Home > Articles > Certification > Cisco Certification > CCNP

This chapter is from the book

Hierarchical Addressing Using Variable-Length Subnet Masks

VLSM is a crucial component of an effective IP addressing plan for a scalable network. This section introduces VLSM, provides examples, and discusses methods of determining the best subnet mask for a given address requirement.

Network Mask and Prefix Length

The concept and definition of a network mask and the prefix length field relate to hierarchically addressed network implementation. This section discusses the purpose of the network mask and the prefix length and describes their use within a network.

IP Addressing and Subnetting


This section is an overview of IP addressing and subnetting. Appendix A, "Job Aids and Supplements," includes a more detailed review of these topics.

A subnet mask is a 32-bit value that identifies which bits in an address represent network bits and which represent host bits. To create a subnet mask for an address, use a 1 for each bit of the address that you want to represent the network or subnet portion of the address, and use a 0 for each bit of the address that you want to represent the node portion of the address. Note that the 1s in the mask are contiguous. The default subnet masks for Classes A, B, and C addresses are as shown in Table 1-1.

Table 1-1 IP Address Default Subnet Masks


Default Mask in Binary

Default Mask in Decimal







When contiguous 1s are added to the default mask, making the all-1s field in the mask longer, the definition of the network part of an IP address is extended to include subnets. Adding bits to the network part of an address decreases the number of bits in the host part. Thus, creating additional networks (subnets) is done at the expense of the number of host devices that can occupy each network segment.

The number of bits added to a default routing mask creates a counting range for counting subnets. Each subnet is a unique binary pattern.

The number of subnetworks created is calculated by the formula 2n, where n is the number of bits by which the default mask was extended. Subnet 0 (where all the subnet bits are 0) must be explicitly allowed using the ip subnet-zero global configuration command in Cisco IOS releases before 12.0. In Cisco IOS Release 12.0 and later, subnet 0 is enabled by default.


This book describes the formula for obtaining the number of subnets differently than some previous Cisco courses and books. Previously, the same formula that was used to count hosts, 2n – 2, was used to count subnets. Now 2n subnets and 2n – 2 hosts are available. The 2n rule for subnets has been adopted because the all-1s subnet has always been a legal subnet according to the RFC, and subnet 0 can be enabled by a configuration command on Cisco routers (and, in fact, it's on by default in Cisco IOS Release 12.0 and later). Note, however, that not all vendor equipment supports the use of subnet 0.

The remaining bits in the routing mask form a counting range for hosts. Host addresses are selected from these remaining bits and must be numerically unique from all other hosts on the subnetwork.

The number of hosts available is calculated by the formula 2n – 2, where n is the number of bits in the host portion. In the host counting range, the all-0s bit pattern is reserved as the subnet identifier (sometimes called the wire), and the all-1s bit pattern is reserved as a broadcast address, to reach all hosts on that subnet.

Both the IP address and the associated mask contain 32 bits. Routers are similar to computers in that both use the binary numbering scheme to represent addresses. Network administrators, however, typically do not use binary numbers on a daily basis and therefore have adopted other formats to represent 32-bit IP addresses. Some common formats include decimal (base 10) and hexadecimal (base 16) notations.

The generally accepted method of representing IP addresses and masks is to break the 32-bit field into four groups of 8 bits (octets) and to represent those 8-bit fields in a decimal format, separated by decimal points. This is known as 32-bit dotted-decimal notation.


Although dotted-decimal notation is commonly accepted, this notation means nothing to routing or computing devices, because devices internally use the 32-bit binary string. All routing decisions are based on the 32-bit binary string.

Subnet masks are used to identify the number of bits in an address that represent the network, subnet, and host portions of the address. Another way of indicating this information is to use a prefix. A prefix is a slash (/) followed by a numeric value that is the number of bits in the network and subnet portions of the address—in other words, the number of contiguous 1s that are in the subnet mask. For example, assume you are using a subnet mask of The binary representation of this mask is 11111111.11111111.11111111.00000000, which is 24 1s followed by eight 0s. Thus, the prefix would be /24, for the 24 bits of network and subnet information, the number of 1s in the mask.

