- Introduction
- Why Subnet Masks Exist
- Binary Foundations: Bits and IP Addresses
- What a Subnet Mask Actually Does
- How Network and Host Portions Work
- Classful vs. Classless Addressing (CIDR)
- Subnet Mask Notation and Representation
- Common Subnet Masks and Their Meanings
- Real-World Applications
- Subnet Masks in IPv6
- Subnet Mask Quick Reference Table
- Tools and Further Reading
If you’ve ever looked at an IP address like 192.168.1.10 and wondered what decides where that address belongs, you’re standing at the gates of subnet masks.
A subnet mask is one of those quiet heroes of computer networking rarely noticed, often misunderstood, but absolutely essential. It tells your device which part of an IP address refers to the network (the neighborhood) and which part refers to the host (your specific house).
Think of it like a postal system.
An IP address is a full street address, but the subnet mask defines which part is the city and which part is the house number. Without it, devices would have no idea which ones are “local” neighbors and which ones live in faraway networks.
For example:
IP Address: 192.168.1.10
Subnet Mask: 255.255.255.0
That mask quietly says, “The first three sections (192.168.1) identify the network everything sharing that part is local. The last number identifies the individual device.”
Even if you’ve configured hundreds of routers, it helps to revisit subnet masks with fresh eyes because every IP calculation, every route, and every firewall rule depends on this fundamental division of network and host.
Back in the early days of the internet, networks were divided into fixed “classes” Class A, B, and C each with a preset size. It was simple but wasteful.
A company with only 100 computers might receive an address block big enough for 65,000. Another with 70,000 devices might need several networks stitched together awkwardly.
Subnet masks were invented to solve this problem by adding flexibility. Instead of rigid classes, a subnet mask lets you custom-shape your network. You decide how many bits describe the network and how many bits describe the hosts.
In practice, that means you can split one big network into smaller ones or merge smaller ones into a larger whole depending on what you need.
A subnet mask defines these boundaries precisely, allowing devices and routers to understand whether another IP is within the same local network or must be reached through a gateway.
For instance, if two computers have:
192.168.1.10/24
192.168.2.20/24
their subnet masks (/24 means 255.255.255.0) tell them they live in different neighborhoods. They’ll talk to each other through a router, not directly. Change their masks to /16 (255.255.0.0), and suddenly they’re back on the same street no router needed.
In short: the subnet mask exists to make IP addressing efficient, organized, and scalable.
Without it, the internet would either waste vast address space or drown in confusion.
Before diving deeper into subnet masks, it helps to peel back the layers and see what an IP address really is not just the familiar dotted numbers, but the raw binary underneath.
Computers don’t actually see 192.168.1.10. They see a long string of 1s and 0s, like this:
192.168.1.10 → 11000000.10101000.00000001.00001010
Each IP address is 32 bits long (that’s 4 bytes, 8 bits each).
Every bit is a switch that can be either on (1) or off (0). Together, those switches form a unique pattern that identifies a device.
Humans use decimal notation (base 10) because we have ten fingers.
Computers use binary (base 2) because they only understand two states: current or no current, 1 or 0.
So when we see a dotted-decimal IP address, it’s just a friendly mask for the binary truth underneath.
Here’s a quick example:
| Decimal | Binary |
|---|---|
| 192 | 11000000 |
| 168 | 10101000 |
| 1 | 00000001 |
| 10 | 00001010 |
When we put them together:
192.168.1.10 = 11000000 10101000 00000001 00001010
That’s the language routers and network interfaces speak fluently.
So why does this matter? Because subnet masks work bit by bit.
They decide which portion of those 32 bits belong to the network and which belong to the host and that decision is made through binary math, not magic.
A subnet mask looks deceptively similar to an IP address: four numbers separated by dots, like 255.255.255.0.
But unlike an IP, it isn’t a location it’s a filter, a bitwise stencil that helps your device separate the network ID from the host ID.
Imagine the subnet mask as a transparent overlay of 1s and 0s that sits on top of your IP address:
| Type | Binary Representation |
|---|---|
| IP Address | 11000000.10101000.00000001.00001010 |
| Subnet Mask | 11111111.11111111.11111111.00000000 |
Every 1 in the subnet mask marks a bit that belongs to the network portion.
Every 0 marks a bit reserved for the host portion.
To find the network address, your device performs a simple binary operation: AND.
Binary AND means:
- 1 AND 1 = 1
- 1 AND 0 = 0
- 0 AND 1 = 0
- 0 AND 0 = 0
When you AND the IP and the subnet mask, you get the network address the shared part that identifies which network the device belongs to.
