Why Subnetting Isn’t Hard (If You’re the GOAT)

Anand Darshan

I am writing this article for those who’ve put a decent amount of time and effort into mastering subnetting but still struggle with it.

Subnetting is one of those topics in networking that many struggle with, beginners and even experienced professionals alike.

I’ve taken multiple courses, and with each one, a new piece of subnetting clicked into place. Eventually, I came across a way of organizing and visualizing subnetting that finally helped everything fall into place.

This article shares that exact method. It’s not another subnetting basics guide; it’s a cheat sheet-based approach for people who understand the theory but struggle when solving actual questions.

A better pentester would not skip subnetting, because it gives them an edge in understanding and mapping out the given network.

“You can break a thing better, if you know where all its joints are.”

What can you expect from this article?

The article doesn’t aim to teach the networking foundations or the topic “Subnetting” itself from scratch to the readers. It instead jumps straight into the Cheat Sheet for subnetting.

The article first shows how to build this cheat sheet from scratch in such a way that it’s easy to remember.

My personal claim is that the reader should be able to create this cheat sheet table from scratch in almost 5 minutes, for any exam or for any network environment they’ve been given access to for testing.

Then the article walks readers through some networks and solves subnetting questions on them. In the process you’ll understand the maths of subnetting, all while referring to this cheat sheet table and a method ( discussed while solving the questions ), so that you too can build the table from scratch in the exams you’re preparing for or on the network you’re testing, and refer to it to solve the given problems correctly.

Who Is This Article For?

This article is not for complete beginners. It’s written for readers who:

  • Already know the fundamentals of IP addressing, subnetting, CIDR, and subnet masks

  • Understand the difference between public/private IPs, the OSI/TCP-IP models, MAC vs IP, etc.

  • Have studied subnetting but still struggle with solving real subnetting questions, especially under pressure (like in exams or CTFs)

If you haven’t reviewed subnetting in a while, I recommend giving yourself a quick refresher before continuing.

Suggestion

If you’ve decided to read this, commit to going through it thoroughly and slowly. Don’t skim.

Practice the questions and follow the cheat sheet creation process. Trust me, by the end, things will start clicking like never before.

Creating the Cheat Sheet


So in this section you’ll learn how to create this cheat sheet.

You might be wondering, “why would I need to know that? I can just create this by memorizing it”, and you’re correct to think so. Still, I personally believe that if somebody tries to mug this table up without noticing the pattern, there’s a high probability they will mess things up while creating the table, and in any exam with subnet questions that would be too bad.

This section intends to make the pattern known to the readers so that it becomes easy to memorize. This way readers won’t be afraid of creating the whole table; their mind will be focused on memorizing the initial pattern, which makes the entire table fall into place without them trying to recall anything.

It becomes that easy with this table in hand. So shall we start now?

First open up an MS Excel sheet; this is where we’ll work.

The first pattern: CIDR bits

We start by writing down the CIDR bits from 1 to 32, split into four rows. Each row holds eight bits and continues from the previous row’s total, like this

Leave a gap of two rows between consecutive CIDR bits rows, as shown in the figure above.

NOTE: While going through this section some things might look scattered and might not make much sense, but it will all make sense in the question walk-through section.

Also remember that what we’re creating is a cheat sheet. Just try to learn how to create it so that you can solve questions, and focus less on trying to make sense of the table.

The second pattern: Hosts bits

Now we’ll write down the total hosts possible in a network for each given CIDR ( subnet mask ).

This time we’ll go from bottom to top. The hosts number is placed right below its CIDR bits, like this

Here we started from the bottom right with 1, then kept doubling as we moved left and then up the table.

Simply use the formula =previous*2 in the current cell to calculate the hosts number in the table, like this:

The third pattern: Subnet mask octet in focus

Here we’ll add a pattern that is common to an entire row pair of CIDR bits and hosts. Look at the table to understand better

So for each CIDR and corresponding hosts number, we have a subnet mask.

The x in the subnet mask represents the position that will change based on the CIDR bits taken.

For example,

  • For the third CIDR and hosts pair, we have 255.255.x.0 as the common subnet mask. There x is unknown, and it will be decided based on the given network with its specific CIDR.

  • So let’s keep one network in memory, 192.168.0.0/20. Once the table’s complete we’ll find out the exact subnet mask value for this network.

The fourth pattern

In this, we’ll first write down the hosts ( 1 to 128, from the last row in the table we’ve created so far ), like

Corresponding to that we’ll write the subnet ( CIDR ) bits value ( each bit switched on in the octet corresponds to some value, which I assume is known to readers ). Starting from 128, we’ll diagonally add the subnet ( CIDR ) bit value to the number of hosts, like this:

Next to it will be,

and if we keep doing that we’ll end up with this

So our final cheat sheet table is


I’ll show you how to refer to this and solve any subnetting question.

So keep this in your head’s buffer.


Obtaining Subnet mask ( from CIDR bits )

Example Discussion ( from the third pattern )

Go back to the third pattern. There we were going to find the exact subnet mask value for the network 192.168.0.0/20.

As the table’s complete, we can refer to it and easily do that now.

It’s so simple that you might have been able to guess it on your own, and if you haven’t, here’s the discussion.

Find the CIDR bits ( subnet bits ) equal to 20; we’re doing so because we have a /20 network.

We see that the CIDR bits /20 appear in the 255.255.x.0 section of the table. So two octets of the subnet mask are already fixed, leaving only the x.

Now to find x, we just refer to the subnet bits value from the cheat sheet, like this

and that’s it, we now have the subnet mask value of the network, which is 255.255.240.0 ( which is equal to /20 in CIDR notation ).
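The table built in the previous section and the /20 lookup above, reconstructed from the text as an added example (it is not the author's spreadsheet). The function names and the printed layout are assumptions of this example.

```python
# Added example: rebuilds the cheat sheet described in the article.
# Function names and the printed layout are choices made for this example.

PATTERNS = ["x.0.0.0", "255.x.0.0", "255.255.x.0", "255.255.255.x"]


def build_cheat_sheet():
    """First three patterns: four row pairs of CIDR bits and total hosts,
    each pair sharing one subnet mask pattern."""
    rows = []
    for octet, pattern in enumerate(PATTERNS):
        cidrs = list(range(octet * 8 + 1, octet * 8 + 9))
        # /32 (bottom right) holds 1 address; every step back doubles it.
        hosts = [2 ** (32 - cidr) for cidr in cidrs]
        rows.append({"mask": pattern, "cidr": cidrs, "hosts": hosts})
    return rows


def octet_values():
    """Fourth pattern: the last hosts row (128..1) and, for each column,
    the mask octet value built by adding those hosts cumulatively."""
    pairs, value = [], 0
    for hosts in (128, 64, 32, 16, 8, 4, 2, 1):
        value += hosts               # 128, 192, 224, 240, 248, 252, 254, 255
        pairs.append((hosts, value))
    return pairs


def mask_from_cidr(cidr):
    """Look the mask up the way the article does: find the row that holds
    the CIDR, then put that column's octet value in place of x."""
    for row in build_cheat_sheet():
        if cidr in row["cidr"]:
            column = row["cidr"].index(cidr)
            x = octet_values()[column][1]
            return row["mask"].replace("x", str(x))
    raise ValueError("CIDR must be between 1 and 32")


def hosts_from_cidr(cidr):
    """Total addresses under a CIDR, including network and broadcast."""
    for row in build_cheat_sheet():
        if cidr in row["cidr"]:
            return row["hosts"][row["cidr"].index(cidr)]
    raise ValueError("CIDR must be between 1 and 32")


def render():
    """Return the whole cheat sheet as printable text."""
    lines = []
    for row in build_cheat_sheet():
        lines.append(f"mask {row['mask']}")
        lines.append("  CIDR  " + " ".join(f"{'/' + str(c):>10}" for c in row["cidr"]))
        lines.append("  hosts " + " ".join(f"{h:>10}" for h in row["hosts"]))
    lines.append("  hosts " + " ".join(f"{h:>10}" for h, _ in octet_values()))
    lines.append("  x     " + " ".join(f"{v:>10}" for _, v in octet_values()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
    print(mask_from_cidr(20), hosts_from_cidr(27))
```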


Now let’s learn to use this cheat sheet

Learn to use this cheat sheet table properly

In this section of the article, we’ll refer to this cheat sheet table and solve questions to learn the proper way of cheating without really cheating ( seriously ).

Question 1: Small network (CIDR /24 to /32 range)


Generate 3 subnets from the network 192.168.10.0/27.
List the following for each of the subnets:

  • Sub-Network ( x.x.x.x/27 )

  • Subnet Mask

  • Number of Hosts

  • First IP

  • Last IP (Broadcast IP)

Method 1: Small Network Increment Method


  • This is my preferred method while working with smaller networks (higher CIDR value).

  • This method is effective only with small networks. With larger networks it can be calculation heavy, which may lead to errors, but I’m discussing it so you can understand the subnetting calculation better through this cheat sheet. Just trust me, and read through the article. It will pay off.

  • The method 2 ( discussed later ) is our main method. It works with any size of network ( with any CIDR range ).

First subnet

NOTE: in the table, “Network” is simply the sub-net and “network” is network address ( first address in the sub-net ). They are not the same.

Subnet mask

So we got the subnet mask: 255.255.255.224

Hosts per subnet

If we look at the hosts corresponding to the CIDR bits of 27, we see 32 hosts possible per sub-net

But the first IP ( network address ) and the last IP ( broadcast address ) are reserved in each sub-net ( or network ). The first IP is used for identifying the sub-network and the last is used for broadcasting messages to other hosts in the sub-network.

So the formula for the total number of possible hosts in any network is

Total usable hosts number ( IP addresses ) = CIDR corresponding hosts - 2

That gives us a total of 30 hosts ( 30 usable IP addresses in the sub-net ).

Network address ( network )

It should be pretty easy, as it’s the first address in the sub-network.

So our Network ( network address ) is 192.168.10.0, cool!

Broadcast address ( broadcast )

This too should be easy for us.

We know that the last address is the broadcast, and we also know that the total hosts in the sub-net is 30 + 1 network address + 1 broadcast address, which equals 32 ( as pointed out in the cheat sheet ).

So we simply add the total number of hosts including the two reserved host IPs ( 32 ) to the network address, starting the count to 32 from the network address itself.

So in this sub-net

  • The 1st address (host) is 192.168.10.0

  • The 2nd address (host) is 192.168.10.1

  • The 10th address (host) is 192.168.10.9

  • And the 32nd address is 192.168.10.31 ( because we started the host number count to add from IP ending with zero aka., the network address )

So the last IP which is 192.168.10.31 is the broadcast address.

The break down above was done to make readers understand this counting and addition better. You won’t need to do this yourself as you practice a few questions.

So the first subnet we got is

We have to derive 2 more sub-nets from this.

Second Subnet

First of all, we need to figure out what’s the next network ( subnet ).

This is actually easy. We just need to refer to the previous sub-net’s broadcast address, which is 192.168.10.31. Whatever IP comes after that is our new sub-net address, which is 192.168.10.32/27

Of course, the /27 stays the same in each sub-net we derive from the original starting network

Subnet mask and hosts

Well, because the CIDR stays same, /27, the subnet mask value stays the same too.

The same goes for hosts in the network: the CIDR bits didn’t change, hence the corresponding hosts value stays the same too.

So we have 255.255.255.224 subnet mask and 30 hosts. This will be the same for the next sub-net we derive in this question.

So we’re now just left with network address and broadcast address IP identification.

Network address

It’s pretty simple, as mentioned the first address is the network address and here the first address would be 192.168.10.32 ( take it directly from the Network 192.168.10.32/27 )

Broadcast address

We’ll do the same thing yet again, which is adding 32 hosts, including the network address ( 192.168.10.32 ), to find the last address in the given subnet ( which is the broadcast ).

So 192.168.10.32 ( the network address ) + 31 ( not 32, because we’re counting the network address separately ) = broadcast address

broadcast address => 192.168.10.32+31 = 192.168.10.63

So our next subnet has the following in it

Third Subnet

Now I’m not gonna discuss this but list everything, you should be able to make sense of it easily now

  • Network - 192.168.10.64/27

  • subnet mask - 255.255.255.224

  • hosts ( excluding network addr and broadcast addr ) - 30

  • network address ( network ) - 192.168.10.64

    • first address in the sub-network
  • broadcast address - 192.168.10.(64+31) = 192.168.10.95

    • To find out the last address ( broadcast address ), add 31 to the network address ( 64 + 31 )

So our final three subnets derived from the given network 192.168.10.0/27 are:

| Network | subnet mask | hosts | network address | broadcast |
| --- | --- | --- | --- | --- |
| 192.168.10.0/27 | 255.255.255.224 | 30 | 192.168.10.0 | 192.168.10.31 |
| 192.168.10.32/27 | 255.255.255.224 | 30 | 192.168.10.32 | 192.168.10.63 |
| 192.168.10.64/27 | 255.255.255.224 | 30 | 192.168.10.64 | 192.168.10.95 |

This method is easier when working with small networks, but working with networks of any size requires a different, common method ( common because it works even with larger networks ).

Method 2: Subnet Block Span Method ( Main Method )


This method brings one small change, everything else stays the same as the 1st method.

This one change is just a simple formula that makes it easier for us to identify where the next sub-network starts.

While working with larger networks ( with higher number of hosts per sub-net ), this formula becomes very effective.

You’ll see, in the second question ( /12 CIDR, higher number of hosts, larger network question ), we’ll use this method only.

Let’s continue with the same network from the last subnet we identified from 1st method.

The network is 192.168.10.96/27. We have to identify the next three subnets and for each we need to state

  • subnet itself ( Network )

  • subnet mask

  • hosts

  • network address

  • broadcast address

We’re using the same methods for identifying subnet mask, hosts number, and network address.

And then we’re going to use a formula to identify the next subnet based on which we can also identify broadcast address.

So first, our table looks like this

The formula

Let’s look at the CIDR and subnet mask. They are /27 and 255.255.255.224 respectively.

Looking at /27, we know that the first 3 octets ( 255.255.255 ) are fixed, and our working/focus octet is the fourth one, 224.

Using the formula:

Total numbers of IP/hosts ( including the network addr/id and the broadcast addr ) in an octet - the subnet mask octet in focus ( 4th octet value ) = Subnet Block Span Size

256 ( starting from 0 to 255 = 256 ) - 224 ( 4th octet, octet in focus ) = Subnet’s Block Span Size

So that gives us;

32 = Subnet’s Block Span Size

Now let me explain this.

Subnet Block Span Size helps you identify where each new subnet starts in the relevant octet and where it ends in the given octets. Doesn’t make sense, right?

That’s okay. For now refer to Subnet Block Span Size as Subnet Block Size. The name Subnet Block Span Size will make sense when you work with bigger networks. I’ll be going there in the next section, solving a question on a bigger network with CIDR /12.

For now just consider it as Subnet Block Size, which is defined below.

Subnet’s block size is the size of each sub-network we’ll be getting from a /27 CIDR. That means each sub-network will be able to accommodate a total of 32 hosts including the network id/addr and broadcast addr, leaving us with 30 usable IPs.

So now we increase the value of the base address ( network address ) by 32, starting the count from the network address as 1.

That leaves us with these as the broadcast address of each of our sub-networks:

  • 192.168.10.95+32 = 192.168.10.127

  • 192.168.10.127+32 = 192.168.10.159

  • 192.168.10.159+32 = 192.168.10.191

  • 192.168.10.191+32 = 192.168.10.223

  • 192.168.10.223+32 = 192.168.10.255 ( the last IP possible in the last sub-network )

Optional: Complete this table and try to make as many subnets as you can in it. You already have the broadcast IPs, but don’t look at the answer here. Try to do it on your own. Maybe take on another question, but come back soon. The next content in this article is important.

💡
Revision and reflection point - do a quick re-run if you feel necessary

Method 2 on larger network ( lower CIDR value )

Let’s just assume a network x.x.x.x/12.

So CIDR /12 gives us 255.240.0.0 subnet mask. Great!

Now we know 1st octet is fixed, but here the 2nd octet is in focus.

Okay so now we do the same thing

256 - 240 = subnet block size ( Subnet Block Span Size)

16 = Subnet block size ( Subnet Block Span Size)

So each network we’ve got has a size of 16 hosts, with 14 usable IPs.

Hope you’ve got that much. Now we’ll solve a question using this method together with the cheat sheet table, for a larger network with the same CIDR /12, which has a way higher number of hosts in it.

Let’s go..


This was easier as the network was small. It gets a bit more messy when the network’s size increases. That’s why we’ll look at one more example question which would be for larger networks.

Hope you’ve understood how to use the table.

Don’t worry if you feel a bit overwhelmed, it’s actually pretty easy. You just have to solve a few questions, then you’ll be feeling pretty comfortable by the end.

I’ll also give you a routine to follow so you can practice a few questions in a very specific way, embedding the cheat sheet table in your head.

Question 2: larger network (CIDR /8 to /16 range)


Now brace yourselves. This one’s gonna be mildly more trippy than the last one. In fact that’s the point of bringing these larger networks into this article, but this article’s aim is to make it way easier for you. You have already been introduced to method 2, and that’s what we need.

I’m just gonna show you how to implement the second method for larger networks, and you’ll be good to go.

Don’t be scared, I’ve got you. Just read through, understand the lines and you’ll be good to go.

And by trippy, I mean mildly more subnetting maths and calculation, that’s it. So don’t get nervous because of that, yeah?

Given network is 10.0.0.0/12.

Derive 3 subnets from this network and for each subnet, provide:

  • Network ( x.x.x.x/12 )

  • Subnet Mask

  • Number of Hosts

  • First IP ( network addr )

  • Last IP ( broadcast addr )

Cheat Sheet Table ( for reference )

Method 2 Formula

256 - the subnet mask octet in focus = Subnet/Network Block Size

First Subnet

We’ll use the cheat sheet and quickly identify the subnet mask, hosts number, and the network address.

Subnet mask

It should be easy and obvious by now to identify this, but I’m still gonna repeat how to refer to the cheat sheet through the screenshot below.

First octet is fixed, we know that. x is in focus, that’s where we put the subnet value.

So our subnet mask is 255.240.0.0.

hosts

This too should be easy.

So we have a total of 1048576 hosts. Usable hosts would be 2 less ( network address and the broadcast address, the first and last IP ), 1048574.

network address

The first IP of course which is 10.0.0.0

Broadcast address

Now we’re left with broadcast address identification.

But wait, we already know total number of hosts per sub-network, 1048576, don’t we?

Yep we do, but do we have the block size, and can you identify the broadcast address? No you can’t, and if you could then it would take a lot of time and calculation.

You actually have the block size ( total number of hosts per network ), but laying it out in the 4-octet IP format is what turns challenging here. So let’s make it easy..

The formula is still the same, but we get to have a different perspective on it while working with larger networks. Let’s look through that perspective..

The perspective is the working/focus octet in the subnet mask mapped onto the network’s IP. This is very important, just keep that in mind.

Let me explain.

256 - the subnet mask octet in focus = Subnet/Network Block Span Size

So this is our formula.

/12 = 255.240.0.0

And the value that we need to subtract from 256, “the subnet mask octet in focus” value, is 240.

So what we get is,

256 - 240 = Sub-network Block Span Size

16 = Sub-network Block Span Size

So where do we add this 16 value ?

💡
Remember we add the block size ( more correctly, block span size ), as explained in the smaller network section, to the base network ( including the first IP - network address )

Well, that’s where we discuss the Sub-net Block Span Size ( instead of referring to it as Subnet block size, which is mildly incorrect ).

I told you earlier that the perspective change for looking at this formula is the subnet mask’s octet in focus mapped onto the network IP. And that in fact is where we’ll put the 16.

So we have 255.240.0.0 subnet mask and network IP 10.0.0.0.

2nd octet is the focus octet in subnet, hence focus octet in network IP would be the 2nd octet as well.

So we’ll add the value 16 into the second octet of the network IP starting to count from network address ( as the network address is included in this 16 hosts, mentioned in the call-out above ), 10.15.0.0

So we have, 10.15.0.0.

Now 1st octet was fixed, second octet was in focus, which we’ve identified. Now we need the last IP - broadcast IP, and we know that each octet’s last value is 255, so we simply fill that in.

So we get 10.15.255.255. And that’s our last IP - Broadcast IP.


Here’s another perspective to look through, to see how the total hosts add up:

  • 10.0.0.0 to 10.0.0.255

    • 10.0.1.0 to 10.0.1.255

    • 10.0.2.0 to 10.0.2.255

    • …. 10.0.255.255, next is 10.1.0.0

  • 10.1.0.0 to 10.1.255.255

  • 10.2.0.0 to 10.2.255.255

  • …. 10.240.255.255 to 10.255.255.255

So, according to this, we can calculate the Total hosts for the sub-network we’ve extracted like this:

Total hosts for 10.0.0.0/12 = 16×256×256( 0 to 255 )

Total hosts for 10.0.0.0/12 = 4096×256

Total hosts for 10.0.0.0/12 = 1048576

Usable hosts/IP = 1048574

Hope that makes sense. Some things might start to feel repetitive, that’s intentional, so things get hammered in your head.


That gives us the next address in the network, 10.16.0.0/12

We know for this too, the subnet mask and hosts number would be the same.

Network address too would be the first IP itself, i.e., 10.16.0.0

So let’s calculate the second broadcast IP quickly,

  • 10.16.0.0 is the base IP

  • We need to add 16 starting from base IP in the octet that’s in focus ( 2nd octet )

  • So 10.15+16.0.0 = 10.31.0.0

  • To reach the last IP, fill the remaining octets to their highest value possible, 255.

  • That gives us the last IP - 10.31.255.255

That gives us our next sub-network

Now, you go have a try on the next one on your own. It’s easy, I know you can do this.

So that’s all of it.
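Method 2 as code, an added example that is not part of the original article. It goes beyond the two questions by also carrying into the octet on the left when the focus octet passes 255; the function name block_span_subnets and the dictionary keys are assumptions of this example.

```python
# Added example: the Subnet Block Span method (256 - mask octet in focus),
# done on octets the way the article does it by hand.

def _dotted(parts):
    return ".".join(str(p) for p in parts)


def block_span_subnets(network, cidr, count):
    """Return up to `count` consecutive /cidr subnets, starting with the
    one that contains `network`."""
    if not 1 <= cidr <= 30:
        # /31 and /32 are left out: the "total hosts - 2" rule used in
        # the article does not apply to them.
        raise ValueError("cidr must be between 1 and 30")
    octets = [int(o) for o in network.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")

    focus = (cidr - 1) // 8                   # 0-based octet in focus
    bits_on = cidr - focus * 8                # mask bits set in that octet
    mask_octet = 256 - 2 ** (8 - bits_on)     # /27 -> 224, /12 -> 240
    span = 256 - mask_octet                   # Subnet Block Span Size
    mask = [255] * focus + [mask_octet] + [0] * (3 - focus)

    # Snap to the start of the block that contains the given address.
    octets[focus] -= octets[focus] % span
    octets[focus + 1:] = [0] * (3 - focus)

    subnets = []
    for _ in range(count):
        # Last IP: span - 1 further in the focus octet, 255 to its right.
        last = octets[:focus] + [octets[focus] + span - 1] + [255] * (3 - focus)
        subnets.append({
            "network": f"{_dotted(octets)}/{cidr}",
            "mask": _dotted(mask),
            "usable_hosts": 2 ** (32 - cidr) - 2,
            "network_address": _dotted(octets),
            "broadcast": _dotted(last),
        })
        # Next block: add the span in the focus octet and carry leftwards
        # when an octet runs past 255.
        i = focus
        octets[i] += span
        while i > 0 and octets[i] > 255:
            octets[i] = 0
            octets[i - 1] += 1
            i -= 1
        if octets[0] > 255:
            break                             # ran out of IPv4 space
    return subnets


if __name__ == "__main__":
    for question in (("192.168.10.0", 27), ("10.0.0.0", 12)):
        for s in block_span_subnets(*question, 3):
            print(s["network"], s["mask"], s["usable_hosts"],
                  s["network_address"], s["broadcast"])
```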

That’s where Sub-netting content of the article stops. I’ve given all of what I had related to sub-netting here.


5 day Practice Plan

I want you to get the most out of this article that’s why I’m sharing a plan that worked for me.

It takes five days, and you’ll rock all sub-netting questions like it’s now your forte.

| Day | What to Do |
| --- | --- |
| 1 | Read article. Solve 3 fresh questions. |
| 2 | Solve 4-5 questions. Each should involve generating 3 subnets. |
| 4 | Solve 3 more. Create cheat sheet on your own. Refer article only if stuck. |
| 8 | Repeat. No article reference allowed. Refer your Day 4 cheat sheet if stuck. |
| 30 | Final practice. Fresh 3 question set. Create cheat sheet from scratch. No reference this time. |

If you fail on the 30th day, which is highly unlikely, but if it happens, don’t be bothered. Re-do it and make a custom plan that works for you.

This wouldn’t necessarily work for everyone, but it did for me.

You’ll get it for sure then.


So that would be all from my side.

If this guide helped you understand subnetting better or even made it finally click, then I'd love to hear from you.

A quick message or comment on LinkedIn would mean a lot.

Thanks for reading. Happy subnetting!

See You then..
