Understanding Variable Length Subnet Masks (VLSMs) Part 3

This article is the final installment in a series of tutorials about VLSM. It all begins here.

Recall that from this table, many IP address ranges are still available on our network – everything from through for North America. For that reason, we can again subnet the address range further to account for the smaller offices. For these smaller offices, we’ll use a /24 subnet mask – this meets our requirement of supporting up to 150 hosts on each of the small LANs. In this case, we can support 254 (28) hosts on each. This table outlines the 13 subnets for the small offices, along with a few defined for additional growth.

Notice that even after dividing up the address space for our small offices, we still have additional address space left over – in this cases, everything from up to is still unassigned. This space could be used to assign additional large or small subnets in North America, as need dictates. However, we still have one last requirement – WAN links.

Remember that a point-to-point WAN link still counts as a subnet, even if it is limited to only 2 hosts. In order to account for our WAN links, let’s use the use the range, and subnet it further. In this way, we have left the entire address space between and for defining additional North America LANs if required.

Since we only require 2 addresses for each WAN link, we only need 2 host bits – 22-2 is 2, which meets our requirements. If we make all the remaining bits subnet IDs, we can support up to 26-2 or 62 WAN subnets within North America alone. This will easily meet our needs. Based on this scenario, our WAN links will use a subnet mask of This table outlines only the first 4 WAN links, since listing all 62 would serve little purpose.

Obviously VLSM gives us better control of the size of our subnets, allowing us to allocate addresses in our chosen space more efficiently. But what other benefits does this scenario bring? Well, one is certainly smaller routing tables. For example, all networks in North America can now be reached from any other geographic region via a single routing table entry – Once any data for North America is sent to this router, it then decides where the data needs to be forwarded next. If we weren’t using CIDR and VLSM in this example, each router’s routing table would need entries for every network in North America. By aggregating all the entries behind a single entry, routing performance will be greatly increased – especially on very large networks.

Understanding Variable Length Subnet Masks (VLSMs) Part 2

Let’s start off by breaking our network into 6 large subnets, since using the required 4 would only account for current regions, and would not allow for future growth. Doing this is not in any way different that what we’ve done in the past. To get 6 large subnets, we’ll need to steal 3 bits, since 23-2 gives us 6 subnets. In this case, our new mask becomes, or /19. Each of the new subnet IDs is listed in this table, including the location that it will be used for.

Since we’ve used a /19 subnet mask, each of these ranges supports up to 213-2 or 8190 hosts as things presently stand. However, we’re not done. Our next goal is to take one of the areas and further divide it into a number of smaller networks. For example, let’s say that North America includes 16 offices. Of these, 3 are large, and need to support up to 400 hosts. 13 are smaller, and need to support 150 hosts maximum. In the future, it is possible that more large and small offices will be added.

In order to deal with these requirements, we need to subnet the North America network further. The easiest way to deal with this is to consider to be just another network ID, and our starting point. To begin, we know that we need to immediately support 3 large offices, each with up to 400 hosts. For this example, I’m going to have us define one additional large office, in order to account for future growth. That gives us a requirement of 4 networks, and 400 hosts per network. Using the host portion, we would need 9 host bits in order to support our requirement, which would give us 29-2 or 510 hosts per subnet. In doing so, we are left with 4 bits to define subnets, as shown. Remember that our starting subnet mask is or /19 in this case.

Using the first 4 available ranges to define our four large LANs, we would allocate the subnet IDs as shown in this table.

Understanding Variable Length Subnet Masks (VLSMs) Part 1

At the most basic level, VLSM represents a hierarchical network addressing scheme. Think of it as subnetting multiple times within the same address range. For example, we can take the network and subnet it into a number of large subnets. In our case, these will be used to define large geographic regions. Next, we look at those regions (or large subnets) individually, subnetting them further. This allows us to break up a region for the purpose of defining custom subnets that meet our size requirements. This additional subnetting can continue until you run out of subnets within a given range. A properly designed hierarchical addressing scheme both makes better use of the address space, and also provides for more optimized routing tables, as we’ll see shortly. This figure outlines the basic idea behind a hierarchical addressing arrangement. Note that I have only shown the breakdown of a single large subnet rather than both large subnets, in order to keep things clear.

