In a Subnetting interview, structure beats memorisation — when a question stretches you, reason out loud from fundamentals instead of guessing. Use the visual cheat-sheets below to lock in the diagrams interviewers love, and note that every answer ends with a 👉 Interview tip giving the exact line to say.
Visual cheat-sheets — the whiteboard answers
IPv4 Fundamentals & Addressing Basics (10)
L11. What is an IPv4 address? Explain the 32-bit structure and the dotted-decimal notation with its four octets.
An IPv4 address is a unique logical identifier assigned to a device's network interface so packets can find it, much like a postal address finds your house. It is 32 bits long, giving about 4.3 billion possible addresses (2^32).
Those 32 bits are split into four 8-bit groups called octets. Because raw binary like 11000000... is hard for humans to read, we write each octet as a decimal number (0-255) separated by dots. This is dotted-decimal notation, for example 192.168.1.10.
- Each octet = 8 bits, so 4 octets = 32 bits.
- One octet ranges from 0 to 255 (because 8 bits max = 11111111 = 255).
- An address always has a network portion and a host portion, defined by the subnet mask.
Interview tip: Always say "32 bits, four octets, each 0-255" in one breath.
L12. List the bit values of the 8 positions in a single octet (128, 64, 32, 16, 8, 4, 2, 1) and use them to convert the decimal number 200 to binary.
In one octet, the 8 bit positions (left to right) carry these place values: 128 64 32 16 8 4 2 1. Adding the positions you turn ON gives the decimal value. The total of all eight equals 255.
To convert 200, greedily subtract from the largest place that fits:
- 200 - 128 = 72, so set the 128 bit = 1
- 72 - 64 = 8, so set the 64 bit = 1
- 8 is too small for 32 and 16, so both = 0
- 8 - 8 = 0, so set the 8 bit = 1
- Remaining places 4, 2, 1 = 0
Result: 11001000. Check: 128 + 64 + 8 = 200.
Interview tip: Memorize the eight place values; subnetting math becomes instant mental arithmetic.
L13. Identify the class of the address 172.16.45.10 and recite the default subnet masks for Class A, B, and C.
The class is decided by the first octet. Here the first octet is 172, which falls in the range 128-191, so 172.16.45.10 is a Class B address. It is also a private RFC 1918 address, since the 172.16.0.0/12 block (172.16 through 172.31) is reserved.
The classful default subnet masks are:
- Class A (1-126): 255.0.0.0 = /8, so 8 network bits.
- Class B (128-191): 255.255.0.0 = /16, so 16 network bits.
- Class C (192-223): 255.255.255.0 = /24, so 24 network bits.
A simple memory hook: A = one full octet of network, B = two, C = three.
Interview tip: Note 172.16.45.10 is also private; mentioning both class AND scope shows depth.
L14. State the first-octet ranges for Class A, B, C, D (multicast), and E (experimental). Why is 127 excluded from the usable Class A host range?
IPv4 classes are defined by the value of the first octet:
- Class A: 1-126 (large networks)
- Class B: 128-191 (medium networks)
- Class C: 192-223 (small networks)
- Class D: 224-239 (multicast, one-to-many)
- Class E: 240-255 (experimental/reserved)
You will notice 127 is missing between Class A's 126 and Class B's 128. That is because the entire 127.0.0.0/8 block is reserved for loopback (testing the local TCP/IP stack, e.g. 127.0.0.1). Since it never travels on a real network, it is not counted as usable host space.
Interview tip: The gap (126 then 128) is a classic trick question; loopback is the answer.
L15. From memory, state the three RFC 1918 private address ranges and explain the difference between private and public addressing.
The three RFC 1918 private ranges are:
- 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
Public addresses are globally unique, routable on the internet, and assigned through ISPs and the Regional Internet Registries (RIRs); no two devices worldwide share one. Private addresses are free to reuse inside any organization and are not routable on the public internet; routers on the internet drop them. To reach the internet, private hosts share one public IP through NAT.
Think of private IPs like internal extension numbers in an office, and public IPs like the company's one external phone number.
Interview tip: Always pair private addressing with NAT; that is why private space does not run out.
L26. Why are classful network boundaries considered obsolete today, and what replaced them?
Classful addressing locked every network to a fixed mask (/8, /16, /24) based purely on the first octet. This was hugely wasteful: an organization needing 300 hosts had to take a whole Class B (65,534 hosts) because a Class C (254 hosts) was too small, burning tens of thousands of addresses. It also bloated routing tables since every network had to be advertised separately.
It was replaced (standardized in 1993) by CIDR (Classless Inter-Domain Routing), which lets the mask sit at any bit boundary, written as /prefix (e.g. /26). CIDR enables:
- VLSM - right-sizing subnets to actual host counts.
- Route summarization (supernetting) - many networks advertised as one prefix, shrinking routing tables.
Interview tip: Say "CIDR + VLSM" together; classes are now only a historical naming convention.
L27. Explain what 'network bits' versus 'host bits' mean in a subnet mask, and how ANDing an IP address with its mask produces the network address.
A subnet mask is 32 bits where the leading 1s mark network bits and the trailing 0s mark host bits. Network bits identify which network; host bits identify which device within it. For /24 = 255.255.255.0, the first 24 bits are network and the last 8 are host (so 2^8 - 2 = 254 usable hosts).
To find the network address, the device performs a bitwise AND of the IP with the mask. AND returns 1 only when both bits are 1, so host bits (mask = 0) get zeroed out while network bits are preserved.
- IP 192.168.1.130 AND mask 255.255.255.0 = 192.168.1.0 (the network address)
Routers do this to decide whether traffic is local or must be forwarded.
Interview tip: Remember the AND rule: mask 0 erases, mask 1 keeps.
L28. Convert the binary IP 11000000.10101000.00000001.00011110 to dotted-decimal, then state which class and default mask it belongs to.
Convert each octet using place values 128 64 32 16 8 4 2 1:
- 11000000 = 128 + 64 = 192
- 10101000 = 128 + 32 + 8 = 168
- 00000001 = 1
- 00011110 = 16 + 8 + 4 + 2 = 30
So the dotted-decimal address is 192.168.1.30.
The first octet is 192, which lies in the Class C range (192-223). Therefore it is a Class C address with the default mask 255.255.255.0 (/24). It is also within the private 192.168.0.0/16 block.
Interview tip: Convert octet-by-octet, check the first octet for class, and flag private scope if relevant; three quick wins in one answer.
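The octet, mask and AND arithmetic behind the answers above, written out in plain Python so each step is visible (an added example, not code from the original article; all function names are my own, and only the standard library is used):

```python
PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_bits(value):
    """Greedy decimal-to-binary for one octet. Returns (bit string, places kept)."""
    if not 0 <= value <= 255:
        raise ValueError("an octet must be 0-255, got %r" % value)
    remaining, bits, kept = value, [], []
    for place in PLACE_VALUES:
        if remaining >= place:        # the place fits: turn that bit on
            bits.append("1")
            kept.append(place)
            remaining -= place
        else:
            bits.append("0")
    return "".join(bits), kept


def dotted_to_int(dotted):
    """'192.168.1.130' -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def binary_dotted_to_dotted(binary):
    """'11000000.10101000.00000001.00011110' -> '192.168.1.30', octet by octet."""
    octets = binary.split(".")
    if len(octets) != 4 or any(len(o) != 8 or set(o) - {"0", "1"} for o in octets):
        raise ValueError("expected four 8-bit binary octets: %s" % binary)
    return ".".join(str(int(o, 2)) for o in octets)


def prefix_to_mask(prefix):
    """/24 -> '255.255.255.0': the top `prefix` bits set, the rest zero."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0-32")
    return int_to_dotted(((1 << prefix) - 1) << (32 - prefix))


def mask_to_prefix(mask):
    value = dotted_to_int(mask)
    prefix = bin(value).count("1")
    if value != ((1 << prefix) - 1) << (32 - prefix):   # the 1s must be contiguous
        raise ValueError("non-contiguous mask: %s" % mask)
    return prefix


def classful_info(dotted):
    """(class, default mask) from the first octet under the old classful rules."""
    first = dotted_to_int(dotted) >> 24
    if first == 0:
        return "reserved (0.0.0.0/8)", None
    if first == 127:
        return "A (loopback 127.0.0.0/8, not usable host space)", "255.0.0.0"
    if first <= 126:
        return "A", "255.0.0.0"
    if first <= 191:
        return "B", "255.255.0.0"
    if first <= 223:
        return "C", "255.255.255.0"
    if first <= 239:
        return "D (multicast)", None
    return "E (experimental)", None


def network_address(dotted, mask):
    """Bitwise AND: a mask bit of 1 keeps the address bit, a 0 erases it."""
    return int_to_dotted(dotted_to_int(dotted) & dotted_to_int(mask))


def broadcast_address(dotted, mask):
    """Network address with every host bit set: OR with the inverted mask."""
    host_bits = ~dotted_to_int(mask) & 0xFFFFFFFF
    return int_to_dotted(dotted_to_int(dotted) | host_bits)


def usable_hosts(prefix):
    """2^h - 2 in general; RFC 3021 /31 gives 2, and /32 is a single host."""
    if prefix >= 31:
        return 33 - prefix     # /31 -> 2, /32 -> 1
    return (1 << (32 - prefix)) - 2
```

`network_address("192.168.1.130", "255.255.255.0")` is the AND from the answer above; `octet_to_bits(200)` returns the bit string together with the place values it kept, which is the greedy subtraction trace.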
L19. What does the loopback range 127.0.0.0/8 represent, and what is the practical use of 127.0.0.1?
The 127.0.0.0/8 block is reserved for loopback, addresses that refer back to the local machine itself. Traffic sent here never leaves the host or touches the physical network card; it loops inside the operating system's TCP/IP stack. Technically the whole /8 (over 16 million addresses) is reserved, but in practice almost everyone uses 127.0.0.1, mapped to the hostname localhost.
Practical uses of 127.0.0.1:
- Testing the network stack - ping 127.0.0.1 confirms TCP/IP is installed and working.
- Local development - run a web server and open http://127.0.0.1:8080 without any external network.
- Inter-process communication between programs on the same machine.
Think of it as calling your own phone, you reach yourself.
Interview tip: The IPv6 equivalent of loopback is ::1.
L310. Explain why IPv4 address exhaustion happened and how CIDR plus NAT plus private addressing together slowed it down.
IPv4 has only ~4.3 billion addresses (2^32), and the explosion of internet-connected devices outgrew that. Early classful allocation made it worse: organizations grabbed entire Class A/B blocks and wasted millions of unused addresses. IANA's central free pool was exhausted in February 2011, and the RIRs ran out over the following years (APNIC 2011, RIPE NCC 2012, ARIN 2015).
Three mechanisms bought time:
- Private addressing (RFC 1918) - lets every network reuse 10.x, 172.16-31.x, 192.168.x internally, removing huge demand for public IPs.
- NAT - lets many private hosts share one public IP by translating addresses and ports, so a whole office needs just one (or a few) public addresses.
- CIDR/VLSM - ends fixed class boundaries, allocating exactly the size needed and summarizing routes.
These delay, but do not solve, exhaustion; the real fix is IPv6.
Interview tip: Frame CIDR/NAT/RFC 1918 as a stopgap; IPv6 is the permanent answer.
IPv6 Addressing & Transition (10)
L111. How many bits is an IPv6 address, how is it written (hextets), and what are the two zero-compression rules (leading-zero suppression and the :: shorthand)?
An IPv6 address is 128 bits long (vs IPv4's 32), giving an astronomically large space (2^128). It is written as eight groups of four hex digits called hextets, separated by colons, e.g. 2001:0db8:0000:0000:0000:ff00:0042:8329. Each hextet represents 16 bits.
Two rules shorten it:
- Leading-zero suppression: drop leading zeros within a hextet, so 0042 becomes 42 and 0000 becomes 0.
- Double-colon (::): replace ONE run of consecutive all-zero hextets with ::. You may use it only once per address (otherwise the length is ambiguous).
Applied, the address above becomes 2001:db8::ff00:42:8329.
Interview tip: Stress that :: is allowed only once; using it twice is the most common mistake.
L112. Compress the IPv6 address 2001:0db8:0000:0000:0000:0000:1428:57ab to its shortest valid form.
Apply the two compression rules step by step.
- Suppress leading zeros in each hextet: 0db8 becomes db8, and each 0000 becomes 0. This gives 2001:db8:0:0:0:0:1428:57ab.
- Collapse the longest run of zero hextets with ::. Here there are four consecutive zero hextets in the middle; replace that whole run with a single ::.
Final compressed form: 2001:db8::1428:57ab
Note that 1428 and 57ab have no leading zeros to drop, so they stay as-is. You can always re-expand by counting hextets: the :: stands for as many zero groups as needed to reach eight total.
Interview tip: Always collapse the longest zero run with ::, and never apply :: twice.
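The two compression rules from the previous two answers, and the re-expansion by counting hextets, implemented by hand (an added example, not the article's own code). It goes slightly beyond the text by applying the RFC 5952 tie-breaks: the longest zero run wins, the leftmost on a tie, and a lone zero hextet is never collapsed.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr):
    """Undo '::' and restore leading zeros; returns the eight 4-digit hextets."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %s" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)   # '::' stands for this many zero groups
        if missing < 1:
            raise ValueError("'::' must stand for at least one hextet: %s" % addr)
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError("expected 8 hextets: %s" % addr)
    for part in parts:
        if not 1 <= len(part) <= 4 or set(part) - HEX_DIGITS:
            raise ValueError("bad hextet %r in %s" % (part, addr))
    return [part.lower().zfill(4) for part in parts]


def compress_ipv6(addr):
    """Apply both shortening rules and return the canonical short form."""
    hextets = [h.lstrip("0") or "0" for h in expand_ipv6(addr)]   # rule 1: drop leading zeros
    best_start, best_len, run_start = -1, 0, None
    for i, h in enumerate(hextets + ["end"]):        # sentinel closes a trailing zero run
        if h == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:              # strict '>' keeps the leftmost run on a tie
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:                                  # a single zero hextet stays written as '0'
        return ":".join(hextets)
    left = ":".join(hextets[:best_start])             # rule 2: one '::' for the longest run
    right = ":".join(hextets[best_start + best_len:])
    return left + "::" + right
```

Feeding the output of `compress_ipv6` back into `expand_ipv6` recovers all eight hextets, which is the counting trick the answer above describes.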
L113. Match each IPv6 prefix to its address type: 2000::/3, FC00::/7 (fd00::/8), FE80::/10, FF00::/8, and ::1.
Each prefix maps to a specific IPv6 address type:
- 2000::/3 - Global Unicast (GUA): public, internet-routable addresses (the IPv6 equivalent of IPv4 public IPs).
- FC00::/7 (in practice fd00::/8) - Unique Local Address (ULA): private, used inside an organization, not routed on the internet (the IPv6 equivalent of RFC 1918). The fd00::/8 half (locally assigned, with a random global ID) is the part actually used; the fc00::/8 half is reserved.
- FE80::/10 - Link-Local: auto-configured on every IPv6 interface, valid only on the local link, used by NDP and routing protocols.
- FF00::/8 - Multicast: one-to-many delivery (IPv6 has no broadcast).
- ::1 - Loopback: refers to the local host (IPv6 equivalent of 127.0.0.1).
Interview tip: Remember "FE80 = link-local, FF = multicast"; they are high-frequency exam picks.
L114. What is the standard subnet prefix length for an IPv6 LAN, and why is /64 used almost universally?
The standard IPv6 LAN subnet is a /64. This splits the 128-bit address into two halves: the first 64 bits are the network/subnet prefix and the last 64 bits are the interface ID (the host portion).
It is used almost universally because:
- SLAAC requires it - stateless address autoconfiguration (and EUI-64) expects exactly 64 host bits to build the interface ID, so a prefix other than /64 breaks auto-addressing.
- No address scarcity - a single /64 holds 2^64 (about 18 quintillion) addresses, so there is no reason to make subnets smaller to "save" space, unlike in IPv4.
- Consistency - uniform /64s simplify design, routing, and NDP.
Larger blocks like /48 or /56 are for routing and aggregation, not individual LANs.
Interview tip: Say "/64 because SLAAC/EUI-64 need 64 host bits".
L215. Explain the IPv6 prefix hierarchy: /48 site, /56 ISP-to-customer, and /64 subnet. How do they nest?
IPv6 allocation is hierarchical: larger prefixes contain many smaller ones, like country to city to street.
- /48 (site) - a common allocation to a whole organization or site. The bits from /48 up to /64 (16 bits) are the subnet ID, giving 2^16 = 65,536 possible /64 subnets.
- /56 (ISP-to-customer) - a smaller block ISPs often hand to homes/small sites. It leaves 8 subnet bits (/56 to /64), giving 2^8 = 256 /64 subnets.
- /64 (subnet/LAN) - the actual link where hosts live, with 64 host bits.
Nesting: one /48 contains many /56s, each /56 contains 256 /64s, and each /64 holds the hosts. More 1s in the prefix = smaller block.
Interview tip: /48 to /56 to /64 = site to customer to LAN.
L216. Walk through EUI-64 step by step: how do you build a 64-bit interface ID from a 48-bit MAC address (where FFFE goes and the U/L bit flip)?
EUI-64 stretches a 48-bit MAC into the 64-bit interface ID a /64 needs. Take MAC 00:1A:2B:3C:4D:5E:
- Split the MAC in half: first 24 bits (the OUI) 00:1A:2B and last 24 bits 3C:4D:5E.
- Insert FFFE in the middle: 00:1A:2B:FF:FE:3C:4D:5E (now 64 bits).
- Flip the U/L bit - this is the Universal/Local bit, the second-lowest bit of the first byte (the 7th bit counting from the left). For first byte 00 = 00000000, flipping that bit gives 00000010 = 02.
Result interface ID: 021A:2BFF:FE3C:4D5E. Prepend a /64 prefix (e.g. 2001:db8::) to form the full address.
The flip inverts the meaning so that a globally-unique (vendor-burned) MAC is marked Universal in the interface ID.
Interview tip: Memorize the three steps: split, insert FFFE, flip the U/L bit.
L217. Explain SLAAC: what role do Router Solicitation and Router Advertisement play, and what is DAD (Duplicate Address Detection)? How does SLAAC differ from stateful DHCPv6?
SLAAC (Stateless Address Autoconfiguration) lets a host configure its own IPv6 address without a server. The flow uses ICMPv6 NDP messages:
- Router Solicitation (RS): the booting host multicasts "Are there any routers?"
- Router Advertisement (RA): the router replies with the /64 prefix and flags. The host appends its own interface ID (EUI-64 or, more commonly today, a random/stable-private ID) to that prefix to form a full address.
- DAD (Duplicate Address Detection): before using the address, the host sends a Neighbor Solicitation to check no one else has it, ensuring uniqueness on the link.
Difference: SLAAC is stateless - the host builds its own address and no server tracks who has what. Stateful DHCPv6 works like IPv4 DHCP: a server assigns and records specific addresses, useful when you need central control or want to push options like DNS.
Interview tip: RS/RA exchange between host and router, DAD guarantees uniqueness, and SLAAC keeps no server state.
L218. List the major differences between IPv4 and IPv6 (broadcast vs multicast, autoconfiguration, address size, header simplification, NDP replacing ARP).
Key differences between IPv4 and IPv6:
- Address size: IPv4 = 32 bits (~4.3 billion); IPv6 = 128 bits (2^128, effectively unlimited).
- Broadcast vs multicast: IPv4 uses broadcast; IPv6 removes broadcast entirely and relies on multicast and anycast, reducing noise.
- Autoconfiguration: IPv6 supports SLAAC (self-addressing) plus DHCPv6; IPv4 mainly needs DHCP or manual config.
- Header: IPv6 has a simplified fixed 40-byte base header with optional extension headers, no router fragmentation, and no header checksum, so routing is faster.
- ARP vs NDP: IPv6 replaces ARP with NDP (Neighbor Discovery Protocol) over ICMPv6 for neighbor/router discovery and address resolution.
IPv6 was also designed with IPsec support in mind and has no built-in need for NAT.
Interview tip: "No broadcast, NDP not ARP, SLAAC, 40-byte header" covers most marks.
L319. What are IPv6 privacy / temporary addresses (RFC 8981), and why have modern operating systems moved away from EUI-64 to randomized interface IDs by default?
RFC 8981 privacy / temporary addresses are short-lived IPv6 addresses with a randomly generated interface ID, used for outbound connections alongside a stable address. They are rotated periodically (e.g. daily) and deprecated over time. RFC 8981 (2021) replaced the older RFC 4941.
The problem with classic EUI-64 is that it embeds the device's MAC address in the interface ID. Since the MAC is globally unique and constant, the same device would carry the same interface ID across every network it joins, letting websites and trackers fingerprint and follow a user worldwide, a serious privacy leak.
So modern OSes (Windows, macOS, iOS, Android, Linux) now default to:
- Randomized or stable-private interface IDs (RFC 7217) for the stable address, plus
- Temporary addresses (RFC 8981) that change for outgoing traffic.
Interview tip: EUI-64 leaks the MAC, making the device trackable, which is why randomized interface IDs are now the default.
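One block covering the EUI-64 walk-through, the SLAAC prefix-plus-interface-ID step, and the privacy point made just above: it builds the interface ID exactly as the three steps describe, shows the MAC being read straight back out of an EUI-64 address (the leak the answer describes, useful for auditing your own hosts), and generates an RFC 8981-style random ID for contrast. This is an added example, not the article's code; the function names are my own and it uses only the standard library.

```python
import ipaddress
import secrets


def eui64_interface_id(mac):
    """48-bit MAC -> 8-byte interface ID: split in half, insert FF:FE, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits: %s" % mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])   # OUI | FFFE | device part
    iid[0] ^= 0x02                                             # U/L bit: second-lowest bit of byte 0
    return bytes(iid)


def random_interface_id():
    """RFC 8981-style temporary ID: 64 random bits, nothing derived from hardware."""
    return secrets.token_bytes(8)


def as_hextets(iid):
    """8 bytes -> 'xxxx:xxxx:xxxx:xxxx'."""
    return ":".join(iid.hex()[i:i + 4] for i in range(0, 16, 4))


def slaac_address(prefix, iid):
    """SLAAC: the /64 prefix learned from the RA plus the host-chosen interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got /%d" % net.prefixlen)
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def embedded_mac(address):
    """Audit check: an interface ID carrying the FF:FE marker was built with EUI-64, so
    the burned-in MAC can be read back out of it. Returns the MAC, or None."""
    iid = ipaddress.IPv6Address(address).packed[8:]          # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]        # undo the flip, drop FF:FE
    return ":".join("%02x" % b for b in mac)
```

`embedded_mac` returning a value for an address in your own logs is the signal that a host is still using EUI-64 and should be switched to stable-private or temporary IDs.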
L320. Compare dual-stack, IPv6-only with NAT64/DNS64 (well-known prefix 64:ff9b::/96), and 464XLAT as transition strategies. When would you choose an IPv6-only design over dual-stack?
Three common transition strategies:
- Dual-stack: devices run IPv4 and IPv6 simultaneously, each using whichever protocol the destination supports. Simplest and most compatible, but you must operate and secure two stacks and still consume scarce IPv4.
- IPv6-only + NAT64/DNS64: the network is pure IPv6. DNS64 synthesizes an AAAA record (typically using the well-known prefix 64:ff9b::/96) when a destination only has an A record, and NAT64 translates that synthesized IPv6 address to real IPv4 so IPv6 clients can still reach IPv4-only servers. It breaks IPv4-literal apps and some legacy software.
- 464XLAT: adds a client-side CLAT that translates the app's IPv4 to IPv6, then a NAT64 PLAT translates back, fixing IPv4-literal apps over an IPv6-only core (common on mobile carriers).
Choose IPv6-only when IPv4 scarcity/cost is high, the environment is greenfield, or you want to retire the operational complexity of running dual stacks, e.g. large mobile networks and modern data centers.
Interview tip: 464XLAT = NAT64 plus a client-side CLAT to save IPv4-literal apps.
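The DNS64 synthesis and NAT64 extraction steps with the well-known prefix, as an added example (not from the article). The zone records are constructed sample data; the helper names are my own.

```python
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")   # the NAT64 well-known prefix (RFC 6052)

# Constructed zone data: one IPv4-only host and one dual-stack host.
A_RECORDS = {"legacy.example": ["192.0.2.10"], "dual.example": ["192.0.2.20"]}
AAAA_RECORDS = {"dual.example": ["2001:db8::20"]}


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """DNS64: embed the 32-bit IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper handles /96 NAT64 prefixes only")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """NAT64: recover the real IPv4 destination from a synthesized address; None when the
    packet is not aimed at the translator prefix and should simply be routed as IPv6."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(name, a_records=A_RECORDS, aaaa_records=AAAA_RECORDS):
    """What a DNS64 resolver hands an IPv6-only client: real AAAA records when they
    exist, otherwise AAAA records synthesized from the A records."""
    if aaaa_records.get(name):
        return [str(ipaddress.IPv6Address(a)) for a in aaaa_records[name]]
    return [str(synthesize_aaaa(a)) for a in a_records.get(name, [])]
```

An application that connects to the IPv4 literal 192.0.2.10 directly never asks DNS, so nothing is synthesized for it; that is the IPv4-literal gap 464XLAT's CLAT closes.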
Special Addresses, Point-to-Point Links & NAT (10)
L121. What is the APIPA range (169.254.0.0/16), and what does a host receiving a 169.254.x.x address tell you about DHCP?
APIPA (Automatic Private IP Addressing) is the range 169.254.0.0/16 — also called the IPv4 link-local block (RFC 3927). A host auto-assigns itself an address here (e.g. 169.254.45.12) when it asks for DHCP but gets no reply.
So seeing a 169.254.x.x address is a red flag: it means the device tried to lease an IP and the DHCP server never answered — maybe DHCP is down, the cable/VLAN is wrong, or a switch port is blocking traffic. Think of it as the device printing its own temporary visitor badge because reception was empty.
APIPA addresses are not routable — they only let devices on the same physical link talk to each other, never across a router or to the internet. (Hosts actually pick from 169.254.1.0 to 169.254.254.255; the first and last /24 are reserved.)
👉 Interview tip: Say it plainly — 169.254.x.x = DHCP failed; first thing to check is the DHCP server and the link.
L122. What do the addresses 0.0.0.0 and 255.255.255.255 each represent?
These are two special-purpose IPv4 addresses, not normal host addresses.
- 0.0.0.0 means this host / unspecified / any. A device uses it as its source address before it has an IP (e.g. inside a DHCP Discover). In routing, 0.0.0.0/0 is the default route (everything else). When a server listens on 0.0.0.0, it means accept connections on every local interface.
- 255.255.255.255 is the limited (local) broadcast address — a packet sent here goes to every host on the same subnet but is never forwarded by a router.
Analogy: 0.0.0.0 is no fixed address yet / anyone, while 255.255.255.255 is shouting to the whole room you are standing in.
👉 Interview tip: Tie 0.0.0.0/0 to the default route and 255.255.255.255 to local-only broadcast.
L123. Why is a /30 commonly used on point-to-point WAN links? How many total and usable addresses does it provide?
A point-to-point WAN link (like a router-to-router serial or fiber link) only ever has two devices on it. A /30 gives exactly enough addresses for that with the classic network + broadcast overhead, so it avoids wasting a large block.
A /30 has 4 total addresses (2^(32-30) = 4):
- 1 network address (all host bits 0)
- 1 broadcast address (all host bits 1)
- 2 usable host addresses — one for each router
Example: 10.0.0.0/30 → network 10.0.0.0, usable 10.0.0.1 and 10.0.0.2, broadcast 10.0.0.3.
Analogy: a two-seat bench — exactly two seats, no leftover space.
👉 Interview tip: Memorize /30 = 4 total, 2 usable. Modern designs often prefer /31 (next question) to reclaim those 2 wasted addresses.
L224. Explain /31 point-to-point links per RFC 3021. How does it provide 2 usable addresses with no network or broadcast address, and why does that save address space?
RFC 3021 defines a special case for point-to-point links using a /31 mask (only 1 host bit, so 2 total addresses). Normally that would be network + broadcast = 0 usable, but on a true point-to-point link there is no need for either:
- There are only two endpoints, so a broadcast adds nothing — all hosts is just the other end.
- RFC 3021 therefore says both addresses in a /31 are usable host addresses.
Example: 10.0.0.0/31 → 10.0.0.0 and 10.0.0.1 are both assignable to the two routers.
The saving: a /30 spends 2 of its 4 addresses on network+broadcast; a /31 uses 2 instead of 4 per link — halving the address burn. Across hundreds of WAN/underlay links that reclaims a lot of scarce IPv4 space.
👉 Interview tip: Both endpoints must support RFC 3021 — modern Cisco IOS/IOS-XE/NX-OS and Juniper Junos do.
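The /30 versus /31 accounting from the last two answers, as an added example (not the article's code) using only the standard library; `point_to_point_plan` applies the RFC 3021 rule itself rather than relying on the library's host iteration.

```python
import ipaddress


def point_to_point_plan(cidr):
    """Role of every address on a link: classic /30 (network + 2 usable + broadcast)
    versus RFC 3021 /31 (both addresses usable, no network or broadcast)."""
    net = ipaddress.IPv4Network(cidr)
    if net.prefixlen < 24:
        raise ValueError("not a point-to-point sized block: %s" % cidr)
    addrs = [str(a) for a in net]               # every address in the block, in order
    if net.prefixlen == 31:
        return {"total": 2, "usable": addrs, "network": None, "broadcast": None}
    if net.prefixlen == 32:
        return {"total": 1, "usable": addrs, "network": None, "broadcast": None}
    return {"total": len(addrs), "usable": addrs[1:-1],
            "network": addrs[0], "broadcast": addrs[-1]}


def links_per_block(block_cidr, link_prefix):
    """How many point-to-point links one block funds at a given link prefix."""
    block = ipaddress.IPv4Network(block_cidr)
    if not block.prefixlen <= link_prefix <= 32:
        raise ValueError("link prefix must be between the block prefix and /32")
    return 1 << (link_prefix - block.prefixlen)
```

`links_per_block("10.0.0.0/24", 31)` versus `links_per_block("10.0.0.0/24", 30)` is the halving of address burn the answer describes: the same /24 funds 128 links instead of 64.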
L225. Explain the difference between static NAT, dynamic NAT, and PAT (port address translation). Which one lets many private hosts share one public IP?
All three rewrite IP addresses as traffic crosses a NAT boundary, but they differ in mapping:
- Static NAT — a fixed one-to-one map: one private IP always maps to the same one public IP. Used to make an internal server reachable from outside.
- Dynamic NAT — a pool of public IPs; private hosts grab one temporarily. Still one-to-one while in use, so you cannot have more concurrent hosts than public IPs in the pool.
- PAT (Port Address Translation, a.k.a. NAT overload or masquerade) — many-to-one. Many private hosts share one public IP, distinguished by unique source port numbers in the translation table.
PAT is the one that lets many private hosts share a single public IP — it is what your home router does.
Analogy: PAT is one office phone number with extensions; each call is tracked by its extension (port).
👉 Interview tip: The IP-plus-port tuple is what makes PAT scale to thousands of sessions on one IP.
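A minimal PAT translation table, as an added example (not from the article), to make the IP-plus-port point concrete: two private hosts that both happen to pick source port 40000 still get distinct public ports, and a reply with no matching session entry is dropped. Addresses are constructed documentation-range values.

```python
import ipaddress


class PatTranslator:
    """Many-to-one NAT (PAT / NAT overload): each private flow is keyed by the
    (src ip, src port, dst ip, dst port) tuple and given its own public source port."""

    def __init__(self, public_ip, port_range=(1024, 65535)):
        self.public_ip = str(ipaddress.IPv4Address(public_ip))
        self.next_port, self.last_port = port_range
        self.outbound = {}   # (src_ip, src_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, dst_ip, dst_port) -> (src_ip, src_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet; an existing flow reuses its mapping."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, public_port, remote_ip, remote_port):
        """Map a reply aimed at public_ip:public_port back to the private host, or None
        when no session exists (unsolicited inbound traffic has nowhere to land)."""
        return self.inbound.get((public_port, remote_ip, remote_port))

    def sessions(self):
        return len(self.outbound)
```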
L226. Why is NAT necessary in IPv4, and what is the relationship between NAT and the RFC 1918 private ranges?
IPv4 has only about 4.3 billion addresses, and they ran out. NAT (with PAT) lets a whole network sit behind one or a few public IPs, so organizations do not need a public address for every device — this is the main reason IPv4 survived address exhaustion.
RFC 1918 reserves three private ranges that are not routable on the public internet:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
The relationship: you assign these private addresses internally (they are free and reusable in every network), then NAT translates them to a real public IP at the edge whenever traffic goes to the internet. Without NAT, RFC 1918 addresses could never reach the internet; without RFC 1918, every device would need a scarce public IP.
Analogy: private ranges are internal room numbers; NAT is the front desk that maps them to the building's one public street address.
👉 Interview tip: NAT is a stopgap; IPv6's huge address space removes the need for it.
L227. What is a host route (/32 in IPv4, /128 in IPv6), and where would you intentionally use one?
A host route is the most specific possible route: it points to exactly one address. In IPv4 that is a /32 (all 32 bits fixed); in IPv6 it is a /128 (all 128 bits fixed). There is no range — just a single host.
Because routers always prefer the longest (most specific) match, a host route wins over any broader route, so it is a precise override.
Where you would use one intentionally:
- Loopback addresses advertised into OSPF/BGP/IS-IS so a device's management or router-ID IP is reachable.
- Anycast services (e.g. DNS, a shared gateway) where the same /32 is advertised from many places.
- Policy/security overrides — pin one host to a specific next-hop, or blackhole a single malicious IP (a /32 pointed to null).
- VPN / overlay reachability for a single tunnel endpoint.
Analogy: a city map (the subnet) vs. a pin on one exact house (the host route).
👉 Interview tip: Mention longest-prefix-match — that is why a /32 always overrides a broader route.
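Longest-prefix match over a small static table, as an added example (not the article's code), showing a /32 blackhole overriding its /24, the /24 overriding the /16 summary, and the default route catching everything else. The table contents and next-hop names are constructed.

```python
import ipaddress


class RoutingTable:
    """Longest-prefix-match lookup over static routes (IPv4 and IPv6 side by side)."""

    def __init__(self):
        self.routes = []                                    # (network, next_hop)

    def add(self, cidr, next_hop):
        self.routes.append((ipaddress.ip_network(cidr), next_hop))

    def lookup(self, dest):
        """Return (matching prefix, next hop) of the most specific route, or None."""
        addr = ipaddress.ip_address(dest)
        best = None
        for net, next_hop in self.routes:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, next_hop)                  # longer prefix wins
        return None if best is None else (str(best[0]), best[1])


def sample_table():
    """Constructed table: default route, a summary, a subnet, and host routes."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "isp-uplink")
    rt.add("10.1.0.0/16", "core")
    rt.add("10.1.2.0/24", "dc-leaf-1")
    rt.add("10.1.2.99/32", "null0")        # blackhole one host: the /32 beats its /24
    rt.add("10.0.0.1/32", "loopback0")     # management loopback advertised as a host route
    rt.add("::/0", "isp-uplink-v6")
    rt.add("2001:db8::5/128", "tunnel0")   # single tunnel endpoint
    return rt
```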
L328. What is CGNAT and the RFC 6598 shared address space (100.64.0.0/10)? How does it differ from RFC 1918, and why might a home server behind CGNAT become unreachable from the internet?
CGNAT (Carrier-Grade NAT) is NAT run by an ISP: many customers are placed behind a shared pool of public IPs to stretch scarce IPv4. RFC 6598 reserves 100.64.0.0/10 as shared address space specifically for the segment between the customer's router and the carrier's NAT.
How it differs from RFC 1918: RFC 1918 (10.0.0.0/8, etc.) is for inside a single organization. 100.64.0.0/10 exists because an ISP cannot safely reuse RFC 1918 there — customers already use 10.0.0.0/8 internally, which would collide. RFC 6598 gives carriers a distinct non-internet-routable block to avoid that overlap.
Why a home server breaks: with CGNAT you get a 100.64.x.x address, not a real public IP, and the carrier's NAT only opens mappings for outbound sessions. There is no public IP to point DNS at and no port to forward (you do not control the carrier NAT), so unsolicited inbound connections have nowhere to land.
👉 Interview tip: Fixes are a tunnel/reverse-proxy (e.g. Cloudflare Tunnel), a relay, or asking the ISP for a public IP or IPv6.
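One classifier serving the RFC 1918, loopback, APIPA and CGNAT answers above: it labels an IPv4 address by the special-purpose block it falls in and explains, in the terms those answers use, whether unsolicited inbound connections can reach it. Added example, not from the article; the table order and helper names are my own.

```python
import ipaddress

# Most specific first, so 255.255.255.255 is reported as broadcast rather than Class E.
SPECIAL_V4 = [
    ("0.0.0.0/32",         "unspecified / any (no address yet)"),
    ("255.255.255.255/32", "limited broadcast (local link only)"),
    ("127.0.0.0/8",        "loopback"),
    ("169.254.0.0/16",     "APIPA link-local (RFC 3927): DHCP gave no reply"),
    ("100.64.0.0/10",      "CGNAT shared address space (RFC 6598)"),
    ("10.0.0.0/8",         "private (RFC 1918)"),
    ("172.16.0.0/12",      "private (RFC 1918)"),
    ("192.168.0.0/16",     "private (RFC 1918)"),
    ("224.0.0.0/4",        "multicast (Class D)"),
    ("240.0.0.0/4",        "reserved (Class E)"),
]
NETWORKS_V4 = [(ipaddress.IPv4Network(cidr), label) for cidr, label in SPECIAL_V4]


def classify_ipv4(dotted):
    """(label, internet_routable) for an IPv4 address; the first matching block wins."""
    addr = ipaddress.IPv4Address(dotted)
    for net, label in NETWORKS_V4:
        if addr in net:
            return label, False
    return "public (globally routable)", True


def inbound_reachability(dotted):
    """Can a server on this address accept unsolicited internet connections, and why not?"""
    label, routable = classify_ipv4(dotted)
    if routable:
        return "reachable: public IP, open the port on the local firewall"
    if label.startswith("CGNAT"):
        return ("unreachable: carrier NAT in the path and no port-forward you control; "
                "use a tunnel/relay or ask the ISP for a public IP or IPv6")
    if label.startswith("private"):
        return "unreachable directly: needs a static NAT / port-forward on the edge router"
    if label.startswith("APIPA"):
        return "unreachable: the host never got a lease; check DHCP and the link first"
    return "unreachable: %s" % label
```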
L329. How does Zero-Trust micro-segmentation push network design toward fine-grained subnets and /32 host-route thinking in modern SOC and security architectures?
Zero Trust drops the old trust-the-internal-network model — every flow must be explicitly authorized, regardless of where it originates (never trust, always verify). Micro-segmentation applies that by shrinking trust zones down to the smallest unit, ideally a single workload.
That pushes design toward fine-grained subnets and /32 (host-level) thinking:
- Instead of one big /24 where everything talks freely, policy is written per host or per workload — effectively a /32 identity for each.
- East-west traffic between two servers in the same VLAN is no longer implicitly allowed; each /32-to-/32 flow needs an explicit allow rule.
- Identity-based policy (workload tags, not just IP) and host-route enforcement let you blast-radius-contain a compromised host — a breached machine cannot laterally scan its neighbors.
For a SOC, granular segments mean richer, attributable telemetry: every cross-segment attempt is a discrete, loggable, alertable event, making lateral movement loud instead of invisible.
Analogy: not one open office, but a building where every door needs a badge — and the logs show each tap.
👉 Interview tip: Stress least privilege + explicit allow + per-workload identity = blast-radius reduction + better detection.
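A default-deny, /32-to-/32 allow-list evaluator with the SOC view the answer describes: every denied cross-segment attempt is a discrete record, and a source that keeps hitting denies against different neighbours stands out. Added example, not from the article; the rules, addresses and flow sample are constructed.

```python
import ipaddress

# Constructed allow-list: one explicit rule per authorised flow, /32 to /32 wherever
# possible. Anything not listed is denied and logged (default deny).
ALLOW_RULES = [
    ("10.20.0.11/32", "10.20.0.50/32", 5432, "web-1 -> db-1 postgres"),
    ("10.20.0.12/32", "10.20.0.50/32", 5432, "web-2 -> db-1 postgres"),
    ("10.30.0.0/24",  "10.20.0.11/32", 443,  "lb tier -> web-1 https"),
]
COMPILED = [(ipaddress.ip_network(s), ipaddress.ip_network(d), port, name)
            for s, d, port, name in ALLOW_RULES]


def evaluate(src, dst, dport, rules=COMPILED):
    """First explicit allow wins; no match means DENY."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s_net, d_net, port, name in rules:
        if src_ip in s_net and dst_ip in d_net and dport == port:
            return "ALLOW", name
    return "DENY", "default-deny"


def log_record(src, dst, dport, rules=COMPILED):
    """One attributable telemetry event per cross-segment attempt."""
    verdict, rule = evaluate(src, dst, dport, rules)
    return {"src": src, "dst": dst, "dport": dport, "verdict": verdict, "rule": rule}


def lateral_probers(flows, rules=COMPILED, threshold=2):
    """SOC view: sources with at least `threshold` denied flows to distinct
    destinations, i.e. a host that is probing its neighbours."""
    denied = {}
    for src, dst, dport in flows:
        if evaluate(src, dst, dport, rules)[0] == "DENY":
            denied.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in denied.items() if len(dsts) >= threshold}


# Constructed flow sample: normal traffic plus a breached web-1 touching neighbours.
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.20.0.50", 5432),
    ("10.30.0.7", "10.20.0.11", 443),
    ("10.20.0.11", "10.20.0.12", 22),
    ("10.20.0.11", "10.20.0.51", 445),
    ("10.20.0.11", "10.20.0.52", 3389),
    ("10.20.0.12", "10.20.0.50", 5432),
]
```

In a flat /24 with implicit trust the three denied flows from 10.20.0.11 would never have produced a record at all; here they are the loudest thing in the log.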
L330. In an EVPN-VXLAN data-center fabric, why are /31 links used on the underlay, and what is the role of an anycast gateway address shared across leaf switches?
An EVPN-VXLAN fabric has two layers: the underlay (the physical leaf-spine IP network that carries traffic) and the overlay (VXLAN tunnels carrying tenant traffic, with EVPN over BGP as the control plane).
Why /31 on the underlay: every leaf-to-spine connection is a routed point-to-point link. A large fabric has hundreds of these. Using /31 (RFC 3021) gives each link exactly its 2 needed addresses with no waste on network/broadcast, conserving IPv4 and keeping the routing table tidy. Numbered /31s also make troubleshooting (traceroute, per-link telemetry) clearer than unnumbered links.
Anycast gateway: the same default-gateway IP and MAC are configured on every leaf for a given subnet. So whichever leaf a VM or host is attached to, its first hop is local — no hair-pinning to a single gateway. This means:
- Optimal routing — the first hop is always the nearest leaf.
- Seamless VM mobility — a workload can move between leaves and keep the same gateway, with no re-ARP.
👉 Interview tip: Call it the distributed anycast gateway — it removes the centralized FHRP bottleneck and enables east-west scale.
VLSM, Supernetting & Route Summarization (10)
L231. What is VLSM (Variable Length Subnet Masking), and what problem does it solve compared to fixed-length subnetting?
VLSM means using different subnet masks for different subnets carved out of the same parent block — instead of forcing one mask everywhere.
With fixed-length subnetting (FLSM), every subnet is the same size. So a point-to-point WAN link that needs only 2 host addresses still gets, say, a /24 with 254 usable hosts — wasting ~250 addresses. Multiply that across many links and you burn through your block fast.
VLSM fixes this by right-sizing each subnet to its actual host count: a /30 (2 hosts) for WAN links, a /26 for a 60-user LAN, and so on. It is essentially subnetting a subnet.
Think of it like cutting cloth: FLSM cuts every piece the same size; VLSM cuts each piece to fit the garment.
Interview tip: VLSM needs classless routing — the routing protocol must carry the subnet mask (prefix length) in its updates. OSPF, EIGRP, IS-IS, and BGP all do; RIPv2 does too (RIPv1 does not). Classful protocols can't support VLSM.
L232. Why must VLSM allocations be done largest-subnet-first? What overlap problem appears if you allocate smallest-first?
In VLSM you carve subnets of different sizes from one block, so the order matters. You allocate the largest subnet first, then the next largest, and so on.
The reason is boundary alignment. A subnet must start on a boundary that is a multiple of its own block size (a /26 can only begin at .0, .64, .128, or .192). If you hand out small subnets first, they land at low addresses and consume part of the range where a big subnet would have to start — leaving no aligned, contiguous block large enough for it.
Allocating smallest-first leads to fragmentation and overlap: the large subnet you need later would have to reuse addresses already given to small subnets, or it simply won't fit on a valid boundary. Largest-first keeps every subnet on a clean boundary with no collisions and no wasted gaps.
Analogy: park the buses before the bikes — fill the big slots first, then squeeze the small ones into the gaps.
Interview tip: Sort host requirements in descending order, then assign top-down from the start of the block.
L233. Given the 192.168.1.0/24 block and host requirements of 60, 28, 12, and 2 hosts for four segments, design a VLSM plan listing the mask, network, and usable range for each.
Allocate largest-first. Pick the smallest mask whose usable host count (2^h − 2) covers each requirement:
- 60 hosts → /26 (255.255.255.192, 62 usable). Network 192.168.1.0/26; usable .1–.62; broadcast .63.
- 28 hosts → /27 (255.255.255.224, 30 usable). Network 192.168.1.64/27; usable .65–.94; broadcast .95.
- 12 hosts → /28 (255.255.255.240, 14 usable). Network 192.168.1.96/28; usable .97–.110; broadcast .111.
- 2 hosts → /30 (255.255.255.252, 2 usable). Network 192.168.1.112/30; usable .113–.114; broadcast .115.
Each subnet starts on its own aligned boundary with no overlap, and .116–.255 stays free for future growth.
Interview tip: /30 is the classic point-to-point WAN-link mask (2 usable hosts — one per router). On modern Cisco/IOS you may also see /31 for P2P links, which uses both addresses (no broadcast) per RFC 3021.
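As an added example (not part of the original page), the largest-first allocation from the two questions above in Python: each subnet is rounded up to its own block-size boundary, and the "wasted" counter shows the gaps that smallest-first allocation leaves. The 192.168.1.0/24 block and the 60/28/12/2 requirements are the page's own; everything else is assumed.

```python
import ipaddress


def prefix_for_hosts(hosts):
    """Smallest mask (largest prefix) whose usable count 2^h - 2 covers `hosts`.
    Starts at h = 2, so a 2-host link gets the classic /30 rather than a /31."""
    h = 2
    while 2 ** h - 2 < hosts:
        h += 1
    return 32 - h


def vlsm_plan(block, requirements, largest_first=True):
    """Carve `block` into one subnet per host requirement.

    Each subnet is placed at the next address that is a multiple of its own
    block size, so it always starts on a valid boundary.  Addresses skipped to
    reach that boundary are counted in "wasted": largest-first never skips any,
    smallest-first leaves gaps (the fragmentation described in the text)."""
    parent = ipaddress.IPv4Network(block)
    cursor = int(parent.network_address)
    subnets, wasted = [], 0
    for hosts in sorted(requirements, reverse=largest_first):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        start = (cursor + size - 1) // size * size     # round up to alignment
        if start + size - 1 > int(parent.broadcast_address):
            raise ValueError(f"{hosts} hosts (/{prefix}) does not fit in {block}")
        wasted += start - cursor
        net = ipaddress.IPv4Network((start, prefix))
        subnets.append({
            "hosts": hosts,
            "network": str(net),
            "mask": str(net.netmask),
            "first": str(net.network_address + 1),
            "last": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
        })
        cursor = start + size
    return {"subnets": subnets, "wasted": wasted,
            "next_free": str(ipaddress.IPv4Address(cursor))}


if __name__ == "__main__":
    # constructed input: the page's own block and host requirements
    plan = vlsm_plan("192.168.1.0/24", [60, 28, 12, 2])
    for s in plan["subnets"]:
        print(f'{s["hosts"]:>3} hosts  {s["network"]:<18} {s["mask"]:<16} '
              f'usable {s["first"]}-{s["last"]}  bcast {s["broadcast"]}')
    print("next free:", plan["next_free"], " wasted:", plan["wasted"])
    print("smallest-first wastes:", vlsm_plan("192.168.1.0/24", [60, 28, 12, 2],
                                              largest_first=False)["wasted"])
```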
L234. Explain the difference between subnetting and supernetting (route summarization / aggregation).
Both adjust the prefix length, but in opposite directions.
Subnetting borrows host bits to make the prefix longer, splitting one big network into several smaller ones. Example: /24 → four /26 subnets. Goal: segment a network, isolate broadcast domains, conserve addresses.
Supernetting (a.k.a. route summarization or aggregation) does the reverse — it gives up network bits to make the prefix shorter, combining several contiguous networks into one advertised route. Example: 172.16.0.0/24 through 172.16.3.0/24 (four nets) → one 172.16.0.0/22.
Subnetting happens inside a site for design; supernetting happens at routers to shrink the routing table, reduce update churn, and hide topology changes behind one stable route.
Analogy: subnetting splits a pizza into slices; supernetting is one address that says "the whole pizza is here."
Interview tip: Longer prefix = more specific (subnet); shorter prefix = less specific (summary). Routers always forward using the longest-prefix match, so a more-specific subnet route always wins over a summary.
L235. What three conditions must contiguous networks meet to be summarized into a single shorter-prefix route?
To collapse several networks into one summary route, all three must hold:
- Contiguous (consecutive) block. The networks must form an unbroken numeric range — e.g. 172.16.0.0, 172.16.1.0, 172.16.2.0, 172.16.3.0 with no gaps.
- Aligned on a power-of-two boundary. The number of networks summarized must be a power of two (2, 4, 8…) and the first network must sit on that block boundary, so they share a common high-order bit pattern. (Four /24s starting at .0 align to a /22; starting at .1 they would not.)
- Reachable the same way / in the same direction. All the networks must be reachable out the same interface or via the same next hop, and you should only advertise a summary for space you actually own and can route to.
Interview tip: The summary prefix length = the number of leftmost bits all the networks have in common.
L236. Summarize the four contiguous networks 172.16.0.0/24, 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24 into one route. Give the summary address and prefix and show the binary-boundary reasoning.
Summary: 172.16.0.0/22 (mask 255.255.252.0).
Look only at the third octet in binary — the first two octets (172.16) are identical:
- 0 = 00000000
- 1 = 00000001
- 2 = 00000010
- 3 = 00000011
The first six bits (000000) are common to all four; only the last two bits change. So the boundary falls after 16 bits (octets 1+2) + 6 bits (octet 3) = 22 bits.
Counting confirms it: 4 networks = 2², so we shorten the /24 by 2 bits → /22. The summary address keeps the common bits and zeros the rest: 172.16.0.0. That /22 covers 172.16.0.0 through 172.16.3.255 — exactly the four networks, no more.
Interview tip: Combining 2ⁿ contiguous, aligned networks shortens the prefix by exactly n bits.
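An added example (not from the original page) that applies the three summarization conditions from the previous question and the common-leading-bits rule from this one: it returns the summary for the four 172.16.x.0/24 networks and rejects the misaligned set that starts at 172.16.1.0. Function names and the error messages are assumptions.

```python
import ipaddress


def common_leading_bits(networks):
    """Number of leftmost bits shared by every network address (the interview
    tip's rule for the summary length).  Only the extremes matter: the whole
    set shares exactly the bits on which its minimum and maximum agree."""
    ints = [int(ipaddress.IPv4Network(n).network_address) for n in networks]
    return 32 - (min(ints) ^ max(ints)).bit_length()


def summarize(networks):
    """Return the one route that covers exactly `networks`, or raise ValueError
    naming the condition that fails: contiguous, power-of-two count, first
    network aligned on the summary boundary."""
    nets = sorted(ipaddress.IPv4Network(n) for n in networks)
    if len({n.prefixlen for n in nets}) != 1:
        raise ValueError("all networks must share one prefix length")
    # 1. contiguous: each network starts right after the previous broadcast
    for a, b in zip(nets, nets[1:]):
        if int(b.network_address) != int(a.broadcast_address) + 1:
            raise ValueError(f"gap (or overlap) between {a} and {b}")
    # 2. power-of-two count: 2^n networks shorten the prefix by exactly n bits
    count = len(nets)
    if count & (count - 1):
        raise ValueError(f"{count} networks is not a power of two")
    shift = count.bit_length() - 1
    summary_len = nets[0].prefixlen - shift
    # 3. alignment: the first network must sit on the /summary_len boundary,
    #    i.e. its low (32 - summary_len) bits must all be zero
    first = int(nets[0].network_address)
    if first & ((1 << (32 - summary_len)) - 1):
        raise ValueError(f"{nets[0]} is not aligned on a /{summary_len} boundary")
    return str(ipaddress.IPv4Network((first, summary_len)))


if __name__ == "__main__":
    # constructed input: the page's four contiguous /24s
    four = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
    print(summarize(four), "common bits:", common_leading_bits(four))
    try:  # same count, but starting at .1: not on a /22 boundary
        summarize(["172.16.1.0/24", "172.16.2.0/24",
                   "172.16.3.0/24", "172.16.4.0/24"])
    except ValueError as err:
        print("rejected:", err)
```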
L237. What is a wildcard mask, how is it derived from a subnet mask, and where is it used in ACLs and OSPF/EIGRP network statements?
A wildcard mask is the bitwise inverse of a subnet mask. A 0 bit means "must match exactly" and a 1 bit means "don't care" — so it tells the router which address bits to compare and which to ignore.
The reliable way to derive it is to flip every bit (bitwise NOT) of the subnet mask. For a normal contiguous mask this is the same as subtracting each octet from 255. Example: subnet mask 255.255.255.0 → wildcard 0.0.0.255.
Where it's used:
- ACLs — to match a range of addresses, e.g. access-list 10 permit 192.168.1.0 0.0.0.255 matches the whole /24. Unlike subnet masks, ACL wildcards can be non-contiguous (e.g. match all odd hosts).
- OSPF — network 10.1.1.0 0.0.0.255 area 0 selects which interfaces join an area.
- EIGRP — network 10.1.1.0 0.0.0.255 selects which interfaces run EIGRP.
Interview tip: Cisco ACLs and OSPF/EIGRP network statements use wildcards, not subnet masks — getting that backwards is a classic slip.
L238. Compute the wildcard mask for the subnet mask 255.255.255.224, and write the ACL match statement for the network 10.1.1.0 with that wildcard.
Step 1 — find the wildcard. Subtract each octet of the subnet mask from 255 (equivalently, flip the bits):
- 255 − 255 = 0
- 255 − 255 = 0
- 255 − 255 = 0
- 255 − 224 = 31
So the wildcard mask is 0.0.0.31. (Sanity check: /27 = 5 host bits = 2⁵ = 32 addresses, range 0–31.)
Step 2 — write the ACL. A standard ACL permitting that subnet:
access-list 10 permit 10.1.1.0 0.0.0.31
This matches 10.1.1.0 through 10.1.1.31 (the first /27 block). Remember every ACL ends with an implicit deny any, so add a permit for other traffic if it should pass.
Interview tip: Quick check — wildcard value + 1 = block size. Here 31 + 1 = 32 addresses, confirming the /27.
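An added example, not from the original page, covering the previous two questions: it derives the wildcard by flipping mask bits, evaluates a Cisco-style wildcard match bit by bit (including the non-contiguous "odd hosts only" case the text mentions), and checks the block-size rule. The function names and the sample addresses are constructed.

```python
def octets(dotted):
    return [int(o) for o in dotted.split(".")]


def wildcard_from_mask(mask):
    """Bitwise NOT of every octet; for a contiguous mask this equals 255 - octet."""
    return ".".join(str(o ^ 0xFF) for o in octets(mask))


def acl_matches(address, base, wildcard):
    """Cisco-style wildcard comparison: where the wildcard bit is 0 the address
    bit must equal the base bit; where it is 1 the bit is ignored.  Works for
    non-contiguous wildcards, which a subnet mask cannot express."""
    for a, b, w in zip(octets(address), octets(base), octets(wildcard)):
        care = (~w) & 0xFF            # bits the router actually compares
        if (a & care) != (b & care):
            return False
    return True


def addresses_matched(wildcard):
    """2^(number of don't-care bits): the block size the interview tip checks
    (31 + 1 = 32 for 0.0.0.31).  Also valid for non-contiguous wildcards."""
    dont_care = sum(bin(o).count("1") for o in octets(wildcard))
    return 2 ** dont_care


def acl_line(base, mask, acl=10):
    """Standard numbered ACL entry built from a prefix's subnet mask."""
    return f"access-list {acl} permit {base} {wildcard_from_mask(mask)}"


if __name__ == "__main__":
    print(acl_line("10.1.1.0", "255.255.255.224"))
    print(acl_matches("10.1.1.31", "10.1.1.0", "0.0.0.31"),
          acl_matches("10.1.1.32", "10.1.1.0", "0.0.0.31"))
    # odd hosts only: base .1, ignore every last-octet bit except bit 0
    odd = [h for h in range(1, 8)
           if acl_matches(f"192.168.1.{h}", "192.168.1.1", "0.0.0.254")]
    print("odd hosts matched:", odd, "of", addresses_matched("0.0.0.254"))
```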
L339. What is over-summarization, and what risk does an aggregate route that is too broad introduce into a routing domain (e.g., black-holing or advertising unowned space)?
Over-summarization is advertising an aggregate route that is broader than the address space you actually own and can reach — for example summarizing to 172.16.0.0/16 when you only host 172.16.0.0/22.
Two main risks:
- Black-holing. The router advertises the whole broad block, so peers send it traffic for destinations inside that block that don't actually exist behind it. With no matching specific route, the router drops (null-routes) those packets — traffic silently disappears. (This is exactly why routers auto-install a Null0 route for a configured summary: it intentionally discards traffic for the unused parts of the aggregate instead of looping it.)
- Advertising unowned space. If the summary overlaps addresses that belong to another router or another network, you can attract and steal their traffic, causing reachability loss or routing loops — effectively a route hijack within the domain.
It can also mask failures: a too-broad summary keeps advertising reachability even when a component subnet behind it is down, so upstream routers never learn to reroute.
Interview tip: Summaries must be exact — only aggregate the contiguous, aligned space you genuinely own and can reach.
L340. You are architecting addressing for a multi-site enterprise and want every regional hub to advertise a single summary route. How do you lay out the per-site blocks on binary boundaries to make clean summarization possible?
The golden rule: allocate hierarchically and contiguously so each region's networks share common leading bits — then one shorter prefix covers them all.
- Size each region as a power-of-two block (a /16, /19, etc.) so it falls on a clean binary boundary. A region needing roughly 256 /24 subnets gets a /16.
- Assign regional blocks contiguously and aligned, e.g. Region A = 10.0.0.0/16, Region B = 10.1.0.0/16, Region C = 10.2.0.0/16. Each hub then summarizes its whole region as one /16.
- Subnet downward inside the region only (site → building → VLAN), never letting a site's prefixes leak outside the regional boundary.
- Keep allocations stable — don't scatter the same region's subnets across non-adjacent blocks, or summarization breaks.
Analogy: phone numbers — country code, then area code, then local number; each level rolls up cleanly into the one above.
Interview tip: Leave headroom in each block so future growth stays inside the same summary — the most common real-world cause of broken aggregation is a region outgrowing its block and spilling into a non-adjacent range.
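An added example (not from the original page) for the two questions above: it audits a configured summary against the prefixes a router actually owns, reporting the unowned space that a too-broad aggregate would black-hole and any owned prefix that has spilled outside its regional summary. The 172.16.0.0/16-versus-/22 case and the 10.x regional blocks are the page's; the extra 10.2.5.0/24 "spilled" site is a constructed input.

```python
import ipaddress


def audit_summary(summary, owned):
    """Compare an advertised aggregate with the prefixes the router really owns.

    Returns (black_hole, leaked):
      black_hole - space inside the summary nobody owns; the advertisement
                   attracts traffic for it that is then discarded (Null0)
      leaked     - owned prefixes outside the summary, i.e. a region that has
                   grown past its boundary and is no longer covered by it"""
    agg = ipaddress.IPv4Network(summary)
    remaining = [agg]          # unowned pieces of the aggregate, refined below
    leaked = []
    for prefix in (ipaddress.IPv4Network(o) for o in owned):
        if not prefix.subnet_of(agg):
            leaked.append(str(prefix))
            continue
        refined = []
        for piece in remaining:
            if prefix.subnet_of(piece):        # carve the owned prefix out
                refined.extend(piece.address_exclude(prefix))
            elif piece.subnet_of(prefix):      # piece is entirely owned
                continue
            else:                              # CIDRs nest or are disjoint
                refined.append(piece)
        remaining = refined
    black_hole = [str(n) for n in ipaddress.collapse_addresses(remaining)]
    return black_hole, leaked


if __name__ == "__main__":
    # advertising a /16 while hosting only a /22: everything else black-holes
    print(audit_summary("172.16.0.0/16", ["172.16.0.0/22"]))
    # regional /16 summary where one site (constructed) spilled into Region C
    print(audit_summary("10.1.0.0/16",
                        ["10.1.0.0/17", "10.1.128.0/17", "10.2.5.0/24"]))
```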
Subnet Masks, CIDR & Host Calculations (10)
L141. Convert the prefix /26 to a dotted-decimal subnet mask, and explain how you derived 255.255.255.192.
A /26 means the first 26 bits of the 32-bit mask are 1 (network) and the last 6 bits are 0 (host). Write the mask one octet (8 bits) at a time:
- Octet 1: 11111111 = 255
- Octet 2: 11111111 = 255
- Octet 3: 11111111 = 255
- Octet 4: 11000000 = the first 2 bits on
That last octet adds the bit values 128 + 64 = 192. So /26 = 255.255.255.192. Think of it like filling buckets left to right: you turn on 26 ones, three full octets eat 24, leaving 2 ones in the fourth.
👉 Interview tip: Memorise the last-octet ladder: /25=128, /26=192, /27=224, /28=240, /29=248, /30=252.
L142. Convert the subnet mask 255.255.255.240 to CIDR prefix notation.
CIDR notation just counts how many 1 bits are in the mask. The first three octets are 255, and each 255 is 11111111 = 8 bits, giving 8 + 8 + 8 = 24 bits so far.
The fourth octet is 240. In binary that is 11110000 = four 1 bits. Add them: 24 + 4 = 28.
So 255.255.255.240 = /28.
Shortcut: from the last-octet ladder, 240 always equals 4 host-borrowed bits, so it's /24 + 4 = /28. A /28 carves a network into blocks of 16 addresses.
👉 Interview tip: Practise the reverse map instantly: 128→/25, 192→/26, 224→/27, 240→/28, 248→/29, 252→/30, 254→/31, 255→/32.
L143. State the formula for usable hosts per subnet and explain why we subtract 2 (the role of the network and broadcast addresses).
The formula is usable hosts = 2^h - 2, where h is the number of host bits (host bits = 32 - prefix for IPv4).
We subtract 2 because every subnet reserves two special addresses that cannot be assigned to a device:
- Network address (all host bits = 0): the name/ID of the subnet itself, used by routers.
- Broadcast address (all host bits = 1): used to reach every host on that subnet at once.
Analogy: an apartment block has a street name (network) and a fire-alarm that rings every flat (broadcast) — neither is a flat someone lives in. Everything in between is rentable.
Note: on point-to-point /31 links (RFC 3021) the -2 rule is waived, giving 2 usable hosts. A /32 is a single host route (1 address, e.g. a loopback).
👉 Interview tip: Always say "2 to the power of host bits, minus 2" and name both reserved addresses.
L144. How many usable hosts are available in a /27 subnet? Show the calculation.
Step 1 — host bits: a /27 uses 27 network bits, so host bits = 32 - 27 = 5.
Step 2 — total addresses: 2^5 = 32.
Step 3 — subtract the 2 reserved addresses (network + broadcast): 32 - 2 = 30.
So a /27 gives 30 usable hosts.
You can sanity-check it: a /27 mask is 255.255.255.224, and its block size in the last octet is 256 - 224 = 32 — matching the 32 total addresses we calculated.
👉 Interview tip: Lock in the small ones cold — /30=2, /29=6, /28=14, /27=30, /26=62, /25=126. These are the most-asked subnet sizes.
L245. For the IP 192.168.10.77/26, find the network address, broadcast address, first usable host, and last usable host using the block-size (magic-number) method.
The interesting octet for a /26 is the 4th. Mask = 255.255.255.192, so block size = 256 - 192 = 64.
Subnets step in 64s in that octet: 0, 64, 128, 192. Our host octet is 77, which falls in the 64–127 block.
- Network address: 192.168.10.64
- Broadcast address: 192.168.10.127 (next block start 128, minus 1)
- First usable host: 192.168.10.65 (network + 1)
- Last usable host: 192.168.10.126 (broadcast - 1)
That gives the expected 62 usable hosts for a /26.
👉 Interview tip: Always find the block size first, list the multiples, then drop your IP into the right bucket — fast and error-proof.
L246. Explain the block-size / magic-number method (256 minus the interesting octet) and use it to find the subnet boundaries for a /28 mask.
The magic number is 256 - (the mask value in the interesting octet). The interesting octet is the one where the mask is neither 255 nor 0 — that's where subnets actually divide. The magic number is your block size: subnets begin at every multiple of it.
For a /28, the mask is 255.255.255.240, so the interesting octet is the 4th and block size = 256 - 240 = 16.
So /28 subnets in that octet start at: 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240 — sixteen subnets of 16 addresses each (14 usable hosts apiece).
Example: .40 sits in the 32–47 block → network .32, broadcast .47.
👉 Interview tip: Once you know the block size, every boundary is just repeated addition — no binary math needed.
L247. You need to split a single /24 into 4 equal subnets. What mask do you use, how many subnets does it create, and how many usable hosts does each have?
To create 4 equal subnets you must borrow enough host bits so that 2^borrowed >= 4. Since 2^2 = 4, you borrow 2 bits from the /24.
New prefix = 24 + 2 = /26, mask = 255.255.255.192.
- Subnets created: 2^2 = 4
- Host bits left: 32 - 26 = 6
- Usable hosts each: 2^6 - 2 = 62
Using a 192.168.1.0/24 example, the four subnets are: .0/26, .64/26, .128/26, .192/26 — block size 64, matching 256 - 192.
👉 Interview tip: The rule is "borrow bits for subnets (left side), keep bits for hosts (right side)" — 2^n subnets, 2^h - 2 hosts.
L248. A segment must support at least 500 hosts. What is the smallest (largest-prefix) mask that satisfies this, and how many usable addresses does it provide?
Find the smallest power of 2 whose usable count (2^h - 2) is at least 500.
- h = 8 → 2^8 - 2 = 254 (too small)
- h = 9 → 2^9 - 2 = 510 (enough!)
So you need 9 host bits. Prefix = 32 - 9 = /23, mask = 255.255.254.0.
A /23 provides 512 total addresses and 510 usable hosts — comfortably above 500, with no smaller mask able to fit.
Tip: a /23 spans two full /24 blocks (e.g. 10.0.0.0 and 10.0.1.0 joined), so the third octet steps in 2s.
👉 Interview tip: "Smallest mask" means the largest prefix number that still fits — always round up to the next power of two, then convert to host bits.
L249. For the address 10.20.96.200/19, determine the network and broadcast addresses. Walk through how you found the boundary in the third octet.
A /19 = 255.255.224.0. The first two octets (16 bits) are fixed; the 3rd octet is interesting because the mask there is 224, not 255 or 0.
Block size in the 3rd octet = 256 - 224 = 32. So /19 subnets step every 32 in the third octet: 0, 32, 64, 96, 128, 160, 192, 224.
Our 3rd octet is 96, which is itself a boundary, so it falls in the 96–127 block.
- Network address: 10.20.96.0
- Broadcast address: 10.20.127.255 (next boundary 128 minus 1, with 4th octet maxed)
That block holds 32 × 256 = 8192 addresses (8190 usable).
👉 Interview tip: When the interesting octet isn't the last one, the host range fills the remaining octets — the 4th octet runs the full 0–255.
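An added example, not from the original page, that carries out this whole section's arithmetic in Python: prefix/mask conversion, the 2^h - 2 rule with its /31 and /32 exceptions, rounding a host count up to the smallest mask, borrowing bits to split a block, and the block-size (magic-number) method generalised to whichever octet is the interesting one. All function names are assumptions; the sample addresses are the page's own.

```python
import math


def to_int(dotted):
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """/26 -> 255.255.255.192: 26 ones filled left to right, rest zeros."""
    return to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def prefix_from_mask(mask):
    """255.255.255.240 -> 28: count the 1 bits."""
    return bin(to_int(mask)).count("1")


def usable_hosts(prefix):
    """2^h - 2, with the /31 (RFC 3021, 2 hosts) and /32 (1 host) exceptions."""
    if prefix >= 31:
        return 33 - prefix
    return 2 ** (32 - prefix) - 2


def prefix_for_hosts(hosts):
    """Smallest mask that still fits: round hosts + 2 up to a power of two."""
    return 32 - math.ceil(math.log2(hosts + 2))


def subnet_bounds(ip, prefix):
    """Block-size (magic-number) method.  The interesting octet is the one
    whose mask value is neither 255 nor 0; block size = 256 - that value.
    Octets left of it are copied, octets right of it run the full 0..255."""
    octs = [int(o) for o in ip.split(".")]
    mask = [int(o) for o in mask_from_prefix(prefix).split(".")]
    net, bcast = [], []
    for o, m in zip(octs, mask):
        if m == 255:                 # fully network: copy the octet
            net.append(o)
            bcast.append(o)
        elif m == 0:                 # fully host: whole 0..255 range
            net.append(0)
            bcast.append(255)
        else:                        # the interesting octet
            block = 256 - m
            start = o // block * block
            net.append(start)
            bcast.append(start + block - 1)
    n = to_int(".".join(map(str, net)))
    b = to_int(".".join(map(str, bcast)))
    first, last = (n, b) if prefix >= 31 else (n + 1, b - 1)
    return {"network": to_dotted(n), "broadcast": to_dotted(b),
            "first": to_dotted(first), "last": to_dotted(last),
            "block_size": 2 ** (32 - prefix), "usable": usable_hosts(prefix)}


def split_equal(network, prefix, count):
    """Borrow n bits so that 2^n >= count; list the resulting equal subnets."""
    borrow = math.ceil(math.log2(count))
    new_prefix = prefix + borrow
    size = 2 ** (32 - new_prefix)
    base = to_int(network)
    return [f"{to_dotted(base + k * size)}/{new_prefix}" for k in range(2 ** borrow)]


if __name__ == "__main__":
    print(subnet_bounds("192.168.10.77", 26))     # 4th octet interesting
    print(subnet_bounds("10.20.96.200", 19))      # 3rd octet interesting
    print(split_equal("192.168.1.0", 24, 4), prefix_for_hosts(500))
```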
L250. What is CIDR notation and why did classless allocation replace classful addressing in terms of routing-table efficiency and address utilization?
CIDR (Classless Inter-Domain Routing) writes an address with an explicit prefix length, e.g. 192.168.0.0/22, instead of relying on fixed Class A/B/C boundaries. The /n says exactly how many bits are network.
Old classful addressing locked masks to /8, /16, or /24. That wasted addresses badly: an org needing 2,000 hosts had to take a whole Class B (65,534 hosts), stranding the rest.
CIDR fixes two things:
- Address utilization: you allocate a right-sized block (a /21 gives 2,046 usable hosts for a ~2,000-host need), so far fewer addresses are wasted.
- Routing-table efficiency: contiguous blocks can be summarised/aggregated into one route (supernetting), shrinking Internet routing tables instead of one entry per small network.
👉 Interview tip: Name both wins — VLSM/right-sizing for utilisation and route aggregation/summarisation for smaller routing tables.
Troubleshooting & Real Scenarios (10)
L151. A user reports no network connectivity and ipconfig shows a 169.254.x.x address. What does this tell you, and what are the first two things you check?
A 169.254.x.x address is APIPA (Automatic Private IP Addressing, the 169.254.0.0/16 link-local range). The OS self-assigns it when it is set for DHCP but got no reply from a DHCP server. So the real problem is DHCP, not the PC's IP stack.
First two checks:
- Physical link: is the cable plugged in / Wi-Fi associated? Look for link lights and an "up" interface — no Layer 1, no DHCP.
- DHCP path: is the DHCP server / scope alive, and can the request reach it (correct VLAN, working DHCP relay / ip helper-address, scope not exhausted)? Then renew with ipconfig /release and ipconfig /renew.
Analogy: the PC dialled the front desk for a room number, no one answered, so it scribbled its own — useless for talking to anyone else.
👉 Interview tip: Say "APIPA = DHCP failure" immediately; that one line shows you know it.
L152. Walk through the basic Layer 1 to Layer 3 isolation steps (cable/link, IP/mask, default gateway, ping loopback, ping gateway, ping remote) you would use to triage a 'cannot reach the internet' complaint.
Work bottom-up through the layers so each step rules out one cause:
- L1 — link: cable seated, link light on, Wi-Fi connected, interface up. No link, nothing else matters.
- L3 config: run ipconfig / ip addr — valid IP, correct mask, and a default gateway set (not 169.254 / blank).
- Ping loopback ping 127.0.0.1: confirms the local TCP/IP stack works.
- Ping own IP / same-subnet host: confirms the NIC and local subnet.
- Ping the gateway: confirms reachability to the router (Layer 2/3 to the LAN edge).
- Ping a remote IP (e.g. 8.8.8.8): confirms routing off-LAN. If IP works but names don't, it's DNS.
👉 Interview tip: Always test IP before name — ping 8.8.8.8 then a hostname isolates DNS from routing in seconds.
L253. A host is configured as 192.168.1.130/26 with a gateway of 192.168.1.1. Will it reach its gateway? Explain why or why not based on subnet boundaries.
No — it will not reach that gateway. A /26 mask (255.255.255.192) has block size 256 - 192 = 64, so subnets are .0–.63, .64–.127, .128–.191, .192–.255.
- Host 192.168.1.130 lives in the .128–.191 subnet (network .128, broadcast .191).
- Gateway 192.168.1.1 lives in the .0–.63 subnet.
They are in different subnets. The host believes anything outside .128/26 must be reached through the gateway — but the configured gateway isn't even on the host's local subnet, so the host can't ARP it. Result: traffic off-subnet fails.
Fix: set a gateway inside 192.168.1.128/26 (e.g. 192.168.1.129), or change the mask so both share a subnet.
👉 Interview tip: A gateway must always be a host address within the same subnet as the client.
L254. Two hosts on the same physical switch can ping each other but not the gateway, and a third host on the same VLAN cannot ping either of them. You suspect a wrong subnet mask on one host. How do you confirm it with CLI evidence?
Collect each host's IP and mask, then compute the subnet each one actually believes it is in.
- On every host run ipconfig /all (Windows) or ip addr / ip route (Linux) and record IP, mask, gateway.
- Compare masks: if two hosts can ping each other but a third can't, the odd host likely has a wider/narrower mask, so its computed network differs.
- Verify by ANDing IP with mask, or use a CLI subnet check — confirm whether each host's network and the gateway fall in the same range.
- Check arp -a: a host with the wrong mask will fail to ARP devices it wrongly thinks are remote.
Example: a host set /26 instead of /24 will treat some same-VLAN peers and the gateway as off-subnet and route them away.
👉 Interview tip: The mask, not the IP, decides who is "local" — always diff the masks, not just the addresses.
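An added example (not from the original page) for the two questions above: the "AND IP with mask" check done in code, used to test whether a gateway is on the client's subnet, to list which same-VLAN peers a wrong-mask host would wrongly route via its gateway, and to pick out the host whose computed network disagrees with the others. The 192.168.1.130/26 host and gateway .1 are the page's; the three-host VLAN records are constructed.

```python
import ipaddress
from collections import Counter


def host_view(ip, mask):
    """The subnet a host computes from its own IP AND mask.  `mask` may be a
    prefix length such as "26" or dotted such as "255.255.255.192"."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network


def gateway_is_local(ip, mask, gateway):
    """A usable gateway must be a host address inside the client's own subnet;
    the network and broadcast addresses do not count."""
    net = host_view(ip, mask)
    gw = ipaddress.IPv4Address(gateway)
    return gw in net and gw not in (net.network_address, net.broadcast_address)


def wrongly_remote(ip, mask, peers):
    """Peers on the same VLAN that this host would hand to its gateway instead
    of ARPing directly, because its mask says they are off-subnet."""
    net = host_view(ip, mask)
    return [p for p in peers if ipaddress.IPv4Address(p) not in net]


def mask_outliers(hosts):
    """Given (name, ip, mask) records gathered from ipconfig /all or ip addr,
    return the hosts whose computed network disagrees with the majority view.
    On a single VLAN those are the wrong-mask suspects."""
    views = {name: host_view(ip, mask) for name, ip, mask in hosts}
    majority = Counter(views.values()).most_common(1)[0][0]
    return sorted(name for name, view in views.items() if view != majority)


if __name__ == "__main__":
    print(gateway_is_local("192.168.1.130", "26", "192.168.1.1"))      # False
    print(gateway_is_local("192.168.1.130", "26", "192.168.1.129"))    # True
    # constructed VLAN: host C was given /26 instead of /24
    vlan = [("A", "192.168.1.10", "255.255.255.0"),
            ("B", "192.168.1.20", "255.255.255.0"),
            ("C", "192.168.1.70", "255.255.255.192")]
    print(mask_outliers(vlan))
    print(wrongly_remote("192.168.1.70", "26", ["192.168.1.10", "192.168.1.90", "192.168.1.1"]))
```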
L255. A new branch subnet was added and now intermittent connectivity appears in an existing site. You suspect overlapping subnets. How do you detect the overlap and what is the fix?
Detect:
- List the new branch's subnet/prefix and compare it against your existing IPAM/address plan and routing tables. Check whether the ranges share any addresses (e.g. branch 10.10.0.0/16 swallowing an existing 10.10.5.0/24).
- On routers run show ip route — look for two paths to the same prefix, or a longer/shorter mask shadowing existing routes.
- Watch the symptom: intermittent reachability means traffic for a duplicated range is sometimes routed to the wrong site. traceroute from both ends will show paths diverging.
Fix: re-IP one side onto a unique, non-overlapping block (the clean fix), tighten the over-broad prefix, or — only as a stopgap — use NAT to mask the overlap. Then update IPAM so it can't recur.
Analogy: two houses with the same street address — the postman delivers to whichever he reaches first.
👉 Interview tip: Overlap = a routing/uniqueness problem; the durable fix is re-IP plus IPAM discipline, not NAT band-aids.
L256. A server can ping by IP but not by hostname. Which layer is the problem at, and is this an addressing or a DNS issue? Justify your answer.
This is a DNS (name-resolution) issue, not an addressing/Layer-3 issue. Because ping by IP succeeds, you've proven that IP addressing, subnet mask, gateway, and routing all work — packets reach the destination fine. The only thing failing is turning a name into an IP.
Name resolution is an application-layer (Layer 7) service (DNS over UDP/TCP port 53), so the fault sits there, above the network layer.
How to confirm and fix:
- nslookup hostname or dig hostname — if it fails or returns the wrong IP, DNS is the culprit.
- Check the configured DNS server (ipconfig /all / /etc/resolv.conf), reachability to it, and the host record itself.
- Check the local hosts file for stale overrides.
👉 Interview tip: "Ping by IP works, name fails" is the textbook fingerprint of DNS — say it confidently and reach for nslookup / dig.
L357. In a Kubernetes cluster you see pod-to-service traffic failing across nodes. How could a CIDR overlap between the pod CIDR, service CIDR, and node/host CIDR cause this, and how would you investigate?
Kubernetes uses three separate address spaces that must not overlap: the pod CIDR (per-node pod IPs, e.g. 10.244.0.0/16), the service CIDR (virtual ClusterIPs, e.g. 10.96.0.0/12), and the node/host network (e.g. 10.0.0.0/16).
If they overlap, routing becomes ambiguous: a packet destined for a ClusterIP may match a node or pod route instead, so kube-proxy / CNI rules send it to the wrong place — and it often breaks only across nodes because intra-node traffic can stay local and short-circuit the bad route.
Investigate:
- Read the cluster config: --pod-network-cidr, the API server --service-cluster-ip-range, and the host subnet — diff them for any intersection.
- Inspect CNI config and ip route on a node; check iptables / ipvs rules for conflicting matches.
- Confirm whether VPC / host routes shadow the pod / service ranges.
👉 Interview tip: State the rule first — pod, service, and node CIDRs must be mutually exclusive; the fix is re-IP a range, which usually means a cluster rebuild.
L358. Two companies merge and both internally use 10.0.0.0/8 with overlapping subnets. You must connect their networks. What addressing-layer options (NAT, re-IP, overlapping-subnet NAT) do you evaluate and how do you choose?
Both sides using overlapping 10.0.0.0/8 ranges means a destination IP is ambiguous — routing alone can't tell which company a 10.x host belongs to. Options:
- Re-IP one side: renumber the smaller/overlapping site onto a unique range. Cleanest long-term, but disruptive (DHCP, DNS, firewall rules, hard-coded IPs).
- Standard NAT/PAT: hide one side behind translated addresses. Works when traffic is mostly one-directional or client-to-server.
- Twice/overlapping-subnet NAT (dual NAT): translate both source and destination so each side reaches the other through a unique, non-overlapping "shadow" range. Best for bidirectional access without immediate renumbering.
Choose by: traffic direction, number of overlapping hosts, urgency, and tolerance for downtime. Common play: dual-NAT now for day-one connectivity, then re-IP over time as the strategic fix.
👉 Interview tip: Frame it as a trade-off — NAT buys time, re-IP buys correctness; name twice-NAT for the overlap case.
L359. While planning VPC peering across AWS and Azure, a peering connection is rejected for overlapping CIDR. Explain why overlapping RFC 1918 ranges break peering/transit and how an IPAM strategy prevents this at scale.
VPC/VNet peering creates a flat, route-table-merged network between the two sides. Routing requires every destination prefix to be unique. If both VPCs use the same RFC 1918 range (e.g. both 10.1.0.0/16), a packet to 10.1.x.x is ambiguous — the route table can't decide which VPC owns it — so AWS/Azure reject the peering outright rather than create a black hole.
This is why RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) being "private and reusable" bites you: reuse is fine in isolation, fatal once networks join.
IPAM strategy prevents it at scale by centrally allocating non-overlapping blocks from a master plan — each VPC/region/account gets a unique slice (e.g. AWS 10.0.0.0/12, Azure 10.16.0.0/12), with tooling (AWS VPC IPAM, Azure IPAM / Virtual Network Manager, Infoblox) enforcing uniqueness before any VPC is created.
👉 Interview tip: Say "peering needs globally unique CIDRs" and credit IPAM for designing non-overlap before deployment, not after.
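An added example, not from the original page, serving the overlapping-subnet, Kubernetes CIDR and VPC-peering questions above: a pairwise overlap check over labelled prefixes, plus the IPAM rule that every allocation must sit inside the block its owner was assigned. The CIDR values are the page's own; the labels, the function names and the "vnet-c" allocation are constructed.

```python
import ipaddress
from itertools import combinations


def find_overlaps(named_cidrs):
    """Every pair of labelled prefixes that share addresses, with the shared
    range.  Two CIDR blocks either nest or are disjoint, so the shared range
    is simply the more specific of the two.  An empty list means the set is
    safe to route, peer or run as pod/service/node ranges together."""
    nets = [(name, ipaddress.IPv4Network(cidr)) for name, cidr in named_cidrs]
    hits = []
    for (a, na), (b, nb) in combinations(nets, 2):
        if na.overlaps(nb):
            inner = na if na.prefixlen >= nb.prefixlen else nb
            hits.append((a, b, str(inner)))
    return hits


def outside_plan(plan, allocations):
    """IPAM check before anything is built: each (owner, name, cidr) allocation
    must lie inside the block the master plan gives that owner.  Returns the
    names of the allocations that do not."""
    bad = []
    for owner, name, cidr in allocations:
        block = ipaddress.IPv4Network(plan[owner])
        if not ipaddress.IPv4Network(cidr).subnet_of(block):
            bad.append(name)
    return bad


if __name__ == "__main__":
    # branch block swallowing an existing site
    print(find_overlaps([("existing-site", "10.10.5.0/24"),
                         ("new-branch", "10.10.0.0/16")]))
    # the three Kubernetes ranges, mutually exclusive as required
    print(find_overlaps([("pod", "10.244.0.0/16"), ("service", "10.96.0.0/12"),
                         ("node", "10.0.0.0/16")]))
    # IPAM master plan with one VNet allocated from the wrong slice (constructed)
    plan = {"aws": "10.0.0.0/12", "azure": "10.16.0.0/12"}
    allocs = [("aws", "vpc-a", "10.1.0.0/16"), ("azure", "vnet-b", "10.1.0.0/16"),
              ("azure", "vnet-c", "10.17.0.0/16")]
    print(outside_plan(plan, allocs),
          find_overlaps([(n, c) for _, n, c in allocs]))
```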
L260. An OSPF adjacency between two routers on a point-to-point link stays stuck in a down/init state. You suspect a subnet-mask mismatch on the two interface IPs. How would mismatched masks on a /30 cause this, and how do you verify and fix it?
On broadcast and non-broadcast OSPF network types, two routers form an adjacency only if their interfaces agree they are on the same subnet (same network and mask). On a /30 link (255.255.255.252, block size 4: usable pair like .1 and .2), if one router is /30 but the other is mistakenly /29 or /24, OSPF sees a subnet/mask mismatch. The mismatched Hellos are dropped, so the neighbour never progresses — it appears stuck in INIT (the local router hears nothing valid back), or never shows up at all, and never reaches FULL.
Verify:
- show ip ospf neighbor — see it stuck or absent.
- show ip interface brief / show running-config interface — compare the masks on both ends.
- debug ip ospf adj — logs a "mismatch" message (network mask / hello-parameter mismatch).
Fix: set both interfaces to the same /30 mask (and same area). Note: the OSPF point-to-point network type does not enforce the subnet-mask match, but matching masks is still the correct, clean fix.
👉 Interview tip: OSPF Hello must match subnet mask (on broadcast/NBMA types), area ID, hello/dead timers, and authentication — a mask mismatch is a classic stuck-INIT / no-neighbour cause.
20-minute drill: Pick one question from each section, set a 90-second timer, and answer out loud. If you can sketch the key Subnetting diagram from memory and land each 👉 Interview tip, you’re interview-ready.