Example:
| Component | Decimal Notation | Binary Notation |
|---|---|---|
| IP Address | 192.168.1.10 | 11000000.10101000.00000001.00001010 |
| Subnet Mask | 255.255.255.0 | 11111111.11111111.11111111.00000000 |
| Network ID | 192.168.1.0 | 11000000.10101000.00000001.00000000 |
Convert that back to decimal, and you get:
Network Address = 192.168.1.0
That’s how your computer decides who’s local and who’s not.
Anything that matches those first 24 bits (/24) is in the same neighborhood and can be reached directly. Anything else? It gets sent to the gateway for routing elsewhere.
In plain language:
- Subnet mask = the map key.
- IP address = the street address.
- Network address = the neighborhood.
- Gateway = the road out of town.
Now that we’ve met the subnet mask, let’s look closer at how it actually divides an IP address into two halves: the network portion and the host portion.
When an IP address is combined with a subnet mask, the binary mask draws a line between these two regions.
Every bit covered by a 1 in the mask belongs to the network portion, and every 0 belongs to the host portion.
For example, take this familiar pair:
IP Address: 192.168.1.10
Subnet Mask: 255.255.255.0 (/24)
In binary form:
IP: 11000000.10101000.00000001.00001010
Mask: 11111111.11111111.11111111.00000000
Here, the first 24 bits (the ones) are the network bits they define the shared identity of this local network.
The remaining 8 bits (the zeros) are the host bits they define the individual devices living inside that network.
That means:
- All devices on the
192.168.1.0/24network will share the first 24 bits. - Only the last 8 bits will differ, giving each device a unique host address.
So if we imagine this as a neighborhood:
- Network portion → the neighborhood name (
192.168.1) - Host portion → the house number (
.10,.42,.200, etc.)
This division determines how large the neighborhood can be.
More bits for the network = fewer bits for hosts (smaller neighborhoods).
Fewer bits for the network = more bits for hosts (bigger neighborhoods).
For a /24 network (8 host bits), there are 2^8 = 256 total combinations. Two are reserved:
- One for the network address (all host bits = 0)
- One for the broadcast address (all host bits = 1)
That leaves 256 - 2 = 254 usable host addresses enough for a small office LAN.
Pro insight: Network and host bits are like the sliding scales of a see-saw. The more precision you want in dividing networks, the fewer hosts each can hold. Subnetting is simply the art of balancing that trade-off.
Back in the 1980s, when the internet was young and engineers wore pocket protectors with pride, IP addresses were divided into fixed classes. It was simple but rigid and quickly became a problem as the network grew.
Classful addressing defined networks by the first few bits of the IP address.
Here’s how it worked:
| Class | First Octet Range | Default Mask | Networks | Hosts per Network |
|---|---|---|---|---|
| A | 1–126 | 255.0.0.0 (/8) | 128 | ~16 million |
| B | 128–191 | 255.255.0.0 (/16) | 16,384 | ~65,000 |
| C | 192–223 | 255.255.255.0 (/24) | 2 million+ | 254 |
This was fine when the internet was small, but it wasted massive chunks of address space.
Imagine giving a company of 200 devices an entire Class B network that’s like renting a stadium for a chess club meeting.
Classful addressing couldn’t adapt to the real-world variety of network sizes. Something had to evolve.
Introduced in the 1990s, CIDR abandoned the idea of fixed classes and introduced a smarter, more flexible system.
Instead of saying “Class A” or “Class C,” we specify exactly how many bits belong to the network.
That’s where slash notation comes from:
/8, /16, /24, /29, and so on.
Each number after the slash shows how many bits of the address are network bits.
For example:
192.168.1.10/24→ 24 bits for network, 8 bits for host.10.0.0.15/12→ 12 bits for network, 20 bits for host.
CIDR allows us to slice networks into perfectly sized pieces. No more waste, no more rigid classes just binary precision.
CIDR’s superpower is aggregation.
A router can represent multiple consecutive networks with one summarized entry, reducing the size of global routing tables and keeping the internet’s brain from exploding under the weight of trillions of entries.
Example:
Instead of four /24 networks:
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
CIDR can summarize them as:
192.168.0.0/22
Subnet masks can be written in two main forms: dotted decimal and slash (CIDR) notation.
Both describe the same concept how many bits of an IP address belong to the network but they do so in different ways.
This is the classic format, where the mask looks like an IP address:
255.0.0.0255.255.0.0255.255.255.0255.255.255.128
Each “255” means that all 8 bits in that octet are network bits (11111111 in binary).
