnet and 10.0.2.0/24 for a private subnet. AWS reserves the first four IP addresses and the last IP address of each subnet for networking purposes. This means in a /24 subnet, the usable IP addresses are from .4 to .254. For the AWS Cloud Practitioner and AWS Solutions Architect exams, you must know that subnets are tied to a single Availability Zone and that each subnet must have a unique CIDR block within the VPC. 

 In Azure, subnets exist within a virtual network (VNet). The subnet CIDR block must be a subset of the VNet address space. Azure also reserves five IP addresses (first four and last one) in each subnet. For the Azure Administrator (AZ-104) and Azure Fundamentals exams, you need to understand that subnets can host resources like virtual machines and that network security groups (NSGs) can be associated with subnets to filter traffic. The key difference is that Azure does not have the concept of public and private subnets in the same way as AWS; instead, resources in a subnet get public IPs via a public IP address resource or a NAT gateway. 

 For CompTIA Network+ and Security+ exams, subnetting is a core skill. You must be able to calculate the number of hosts per subnet, the network address, broadcast address, and valid host ranges. For example, a /26 subnet provides 62 usable hosts (2^(32-26) - 2). The CCNA exam goes further into VLANs and routing between subnets. Understanding IP addressing ensures you can design efficient and secure networks, avoiding address exhaustion and ensuring proper isolation between different tiers of an application.

## Subnet Routing and Internet Access Patterns

One of the most crucial aspects of subnet design is controlling how traffic flows into and out of the subnet. In cloud environments, subnets are classified as public or private based on their connectivity to the internet. A public subnet has a route to an internet gateway, while a private subnet does not. This distinction is heavily tested in AWS exams, such as the AWS Certified Solutions Architect – Associate (SAA) and AWS SysOps Administrator. 

 In AWS, each subnet is automatically associated with a main route table, but you can create custom route tables and associate them with specific subnets. A public subnet’s route table has a default route (0.0.0.0/0) pointing to an Internet Gateway (IGW). Resources in that subnet, such as EC2 instances with public IPs, can directly communicate with the internet. In contrast, a private subnet’s route table typically has a route to a NAT Gateway or NAT instance for outbound internet access, but no direct inbound access from the internet. This setup is common for database servers or application servers that need to download updates but should not be directly accessible. 

 Azure follows a similar pattern but uses different terminology. Subnets in Azure are always private by default. To provide outbound internet access, you attach a NAT gateway or assign a public IP to a virtual machine. Inbound internet access is achieved by adding a public IP address to the VM and ensuring the subnet’s network security group (NSG) allows the traffic. For the AZ-104 exam, you must know how to configure a route table (called a User-Defined Route, or UDR) to override Azure’s default routing. For example, you can force all traffic from a subnet to go through a network virtual appliance (NVA) for inspection. 

 For CCNA and Network+ exams, routing between subnets is typically done by a router or a layer 3 switch. Each subnet corresponds to a different VLAN, and the router has an interface in each subnet. The default gateway for hosts in a subnet is the router’s IP address in that subnet. This concept is directly transferable to the cloud: in AWS, the VPC router handles inter-subnet routing automatically. However, you must ensure that route tables and network ACLs do not block traffic. For exam scenarios, you might be asked why an instance in a public subnet cannot reach the internet – the answer is usually a missing route to an IGW or a misconfigured security group. Understanding these routing patterns is essential for securing traffic and ensuring high availability.

## Subnet Security: Network ACLs and Security Groups

Security at the subnet level is a fundamental concern for any network architect. In AWS, subnets can be protected by Network Access Control Lists (NACLs), which are stateless firewalls that allow or deny traffic based on rules. NACLs operate at the subnet boundary, meaning they apply to all instances within the subnet. They support both allow and deny rules, and rules are evaluated in order from lowest to highest number. For example, a rule with number 100 is evaluated before rule 200. This is important for the AWS Cloud Practitioner and SAA exams, where you must know that NACLs are stateless, so you need to define both inbound and outbound rules separately. 