Using VLSM addressing on a network is slightly more involved that using the same subnet mask throughout. You again need to properly characterize your network, defining how many WAN links, subnets, and hosts per subnet you are dealing with. The easiest way for us to begin is with a single network address. In this case we’ll use the private address I’m going to assume that our company has four main geographic regions, and that each region includes many smaller offices.

Introduction to Subnetting with VLSMs

One thing that you may have noticed during our look at subnetting was that each and every subnet defined was exactly the same size, based on a single subnet mask value. While this is simple, it is again very wasteful. In most organizations, LANs are not all the same size. While some subnets may have hundreds of hosts, others may have a very small number, perhaps 10 or 20. More obvious still is a WAN link connecting two locations, which only requires 2 addresses. In cases where you have subnetted a Class B network using a /20 mask, that leaves you with a fixed 4094 hosts per subnet. On a WAN link, that alone would mean wasting 4092 addresses!

While you may have plenty of subnets and address space for your smaller network, on very large networks proper address management can be crucial. Using Variable Length Subnet Masks (VLSM), this problem can be solved. VLSM allows you to use different subnet mask values throughout a network, in order to better account for how many hosts you have on each subnet. Like all classless addressing, VLSM relies on the associated subnet mask (prefix) information to be explicitly provided in order to determine the network portion of an address. While VLSM provides some very useful addressing capabilities, it also requires some careful planning.

Classless Inter-Domain Routing (CIDR) aka Supernetting

Recall that classful addresses are decidedly wasteful in the way they allocate addresses –even an entire Class B address range is too large for most companies. To make matters worse, a Class C block is so small that many companies would require many Class C ranges as a viable alternative. On the public Internet, routing tables were becoming extremely large, which in turn was affecting routing performance. A new solution was required to deal with the public address space more efficiently, and came about via a method referred to as Classless Inter-Domain Routing (CIDR).

CIDR is sometimes referred to as supernetting. While subnetting involves taking an address space and breaking it up into a number of smaller networks, supernetting is first and foremost a network aggregation scheme. For example, by supernetting four network addresses together, you can actually make them appear to be one network, as opposed to four. Again, this is all accomplished by playing with the subnet mask values.

CIDR has its own notation for dealing with subnet masks, and you may already be familiar with it. Instead of taking the time to say network with a subnet mask of, CIDR notation truncates the subnet mask to what is known as “slash” notation. In this example, the network would be identified as The “/16” value refers to the fact that the first 16 bits in the subnet mask are all set to values of binary 1.

Figure: Determining CIDR notation based on a subnet mask.

This really is a more efficient way of referring to a network. For example, if we had a network address of with a mask of, in CIDR notation it becomes Again, the /25 means that the first 25 bits of the subnet mask are set to binary 1.

But what is supernetting really? Well, imagine a routing table on a large Internet backbone router. This router needs to know how to get to all public networks. If a certain company has been given many different network IDs (for example, an ISP might have 8 Class B network IDs), a minimum of 8 routing table entries would be required, just to be sure that these 8 networks could be reached. As routing tables get larger and larger, routing performance is definitely impacted. Supernetting provides a way to “collapse” or “summarize” those 8 entries into a single entry, by altering the subnet mask value.

Tip: Supernetting allows contiguous network addresses to be summarized into a single routing table entry through the use of a custom subnet mask.
The first requirement to supernet addresses together is that network addresses must be contiguous. For example, you could supernet together networks and, but not networks and

Determining if Network Hosts are Local or Remote (ANDing)

We spent time determining the valid ranges of addresses on a given subnet for a reason. Recall from our earlier look at TCP/IP communication that when a host wishes to communicate with another host, it must first determine whether the destination is local (on the same subnet) or remote (on a different subnet). In cases where hosts are local, they can communicate directly. In cases where the destination host is on a different network, the packets must be sent to a router, who will then forward them along on their journey to the destination network.

In order to determine whether a destination host is local or remote, a computer will perform a simple mathematical computation referred to as an AND operation. While the sending host does this operation internally, understanding what takes place is the key to understanding how an IP-based system knows whether to send packets directly to a host or to a router.

An AND operation is very simple – two binary digits are compared, and the based on their combination, a resultant value is formed. It is neither adding nor subtracting, so do not consider it as such. In the most simple terms, there are only three possibilities when ANDing two binary digits. The list below outlines these operations and their results.

