IP Subnetting Deep-dive

Dedicated BEMS IP networks are usually very simple in terms of subnetting. However, when they need to be integrated with a customer's IT network, the subnetting can get a little tricky. Let's try and clarify things in simple terms.


Most of us, I'm sure, are very familiar with the basic idea of IP subnetting; if we have a project with a few dozen IP BEMS devices we will naturally select a familiar IP address range of say with a subnet mask of We know this will give us plenty of addresses to future-proof such an installation and understand that if the first 3 fields of the IP address and all fields in the subnet mask are the same on all devices, they will all be sitting on a single subnet and happily communicate with each other. However, life cannot always be that simple...

Why Things Can Get More Complicated

The usual reason is that you are required to integrate the BEMS devices with a customer's IT network - they will probably have a detailed network design specification relating to network architecture and IP addressing that you will have to follow. They will have many hosts (e.g. devices, PCs, servers etc.) sitting on a complex network with routers, switches etc. that require a complex subnetting scheme to ensure the network can run and be managed efficiently. Whilst this takes the weight of IP design responsibility off your shoulders to a certain degree, their scheme may use subnet masking that is unfamiliar to you and may use terms, acronyms and notation that they assume you will understand and be able to decipher. Of course, the old adage of "If in doubt, ask" still holds true, but it always helps to be armed with as much knowledge of a topic as possible to start with.

Basic Clarifications

Before we dive in, let's clarify something about network classes - there are different IP network classes for addressing normal IP devices, A, B and C - without going into a detailed history, this originated from the early days of IP addressing (circa 1985) but things have developed since and it is important not to get too bogged down in their relevance today as it seems to cause a lot of confusion (if internet forums are anything to go by!). Instead, let's just say they are (or maybe were??) a thing, but it's more important these days to know which address schemes are available for you to use, which is best for your application and how to apply subnets to them in order to group devices/hosts how you or your customer desires in order to suit your application.

Private Network Address Ranges

Whether you or your customer are allocating BEMS IP addresses, for a typical site, they should in the vast majority of cases be private IP addresses. These are well defined by the IP gods (for very good reasons that we will not go into here) and fall in the following address range blocks -

  • to @ 16 million addresses available
  • to @ 1 million addresses available
  • to @ 65 thousand addresses available

You will notice the top range in the list has the first number fixed to 10 whilst all the other numbers (or "octets") are freely settable - let's quickly dispel a misunderstanding I've come across in the past - whilst it can have a subnet mask of this range of addresses is not limited to this. It could also have a subnet mask of and many others - it all depends on the network IP design you or your customer comes up with to divide the network into various subnets to suit your requirements.

On the other hand, the bottom one has the 1st and 2nd numbers (or octets, we'll see why they are called this later) fixed to 192.168 - this should have a subnet mask of at least (it should not be set to, for example) and can be set in many other ways such as too, (that 240 at the end may be alien to some of you, have no fear, all will be explained!) but more usually in simple, small home networks, for example.

Which range is selected for your BEMS IP devices will either depend on your customer - usually big corporations or universities use the range due to the huge number of devices they need to cater for - or yourself; usually the range will work for a BEMS system in isolation from a corporate network but there is nothing to stop you using the others if it fits your scheme better and that doesn't necessarily have to be down to quantities.

Subnet Notation

So I imagine we are all familiar with basic BEMS networks and our home networks that quite often have an IP address configuration such as -

  • IP Address
  • Subnet mask

What does this mean? The subnet mask is actually a decimal representation of 4 binary octets (8 bits each) that tells you which parts of the address are used to define the "Network" address, which tells the device which subnet it is part of, and which is the "Host" address part, its unique address on the subnet; if a subnet mask bit is 1 the corresponding bit in the address is used for the network address, if it is 0 it is used for the host part of the address -

                   Octet 1  | Octet 2  | Octet 3  | Octet 4

Subnet in dec.     255.       255.       255.       0

Binary result      11111111   11111111   11111111   00000000

Role               nnnnnnnn   nnnnnnnn   nnnnnnnn   hhhhhhhh   (n = network, h = host part)

IP address         192.       168.       1.         1

IP Add. Role       |    Network/subnet address    | Host part |

In the example above, when you see "255" you can take it that the whole of the number (or octet) is used as part of the Network address, as this will set the binary octet to all 1s (decimal 255 = binary 11111111), therefore the network address is (as the 4th octet is fully used for the host part it effectively sets this octet to 0 for the network address). The last/4th octet of the subnet mask is 0 so this means the 4th octet is used exclusively for the host part, it is free to be set in the range 1-254 and in our case the full host IP address is - the network and host parts combined - other hosts with a different IP address but with the same subnet mask AND network address will be on the same subnet as this device, e.g. whereas with the same subnet mask (or otherwise) would not be, the network address would be = different subnet.

Now, when talking about subnet masks it gets very tiresome saying "the subnet is" many times in meetings/techy discussions and writing it down isn't much fun either (and takes up a lot of room). There is another way of describing network subnets - the example above could be said to be on a network subnet of -


So what does the "/24" (you may hear people refer to it as "slash twenty four") mean? It obviously replaces the way of describing the subnet mask, but how does that work? As we saw above, when we type in into a subnet mask we are effectively setting each bit in 4 binary octets (8 bits each) in the mask to 1 or 0 to indicate which parts refer to the network address and which are the host part of the address i.e. -

                   Octet 1  | Octet 2  | Octet 3  | Octet 4

Decimal value      255.       255.       255.       0

Binary result      11111111   11111111   11111111   00000000

Number of 1s       8        + 8        + 8        + 0          = 24

The "/24" just tells us how many 1s are being set in the subnet mask by using any particular subnet mask, simple as that! If you see any other "slash" notation e.g. /17, to create the mask, make yourself a table like the one above and just set the octet bits from left to right to 1 until you have set a total of 17 then set the rest to 0 and then work out the equivalent decimal number for each octet so you can set the subnet mask in your devices correctly. Alternatively, jump online and find a subnet calculator that can do it all for you, but it helps to understand how the decimal numbers are arrived at and how the different notations work.

To follow on from that, here are some more examples -

  • IP address of with Subnet of =
    • Subnet mask in binary 11111111  00000000  00000000  00000000
  • IP address of with Subnet of =
    • Subnet mask in binary 11111111  11111111  00000000  00000000
  • IP address of with Subnet of =
    • Subnet mask in binary 11111111  11111111  11111111  00000000
  • IP address of with Subnet of =
    • Subnet mask in binary 11111111  11111111  11111111  11110000

The last example is a little bit more involved and harder to deal with as the 4th octet is used to tell us part of the host IP address AND part of the network address to work out which subnet the device will reside on. Let's go a bit deeper to see how this works.

Subnetting Deep-dive

So hopefully we're all clear on basic subnetting, what it's used for and how it can be written in different ways.

Let's go a bit deeper with the last example from above, IP address of with Subnet of or, to write it another way,

We understand how a network would provide a subnet with 254 possible hosts. Some network designers may want to further split this network, i.e. instead of having one subnet with 254 devices, they may want 16 subnets with 14 devices on each, one for PCs, one for BEMS, one for lighting etc. This is where you might also see something like "" - let's see how this works - firstly, let's revisit how to calculate the subnet mask from the given notation -

                   Octet 1  | Octet 2  | Octet 3  | Octet 4

Decimal value      255.       255.       255.       240

Binary result      11111111   11111111   11111111   11110000

Number of 1s       8        + 8        + 8        + 4          = 28

To work out the 4th octet decimal value from "/28" notation, we just count in binary in the same way you might set an address on an old Trend BMS controller or some Modbus devices with address DIP switches, in the same way we arrived at 255 for the other octets i.e. -

128  64  32  16   8   4   2   1

  1   1   1   1   0   0   0   0   = 128+64+32+16 = 240

There are also handy little subnet calculators on the internet to do this for you and much more, e.g. https://www.calculator.net/ip-subnet-calculator.html

In the above example, Octet 4 has a dual role as some of its bits are set to 1 and some to 0 - this means the decimal number "50" in the IP address tells us two things -

  • It is simply the number, decimal 50, to make up part of the unique host IP address, i.e.
  • When we apply the subnet mask to it (240 = binary 11110000) it will reveal the 4th octet of the network address to us, but how?

We know the first 3 octets/numbers of the network address as the subnet mask is 255 for each of those, i.e. ALL 1s, so all related to network address ONLY, therefore they are 192.168.1 - so far so good.

To get the 4th number, we need to apply the subnet mask for that octet (240) in binary to the binary representation of decimal 50 (from the IP address, i.e.

We get the network address in binary by comparing the bits in each corresponding position and placing a 0 in the result where the bits are NOT both 1, and a 1 in the result where BOTH bits are 1 like so -

Address octet 4, decimal 50 in binary -        00110010

Subnet mask octet 4, decimal 240 in binary -   11110000

Resulting network add. 4th octet in binary -   00110000, which in decimal is -

128  64  32  16   8   4   2   1

  0   0   1   1   0   0   0   0   = 32+16 = 48

Therefore, the full network address is

To further explain what's going on, if we stick with the 192.168.1.n/28 subnets for now, what other subnets could we have defined by the last octet (n)? Well, the last octet subnet mask allows the 4 most significant bits to be used to set part of the network address (240 = 11110000) so there are 16 possible combinations of setting those 4 bits -

  • 0000xxxx - 0 decimal = network address
  • 0001xxxx - 16 decimal = network address
  • 0010xxxx - 32 decimal = network address
  • 0011xxxx - 48 decimal = network address (as per above example)
  • etc. going up to -
  • 1111xxxx - 240 decimal = network address

You may have noticed the network number increments by 16 each time - this gives 16 subnets with 16 address gaps between them (set by the remaining bits to the right of the network address portion, i.e. xxxx) so -

  • For the network/subnet the addresses comprise of -
    • Network address - - this is ALWAYS the LOWEST address of the subnet
    • Host IP addresses, e.g. for Jaces, PCs, laptops - to
    • Subnet broadcast address - - this is ALWAYS the HIGHEST address of the subnet

And in our example device's ( subnet -

  • For the network/subnet the addresses comprise of -
    • Network address - - this is ALWAYS the LOWEST address of the subnet
    • Host IP addresses, e.g. for Jaces, PCs, laptops to (which our device sits inside)
    • Subnet broadcast address - - this is ALWAYS the HIGHEST address of the subnet

So, as you can see, ANY address between (except the network and broadcast addresses for each subnet which MUST NOT BE USED FOR HOSTS) is valid as a host IP address with a subnet mask of (or /28) BUT they will now fall into smaller subnets instead of one large subnet as per when we used the same IP range with a (or /24) subnet mask.

Conversely, if we want fewer subnets with more host IDs in each, we can set up a subnetting scheme to cater for that too, e.g. - this will give us an extra 2 bits in the 3rd octet to use with the 4th octet to set host addresses with. This gives us a total of 10 bits and therefore 2^10 = 1024 (less 2 for network and broadcast address = 1022) host addresses instead of the previous 254 in each subnet, but fewer subnets to play with, of course.
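The manual steps above (counting 1s for slash notation, ANDing the mask with the address, stepping through the /28 networks) can be checked with a few bitwise operations. This is an added example, not code from the original article; the function names are made up for illustration, and the sample inputs are the article's 192.168.1.n/28 device with 50 in the 4th octet.

```python
def to_int(dotted):
    """Pack a dotted-decimal IPv4 address or mask into one 32-bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 value: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """Unpack a 32-bit integer back into four decimal octets."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """Set `prefix` bits to 1 from the left and the rest to 0 (the "/17" recipe)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask):
    """Count the 1s in a mask, rejecting masks whose 1s are not contiguous."""
    bits = format(to_int(mask), "032b")
    if "01" in bits:  # a 1 to the right of a 0 is not a valid subnet mask
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bits.count("1")

def describe(address, prefix):
    """Network, broadcast and usable host range for address/prefix (prefix <= 30)."""
    if not 0 <= prefix <= 30:
        raise ValueError("/31 and /32 have no separate network/broadcast addresses")
    mask = to_int(prefix_to_mask(prefix))
    network = to_int(address) & mask             # AND: keep only the network bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all set to 1
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),           # always the lowest address
        "first_host": to_dotted(network + 1),
        "last_host": to_dotted(broadcast - 1),
        "broadcast": to_dotted(broadcast),       # always the highest address
        "usable_hosts": broadcast - network - 1,
    }

def subnets_within(parent, parent_prefix, child_prefix):
    """List the network addresses a parent block splits into at child_prefix."""
    base = to_int(parent) & to_int(prefix_to_mask(parent_prefix))
    step = 1 << (32 - child_prefix)              # addresses per child subnet
    count = 1 << (child_prefix - parent_prefix)  # number of child subnets
    return [to_dotted(base + i * step) for i in range(count)]

if __name__ == "__main__":
    print(describe("192.168.1.50", 28))
    print(subnets_within("192.168.1.0", 24, 28))
```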

One Final Note RE Default Gateway Addressing - these need to be in the same subnet as the devices that need to use them, i.e. devices that have a default gateway setting needed to reach other subnets or networks, e.g. for our device the default gateway would need to be set between addresses (excluding 50 of course) - usually they are the first or last available address in the subnet host address range BUT they are configured according to the IT design scheme and should not be guessed at (also, there can be more than one) - essentially, if you didn't provide and/or configure the router used as the default gateway on the subnet in question, someone else needs to provide its details.

This address should not be confused with the subnet's broadcast address, of course. The broadcast address is used by devices when they want to broadcast to all devices within the same subnet. The default gateway address is used when a device in the subnet needs to reach another device on a different subnet or network and needs to send the message to a router first to get the message routed on correctly.
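The addressing rules in this article (private range, no host on the network or broadcast address, default gateway inside the device's own subnet) can be checked before settings are loaded into a controller. This is an added example, not part of the original article; check_device is a hypothetical helper built on Python's standard ipaddress module, and the gateway values used with it are constructed for illustration.

```python
import ipaddress

# The three private IPv4 blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_device(ip, mask, gateway):
    """Return a list of problems with an IP / subnet mask / default gateway set."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:  # malformed address or a non-contiguous mask
        return [f"invalid setting: {exc}"]

    net = iface.network
    problems = []

    if not any(iface.ip in block for block in RFC1918):
        problems.append("host address is not in a private range")

    # Lowest and highest addresses of the subnet must not be given to hosts.
    if net.prefixlen <= 30:
        reserved = {net.network_address: "network",
                    net.broadcast_address: "broadcast"}
        if iface.ip in reserved:
            problems.append(f"host address is the subnet's {reserved[iface.ip]} address")
        if gw in reserved:
            problems.append(f"default gateway is the subnet's {reserved[gw]} address")

    if gw not in net:
        problems.append(f"default gateway is outside the device's subnet {net}")
    elif gw == iface.ip:
        problems.append("default gateway is the device's own address")

    return problems

if __name__ == "__main__":
    # Constructed settings: a gateway that would be fine with a /24 mask
    # but is unreachable once the mask is 255.255.255.240.
    for settings in (("192.168.1.50", "255.255.255.240", "192.168.1.49"),
                     ("192.168.1.50", "255.255.255.240", "192.168.1.1"),
                     ("192.168.1.63", "255.255.255.240", "192.168.1.49")):
        print(settings, check_device(*settings) or "OK")
```

An empty list only means the three values are consistent with each other; the gateway address itself still has to come from the IT design scheme.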