 Security Groups, on the other hand, operate at the instance level and are stateful. They only have allow rules, and if you allow inbound traffic, the outbound response is automatically allowed. Security Groups are assigned to network interfaces, not subnets. In exam scenarios, you might be asked why an instance can be reached from the internet even though the NACL is blocking the traffic – the answer is often that NACLs have an implicit deny at the end, so if no explicit allow rule exists, traffic is denied. For the Security+ exam, understanding the difference between stateless and stateful firewalls is key. Network ACLs are an example of a stateless firewall, and you must be able to configure access control lists on routers or firewalls. 

 Azure uses Network Security Groups (NSGs) which are similar to both NACLs and Security Groups combined. An NSG can be associated with a subnet or a network interface. It supports both inbound and outbound rules, which are stateful. However, Azure also supports Application Security Groups (ASGs) for grouping VMs by application tier. For the AZ-104 exam, you must know how to create NSG rules with priorities, source and destination IP ranges, and protocols. A common troubleshooting scenario is that a VM in a subnet cannot connect to another VM due to an NSG rule blocking traffic – the solution is to add a rule that allows the traffic. 

 For the Google ACE exam, VPC firewall rules are similar to AWS NACLs but they are stateful by default. They can be applied to the entire VPC or specific subnets. In all cloud platforms, the principle of least privilege applies: only allow traffic that is necessary for the application. For instance, a web server subnet should only allow traffic on ports 80 and 443 from the internet, while a database subnet should only allow traffic on port 3306 (MySQL) or 1433 (SQL Server) from the web server subnet. Understanding these access control mechanisms is critical for passing network-related exams and for designing secure cloud architectures.

## Subnet High Availability and Placement Strategies

High availability in cloud networking often depends on how subnets are distributed across Availability Zones (AZs). In AWS, each subnet is confined to a single AZ. To achieve fault tolerance, you should create subnets in at least two AZs. For example, a common architecture includes a public subnet in us-east-1a and another in us-east-1b, each with its own route to an internet gateway. Application instances are then launched in both subnets, and an Elastic Load Balancer (ELB) distributes traffic across them. This ensures that if one AZ experiences a failure, the application continues running in the other AZ. This pattern is heavily emphasized in the AWS Solutions Architect exams, where you must be able to design a multi-AZ architecture. 

 Azure uses a similar concept with Availability Zones. A subnet in Azure can span an entire region, but to achieve high availability, you should place VMs in different availability zones within the same subnet or across different subnets. However, Azure also supports Availability Sets, which are logical groupings of VMs that are placed in different fault domains. For the AZ-104 exam, you must know how to configure a load balancer to distribute traffic across VMs in different availability zones. The key point is that the subnet itself does not guarantee high availability; it is the placement of resources within subnets across multiple zones that provides resilience. 

 The Google ACE exam also tests this concept. In Google Cloud, subnets are regional resources, meaning they span all zones in a region. This is different from AWS and Azure. You can create a subnet in a specific region and then create VM instances in different zones within that same subnet. This simplifies network design because you don’t need to create separate subnets per zone. However, you still need to ensure that your application is deployed across multiple zones to handle zone failures. 

 For on-premises networking (Network+, CCNA), high availability is achieved through redundant routers, switches, and link aggregation. Subnets are often spread across multiple physical locations using VLANs and trunking. For example, a subnet can be extended across multiple buildings using a VPLS or MPLS network. In exam questions, you might be asked what happens when a subnet’s default gateway fails – the answer is that devices in that subnet lose connectivity to other subnets unless there is a virtual gateway protocol (like HSRP or VRRP) providing a redundant router. Understanding how subnets fit into a high-availability architecture is crucial for both cloud and traditional networking exams. The goal is always to eliminate single points of failure, and subnets play a key role in that strategy by providing isolation and redundancy.

