
If you’ve ever sat in front of a computer giving you one of those dreaded “no network connection” messages, you’ve probably clicked everything that looks like it might bring the Internet back at one point or another, and in your quest for connectivity, you’ve probably run across the term “subnet mask” at least once. If you don’t know a lot about networking, subnet masks might look kind of intimidating. I mean, there’s a lot of numbers and dots going on there.

A typical subnet mask that you’re likely to encounter in a home network should look like unless whoever configured the network did something unusual. If you’ve encountered subnet masks at your office, they might look like instead, but those are just typical subnet masks. Your mileage may vary.

So what the hell is a subnet mask, anyway? To put it simply, a subnet mask tells your network if traffic is going around locally or if it needs to go out onto a wider network.

Let’s break that down a bit more. At its heart, every IP address is a 32-bit binary number. Let’s take an IP address that most people have seen if they’ve ever set up a home wireless router: 192.168.0.1 is 11000000.10101000.00000000.00000001 in binary (though the dots are just there for us silly humans to see so that we can comprehend what we’re seeing). This address has a subnet mask of 255.255.255.0 (which is 11111111.11111111.11111111.00000000 in binary or, as the computer sees it, 11111111111111111111111100000000). Now if you or I were on this network and went looking for the address, it’s as plain as day that it’s on the same network and subnet, but a computer has to hold the address up against its assigned subnet mask and do a bit of binary math on it.

If you’re not familiar with the logical/binary AND operator, all you need to know is that it takes two one-bit binary arguments (a 1 or a 0) and compares them. If you pass in two 1s, you get back a 1; otherwise, you get a 0. Therefore, if you AND an address against a subnet mask, you will get back the network ID (in the case of the example I’ve been using, that’s the first three octets–192.168.0) followed by zeroes for the client ID. If the network ID of the address in question matches the network ID of the address the traffic is coming from, then the system knows the traffic is local; otherwise, it needs to go outside of the local network.

I know what you’re saying right now–this is obvious stuff–why would I need to know about subnet masks? Well, if you’re dealing with simple networks, you mostly don’t. However, you do if you’re interested in splitting up your network into several subnets or VLANs (Virtual Local Area Networks). Let’s say that we have a network that starts at and we want to split it into several subnets, say to isolate network traffic between an administrative office and a public segment of your network. The base network is 192.168.8 /24 (the /24 indicates the number of bits in the subnet mask). Let’s split that into two networks. To do that, we add 1 bit to the subnet mask, making it /25 and creating two subnets with address ranges of - and - (the 0 and the 255 addresses in the last octet are reserved addresses).

Now if you look at two addresses for traffic on this network, it becomes a bit harder to tell which subnet traffic belongs to. (Of course in this example, it’s still easy to tell, but bear with me; I didn’t want to make more subnets.) Your subnet mask is /25, which is 25 1s and seven 0s totaling 32 bits. AND that subnet mask against your target address and presto! There’s your answer.
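Here is the AND test and the /24 to /25 split worked through on raw 32-bit integers, as an added example that is not code from the original post. The function names are this example's own, the base network is written out as 192.168.8.0 on the assumption that this is what 192.168.8 /24 means, and the two host addresses (192.168.8.20 and 192.168.8.200) are constructed for illustration.

```python
# Added example: the subnet-mask AND test done by hand on 32-bit integers.

def to_int(dotted):
    """Parse a dotted-quad IPv4 string into a 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value

def to_dotted(value):
    """Format a 32-bit integer back into dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_from_prefix(prefix):
    """Turn a prefix length such as 25 into 25 one-bits followed by 7 zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def network_id(address, prefix):
    """AND the address against the mask; the host bits come back as zeroes."""
    return to_dotted(to_int(address) & mask_from_prefix(prefix))

def is_local(source, destination, prefix):
    """Traffic is local when both ends produce the same network ID."""
    return network_id(source, prefix) == network_id(destination, prefix)

def split_in_two(network, prefix):
    """Add one bit to the mask and return both new network IDs and the new prefix."""
    if prefix >= 32:
        raise ValueError("a /32 cannot be split further")
    base = to_int(network) & mask_from_prefix(prefix)
    new_bit = 1 << (32 - (prefix + 1))  # the bit the longer mask now covers
    return [to_dotted(base), to_dotted(base | new_bit)], prefix + 1

if __name__ == "__main__":
    print("192.168.0.1 /24 ->", network_id("192.168.0.1", 24))
    subnets, new_prefix = split_in_two("192.168.8.0", 24)
    print("split:", subnets, "/%d" % new_prefix)
    for host in ("192.168.8.20", "192.168.8.200"):  # constructed hosts
        print(host, "is in", network_id(host, new_prefix))
    print("same subnet at /25?", is_local("192.168.8.20", "192.168.8.200", 25))
```

The two constructed hosts count as local to each other under the /24 mask but not under the /25 mask, which is what puts the administrative and public segments on separate subnets.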

Now you know, and knowing is half the battle.

