Practice the subnet interview questions hiring managers actually ask, from CIDR and VLSM to VPC design, troubleshooting, and routing.
Subnet Interview Questions: 30 Most Asked (2026)
Subnet questions come up in networking, DevOps, cloud, and platform-engineering interviews because subnetting is where theory meets real infrastructure. This guide covers the 30 questions hiring managers actually ask, grouped by experience level: fresher, intermediate, and scenario-based. Each comes with a concise, interview-ready answer. Work through all 30 and you'll know what to expect.
Why subnet questions come up so often
Subnetting isn't niche. It sits at the intersection of networking fundamentals, cloud architecture, and security — fair game for network engineers, DevOps engineers, SREs, platform engineers, and backend developers who touch infrastructure.
In a recent platform-engineer interview recap on dev.to, a candidate reported that recruiters explicitly asked about "VPC, BGP, firewall, subnets, IPs, cross-network communication." That's not unusual. Subnetting is the connective tissue between all of those topics.
Interviewers also care about how things fail, not just what they are. One DevOps hiring manager on Reddit described their favorite question as: "I see you have experience with tech X — how does it fail?" That applies directly to subnetting. Knowing the definition of a /28 is table stakes. Knowing what breaks when two subnets overlap is what gets you the offer.
For context: subnetting accounts for roughly 15% of CCNA exam content. In interviews, the weight is similar — it's not the whole conversation, but it's a section you can't afford to fumble.
Fresher level subnet interview questions
At this level, interviewers are testing conceptual clarity. They want clean definitions and basic calculation fluency — not speed, not design opinions.
Q1 — What is subnetting?
Subnetting divides a larger IP network into smaller, logically distinct sub-networks. Each subnet operates as its own network segment, which improves routing efficiency, reduces broadcast traffic, and makes security policies easier to enforce. Hiring managers use this question to check whether you understand what a subnetwork actually entails — not just the word.
Q2 — What is a subnet mask, and what does it do?
A subnet mask is a 32-bit number that separates the network portion of an IP address from the host portion. For example, 255.255.255.0 means the first 24 bits identify the network and the last 8 bits identify hosts within it. Routers use the subnet mask to determine whether a destination IP is local or needs to be forwarded.
Q3 — What is CIDR notation?
CIDR (Classless Inter-Domain Routing) notation expresses an IP address and its subnet mask as a single value — for example, 192.168.1.0/24. The number after the slash indicates how many bits are used for the network prefix. CIDR replaced the old classful addressing system and allows more flexible allocation of IP space.
Q4 — What is the difference between a network address and a broadcast address?
The network address is the first address in a subnet — all host bits set to 0. It identifies the subnet itself. The broadcast address is the last address — all host bits set to 1. Packets sent to the broadcast address reach every host on that subnet. Neither is assignable to a device.
Q5 — How many usable hosts does a /24 subnet have?
A /24 subnet has 256 total addresses (2⁸). Subtract 2 — one for the network address, one for the broadcast address — and you get 254 usable host addresses.
Q6 — What is the default subnet mask for a Class C network?
255.255.255.0, which corresponds to /24. Class C networks use the first three octets for the network portion and the last octet for hosts. IPv4 classes (A, B, C, D, E) are largely historical now that CIDR is standard, but interviewers still ask about them.
Q7 — What is the difference between public and private IP addresses?
Private IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are used within internal networks and are not routable on the public internet. Public IP addresses are globally unique and routable. NAT (Network Address Translation) bridges the two by mapping private addresses to a public address for outbound traffic.
Q8 — What is a default gateway and why does it matter in subnetting?
The default gateway is the IP address of the router interface on a host's local subnet. When a host needs to reach a destination outside its own subnet, it sends the packet to the default gateway. DHCP typically assigns the gateway along with the IP address, subnet mask, and DNS server.
Q9 — What is NAT and how does it relate to subnets?
NAT translates private IP addresses to a public IP address (and vice versa) at the network boundary. It lets multiple hosts on a private subnet share a single public IP for internet access. In cloud environments, NAT gateways serve the same function for instances in private subnets that need outbound connectivity.
Q10 — What is the difference between IPv4 and IPv6 addressing?
IPv4 uses 32-bit addresses (~4.3 billion total), written in dotted-decimal notation (e.g., 192.168.1.1). IPv6 uses 128-bit addresses (effectively unlimited), written in hexadecimal colon notation (e.g., 2001:0db8::1). IPv6 was designed to solve address exhaustion and includes built-in auto-configuration and simplified headers. Subnetting exists in both, but the mechanics differ — IPv6 subnets are typically /64 by convention.
At this level, interviewers want clean definitions. Avoid over-explaining.
Intermediate subnet interview questions
Here the bar shifts. Interviewers expect calculation speed, design reasoning, and awareness of how subnetting works in cloud environments — not just on paper.
Q11 — How do you calculate the number of subnets from a given CIDR block?
