What Is a Subnet Mask? Subnets, CIDR and Subnetting Explained
A subnet mask is the rule that splits an IP address into two pieces: the part
that identifies the network and the part that identifies an individual
host on it. It is what lets your computer decide whether another address is a
neighbour it can reach directly, or somewhere it must send through the router. This guide
explains what a subnet and a subnet mask are, how the dotted-decimal mask
(255.255.255.0) and modern CIDR slash notation (/24) describe the same
thing, how to read network and host bits, and how to work out the network address, broadcast
address and number of usable hosts. We finish with a fully worked example, a table of the common
masks, the private ranges, and a short FAQ.
What a subnet and a subnet mask actually are
Every IPv4 address is a 32-bit number, normally written as four decimal numbers from 0 to
255 separated by dots, such as 192.168.1.10. On its own, that address does not
say where the network ends and the host begins. The subnet mask supplies
that boundary. It is also a 32-bit value, written the same dotted way, and its job is to mark
which bits of the address belong to the network and which belong to the host.
The rule is simple: where the mask has a 1 bit, the matching bit of the address is part of the network; where the mask has a 0 bit, the matching bit is part of the host. The 1 bits are always contiguous and start from the left, so a valid mask is just a run of ones followed by a run of zeros.
A subnet is the block of addresses that all share the same network bits. Two
devices are on the same subnet, and can talk to each other directly without going through a
router, only if their addresses match across every network bit defined by the mask. Take the
mask 255.255.255.0: it makes the first three octets the network and the last
octet the host. So 192.168.1.10 and 192.168.1.200 are on the same
subnet, while 192.168.2.10 is on a different one, even though only a single
number changed.
Network part versus host part
Think of an IP address like a street address. The network part is the street name (everyone on it is a neighbour), and the host part is the house number (which identifies one specific building). The subnet mask is the line that says where the street name stops and the house number starts.
Dotted-decimal vs CIDR (/24) notation
There are two ways to write the same boundary, and you will meet both constantly.
Dotted-decimal masks
The traditional form writes the mask as four decimal octets, for example
255.255.255.0. Each 255 is a fully set octet
(11111111 in binary, eight network bits), and each 0 is a fully
clear octet (00000000, eight host bits). So 255.255.255.0 is
twenty-four 1 bits followed by eight 0 bits.
CIDR slash notation
CIDR (Classless Inter-Domain Routing) notation simply counts the network bits and writes that
count after a slash. Because 255.255.255.0 has 24 network bits, it is written
/24, and an address inside it looks like 192.168.1.10/24. The two
notations are interchangeable:
/8equals255.0.0.0/16equals255.255.0.0/24equals255.255.255.0/26equals255.255.255.192
CIDR is the modern standard because it is compact and supports any prefix length, not just the old class boundaries of /8, /16 and /24. If you ever need to convert a mask to a prefix or carve a block into smaller pieces, the CIDR Block Calculator does the conversion and the splitting for you.
Network bits and host bits in binary
Subnetting clicks into place once you look at the binary. Take the address
192.168.1.10 with a /26 mask
(255.255.255.192) and line them up:
| Value | Decimal | Binary (32 bits) |
|---|---|---|
| IP address | 192.168.1.10 |
11000000.10101000.00000001.00001010 |
| Subnet mask | 255.255.255.192 |
11111111.11111111.11111111.11000000 |
| Network address | 192.168.1.0 |
11000000.10101000.00000001.00000000 |
The mask has 26 ones, so the first 26 bits of the address are the network and the remaining 6
bits are the host. To find the network address, you keep every network bit of
the address and set every host bit to 0 - that is a bitwise AND of the address and the mask.
Here that gives 192.168.1.0. The host bits are what vary from one device to the
next inside that subnet.
Two useful counts fall straight out of the split. The number of host bits is
32 minus the prefix, and the number of host addresses is 2 raised to that
power. For our /26: 32 minus 26 is 6 host bits, and 2 to the power 6 is 64 total
addresses.
