An IP address like 192.168.47.129 appears to be four numbers separated by dots. But which part identifies the network, and which part identifies the specific device? Without additional information, it's impossible to know.

The IP address 192.168.47.129 could represent:

• Host 47.129 on network 192.168.0.0 (if it's a /16)
• Host 129 on network 192.168.47.0 (if it's a /24)
• Host 1 on network 192.168.47.128 (if it's a /25)

This ambiguity is resolved by the subnet mask—a 32-bit value that explicitly declares where the network portion ends and the host portion begins. The subnet mask is not optional metadata; it is an integral part of how IP addressing functions.

A subnet mask is a 32-bit binary number that masks the network portion of an IP address. When applied to an IP address using a bitwise AND operation, it extracts the network (and subnet) address, stripping away the host identifier.

The Core Concept:

A subnet mask consists of:

• 1s (ones): All the bits that belong to the network/subnet portion
• 0s (zeros): All the bits that belong to the host portion

The 1s and 0s are always contiguous—all the 1s come first, followed by all the 0s. There is never a 0 followed by a 1 in a valid subnet mask.

Example:

Subnet Mask:  255.255.255.0
Binary:       11111111.11111111.11111111.00000000
              └─────── Network Portion ───────┘└─Host─┘
                        (24 bits)              (8 bits)

This mask indicates: "The first 24 bits are the network address; the last 8 bits are the host address."

Historical Context:

In the original classful addressing scheme, subnet masks were implicit:

• Class A: 255.0.0.0 (/8)
• Class B: 255.255.0.0 (/16)
• Class C: 255.255.255.0 (/24)

RFC 950 introduced explicit subnet masks that could extend beyond these defaults, enabling the flexible subnetting we discussed in Page 1. Today, subnet masks are always explicit—never assumed from the address class.

To truly understand subnet masks, you must be comfortable with their binary representation. Every subnet mask is a 32-bit value where the pattern is always:

1111...1111 0000...0000
└─ n ones ─┘└─ 32-n zeros ─┘

Converting Between Decimal and Binary:

Each octet (8 bits) converts between decimal and binary independently:

The Key Pattern:

These are the ONLY valid values for any octet in a subnet mask:

• 255: All 8 bits are network bits
• 254, 252, 248, 240, 224, 192, 128: Partially network bits (transition octet)
• 0: All 8 bits are host bits

Any other value (like 253, 100, or 177) is invalid because it would have non-contiguous 1s and 0s.

Examples of Invalid Subnet Masks:

255.255.253.0  ← Invalid! 253 = 11111101 (0 between 1s)
255.255.255.100 ← Invalid! 100 = 01100100 (1s not contiguous)
255.0.255.0    ← Invalid! Non-contiguous octets

Transition Octet:

A subnet mask has at most one "transition" octet where the 1s end and 0s begin. All octets before it are 255; all octets after it are 0.

255.255.240.0
│   │   │   └── All zeros (after transition)
│   │   └────── Transition octet (11110000 = 240)
│   └────────── All ones (255, before transition)
└────────────── All ones (255, before transition)

Subnet masks can be expressed in three equivalent formats. Understanding all three is essential because different documentation, tools, and contexts use different formats.

Converting Between Formats:

CIDR to Dotted-Decimal:

1. Write the CIDR length (e.g., /22 = 22 network bits)
2. Fill 22 ones, then pad with zeros to 32 bits
3. Convert each 8-bit group to decimal

/22 = 11111111.11111111.11111100.00000000
    = 255.255.252.0

Dotted-Decimal to CIDR:

1. Convert each octet to binary
2. Count the total number of 1s

255.255.248.0 = 11111111.11111111.11111000.00000000
              = 8 + 8 + 5 + 0 = 21 ones
              = /21

The subnet mask's practical function is to extract the network address from any IP address using a bitwise AND operation. This operation is fundamental to how every TCP/IP device determines whether a destination is local or remote.

