```mermaid
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph LR
subgraph Example["192.168.10.45 / 24"]
Network["Network Portion<br/>192.168.10<br/>24 bits = 1s"]
Host["Host Portion<br/>45<br/>8 bits = 0s"]
end
subgraph Mask["Subnet Mask: 255.255.255.0"]
M1["255<br/>11111111"]
M2["255<br/>11111111"]
M3["255<br/>11111111"]
M4["0<br/>00000000"]
end
Network -.->|"Identifies<br/>subnet"| M1
Host -.->|"Identifies<br/>device"| M4
style Network fill:#2C3E50,stroke:#16A085,stroke-width:2px,color:#fff
style Host fill:#E67E22,stroke:#2C3E50,stroke-width:2px,color:#fff
style M1 fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style M2 fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style M3 fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style M4 fill:#E67E22,stroke:#2C3E50,stroke-width:2px,color:#fff
```
611 Subnetting and CIDR for IoT Networks
611.1 Learning Objectives
By the end of this chapter, you will be able to:
- Interpret subnet masks: Convert between dotted-decimal and CIDR notation
- Calculate network addresses: Use binary AND operations to determine network boundaries
- Apply CIDR notation: Calculate host counts from prefix lengths
- Design IoT subnets: Plan network segmentation for security and management
- Use VLSM: Allocate variable-sized subnets for efficient address utilization
Core concept: A subnet mask divides an IP address into network portion (identifies the segment) and host portion (identifies devices within that segment).
Why it matters: Subnetting enables security isolation, broadcast control, and logical organization of thousands of IoT devices.
Key takeaway: Plan /24 subnets (254 hosts) per floor, building, or sensor type - always include 30% growth buffer.
611.2 Prerequisites
Before diving into this chapter, you should be familiar with:
- IPv4 Addressing Fundamentals: Understanding of 32-bit address structure and binary representation
- Networking Basics: Foundation in networking concepts
Subnetting is dividing a large network into smaller segments. Think of it like organizing a company: instead of one huge department with 10,000 employees, you create smaller teams (engineering, sales, HR).
Each subnet gets a range of IP addresses. For example, 192.168.1.0/24 gives you 254 usable addresses (192.168.1.1 through 192.168.1.254), perfect for a small office or building floor.
Why subnet?
- Security: Isolate cameras from HVAC from sensors
- Performance: Reduce broadcast traffic in each segment
- Management: “All cameras are in 192.168.10.x” simplifies troubleshooting
| Term | Simple Explanation |
|---|---|
| Subnet Mask | Defines which part of IP is network vs device (255.255.255.0) |
| CIDR Notation | Slash notation for subnet size (/24 = 255.255.255.0) |
| Network Address | First address in subnet, identifies the segment |
| Broadcast Address | Last address in subnet, reaches all hosts |
611.3 Understanding Subnet Masks
A subnet mask determines which portion of an IP address represents the network and which represents the host. The mask is a 32-bit number where consecutive 1s represent the network portion, and 0s represent the host portion.
{fig-alt="Subnet mask diagram showing how 192.168.10.45/24 is divided into network portion (192.168.10, 24 bits of 1s) and host portion (45, 8 bits of 0s), with corresponding subnet mask 255.255.255.0"}
This variant shows subnet selection based on actual IoT deployment needs:
```mermaid
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#E67E22', 'secondaryColor': '#16A085'}}}%%
graph TB
subgraph SMALL["Small IoT (Home)"]
S1["/28 = 14 hosts<br/>Smart home devices"]
S2["/27 = 30 hosts<br/>Home + garage"]
S3["/26 = 62 hosts<br/>Large home"]
end
subgraph MEDIUM["Medium IoT (Building)"]
M1["/24 = 254 hosts<br/>Single floor"]
M2["/23 = 510 hosts<br/>Small building"]
M3["/22 = 1022 hosts<br/>Office building"]
end
subgraph LARGE["Large IoT (Campus/City)"]
L1["/20 = 4,094 hosts<br/>Campus network"]
L2["/16 = 65,534 hosts<br/>Smart city zone"]
L3["/8 = 16.7M hosts<br/>Enterprise global"]
end
style S1 fill:#16A085,stroke:#2C3E50,color:#fff
style S2 fill:#16A085,stroke:#2C3E50,color:#fff
style S3 fill:#16A085,stroke:#2C3E50,color:#fff
style M1 fill:#E67E22,stroke:#2C3E50,color:#fff
style M2 fill:#E67E22,stroke:#2C3E50,color:#fff
style M3 fill:#E67E22,stroke:#2C3E50,color:#fff
style L1 fill:#2C3E50,stroke:#16A085,color:#fff
style L2 fill:#2C3E50,stroke:#16A085,color:#fff
style L3 fill:#2C3E50,stroke:#16A085,color:#fff
```
Planning tip: Always allocate 50% more addresses than current needs to accommodate growth. A home with 20 sensors should use /26 (62 hosts), not /27 (30 hosts).
This variant shows how the binary mask pattern determines network/host division:
```mermaid
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#E67E22', 'secondaryColor': '#16A085'}}}%%
graph LR
subgraph MASK24["/24 Mask (255.255.255.0)"]
M24["11111111.11111111.11111111|00000000<br/>Network (24 bits) | Host (8 bits)"]
end
subgraph MASK26["/26 Mask (255.255.255.192)"]
M26["11111111.11111111.11111111.11|000000<br/>Network (26 bits) | Host (6 bits)"]
end
subgraph MASK28["/28 Mask (255.255.255.240)"]
M28["11111111.11111111.11111111.1111|0000<br/>Network (28 bits) | Host (4 bits)"]
end
MASK24 -->|"Borrow 2 bits"| MASK26
MASK26 -->|"Borrow 2 bits"| MASK28
R24["254 hosts"]
R26["62 hosts"]
R28["14 hosts"]
M24 --> R24
M26 --> R26
M28 --> R28
style M24 fill:#16A085,stroke:#2C3E50,color:#fff
style M26 fill:#E67E22,stroke:#2C3E50,color:#fff
style M28 fill:#2C3E50,stroke:#16A085,color:#fff
style R24 fill:#16A085,stroke:#2C3E50,color:#fff
style R26 fill:#E67E22,stroke:#2C3E50,color:#fff
style R28 fill:#2C3E50,stroke:#16A085,color:#fff
```
Each borrowed bit doubles the number of subnets but halves the hosts per subnet.
Common Subnet Masks:
| CIDR | Subnet Mask | Binary | Network Bits | Host Bits | Total Hosts | Usable Hosts |
|---|---|---|---|---|---|---|
| /8 | 255.0.0.0 | 11111111.00000000… | 8 | 24 | 16,777,216 | 16,777,214 |
| /16 | 255.255.0.0 | 11111111.11111111.0… | 16 | 16 | 65,536 | 65,534 |
| /24 | 255.255.255.0 | 11111111.11111111.11111111.0 | 24 | 8 | 256 | 254 |
| /25 | 255.255.255.128 | …11111111.10000000 | 25 | 7 | 128 | 126 |
| /26 | 255.255.255.192 | …11111111.11000000 | 26 | 6 | 64 | 62 |
| /27 | 255.255.255.224 | …11111111.11100000 | 27 | 5 | 32 | 30 |
| /28 | 255.255.255.240 | …11111111.11110000 | 28 | 4 | 16 | 14 |
| /29 | 255.255.255.248 | …11111111.11111000 | 29 | 3 | 8 | 6 |
| /30 | 255.255.255.252 | …11111111.11111100 | 30 | 2 | 4 | 2 |
Two addresses in each subnet are reserved:
- Network address (all host bits = 0): Identifies the subnet itself (e.g., 192.168.1.0)
- Broadcast address (all host bits = 1): Sends to all hosts on the subnet (e.g., 192.168.1.255 for /24)
A /24 subnet has 256 total addresses, but only 254 are assignable to devices.
611.4 Calculating Network and Broadcast Addresses
Example: 192.168.10.45/26
Step 1: Convert subnet mask to binary
- /26 = 255.255.255.192 = 11111111.11111111.11111111.11000000
Step 2: Calculate network address (AND operation)

```text
IP:    192 . 168 . 10 . 00101101 (45)
Mask:  255 . 255 . 255 . 11000000 (192)
       ---   ---   ---   --------
Net:   192 . 168 . 10 . 00000000 (0)
```
Network Address: 192.168.10.0
Step 3: Calculate broadcast address (set all host bits to 1)

```text
Network:   192.168.10.00000000
Broadcast: 192.168.10.00111111 = 192.168.10.63
```
Step 4: Determine usable range
- First usable host: 192.168.10.1
- Last usable host: 192.168.10.62
- Total usable hosts: 62
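The four steps above, carried out for any IPv4 address and prefix, as an added example (not code from the chapter): the mask is built from the prefix, the network address is the bitwise AND, the broadcast address sets every host bit, and the result is cross-checked against Python's standard `ipaddress` module. It also covers /31 and /32, where the chapter's "minus two" rule does not apply.

```python
import ipaddress

def to_int(dotted: str) -> int:
    """Pack four dotted-decimal octets into one 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value: int) -> str:
    """Unpack a 32-bit integer into dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(value: int) -> str:
    """Dotted binary, e.g. 11111111.11111111.11111111.11000000 for a /26 mask."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def subnet_info(cidr: str) -> dict:
    """Mask, network, broadcast and usable range for 'a.b.c.d/p' (Steps 1 to 4)."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    ip = to_int(ip_str)
    # Step 1: the mask is 'prefix' leading 1s followed by (32 - prefix) 0s.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    # Step 2: AND keeps the network bits and clears every host bit.
    network = ip & mask
    # Step 3: OR with the inverted mask sets every host bit to 1.
    broadcast = network | (~mask & 0xFFFFFFFF)
    # Step 4: for /30 and shorter the first and last addresses are reserved
    # (network and broadcast); /31 and /32 reserve none (RFC 3021 point-to-point).
    total = 2 ** (32 - prefix)
    edge = 1 if prefix <= 30 else 0
    info = {
        "mask": to_dotted(mask), "mask_binary": to_binary(mask),
        "network": to_dotted(network), "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + edge),
        "last_host": to_dotted(broadcast - edge),
        "total": total, "usable": total - 2 * edge,
    }
    # Cross-check the hand-rolled arithmetic against the standard library.
    ref = ipaddress.ip_network(cidr, strict=False)
    assert str(ref.network_address) == info["network"]
    assert str(ref.broadcast_address) == info["broadcast"]
    return info

if __name__ == "__main__":
    for cidr in ("192.168.10.45/26", "10.0.0.9/30", "172.16.200.77/20"):
        print(cidr, subnet_info(cidr))
```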
611.5 CIDR Notation and Classless Addressing
CIDR (Classless Inter-Domain Routing) replaced the rigid class-based system with flexible prefix lengths, enabling efficient address allocation.
CIDR Format: network-address/prefix-length
- Example: 192.168.1.0/24
- /24 means “first 24 bits are network, remaining 8 bits are host”
```mermaid
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph TD
CIDR["CIDR Notation Examples"]
C24["192.168.1.0/24<br/>254 usable hosts<br/>Small network"]
C26["192.168.1.0/26<br/>62 usable hosts<br/>Small subnet"]
C22["10.0.0.0/22<br/>1,022 usable hosts<br/>Large subnet"]
C30["10.0.0.0/30<br/>2 usable hosts<br/>Point-to-point link"]
CIDR --> C24
CIDR --> C26
CIDR --> C22
CIDR --> C30
style CIDR fill:#2C3E50,stroke:#16A085,stroke-width:3px,color:#fff
style C24 fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style C26 fill:#E67E22,stroke:#2C3E50,stroke-width:2px,color:#fff
style C22 fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style C30 fill:#E67E22,stroke:#2C3E50,stroke-width:2px,color:#fff
```
{fig-alt="CIDR notation examples showing different prefix lengths: /24 (254 hosts, small), /26 (62 hosts, smaller), /22 (1022 hosts, large), and /30 (2 hosts, point-to-point)"}
611.5.1 CIDR Calculation Formula
Number of addresses = 2^(32 - prefix length)
Examples:
- /24: 2^(32-24) = 2^8 = 256 addresses
- /26: 2^(32-26) = 2^6 = 64 addresses
- /30: 2^(32-30) = 2^2 = 4 addresses (2 usable, for point-to-point links)
611.5.2 Quick Reference: Common IoT Subnet Sizes
| Prefix | Hosts | Usable | Typical IoT Use Case |
|---|---|---|---|
| /30 | 4 | 2 | Point-to-point links (gateway to gateway) |
| /29 | 8 | 6 | Very small sensor clusters |
| /28 | 16 | 14 | Small room automation (lighting, HVAC) |
| /27 | 32 | 30 | Single floor sensors and actuators |
| /26 | 64 | 62 | Medium building floor, lab environment |
| /25 | 128 | 126 | Large floor, small building |
| /24 | 256 | 254 | Typical building network, standard choice |
| /23 | 512 | 510 | Multi-building campus segment |
| /22 | 1024 | 1022 | Large campus, industrial facility |
| /20 | 4096 | 4094 | Smart city district |
611.6 Subnetting for IoT Networks
611.6.1 Why Subnet IoT Deployments?
1. Security Isolation
   - Separate IoT devices from corporate networks
   - Contain breaches (a compromised camera can’t access HR data)
   - Apply different firewall rules per device type
2. Broadcast Domain Management
   - IoT devices often use mDNS and DHCP broadcasts
   - Large broadcast domains degrade performance
   - Subnetting reduces broadcast traffic
3. Logical Organization
   - Group devices by function, floor, building, or security level
   - Simplifies troubleshooting (“all cameras are in 192.168.10.x”)
   - Enables targeted firmware updates
4. QoS and Traffic Prioritization
   - Route critical sensor data (fire alarms) through priority paths
   - Throttle non-critical traffic (environmental sensors)
5. Scalability
   - Plan for growth (reserve address space for future devices)
   - Hierarchical addressing supports large deployments
611.6.2 IoT Subnetting Design Principles
```mermaid
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph TD
Network["192.168.0.0/16<br/>Smart Building Network"]
Cameras["192.168.10.0/24<br/>Security Cameras<br/>(254 hosts)"]
Sensors["192.168.20.0/23<br/>Temperature Sensors<br/>(510 hosts)"]
Lights["192.168.30.0/22<br/>Smart Lighting<br/>(1,022 hosts)"]
Access["192.168.40.0/25<br/>Access Control<br/>(126 hosts)"]
Infra["192.168.50.0/28<br/>Infrastructure<br/>(14 hosts)"]
Network --> Cameras
Network --> Sensors
Network --> Lights
Network --> Access
Network --> Infra
style Network fill:#2C3E50,stroke:#16A085,stroke-width:3px,color:#fff
style Cameras fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style Sensors fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style Lights fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style Access fill:#E67E22,stroke:#2C3E50,stroke-width:2px,color:#fff
style Infra fill:#E67E22,stroke:#2C3E50,stroke-width:2px,color:#fff
```
{fig-alt="IoT subnetting design showing smart building network divided by device type: cameras (/24, 254 hosts), sensors (/23, 510 hosts), lighting (/22, 1022 hosts), access control (/25, 126 hosts), and infrastructure (/28, 14 hosts)"}
Design Checklist:
- [ ] Inventory all device types and quantities
- [ ] Add 20-30% buffer for growth
- [ ] Choose subnet sizes that accommodate growth
- [ ] Reserve subnets for future expansion
- [ ] Document IP ranges in network diagram
- [ ] Plan for DHCP ranges vs static assignments
- [ ] Consider VLAN tagging if using managed switches
611.6.3 Practical Subnetting Example: Smart Building
Scenario: Design addressing for a 10-floor smart office building with:
- 50 HVAC sensors per floor (500 total)
- 200 LED lighting controllers per floor (2,000 total)
- 30 security cameras per floor (300 total)
- 20 access control readers per floor (200 total)
- 10 environmental sensors per floor (100 total)
- 5 network infrastructure devices per floor (50 total)
Total devices: ~3,150 devices
Solution 1: By Device Type (Flat Network)
| Device Type | Count | Buffer | Total | Subnet | CIDR | Usable IPs | IP Range |
|---|---|---|---|---|---|---|---|
| HVAC Sensors | 500 | 150 | 650 | 192.168.1.0 | /22 | 1,022 | .1.1 - .3.254 |
| Lighting | 2,000 | 600 | 2,600 | 192.168.4.0 | /21 | 2,046 | .4.1 - .11.254 |
| Cameras | 300 | 100 | 400 | 192.168.12.0 | /23 | 510 | .12.1 - .13.254 |
| Access Control | 200 | 60 | 260 | 192.168.14.0 | /24 | 254 | .14.1 - .14.254 |
| Environmental | 100 | 30 | 130 | 192.168.15.0 | /24 | 254 | .15.1 - .15.254 |
| Infrastructure | 50 | 15 | 65 | 192.168.16.0 | /26 | 62 | .16.1 - .16.62 |
Solution 2: By Floor (Hierarchical)
Each floor gets 10.X.0.0/16, where X = floor number:
- Floor 1: 10.1.0.0/16 (subdivided into device types)
- Floor 2: 10.2.0.0/16
- Floors 3-10: Similar pattern
Example Floor 1 subdivision:
| Device Type | Subnet | CIDR | Usable IPs |
|---|---|---|---|
| HVAC | 10.1.1.0 | /26 | 62 (50 needed) |
| Lighting | 10.1.2.0 | /24 | 254 (200 needed) |
| Cameras | 10.1.3.0 | /27 | 30 (30 needed) |
| Access Control | 10.1.4.0 | /27 | 30 (20 needed) |
| Environmental | 10.1.5.0 | /28 | 14 (10 needed) |
| Infrastructure | 10.1.6.0 | /29 | 6 (5 needed) |
Recommendation: Solution 2 (hierarchical by floor) offers better:
- Scalability: Easy to add floors
- Troubleshooting: “Problem on Floor 3” = check 10.3.x.x
- Physical topology mapping: IP matches physical location
- Firewall rules: Floor-level access controls
611.6.4 VLSM (Variable Length Subnet Masking)
VLSM allows different subnet sizes within the same network, maximizing address efficiency.
Example: Subdividing 192.168.10.0/24
```mermaid
%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#16A085', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#7F8C8D'}}}%%
graph TD
Parent["192.168.10.0/24<br/>256 total addresses"]
S1["192.168.10.0/26<br/>Cameras (64)"]
S2["192.168.10.64/26<br/>HVAC (64)"]
S3["192.168.10.128/27<br/>Access Control (32)"]
S4["192.168.10.160/27<br/>Environmental (32)"]
S5["192.168.10.192/28<br/>Infrastructure (16)"]
S6["192.168.10.208/28<br/>Future (16)"]
S7["192.168.10.224/27<br/>Reserved (32)"]
Parent --> S1
Parent --> S2
Parent --> S3
Parent --> S4
Parent --> S5
Parent --> S6
Parent --> S7
style Parent fill:#2C3E50,stroke:#16A085,stroke-width:3px,color:#fff
style S1 fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style S2 fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style S3 fill:#E67E22,stroke:#2C3E50,stroke-width:2px,color:#fff
style S4 fill:#E67E22,stroke:#2C3E50,stroke-width:2px,color:#fff
style S5 fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff
style S6 fill:#7F8C8D,stroke:#2C3E50,stroke-width:2px,color:#fff
style S7 fill:#7F8C8D,stroke:#2C3E50,stroke-width:2px,color:#fff
```
{fig-alt="VLSM example showing 192.168.10.0/24 subdivided into variable-sized subnets: two /26 (64 hosts each), two /27 (32 hosts each), two /28 (16 hosts each), with efficient use of all 256 addresses"}
Breakdown:
1. 192.168.10.0/26 (64 addresses) → Cameras
2. 192.168.10.64/26 (64 addresses) → HVAC
3. 192.168.10.128/27 (32 addresses) → Access Control
4. 192.168.10.160/27 (32 addresses) → Environmental
5. 192.168.10.192/28 (16 addresses) → Infrastructure
6. 192.168.10.208/28 (16 addresses) → Future expansion
7. 192.168.10.224/27 (32 addresses) → Reserved
Total: 256 addresses allocated with zero waste!
Option A: Flat network (single /16 or /8) - All 3,000+ devices in one broadcast domain. Simpler initial setup, no inter-subnet routing needed, DHCP serves all devices from one pool. Broadcast traffic: 3,000 devices x ARP requests + mDNS + DHCP = ~50-100 broadcast packets/second consuming 2-5% of 100 Mbps link.
Option B: Hierarchical subnetting (multiple /24-/28) - Devices grouped by type or location. Requires router/L3 switch ($500-2,000), more complex DHCP configuration, firewall rules per subnet. Broadcast traffic isolated: each subnet sees only 50-200 device broadcasts = ~5-10 packets/second per segment.
Decision Factors: Use flat for <500 devices, single building, and when all devices need to discover each other (mDNS/Bonjour). Use hierarchical when >500 devices (broadcast storms degrade Wi-Fi performance), security isolation needed (cameras separate from HVAC), or troubleshooting clarity matters (IP 10.1.x.x = Floor 1). Rule of thumb: segment when broadcast traffic exceeds 1% of link capacity.
Option A: Static IP addresses - Each device configured manually with fixed IP, subnet mask, gateway. No DHCP dependency (works during network outages), predictable firewall rules, easy asset tracking. Management cost: 2-5 minutes per device setup, spreadsheet/IPAM database required, IP conflicts if mismanaged.
Option B: DHCP with reservations - Server assigns IPs automatically, reservations tie MAC address to specific IP. Self-healing (device reboots get correct IP), centralized management, automatic DNS registration. Dependencies: DHCP server must be available at boot, reservation database must be maintained, potential delays (DORA: 4 packets, 50-500ms).
Decision Factors: Use static for critical infrastructure (<20 devices), devices that must work during network failures (safety systems, gateways), or extremely constrained devices without DHCP client. Use DHCP for large deployments (>50 devices), devices with easy configuration interfaces, or when devices move between locations. Hybrid approach: static for gateways/servers, DHCP for sensors.
611.7 Summary
- Subnet masks divide IP addresses into network and host portions using consecutive 1s (network) and 0s (host)
- CIDR notation expresses masks compactly: /24 = 255.255.255.0 = 256 addresses (254 usable)
- Network address is calculated by ANDing the IP with the mask; broadcast address has all host bits set to 1
- Subnet sizing formula: 2^(32 - prefix length) = total addresses, minus 2 for network and broadcast
- IoT subnetting provides security isolation, broadcast control, logical organization, and scalability
- VLSM enables efficient address allocation with variable-sized subnets for different device types
- Design best practice: Inventory devices, add 30% growth buffer, document everything, and consider hierarchical addressing for large deployments
611.8 What’s Next
Now that you understand subnetting and CIDR, continue with:
- Ports and NAT: Learn how port numbers identify services and how NAT enables internet access
- IPv6 for IoT: Explore the next-generation addressing with massive address space
- DHCP and Address Resolution: Configure automatic IP assignment and understand ARP/ND protocols