How to calculate network, broadcast and usable hosts
Three formulas cover almost everything you will need:
- Network address. Keep the network bits, set all host bits to 0. It is the first address in the block.
- Broadcast address. Keep the network bits, set all host bits to 1. It is the last address in the block.
- Usable hosts.
2^(32 - prefix) - 2. The minus 2 removes the network and broadcast addresses, which cannot be assigned to a device.
The broadcast address is the all-host-bits-set address because a packet sent there reaches every host on the subnet at once. The network address, with all host bits clear, names the subnet itself. That is why both are reserved and why a block of 256 addresses only gives you 254 you can actually hand to machines.
A fully worked example: 192.168.1.10 /24
Suppose your laptop has the address 192.168.1.10 with a /24 mask
(255.255.255.0), a very common home-network setup. Here is how to work out the
whole subnet by hand:
- Host bits. 32 minus 24 is 8 host bits.
- Total addresses. 2 to the power 8 is 256 addresses in the block.
- Network address. Set the 8 host bits to 0: the last octet becomes 0, giving
192.168.1.0. - Broadcast address. Set the 8 host bits to 1: the last octet becomes 255, giving
192.168.1.255. - Usable host range. Everything between the two reserved addresses:
192.168.1.1to192.168.1.254. - Usable hosts. 2 to the power 8, minus 2, is 254.
Now tighten the same address to a /26 (255.255.255.192). The block
shrinks to 64 addresses: the network address is 192.168.1.0, the broadcast
address is 192.168.1.63, the usable range is 192.168.1.1 to
192.168.1.62, and you get 62 usable hosts. Borrowing two bits from the host part
split the old /24 into four smaller /26 subnets.
Check your working instantly
Rather than do the bitwise arithmetic by hand every time, drop the address and prefix into our IP Subnet Calculator. It returns the mask, network and broadcast addresses, the usable host range and the host count, so you can confirm a hand calculation in seconds or plan a new addressing scheme with confidence.
Common subnet masks at a glance
These are the masks you will see most often. Memorising the last octet values for
/25 through /30 (128, 192, 224, 240, 248, 252) makes mental
subnetting much faster.
| CIDR | Subnet mask | Total addresses | Usable hosts |
|---|---|---|---|
/8 |
255.0.0.0 |
16,777,216 | 16,777,214 |
/16 |
255.255.0.0 |
65,536 | 65,534 |
/24 |
255.255.255.0 |
256 | 254 |
/25 |
255.255.255.128 |
128 | 126 |
/26 |
255.255.255.192 |
64 | 62 |
/27 |
255.255.255.224 |
32 | 30 |
/28 |
255.255.255.240 |
16 | 14 |
/29 |
255.255.255.248 |
8 | 6 |
/30 |
255.255.255.252 |
4 | 2 |
The /30 is popular for point-to-point router links because it gives exactly two
usable addresses, one for each end. A newer convention defined in RFC 3021, the
/31, uses both addresses for the two ends of a point-to-point link and skips the
network and broadcast reservation entirely, which is why the usual minus-2 rule does not apply
to it.
Private IP address ranges (RFC 1918)
Subnet masks are most visible on the private ranges reserved by RFC 1918 for use inside home and corporate networks. These addresses are never routed on the public internet, so countless separate networks reuse the same blocks behind NAT (Network Address Translation):
| CIDR block | Mask | Address range |
|---|---|---|
10.0.0.0/8 |
255.0.0.0 |
10.0.0.0 to 10.255.255.255 |
172.16.0.0/12 |
255.240.0.0 |
172.16.0.0 to 172.31.255.255 |
192.168.0.0/16 |
255.255.0.0 |
192.168.0.0 to 192.168.255.255 |
Note the 172.16.0.0/12 range carefully: the /12 mask
(255.240.0.0) makes the network span the second octet from 16 to 31, so the block
runs all the way to 172.31.255.255, not 172.16.255.255. That is one
of the most common subnetting mistakes. If you want to know what your own connection looks
like to the outside world - your public address rather than the private one your device holds
on the LAN - check it with our
IP Lookup tool.
