Variable-Length Subnet Masking is the skill that turns a CCNA candidate into someone who can stand at a whiteboard with five rectangles and turn them into a working network. The math is not complex. The discipline is. This lab walks you through carving a single /16 parent block into four right-sized subnets, configuring them on a real router, and proving the result with show ip route.
You will work on R1 from the PingLabz CCNA Base Topology, using loopback interfaces so you can run the entire exercise on one router without disturbing the rest of the lab.
What you will learn
- How to translate "I need a subnet for N hosts" into "use a /X mask"
- How to carve a parent block (10.50.0.0/16 here) into multiple right-sized children without wasting addresses
- How to configure those subnets on a Cisco router and verify them with show ip route
- How to spot the canonical IOS clue that VLSM is happening ("variably subnetted, N subnets, M masks")
- The two common mistakes that trip up engineers: overlap and unintended summarization
What this lab does NOT cover
- Route summarization for redistribution between protocols (covered in IP Connectivity labs)
- IPv6 subnetting (covered in nf-05)
- Private vs. public address policy (covered in nf-03)
The scenario
You have one parent block: 10.50.0.0/16. That is 65,536 addresses to spend. You need to allocate four subnets:
| Subnet | Hosts needed | Subnet size | Required mask |
|---|---|---|---|
| HQ-LAN | 500 | 512 (next power of 2 that fits) | /23 (510 usable) |
| Branch-LAN | 100 | 128 | /25 (126 usable) |
| DMZ | 14 | 16 | /28 (14 usable) |
| WAN-P2P | 2 (one each end) | 4 | /30 (2 usable) |
Total addresses needed: 512 + 128 + 16 + 4 = 660. Well under the 65,536 the parent /16 gives you. The challenge is to allocate them efficiently and without overlap.
Step 1: The hosts-to-mask rule
For a subnet that needs N usable hosts, you need (N + 2) addresses minimum (network + broadcast are not usable). Round up to the next power of 2. The mask is whatever number of host bits gives you that power of 2.
| Host bits | Total addresses | Usable hosts | Mask |
|---|---|---|---|
| 2 | 4 | 2 | /30 (255.255.255.252) |
| 3 | 8 | 6 | /29 (255.255.255.248) |
| 4 | 16 | 14 | /28 (255.255.255.240) |
| 5 | 32 | 30 | /27 (255.255.255.224) |
| 6 | 64 | 62 | /26 (255.255.255.192) |
| 7 | 128 | 126 | /25 (255.255.255.128) |
| 8 | 256 | 254 | /24 (255.255.255.0) |
| 9 | 512 | 510 | /23 (255.255.254.0) |
| 10 | 1024 | 1022 | /22 (255.255.252.0) |
500 hosts? Need at least 502 addresses. Closest power of 2 that fits is 512. That is 9 host bits, leaving 23 network bits. /23.
100 hosts? Need at least 102. Closest power of 2 is 128. That is 7 host bits, leaving 25 network bits. /25.
Step 2: Allocate from the parent block (biggest first)
The discipline that prevents overlap: allocate biggest first, contiguous from the parent block. If you start with the smallest and try to fit the biggest at the end, you waste space.
Starting at 10.50.0.0:
- HQ-LAN (/23, 512 addresses). Starts at 10.50.0.0. Ends at 10.50.1.255. Next free address: 10.50.2.0.
- Branch-LAN (/25, 128 addresses). Starts at 10.50.2.0. Ends at 10.50.2.127. Next free address: 10.50.2.128.
- DMZ (/28, 16 addresses). Starts at 10.50.2.128. Ends at 10.50.2.143. Next free address: 10.50.2.144.
- WAN-P2P (/30, 4 addresses). Starts at 10.50.2.144. Ends at 10.50.2.147. Next free address: 10.50.2.148.
Done. Plenty of /16 left over for future allocations.
| Subnet | CIDR | Network | First host | Last host | Broadcast |
|---|---|---|---|---|---|
| HQ-LAN | 10.50.0.0/23 | 10.50.0.0 | 10.50.0.1 | 10.50.1.254 | 10.50.1.255 |
| Branch-LAN | 10.50.2.0/25 | 10.50.2.0 | 10.50.2.1 | 10.50.2.126 | 10.50.2.127 |
| DMZ | 10.50.2.128/28 | 10.50.2.128 | 10.50.2.129 | 10.50.2.142 | 10.50.2.143 |
| WAN-P2P | 10.50.2.144/30 | 10.50.2.144 | 10.50.2.145 | 10.50.2.146 | 10.50.2.147 |
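As an added example (not part of the PingLabz lab), the Step 1 and Step 2 rules in Python's standard ipaddress module: hosts to prefix length, biggest-first contiguous allocation from the parent with an overlap check, and a flag to run the same needs smallest-first so the alignment gaps that order creates become visible. PARENT and NEEDS are the lab's values; the function names are my own.

```python
import ipaddress

PARENT = ipaddress.ip_network("10.50.0.0/16")
# (name, usable hosts needed): the lab's four requirements
NEEDS = [("HQ-LAN", 500), ("Branch-LAN", 100), ("DMZ", 14), ("WAN-P2P", 2)]

def prefix_for_hosts(hosts):
    """Step 1: smallest prefix whose block holds hosts + 2 addresses."""
    need = hosts + 2                     # network and broadcast are not usable
    host_bits = (need - 1).bit_length()  # next power of 2 that is >= need
    return 32 - host_bits

def allocate(parent, needs, biggest_first=True):
    """Step 2: carve parent contiguously. Returns (plan, first free address)."""
    order = sorted(needs, key=lambda n: n[1], reverse=biggest_first)
    cursor = int(parent.network_address)
    plan = []
    for name, hosts in order:
        plen = prefix_for_hosts(hosts)
        size = 2 ** (32 - plen)
        # a /plen block must start on a multiple of its size; smallest-first
        # order forces this rounding and leaves gaps that are never used
        if cursor % size:
            cursor += size - cursor % size
        net = ipaddress.IPv4Network((cursor, plen))
        if not net.subnet_of(parent):
            raise ValueError(f"{name} (/{plen}) does not fit in {parent}")
        plan.append((name, net))
        cursor += size
    return plan, ipaddress.IPv4Address(cursor)

def table_row(name, net):
    """One row of the allocation table: network, first/last host, broadcast."""
    return (name, str(net), str(net.network_address),
            str(net[1]), str(net[-2]), str(net.broadcast_address))

def overlaps(plan):
    """Every pair of allocated networks that share addresses (should be empty)."""
    return [(a, b) for i, (_, a) in enumerate(plan)
            for _, b in plan[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    plan, nxt = allocate(PARENT, NEEDS)
    for row in (table_row(n, net) for n, net in plan):
        print(" | ".join(row))
    print("next free:", nxt, "overlaps:", overlaps(plan))
```

Running it reproduces the allocation table above and a next free address of 10.50.2.148; the same needs allocated smallest-first end at 10.50.4.0, which is the waste Step 2 warns about.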
Step 3: Configure the four subnets on R1
Console into R1 and configure four loopback interfaces, one per subnet, taking the first usable host address in each:
```
R1# configure terminal
R1(config)# interface Loopback1
R1(config-if)# description HQ-LAN (needs 500 hosts -> /23 = 510 usable)
R1(config-if)# ip address 10.50.0.1 255.255.254.0
R1(config-if)# no shutdown
R1(config-if)# interface Loopback2
R1(config-if)# description Branch-LAN (needs 100 hosts -> /25 = 126 usable)
R1(config-if)# ip address 10.50.2.1 255.255.255.128
R1(config-if)# no shutdown
R1(config-if)# interface Loopback3
R1(config-if)# description DMZ (needs 14 hosts -> /28 = 14 usable)
R1(config-if)# ip address 10.50.2.129 255.255.255.240
R1(config-if)# no shutdown
R1(config-if)# interface Loopback4
R1(config-if)# description WAN-P2P (needs 2 hosts -> /30 = 2 usable)
R1(config-if)# ip address 10.50.2.145 255.255.255.252
R1(config-if)# no shutdown
R1(config-if)# end
```
Each loopback gets the FIRST USABLE host in its subnet. That is the convention: the router itself takes .1 (or the lowest available address), and the remaining addresses go to hosts.
Step 4: Verify with show ip interface brief
Real capture from the lab after running the config above:
```
R1# show ip interface brief
Interface     IP-Address   OK? Method Status                Protocol
Ethernet0/0   10.20.0.1    YES TFTP   up                    up
Ethernet0/1   unassigned   YES unset  administratively down down
Ethernet0/2   unassigned   YES unset  administratively down down
Ethernet0/3   unassigned   YES unset  administratively down down
Loopback0     10.255.0.1   YES TFTP   up                    up
Loopback1     10.50.0.1    YES manual up                    up
Loopback2     10.50.2.1    YES manual up                    up
Loopback3     10.50.2.129  YES manual up                    up
Loopback4     10.50.2.145  YES manual up                    up
```
Five loopbacks total now: Loopback0 is the base topology's router-ID, Loopback1-4 are the VLSM allocations we just made. The Method column distinguishes them: TFTP for the config loaded from the CML startup-config, manual for the changes you just typed.
Step 5: The "variably subnetted" line is the proof
This is the signature line that tells you VLSM is happening. Run show ip route connected on R1:
```
R1# show ip route connected
<...routing protocol codes legend omitted...>
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 11 subnets, 6 masks
C        10.20.0.0/24 is directly connected, Ethernet0/0
L        10.20.0.1/32 is directly connected, Ethernet0/0
C        10.50.0.0/23 is directly connected, Loopback1
L        10.50.0.1/32 is directly connected, Loopback1
C        10.50.2.0/25 is directly connected, Loopback2
L        10.50.2.1/32 is directly connected, Loopback2
C        10.50.2.128/28 is directly connected, Loopback3
L        10.50.2.129/32 is directly connected, Loopback3
C        10.50.2.144/30 is directly connected, Loopback4
L        10.50.2.145/32 is directly connected, Loopback4
C        10.255.0.1/32 is directly connected, Loopback0
```
Read it carefully:
- "10.0.0.0/8 is variably subnetted, 11 subnets, 6 masks". This is the giveaway. IOS prints this line whenever a single parent network has subnets of different mask lengths inside it. The "11 subnets" counts every connected route under 10/8 (5 C entries plus 6 L entries because IOS also shows each interface's /32 local route). The "6 masks" counts the unique prefix lengths: /8 (the parent), /23 (HQ-LAN), /24 (LAN), /25 (Branch-LAN), /28 (DMZ), /30 (WAN-P2P), /32 (the local routes and the loopback). VLSM in action.
- Connected vs. local routes. Each interface with an IP creates two routing-table entries: a C for the subnet ("everything in 10.50.0.0/23 is reachable via Loopback1") and an L for the interface address itself as a /32 ("10.50.0.1 specifically is me"). The L entries are why a /23 subnet shows up as two route entries.
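As an added example, not from the lab, the header line recomputed from the capture: a small Python parser over the C and L lines that counts the subnets and distinct prefix lengths under 10.0.0.0/8 the way IOS reports them, and flags any connected subnet nested inside another (the overlap case from Step 6). The SHOW_IP_ROUTE text is copied from the output above; the function names are my own.

```python
import ipaddress
import re

# Copied from the lab capture above: the header and the C/L lines only.
SHOW_IP_ROUTE = """\
      10.0.0.0/8 is variably subnetted, 11 subnets, 6 masks
C        10.20.0.0/24 is directly connected, Ethernet0/0
L        10.20.0.1/32 is directly connected, Ethernet0/0
C        10.50.0.0/23 is directly connected, Loopback1
L        10.50.0.1/32 is directly connected, Loopback1
C        10.50.2.0/25 is directly connected, Loopback2
L        10.50.2.1/32 is directly connected, Loopback2
C        10.50.2.128/28 is directly connected, Loopback3
L        10.50.2.129/32 is directly connected, Loopback3
C        10.50.2.144/30 is directly connected, Loopback4
L        10.50.2.145/32 is directly connected, Loopback4
C        10.255.0.1/32 is directly connected, Loopback0
"""

ROUTE_RE = re.compile(r"^([CL])\s+(\d+\.\d+\.\d+\.\d+/\d+) is directly connected, (\S+)")

def parse_routes(text):
    """Return [(code, network, interface)] for every C and L line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m.group(1), ipaddress.ip_network(m.group(2)), m.group(3)))
    return routes

def summarize(routes, parent="10.0.0.0/8"):
    """Recompute the IOS header for one parent: every C and L route under it is a
    'subnet'; 'masks' is the number of distinct prefix lengths among those routes."""
    parent_net = ipaddress.ip_network(parent)
    children = [net for _, net, _ in routes if net.subnet_of(parent_net)]
    return len(children), len({net.prefixlen for net in children})

def header(routes, parent="10.0.0.0/8"):
    n, m = summarize(routes, parent)
    return f"{parent} is variably subnetted, {n} subnets, {m} masks"

def shadowed(routes):
    """Pairs (broader, longer) where one connected subnet lies inside another:
    the Step 6 overlap case, where the longer match hides the broader route."""
    nets = [net for code, net, _ in routes if code == "C"]
    return [(str(a), str(b)) for a in nets for b in nets if a != b and b.subnet_of(a)]

if __name__ == "__main__":
    routes = parse_routes(SHOW_IP_ROUTE)
    print(header(routes))
    print("shadowed:", shadowed(routes))
```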
Step 6: Common mistakes
| Mistake | What happens | How to detect |
|---|---|---|
| Allocating smallest first | Big subnets do not fit on a boundary, you end up "wasting" the gap and reusing addresses | The math fails: you allocate /28 at 10.50.0.0, then need /23 starting at 10.50.0.16 which is not a /23 boundary |
| Two subnets that overlap | 10.50.2.0/25 and 10.50.2.128/25 do NOT overlap (good). But 10.50.0.0/23 and 10.50.1.0/24 DO overlap. The /24 is inside the /23. | show ip route shows one of them as "longer match"; the broader one is masked by the more specific. Confusing routing decisions. |
| Wrong mask on the router interface | You meant /25 but typed 255.255.255.0 (which is /24) | show ip interface brief shows the address; show ip interface eth-or-loopback shows the /xx |
| Asymmetric masks on a P2P link | R1 is /30 (255.255.255.252) but R2 is /29 (255.255.255.248). Reachable in one direction only. | Ping R2 from R1 fails or returns asymmetric replies; mask check on both sides reveals the issue |
Verification
- You can take "I need 50 hosts" and immediately reach for /26.
- You allocate biggest first, contiguous, from the parent block.
- show ip interface brief on R1 lists Loopback1-4 with the four /23, /25, /28, /30 addresses, all up.
- show ip route connected shows "10.0.0.0/8 is variably subnetted, 11 subnets, 6 masks" followed by the C and L entries for every interface.
Troubleshooting matrix
| Symptom | Likely cause | Confirm with | Fix |
|---|---|---|---|
| "% Bad mask /29 for address 10.50.0.1" | The mask you typed does not align the address to a subnet boundary | The error message shows the address and mask | Check that the address is the network address or a usable host in the subnet that mask defines |
| show ip route shows fewer subnets than you configured | One of your ip address commands was overwritten by a later one on the same interface | Re-check with show running-config interface Loopback1 etc. | Reconfigure the interface with the right address and mask |
| "variably subnetted" line is missing | All your subnets have the same mask, so it is not actually VLSM | show ip route uses a single-mask format | Not a problem unless you specifically intended different mask lengths |
| Subnets overlap accidentally | Allocation math was wrong | Check that each subnet's address range does not intersect another's | Re-derive the allocation table; biggest first prevents this |
Engineer's note: production reality
Real address plans live in spreadsheets, IPAM tools (Infoblox, BlueCat, NetBox), or YAML files in version control. You do not usually do VLSM math at a whiteboard - you do it once, capture it in IPAM, and the rest of the team consumes the plan.
The skill the math teaches you is what to do when IPAM is wrong, when someone's documentation lies, or when you have to absorb a new acquisition's address space into your own. The math is fast once the discipline is muscle memory: hosts -> bits -> mask, biggest first, biggest first, biggest first.
Modern best practice for new designs: use /16 or larger per site, leave room to grow, document hierarchically (region.site.purpose), and never let two subnets touch even when they could be carved into one. The address space is cheap; the cognitive overhead of overlap is expensive.
Related reading on PingLabz
- Lab nf-03: IPv4 addressing essentials - the foundation this lab builds on
- Lab nf-07: Static routes - next-hop vs exit-interface - use these subnets in routing decisions
- CCNA Labs: IP Connectivity - where the routing happens
Key takeaways
- For N hosts, find the smallest power of 2 that is greater than or equal to (N + 2). That tells you the host bits. Subtract from 32 to get the prefix length.
- Allocate biggest first, contiguous from the parent block. This is the single discipline that prevents waste and overlap.
- show ip route prints "variably subnetted, N subnets, M masks" whenever you have VLSM in a single parent network. That line is the proof.
- Each interface creates two routing-table entries: a C (the subnet) and an L (the /32 for the interface itself).
- The two common mistakes are smallest-first allocation and overlapping subnets. Biggest-first contiguous allocation prevents both.
Up next
Lab nf-05: IPv6 addressing and EUI-64 takes the same address-and-mask logic into the 128-bit world. Same math, more bits, slightly different conventions.