Subnet Masks Explained
How subnet masks work at the binary level to separate network and host portions of an IP address.
What Is a Subnet Mask?
A subnet mask is a 32-bit number that separates the network portion of an IP address from the host portion. Like an IP address, it's written in dotted decimal notation:
IP Address: 192.168.1.100
Subnet Mask: 255.255.255.0
Binary Representation
The key to understanding subnet masks is looking at them in binary. A mask is a series of 1s followed by 0s:
255.255.255.0 in binary:
11111111.11111111.11111111.00000000
└── network bits (24) ──┘└ host (8)┘
The 1-bits mark the network portion. The 0-bits mark the host portion. A /24 mask has 24 ones.
Bitwise AND Operation
To find the network address, perform a bitwise AND between the IP address and the subnet mask:
IP: 192.168.1.100 = 11000000.10101000.00000001.01100100
Mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
AND: 192.168.1.0 = 11000000.10101000.00000001.00000000
└────────── network address ──────────┘
Any IP address that produces the same network address after ANDing belongs to the same subnet.
Common Subnet Masks
| Decimal | Binary | CIDR | Hosts |
|---|---|---|---|
| 255.255.255.252 | ...11111100 | /30 | 2 |
| 255.255.255.248 | ...11111000 | /29 | 6 |
| 255.255.255.240 | ...11110000 | /28 | 14 |
| 255.255.255.224 | ...11100000 | /27 | 30 |
| 255.255.255.192 | ...11000000 | /26 | 62 |
| 255.255.255.128 | ...10000000 | /25 | 126 |
| 255.255.255.0 | ...00000000 | /24 | 254 |
Wildcard Masks
A wildcard mask is the inverse of a subnet mask. It is used in router ACLs and OSPF configurations:
Subnet mask: 255.255.255.0 (match the network)
Wildcard mask: 0.0.0.255 (ignore the host portion)
Wildcard = 255.255.255.255 - Subnet Mask
Practice Example
Given 10.20.30.40/20, find the network address:
- /20 mask = 255.255.240.0 = 11111111.11111111.11110000.00000000
- AND with 10.20.30.40:
- Third octet: 30 AND 240 = 00011110 AND 11110000 = 00010000 = 16
- Network address: 10.20.16.0/20
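The bitwise AND, the wildcard inversion and the practice example above, worked in Python as an added example that is not part of the original page. All function names are illustrative assumptions; the code also rejects masks that are not 1s followed by 0s and shows how a wildcard mask decides which addresses an ACL-style entry covers.

```python
MASK32 = 0xFFFFFFFF  # all 32 bits set

def to_int(dotted):
    """Strictly parse dotted decimal into a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(
            p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 value: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value

def to_dotted(value):
    """32-bit integer back to dotted decimal."""
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """CIDR prefix length (e.g. 20) to a 32-bit mask integer."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return (MASK32 << (32 - prefix)) & MASK32

def is_contiguous(mask):
    """True when the mask is a run of 1s followed only by 0s."""
    inverted = ~mask & MASK32          # host bits become 1s
    return inverted & (inverted + 1) == 0

def network_address(ip, mask):
    """Network address = IP AND mask; non-contiguous masks are rejected."""
    m = to_int(mask)
    if not is_contiguous(m):
        raise ValueError(f"not a valid subnet mask: {mask}")
    return to_dotted(to_int(ip) & m)

def wildcard(mask):
    """Wildcard = 255.255.255.255 - subnet mask (bitwise inverse)."""
    return to_dotted(~to_int(mask) & MASK32)

def acl_matches(ip, base, wild):
    """Bits set in the wildcard are ignored; all other bits must equal base."""
    care = ~to_int(wild) & MASK32
    return (to_int(ip) ^ to_int(base)) & care == 0

if __name__ == "__main__":
    mask20 = to_dotted(prefix_to_mask(20))
    print(mask20, network_address("10.20.30.40", mask20), wildcard(mask20))
    print(acl_matches("192.168.1.77", "192.168.1.0", "0.0.0.255"))
```

Running the contiguity check on masks read from device configs catches typos such as 255.0.255.0 before they are turned into filtering rules.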