0 AND 0 = 0

0 AND 1 = 0

1 AND 1 = 1

Notice that when the binary digits 1 and 1 are ANDed, the result is 1, and that any other combination produces a result of 0.

The question now becomes how this is actually used. When a host wishes to figure out whether a destination host is local or remote, it goes through the following steps.

  1. The host takes its own IP address and ANDs it with its own subnet mask, producing a result.
  2. The host then takes the destination IP address and ANDs it with its own subnet mask, producing another result.
  3. Finally, the host compares the two results. In cases where the ANDing results are identical, it means that the hosts reside on the same subnet. In cases where the results are different, it means that the destination host is remote.

Consider this example. Computer A has an IP address of with a subnet mask of It wishes to communicate with host In order to determine whether this destination is local or remote, it will go through the ANDing process. Its IP address and subnet mask are lined up in binary, and then vertically compared to find the AND result. The same is then done for the destination address, again using the subnet mask of the source host. This is illustrated in the figure below.

Figure: The ANDing process.

Notice that when the resulting AND values are converted back to binary, it becomes clear that the two hosts are on different networks. Computer A is on subnet, while the destination host is on subnet, which means that Computer A will next be sending the data to a router. Without ANDing, determining local and remote hosts can be difficult. Once you’re very familiar with subnetting and calculating ranges of addresses, recognizing local and remote hosts will become much more intuitive.
Whenever you’re in doubt as to whether hosts are local or remote, use the ANDing process. You should also notice that the ANDing process always produces the subnet ID of a given host.

The Super-Handy Subnetting Shortcut Table

If you’ve been watching closely, you may have noticed the very clear pattern that develops when attempting to determine address ranges. Now that we have the long method out of the way, we can take a look at a quick shortcut. With any given subnet mask value, there is always an associated multiple at which new subnets will start. For example, if you are using the network ID, and a subnet mask of, subnetting is clearly taking place in the third octet. When a custom value of 252 is used in a mask, new address ranges always move in multiples of 4 in the third octet. For example, the first three ranges of addresses in this example would be:

  • –
  • –
  • –

Of course, we could calculate these the old fashioned way, breaking everything down to binary and then working from there. However, the pattern that exists can easily be put into a table to help you recall mask values and address range multiples quickly and easily, as illustrated in this subnetting shortcut table:

Bit 1 1 1 1 1 1 1 1
Mask 128 192 224 240 248 252 254 255
Range Multiples 128 64 32 16 8 4 2 1

So what does this table tell you? Well, imagine that you were given the network ID with a subnet mask of If you used the table above, you could quickly determine the multiples at which new address ranges start. Simply look for the value associated with the custom mask in the Mask row – in this case 224. Now look in the Range Multiples row directly below 224, and you’ll notice the number 32. When a custom subnet mask of 224 is used, new ranges always start at multiples of 32 in the second octet. So, in our example, the first three ranges of addresses would be:

  • –
  • –
  • –

While the table above works perfectly for Class A and B address ranges, it does present a small issue for Class C address subnetting. Recall that Class C addresses use only the last octet for subnetting. The table can still be used for these addresses, but with one small adjustment – you’ll need to add 1 to the beginning of every range and subtract one from the end to account for the network ID and broadcast address.

For example, imagine the address with a subnet mask of In this case, according to our table, the ranges should begin at multiples of 16. This is still true, and the first three subnet IDs would be:


However, calculating the ranges means remembering that simple rule I just outlined. Add one to find the beginning of the range, and subtract one from what you might normally consider the end of the range. For example, the first range would go from up to This is because the “normal” end of the range ( is actually the broadcast address for that subnet, where the host ID is set to all binary 1s. Altogether, the first three ranges in this example would be:

  • –
  • –
  • –

All thing considered, the shortcut table provides a simple and effective way of recalling the address range starting points associated with a given custom subnet mask. It should be helpful as a quick reminder if jotted down before you write your exams. Just remember that when in doubt, always go back to the binary method.

Subnetting Challenge

To make things interesting, let’s go through what I consider to be a tough subnetting question. To be honest, if you can follow this question and understand what you’re doing, there isn’t a subnetting question I can ask that you can’t answer. We’re going to go through it step-by-step, just to be sure that you’re clear on determining the correct subnet mask, and the ranges of hosts on the first, second, and last subnets.

