Subnet Masks Explained

Every packet your device sends asks the same question: Can I talk to them directly, or do I need to go through a router?

The subnet mask provides the answer in microseconds.

The Split-Second Decision

A subnet mask is a 32-bit number that divides every IPv4 address into two parts:

• Network portion: Which network does this device belong to?
• Host portion: Which specific device is it on that network?

Your computer applies this mask to every outbound packet. Same network? Send directly. Different network? Hand it to the router. This decision happens thousands of times per second, and it must be instantaneous.

How the Mask Works

In binary, a subnet mask is consecutive 1s followed by consecutive 0s. The 1s mark the network portion, the 0s mark the host portion.

The most common subnet mask, 255.255.255.0, looks like this:

Decimal:  255       255       255       0
Binary:   11111111  11111111  11111111  00000000
          |--- Network (24 bits) ---|  |- Host -|

First 24 bits identify the network, last 8 identify individual hosts.

The Bitwise AND Operation

When your device compares two IP addresses, it performs a bitwise AND—comparing each bit position:

Your IP:        192.168.1.100
Subnet mask:    255.255.255.0
Destination A:  192.168.1.50
Destination B:  192.168.2.50

The operation on the third octet, where it matters:

Your IP (third octet):      00000001  (1)
Subnet mask:                11111111  (255)
Result:                     00000001  → network 192.168.1.x

Dest A (third octet):       00000001  (1)
Result:                     00000001  → network 192.168.1.x  ✓ Same

Dest B (third octet):       00000010  (2)
Result:                     00000010  → network 192.168.2.x  ✗ Different

After applying the mask:

Your network:    192.168.1.0
Destination A:   192.168.1.0   → Send directly
Destination B:   192.168.2.0   → Route through gateway

The AND operation masks out the host bits, revealing only the network portion. Same result? Local. Different result? Remote.

Common Subnet Masks

Different masks create different network sizes:

More network bits means more possible networks but fewer hosts per network. More host bits means the opposite.

Why Usable Hosts ≠ Total Addresses

A /24 network has 8 host bits, giving 256 total addresses (2^8). But only 254 are usable. Two addresses in every subnet are reserved:

• Network address: All host bits = 0 (e.g., 192.168.1.0) identifies the subnet itself
• Broadcast address: All host bits = 1 (e.g., 192.168.1.255) sends to all devices on the subnet

Total addresses minus two. Every time.

CIDR Notation

Writing 255.255.255.0 repeatedly is tedious. CIDR notation counts the 1s:

255.255.255.0 = 11111111.11111111.11111111.00000000
                |------ 24 ones total ------|         → /24

So 192.168.1.100 with subnet mask 255.255.255.0 becomes 192.168.1.100/24.

The number after the slash is how many bits are dedicated to the network portion. This notation is everywhere—router configs, cloud infrastructure, network diagrams.

Calculating From CIDR

Quick formula: 2^(32 - CIDR) = Total Addresses

/24: 2^(32-24) = 2^8  = 256 addresses (254 usable)
/27: 2^(32-27) = 2^5  = 32 addresses  (30 usable)
/30: 2^(32-30) = 2^2  = 4 addresses   (2 usable)

Real-World Examples

Home Network

Router:        192.168.1.1/24
Network:       192.168.1.0/24
Usable Range:  192.168.1.1 - 192.168.1.254

254 possible devices. Enough for smartphones, laptops, TVs, and every IoT device you'll ever plug in.

Small Office

IP:            10.0.10.65/27
Network:       10.0.10.64/27
Usable Range:  10.0.10.65 - 10.0.10.94

30 addresses for a small team. Right-sized, no waste.

Router Link

Router A:      10.0.0.1/30
Router B:      10.0.0.2/30
Network:       10.0.0.0/30
Total:         4 addresses (2 usable + network + broadcast)

The smallest practical subnet. Two routers talking to each other need exactly two addresses—a conversation has two participants.

Why This Matters

Instant routing decisions. Without subnet masks, devices would query a router for every destination. The overhead would be crippling. Subnet masks make the decision local, instant, automatic.

Network segmentation. 10.0.1.0/24 for Sales, 10.0.2.0/24 for Engineering, 10.0.3.0/24 for Guest WiFi. Each can have different security policies, bandwidth limits, access controls.

Security boundaries. "Guest network cannot access engineering network" is one firewall rule with subnets. Without them, you'd need rules for every IP address.

Reduced broadcast noise. Broadcast messages only reach devices on the same subnet. A single /16 with 1,000 devices sees every broadcast from all 1,000. Ten /24 networks of 100 devices each? Each only sees 100.

Common Pitfalls

Overlapping subnets:

❌ Subnet A: 10.0.0.0/24   (10.0.0.0   - 10.0.0.255)
   Subnet B: 10.0.0.128/25 (10.0.0.128 - 10.0.0.255)  ← Overlap

✅ Subnet A: 10.0.0.0/25   (10.0.0.0   - 10.0.0.127)
   Subnet B: 10.0.0.128/25 (10.0.0.128 - 10.0.0.255)

Forgetting reserved addresses: Always subtract 2 from total. A /30 gives 4 addresses but only 2 usable hosts.

Mismatched masks: Every device on the same physical network must use the same subnet mask. Router uses /24 but laptop configured with /16? Routing breaks in bizarre, hard-to-debug ways.

Subnet Masks Today

The fundamental question hasn't changed since IPv4's creation: "Is this destination local or remote?"

• IPv6 uses similar concepts with standardized /64 subnets
• Software-Defined Networking allows dynamic subnet adjustment
• Cloud infrastructure uses subnets extensively for VM isolation and security groups

Whether you're troubleshooting a home network or architecting cloud infrastructure, subnet masks remain fundamental. The question they answer—"Can I reach this directly?"—is as essential in 2025 as it was in 1985.

The technology changes. The question doesn't.