Use of the Network Mask

If a PC has an IP address of with a mask of (or a prefix length of /28), it uses this mask to determine the valid host addresses for devices on its local connection. These devices have the first 28 bits in their IP address in common (the range of these local devices is through If communication with any of these devices is necessary, the PC uses Address Resolution Protocol (ARP) to find the device's corresponding media access control (MAC) address (assuming that it does not already have a destination MAC address for the IP address in its MAC table). If a PC needs to send information to an IP device that is not in the local range, the PC instead forwards the information to its default gateway. (The PC also uses ARP to discover the MAC address of the default gateway.)

A router behaves in a similar manner when it makes a routing decision. A packet arrives on the router and is passed to the routing table. The router compares the packet's destination IP address to the entries in the routing table. These entries have a prefix length associated with them. The router uses the prefix length as the minimum number of destination address bits that must match to use the corresponding outbound interface that is associated with a network entry in the routing table.

Network Mask Example

Consider a scenario in which an IP packet with a destination address of is sent to a router. The router's IP routing table is shown in Example 1-1.

Example 1-1 IP Routing Table for Network Mask Example

In this scenario, the router determines where to send a packet that is destined for by looking at the routing table. The routing table has four entries for network The router compares the destination address to each of the four entries for this network.

The destination address of has the first three octets in common with all four entries in the routing table, but it is not clear by looking at the decimal representation which of those entries is the best match to route this packet. A router handles all packets in binary, not dotted-decimal, notation.

Following is the binary representation of the last octet for destination address and the binary representation of the last octet for the four entries in the IP routing table. Because the prefix length is 28 and all four entries match at least the first 24 bits of 192.168.1, the router must find the routing table entry that matches the first 4 bits (bits 25 to 28) of the number 67. It is not important if the last 4 bits match, so the target is 0100xxxx. The routing entry 64, which has a value of 0100 in the first 4 bits, is the only one that matches the requirement:

  • 67—01000011

  • 16—00010000

  • 32—00100000

  • 64—01000000

  • 80—01010000

The router therefore uses the entry in the routing table and forwards this packet to the next router ( on the Ethernet 0 interface.

Implementing VLSM in a Scalable Network

Key Point: Classful Versus Classless Routing

A major network (also known as a classful network) is a Class A, B, or C network.

With classful routing, routing updates do not carry the subnet mask. Therefore, only one subnet mask must be in use within a major network. This is known as Fixed-Length Subnet Masking (FLSM). Examples of classful routing protocols are RIP version 1 (RIPv1) and IGRP.

With classless routing, routing updates do carry the subnet mask. Therefore, different masks may be used for different subnets within a major network. This is known as VLSM. Examples of classless routing protocols are RIP version 2 (RIPv2), OSPF, Intermediate System-to-Intermediate System (IS-IS), and Enhanced Interior Gateway Routing Protocol (EIGRP).


Classful and classless routing protocols are discussed further in Chapter 2.

VLSM allows more than one subnet mask within a major network and enables the subnetting of a previously subnetted network address.

The network shown in Figure 1-10 is used to illustrate how VLSM works.

Figure 10Figure 1-10 Network for the VLSM Example

The following are some characteristics that permit VLSMs to conserve IP addresses:

  • Efficient use of IP addresses—Without the use of VLSMs, companies are locked into implementing a single subnet mask within an entire Class A, B, or C network number.

  • For example, suppose a network architect decides to use the address space to design a corporate network. The architect determines that 64 blocks of addresses with up to 1022 hosts in each are required. Therefore, 10 host bits (210 – 2 = 1022) and 6 subnet bits (26 = 64) are required for each block. The mask is therefore; the prefix is /22.

    The network architect assigns address block to Division X, as shown in Figure 1-10. The prefix mask of /22 indicates that all addresses within that range have the first 22 bits in common (when reading from left to right). The prefix mask provides Division X with a range of addresses from through The details of the range of addresses available to Division X are shown in the center block of Figure 1-11. Within Division X, the networks are assigned addresses in this range, with varying subnet masks. Details of these address assignments are provided in the next section.

