IP Tutorial: Subnet Mask and Subnetting

Gain flexibility in defining relationships among network hosts

In This Article

Jump to a Section

A subnet allows the flow of network traffic between hosts to be segregated based on a network configuration. By organizing hosts into logical groups, subnetting can improve network security and performance.

Subnet Mask

Perhaps the most recognizable aspect of subnetting is the subnet mask. Like IP addresses, a subnet mask contains four bytes (32 bits) and is often written using the same dotted-decimal notation. For example, here's a common subnet mask in its binary representation:

11111111 11111111 11111111 00000000

This subnet mask is typically shown in the equivalent, more readable form:

Each of the four bytes is eight bits long. In binary notation, a byte consists of eight zeroes and ones, representing powers of two. The "to the power of" value is a function of the position of the value in the string, with the rightmost value starting at 0. A bit value of 11111111 is equal to 27+26+25+24+23+22+21+20, or 255. By contrast, a bit value of 00100001 is equal to 25+20, or 33.

Applying a Subnet Mask

A subnet mask neither works as an IP address nor does it exist independently of IP addresses. Instead, subnet masks accompany an IP address, and the two values work together. Applying the subnet mask to an IP address splits the address into two parts, an extended network address and a host address.

For a subnet mask to be valid, its leftmost bits must be set to 1. For example:

00000000 00000000 00000000 00000000

This subnet mask is not usable on your network because the leftmost bit is set to 0.

Conversely, the rightmost bits in a valid subnet mask must be set to 0, not 1. For example:

11111111 11111111 11111111 11111111

This subnet mask can't be used on a network.

All valid subnet masks contain two parts: the left side with all mask bits set to 1 (the extended network portion) and the right side with all bits set to 0 (the host portion), such as the first example above.

Subnetting in Practice

Subnetting works by applying the concept of extended network addresses to individual computer (and another network device) addresses. An extended network address includes both a network address and additional bits that represent the subnet number.

Together, these two data elements support a two-level addressing scheme recognized by standard implementations of IP. The network address and subnet number, when combined with the host address, support a three-level scheme.

Subnetting scheme

Consider the following real-world example: A small business plans to use the network for its internal (intranet) hosts. The human resources department wants their computers to be on a restricted part of this network because they store payroll information and other sensitive employee data. But because this is a Class C network, the default subnet mask of allows all computers on the network to be peers (to send messages directly to each other) by default.

The first four bits of


This places the network in the Class C range and also fixes the length of the network address at 24 bits. To subnet this network, more than 24 bits must be set to 1 on the left side of the subnet mask.

For every additional bit set to 1 in the mask, another bit becomes available in the subnet number to index additional subnets. A two-bit subnet number can support up to four subnets, a three-bit number supports up to eight subnets, and so on.

Private Networks and Subnets

The governing bodies that administer Internet Protocol have reserved certain networks for internal uses. In general, intranets using these networks gain more control over managing their IP configuration and internet access. Consult RFC 1918 for more details about these special networks.


Subnetting allows network administrators some flexibility in defining relationships among network hosts. Hosts on different subnets can only talk to each other through specialized network gateway devices like routers. The ability to filter traffic between subnets can make more bandwidth available to applications and can limit access in desirable ways.

Was this page helpful?