Count the bits borrowed from the host portion. If you start with a /24 and subnet to /26, you've borrowed 2 bits, giving you 2² = 4 subnets. Each subnet has 2⁶ − 2 = 62 usable hosts. The formula: number of subnets = 2^(new prefix − original prefix).
Q12 — What is a /28 subnet? How many hosts does it support?
A /28 subnet has a mask of 255.255.255.240. It provides 16 total addresses (2⁴), of which 14 are usable for hosts. Common use case: small server clusters or management networks where you need a handful of addresses and want tight broadcast domains.
Q13 — What is route summarization (supernetting)?
Route summarization combines multiple contiguous subnets into a single, shorter-prefix route advertisement. For example, four /26 subnets (192.168.1.0/26 through 192.168.1.192/26) can be summarized as 192.168.1.0/24. This reduces routing table size and improves convergence time.
Q14 — What is a wildcard mask and how does it differ from a subnet mask?
A wildcard mask is the inverse of a subnet mask. Where a subnet mask uses 1-bits to mark the network portion, a wildcard mask uses 0-bits. For a /24 subnet mask (255.255.255.0), the wildcard mask is 0.0.0.255. Wildcard masks appear in ACLs and routing protocol configurations (OSPF, EIGRP) to define which bits must match.
Q15 — What is VLSM (Variable Length Subnet Masking)?
VLSM lets you use different subnet mask lengths within the same network. Instead of giving every subnet the same size, you allocate based on actual need — a /30 for a point-to-point link, a /24 for a large user segment. VLSM reduces IP waste and is standard practice in modern network design.
Q16 — What is the difference between a VLAN and a subnet?
A VLAN is a Layer 2 construct — it segments a physical switch into logically separate broadcast domains. A subnet is a Layer 3 construct — it defines a range of IP addresses that share a common network prefix. In practice, each VLAN is typically mapped to one subnet, but they operate at different layers and serve different purposes.
Q17 — How does DHCP assign subnet information?
When a host sends a DHCP Discover broadcast, the DHCP server responds with an Offer that includes an IP address, subnet mask, default gateway, DNS server, and lease duration. The subnet mask tells the host which portion of its IP identifies the network vs. the host. Without DHCP, every device on the subnet would need manual configuration.
Q18 — What is the purpose of subnetting in a VPC?
In a cloud VPC (Virtual Private Cloud), subnetting divides the VPC's CIDR block into public and private segments. Public subnets have routes to an internet gateway; private subnets route outbound traffic through a NAT gateway. This separation controls which resources are internet-facing and which are isolated — it's foundational to cloud security architecture.
Q19 — What is the difference between a /29 and a /27 subnet?
A /29 gives you 8 total addresses (6 usable hosts), with a mask of 255.255.255.248. A /27 gives you 32 total addresses (30 usable hosts), with a mask of 255.255.255.224. The choice depends on how many hosts you need — /29 for point-to-point or tiny management networks, /27 for small teams or service clusters.
Q20 — How does subnetting reduce broadcast traffic?
Every subnet is its own broadcast domain. A broadcast sent by one host reaches every other host on the same subnet — but not hosts on different subnets. Dividing a large flat network into smaller subnets limits the blast radius of broadcast traffic, which reduces congestion and improves performance.
At this level, show your work. Interviewers want to see the reasoning, not just the answer.
Experienced / scenario based subnet interview questions
Senior and platform-engineer interviews move from "what is" to "what would you do when." One hiring manager on Reddit put it directly: "How would you handle internal and external connectivity? As the network grows, what are some potential issues with the responses you've given?" That's the mindset for this section.
Frame every answer around three things: the constraint, your approach, and the failure mode you're guarding against.
Q21 — You need to allocate subnets for three environments (dev, staging, prod) in a single VPC. Walk me through your approach.
Start with the VPC CIDR — say 10.0.0.0/16. Divide it into non-overlapping blocks sized to each environment's needs. Prod gets the largest allocation (e.g., 10.0.0.0/18) because it scales most. Dev and staging get smaller blocks (e.g., /20 each). Leave unallocated space for future growth. Use separate route tables and NACLs per environment to enforce isolation.
Q22 — A host can't reach another host on a different subnet. How do you troubleshoot?
Check the basics first: does the source host have the correct IP, subnet mask, and default gateway? Can it ping its own gateway? If yes, check the routing table on the gateway — is there a route to the destination subnet? Then check ACLs, security groups, and firewall rules between the subnets. Finally, verify the destination host's subnet mask and gateway. Most failures are misconfigurations, not hardware.
Q23 — How would you subnet a /22 block to support 10 teams, each needing at least 50 hosts?
A /22 gives you 1,024 addresses. Each team needs at least 50 hosts, so you need subnets with at least 62 usable addresses — that's a /26 (64 total, 62 usable). Ten /26 subnets consume 640 addresses, leaving 384 for future use. If some teams need more, use VLSM — give larger teams a /25 and smaller teams a /27.