Bitwise AND Rules:

When you AND an IP address with a subnet mask:

• Bits where the mask is 1 preserve the IP address bit (network portion)
• Bits where the mask is 0 become 0 (host portion stripped)

Worked Example:

Determine the network address for 192.168.47.129 with mask 255.255.255.192 (/26):

IP Address:    192.168.47.129
Binary:        11000000.10101000.00101111.10000001

Subnet Mask:   255.255.255.192
Binary:        11111111.11111111.11111111.11000000
─────────────────────────────────────────────────
AND Result:    11000000.10101000.00101111.10000000
Decimal:       192.168.47.128 Network Address: 192.168.47.128 / 26

Why This Works:

The subnet mask's 1s preserve the network bits exactly. The 0s zero out the host bits, leaving only the network identifier. No matter what host bits were in the original address, ANDing with 0s produces 0s—giving us the base network address.

The Local/Remote Algorithm:

Source: 192.168.47.129 / 26
Dest A: 192.168.47.190
Dest B: 192.168.47.65
Mask: 255.255.255.192

Source AND Mask = 192.168.47.128(network address) 

Dest A AND Mask: 
  192.168.47.190 AND 255.255.255.192
  = 11000000.10101000.00101111.10111110
    AND
    11111111.11111111.11111111.11000000
  = 11000000.10101000.00101111.10000000
  = 192.168.47.128 ← MATCHES source's network!
  → Dest A is LOCAL (same subnet)

Dest B AND Mask:
  192.168.47.65 AND 255.255.255.192
  = 11000000.10101000.00101111.01000001
    AND
    11111111.11111111.11111111.11000000
  = 11000000.10101000.00101111.01000000
  = 192.168.47.64 ← Does NOT match!
  → Dest B is REMOTE (different subnet)

This simple AND comparison, performed billions of times per second across the Internet, is the foundation of IP routing.

For practical work, memorizing key subnet mask values accelerates calculations and troubleshooting. Here's a comprehensive reference organized by the transition octet.

The Block Size Trick:

The block size (also called increment or jump) is the number of addresses in each subnet. It's calculated as:

Block Size = 256 - (value of transition octet)

For /26 (255.255.255.192):

• Block Size = 256 - 192 = 64
• Subnet boundaries: 0, 64, 128, 192
• For address 192.168.1.100, find the highest multiple of 64 ≤ 100:
  • 64 ≤ 100 < 128
  • Network = 192.168.1.64/26

This mental math shortcut eliminates binary conversion for most practical calculations.

Third-Octet Subnet Masks:

When subnetting crosses into the third octet:

The pattern continues identically, just with larger address ranges per subnet.

While subnet masks are used by operating systems and most routing configurations, some network equipment (particularly Cisco routers for access control lists) uses wildcard masks—the bitwise inverse of subnet masks.

The Relationship:

Subnet Mask:   255.255.255.192  (match network bits)
Wildcard Mask:   0.0.0.63       (match host bits)

Subnet Mask + Wildcard Mask = 255.255.255.255 (always)

Why Wildcards Exist:

Wildcard masks originated in Cisco IOS for access control lists (ACLs) where the semantics are inverted:

• Subnet mask: "These bits must match" (network portion)
• Wildcard mask: "These bits don't matter" (can vary)

In an ACL, permit 192.168.1.0 0.0.0.255 means "permit any IP where the first three octets are 192.168.1—the last octet can be anything."

Quick Conversion:

To convert subnet mask to wildcard (or vice versa), subtract each octet from 255:

Subnet:   255.255.255.192
          255-255 . 255-255 . 255-255 . 255-192
          = 0.0.0.63
Wildcard: 0.0.0.63

Common Wildcard Masks:

Subnet masks appear throughout network configurations. Understanding where and how they're specified is essential for practical networking.

Troubleshooting Subnet Mask Issues:

Incorrect subnet masks cause subtle but serious problems:

1. Mask too large (e.g., /24 instead of /25)

   • Device thinks it's on a larger network
   • May try to ARP for devices that should be routed
   • Packets fail when target is actually on different subnet

2. Mask too small (e.g., /26 instead of /24)

   • Device thinks it's on a smaller network
   • Routes traffic to gateway when local delivery would work
   • Gateway may not route back correctly

3. Mask mismatch between devices

   • Devices on same wire may not communicate
   • Asymmetric routing issues
   • Intermittent connectivity based on address ranges

The subnet mask is the critical piece of information that gives IP addresses their meaning. Without it, network boundaries are undefined and routing is impossible.

What's Next:

With the subnet mask mechanics understood, we're ready to apply this knowledge to create subnets. The next page covers subnet creation—the process of designing a subnetting scheme that meets organizational requirements for host counts, subnet counts, and efficient address utilization.