1) Why are subnet masks needed? 2) Are most subnet masks nonstandard?

Two questions about subnet masks as I’m learning from a book.

First, I don’t get why they’re needed. It sounds like they function to identify which parts of the IP address refer to the subnet and which refer to hosts, and they only get used by routers to decide whether packets should go to the local subnet or get sent up to a wider network. But shouldn’t the router be able to do this by testing whether each octet (byte) of the address matches its own? That is, if only the first octet matches, the subnet mask would have been 255.0.0.0, and so forth. Why isn’t this sufficient?

Second, my book says that 255.0.0.0, 255.255.0.0, and 255.255.255.0 are standard masks, but that most applications use other, nonstandard masks. I’m surprised, as I have seen all of these used but have never seen any others. BTW, I can see why you might want to use a nonstandard mask and how you would do it, and I can accept that systems allow it. My only question is in doubting the statement that most subnet masks include octets other than 255 and 0.


First question: other routers and devices that are not on the same network need to be able to identify the network, for routing purposes etc. The IP address alone is not sufficient. In the early days of class A/B/C networks, it was sufficient - you could work out whether it was a class A, B, or C network just by looking at the first few bits of the address. Which brings us to your second question: these days it is usual to use “classless” IP addressing (in which the boundary between subnet and host address does not necessarily fall on an octet boundary). However, that requires the overhead of a subnet mask, so that you know precisely where the boundary falls. These days, with smaller and/or more efficient address allocations, it is very common to have networks in which the subnet is something other than the first /8, /16 or /24 bits. The 255.0.0.0, 255.255.0.0, and 255.255.255.0 subnet masks mentioned by your book correspond to the old A/B/C classes.
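To make the classful/classless distinction concrete, here is a small sketch (my own example, using only integer bit operations in Python) of how a prefix length maps to a dotted-decimal mask; the /20 case is an illustration of a classless boundary, not something from the thread:

```python
def prefix_to_mask(prefix):
    """Build a dotted-decimal subnet mask from a prefix length (0-32)."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF if prefix else 0
    # Split the 32-bit mask into four octets for display.
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))

# Classful boundaries fall on whole octets...
print(prefix_to_mask(8))   # 255.0.0.0
print(prefix_to_mask(16))  # 255.255.0.0
print(prefix_to_mask(24))  # 255.255.255.0
# ...but a classless prefix such as /20 does not:
print(prefix_to_mask(20))  # 255.255.240.0
```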

Forgive me if this has only gone unmentioned because it’s so obvious, but the benefit is the conservation of IP addresses it allows. Without subnetting, if an organization needed two separate networks with a hundred devices each, they would need two class C networks assigned to them, and over 300 of those 512 addresses would be wasted.

If you’re not locked into using the last eight bits as host bits, and can instead say that the twenty-fifth bit is a network bit, then you can do the same thing with one class C address space and no waste. (Except of course that you can assign fewer devices per network, because you have twice as many network and broadcast addresses.)
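This split can be checked with Python’s standard `ipaddress` module; the 192.0.2.0/24 network below is a documentation example of my own choosing, not an address from the thread:

```python
import ipaddress

# One class C (/24) split at the 25th bit into two /25 subnets.
net = ipaddress.ip_network("192.0.2.0/24")
halves = list(net.subnets(new_prefix=25))
for half in halves:
    # num_addresses counts every address; subtract the network
    # and broadcast addresses to get usable hosts.
    print(half, "usable hosts:", half.num_addresses - 2)
# 192.0.2.0/25 usable hosts: 126
# 192.0.2.128/25 usable hosts: 126
```

126 usable hosts per half is plenty for a hundred devices on each network.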

It’s true that you usually see standard masks, because you’re usually looking at networks that use private address space for internal use only. It just makes it easier if you divide the network and host bits at the octets, because we have grown used to dotted-decimal formatting (x.x.x.x). If you need to design a network efficiently using an assigned range of IP addresses, you are going to mask off the networks non-standardly, for sure.

Ah, thanks - that makes sense.

This reminds me of another thing I was wondering - how did we come to write IP addresses in decimal? I know we use decimal more than hex or binary in general, but IP addresses seem so much clumsier in decimal. Also, it’s not like most people who have to type an IP address also need to do math with them. If you look at them in binary, at least the masks become obvious.

Subnet mask is real simple - when a device has to send a packet to another device on the network, it does an “AND” of the subnet mask and the destination address, and an “AND” of the source (its own) address and the subnet mask.

If the two results (network numbers) are identical then the destination is local; it then uses an ARP broadcast to determine the destination’s ethernet MAC address on the local network.

If the networks are not the same, then the data is sent to the DEFAULT GATEWAY; same process: ARP the default gateway for its MAC address and then send the packets to that MAC address. Then the gateway figures out how to forward the packet where it needs to go, (usually) using routing tables to determine the next hop.
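The AND-and-compare decision described above can be sketched in a few lines of Python; the addresses are my own documentation-range examples, not from the thread:

```python
import ipaddress

def is_local(src, dst, mask):
    """AND both addresses with the mask and compare the network numbers."""
    to_int = lambda a: int(ipaddress.ip_address(a))
    return (to_int(src) & to_int(mask)) == (to_int(dst) & to_int(mask))

# Same /24 network: deliver directly (ARP for the destination's MAC).
print(is_local("192.0.2.10", "192.0.2.99", "255.255.255.0"))   # True
# Different network: hand the packet to the default gateway instead.
print(is_local("192.0.2.10", "198.51.100.7", "255.255.255.0")) # False
```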

In the good old days, when most setups like routing tables were done by hand, it was probably sensible to have Class A, B, or C networks. As you can see from my post above, the subnet algorithm really does not care about nice neat 8-bit boundaries; it works with everything from a 30-bit subnet down to 0 bits. Also, way back in the early days, the idea that we would run out of IPv4 addresses (even with NAT) seemed crazy. However, we are running out.

The concept of wasting 252 addresses to set up a point-to-point IP connection makes no sense. This is why there are /30 subnet addresses, which still waste 2 potential addresses on a point-to-point connection; and for super-ranges, I have seen networks with /22 or /21 where you can have a thousand or two computers on the same subnet. Without such enlarged subnets, either (a) you’d have to subdivide and put expensive routers in the way or (b) waste a class B (65,000 addresses) for a range that needed about 2,000.
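The address counts at both extremes can be verified with `ipaddress`; the particular networks below are illustrative choices of mine, assuming a /30 point-to-point link and a /22 super-range as in the post:

```python
import ipaddress

# A /30 point-to-point link: 4 addresses total
# (network, two hosts, broadcast), so only 2 are usable.
p2p = ipaddress.ip_network("203.0.113.0/30")
print(p2p.num_addresses)      # 4

# A /22 super-range: room for about a thousand hosts on one subnet.
big = ipaddress.ip_network("10.20.0.0/22")
print(big.num_addresses - 2)  # 1022
```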

You’re probably used to seeing subnet masking applied to non-routable private IPs, such as the 192.168.x.x range. In those cases, where the subnet sits behind a NAT, there’s little harm in using a whole Class C chunk, because the address space isn’t visible outside your home. So I’d say that most subnet masks of private IPs are 255.255.255.0.

But in routing actual traffic, you’ll see a bunch of other mask lengths in use. And in large-scale organizations, you’ll see a bunch more still.

I live in an apartment, my cable modem is set to DHCP, and the IP address pushed down from my ISP comes with a .252 (255.255.255.252) subnet mask. (4 addresses max, minus two for the network and broadcast addresses.)

It’s not exactly accurate to call non-octet-boundary subnet masks “nonstandard.” CIDR is a published standard, and any subnet mask from 0 to 32 bits conforms to the standard.

Only three such masks correspond to the old classful subnets, which is an obsolete standard.

Do the binary subnet masks ever look like this, with a region where 0s and 1s are mixed? Something like 11111111.11111111.10101010.00000000?


It would make sense that such a thing could work. I haven’t heard of it, though. Can’t think of reasons to do it this way either.

Then, if subnet masks are always of the form “n 1s followed by (32-n) 0s”, why aren’t they written as a 5 bit number representing n or (32-n)? Humanity stopped counting with multiple parallel lines thousands of years ago, didn’t we?

Not really. The subnet mask is there to delineate a boundary (net/host, used for the forwarding decision described by md2000), and so it has to be contiguous.

Many if not most people will now write address and mask in the form “address”/“number of bits in the subnet mask”, as in 192.168.1.0/24 - meaning the same as 192.168.1.0 with a mask of 255.255.255.0. Lots of equipment will understand that notation as well.
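Python’s `ipaddress` module accepts both notations and treats them as the same network; the 192.0.2.0/24 network is my own example:

```python
import ipaddress

# Slash notation and dotted-mask notation name the same network.
a = ipaddress.ip_network("192.0.2.0/24")
b = ipaddress.ip_network("192.0.2.0/255.255.255.0")
print(a == b)          # True
print(a.with_netmask)  # 192.0.2.0/255.255.255.0
```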

I spent a frustrating couple of hours trying to figure out why a Microsoft Systems Management Server site did not work properly. Some PCs showed up in the site list, but not all. I listed all the working and non-working IP addresses, in binary even. Eventually, in the SMS subnet properties, I saw that the configuring engineer had entered the subnet mask incorrectly.


A simple reset to the correct mask had everything working fine. I never did find out who did the original setup, though. I guess no-one wanted to own up.


No, the standard requires that the network number be some group of leftmost bits, and the node number is the rest.

They are. See CIDR notation. The reason why they’re configured as actual octet strings is that your TCP stack wants to compare the mask to addresses with simple bitwise operators.

In theory you could use non-contiguous binary subnet masks like that, yes. I don’t think it was ever supported in the standards, so it was unlikely to work with anybody else’s implementation. You have to remember that in those days it was a near miracle if any one piece of network equipment communicated successfully with another. Standards were fluid, poorly observed, and largely dictated by the most successful manufacturer of the moment.

But in practice, everybody used contiguous bits for network/host, which meant that the network was indeed the first n bits of the address. This is commonly represented by the slash notation, for example /26, meaning that the first 26 bits of the address are the network address, equivalent to a decimal subnet mask of 255.255.255.192.

The main reason for this - all contiguous 1’s for the subnet - is route aggregation. Let’s say one area is 142.100.x.x and one area is 142.105.x.x and so on. If all the 142’s are through one service provider or one geographical area, then the routing table for the areas around it needs just one entry, how to send packets to 142.x.x.x, rather than 256 entries on how to route to 142.000.x.x through 142.255.x.x. About 15 or 20 years ago the big push was to consolidate address spaces to make routing tables smaller.
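The 256-entries-into-one consolidation can be demonstrated with `ipaddress.collapse_addresses`, which merges adjacent networks into supernets (the 142.x addressing follows the post’s example):

```python
import ipaddress

# 256 adjacent /16 networks (142.0.x.x through 142.255.x.x)
# collapse into a single /8 routing-table entry.
routes = [ipaddress.ip_network(f"142.{i}.0.0/16") for i in range(256)]
aggregated = list(ipaddress.collapse_addresses(routes))
print(aggregated)  # [IPv4Network('142.0.0.0/8')]
```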

No matter how you arrange the subnet mask, anything from a scrambled 10101010101010001110000000000000 to a contiguous 11111111100000000000000000000000 will work if the algorithm is implemented properly. It’s just confusing to humans if the network number is arbitrary, and you could own, say, 142.97.1.x, 142.98.1.x, 142.99.1.x, and so on. You can still only have one of each address on the internet. It just makes consolidating routes difficult and makes keeping track of who owns what addresses more complicated.

So: network first, host range second…