CCNA-Level Networking for Cloud and Web Hosting: The Essentials You Actually Use

IP Addressing and Subnets for Hosting: Reading the Network Like a Map

Chapter 3

What an IPv4 Address Tells You in Hosting

An IPv4 address is a 32-bit identifier written as four decimal octets (for example, 203.0.113.10). In hosting work, you read an IP address together with its subnet mask (often written as CIDR like /24) to answer operational questions: can two servers talk directly on the same L2 segment, what is the correct default gateway, and which addresses are reserved (network/broadcast) vs usable for hosts.

Think of the IP + mask as a map legend: it tells you which part is the “neighborhood” (network) and which part is the “house number” (host). If two devices share the same neighborhood, they can ARP and talk locally; if not, they must send to a router (default gateway).

IPv4 Address + CIDR Prefix

CIDR /n means “the first n bits are the network portion.” The remaining (32-n) bits are host bits. Common hosting prefixes: /24 (small VLAN), /26 (smaller segments for security or tenant separation), /20 (larger internal networks).

  • /24: 8 host bits, 256 total addresses
  • /26: 6 host bits, 64 total addresses
  • /20: 12 host bits, 4096 total addresses

In most traditional subnets, two addresses are not usable by hosts: the network address (all host bits 0) and the broadcast address (all host bits 1).

Private vs Public IPs You’ll See in Hosting

Public IPs are globally routable on the Internet. Private IPs are used inside networks and are not routed on the public Internet; they typically reach the Internet via NAT.

RFC1918 Private Ranges (Recognize These in Logs)

  • 10.0.0.0/8 (10.0.0.0–10.255.255.255)
  • 172.16.0.0/12 (172.16.0.0–172.31.255.255)
  • 192.168.0.0/16 (192.168.0.0–192.168.255.255)

Practical log reading: if a web server access log shows a client IP like 10.12.4.9, that is not a real Internet client; it’s likely a load balancer, reverse proxy, CDN edge inside your network, or a misconfigured header chain. You may need to inspect X-Forwarded-For (or equivalent) to find the true public client IP.

Core Outcomes You Must Be Able to Do

Outcome 1: Determine Whether Two IPs Are in the Same Subnet

Two IPs are in the same subnet if they produce the same network address when you apply the subnet mask.

Operational meaning: if they are in the same subnet, they should communicate directly (no routing). If not, traffic should go to the default gateway (routing required).

Step-by-step method (works every time)

  • Convert the prefix (/n) to a subnet mask.
  • Compute the network address for each IP: IP AND mask.
  • If the two network addresses match, they are in the same subnet.

In practice, you often do this without full binary by using “block size” in the interesting octet.

Outcome 2: Identify Network and Broadcast Address

Network address: first address in the subnet (host bits all 0). Broadcast address: last address in the subnet (host bits all 1). Usable host range is between them (exclusive) for typical IPv4 subnets.

Outcome 3: Choose the Correct Default Gateway

A host’s default gateway must be an IP address inside the same subnet as the host (so the host can ARP for it). In hosting, the gateway is commonly the first usable address (like .1) or last usable (like .254), but you must confirm the actual gateway used by your environment.

Rule: if the destination IP is not in the local subnet, the server sends the packet to the default gateway (next hop router). If the gateway is outside the subnet, the server cannot reach it at all.

Subnetting in Hosting: Practical Patterns

Selecting a Subnet for a New Web Server

When adding a new web server, you typically choose a subnet based on: required number of hosts, isolation needs (prod vs staging, tenant separation), and routing boundaries (which networks should be reachable).

  • Small dedicated segment for a DMZ web tier: /26 (up to 62 usable hosts) can be enough for web nodes, load balancers, and monitoring endpoints.
  • Large internal app tier: /20 (up to 4094 usable hosts) might be used for east-west traffic-heavy services, but consider blast radius and segmentation.
  • Classic small VLAN: /24 (254 usable hosts) is common for a single rack/VLAN or a small cloud subnet.

Also decide whether the server needs a public IP. Many deployments use private IPs on the server and expose services via a public load balancer or reverse proxy.

Exercises: /24, /26, /20 (Usable Range + Routed or Not)

Exercise 1: /24 (Common “one VLAN” subnet)

Scenario: You are deploying a web server with IP 192.168.50.23/24. The proposed default gateway is 192.168.50.1. Another server is 192.168.51.10/24.

Step 1: Identify subnet mask

/24 = 255.255.255.0

Step 2: Network address and broadcast

  • Network: 192.168.50.0
  • Broadcast: 192.168.50.255
  • Usable hosts: 192.168.50.1–192.168.50.254

Step 3: Is the default gateway valid?

192.168.50.1 is inside 192.168.50.0/24, so it is a valid gateway choice.

Step 4: Same subnet check (routing decision)

  • 192.168.50.23 is in 192.168.50.0/24
  • 192.168.51.10 is in 192.168.51.0/24

They are not in the same subnet. Traffic from 192.168.50.23 to 192.168.51.10 should be routed via the default gateway (assuming routing exists between those subnets).

Exercise 2: /26 (Smaller segments for isolation)

Scenario: A hosting provider gives you 203.0.113.64/26 for a small public-facing segment. You want to assign a server 203.0.113.90/26. You also see 203.0.113.130 in a firewall rule and want to know if it’s in the same subnet.

Step 1: Understand /26 block size

/26 means 6 host bits, so each subnet has 64 addresses. In the last octet, the block size is 64. Subnet boundaries in the last octet are: 0, 64, 128, 192.

Step 2: Identify the subnet for 203.0.113.64/26

  • Network: 203.0.113.64
  • Broadcast: 203.0.113.127 (64 + 63)
  • Usable hosts: 203.0.113.65–203.0.113.126

Step 3: Is 203.0.113.90 usable in this subnet?

Yes. 90 is between 65 and 126.

Step 4: Is 203.0.113.130 in the same subnet?

130 falls in the 128–191 block, which corresponds to 203.0.113.128/26, not 203.0.113.64/26. So it is not in the same subnet; traffic must be routed (and on public IP space, routing depends on provider edge configuration).

Exercise 3: /20 (Large internal subnet; common in cloud VPCs)

Scenario: Your internal app network is 10.20.16.0/20. A new server is proposed as 10.20.27.200/20 with gateway 10.20.16.1. You need to confirm the usable range and whether 10.20.33.10 is local or routed.

Step 1: Find the “interesting octet” for /20

/20 means 16 bits (first two octets) + 4 bits into the third octet. So the third octet determines the subnet blocks. The block size in the third octet is 16 (because 256 / 2^4 = 16). Third-octet boundaries: 0, 16, 32, 48, ...

Step 2: Determine network and broadcast for 10.20.16.0/20

  • Network: 10.20.16.0
  • Broadcast: 10.20.31.255 (third octet 16 through 31)
  • Usable hosts: 10.20.16.1–10.20.31.254

Step 3: Validate 10.20.27.200/20

Third octet 27 is within 16–31, so 10.20.27.200 is inside the subnet and is usable (not network/broadcast).

Step 4: Validate gateway 10.20.16.1

10.20.16.1 is inside the subnet and is a valid gateway choice.

Step 5: Decide routed vs local for 10.20.33.10

Third octet 33 is in the 32–47 block, which is 10.20.32.0/20. That is a different subnet, so traffic to 10.20.33.10 should be routed via the default gateway.

Fast Techniques You’ll Use While Troubleshooting

Technique: “Block size” mental math

When the prefix is not on an octet boundary (like /26 or /20), find the block size in the relevant octet and identify which block the IP falls into.

  • /26: block size 64 in the 4th octet (0, 64, 128, 192)
  • /27: block size 32 in the 4th octet (0, 32, 64, 96, 128, 160, 192, 224)
  • /20: block size 16 in the 3rd octet (0, 16, 32, 48, ...)

Technique: Gateway sanity checks

  • Gateway must be in the same subnet as the host.
  • Gateway must not be the network address or broadcast address.
  • If you can ping another host in the same subnet but cannot reach the gateway, suspect VLAN/subnet mismatch, wrong mask, or security filtering.
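The three core outcomes and the gateway sanity checks above can be automated in one helper. This is an added example, not part of the original course; the function names are hypothetical, and it handles only traditional subnets (/0 to /30) where the network and broadcast addresses are reserved.

```python
import ipaddress


def _int(ip):
    return int(ipaddress.IPv4Address(ip))


def _ip(n):
    return str(ipaddress.IPv4Address(n))


def subnet_facts(ip, prefix):
    """Steps from the page: prefix -> mask, then network = IP AND mask."""
    if not 0 <= prefix <= 30:
        raise ValueError("only traditional subnets (/0 to /30) are handled")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = _int(ip) & mask                    # host bits all 0
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all 1
    return {"mask": _ip(mask), "network": _ip(network),
            "broadcast": _ip(broadcast),
            "usable": (_ip(network + 1), _ip(broadcast - 1))}


def same_subnet(ip_a, ip_b, prefix):
    """Same subnet when both addresses give the same network address."""
    return (subnet_facts(ip_a, prefix)["network"]
            == subnet_facts(ip_b, prefix)["network"])


def gateway_problems(host, prefix, gateway):
    """Return a list of reasons the gateway is invalid (empty list = OK)."""
    facts = subnet_facts(host, prefix)
    if not same_subnet(host, gateway, prefix):
        return ["gateway is outside the host's subnet"]
    problems = []
    if _int(gateway) == _int(facts["network"]):
        problems.append("gateway is the network address")
    if _int(gateway) == _int(facts["broadcast"]):
        problems.append("gateway is the broadcast address")
    return problems


def next_hop(host, prefix, gateway, destination):
    """'local' means ARP for the destination; otherwise send to the gateway."""
    if same_subnet(host, destination, prefix):
        return "local"
    return "via " + gateway
```

With the Exercise 3 values, `next_hop("10.20.27.200", 20, "10.20.16.1", "10.20.33.10")` returns `via 10.20.16.1`, and `gateway_problems` returns an empty list for that gateway.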

Technique: Reading logs for private/public clues

  • Client IP in RFC1918 range often indicates a proxy/load balancer in front of the server.
  • If you expect public clients but see only 10.x/172.16-31.x/192.168.x, verify proxy headers and the application’s “real IP” configuration.
  • If you see a mix of public and private, confirm whether some traffic is internal health checks or east-west calls.
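The log-reading advice above (and the earlier X-Forwarded-For note under the RFC1918 ranges) comes down to deciding which hop in the header chain to believe. The following is an added example, not part of the original course: the trusted proxy subnet and the sample requests are constructed assumptions, and the function names are hypothetical.

```python
import ipaddress

# The three RFC1918 ranges listed on this page. ipaddress's own is_private
# flag is broader (it also covers documentation ranges), so match explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: your load balancers / reverse proxies live in this subnet.
TRUSTED_PROXIES = [ipaddress.ip_network("10.12.4.0/24")]

# Constructed sample requests: (TCP peer address, X-Forwarded-For header).
SAMPLES = [
    ("10.12.4.9", "198.51.100.23"),             # normal proxied request
    ("10.12.4.9", "192.0.2.1, 198.51.100.23"),  # client sent its own XFF value
    ("10.12.4.9", ""),                          # proxy health check
    ("203.0.113.50", "10.0.0.1"),               # direct hit, header not from us
]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def real_client_ip(peer_ip, xff, trusted=TRUSTED_PROXIES):
    """Walk the hop chain right to left and return the first address that is
    not one of our proxies. Entries left of it were supplied by that client,
    so they are ignored. Returns None if a malformed entry is reached."""
    chain = [h.strip() for h in xff.split(",") if h.strip()] + [peer_ip]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(addr in net for net in trusted):
            return str(addr)
    return peer_ip  # every hop was a trusted proxy


def resolve_all(samples=SAMPLES):
    return [real_client_ip(peer, xff) for peer, xff in samples]
```

Taking the leftmost X-Forwarded-For entry instead would attribute the second sample to 192.0.2.1, a value the client chose, which is why rate limits and IP allowlists should key on the result of the right-to-left walk.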

Practice Set (Do These Without a Calculator)

Problem A: Same subnet?

Are 198.51.100.14/26 and 198.51.100.62/26 in the same subnet?

Work: /26 block size is 64 in last octet. 14 and 62 are both in 0–63, so yes: same subnet (198.51.100.0/26). Traffic should be local (no routing).

Problem B: Network/broadcast/usable range

For 172.20.40.77/24, identify network, broadcast, usable range.

  • Network: 172.20.40.0
  • Broadcast: 172.20.40.255
  • Usable: 172.20.40.1–172.20.40.254

Problem C: Routed or not?

A server is 10.1.5.10/20 with gateway 10.1.0.1. Should traffic to 10.1.14.200 be routed?

Work: /20 block size 16 in third octet. Subnet is 10.1.0.0–10.1.15.255, so 10.1.14.200 is local; it should not be routed (it should ARP directly). If it is being routed, suspect wrong mask on one side.

Problem D: Gateway correctness

A server is configured as 203.0.113.200/26 with gateway 203.0.113.193. Is that gateway in the same subnet?

Work: /26 blocks: 192–255 is the subnet for .200. Network is .192, usable .193–.254, broadcast .255. Gateway .193 is valid and in-subnet.

Now answer the exercise about the content:

A server is configured as 203.0.113.200/26 with a default gateway of 203.0.113.193. Which statement is correct?

With /26, the last-octet block size is 64, so 203.0.113.200 is in the 192–255 subnet (network .192, broadcast .255). Usable hosts are .193–.254, so 203.0.113.193 is in-subnet and valid as a gateway.
