Netmask
Subnet Mask
A 32-bit number paired with an IP address that identifies which part of the address is the network and which is the host — telling your device which destinations it can reach directly and which must go via the router.
A netmask (also called subnet mask) works like a stencil over an IP address. The bits set to 1 in the mask correspond to the network portion of the address; bits set to 0 correspond to the host portion. Your device performs a bitwise AND between its IP address and the netmask to determine its network address, applies the same mask to the destination address, and compares the two results. Same network? Send directly via ARP. Different network? Send to the default gateway (router). The most common home netmask is 255.255.255.0 (/24), which gives 254 usable host addresses on one subnet.
Subnet mask structure
A subnet mask is always a sequence of contiguous 1-bits followed by contiguous 0-bits — it cannot alternate. In binary, 255.255.255.0 is:
11111111.11111111.11111111.00000000
The 24 leading 1s identify the network portion; the 8 trailing 0s identify the host portion. A mask like 255.255.0.255 with non-contiguous bits is invalid and not accepted by modern network stacks. The total number of leading 1-bits gives the CIDR prefix length — 255.255.255.0 has 24 leading 1s, so its CIDR notation is /24.
How a host uses the mask: bitwise AND
To determine whether a destination IP is on the local subnet, a host ANDs its own IP address and the destination IP address each with the subnet mask, then compares the results. Consider a host at 192.168.1.50 with mask 255.255.255.0 trying to reach 192.168.1.200:
- 192.168.1.50 AND 255.255.255.0 = 192.168.1.0 (host's network)
- 192.168.1.200 AND 255.255.255.0 = 192.168.1.0 (destination's network)
- Results match → same subnet → send directly using ARP
Now trying to reach 8.8.8.8:
- 8.8.8.8 AND 255.255.255.0 = 8.8.8.0 (destination's network)
- 8.8.8.0 ≠ 192.168.1.0 → different network → forward to default gateway
A misconfigured netmask is one of the most common sources of partial connectivity failures — some hosts reachable, others not — because the host incorrectly classifies remote addresses as local or local addresses as remote.
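The contiguity rule and the local-versus-gateway decision described above, shown together with the effect of a wrong mask. This is an added example, not part of the original page; the function names and the destination list are constructed for illustration.

```python
import ipaddress

def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def mask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix length; reject masks whose 1-bits are not contiguous."""
    inverted = ~ip_to_int(mask) & 0xFFFFFFFF   # host bits become 1s
    # A valid mask inverts to 2**k - 1, and only such numbers satisfy x & (x + 1) == 0.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return 32 - inverted.bit_length()

def delivery(host: str, mask: str, dest: str) -> str:
    """'direct' when dest is on the host's subnet (ARP), otherwise 'gateway'."""
    mask_to_prefix(mask)                       # validate before using the mask
    m = ip_to_int(mask)
    same = (ip_to_int(host) & m) == (ip_to_int(dest) & m)
    return "direct" if same else "gateway"

def misclassified(host, true_mask, configured_mask, dests):
    """Destinations the host handles differently from what the real subnet requires."""
    return [d for d in dests
            if delivery(host, true_mask, d) != delivery(host, configured_mask, d)]

# Constructed sample: the host from the text plus one address on a neighbouring /24.
HOST = "192.168.1.50"
DESTS = ["192.168.1.200", "192.168.2.10", "8.8.8.8"]

if __name__ == "__main__":
    for d in DESTS:
        print(d, delivery(HOST, "255.255.255.0", d))
    # Mask too short (/16): 192.168.2.10 is wrongly ARPed for instead of routed.
    print("too short:", misclassified(HOST, "255.255.255.0", "255.255.0.0", DESTS))
    # Mask too long (/25): 192.168.1.200 is wrongly sent to the gateway.
    print("too long: ", misclassified(HOST, "255.255.255.0", "255.255.255.128", DESTS))
```

In both misconfigured cases 8.8.8.8 is still classified correctly, which is why the symptom is partial rather than total loss of connectivity.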
Default masks for classful addresses
Before CIDR, IPv4 used a classful scheme with fixed default masks based on the first octet of the address. Class A (1–126.x.x.x) used /8 (255.0.0.0), Class B (128–191.x.x.x) used /16 (255.255.0.0), and Class C (192–223.x.x.x) used /24 (255.255.255.0). This was inflexible — a Class B block wasted tens of thousands of addresses for organisations that needed only a few hundred. CIDR (RFC 1519, 1993) replaced classful addressing with variable-length subnet masks, allowing any prefix length and enabling efficient allocation. Classful notation is obsolete in practice but still appears in legacy documentation.
CIDR notation as shorthand
CIDR (Classless Inter-Domain Routing) notation expresses both the IP address and its prefix length in one compact form: 192.168.1.0/24. The number after the slash is the count of leading 1-bits in the subnet mask — identical information to the dotted-decimal mask but far more readable. Routing tables, firewall rules, cloud security groups, and all modern network configuration use CIDR. The two notations are interchangeable: /24 = 255.255.255.0, /16 = 255.255.0.0, /8 = 255.0.0.0.
Calculating network, broadcast, and host range
Given an IP address and prefix length, three values are derived:
- Network address: AND the IP with the mask. For 192.168.1.50/24 → 192.168.1.0. This address identifies the subnet and cannot be assigned to a host.
- Broadcast address: set all host bits to 1. For /24 → 192.168.1.255. Packets sent here reach all hosts on the subnet. Cannot be assigned to a host.
- Usable host range: all addresses between network + 1 and broadcast − 1. For 192.168.1.0/24 → 192.168.1.1 through 192.168.1.254 = 254 usable addresses.
The formula for usable hosts is 2^(32 − prefix) − 2. A /24 gives 2^8 − 2 = 254. A /25 gives 2^7 − 2 = 126. A /28 gives 2^4 − 2 = 14.
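The three derivations above carried out with bit operations, as an added example that is not part of the original page. The function name `subnet_info` is hypothetical; the /32 case follows the table below (one host route), and the /31 case follows RFC 3021, which the page does not cover, because the formula would otherwise give 0 and −1 for those prefixes.

```python
import ipaddress

def subnet_info(cidr: str) -> dict:
    """Derive mask, network, broadcast and usable range from 'a.b.c.d/prefix'."""
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    addr = int(ipaddress.IPv4Address(addr_text))

    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # prefix leading 1-bits
    network = addr & mask                               # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits all set

    if prefix == 32:        # host route: the single address itself
        first, last, usable = network, network, 1
    elif prefix == 31:      # RFC 3021 point-to-point link: both addresses usable
        first, last, usable = network, broadcast, 2
    else:                   # general case: 2^(32 - prefix) - 2
        first, last, usable = network + 1, broadcast - 1, 2 ** (32 - prefix) - 2

    def dotted(n: int) -> str:
        return str(ipaddress.IPv4Address(n))

    return {
        "netmask": dotted(mask),
        "network": dotted(network),
        "broadcast": dotted(broadcast),
        "first_host": dotted(first),
        "last_host": dotted(last),
        "usable": usable,
    }

if __name__ == "__main__":
    # Same host address under two different prefixes: the subnet it belongs to changes.
    for cidr in ("192.168.1.50/24", "192.168.1.50/28"):
        print(cidr, subnet_info(cidr))
```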
Common netmask values
| Netmask | CIDR | Usable hosts | Typical use |
|---|---|---|---|
| 255.255.255.0 | /24 | 254 | Home and small office (default) |
| 255.255.255.128 | /25 | 126 | Split a /24 into two segments |
| 255.255.255.240 | /28 | 14 | Small device group, IoT VLAN |
| 255.255.0.0 | /16 | 65,534 | Large enterprise network |
| 255.0.0.0 | /8 | 16,777,214 | Large private range (10.x.x.x) |
| 255.255.255.255 | /32 | 1 (host route) | Single specific host in a routing table |
Supernet masks
Subnetting divides a larger block into smaller ones (longer prefix = smaller subnet). Supernetting does the reverse — combining multiple smaller blocks into a larger summary route (shorter prefix = larger block). A router advertising 192.168.0.0/22 summarises four /24 networks (192.168.0.0, 192.168.1.0, 192.168.2.0, 192.168.3.0) into a single routing table entry. ISPs and large networks use supernetting to reduce routing table size — instead of advertising thousands of individual /24 prefixes, they advertise a few summarised routes. The subnet mask works identically; only the prefix length changes to be shorter than the classful default.
How routers use masks in routing tables
A router's routing table contains prefix/mask pairs. When forwarding a packet, the router performs a longest-prefix match — it finds all entries whose network address matches the destination IP (after AND with the mask), then selects the entry with the longest (most specific) prefix. A /28 match beats a /24 match beats a /0 default route. The default route (0.0.0.0/0) has a mask of all zeros and matches every destination — it is the catch-all forwarding entry used when no more specific route exists, typically pointing toward the internet gateway.
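Longest-prefix match and the /22 summary route from the supernetting section, as an added example that is not part of the original page. The routing table and next-hop labels are constructed; `ipaddress.collapse_addresses` is the Python standard-library call used for summarisation.

```python
import ipaddress

# Constructed routing table: (prefix, next-hop label).
ROUTES = [
    ("0.0.0.0/0", "internet-gw"),        # default route, matches everything
    ("192.168.0.0/22", "core-router"),   # summary of four /24 networks
    ("192.168.1.0/24", "lan-switch"),
    ("192.168.1.16/28", "iot-firewall"),
]

def build_table(routes):
    """Precompute (network, mask, prefix length, hop) as integers for AND matching."""
    table = []
    for cidr, hop in routes:
        net = ipaddress.IPv4Network(cidr)   # strict mode: rejects set host bits
        table.append((int(net.network_address), int(net.netmask), net.prefixlen, hop))
    return table

def lookup(table, dest):
    """Return (prefix length, hop) of the most specific matching route, or None."""
    d = int(ipaddress.IPv4Address(dest))
    matches = [(plen, hop) for net, mask, plen, hop in table if (d & mask) == net]
    return max(matches) if matches else None

def summarize(cidrs):
    """Collapse adjacent prefixes into the fewest covering routes."""
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    table = build_table(ROUTES)
    for dest in ("192.168.1.20", "192.168.1.200", "192.168.3.7", "8.8.8.8"):
        print(dest, "->", lookup(table, dest))
    four = [f"192.168.{i}.0/24" for i in range(4)]
    print(summarize(four))        # all four blocks present: one /22
    print(summarize(four[:3]))    # one block missing: no single /22 summary
```

When only three of the four /24 blocks are present, the result is a /23 plus a /24, so a /22 advertisement would also cover 192.168.3.0/24, which is not among them.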
IPv6 prefix length vs netmask
IPv6 does not use dotted-decimal subnet masks. Prefix lengths are always expressed in CIDR notation: 2001:db8::/32 or fe80::1/64. The /64 prefix length is the standard for LAN segments — the lower 64 bits are the interface identifier, often auto-generated via SLAAC (Stateless Address Autoconfiguration). IPv6 eliminates broadcast; the functions that IPv4 broadcast served (ARP, DHCP discovery) are replaced by multicast in IPv6 (Neighbour Discovery Protocol uses ff02::1 and ff02::2). The underlying logic of "compare network portion to determine local vs. routed" is identical to IPv4 — only the address length (128 bits) and notation differ.
Frequently Asked Questions
What does 255.255.255.0 mean as a netmask?
The first 24 bits identify the network, the last 8 bits identify the host (/24 in CIDR). On 192.168.1.0/24, addresses .1 through .254 are on the same subnet and reachable without routing. .0 is the network address and .255 is the broadcast address — neither is assignable to a host.
What is the difference between a netmask and CIDR notation?
The same information in different formats. 255.255.255.0 = /24; 255.255.0.0 = /16; 255.0.0.0 = /8. CIDR counts the number of leading 1-bits in the mask. CIDR is more compact and is universally used in modern routing tables, firewall rules, and cloud configurations.
Why would I change my subnet mask?
The default /24 allows 254 hosts — sufficient for home use. Larger offices use /16 for more addresses. Security-conscious setups use smaller subnets (/28, /25) to isolate IoT devices, guest networks, or server segments, forcing cross-segment traffic to route through a firewall where access control can be enforced.