Ever tried to squeeze four devices onto a single tiny slice of the internet and wondered why the numbers look like “/30” instead of the usual “255.255.255.0”?
You’re not alone. Most people see that slash and assume it’s some secret code for “extra-secure” or “super-fast.” The truth is a bit more practical and a lot less mysterious. A /30 subnet mask is the network engineer’s way of saying, “I need exactly four IP addresses, no more, no less.”
If you’ve ever set up a point‑to‑point link between two routers, or you’re curious why your ISP sometimes hands you a tiny block of addresses, you’ll want to keep reading. The short version is: a /30 gives you just enough room for two hosts, a network ID, and a broadcast address. Everything else in this post unpacks why that matters, how it works, and where you’ll actually see it in the wild.
What Is a /30 Subnet Mask
In plain English, a /30 subnet mask is a way of carving a larger IP network into a very small piece that contains exactly four IP addresses. The “/30” part tells you how many bits of the 32-bit IPv4 address are set to “1” in the mask.
The binary picture
IPv4 addresses are 32 bits long. A subnet mask also has 32 bits, and the “/30” tells you that the first 30 bits are ones, leaving the last two bits as zeros. In dotted‑decimal form that’s:
11111111.11111111.11111111.11111100 → 255.255.255.252
Those two zero bits are the only ones that can change, which means you can only have 2² = 4 possible addresses in that block.
What those four addresses are
- Network address – the very first address (all host bits are 0). It identifies the subnet itself and can’t be assigned to a device.
- Usable host #1 – the first address you can actually assign.
- Usable host #2 – the second assignable address.
- Broadcast address – the last address (all host bits are 1). It’s used to talk to every device on that tiny subnet at once and also can’t be assigned.
So a /30 is essentially a “four‑slot” subnet: two slots for devices, two slots that the network reserves for itself.
Why It Matters / Why People Care
You might wonder why anyone would bother with such a tiny slice when a typical home network gets a /24 (256 addresses). The answer is all about efficiency and purpose.
Point‑to‑point links
When two routers talk directly to each other—think of a VPN tunnel, a WAN link, or a simple Ethernet crossover—you only need two IPs: one for each router. Using a /30 means you’re not wasting address space on a larger subnet that would never be filled. In practice, many ISPs hand out /30 blocks for exactly this reason.
Security through minimal exposure
Fewer addresses mean fewer potential attack surfaces. If you accidentally expose a /30 to the internet, the only hosts that can reply are the two you intended. It’s a tiny, controlled environment, which is easier to monitor.
Cost and routing simplicity
Some older routing hardware counts the number of subnets rather than the number of hosts. Giving each link its own /30 can keep the routing table tidy and avoid unnecessary summarization headaches.
Real‑world example
Imagine a small office with two sites, each with its own router. The corporate network connects the sites via a dedicated fiber line. The ISP gives you a /30: 192.0.2.0/30.
- 192.0.2.0 – network ID (never used)
- 192.0.2.1 – router at Site A
- 192.0.2.2 – router at Site B
- 192.0.2.3 – broadcast (never used)
That’s it. No extra IPs cluttering the address plan, and the routers can ping each other without any extra configuration.
How It Works (or How to Do It)
Now that you know what a /30 is, let’s walk through the steps you’d actually take to configure one. I’ll use Cisco‑style CLI commands because they’re common, but the concepts translate to any vendor.
1. Determine the network block you need
If you’re handed a block like 10.10.10.0/30, you already have the network address (10.10.10.0) and the mask (255.255.255.252). If you have a larger block and need to carve a /30 out of it, you’ll do a quick binary check.
Quick tip
Start with the larger network, then count in increments of 4 (because 2² = 4). For a /24 (255.255.255.0), the first /30 is 192.168.1.0/30, the next is 192.168.1.4/30, then 192.168.1.8/30, and so on.
2. Assign the usable IPs to your devices
Pick the second and third addresses in the block. In our example:
- Router A gets 10.10.10.1/30
- Router B gets 10.10.10.2/30
Make sure you don’t assign the .0 (network) or .3 (broadcast) to any interface.
3. Configure the mask on each interface
On a Cisco router the command looks like:
```
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 no shutdown
```
Do the same on the opposite side, swapping the IP.
4. Verify the link
A quick ping 10.10.10.2 from Router A should succeed. If it fails, double‑check:
- Both ends use the same mask (255.255.255.252)
- No ACLs or firewalls are blocking ICMP
- The physical connection is good
5. Optional: Set a static route (if needed)
If the /30 is just a transit link, you might add a static route on each router pointing to the other network’s larger LAN.
```
ip route 192.168.20.0 255.255.255.0 10.10.10.2
```
That tells Router A that to reach the remote LAN, it should forward traffic to Router B’s /30 address.
6. Test real traffic
Ping a host on the far side, or try a traceroute. If the path goes through the /30 link, you’ve nailed it.
Common Mistakes / What Most People Get Wrong
Even seasoned admins slip up with /30s. Here are the pitfalls I see most often.
Using the broadcast address as a host
Because the block is so tiny, it’s tempting to “just use the .3” for a device. The network will still work for unicast traffic, but broadcast-dependent services (like DHCP or ARP) will break, and you’ll get puzzling “no response” errors.
Forgetting the network ID in routing tables
When you advertise a /30 in a routing protocol, you must use the network address (the .0) as the prefix. Advertising “10.10.10.1/30” confuses the protocol and can cause black-hole routes.
Mixing masks
Sometimes you’ll see a /30 written as “255.255.255.252” and later someone copies the mask incorrectly as “255.255.255.0.” A single typo and the whole link goes silent.
Assuming /30 works for LANs
A /30 is great for point-to-point, but never use it for a regular LAN where you need more than two hosts. You’ll quickly run out of IPs and end up with “IP address already in use” errors.
Over‑subnetting a /30 from a /30
Trying to carve a /31 or /32 out of a /30 is a recipe for “invalid subnet mask” errors. Remember, the smallest usable IPv4 subnet for hosts is a /30 (four addresses). A /31 is only for point‑to‑point links without a broadcast address, but you can’t derive it from a /30 block without re‑calculating the range.
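A pre-deployment check for the mistakes listed in this section, as an added example that is not part of the original post. The function names are hypothetical, and the sample addresses are constructed from the 10.10.10.0/30 block used in the walkthrough.

```python
import ipaddress

def check_endpoint(addr):
    """Flag an interface address that sits on a reserved slot of its subnet."""
    iface = ipaddress.ip_interface(addr)
    net = iface.network
    if net.prefixlen >= 31:              # /31 and /32 reserve nothing
        return []
    if iface.ip == net.network_address:
        return [f"{addr} is the network ID of {net}"]
    if iface.ip == net.broadcast_address:
        return [f"{addr} is the broadcast address of {net}"]
    return []

def check_link(side_a, side_b):
    """Return the problems found on the two ends of one point-to-point link."""
    a, b = ipaddress.ip_interface(side_a), ipaddress.ip_interface(side_b)
    problems = check_endpoint(side_a) + check_endpoint(side_b)
    if a.network.prefixlen != b.network.prefixlen:
        problems.append(f"mask mismatch: {a.network.netmask} vs {b.network.netmask}")
    elif a.network != b.network:
        problems.append(f"ends are in different subnets: {a.network} vs {b.network}")
    if a.ip == b.ip:
        problems.append(f"both ends use {a.ip}")
    return problems

def canonical_prefix(text):
    """Return (is_valid, prefix_to_advertise) for a prefix given as 'ip/len'.

    A prefix with host bits set (e.g. 10.10.10.1/30) is invalid; the second
    value is the network address form that should be advertised instead.
    """
    try:
        return True, str(ipaddress.ip_network(text))      # strict parsing
    except ValueError:
        return False, str(ipaddress.ip_interface(text).network)

if __name__ == "__main__":
    # Constructed link definitions: one good, three with a mistake from above.
    for a, b in [("10.10.10.1/30", "10.10.10.2/30"),
                 ("10.10.10.1/30", "10.10.10.3/30"),
                 ("10.10.10.1/30", "10.10.10.2/24"),
                 ("10.10.10.1/30", "10.10.10.5/30")]:
        print(a, b, check_link(a, b) or "ok")
    print(canonical_prefix("10.10.10.1/30"))
```
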
Practical Tips / What Actually Works
Here are the nuggets you can start applying right now.
- Keep a spreadsheet of /30 allocations – Write down the network, usable IPs, purpose, and date assigned. It saves you from accidentally reusing a block later.
- Use /31 for pure router-to-router links if your gear supports it – Modern equipment accepts a /31 (255.255.255.254) which gives you exactly two usable IPs without a broadcast address. It’s even more efficient than a /30.
- Label the physical cables – When you have dozens of point-to-point links, a simple “10.10.10.0/30 – Site A ↔ Site B” tag on the fiber or copper helps troubleshooting.
- Automate with scripts – If you provision many links, a short Python script that takes a base network and spits out sequential /30 blocks can cut hours of manual work.
- Check for overlapping subnets – Run an IPAM (IP Address Management) scan before you hand out new /30s. Overlaps cause routing loops that are hard to trace.
- Document the purpose, not just the numbers – A /30 used for a DMZ, a backup line, or a monitoring console each has different security considerations. Note that in your design docs.
- Test with both ICMP and a real service – Ping works, but try a TCP connection (e.g., telnet <host> 22) to make sure the link handles actual traffic.
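The script described in the “Automate with scripts” tip, combined with the overlap check from the tip that follows it, as an added example that is not part of the original post. The function name, the row keys, and the `ALLOCATED` list (a constructed stand-in for an IPAM export) are assumptions.

```python
import ipaddress

def next_free_links(supernet, allocated, count=1, prefixlen=30):
    """Return the first `count` free /30 (or /31) blocks inside `supernet`.

    `allocated` lists prefixes already handed out (any size); a candidate is
    skipped if it overlaps one of them, so no block is issued twice.
    """
    if prefixlen not in (30, 31):
        raise ValueError("point-to-point links use /30 or /31")
    parent = ipaddress.ip_network(supernet)       # raises if host bits are set
    used = [ipaddress.ip_network(p) for p in allocated]
    rows = []
    for block in parent.subnets(new_prefix=prefixlen):
        if any(block.overlaps(u) for u in used):
            continue
        side_a, side_b = block.hosts()            # the two assignable addresses
        rows.append({
            "network": str(block),
            "side_a": f"{side_a}/{prefixlen}",
            "side_b": f"{side_b}/{prefixlen}",
            # A /31 has no network ID or broadcast slot to reserve.
            "broadcast": None if prefixlen == 31 else str(block.broadcast_address),
        })
        if len(rows) == count:
            break
    return rows

# Constructed sample data: a /24 with one /30 and one /29 already in use.
SUPERNET = "192.168.1.0/24"
ALLOCATED = ["192.168.1.0/30", "192.168.1.8/29"]

if __name__ == "__main__":
    for row in next_free_links(SUPERNET, ALLOCATED, count=3):
        print(row)
```

Each returned row maps directly onto a line of the allocation spreadsheet from the first tip.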
FAQ
Q: Can I use a /30 for a LAN with more than two devices?
A: No. A /30 only gives you two usable host addresses. For a LAN you’ll need at least a /29 (8 addresses) or larger.
Q: Why does a /30 have a broadcast address if I only need two hosts?
A: The broadcast address is part of the IPv4 subnet definition. Even tiny subnets reserve it for compatibility with protocols that rely on broadcast (like ARP).
Q: Is a /31 ever better than a /30?
A: Yes, when both ends of the link are routers and you don’t need a broadcast address. A /31 gives you exactly two usable IPs and eliminates the “wasted” network/broadcast slots.
Q: How many /30 subnets fit inside a /24?
A: A /24 has 256 addresses. Divide that by 4 (the size of a /30) and you get 64 distinct /30 blocks.
Q: My ISP gave me a /30, but I need three devices on that link. What do I do?
A: You can’t. Ask for a larger block (e.g., /29) or create a separate VLAN on a router that can NAT the extra hosts behind the two /30 IPs.
That’s the whole story behind the little slash and the even smaller block it creates. A /30 subnet mask isn’t a fancy security feature or a performance booster; it’s a precise tool for when you need exactly two hosts, a network ID, and a broadcast address. Use it for point-to-point links, keep your documentation tidy, and you’ll never waste an IP address again.
Happy subnetting!
8. Plan for future growth — don’t “hard‑code” the /30 forever
Even though a /30 is perfect for a static point-to-point circuit, networks evolve. When you design the surrounding topology, keep a few spare /30 blocks in the same super-net (e.g., reserve the next two /30s after the one you’re using). That way, if you later need to add a monitoring tap, a secondary backup link, or migrate to a dual-stack IPv6-only tunnel, you already have contiguous address space to work with without having to renumber the existing link.
9. Take advantage of IPv6 where possible
IPv6 eliminates the whole “run out of /30s” problem because the address space is effectively infinite for point‑to‑point links. Modern routers can run a /127 (the IPv6 equivalent of a /31) on a link‑local address pair, which provides the same two‑host efficiency without the broadcast concerns of IPv4. If you’re deploying new equipment, consider enabling IPv6 on the link and using it as the primary transport, falling back to IPv4 only when required by legacy gear.
10. Integrate with network‑wide policies
Most enterprises enforce security policies via firewalls, ACLs, or SD‑WAN controllers. Because a /30 is a distinct prefix, you can easily reference it in policy rules:
- Zero‑trust segmentation – Allow only the required protocols (e.g., OSPF, BGP, IPsec) between the two IPs.
- QoS shaping – Bind a traffic‑class to the /30 to guarantee bandwidth for latency‑sensitive services.
- Logging – Enable flow‑recording on the exact /30 so you can audit every packet that traverses the link.
By treating the /30 as a first-class object in your policy engine, you keep the link’s behavior predictable and auditable.
11. Monitor link health beyond “up/down”
A simple show ip interface brief will tell you whether the interface is administratively up, but it won’t reveal subtle degradations. Deploy one of the following:
| Tool | What it measures | Typical alert |
|---|---|---|
| BFD (Bidirectional Forwarding Detection) | Detects loss of forwarding path in sub‑second intervals | Link considered down after 3 missed BFD packets |
| IP SLA (Cisco) / Ping‑mon (Juniper) | Tracks latency, jitter, packet loss over time | Trigger alarm if loss > 2 % for 30 seconds |
| SNMP rttMon | Centralized monitoring with thresholds | Correlate with syslog for faster root‑cause analysis |
| NetFlow / sFlow | Traffic volume and protocol mix | Spot unexpected spikes that could indicate a mis‑configuration |
When you combine these health checks with the static nature of a /30, you get a very clean signal-to-noise ratio for troubleshooting.
12. Backup the configuration
Because a /30 is often part of a critical transport, the router configuration that contains the address assignments should be version-controlled. Store the config snippet in a Git repository or an automated configuration-management system (Ansible, Salt, etc.).
```yaml
- name: Configure point-to-point link
  ios_config:
    # The interface is the parent context; the lines below are applied inside it.
    parents: interface GigabitEthernet0/2
    lines:
      - ip address 10.10.10.1 255.255.255.252
      - description "Site-A ↔ Site-B"
      - no shutdown
    # Write the running config to startup only when something changed.
    save_when: changed
```
Now, if a device fails, you can redeploy the exact same /30 settings on a replacement with a single command.
TL;DR – The “Golden Rules” for /30 Point‑to‑Point Links
| Rule | Why it matters |
|---|---|
| Use /30 (or /31) only for two‑router links | Guarantees no wasted addresses and avoids broadcast traffic. |
| Label cables and interfaces | Saves hours of debugging when a link flaps. |
| Automate address allocation | Prevents human error and speeds up large roll-outs. |
| Validate with IPAM | Stops overlapping subnets that can cause routing black holes. |
| Document purpose & security stance | Enables proper ACLs, QoS, and compliance reporting. |
| Test with real traffic | Confirms that the link handles the intended services, not just pings. |
| Plan for growth & IPv6 | Future-proofs the design without re-addressing. |
| Integrate into policy and monitoring | Turns a static /30 into a managed, observable service. |
| Version‑control the config | Makes disaster recovery a single‑click operation. |
Conclusion
A /30 subnet is the unsung workhorse of the modern network: small enough to be efficient, yet large enough to carry the essential control plane traffic that keeps sites talking. By treating each /30 as a deliberately crafted, documented, and monitored service, you transform a simple two-host link into a reliable, auditable component of your wider architecture. Whether you stick with classic IPv4, migrate to IPv6 /127 links, or blend both in a dual-stack environment, the principles remain the same: allocate precisely, label clearly, automate wisely, and monitor relentlessly. Follow these practices, and your point-to-point circuits will stay up, stay secure, and stay easy to manage: no wasted IPs, no surprise outages, and no mystery when something goes wrong. Happy subnetting, and may your links always be low-latency and high-availability.