## Common mistakes

- **Mistake:** Forgetting to subtract 2 for the network and broadcast addresses when calculating usable hosts.
  - Why it is wrong: The network address (all host bits 0) and broadcast address (all host bits 1) cannot be assigned to devices. Using the total number of addresses as usable leads to IP address conflicts and allocation errors.
  - Fix: Always remember the formula: Usable hosts = 2^(32 - prefix length) - 2. For a /24, that is 256 - 2 = 254 usable addresses.
- **Mistake:** Confusing the subnet mask with the wildcard mask used in routing protocols like OSPF.
  - Why it is wrong: A subnet mask uses 1 bits for the network portion and 0 bits for the host portion. A wildcard mask is the inverse: 0 for network and 1 for host. Using one in place of the other will cause incorrect route advertisements.
  - Fix: Remember that for a subnet mask, the network bits are 1. For a wildcard mask, subtract the subnet mask from 255.255.255.255. For example, /24 subnet mask = 255.255.255.0, wildcard = 0.0.0.255.
- **Mistake:** Assuming that subnets can be any size within a larger network with overlapping ranges.
  - Why it is wrong: Subnets must be non-overlapping. If you create a subnet of 10.1.0.0/24 and another of 10.1.0.0/25, the second subnet is entirely contained within the first, causing routing ambiguity.
  - Fix: Always plan your subnet allocation using a binary or visual diagram. Ensure that the network address ranges do not overlap. Start with the largest subnet first and assign smaller subnets from the remaining space.
- **Mistake:** Thinking that devices on the same subnet can communicate without a router regardless of the subnet mask configuration.
  - Why it is wrong: For two devices to be on the same subnet, they must have the same network address after applying the subnet mask. If the subnet masks are different, they may calculate different network addresses and attempt to send traffic to a gateway unnecessarily.
  - Fix: Ensure that all devices on the same physical or virtual segment are configured with the same subnet mask. Use consistent /24 for simplicity unless VLSM is required.
- **Mistake:** In cloud environments, placing all resources in a single large subnet instead of using multiple subnets for different tiers.
  - Why it is wrong: This violates the principle of least privilege and reduces security. All resources become accessible from each other, and there is no network boundary to enforce firewall rules.
  - Fix: In AWS or Azure, create separate subnets for web, application, and database tiers. Use network ACLs and security groups to control traffic between these subnets.

## Exam trap

{"trap":"The exam gives you an IP address like 192.168.1.5/23 and asks for the network address. You might calculate that /23 means the third octet has 7 bits for network and 1 for host, leading to a network address of 192.168.1.0. This is correct. But the trap is that some learners mistakenly think the network address is 192.168.0.0 because they think /23 applies to the second octet.","why_learners_choose_it":"Learners often confuse the bit boundary for Class C networks. They know that /24 is 255.255.255.0, and they think /23 is 255.255.254.0, which is correct. But they then misinterpret that the network bits in the third octet cover only the first 7 bits, and they assume the 8th bit rolls over to the next octet incorrectly.","how_to_avoid_it":"Practice with binary. Write out the third octet in binary. For 192.168.1.0/23, the third octet is 1, which in binary is 00000001. The /23 mask means the first 7 bits of the third octet are network bits (0000001), and the last bit is host. The network bits are 0000001, which is 2 in decimal? No, careful. The network address is the IP address with host bits set to 0. The host bit is the last bit, so set it to 0. That gives 0000000, which is 0. So the network address is 192.168.0.0. Wait, that is the trap. Actually, for 192.168.1.5/23, the network address is 192.168.0.0, not 192.168.1.0. The learner who says 192.168.1.0 is wrong. The correct answer is 192.168.0.0. That is the trap. Be careful: with a /23 mask, the third octet has only 7 network bits, so the network addresses increment in blocks of 2 (0,2,4,6...). 1 falls into the block starting at 0. So the network address is 192.168.0.0. Many people get this wrong because they intuitively think /23 still preserves the third octet at 1. Do the binary math."}

