CIDR, VLSM & VLAN Design: A Practical Reference for Network Engineers
The calculator above handles the math. This reference covers the reasoning behind the numbers: CIDR notation, subnet sizing rules, VLSM allocation strategy, and VLAN segmentation principles for enterprise deployments.
Understanding CIDR Notation and Subnet Masks
Classless Inter-Domain Routing (CIDR) replaced the old Class A / B / C system because fixed class boundaries wasted enormous amounts of address space. A Class B allocation handed out 65,534 host addresses regardless of whether the organization needed 50 or 50,000. CIDR fixes this with a trailing slash notation that defines exactly how many bits belong to the network identifier.
In a /n prefix, the first n bits identify the network and the remaining 32 - n bits address individual hosts within it. The usable host count follows the formula 2^(32-n) - 2, where the two subtracted addresses are the network identifier (all host bits zero) and the broadcast address (all host bits one), both of which are reserved by protocol and cannot be assigned to endpoints.
| CIDR Prefix | Subnet Mask | Usable Hosts | Common Use |
|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,214 | Enterprise supernet (10.0.0.0/8) |
| /16 | 255.255.0.0 | 65,534 | Regional or site parent block |
| /24 | 255.255.255.0 | 254 | Standard VLAN segment |
| /26 | 255.255.255.192 | 62 | Small branch or printer VLAN |
| /28 | 255.255.255.240 | 14 | DMZ, management, or server block |
| /30 | 255.255.255.252 | 2 | Router-to-router WAN link (legacy) |
| /31 | 255.255.255.254 | 2 | Point-to-point link (RFC 3021) |
The CIDR Lookup tab above calculates all values for any prefix you enter.
The standard host formula breaks for /31 subnets by design. Because a point-to-point link has exactly two interfaces and no broadcast domain, RFC 3021 eliminates the network and broadcast reservations entirely — both addresses become valid, assignable endpoints. This recovers two addresses per WAN link compared to a /30, which matters at scale. Cisco IOS, Juniper Junos, and Fortinet FortiOS all support /31 on routed interfaces natively. The calculator above reflects this correctly.
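The table and the /31 rule above, worked as an added example (this is not the calculator's own code): the mask and usable-host count for any prefix, with the RFC 3021 exception made explicit, plus the first and last assignable address of a concrete block. The /32 case (a single host route, usable count 1) is a generalisation the table does not list.

```python
import ipaddress

# Added example for this reference, not the calculator's own code: CIDR
# arithmetic with the RFC 3021 /31 exception made explicit. The /32 branch
# (host route) is a generalisation beyond the table above.

def subnet_facts(prefix_len):
    """Mask, total address count and usable host count for an IPv4 /prefix_len."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    total = 1 << (32 - prefix_len)
    if prefix_len == 32:
        usable = 1          # host route: the single address is the endpoint
    elif prefix_len == 31:
        usable = 2          # RFC 3021: no network/broadcast reservation
    else:
        usable = total - 2  # network identifier and broadcast are reserved
    mask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return {"prefix": prefix_len, "mask": mask, "total": total, "usable": usable}

def usable_hosts(prefix_len):
    return subnet_facts(prefix_len)["usable"]

def usable_range(cidr):
    """First and last assignable address of a network, honouring the /31 and /32 rules."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen == 32:
        first = last = net.network_address
    elif net.prefixlen == 31:
        first, last = net.network_address, net.broadcast_address
    else:
        first = net.network_address + 1
        last = net.broadcast_address - 1
    return str(first), str(last)

if __name__ == "__main__":
    for p in (8, 16, 24, 26, 28, 30, 31):
        f = subnet_facts(p)
        print(f"/{p:<3} {f['mask']:<17} usable={f['usable']:,}")
    print(usable_range("10.0.0.0/30"), usable_range("10.0.0.0/31"))
```

`strict=True` makes `usable_range` reject a network written with host bits set (for example `10.0.0.1/30`), which is the most common way a mis-typed subnet slips into a plan.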
RFC 1918 Private Address Space — Choosing the Right Range
RFC 1918 defines three private IPv4 ranges that are non-routable on the public internet. Routers at the internet boundary drop traffic sourced from or destined to these addresses, which is why NAT exists at every enterprise edge. The three ranges are not interchangeable — each has practical characteristics that make it more or less appropriate for a given deployment context.
10.0.0.0/8: The standard choice for enterprise deployments. Large enough to support full VLSM hierarchies across multiple regions and sites. Plan supernet boundaries from day one; running out of usable space mid-deployment inside a /8 is an allocation problem, not an exhaustion problem.
172.16.0.0/12: Frequently underutilized. Spans 172.16.0.0 through 172.31.255.255, which is 16 full /16 blocks. A practical option for segmenting a secondary site, a cloud-connected VPC, or an isolated compliance environment away from the primary 10.x allocation.
192.168.0.0/16: Fine for small offices and home labs. Avoid using it as a primary allocation in medium or large enterprise environments: it exhausts quickly, conflicts with remote worker home routers, and creates split-tunnel VPN headaches when employees connect from consumer-grade equipment using the same range.
Do not use RFC 6598 (100.64.0.0/10) for internal VLANs. This range is reserved for Carrier-Grade NAT and is actively used by ISPs delivering SD-WAN circuits, LTE failover links, and cloud security edges. Internal VLAN assignments that overlap with this space cause routing asymmetry at WAN interfaces and are one of the harder problems to diagnose under time pressure.
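The address-space rules in this section, turned into a plan check as an added example (not part of the page's planner): every proposed VLAN subnet is tested for RFC 6598 overlap, for membership in an RFC 1918 range, for the 192.168.0.0/16 home-router collision risk, and for pairwise overlap with the other subnets in the plan. The finding strings are this example's own wording.

```python
import ipaddress

# Added example, not the planner's own code: audit a proposed VLAN address
# plan against the RFC 1918 / RFC 6598 guidance above.

RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.IPv4Network("100.64.0.0/10")        # RFC 6598, carrier-grade NAT
HOME_RANGE = ipaddress.IPv4Network("192.168.0.0/16")  # collides with consumer routers

def check_subnet(cidr):
    """Findings for one subnet, independent of the rest of the plan."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # rejects host bits set
    findings = []
    if net.overlaps(CGNAT):
        findings.append("overlaps RFC 6598 CGNAT space 100.64.0.0/10")
    elif not any(net.subnet_of(p) for p in RFC1918):
        findings.append("not inside any RFC 1918 private range")
    elif net.subnet_of(HOME_RANGE):
        findings.append("inside 192.168.0.0/16: likely to collide with remote worker home routers")
    return findings

def audit_plan(cidrs):
    """Per-subnet findings plus pairwise overlap detection across the whole plan."""
    nets = [ipaddress.IPv4Network(c, strict=True) for c in cidrs]
    report = {str(n): check_subnet(str(n)) for n in nets}
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):   # overlapping VLAN subnets break routing symmetry
                report[str(a)].append(f"overlaps {b}")
                report[str(b)].append(f"overlaps {a}")
    return report

if __name__ == "__main__":
    # constructed sample plan: one good entry and four mistakes
    sample = ["172.20.0.0/22", "10.10.10.0/24", "10.10.10.128/25",
              "100.64.5.0/24", "203.0.113.0/24", "192.168.1.0/24"]
    for subnet, findings in audit_plan(sample).items():
        print(subnet, "OK" if not findings else "; ".join(findings))
```

Run this against the subnet column of your VLAN table before the design is committed; an empty findings list for every row is the pass condition.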
VLSM: Carving Subnets the Right Way
Variable Length Subnet Masking (VLSM) allows different subnets within the same parent block to use different prefix lengths. This is the correct approach for any network with segments of varying sizes — assigning a /24 to every VLAN regardless of actual host count wastes address space and produces unnecessarily large broadcast domains.
The VLSM Planner tab implements the standard allocation algorithm: subnets are sorted largest-first, then each is assigned the smallest prefix that satisfies its host requirement, aligned to the next valid boundary within the parent block. Allocating largest-first minimizes address waste from alignment padding. The remaining space after all allocations is your growth buffer — plan to keep it above 30%.
Enter any parent block and required host counts in the VLSM Planner tab to get assigned CIDRs, usable ranges, and a space utilization summary automatically.
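The allocation algorithm described above, implemented as an added example (this is not the VLSM Planner's own code): requests are sorted largest-first, each gets the longest prefix that still satisfies its host count, the cursor is aligned to that prefix's boundary inside the parent, and the remaining space is reported against the 30% growth-buffer guideline. The segment names and host counts in the sample run are constructed; `use_rfc3021` selects /31 rather than /30 for two-host links.

```python
import ipaddress

# Added example, not the VLSM Planner's own code: largest-first VLSM
# allocation with optional RFC 3021 /31 links and a growth-buffer check.

def prefix_for_hosts(hosts, use_rfc3021=True):
    """Longest prefix whose usable count still satisfies `hosts`."""
    if hosts < 1:
        raise ValueError("host count must be positive")
    if hosts <= 2 and use_rfc3021:
        return 31                          # point-to-point link, both addresses usable
    # need 2**bits >= hosts + 2 (network identifier and broadcast are reserved)
    bits = (hosts + 1).bit_length()
    return 32 - bits

def usable_hosts(prefix_len):
    return 2 if prefix_len == 31 else (1 << (32 - prefix_len)) - 2

def plan_vlsm(parent_cidr, requests, use_rfc3021=True, min_buffer_pct=30.0):
    """requests: iterable of (name, host_count). Returns allocations and utilisation."""
    parent = ipaddress.IPv4Network(parent_cidr, strict=True)
    start = int(parent.network_address)
    end = int(parent.broadcast_address) + 1          # exclusive upper bound
    cursor = start
    allocations = []
    # largest requirement first minimises padding lost to boundary alignment
    for name, hosts in sorted(requests, key=lambda r: r[1], reverse=True):
        p = prefix_for_hosts(hosts, use_rfc3021)
        if p < parent.prefixlen:
            raise ValueError(f"{name}: needs /{p}, larger than parent {parent}")
        size = 1 << (32 - p)
        cursor = (cursor + size - 1) // size * size  # align to the next /p boundary
        if cursor + size > end:
            raise ValueError(f"{name}: parent {parent} exhausted")
        net = ipaddress.IPv4Network((cursor, p))
        allocations.append((name, hosts, str(net), usable_hosts(p)))
        cursor += size
    total = end - start
    used = cursor - start
    free_pct = round(100 * (total - used) / total, 1)
    return {"allocations": allocations, "used": used, "total": total,
            "free_pct": free_pct, "buffer_ok": free_pct >= min_buffer_pct}

if __name__ == "__main__":
    # constructed sample: five segments carved from a /24
    sample = [("Data", 100), ("Voice", 50), ("Servers", 20), ("Mgmt", 10), ("WAN", 2)]
    result = plan_vlsm("10.0.0.0/24", sample)
    for name, hosts, cidr, usable in result["allocations"]:
        print(f"{name:<8} need={hosts:<4} {cidr:<18} usable={usable}")
    print(f"free {result['free_pct']}%  buffer_ok={result['buffer_ok']}")
```

In the sample run the /24 is left with only 5.5% free, which fails the 30% buffer rule; the same five segments inside a /23 leave 52.7% and pass, which is the kind of parent-block decision this check is meant to force before deployment.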
VLAN Segmentation: Why Traffic Separation Matters
A VLAN (Virtual LAN) is a logical Layer 2 broadcast domain defined by an 802.1Q tag. Devices on the same VLAN communicate directly at Layer 2 without passing through a router. Traffic between VLANs requires inter-VLAN routing — either a Layer 3 switch with SVIs (Switched Virtual Interfaces) or a dedicated router interface — which is where firewall policy and QoS enforcement happen.
Proper VLAN segmentation is not just an organizational convention. It is the enforcement boundary for QoS policies, security zones, and compliance controls. Without it, all traffic competes on the same broadcast domain and there is no clean point at which to apply differentiated treatment.
Deploying unified communications — Microsoft Teams Direct Routing, Webex Calling, or a traditional on-prem PBX — over a flat, unsegmented network is a reliable path to jitter, packet loss, and one-way audio. Standard data traffic is bursty and high-volume. RTP audio streams are time-sensitive and intolerant of queuing delay.
Assigning voice endpoints to a dedicated VLAN (commonly VLAN 100 or VLAN 20 depending on your scheme) creates a clean enforcement boundary for QoS DSCP markings. The Layer 3 switch or gateway can then prioritize EF (DSCP 46) marked packets from that VLAN into a priority queue, ensuring voice traffic is processed ahead of bulk file transfers regardless of link utilization.
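The two pieces of state the previous paragraphs rely on, the 802.1Q tag and the DSCP value, decoded from a frame as an added example (not from the page or any vendor's code): the parser pulls VID and PCP out of the tag control information and DSCP out of the IPv4 TOS byte, and a small trust policy honours EF only when it arrives from the voice VLAN. `VOICE_VLAN = 20` follows the sample VLAN table in this section; the frames are constructed inline rather than captured, and the "remark to best-effort" treatment of EF from other VLANs is an assumed policy, not something the page prescribes.

```python
import struct

# Added example, not from the page or any vendor: decode the 802.1Q tag and
# IPv4 DSCP from a frame, then apply a simple marking-trust policy.

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DSCP_EF = 46        # Expedited Forwarding, used for RTP audio
VOICE_VLAN = 20     # from the sample VLAN table in this section

def build_frame(dscp, vid=None, pcp=0):
    """Construct a minimal Ethernet/IPv4 frame, 802.1Q-tagged when vid is given."""
    dst, src = b"\x02" * 6, b"\x04" * 6       # dummy locally administered MACs
    tag = b""
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1)=0 VID(12)
        tag = struct.pack("!HH", TPID_8021Q, tci)
    # IPv4 header: ver/IHL, TOS (DSCP<<2 | ECN), total len, id, flags/frag,
    # TTL, proto (17 = UDP), checksum (left zero), src, dst; then 8 bytes payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20]))
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + b"\x00" * 8

def parse_frame(frame):
    """Return vid/pcp/dei (None when untagged), ethertype and dscp (None if not IPv4)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vid, pcp, dei = 14, None, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    dscp = None
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20:
            raise ValueError("truncated IPv4 header")
        dscp = frame[offset + 1] >> 2             # top six bits of the TOS byte
    return {"vid": vid, "pcp": pcp, "dei": dei, "ethertype": ethertype, "dscp": dscp}

def classify(parsed):
    """Assumed trust policy: EF is honoured only from the voice VLAN."""
    if parsed["vid"] == VOICE_VLAN and parsed["dscp"] == DSCP_EF:
        return "priority-queue"
    if parsed["dscp"] == DSCP_EF:
        return "remark-to-be"     # unexpected EF from a data VLAN: do not trust it
    return "best-effort"

if __name__ == "__main__":
    for label, frame in (("voice EF", build_frame(46, vid=20, pcp=5)),
                         ("data EF", build_frame(46, vid=10)),
                         ("untagged", build_frame(0))):
        p = parse_frame(frame)
        print(f"{label:<9} vid={p['vid']} pcp={p['pcp']} dscp={p['dscp']} -> {classify(p)}")
```

The policy function is where the VLAN boundary does its work: a marking is only as trustworthy as the port it entered on, so the queueing decision keys on both the DSCP value and the VLAN it arrived from.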
| VLAN | Segment | Rationale |
|---|---|---|
| 10 | Data | Workstations and desktops. Default DSCP best-effort. |
| 20 | Voice | IP phones and softphones. DSCP EF (46) priority queuing. |
| 30 | Wireless | Corporate SSIDs. Isolated from wired data to limit broadcast propagation. |
| 40 | Servers | Internal file and application servers. East-west firewall policy enforced at L3 boundary. |
| 50 | Management | Out-of-band access to switches, routers, and APs. Restricted to admin source IPs only. |
| 70 | DMZ | Externally accessible services. Full stateful inspection inbound and outbound. |
| 99 | Guest | BYOD and visitor Wi-Fi. Internet access only — no route to internal VLANs. |
Load this scheme directly into the VLAN Planner tab using the Reset to Default Layout Template button.
Once your VLAN table is built, the Enterprise VLAN Config Pack has production-ready configuration templates for Cisco IOS and Aruba CX — VLAN creation, access ports, trunk ports, SVIs, and DHCP scopes. Swap in your subnets from the planner above and deploy.