Q24 — What happens if two subnets overlap? How do you detect and fix it?
Overlapping subnets cause routing ambiguity — packets may be delivered to the wrong subnet or dropped entirely. Symptoms include intermittent connectivity and ARP conflicts. Detect it by auditing your IP address management (IPAM) records and comparing CIDR blocks. Fix it by re-addressing one of the overlapping subnets and updating all route tables, DHCP scopes, and firewall rules accordingly.
Q25 — How does subnetting interact with security groups and firewall rules?
Security groups and firewall rules reference CIDR blocks to define allowed traffic. A well-designed subnet scheme makes security rules cleaner — you can allow 10.0.1.0/24 (the app subnet) to reach 10.0.2.0/24 (the database subnet) on port 5432, and deny everything else. Poor subnetting forces overly broad rules or excessive per-host exceptions.
Q26 — Explain how Kubernetes pod networking relates to subnets.
In Kubernetes, each pod gets its own IP from a pod CIDR range. Nodes are assigned a subnet slice of that range (e.g., each node gets a /24 from a cluster-wide /16). The CNI plugin handles routing between pod subnets across nodes. In cloud-managed clusters (EKS, GKE), pod IPs may come from the VPC's own subnet space, which means your VPC CIDR planning must account for pod density.
Q27 — What is VXLAN and when would you use it instead of traditional subnetting?
VXLAN (Virtual Extensible LAN) is an overlay protocol that encapsulates Layer 2 frames inside UDP packets, letting you stretch Layer 2 domains across Layer 3 boundaries. Use it when you need more than 4,094 VLANs (VXLAN supports ~16 million segment IDs), or when workloads need Layer 2 adjacency across data centers or availability zones without re-architecting the underlay.
Q28 — How does BGP interact with subnet advertisement?
BGP advertises network prefixes (CIDR blocks) to neighboring autonomous systems. When you advertise a subnet via BGP, you're telling the internet (or your internal peers) that traffic for that prefix should route to you. Misconfigured BGP advertisements — like advertising a subnet you don't own, or advertising overlapping prefixes — can cause route hijacking or black-holing.
Q29 — What are the trade offs between using many small subnets vs. fewer large ones?
Many small subnets give you tighter security boundaries and smaller broadcast domains, but increase routing table size and management complexity. Fewer large subnets simplify routing and administration, but create larger blast radii for broadcasts and make fine-grained access control harder. The right answer depends on the environment — a multi-tenant cloud deployment leans toward smaller subnets; a small office network doesn't need that granularity.
Q30 — How would you design subnets for a multi region cloud deployment?
Assign each region a non-overlapping CIDR block from your global allocation (e.g., us-east gets 10.0.0.0/16, eu-west gets 10.1.0.0/16). Within each region, subdivide by environment and tier. Ensure no overlap across regions — this matters for VPC peering and transit gateway routing. Plan for NAT gateways in private subnets, and leave headroom in each block for scaling. Document everything in a central IPAM system.
At this level, structure your answer: state the constraint, your approach, and the failure mode you're guarding against.
How to practice subnet interview questions
Three things that actually help:
Do timed calculations. Practice /24 through /28 host counts until they're automatic. Subnetting math should feel like arithmetic, not algebra. The faster you calculate, the more time you have to explain your reasoning.
Explain your reasoning out loud. Interviewers care about the thought process, not just the number. Practice narrating your approach — "I'm borrowing 4 bits from the host portion, which gives me 16 subnets of 14 usable hosts each" — until it sounds natural.
Tie answers to real systems. Mention VPCs, security groups, or Kubernetes pod CIDRs where relevant. It signals that you understand subnetting in the context of modern infrastructure, not just textbook exercises.
If you want to practice under realistic conditions, Verve AI's Interview Copilot lets you run mock interviews on networking and infrastructure topics with real-time feedback — useful for building the habit of explaining subnet reasoning out loud before you're doing it for real.
Quick reference — subnet mask cheat sheet
The CIDR values you'll be asked about most often:
- /30 — 255.255.255.252 — 2 usable hosts (point-to-point links)
- /29 — 255.255.255.248 — 6 usable hosts
- /28 — 255.255.255.240 — 14 usable hosts
- /27 — 255.255.255.224 — 30 usable hosts
- /26 — 255.255.255.192 — 62 usable hosts
- /25 — 255.255.255.128 — 126 usable hosts
- /24 — 255.255.255.0 — 254 usable hosts
Memorize /24 through /28. These appear in the majority of interview calculations.
---
Subnet questions test both calculation speed and design reasoning. The 30 questions above cover both — from "what is a subnet mask" to "design subnets for a multi-region deployment." Work through them, practice explaining your answers out loud, and you'll know exactly what to expect.
Verve AI's Interview Copilot can help you rehearse networking questions with real-time suggestions — so the first time you explain a /22 allocation plan isn't in front of a hiring manager.
Verve AI
Archive