## Commonly confused with

- **Subnet vs VLAN:** A VLAN is a layer 2 concept that separates traffic on the same physical switch into different broadcast domains. A subnet is a layer 3 concept that separates IP networks. VLANs are often mapped 1:1 to subnets, but they are not the same thing. VLANs operate at the data link layer, while subnets operate at the network layer. (Example: You can have two VLANs on the same switch, each with its own /24 subnet. Devices in different VLANs need a router to communicate, even if they are on the same physical switch.)
- **Subnet vs CIDR block:** CIDR block is a notation that describes an entire IP address range, such as 10.0.0.0/16. A subnet is a specific subdivision of that CIDR block. The CIDR block is the parent network; the subnet is one of its children. For example, a /16 CIDR block can be broken into multiple /24 subnets. (Example: If you have a CIDR block of 10.0.0.0/16, you can create a subnet 10.0.1.0/24 within it. The CIDR block is the larger container, the subnet is a smaller piece.)
- **Subnet vs Network ACL:** A network ACL is a stateless firewall that controls traffic at the subnet level in cloud environments. The subnet itself is just the IP address range. The ACL is applied to the subnet to allow or deny traffic. The subnet determines the range; the ACL determines the rules. (Example: In AWS, you create a subnet 10.0.1.0/24. You then attach a network ACL to that subnet that allows HTTP traffic from the internet. The subnet is just the address space; the ACL is the security layer.)
- **Subnet vs Route table:** A route table contains rules that determine where network traffic goes from a subnet. The subnet defines the address space; the route table defines the pathways. Every subnet in a VPC must be associated with a route table. The subnet itself does not route; the route table does. (Example: In a VPC, a public subnet is associated with a route table that has a default route (0.0.0.0/0) pointing to an internet gateway. A private subnet has a route table with a default route pointing to a NAT gateway. The subnet is the same; the route tables differ.)

## Step-by-step breakdown

1. **Identify the network requirement** — Determine how many subnets you need and how many hosts each subnet must support. For example, you might need 4 subnets, each with at least 30 hosts. This drives the subnet mask selection.
2. **Choose a starting IP address range** — Select a network address block, typically a private IP range such as 192.168.1.0/24 or 10.0.0.0/16. The size of this block must be large enough to accommodate all the required subnets and hosts.
3. **Calculate the number of subnet bits needed** — Use the formula 2^n >= number of required subnets, where n is the number of bits borrowed from the host portion. For 4 subnets, n=2 (2^2=4). This increases the prefix length by 2, so a /24 becomes /26.
4. **Calculate the number of hosts per subnet** — With the new prefix length, calculate usable hosts: 2^(32 - prefix length) - 2. For a /26, that is 2^6 - 2 = 62 usable hosts. Ensure this meets your requirement (30 hosts, so 62 is sufficient).
5. **Determine the subnet increment** — The increment is the number of addresses in each subnet, which is 2^(32 - prefix length). For a /26, the increment is 64 addresses. This means each subnet starts at a multiple of 64 in the third octet (0, 64, 128, 192).
6. **List the subnet addresses** — For the 192.168.1.0/24 network with a /26 mask, the four subnets are: 192.168.1.0/26, 192.168.1.64/26, 192.168.1.128/26, and 192.168.1.192/26. Each has a usable host range and a broadcast address.
7. **Define the broadcast and usable host ranges** — For subnet 192.168.1.0/26, the network address is 192.168.1.0, the broadcast is 192.168.1.63, and the usable range is 192.168.1.1 through 192.168.1.62. Repeat for each subnet.
8. **Assign IP addresses to devices** — Assign a default gateway from the usable range (typically the first usable address, e.g., 192.168.1.1). Assign static IPs or let DHCP hand out addresses within the range. Ensure no two devices have the same IP.
9. **Configure routing between subnets** — Set up a router with an interface in each subnet, or enable IP routing on a layer 3 switch. Add routes so that traffic from one subnet can reach another. Typically, a default route points to the internet gateway.
10. **Apply security controls** — Add firewall rules, network ACLs, or security groups to control traffic between subnets. For example, allow web traffic from public subnet to private subnet but block direct SSH access.