In this scenario, we’re going to assume a network ID of You should already be familiar with its default mask. Our requirement is to have at least 4000 subnets. Our goal is to determine both the custom subnet mask, as well as the first, second, and last ranges of host IDs.

Let’s start with the custom subnet mask. Since we need 4000 subnets minimum, we need to determine how many bits are required. It should already be obvious that we’ll need to move beyond a single octet, since 8 bits will only provide a maximum of 256 subnets. If we try 10 bits, we come up with a value of 210-2 or 1022 subnets, obviously not enough. 11 bits provides 2046 subnets and 12 bits 4094 (212-2). Obviously 12 bits meets out requirement, so that’s what we’ll use.

Recall that the default subnet mask for the private network address is If we add an additional 12 bits, the mask becomes, as shown in the figure below.

Figure: Network, subnet, and host portions based on the custom subnet mask

Now that we know our custom mask, let’s determine how many hosts we can support per subnet. From the diagram above, we have 12 host bits remaining, giving us a maximum of 212-2, or 4094 hosts per subnet.

Our next goal is determining the first valid range of IP addresses. Don’t get thrown off by the fact that the subnet portion of the address spans one and a half octets. If we simply follow the same rules as before, we’ll be fine. In this case, set all 12 subnet bits the lowest non-zero value, and determine the first and last valid host addresses, as shown in the figure below.

Figure: Defining the IP address range for the first subnet.

Notice that the first valid range of IP addresses on subnet goes from up to The second subnet will start when we set the 12 bits of the subnet ID to 00000000 0010.

Figure: Defining the IP address range for the second subnet.

The second valid range of addresses becomes to The broadcast ID for this subnet is

The subnet IDs will continue to increase until the last range is reached – remember that this occurs when the subnet ID is set to the highest value that is not all binary 1 values – in this case, 11111111 1110.

Figure: Defining the IP address range for the last subnet.

As such, our last valid subnet is subnet ID, with an address range from up to Remember that in between the three subnets that we’ve looked at, another 4091 subnets exist.

Defining Valid IP Address Ranges for Subnets

Once you’ve managed to define a custom subnet mask that meets your requirements, the next step is calculating the ranges of IP addresses that are valid for a given subnet. Remember that after a custom subnet mask is defined, you have actually turned one big network address space into a number of smaller sub-network address spaces. Because of this, certain addresses will no longer be considered local to one another.

Calculating ranges of addresses isn’t difficult, but we’ll again need to go back to binary to understand how this is accomplished.

Consider the example of network with a custom subnet mask of Remember that this is one of the private address ranges outlined in RFC 1918, and the default mask is in this case. To begin, we’ll need to convert the subnet mask to binary, and define the network, subnet, and host portions, as shown in the figure below.

Figure: Network, subnet and host portions based on the custom subnet mask

Notice that the first 16 bits represent the network, the next 5 define subnets, and the last 11 are used to uniquely identify hosts on a subnet.

Since 5 bits are used to define the subnet portion of the address, this gives us 25-2 or 30 possible subnets. Each subnet can support 211-2, or 1022 unique hosts. Calculating the range of available addresses for each subnet involves beginning with the first subnet that is not all binary 0s, and then looking at the additional subnets. In this case, the first subnet is defined as the one where all but the last bit is set to binary 0. The first host on the 00001 subnet will be the lowest host value that is not all 0s, since the all 0s address identifies the subnet. The highest address in a range will be the highest host value that is not all 1s, since that value is reserved for broadcasts. I know this can be a little confusing, so take a look at the example in the figure below.

Figure: Defining the IP address range for the first subnet.

If you take the addresses in the figure above and convert them back to decimal, you’ll see that the range of IP addresses available on the first subnet are those from up to

Calculating the next range of addresses requires that we change the subnet ID to its next lowest value. In this case, it would be 00010. To make things easier, consider this to be an isolated 5-bit binary number. The first subnet is 1; the next is 2, then 3, then 4, and so forth. In this way, the first five subnet IDs in our example would be those listed in the table below.

