“What is a subnet mask?” is among the most common questions for aspiring network engineers. Network veterans have all been through it at one stage or another and we all have our tips and tricks for figuring them out.

But, that initial understanding is typically a grind involving some combination of cheat sheets, IP to binary converters, books, articles, and online resources. 

Spoiler alert for the network newbies: after all that work, many experienced network pros just use an IP mask calculator instead of manually calculating them. 

However, it’s still helpful to go through the grind of understanding what a subnet mask is, how they work, and why they’re important because that will help you make intelligent decisions when designing, configuring, and troubleshooting network issues. 

To help you make that grind a little easier, this article will break down the answer to “what is a subnet mask” in detail, including the technical information, key network lingo you should know, and the benefits of subnets. We’ll focus primarily on IPv4 subnetting but will touch on IPv6, too. 

What is a subnet mask?

A subnet mask is a 32-bit bitmask that splits an IP address into network and host sections to enable IPv4 network segmentation (a.k.a. subnetting). 

A lot is going on there, so let’s unpack it. I’ll introduce a few new terms as we go, but we’ll tie it all together at the end. 

  • 32-bit literally means 32 zeros or ones in a row, like 11111111000000000000000000000000 (which is the binary address for 255.0.0.0). Note that the numbers between the dots in an IPv4 address are called octets because they represent 8 bits. 
  • The ones tell us the network bits of an IP address. 
  • The zeros tell us the host bits of an IP address. 
  • Binary address is the name for those 32-bit strings of ones and zeros. They map directly to the dotted-decimal notation you know and love like, 192.0.2.11 (which is 11000000000000000000001000001011 in binary). 
  • Bitmask is a binary number you can overlay on another binary number to perform a bitwise operation

A bitwise AND operation is the relevant operation for IP subnetting. Using a subnet mask and IPv4 address in binary format, a bitwise AND operation will give you the network address. For example, here is how we could calculate the network address given an IPv4 address of 192.0.2.11 (11000000000000000000001000001011) and subnet mask of 255.0.0.0 (11111111000000000000000000000000). You can see how that works in the graphic below:

IPv4 address 192.0.2.1111111111000000000000000000000000
Subnet mask 255.0.0.011000000000000000000001000001011
Network address 192.0.0.011000000000000000000000000000000
  • The network address is the first address in a network, cannot be assigned to a specific host, and is important because routers and other network devices use it to uniquely identify the network (or subnet). 

💡 Pro tip: The ones (to the left) and zeros (to the right) in a binary subnet are always contiguous. That is, you’ll see consecutive ones on the left then consecutive zeros to the right. Therefore, something like 11000000000011000000001000001011 isn’t a valid subnet.

What is CIDR?

CIDR (Classless Inter-Domain Routing) notation is a common way to represent the number of network bits in a subnet mask. With CIDR, the number of network bits is added after a slash and you’re done.

For example, a subnet of 255.0.0.0 in dotted-decimal notation is /8 in CIDR notation because there are exactly 8 network bits in the binary representation (11111111000000000000000000000000). 

Typically, you’ll see a CIDR subnet appended to a dotted-decimal IP address (e.g., 192.0.2.0/8). 

IP subnet mask vs. IP subnet 

Networking terminology can be tricky. It’s important to note that a subnet mask is NOT the same thing as a subnet.

A subnet mask helps you define and identify different network segments while a subnet is a specific instance of one of those segments. Examples of how you might see a subnet mask represented are 255.255.255.0 (dotted decimal), /24 (CIDR), 11111111111111111111100000000 (binary), or 0xffffff00 (hexadecimal). 

A specific subnet will be an actual subnetwork. For example, suppose we have a 192.0.2.0/24 network we want to divide into 4 smaller evenly-sized subnets without unnecessarily wasting addresses. The resulting IP subnets are represented in the table below.

Subnet address (CIDR)Network addressBroadcast addressUseable host addressesTotal number of host addresses 
192.0.2.0/26192.0.2.0192.0.2.63192.0.2.1-192.0.2.6262
192.0.2.64/26192.0.2.64192.0.2.127192.0.2.65-192.0.2.12662
192.0.2.128/26192.0.2.128192.0.2.191192.0.2.128-192.0.2.19062
192.0.2.192/26192.0.2.192192.0.2.255192.0.2.193-192.0.2.25462

Note that after slicing up the subnets we end up with 248 usable host addresses, which is 6 less than the 254 we had with 192.0.2.0/24. That’s because for each new subnet we create we get a new network address and broadcast address that cannot be assigned to a host. 

What about IPv6 subnet masks? 

The size of IPv6 addresses (128 bits) and the magnitude of IPv6 addresses available (theoretically 2128 or 340 trillion, trillion, trillion IPv6 addresses), make IPv6 subnetting a bit different.

While we’re focused on IPv4 subnet masks for this article, here’s enough for you to discuss IPv6 subnetting if it comes up at a party (please invite me to that party!):

  • IPv6 addresses are typically represented as hexadecimal (e.g. 2001:DB8::9cff:4c9b:955d:9064:eb27).
  • A 128-bit IPv6 address is broken up into 3 key parts: network prefix, subnet ID, and interface identifier 
  • The 48-bit network prefix identifies a unique IPv6 network on the internet.
  • The 16-bit subnet ID enables the creation of subnets.
  • The 64-bit interface identifier uniquely identifies a specific interface. It is commonly derived from a MAC address, but can also be manually assigned or generated using a different mechanism. 
  • While there are some exceptions, IPv6 subnets are typically between /48-/64 in size. /48, /56, and /64 are the subnet masks you’ll often find used in practice. 

