What Is a Subnet Mask? Plain-Language Explanation
A subnet mask defines the boundary between the 'network' part and the 'device' part of an IP address. For home users, 255.255.255.0 is almost always correct and almost never needs changing.
The one-sentence version
A subnet mask tells your device which part of an IP address identifies the network and which part identifies the individual device. At home, you almost never need to change it — the default (255.255.255.0) is almost always correct.
Why subnet masks exist
Every device on a network has an IP address like 192.168.1.45. The subnet mask tells the device: "the first three groups (192.168.1) identify our local network — only the last group (.45) is your unique device number."
Without this, devices couldn't determine whether to send traffic directly to another local device or to the router for forwarding to the internet.
Binary representation of a subnet mask
A subnet mask is a 32-bit number where all the 1-bits appear first (the network portion) and all the 0-bits appear last (the host portion). The two groups are always contiguous — you will never see a valid mask with 1-bits and 0-bits alternating. The decimal mask 255.255.255.0 in binary is:
11111111.11111111.11111111.00000000
The 24 leading 1-bits identify the network. The 8 trailing 0-bits are available for device addresses. This is why the same mask is written as /24 in CIDR notation — the number simply counts the 1-bits.
How a host applies the mask
When a device needs to decide whether a destination IP is on the local network or needs to go via the router, it performs a bitwise AND of the destination IP address with its own subnet mask. The result is the network address. If the result matches its own network address, the destination is local and can be reached directly. If not, the packet goes to the default gateway (your router).
Example: host 192.168.1.45 with mask 255.255.255.0 AND-ed with destination 192.168.1.100 gives 192.168.1.0 — matching the local network. The same host AND-ed with 8.8.8.8 gives 8.8.8.0 — not matching, so the packet goes to the router.
Host range and broadcast address
For any subnet, the first address (all host bits zero) is the network address and is not assigned to any device. The last address (all host bits one) is the broadcast address — packets sent here reach every device on the subnet. All addresses between them are usable host addresses. For a /24 network like 192.168.1.0/24, the network address is 192.168.1.0, the broadcast is 192.168.1.255, and usable host addresses are 192.168.1.1 through 192.168.1.254 — 254 devices.
Reading a subnet mask
The most common home network subnet mask is 255.255.255.0. Each 255 means "this octet is entirely network bits." The 0 means "this octet is entirely host bits."
| CIDR | Dotted-decimal mask | Usable hosts | Typical use |
|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,214 | Large enterprise, 10.x.x.x private range |
| /16 | 255.255.0.0 | 65,534 | Campus or large office, 172.16.x.x range |
| /24 | 255.255.255.0 | 254 | Home networks and small offices — default |
| /25 | 255.255.255.128 | 126 | Split /24 into two subnets |
| /28 | 255.255.255.240 | 14 | Small VLAN or management segment |
| /30 | 255.255.255.252 | 2 | Point-to-point router links |
| /32 | 255.255.255.255 | 1 (host route) | Single host route, loopback addresses |
CIDR vs classful addressing
Before CIDR (Classless Inter-Domain Routing), IP addresses were divided into fixed classes: Class A used /8 masks, Class B used /16, and Class C used /24. A company that needed 500 addresses had to receive an entire Class B block (65,534 addresses), wasting tens of thousands. CIDR allows masks of any length, so a network can be sized precisely to its needs — a /23 for 510 hosts, a /22 for 1,022 hosts. Home routers have used CIDR since the 1990s, though the classful names still appear occasionally in older documentation.
Wildcard masks
Wildcard masks are the bitwise inverse of a subnet mask — wherever the subnet mask has a 1-bit, the wildcard mask has a 0-bit, and vice versa. The wildcard mask for 255.255.255.0 is 0.0.0.255. Cisco IOS uses wildcard masks in access control lists (ACLs) and OSPF area configurations. A 0-bit in a wildcard mask means "this bit must match exactly"; a 1-bit means "this bit can be anything." Understanding this is important when reading router configs or troubleshooting access lists on managed network equipment.
Variable-Length Subnet Masking (VLSM)
VLSM allows a single address block to be divided into subnets of different sizes, each with its own mask chosen to fit the number of hosts required. A company with a /24 allocation might carve it into a /26 (62 hosts) for the office LAN, a /27 (30 hosts) for Wi-Fi, a /28 (14 hosts) for servers, and /30 blocks (2 hosts each) for router-to-router links — all from the same /24. This eliminates the waste of assigning uniformly sized subnets to segments of wildly different sizes. Home networks rarely need VLSM, but it is standard practice in any multi-segment enterprise or ISP network.
IPv6 prefix length
IPv6 does not use dotted-decimal subnet masks. Instead, it uses only CIDR-style prefix lengths written after a slash, such as /64 or /48. The concept is identical — the prefix length indicates how many leading bits identify the network — but the notation is always compact. A typical home IPv6 assignment is a /64 prefix for the LAN, meaning the first 64 bits are the network identifier and the last 64 bits are the interface identifier (device address). ISPs typically delegate a /48 or /56 prefix to home customers, allowing the customer to sub-divide it into many /64 LAN segments.
How routers use masks in routing table lookups
A router's routing table lists network prefixes and their associated next-hop or outgoing interface. When a packet arrives, the router compares the destination IP against every prefix in the table using longest-prefix-match: the most specific matching prefix (the one with the most mask bits) wins. A packet to 192.168.1.50 might match both a 192.168.0.0/16 route and a 192.168.1.0/24 route — the /24 wins because it is more specific. This mechanism allows routers to have both broad default routes and specific per-subnet routes coexisting correctly in the same table.
When you'd actually need to change your subnet mask
Almost never, for home users. The only times you'd change it:
- You're setting a static IP address manually on a device — you must enter the correct mask or the device cannot determine local vs. remote destinations.
- You're configuring VLANs or multiple subnets in a home lab and need to size each segment correctly.
- You're adding more than 254 devices to a single network segment (extremely unusual at home).
If you're troubleshooting and someone asks for your subnet mask: check it in your network settings (Windows: ipconfig; Mac: System Settings → Network → WiFi → Details → TCP/IP). If it shows 255.255.255.0, it is almost certainly correct.
Finding your subnet mask
- Windows: Open Command Prompt → type
ipconfig→ look for "Subnet Mask" under your active network adapter - Mac: System Settings → Network → WiFi → Details → TCP/IP tab → Subnet Mask
- iPhone: Settings → WiFi → tap the (i) next to your network → Subnet Mask
- Android: Settings → Network & Internet → WiFi → tap your network → Advanced → IP details