Subnet Mask and Subnetting

An IP mask is used to determine what subnet the IP belongs to.

A subnet allows you to segregate the network traffic between hosts based on network configuration. Subnetting gives you the possibility to organize your hosts into logical groups, configuration that improves the network security and performance.

Subnet Mask

When we talk about subnetting, we can clearly state that its most recognizable aspect is the subnet mask. Like for the IP address, the subnet mask is made of four octets of bites (32 bits) and can be expressed either using the decimal or the binary form.

In the below example you will see how a subnet mask is represented in both decimal and binary form:

binary 11111111.11111111.11111111.00000000

Obviously it is easier for us to remember the decimal form.

For a subnet mask to be valid, its first (leftmost) bits must be set to 1. For example, 00000000 00000000 00000000 00000000 is an invalid subnet mask because the first bit is set to 0.

On the other part, for a subnet mask to be valid, it must have last (rightmost) bits set to 0, not 1. Therefore, 11111111 11111111 11111111 11111111 is invalid.

In subnetting we can apply the concept of extended network address to the individual computer (or any other network device). This extended network address includes both network address and the subnet number (additional bits). By combining the extended network address and the subnet number, we have a two-level addressing scheme, which is also recognize by the SIIP (Standard Implementation of IP).

If we combine the above mentioned data elements with a third one called host address (defined in a previous post -- Understanding IP Addressing), we have a three-level addressing scheme.

Please check the below example in order to better understand the above concept:

You have a small business and are designing the network infrastructure. You have reached the decision to use a Class C network ( for the internal hosts. Suddenly you receive a communication from the HR Manager who requests that all the HR hosts need to be on a restricted part of this network due to security policies (payroll data storage and employees sensitive data). However this being a Class C network, the default subnet mask is and allows all the hosts on the network to act like peers (can send messages directly to each other).

How do you configure the network in order to satisfy the HR manager request keeping in place the Class C network?

What do we know?

We have the network which is

If we convert the first four bits of the network we have:1100

At this point we can place this network in the Class C range and also fix the length of the network address at 24 bits. To subnet this network, more than 24 bits must be set to 1 on the left side of the subnet mask.

For instance, the 25-bit mask acts as splitter and creates a two-subnet network. All this is explained in the below table

Network address (24 bits)Subnet number (1 bit)Extended networkHost address range
11000000 10101000 00000001 0 ?
11000000 10101000 00000001 1 ?

The table below illustrates all the subnets you can do with Class C networks:

Network BitsSubnet MaskNumber of SubnetsNumber of Hosts
/24 0 254
/25 2 (0) 126
/26 4 (2) 62
/27 8 (6) 30
/28 16 (14) 14
/29 32 (30) 6
/30 64 (62) 2

When working with subnetting, it is recommended to use an online tool for the conversion to make your job easier. Otherwise, you can start writing down and calculating all the possible subnet combinations using pen and paper.

Private Networks and Subnets

As additional information, the governing bodies that administer Internet Protocol have reserved certain networks for internal uses. The default subnet masks associated with these private networks are listed below.

Network address rangeDefault mask -- -- --

In short, what you need to remember about Subnetting is that it allows network administrators to control network traffic between the hosts. Devices on different subnets (host1 from network 1 and ost A from network A) can only exchange data packets between them if the system administrator allows this via a specialized network devices such as routers (or Layer3 switches that allow routing protocols). All these can make more bandwidth available to applications and can limit access as per the administrator needs.