The smaller numbers (like 128, 192, 224) indicate that part of the octet is reserved for the network, and part for the hosts.
| Subnet Mask | Binary Form | Network Bits | Host Bits |
|---|---|---|---|
| 255.0.0.0 | 11111111.00000000.00000000.00000000 | 8 | 24 |
| 255.255.0.0 | 11111111.11111111.00000000.00000000 | 16 | 16 |
| 255.255.255.0 | 11111111.11111111.11111111.00000000 | 24 | 8 |
| 255.255.255.128 | 11111111.11111111.11111111.10000000 | 25 | 7 |
This notation makes the division visible, but it can be awkward when subnetting gets more precise.
That’s why we often use CIDR notation.
CIDR (Classless Inter-Domain Routing) introduced a simpler shorthand:
Instead of writing 255.255.255.0, you just write /24.
That “/24” literally means 24 bits for the network, and the rest (32−24=8 bits) for the hosts.
| CIDR | Equivalent Mask | Network Bits | Host Bits | Usable Hosts |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 8 | 24 | 16,777,214 |
| /16 | 255.255.0.0 | 16 | 16 | 65,534 |
| /24 | 255.255.255.0 | 24 | 8 | 254 |
| /30 | 255.255.255.252 | 30 | 2 | 2 |
The formula for usable hosts per network is:
2^host_bits - 2
One address is reserved for the network, and one for the broadcast, leaving the rest for actual devices.
CIDR notation is universal in modern networking you’ll see it in router configs, firewall rules, and IP planning tools. It’s the lingua franca of IP addressing.
Beginner’s takeaway:
/24is just a quicker way of saying “255.255.255.0.”
Expert’s reflection: CIDR isn’t just convenient it’s the compression format that keeps routing tables sane.
Subnet masks come in many sizes, but a few appear so often that they’ve become part of everyday network life.
Each one represents a balance between network size (how many separate subnets) and host capacity (how many devices per subnet).
| CIDR | Subnet Mask | # of Subnets (from /8) | Hosts per Subnet | Typical Use |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 1 | 16,777,214 | Very large networks (historical Class A) |
| /16 | 255.255.0.0 | 256 | 65,534 | Medium-sized organization or campus network |
| /24 | 255.255.255.0 | 65,536 | 254 | Standard LAN segment or home network |
| /25 | 255.255.255.128 | 131,072 | 126 | Splitting a /24 in half |
| /26 | 255.255.255.192 | 262,144 | 62 | Small VLAN or subnet for limited hosts |
| /30 | 255.255.255.252 | 4,194,304 | 2 | Point-to-point links (routers, tunnels) |
| /32 | 255.255.255.255 | 1 | Single host route (loopback, VPN peer) |
Notice how every step increases the network bits and decreases the available hosts.
That’s the binary balancing act we saw earlier in action.
Think of it as zooming in and out on a map:
/8→ one huge country/16→ a region/24→ a city block/30→ two houses across the street
Every increase in prefix length (/) is like drawing finer borders on the same land.
In short:
- Dotted decimal masks show the raw binary boundaries.
- CIDR notation shows how many bits are used for those boundaries.
- Common masks like
/24and/30are the everyday tools of networking, quietly shaping how every packet finds its way home.
So far, we’ve treated subnet masks like mathematical puzzles. But in the real world, they’re everywhere quietly defining how data moves through networks large and small. Let’s look at how subnet masks show up in daily network life.
In most home and business LANs, you’ll see networks like:
192.168.1.0/2410.0.0.0/24172.16.0.0/24
These use private IP address ranges, and the /24 mask provides up to 254 usable host addresses perfect for a small office, lab, or home network.
All devices within this range communicate directly, no router required. Anything outside their subnet? The packet goes to the default gateway (the router).
Routers use subnet masks to decide where packets should go. Each routing table entry defines a destination network and a mask.
Example routing entry:
- Destination
192.168.1.0 - Subnet Mask
255.255.255.0 - Next Hope
192.168.2.1
This tells the router: “Anything matching the first 24 bits (192.168.1) belongs here; send everything else elsewhere.”
In CIDR notation, that same route would simply be:
192.168.1.0/24 via 192.168.2.1
Efficient, clean, and universal.
Firewalls use subnet masks (or CIDR notation) to define who can talk to whom.
For example:
- allow
10.1.2.0/24→10.1.3.0/24 - deny
0.0.0.0/0
That last one (0.0.0.0/0) is a special wildcard meaning “everything.” It’s often used to block or permit all traffic.
Subnet masks are central to IP address planning. Network engineers use them to allocate address blocks efficiently assigning larger masks (/16 or /20) to data centers, and smaller ones (/26, /30) to point-to-point links or device subnets.