## Practical mini-lesson

Subnetting is a skill that you will use every day as a network or cloud administrator. It is not just about passing exams; it is about designing efficient, secure, and scalable networks. In practice, you will rarely need to do binary math by hand, because tools like subnet calculators, cloud consoles, and IP address management (IPAM) software handle the heavy lifting. However, you must understand the underlying concepts to interpret subnet ranges, troubleshoot issues, and design architectures correctly. For example, when you create a VPC in AWS, you specify a CIDR block like 10.0.0.0/16. This gives you 65,536 total addresses (minus 5 reserved by AWS). You then create subnets within that VPC, specifying a smaller CIDR block for each. A common mistake is to create a VPC with a /16 CIDR, and then try to create a subnet with a /24 CIDR that is not within the VPC range. The subnet’s network address must be a subset of the VPC's CIDR. So if your VPC is 10.0.0.0/16, you can create a subnet 10.0.1.0/24 but not 10.1.0.0/24. In on-premises environments, you might use DHCP to automatically assign IP addresses within a subnet. The DHCP server must have a scope that matches the subnet range. If the scope is misconfigured, devices may get IP addresses that are outside the subnet, causing communication failures. For example, if your subnet is 192.168.1.0/24 but your DHCP server assigns a device 192.168.2.10, that device cannot communicate with others in the 192.168.1.0/24 subnet without a router. Another practical aspect is Variable Length Subnet Masking (VLSM). In a large organization, you have subnets of different sizes. A point-to-point link between two routers only needs 2 IP addresses, so you can use a /30 or /31 subnet. An office with 100 employees might need a /25 subnet. VLSM allows you to use different subnet masks in the same network to avoid wasting addresses. For instance, from a /24 network, you could create a /25 (126 hosts), two /26 (62 hosts each), and a /30 (2 hosts) for the router link. That totals 126+62+62+2 = 252 addresses, which fits within the 256 addresses of the /24. This is efficient and is a skill tested heavily in the CCNA exam. In cloud environments, subnets are also associated with availability zones. In AWS, each subnet must be in a single Availability Zone. This is crucial for high availability: if you deploy your application across two Availability Zones, you need a subnet in each zone. If you accidentally create both subnets in the same zone, you lose fault tolerance. Understanding this relationship is vital for architecting resilient systems. Finally, remember that subnets have reserved addresses. In AWS, the first 4 IP addresses and the last IP address of each subnet are reserved for networking purposes (for example, network address, VPC router, DNS, and future use). So your usable addresses are less than the theoretical maximum. Always account for cloud provider reservations when sizing your subnets. This practical knowledge separates a junior administrator from a senior engineer. The best way to master subnetting is to practice with real scenarios: create a VPC, manually assign CIDR blocks, try to ping between subnets, and observe the effect of route tables and ACLs. Hands-on experience solidifies the theoretical concepts.

## Commands

```
aws ec2 create-subnet --vpc-id vpc-12345678 --cidr-block 10.0.1.0/24 --availability-zone us-east-1a
```
Creates a new subnet in AWS with the specified VPC ID, CIDR block, and Availability Zone.

*Exam note: This command tests if you know that subnets are tied to a specific AZ. On the exam, you might be asked to create a subnet in a different AZ than the VPC's primary AZ.*

```
aws ec2 describe-subnets --filters Name=vpc-id,Values=vpc-12345678
```
Lists all subnets within a given VPC. Useful for verifying subnet configuration.

*Exam note: Used in exam scenarios to check if a subnet exists or to verify CIDR block assignments. Also tests knowledge of filters.*

```
aws ec2 modify-subnet-attribute --subnet-id subnet-abcdef12 --map-public-ip-on-launch
```
Enables auto-assign public IP for instances launched in this subnet, making it a public subnet.

*Exam note: Exams ask why an instance doesn't get a public IP – answer may be that this attribute is not set. Key for distinguishing public vs private subnets.*

```
az network vnet subnet create --name WebSubnet --resource-group myRG --vnet-name myVNet --address-prefixes 10.0.1.0/24
```
Creates a subnet within an Azure VNet with the given address prefix.

*Exam note: Azure AZ-104 asks about using address-prefixes (plural) because you can specify multiple prefixes. Also tests resource group and VNet association.*

```
az network nsg rule create --nsg-name WebNSG --resource-group myRG --name AllowHTTP --priority 100 --source-address-prefixes Internet --destination-port-ranges 80 --access Allow --protocol Tcp
```
Creates an NSG rule to allow HTTP traffic from the internet to the subnet where this NSG is attached.

*Exam note: Tests knowledge of NSG priority, protocol, and source/destination addressing. A common scenario in AZ-104 is creating rules for web servers.*

```
gcloud compute networks subnets create my-subnet --network my-vpc --region us-east1 --range 10.0.1.0/24
```
Creates a regional subnet in Google Cloud with the specified CIDR range.

*Exam note: Google ACE exam tests that subnets are regional, not per-zone. Contrasts with AWS. Also tests the --range flag for IP allocation.*

```
ipconfig (Windows) or ifconfig (Linux) to check subnet mask and default gateway
```
A basic command to view the IP configuration of a host, including its subnet mask and gateway.