Subnet ID Decimal Value 00001 1 00010 2 00011 3 00100 4 00101 5

Notice that each subnet simply increases by a value of 1 when we consider it as an isolated 5-bit number. This would continue all the way up to 11110, at which point we run out of subnets. Remember that according to Cisco, the subnet IDs of all binary 0s and all binary 1s should be avoided.

Our example continues by calculating the ranges for the second and third subnets. Notice in the figure below that the subnet ID has changed for each, but that we still always include the lowest and highest possible host values – the beginning and end of each range.

Figure: Defining the IP address ranges for the second and third subnets.

The table below outlines the first three address ranges, along with the subnet ID (when the host bits are all set to binary 0) and the broadcast address for that subnet (where the host ID is set to all binary 1).

Subnet ID Address Range Broadcast Address – – –

If you look closely, you should notice a pattern developing – each new subnet (in this example) starts at a multiple of 8 in the third octet, and each ends just before the next multiple of 8. In this case, the fourth subnet would begin at the next multiple of 8, and go up to just before the next multiple of 8 in the third octet. Since the next multiple of 8 is 40 (and represents the beginning of the next subnet), it must end at 39, or

The pattern with multiples of 8 only occurs with a 248 custom mask value. With different masks, different multiples will become clear.

Let’s try another example. We’ll use the address with a subnet mask of With this example, there are 8 bits used for subnetting, leaving 16 bits for hosts. The figure below outlines the first three ranges of addresses in this example, beginning with the first subnet – 00000001 in the second octet.

Figure: First three address ranges for the address using the custom mask

In this case, the ranges move in multiples of 1 in the second octet – the first subnet is 1, the second is 2, the third is 3, and so forth. It would be safe to say that the fourth subnet will be the range between – Once you’ve found the multiple, determining the ranges is much easier. The first three subnet IDs, address ranges, and the broadcast address on each subnet are shown in the table below.

Subnet ID Address Range Broadcast Address – – –

Some people find Class C address ranges a little trickier to deal with, but if you follow the rules, they are no more difficult that any other range. For example, let’s say that we have the network address with a subnet mask of We know that subnetting occurs in the fourth octet in this example, and that we have 4 subnet bits and 4 host bits. The first subnet will again be lowest non-zero value, or 0001. The first host in each range will be the first non-zero value, and the last host the highest value that is not all binary 1s. The figure below outlines the first 3 ranges in this case.

Figure: First three address ranges for the address using the custom mask

Notice that the values in the ranges look a little different when converted to decimal, as illustrated in the figure above. This is because the subnet IDs end in non-zero values.

Subnet ID Address Range Broadcast Address – – –

If you’re confused by this example, it’s probably because of the oddities that seem to occur in the ranges. For example, why is not a valid IP address when a subnet mask of is used? Look again at what happens when you convert this address to binary – the host portion is all binary 0s, which we already know is not allowed! The key to understanding address ranges is always the same – when in doubt, break everything down into binary. Looking at addresses in decimal only will often make things much more confusing than they need to be.

Defining Custom Subnet Masks

In this section we’re going to look at the process for custom subnetting Class A, B, and C network addresses. The good news is that the process is all just mechanics – if you follow the steps, you will always be able to define a custom subnet mask that meets your requirements.

When defining a custom mask, we always start with the default mask for the class of address that we’re working with. For a Class A address, the default mask is Recall that when the default subnet mask is used, it means that no subnetting is currently taking place.

In order to define sub-networks, we’ll need to play around with the value of the subnet mask. The extent to which the mask is changed will impact both how many subnets we can have, and how many host addresses will be available on each subnet. Creating a custom mask is accomplished by what I refer to as “stealing bits”. We’re literally going to create another division within the address space in order to identify our subnets.
Consider the basic example in the figure below. In it, the subnet mask clearly defines the boundary between the network and host portion of the IP address shown.

Figure: Subnet mask defining the division between the network and host portions of an IP address.

In order to define subnets, we’ll need to extend the subnet mask. Notice that currently, the boundary between the network and the host portion of an address is defined by where the binary 1s stop – again, you really need to look at this in binary, or it really won’t make sense. To create our custom mask, we’re actually going to start replacing some of the subnet mask 0s with 1s, beginning on the left and moving to the right. In this way, we are “stealing” bits from the host portion of the address space, in what is referred to as “high order”.