A well-planned subnet mask layout:
- Minimizes wasted addresses
- Keeps routing tables organized
- Simplifies troubleshooting
In modern cloud environments (AWS, Azure, GCP, Kubernetes), subnet masks define virtual private clouds (VPCs), subnets, and pods. Even when networks are virtual, the same binary logic applies.
Example from AWS:
- VPC:
10.0.0.0/16 - Subnet 1:
10.0.1.0/24 - Subnet 2:
10.0.2.0/24
Subnet masks still act as the invisible scaffolding of connectivity, whether you’re wiring a rack or deploying containers in the cloud.
Takeaway: Every IP conversation on Earth and most in the cloud depends on subnet masks. They’re not theory; they’re infrastructure.
IPv6 rewrites the scale of networking, but not the concept.
It still divides addresses into network and interface (host) portions the philosophy of subnetting remains, even if the syntax evolved.
IPv4 addresses are 32 bits long. IPv6 addresses are 128 bits long so vast that every grain of sand on Earth could have its own subnet (and still have leftovers).
An IPv6 address looks like this:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
That’s a mouthful, so we often abbreviate it:
2001:db8:85a3::8a2e:370:7334
IPv6 doesn’t use dotted-decimal masks like 255.255.255.0.
Instead, it always uses prefix length notation, the same as CIDR in IPv4:
2001:db8:abcd:12::/64
That /64 means the first 64 bits identify the network prefix, and the remaining 64 bits identify the interface ID.
In other words:
- The first half (network prefix) → defines the subnet.
- The second half (interface ID) → uniquely identifies the device.
Most IPv6 subnets are /64. That gives an absurd number of hosts 2^64 (about 18 quintillion) per subnet.
The reason isn’t about space but functionality: IPv6’s auto-configuration (SLAAC) depends on 64-bit host identifiers.
Other common prefix lengths:
| Prefix | Purpose |
|---|---|
| /48 | Typical allocation to an organization |
| /56 | Allocation for a small business or site |
| /64 | Standard LAN or VLAN subnet |
| /128 | Single device (like a loopback or endpoint) |
Because the IPv6 world abandoned dotted masks entirely. The prefix length /64 is the mask it tells routers exactly how many bits to match.
So in IPv6, you’ll never see “255.255.255.0.” Instead, you’ll see clean prefixes like /48 or /64.
Summary Thought:
Subnet masks in IPv4 are the dividing lines of scarcity.
IPv6 prefixes are the organizing grid of abundance.
The logic is the same; only the universe got bigger.
For quick lookups, here’s a compact table that maps common subnet masks, prefix lengths, and their key properties.
Keep this handy when configuring routers, firewalls, or IP plans it’s the cheat sheet every network admin memorizes eventually.
| CIDR | Subnet Mask | # of Host Bits | Usable Hosts | Network Size | Typical Use |
|---|---|---|---|---|---|
| /8 | 255.0.0.0 | 24 | 16,777,214 | Huge | Very large networks (rare today) |
| /12 | 255.240.0.0 | 20 | 1,048,574 | Large | ISPs, large private blocks |
| /16 | 255.255.0.0 | 16 | 65,534 | Medium | Campus or regional networks |
| /20 | 255.255.240.0 | 12 | 4,094 | Mid-sized | Cloud subnets, data centers |
| /24 | 255.255.255.0 | 8 | 254 | Small | LANs, home networks |
| /25 | 255.255.255.128 | 7 | 126 | Small | Split /24 for load balancing |
| /26 | 255.255.255.192 | 6 | 62 | Small | VLANs, small workgroups |
| /27 | 255.255.255.224 | 5 | 30 | Tiny | Security zones, small clusters |
| /30 | 255.255.255.252 | 2 | 2 | Point-to-point | Router links, tunnels |
| /32 | 255.255.255.255 | 0 | 1 | Single host | Loopbacks, VPN peers |
Remember the pattern:
- Usable Hosts =
(2^host_bits) - 2
One address for the network, one for the broadcast, the rest for devices.
Once you see that formula everywhere, subnet masks stop being numbers they become architecture.
Tip: If you can mentally map
/24to “255.255.255.0 → 254 hosts,” you’re already fluent in network sizing.
The world of networking is vast, and subnet masks are just one of its elegant foundations.
Here are some tools and resources to experiment, calculate, and deepen understanding.
- IP Calculator – Convert between subnet masks, CIDR notation, and host counts.
https://www.ipaddressguide.com/cidr - Subnet Cheat Sheet – Printable quick reference for network engineers.
https://www.aelius.com/njh/subnet_sheet.html - IPv6 Subnet Calculator – For exploring prefix allocations and /64 boundaries.
https://www.ultratools.com/tools/ipv6CIDRCalculator