If you've ever configured a network interface, set up a router, or read a firewall rule, you've encountered subnet masks and CIDR notation. These concepts are the foundation of how networks are organized and how devices determine which other devices are on the same local network versus which ones require routing through a gateway. Despite being fundamental, they're among the most commonly misunderstood topics in networking.
In over 20 years of IT and network administration, I've helped countless people get past the initial confusion around subnetting. The key is understanding that it's really just about dividing IP address space into smaller, manageable pieces, like splitting a phone book into sections by area code. Once that clicks, everything else follows logically.
What Is a Subnet Mask?
Every device on an IP network has two pieces of addressing information: an IP address and a subnet mask. The IP address identifies the specific device, but the subnet mask tells the device which portion of that address refers to the network and which portion refers to the individual host. Think of it like a street address: the street name identifies the neighborhood (network), and the house number identifies the specific location (host). The subnet mask defines where the dividing line between "street name" and "house number" falls.
The most common subnet mask you'll encounter in home networks is 255.255.255.0. In binary, this is 24 consecutive 1s followed by 8 consecutive 0s. The 1s mark the network portion of the address, and the 0s mark the host portion. So if your IP address is 192.168.1.50 with a subnet mask of 255.255.255.0, the network portion is 192.168.1 and the host portion is 50. Any device with an address in the range 192.168.1.1 through 192.168.1.254 is on the same subnet as you.
Why does this matter? Because when your computer wants to send data to another IP address, it uses the subnet mask to determine if the destination is on the local network or if the data needs to be sent to the gateway (router) for forwarding. If the destination is on the same subnet, the device sends the data directly using the local network. If it's on a different subnet, the data goes to the default gateway, which routes it appropriately. This is why getting your subnet mask wrong can cause bizarre connectivity issues: your device might try to reach a local device through the router, or try to reach an internet host directly on the local network.
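The AND-and-compare decision described above, as an added example that is not part of the original article. The host, gateway and destination addresses are constructed sample values (203.0.113.5 is a documentation address standing in for an internet host); the last case shows the misconfigured-mask failure mode.

```python
# Added example: how a host uses its subnet mask to decide whether a
# destination is on the local network or must be sent to the gateway.
# All addresses below are constructed sample values.

def ip_to_int(dotted: str) -> int:
    """Convert dotted-quad text to a 32-bit integer, validating each octet."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def network_of(ip: str, mask: str) -> str:
    """Bitwise AND of address and mask yields the network address."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))

def next_hop(my_ip: str, my_mask: str, gateway: str, dst: str) -> str:
    """Return 'direct' if dst shares our network, else the gateway address.
    This is the same mask-and-compare test the host's IP stack performs."""
    if network_of(my_ip, my_mask) == network_of(dst, my_mask):
        return "direct"
    return gateway

if __name__ == "__main__":
    host, gw = "192.168.1.50", "192.168.1.1"
    # Correct /24 mask: a LAN peer is local, an internet host goes to the router.
    print(next_hop(host, "255.255.255.0", gw, "192.168.1.20"))   # direct
    print(next_hop(host, "255.255.255.0", gw, "203.0.113.5"))    # 192.168.1.1
    # Misconfigured /16 mask: 192.168.2.10 is wrongly treated as local, so the
    # host looks for it on the LAN instead of forwarding to the router.
    print(next_hop(host, "255.255.0.0", gw, "192.168.2.10"))     # direct
```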
Common Subnet Masks
While subnet masks can be any valid combination of consecutive 1s followed by 0s in binary, a few are far more common than others. The mask 255.255.255.0 (called a /24) is the standard for home networks and small offices. It gives you 254 usable host addresses (1 through 254), which is more than enough for most homes. The .0 address is reserved as the network address and .255 is the broadcast address, so neither can be assigned to devices.
The mask 255.255.0.0 (a /16) is common in larger corporate networks. It provides 65,534 usable host addresses, enough for a large campus or enterprise. The 10.0.0.0/16 range, for instance, gives you addresses from 10.0.0.1 through 10.0.255.254. You'll sometimes see this in enterprise environments where simplicity is preferred over efficiency; it's easier to put everything in one big subnet than to manage many smaller ones.
The mask 255.0.0.0 (a /8) is rarely used in practice because it allows over 16 million hosts on a single subnet, which would be completely impractical. However, the 10.0.0.0/8 range is frequently used with smaller subnet masks carved out of it for different departments or locations within an organization.
Subnet masks with boundaries that don't fall neatly on the octet are where things get more interesting. A mask of 255.255.255.128 (a /25) splits a standard /24 network in half, giving you two subnets of 126 hosts each. A mask of 255.255.255.192 (a /26) creates four subnets of 62 hosts each. This is where subnetting really becomes useful: when you need to carve a network into specific-sized pieces for different purposes.
CIDR Notation Explained
Writing out full subnet masks like 255.255.255.0 gets tedious quickly, especially in documentation and configuration files. CIDR (Classless Inter-Domain Routing) notation provides a compact shorthand. Instead of writing the IP address and subnet mask separately, CIDR appends a forward slash and a number to the IP address. The number represents how many bits in the subnet mask are set to 1.
So 192.168.1.0/24 means "the network 192.168.1.0 with a subnet mask of 255.255.255.0"; the /24 indicates 24 bits for the network portion, leaving 8 bits for hosts. Similarly, 10.0.0.0/16 means the subnet mask is 255.255.0.0 (16 bits for the network), and 172.16.0.0/12 means the subnet mask is 255.240.0.0 (12 bits for the network).
CIDR notation is used everywhere in networking: firewall rules, routing tables, cloud infrastructure configurations, and network documentation. When you see a firewall rule that says "allow traffic from 10.10.5.0/24," it means allow traffic from any address in the range 10.10.5.0 through 10.10.5.255. Understanding CIDR is essential for reading and writing network configurations accurately.
A useful trick for quick calculations: each step down in the CIDR number doubles the number of addresses. A /24 has 256 addresses, a /23 has 512, a /22 has 1,024, and so on. Going the other direction, a /25 has 128, a /26 has 64, a /27 has 32, and a /28 has 16. The formula is 2 raised to the power of (32 minus the CIDR number) for the total addresses, then subtract 2 for the usable host count (network address and broadcast address are reserved).
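The CIDR arithmetic from the last few paragraphs, as an added example that is not part of the original article: prefix-to-mask and mask-to-prefix conversion (rejecting masks whose 1s are not contiguous), the 2^(32 - prefix) address count, and the membership test behind a rule like "allow traffic from 10.10.5.0/24". It goes slightly beyond the subtract-2 rule in the text by treating /31 and /32, which have no network/broadcast pair to subtract. The sample networks are constructed.

```python
# Added example: CIDR prefix <-> dotted mask, address counts, and a
# firewall-style "is this address inside that CIDR block" check.

def _dotted_to_int(dotted: str) -> int:
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid dotted quad: {dotted}")
    return int.from_bytes(bytes(octets), "big")

def _int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> str:
    """Prefix length -> dotted mask, e.g. 12 -> 255.240.0.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return _int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> prefix length. Rejects masks whose 1 bits are not a
    contiguous run from the left (e.g. 255.0.255.0), which are invalid."""
    value = _dotted_to_int(mask)
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones

def address_counts(prefix: int) -> tuple[int, int]:
    """(total addresses, usable hosts). Up to /30 the network and broadcast
    addresses are subtracted; /31 (point-to-point) and /32 have none to lose."""
    total = 2 ** (32 - prefix)
    usable = total - 2 if prefix <= 30 else total
    return total, usable

def in_cidr(ip: str, cidr: str) -> bool:
    """True if ip falls inside cidr: mask both sides and compare networks."""
    net_txt, prefix_txt = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix_txt))) & 0xFFFFFFFF
    return (_dotted_to_int(ip) & mask) == (_dotted_to_int(net_txt) & mask)

if __name__ == "__main__":
    for p in (24, 23, 22, 25, 26, 27, 28):
        print(f"/{p}: mask {prefix_to_mask(p):15} total/usable {address_counts(p)}")
    print(in_cidr("10.10.5.200", "10.10.5.0/24"), in_cidr("10.10.6.1", "10.10.5.0/24"))
```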
Why Subnetting Matters
Network segmentation is the primary reason organizations subnet their networks. By dividing a large network into smaller subnets, you can separate departments, floors, or device types. The accounting department might be on 10.10.1.0/24, engineering on 10.10.2.0/24, and guest Wi-Fi on 10.10.100.0/24. This separation allows you to apply different security policies to each segment: accounting can't reach engineering's development servers, and guest Wi-Fi can't reach any internal resources.
Broadcast control is another important reason. Every subnet has a broadcast address, and broadcast traffic is sent to every device on the subnet. In a network with thousands of devices on a single subnet, broadcast traffic can consume significant bandwidth. Breaking the network into smaller subnets contains broadcast traffic within each segment, improving overall performance.
IP address management becomes much more organized with proper subnetting. Instead of having 10,000 devices scattered randomly across a /16 range, you can allocate specific /24 blocks to specific locations or purposes. This makes it much easier to track address usage, troubleshoot connectivity issues, and plan for growth.
Security and compliance requirements often mandate network segmentation. PCI DSS compliance, for instance, requires that systems handling credit card data are isolated on their own network segment. Proper subnetting, combined with firewall rules between subnets, is how organizations achieve this isolation.
Subnetting in Practice
Let's walk through a practical example. Suppose you're managing a small office network and your ISP has given you the network 192.168.10.0/24, providing 254 usable addresses. You need separate subnets for the office computers (about 50 devices), the server room (about 10 devices), and the guest Wi-Fi (about 30 devices), with room to grow.
You could divide the /24 into four /26 subnets, each with 62 usable addresses. The first subnet, 192.168.10.0/26, covers addresses 192.168.10.1 through 192.168.10.62, which you'd assign to office computers. The second subnet, 192.168.10.64/26, covers 192.168.10.65 through 192.168.10.126, which you'd use for servers. The third subnet, 192.168.10.128/26, covers 192.168.10.129 through 192.168.10.190, which becomes your guest network. The fourth subnet, 192.168.10.192/26, stays in reserve for future use.
Each subnet needs its own gateway address on the router (typically the first or last usable address in the range), and the router handles traffic between subnets according to your firewall rules. Devices within the same subnet communicate directly, while cross-subnet traffic passes through the router where it can be filtered and logged.
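The office walkthrough above, carried through in code as an added example that is not part of the original article: it carves 192.168.10.0/24 into four /26 blocks and reports each block's network, usable range, broadcast and gateway. The role names and the gateway-as-first-usable policy are assumptions of this example; the stdlib ipaddress module is used only to cross-check the hand arithmetic.

```python
# Added example: split a parent block into equal child subnets and lay out
# each one the way the walkthrough does. Roles and gateway policy are assumed.
import ipaddress

def _fmt(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def carve(parent_cidr: str, new_prefix: int) -> list[dict]:
    """Split parent_cidr into 2**(new_prefix - parent_prefix) subnets."""
    net_txt, parent_prefix = parent_cidr.split("/")
    parent_prefix = int(parent_prefix)
    if not parent_prefix <= new_prefix <= 30:
        raise ValueError("new prefix must lie between the parent prefix and /30")
    base = int.from_bytes(bytes(int(x) for x in net_txt.split(".")), "big")
    parent_mask = (0xFFFFFFFF << (32 - parent_prefix)) & 0xFFFFFFFF
    if base & parent_mask != base:
        raise ValueError(f"{net_txt} is not the network address of a /{parent_prefix}")
    size = 2 ** (32 - new_prefix)              # addresses per child block
    blocks = []
    for i in range(2 ** (new_prefix - parent_prefix)):
        start = base + i * size
        blocks.append({
            "cidr": f"{_fmt(start)}/{new_prefix}",
            "gateway": _fmt(start + 1),        # first usable, assumed convention
            "first_usable": _fmt(start + 1),
            "last_usable": _fmt(start + size - 2),
            "broadcast": _fmt(start + size - 1),
            "usable": size - 2,
        })
    return blocks

def plan_office(parent: str = "192.168.10.0/24") -> dict:
    """Assign the walkthrough's roles to the four /26 blocks, in order."""
    roles = ["office", "servers", "guest-wifi", "reserved"]
    return dict(zip(roles, carve(parent, 26)))

if __name__ == "__main__":
    for role, b in plan_office().items():
        net = ipaddress.ip_network(b["cidr"])       # cross-check against stdlib
        assert str(net.broadcast_address) == b["broadcast"]
        assert net.num_addresses - 2 == b["usable"]
        print(f"{role:10} {b['cidr']:19} gw {b['gateway']:15} "
              f"hosts {b['first_usable']}-{b['last_usable']}")
```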
Subnetting and Your Home Network
Most home users don't need to subnet their network; a single /24 with 254 addresses is plenty for a typical household. However, as smart home devices proliferate, some security-conscious users are starting to segment their home networks. Putting IoT devices on a separate subnet from your computers and phones means a compromised smart bulb can't be used to attack your laptop.
If you want to experiment with subnetting at home, many consumer routers support VLANs (Virtual LANs) that let you create multiple network segments. More advanced setups using pfSense, OPNsense, or even a managed switch can give you full control over subnet configuration. Even if you never subnet your home network, understanding how it works will help you troubleshoot issues; knowing that a device with the wrong subnet mask can't reach other local devices, for example, can save hours of frustrated debugging.
You can use IP Lobster's Geolocation tool to look up information about any public IP address, and the DNS Lookup tool to verify hostname resolution across different network segments.
Quick Reference
Here are the most commonly used CIDR ranges and their details:
/24: subnet mask 255.255.255.0, 254 usable hosts; the standard for small networks.
/25: subnet mask 255.255.255.128, 126 usable hosts.
/26: subnet mask 255.255.255.192, 62 usable hosts.
/27: subnet mask 255.255.255.224, 30 usable hosts.
/28: subnet mask 255.255.255.240, 14 usable hosts.
/29: subnet mask 255.255.255.248, 6 usable hosts.
/30: subnet mask 255.255.255.252, just 2 usable hosts; typically used for point-to-point links between routers.
Understanding subnetting is one of those networking skills that separates someone who can set up a home router from someone who can design and troubleshoot a complex network. Even if you only use a small fraction of this knowledge in practice, having the conceptual foundation makes every other networking topic easier to understand.