Grokking the Mask – understanding classless subnetwork masks

I’ve noticed that many networking students have few problems answering questions about the simpler, classful networks and their subnet masks. But then many struggle when problems involve CIDR networks.

I think it’s because beginners have grasped the basics using some rules of thumb, but not the underlying principles.

When we take the class C netmask, 255.255.255.0, the shortcut thought is that the magic number 255 means “part of network”, and magic 0 means “part of host address”. But if that’s all you know, then as soon as you see a netmask like 255.255.192.0, you’re stumped. What does the 192 mean?

The two keys to decoding 192 are understanding what a mask, generically, is, and thinking in binary instead of base 10.

Base 10 to Base 2

Computers and networking systems are very binary-oriented devices, and this typically means data structures conform to some power of 2: a byte, 16, 32 or 64 bits, etc. IPv4 addresses are, of course, 32 bits. But these are unwieldy to write down or remember (it’s handy to know a few addresses of vital services, for when DNS is suspected as a problem), and so we break them into 4 bytes, convert each byte to base 10, and write them out in the familiar “dotted quad” notation.

00001000000010000000100000001000 is towards the easier end, but still easy to mistype. 8.8.8.8 is much more memorable and compact. It’s also Google’s open nameserver address, a definite candidate for a must-remember number.

Base10         8        8        8        8
Base2   00001000 00001000 00001000 00001000


Masks, in computing, are like stencils: sheets of card, with holes cut out in strategic locations. Some are used in graphical applications, to hide unwanted parts of an image. In programming, a bitmask can be a great way to compactly store and retrieve boolean values (an 8-bit byte variable can be a number, sure, but you can also think of it as 8 different yes/no values).

The netmask is difficult to see in decimal, but if we line up the IP address and the netmask in binary, it starts to make more sense. Let’s use my earlier example, 255.255.192.0, and an IP address of 203.14.78.162. What would be the range of IP addresses considered part of the local network?

11111111 11111111 11000000 00000000   <-- netmask (255.255.192.0)
11001011 00001110 01001110 10100010   <-- our IP address (203.14.78.162)
11001011 00001110 01000000 00000000   <-- our network address (203.14.64.0)

The 1s of the netmask can be thought of as each saying “yes, a bit in this position is the network part”, and the 0s as saying “no, this is the host part”. So we look down to the IP address, and wherever there is a 1 above, we copy the 1 or 0 value down as part of the network address; wherever there is a 0 above, we write a 0. This, you may already know, is a bitwise-AND operation.

So, what’s the range, then? Well, that’s found by taking the host part and going from “one” to “all ones but one”. Not zero, because that’s the network address we just found, and not “all ones”, because that’s the network’s broadcast address.

11001011 00001110 01000000 00000000   <-- our network address (203.14.64.0)
11001011 00001110 01000000 00000001   <-- first localnet host (203.14.64.1)
11001011 00001110 01111111 11111110   <-- last localnet host (203.14.127.254)

Of those two IP addresses, one is usually used as the gateway.
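
The same arithmetic as an added example (not code from the original post): the AND, the host range, and a "same network?" check of the kind an ACL or firewall rule performs, written with explicit bit operations. The function names are illustrative, and the sample address and mask are the dotted-quad forms of the binary rows in the worked example above.

```python
# Added example: the page's netmask arithmetic as explicit bit operations.

def to_int(dotted):
    """Convert a dotted quad such as '8.8.8.8' to a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)   # shift in one byte at a time
    return value

def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(value):
    bits = f"{value:032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))

def prefix_length(mask):
    """Return the number of leading 1s; reject masks with a 1 after a 0."""
    host_bits = ~mask & 0xFFFFFFFF          # the 0s of the mask, as 1s
    if host_bits & (host_bits + 1):         # zero only for the form 0..01..1
        raise ValueError("netmask 1s are not contiguous")
    return 32 - host_bits.bit_length()

def subnet(ip, mask):
    """Network, broadcast and usable host range for ip under mask."""
    ip_i, mask_i = to_int(ip), to_int(mask)
    prefix = prefix_length(mask_i)
    if prefix > 30:
        raise ValueError("a /31 or /32 has no hosts between network and broadcast")
    network = ip_i & mask_i                          # the bitwise AND
    broadcast = network | (~mask_i & 0xFFFFFFFF)     # host part set to all 1s
    return {"prefix": prefix, "network": to_dotted(network),
            "first": to_dotted(network + 1), "last": to_dotted(broadcast - 1),
            "broadcast": to_dotted(broadcast)}

def same_network(a, b, mask):
    """True when a and b have identical network parts under mask."""
    m = to_int(mask)
    prefix_length(m)                                 # validate the mask first
    return (to_int(a) & m) == (to_int(b) & m)

if __name__ == "__main__":
    ip, mask = "203.14.78.162", "255.255.192.0"      # the worked example's values
    result = subnet(ip, mask)
    for label, v in (("netmask", mask), ("address", ip), ("network", result["network"])):
        print(to_binary(to_int(v)), "<--", label, v)
    print(result)
```

A mask such as 255.0.255.0 is rejected because its 1s are not one unbroken run from the left, which is the property that lets a mask be written as a prefix length like /18.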

The next time you have to answer a question on this topic, try writing it out in binary to double-check your result!