  • Greater capability to use route summarization—VLSMs allow for more hierarchical levels within an addressing plan and thus allow better route summarization within routing tables. For example, in Figure 1-10, address summarizes all the subnets that are further subnets of

Figure 11Figure 1-11 Range of Addresses for VLSM for Division X in Figure 1-10

  • Reduced number of routing table entries—In a hierarchical addressing plan, route summarization allows a single IP address to represent a collection of IP addresses. When VLSM is used in a hierarchical network, it allows summarized routes, which keeps routing table entries (on the routers that receive the summarized routes) manageable and provides the following benefits:

    • More-efficient routing

    • Reduction in the number of CPU cycles to sort through the routing table entries to find a match and for routing table recalculation

    • Reduction in router memory requirements

    • Reduced bandwidth required to send the fewer, smaller routing updates

    • Faster convergence after a change in the network

    • Easier troubleshooting

    • Increased network stability

    Because of the reduced router requirements, it also might be possible to use some less-powerful (and therefore less-expensive) routers in the network.

The address represents all the addresses that have the same first 22 bits as Figure 1-11 displays the binary representation of networks through Notice that through all have the first 22 bits in common, whereas and do not have the same first 22 bits. Therefore, the address represents the range of addresses through

VLSM Calculation Example

You can best understand the design and implementation of a scalable IP address plan if you study a detailed example of how a VLSM network is laid out.

Figure 1-12 shows a detailed view of the same Division X shown in Figure 1-10.

Figure 12Figure 1-12 Detailed IP Addressing of Division X in Figure 1-10

In Division X, the following exist:

  • One VLAN on each of the two Ethernet ports of Router D, each with 200 users.

  • Three remote sites, at Routers A, B, and C, each with a 24-port Cisco 2924 10/100 switch. Corporate management guarantees that the number of users at each remote site does not exceed 20.

  • Three serial links to the remote sites. The serial links are point-to-point Frame Relay and require an address on each side.

VLSM allows you to further subnet the address space, using variable masks, to accommodate the network requirements. For example, because point-to-point serial lines require only two host addresses, you can use a subnetted address that has only two host addresses and therefore does not waste scarce subnet numbers.

To start the VLSM process, determine the number of subnets necessary for the networks to which you need to assign IP addresses, and determine the number of hosts necessary per subnetwork. You can determine the number of hosts by checking corporate policy to see if a limit is set per segment or VLAN, checking the physical number of ports on a switch, and checking the current size of the network or networks at other sites that fulfill the same role.


The decimal-to-binary conversion chart in Appendix A might be helpful when you are calculating VLSMs.

LAN Addresses

Because IP addresses are binary, they are used in blocks of powers of 2. A block of addresses contains 2, 4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, and so on addresses. Two addresses are lost each time you create a subnet: one for the network (wire) address and the other for the broadcast address.

The lowest address of the range, where the host bits are all 0s, is known as the network number or the wire address. The top of the address range, where the host bits are all 1s, is the broadcast address. The number of addresses in a block that can be assigned to devices is 2n – 2, where n is the number of host bits. For example, with 3 host bits, 23 – 2 = 8 – 2 = 6 addresses can be assigned.

To determine the size of the block of addresses needed for a subnet, follow these steps:

Step 1

Calculate the maximum number of hosts on that subnet.

Step 2

Add 2 to that number for the broadcast and subnet numbers.

Step 3

Round up to the next higher power of 2.

In this example, the VLANs each have 200 users; therefore, the number of addresses required is 200 + 2 = 202. Rounding up to the next power of 2 gives you 256. Thus, 8 (28 = 256) host bits are required for the VLANs; therefore, the prefix is /24 (32 bits – 8 bits for the host = 24 bits). The network administrator subnets the into four /24 subnets on router D. is assigned to VLAN 1, and is assigned to VLAN 2. This leaves two /24 subnets, and, to use for the switches at the three remote sites and the three serial point-to-point links.