*Exam note: Network+ and Security+ exams use this to test understanding of how hosts determine if a destination is on the same subnet or requires a gateway.*

```
route print (Windows) or ip route (Linux) to view the routing table
```
Displays the routing table, which shows all known subnets and the next hop for each.

*Exam note: CCNA and Network+ tests often ask you to interpret a routing table to find the correct route for a given subnet.*

## Troubleshooting clues

- **Instance in public subnet cannot reach the internet** — symptom: Ping to 8.8.8.8 fails, web browser cannot load external pages.. The subnet's route table may be missing a default route 0.0.0.0/0 to an Internet Gateway, or the instance does not have a public IP address. (Exam clue: Exam questions often present this scenario to test whether you check the route table and the 'auto-assign public IP' attribute of the subnet.)
- **Cannot ping an instance in a different subnet within the same VPC** — symptom: Ping request times out, but both instances show as running.. The security group or network ACL of the destination instance may be blocking ICMP traffic. Also, the route tables must allow traffic between subnets (VPC router does this automatically). (Exam clue: Exams use this to test that security groups are stateful while NACLs are stateless; you must allow both inbound and outbound ICMP in NACLs for the response to flow back.)
- **Azure VM cannot connect to the internet after attaching a public IP** — symptom: Remote desktop works but browsing the web fails.. The subnet's NSG may not have an outbound rule allowing internet traffic. Azure requires explicit outbound rules in NSGs for outbound internet access, or you need a NAT gateway. (Exam clue: AZ-104 questions test that NSGs are stateful for inbound traffic but outbound traffic still needs a rule if you want to restrict it. The default outbound rule allows internet traffic unless overridden.)
- **Subnet size too small for required number of instances** — symptom: When creating a new instance, AWS or Azure throws an error saying no available IP addresses.. The subnet's CIDR block provides a limited number of usable IPs. For example, a /28 subnet has only 11 usable IPs. You need to choose a larger CIDR or create a new subnet. (Exam clue: Exam questions test your ability to calculate the number of usable hosts in a subnet. They may ask what subnet size to use for a given number of instances.)
- **Google Cloud VM in a subnet cannot communicate with another region's resources** — symptom: Connection timed out, ping fails across regions.. By default, Google Cloud subnets within a VPC are global, but traffic between different VPCs or regions requires VPC peering or Cloud VPN. The subnet itself does not automatically route across regions. (Exam clue: Google ACE exam tests that VPCs are global but subnets are regional. If you need cross-region connectivity, you must set up peering or a VPN.)
- **On-premises host cannot reach a subnet after changing subnet mask** — symptom: Ping fails, traceroute shows no route to the destination.. Changing the subnet mask changes the range of IPs that are considered local. If the mask is too narrow, the host may think the destination is on a different subnet and send traffic to the default gateway incorrectly. (Exam clue: Network+ exams test how subnet masks affect routing decisions. A common question is why a host cannot communicate after a mask change – answer is that the network ID changed.)
- **Subnet routes are being ignored and traffic goes through default route** — symptom: Traffic to a specific subnet is not going through the intended VPN or firewall.. The route table has a more specific route (e.g., /32 host route) that takes precedence, or there is a route with a lower metric pointing elsewhere. (Exam clue: CCNA exam tests longest prefix match and administrative distance. A question may show a routing table and ask why traffic for a /24 subnet is going through a different next hop.)
- **AWS VPC subnets cannot communicate after adding a network ACL rule** — symptom: Instances in different subnets cannot communicate even though security groups allow it.. NACLs are stateless and require both inbound and outbound rules for traffic. If you added a rule that blocks traffic on a specific port, or forgot to add an outbound rule for the response, communication will fail. (Exam clue: AWS exam questions often ask why a NACL rule broke connectivity between subnets. The answer is usually a missing outbound allow rule for the response traffic.)

## Memory tip

To find the network address for a given IP and mask, convert the mask to binary and do a bitwise AND. To find the broadcast, set all host bits to 1. Remember: 'AND for network, OR for broadcast.'

---

Practice questions and the full interactive page: https://courseiva.com/glossary/subnet
