Network segmentation, dividing a network into isolated subnets with controlled communication paths between them, is one of the most effective architectural controls for limiting the blast radius of a security breach. When an attacker compromises a single host in a flat, unsegmented network, every other host shares the same IP subnet and nothing filters traffic between them, so lateral movement is straightforward. In a properly segmented network, a compromised workstation cannot directly initiate connections to database servers, management interfaces, or production systems because firewall rules between segments deny those connection paths.
Compliance frameworks and security standards mandate network segmentation for specific data types. PCI-DSS requires that the cardholder data environment (CDE) be isolated from all other network segments, with strictly controlled and audited communication paths to and from the CDE. HIPAA-regulated environments must protect ePHI through access controls that network segmentation enables. NIST Cybersecurity Framework and CIS Controls both include network segmentation as a foundational security control. Understanding the mathematics of subnetting is a prerequisite for designing and implementing these segmentation architectures, reading and writing firewall access control lists, and interpreting the network ranges that appear in security alerts and SIEM data.
- Segmentation limits lateral movement: a compromised host cannot reach systems on other segments
- PCI-DSS mandates CDE isolation — the cardholder data environment must be a separate network segment
- Firewall rules between segments control and log all inter-segment traffic flows
- Zero-trust architectures use micro-segmentation to enforce per-workload communication policies
- Subnetting knowledge is required to read firewall ACLs, interpret security alerts, and design architectures
An IPv4 address is a 32-bit binary number expressed in dotted decimal notation as four octets separated by periods. Each octet represents 8 bits and ranges from 0 to 255 in decimal (00000000 to 11111111 in binary). The 32-bit address is divided into two portions by the subnet mask: the network portion, which identifies the specific subnet, and the host portion, which identifies a specific device within that subnet. All devices on the same subnet share the same network portion and differ only in their host portion. The number of bits in the network portion is determined by the subnet mask.
Before 1993, IPv4 addresses were allocated in three fixed classes: Class A (networks with a /8 mask, 16 million host addresses), Class B (/16 mask, 65,536 host addresses), and Class C (/24 mask, 256 host addresses). This classful allocation system was extremely wasteful — an organization needing 300 host addresses would receive a Class B network with 65,536 addresses. Classless Inter-Domain Routing (CIDR), introduced in RFC 1519 in 1993, replaced the fixed class boundaries with variable-length subnet masks, allowing network blocks of any power-of-two size. CIDR notation appends the prefix length — the number of network bits — to the address using a slash: 192.168.1.0/24 means a 24-bit network prefix.
- 32-bit IPv4 address expressed as four 8-bit octets in dotted decimal: 0.0.0.0 to 255.255.255.255
- Subnet mask divides the address into network portion and host portion
- Classful addressing (pre-1993): fixed /8, /16, /24 boundaries — replaced by CIDR in 1993
- CIDR notation: 192.168.1.0/24 — the number after the slash is the number of network bits
- CIDR enables any power-of-two subnet size, eliminating the waste of classful allocation
A subnet mask is a 32-bit value where all network bits are set to 1 and all host bits are set to 0. The CIDR prefix length is simply the count of consecutive 1 bits from the left. A /24 prefix means 24 network bits (all ones) and 8 host bits (all zeros), corresponding to the dotted-decimal mask 255.255.255.0. A /16 prefix corresponds to 255.255.0.0 with 16 network bits and 16 host bits. To determine the subnet mask from a CIDR prefix, mentally (or mathematically) fill the mask with 1 bits from the left until reaching the prefix length, then fill the remainder with 0 bits, and convert each 8-bit group to decimal.
Variable-Length Subnet Masking (VLSM) is the practice of using different subnet sizes within the same network space to allocate address space efficiently. Rather than assigning all subnets a uniform /24, a network administrator using VLSM might allocate a /26 for a segment needing 60 hosts, a /28 for a DMZ needing 14 hosts, and a /30 for a point-to-point WAN link needing only 2 hosts — all from the same parent /24 address block. This efficient use of address space is critical for organizations with limited IPv4 allocations and is also relevant for designing clean, readable addressing schemes that facilitate firewall rule management.
- /24 = subnet mask 255.255.255.0 — 256 total addresses, 254 usable hosts per subnet
- /16 = subnet mask 255.255.0.0 — 65,536 total addresses, 65,534 usable hosts per subnet
- /8 = subnet mask 255.0.0.0 — over 16 million total addresses, typically used by large organizations
- VLSM: use different prefix lengths within the same parent block to allocate address space efficiently
- To convert /27 to mask: fill 27 bits with 1s, 5 bits with 0s = 11111111.11111111.11111111.11100000 = 255.255.255.224
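The VLSM allocation described above (a /26, a /28 and a /30 carved from one parent /24) can be automated. The following is an added example, not code from the original page: it sizes each request to the smallest prefix with enough usable hosts, places the largest blocks first so every subnet lands on a boundary aligned to its own size, and returns the free space left over. The parent block 10.10.5.0/24 and the segment names are assumed for illustration.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix whose usable host count (2^h - 2) covers `hosts`.

    /31 and /32 are deliberately excluded: this sizes ordinary segments, not
    RFC 3021 point-to-point links or host routes.
    """
    host_bits = 2
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def vlsm_allocate(parent: str, requests):
    """Carve variable-length subnets from `parent`.

    `requests` is a list of (name, hosts_needed). Returns (allocations, free)
    where allocations is a list of (name, ip_network) and free is the list of
    unallocated blocks remaining in the parent, sorted by address.
    """
    parent_net = ipaddress.ip_network(parent, strict=True)
    sized = []
    for name, hosts in requests:
        prefix = prefix_for_hosts(hosts)
        if prefix < parent_net.prefixlen:
            raise ValueError(f"{name}: {hosts} hosts does not fit in {parent_net}")
        sized.append((name, prefix))
    # Largest block first (smallest prefix) keeps every allocation aligned and
    # avoids fragmenting the parent with small subnets scattered through it.
    sized.sort(key=lambda item: item[1])

    free = [parent_net]
    allocations = []
    for name, prefix in sized:
        for idx, block in enumerate(free):
            if block.prefixlen <= prefix:
                # Take the lowest-addressed piece of the right size from this
                # free block; address_exclude yields the pieces left over.
                chosen = next(block.subnets(new_prefix=prefix))
                leftover = list(block.address_exclude(chosen))
                free[idx:idx + 1] = sorted(leftover, key=lambda n: int(n.network_address))
                allocations.append((name, chosen))
                break
        else:
            raise ValueError(f"{name}: no free /{prefix} left in {parent_net}")
    return allocations, free


def no_overlap(allocations) -> bool:
    """True when no two allocated subnets overlap (sanity check for the plan)."""
    nets = [net for _, net in allocations]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    # Constructed request list matching the text: 60 users, 14 DMZ hosts, one WAN link.
    plan, remaining = vlsm_allocate("10.10.5.0/24", [("users", 60), ("dmz", 14), ("wan-link", 2)])
    for name, net in plan:
        print(f"{name:10s} {net}  ({net.num_addresses - 2} usable hosts)")
    print("free:", ", ".join(str(n) for n in remaining))
```

Running it yields users 10.10.5.0/26, dmz 10.10.5.64/28 and wan-link 10.10.5.80/30, with 10.10.5.84/30, 10.10.5.88/29, 10.10.5.96/27 and 10.10.5.128/25 still free. Feeding the requests in the opposite order would produce the same result because of the largest-first sort; without that sort a /30 placed at the bottom of the block would force the /26 up to .64 and waste the space in between.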
Given any IP address and subnet mask, you can calculate all subnet parameters mathematically. The network address is obtained by performing a bitwise AND operation between the IP address and the subnet mask: every bit in the IP address that corresponds to a 0 bit in the mask is cleared. For example, the network address of 192.168.1.75/26 is 192.168.1.64 (the 26-bit mask is 255.255.255.192, or binary ...11000000; AND with 75 = binary ...01001011 gives ...01000000 = 64). The broadcast address is obtained by setting all host bits to 1: 192.168.1.64 with 6 host bits = 192.168.1.127. Usable hosts are all addresses between the network address (exclusive) and the broadcast address (exclusive): 192.168.1.65 through 192.168.1.126 = 62 usable hosts.
The formula for usable hosts in a subnet is 2 raised to the power of the number of host bits, minus 2 (subtracting the network address and broadcast address). For a /26, there are 6 host bits (32 - 26 = 6), so 2^6 = 64 total addresses, minus 2 = 62 usable hosts. For a /28, there are 4 host bits, so 2^4 = 16 total addresses, minus 2 = 14 usable hosts. For a /30, there are 2 host bits, so 2^2 = 4 total addresses, minus 2 = 2 usable hosts — appropriate for point-to-point links with one address on each end. For a /32, there are 0 host bits — a single host address used for loopbacks and host routes.
- Network address: IP AND mask — all host bits cleared; identifies the subnet itself
- Broadcast address: network address OR inverted mask — all host bits set; used for subnet-wide broadcasts
- Usable hosts: 2 raised to (32 - prefix length) minus 2
- /26 example: 64 addresses, 62 usable hosts — in the 192.168.1.64/26 block above, network .64 and broadcast .127 are reserved
- /30 example: 4 addresses, 2 usable hosts — standard for point-to-point WAN links
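The arithmetic in the preceding paragraphs (mask from prefix length, network address by AND, broadcast by OR with the inverted mask, usable-host count) carried out in code. This is an added example, not code from the original page; it does the bit operations by hand on 32-bit integers, covers the /31 and /32 cases where the "minus 2" rule does not apply, and cross-checks every result against Python's standard `ipaddress` module. The function and variable names are the example's own.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 text -> 32-bit integer (each octet is one 8-bit group)."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """`prefix` leading 1 bits followed by 0 bits: /27 -> 255.255.255.224."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr: str) -> dict:
    """All subnet parameters for an address written as a.b.c.d/prefix."""
    ip_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    ip = to_int(ip_text)
    mask = mask_from_prefix(prefix)
    host_bits = 32 - prefix

    network = ip & mask                          # clear every host bit
    broadcast = network | (~mask & 0xFFFFFFFF)   # set every host bit
    total = 1 << host_bits                       # 2^(host bits)
    if host_bits >= 2:
        usable = total - 2                       # minus network and broadcast
        first_host, last_host = network + 1, broadcast - 1
    else:
        # /31 (RFC 3021) and /32 reserve nothing: 2 and 1 usable addresses.
        usable = total
        first_host, last_host = network, broadcast

    return {
        "prefix": prefix,
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(first_host),
        "last_host": to_dotted(last_host),
        "total": total,
        "usable": usable,
    }


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both addresses share the network portion under the given prefix,
    i.e. they could reach each other without crossing a router or firewall."""
    mask = mask_from_prefix(prefix)
    return (to_int(ip_a) & mask) == (to_int(ip_b) & mask)


def matches_ipaddress_module(cidr: str) -> bool:
    """Cross-check the hand-rolled arithmetic against the standard library."""
    info = subnet_info(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (info["network"] == str(net.network_address)
            and info["broadcast"] == str(net.broadcast_address)
            and info["mask"] == str(net.netmask)
            and info["total"] == net.num_addresses)


if __name__ == "__main__":
    for key, value in subnet_info("192.168.1.75/26").items():
        print(f"{key:10s} {value}")
```

For 192.168.1.75/26 the block reports mask 255.255.255.192, network 192.168.1.64, broadcast 192.168.1.127, hosts .65 through .126 and 62 usable addresses, matching the worked example in the text. `same_subnet` is the question a firewall never sees: two hosts in the same segment talk directly, so segmentation only helps when the hosts you want to keep apart fail that test.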
Security network architects use specific subnet sizes for specific purposes, and familiarity with these conventions makes reading firewall rules and network diagrams much faster. A /24 provides 254 usable host addresses and is the standard size for general office LAN segments, where all workstations in a single floor or department share a subnet. A /25 provides 126 hosts and is useful when you want to divide a /24 into two halves for different user groups or security zones. A /26 provides 62 hosts, suitable for smaller departments or server clusters. A /27 provides 30 hosts, often used for isolated server groups or IoT device segments.
For smaller, more controlled segments, a /28 provides 14 usable hosts — ideal for DMZ segments hosting a small number of public-facing servers, management network jump-host segments, or small server clusters. A /29 provides 6 usable hosts and is useful for very small isolated groups of servers. A /30 is the point-to-point WAN standard with exactly 2 usable hosts. A /31 (per RFC 3021) provides 2 usable hosts with no network or broadcast address reserved, and is the modern choice for point-to-point links. A /32 represents a single specific host and is used for loopback addresses, host routes injected into BGP, and host-specific firewall rules. Understanding these conventions instantly communicates the purpose and scale of a network segment when reading infrastructure documentation.
- /24 — 254 hosts: standard LAN segment, typical office floor or department network
- /26 — 62 hosts: medium server cluster or isolated workstation group
- /28 — 14 hosts: DMZ segment, management network, or small server farm
- /30 — 2 hosts: point-to-point WAN links (router-to-router connections)
- /32 — 1 host: loopback interfaces, host-specific routes, and firewall host rules
A layered security network architecture typically includes several discrete segments with controlled inter-segment traffic. The DMZ (demilitarized zone) segment contains public-facing servers — web servers, mail gateways, authoritative DNS servers — and is typically a /28 allowing up to 14 servers. The firewall permits inbound traffic from the internet to specific DMZ services and restricts DMZ servers from initiating connections to internal networks except as explicitly required. The workstation segment, typically a /24 or larger, contains end-user devices and is permitted outbound access to approved internet destinations and specific application servers, but cannot initiate connections to the server or management segments.
The RFC 1918 private address space — 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 — is used for all internal network segments. The 10.0.0.0/8 range is the most flexible with over 16 million addresses, making it the standard choice for large enterprise networks that need many subnets. In IPv6 environments, ISPs typically assign a /48 (sometimes a /56) to each customer, and network architects subdivide it into /64 subnets for individual LAN segments — each /64 contains 2^64 addresses, more than sufficient for any LAN. The management network, containing out-of-band management interfaces for switches, routers, and servers, should be isolated in a dedicated /28 or /27 accessible only from a designated jump host.
- DMZ: /28 for public-facing servers; firewall restricts DMZ from initiating internal connections
- Workstation segment: /24 with outbound internet access; no direct access to production servers
- Management network: /28 isolated segment; accessible only from a dedicated jump host
- RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 — use for all internal segments
- IPv6 LAN standard: /64 per segment from ISP-allocated /48 — each /64 has sufficient addresses for any LAN
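The segment layout and inter-segment policy described above, turned into a check that can be run over firewall logs. This is an added example, not code or policy from the original page: the addressing plan (a /28 DMZ, /24 workstation and server segments, a /28 management segment with a /32 jump host), the allowed-flow table and the log lines are all constructed for illustration. It maps each address to its segment by longest-prefix match, treats anything outside the zone table and outside RFC 1918 as the internet, and reports flows the firewall allowed that the segmentation policy says should have been denied, which is exactly the kind of misconfiguration a reviewer wants to find before an attacker does.

```python
import ipaddress
import re

# Constructed addressing plan (assumed for this example, not from the page).
ZONES = {
    "dmz":         ipaddress.ip_network("10.0.1.0/28"),
    "workstation": ipaddress.ip_network("10.0.10.0/24"),
    "servers":     ipaddress.ip_network("10.0.20.0/24"),
    "management":  ipaddress.ip_network("10.0.250.0/28"),
    "jump":        ipaddress.ip_network("10.0.250.2/32"),   # inside management
}
# Longest prefix first so the /32 jump host wins over the /28 it sits in.
ZONE_ORDER = sorted(ZONES.items(), key=lambda kv: kv[1].prefixlen, reverse=True)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Which segment may *initiate* connections to which; everything else is denied.
ALLOWED_FLOWS = {
    ("internet", "dmz"),          # published services only
    ("dmz", "servers"),           # assumed: app tier behind the DMZ
    ("workstation", "internet"),
    ("workstation", "servers"),
    ("workstation", "jump"),      # admins reach management only via the jump host
    ("jump", "management"),
}


def zone_of(ip_text: str) -> str:
    """Segment name for an address: longest-prefix match, then RFC 1918, then internet."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONE_ORDER:
        if ip in net:
            return name
    if any(ip in net for net in RFC1918):
        return "unassigned-private"   # private space with no segment: worth a look
    return "internet"


def flow_permitted(src_ip: str, dst_ip: str) -> bool:
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True   # same segment: the traffic never reaches the firewall
    return (src, dst) in ALLOWED_FLOWS


# Minimal key=value firewall log format, constructed for the example.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def find_policy_violations(log_lines):
    """(src, src_zone, dst, dst_zone, dport) for every ALLOW the policy forbids."""
    violations = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue   # unparseable line: skip, do not silently treat as clean
        if m["action"] == "ALLOW" and not flow_permitted(m["src"], m["dst"]):
            violations.append((m["src"], zone_of(m["src"]),
                               m["dst"], zone_of(m["dst"]), int(m["dport"])))
    return violations


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z fw1 src=198.51.100.7 dst=10.0.1.5 dport=443 action=ALLOW",
    "2024-01-01T10:00:02Z fw1 src=10.0.10.23 dst=10.0.20.8 dport=443 action=ALLOW",
    "2024-01-01T10:00:03Z fw1 src=10.0.1.5 dst=10.0.250.3 dport=22 action=ALLOW",
    "2024-01-01T10:00:04Z fw1 src=10.0.10.23 dst=10.0.250.3 dport=22 action=DENY",
    "2024-01-01T10:00:05Z fw1 src=10.0.10.44 dst=10.0.250.2 dport=22 action=ALLOW",
    "2024-01-01T10:00:06Z fw1 src=10.0.20.8 dst=10.0.10.23 dport=445 action=ALLOW",
    "2024-01-01T10:00:07Z fw1 daemon restarted",
]

if __name__ == "__main__":
    for src, sz, dst, dz, port in find_policy_violations(SAMPLE_LOG):
        print(f"VIOLATION {src} ({sz}) -> {dst} ({dz}) port {port}")
```

On the sample log the block flags two lines: a DMZ host opening SSH to a management interface, and a server opening SMB back to a workstation. Both were allowed by the firewall and denied by the policy, so either a rule is wrong or the segment boundaries do not match the addressing plan. The same `zone_of` lookup is what turns a bare IP in a SIEM alert into "which segment, and should it be talking to that one at all".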