The number of addresses required for the LANs at each remote site is 20 + 2 = 22. Rounding this up to the next power of 2 gives you 32. Thus, 5 host bits (25 = 32) are required to address the remote users at each site. Therefore, the prefix to use is /27 (32 bits – 5 bits for the host = 27).

You cannot use the or networks, because they are assigned to VLANs 1 and 2 on router D. The process to further subnet into /27 subnets is shown in Figure 1-13. The first three subnets calculated in Figure 1-13 are used on the LANs in Figure 1-12.

Figure 13Figure 1-13 Calculating Subnet Addresses for the LANs in Figure 1-12

Serial Line Addresses

After you establish the addresses for the LANs at the remote sites, you must address the serial links between the remote sites and router D. Because the serial links require two addresses, the number of addresses required is 2 + 2 = 4 (the two additional addresses are for the network number and the broadcast address).

In this case, there is no need to round up, because 4 is a power of 2. Therefore, 2 host bits will allow for two hosts per subnet. A network mask of /30 (32 bits – 2 host bits = 30 bits) is used. This prefix allows for only two hosts—just enough hosts for a point-to-point connection between a pair of routers.

To calculate the subnet addresses for the WAN links, further subnet one of the unused /27 subnets. In this example, is further subnetted with a prefix of /30. The three additional subnet bits result in 23 = 8 subnets for the WAN links.

Key Point: Further Subnet Only Unused Subnets

It is important to remember that only unused subnets should be further subnetted. In other words, if you use any addresses from a subnet, that subnet should not be further subnetted. In Figure 1-12, three subnet numbers are used on the LANs. Another, as-yet unused subnet,, is further subnetted for use on the WANs.

The WAN addresses derived from are as follows. The shaded bits are the 3 additional subnet bits:

  • =

  • =

  • =

  • =

  • =

  • =

  • =

  • =

The first three of these subnets are used on the WANs shown in Figure 1-12.

The address information for the router A to router D link is as follows:

  • Network number—

  • Router A serial interface—

  • Router D serial interface—

  • Broadcast address—

The address information for the router B to router D link is as follows:

  • Network number—

  • Router B serial interface—

  • Router D serial interface—

  • Broadcast address—

The address information for the router C to router D link is as follows:

  • Network number—

  • Router C serial interface—

  • Router D serial interface—

  • Broadcast address—

Note that to provide the most flexibility for future growth, the subnet was selected for the WANs instead of using the next available subnet, For example, if the company purchases more switches, the next IP segment could be assigned the subnet, and the new remote site would be connected to router D with the serial subnet.

The block could have been used for these /30 subnets, but only three subnets are currently needed, so a lot of the address space would be unused. The block is now available to use on another LAN in the future.

Summary of Addresses Used in the VLSM Example

Figure 1-14 summarizes the addresses, in binary, used in this example.

Figure 14Figure 1-14 Binary Representation of the Addresses Used in Figure 1-12

Another VLSM Example

This section illustrates another example of calculating VLSM addresses. In this example, you have a subnet address, and you need to assign addresses to a network that has ten hosts. With this subnet address, however, you have 212 – 2 = 4094 host addresses, so you would be wasting more than 4000 IP addresses. With VLSM, you can further subnet the address to give you more subnetwork addresses and fewer hosts per network, which would work better in this network topology. For example, if you subnet to, you gain 64 (26) subnets, each of which can support 62 (26 – 2) hosts.

To further subnet to, do the following, as illustrated in Figure 1-15:

Step 1

Write in binary.

Step 2

Draw a vertical line between the 20th and 21st bits, as shown in Figure 1-15.

Step 3

Draw a vertical line between the 26th and 27th bits, as shown in Figure 1-15.

Step 4

Calculate the 64 subnet addresses using the bits between the two vertical lines, from lowest to highest. Figure 1-15 shows the first five subnets available.

Figure 15Figure 1-15 Further Subnetting a Subnetted Address


VLSM calculators are available on the web. The following URL contains the one offered by Cisco: http://www.cisco.com/cgi-bin/Support/IpSubnet/home.pl. (Note that you need to have an account on Cisco's website to use this calculator.)

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020