Why subnetting matters
Splitting a large network into smaller subnets is not busywork; it solves real problems:
- Efficient address use. Handing a point-to-point link a full
/24wastes 252 addresses. A/30gives it exactly the two it needs. - Smaller broadcast domains. Broadcast traffic stays inside its subnet, so a busy network does not flood every device with chatter it does not need.
- Security and segmentation. Putting guests, servers and staff on separate subnets lets firewalls control exactly what can talk to what.
- Cleaner routing. Routers make forwarding decisions on the network portion of an address, so well-planned subnets keep routing tables compact and predictable.
Related tools & reading
- IP Subnet Calculator - enter an address and prefix to get the mask, network, broadcast, host range and host count.
- CIDR Block Calculator - convert between masks and prefixes and split a block into smaller subnets.
- Subnet Cheat Sheet - a printable /8 to /32 table of every CIDR prefix, subnet mask, wildcard mask and host count.
- IP Lookup - see what your public IP address reveals about your connection.
- Understanding IP Addresses - how IPv4 and IPv6 addresses are structured.
- Back to the Learning Center
Frequently asked questions
What is a subnet mask in simple terms?
A subnet mask is a 32-bit value, written like an IP address (for example 255.255.255.0), that tells a device which part of an IP address identifies the network and which part identifies the individual host. Where the mask has a 1 bit, that position belongs to the network; where it has a 0 bit, that position belongs to the host. With a 255.255.255.0 mask the first three numbers are the network and the last number is the host, which is why 192.168.1.10 and 192.168.1.20 are on the same local network but 192.168.2.10 is not.
What is the difference between a subnet and a subnet mask?
A subnet is the network itself: a group of IP addresses that share the same network portion and can talk to each other directly, such as 192.168.1.0/24. A subnet mask is the rule that defines where that network portion ends and the host portion begins. Put simply, the mask is the measuring tool and the subnet is the block of addresses it carves out. Change the mask and you change the size and boundaries of the subnet.
What does /24 mean in an IP address?
The /24 is CIDR (Classless Inter-Domain Routing) notation. It means the first 24 bits of the address are the network part, which leaves 8 bits for hosts. A /24 is exactly the same as the subnet mask 255.255.255.0, because 24 ones followed by 8 zeros, grouped into four octets, is 255.255.255.0. A /24 block holds 256 total addresses and 254 usable host addresses once you set aside the network and broadcast addresses.
How do I calculate the number of usable hosts in a subnet?
Take the number of host bits (32 minus the CIDR prefix), raise 2 to that power to get the total addresses, then subtract 2 for the network and broadcast addresses. The formula is usable hosts = 2^(32 - prefix) - 2. A /24 has 8 host bits, so 2^8 - 2 = 254 usable hosts; a /26 has 6 host bits, so 2^6 - 2 = 62; a /30 has 2 host bits, so 2^2 - 2 = 2. The only exceptions are /31 point-to-point links and single-host /32 addresses, where the minus-2 rule does not apply.
What are the private IP address ranges?
RFC 1918 reserves three ranges for private use inside home and corporate networks: 10.0.0.0/8 (10.0.0.0 to 10.255.255.255), 172.16.0.0/12 (172.16.0.0 to 172.31.255.255), and 192.168.0.0/16 (192.168.0.0 to 192.168.255.255). These addresses are not routed on the public internet, so many separate networks reuse them behind NAT. The common 172 trap is to assume it stops at 172.16.255.255; the /12 actually runs all the way through the 172.31 block.
Why does a subnet lose two addresses?
In a normal subnet the first address is the network address (the identifier for the subnet as a whole) and the last address is the broadcast address (used to reach every host on that subnet at once). Neither can be assigned to a regular host, so a block of 256 addresses such as a /24 yields 254 usable host addresses. Modern /31 links are a special case defined by RFC 3021 that uses both addresses for point-to-point connections.