For a deeper dive on IPv6 subnet masks, check out the canonical IPv6 subnetting question on ServerFault

How does subnetting work?

Subnetting works by splitting up a range of IP addresses into smaller groups of addresses. Every device in the same subnet can communicate with other devices in that subnet without going through a routing device (e.g. a router or layer 3 switch). 

For example, suppose my IP subnet mask combo is: 

  • IPv4 address: 192.0.2.5 which is 11000000000000000000001000000101 in binary.
  • Subnet mask: /26 in CIDR, which is  255.255.255.192 in dotted-decimal, which is 1111111.1111111.1111111.11000000 in binary.

From there, we can work backwards to determine that our network address is 192.0.2.0, our broadcast address is 192.0.2.63, and our usable host IP addresses are 192.0.2.1-192.0.2.62. That means, any other PCs, printers, IoT devices, or other IPv4-enabled equipment in that range and connected to my network should be directly accessible from my PC. 

Anything outside of that range, my PC would need to send the traffic to a routing device that is typically called a default gateway. 

For a deeper dive on how subnets work, check out Kevin Dooley’s excellent Subnetting: What it is and How it Works post. 

Why is subnetting important?

Subnetting is a fundamental IPv4 networking concept that enables better network design, streamlines troubleshooting, and can make networks more efficient. 

3 key benefits of subnetting 

To understand why subnetting is so important, let’s break down 3 key benefits of subnetting:

  • More efficient networks: Slicing a network up into smaller subnets reduces the amount of broadcast messages and noise that can degrade network performance. Additionally, subnetting improves IP address management (IPAM) and enables network administrators to allocate IPv4 addresses efficiently. 
  • Better network administration: Logical separation of subnets for different business functions— such as accounting, HR, finance, support, engineering, and sales—or other groupings can make managing a business network easier. 
  • Improved security: Slicing a network into subnets logically isolates them and enables stronger security through network segmentation

IP addresses and subnet masks

Subnet masks and IP addresses are two sides of the same coin because subnet masks define an IP addresses network.

The key to understanding this relationship boils down to two concepts:

  • Host vs. network bits in a subnet
  • The bitwise AND operation to determine a network address

A subnet mask like 255.255.255.0 can be represented in binary as 1111111.1111111.1111111.00000000. All the ones in the mask are network bits that will represent the network portion of an IPv4 address. All the zeros in the mask are the host bits that can be used for individual hosts on a network. That’s why you’ll notice that IP addresses in the same subnet always begin with the same numbers

The bitwise AND operation we discussed earlier enables you to derive the network address from an IP and subnet combo. Since you already know the network bits in the subnet, you can also derive the broadcast address, available host addresses, and available IP address range.

IP classes and subnet masks

Today, networks use classless addressing and support variable length subnet mask (VLSM) addresses, but understanding IPv4 address classes is useful as they still often come up. Classful addressing had three default subnets and did not allow them to be split up outside of those default ranges. Simply put, that made classful less flexible than the industry needed, and classless addressing and VLSM emerged as solutions. 

Here is a quick breakdown of the three default classful subnets. Note that networks in these ranges are often called “Class A,” “Class B,” or “Class C” networks even today. Class A allowed for many hosts while Class C allowed for many subnetworks.

IPv4 address classNetwork MaskCIDR notation of maskIPv4 address range
A255.0.0.0/80.0.0.0-127.255.255.255
B255.255.0.0/16128.0.0.0-191.255.255.255
C255.255.255.0/24192.0.0.0-223.255.255.255

For a deeper dive on the topic, check out Classful and Classless Addressing Explained by Steve Petryschuk. 

Network address and subnet masks

A network address is the first address in a subnet’s range. As we’ve seen above, you can use an IPv4 address and its IP mask to derive a network address with a bitwise AND operation. It might sound complicated, but it’s simple once you get the hang of it.

Here is an overview of the process:

  1. Convert your IP address and subnet to binary.
  2. Line the bits up with one another.
  3. Anywhere there is a 1 in both the IP address and subnet, put a 1 in the network address; every other bit gets a 0
  4. The resulting binary number is your network address

What is a subnet mask calculator?

A subnet mask calculator is what an experienced network pro uses to calculate subnets after going through the grind of figuring out how it all works manually. 😁

Frankly, it’s just more pragmatic to let a tool do the job of making these calculations. Instead of manually doing the math to convert to and from binary, derive available hosts, determine the CIDR or dotted-decimal notation, you can simply modify some inputs to a tool and get the details you need. 

To help both network pros and those still figuring out this whole subnetting thing, we built our own subnet calculator you can use for free.

Try it out and you can see how it quickly does all those conversions that would be a pain to do manually.

Auvik's subnet calculator to figure out subnet masks
The Auvik IPv4 subnet calculator

Final thoughts

Knowing the basics of IP subnet masks is great, but putting the knowledge into practice is what matters. Once you understand how it works under the hood (we hope this article helped), using a tool like an IP mask calculator makes sense for calculating the specific numbers.

Once you’re comfortable with those topics, you can move on to more advanced topics like configuring network devices, VLSM, wildcard masks, and IPv6 subnetting. 

Leave a Reply

Your email address will not be published. Required fields are marked *