What Is Subnet mask in Networking?
Also known as: subnet mask, subnet mask definition, what is a subnet mask, subnet mask explained, subnet mask for beginners
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
A subnet mask works like a filter for an IP address, helping routers and computers decide whether an IP address is on the same local network or a different one. It is written as four numbers separated by dots, like 255.255.255.0. By comparing the mask with the IP address, devices know if they should send data directly to a neighbor or forward it through a router. Understanding subnet masks is essential for setting up networks, configuring devices, and passing IT certification exams.
Common Commands & Configuration
ipconfig /allDisplays the subnet mask along with IP address, default gateway, and other network configuration details for all network interfaces on Windows.
Exams like Network+ and Security+ test your ability to interpret the subnet mask from this output to determine network size and address class.
ifconfigShows the subnet mask (often as netmask) for each interface on Linux/Unix systems, typically in dotted decimal or hex format.
CCNA and Linux+ questions may ask you to parse ifconfig output to identify the subnet mask and calculate broadcast address or usable host range.
ip addr showDisplays IP addresses and subnet masks in CIDR notation (e.g., 192.168.1.1/24) for all interfaces on modern Linux systems.
AWS SAA and Google ACE exams test understanding of VPC subnet masks using CIDR notation from this command to verify network segmentation.
show ip interface briefOn Cisco devices, displays a summary of interfaces with IP addresses and subnet masks in dotted decimal form (e.g., 255.255.255.0).
CCNA exam frequently uses this command to assess knowledge of subnet mask configuration on router interfaces and its impact on routing table.
show running-config | include ip addressDisplays the configured IP address and subnet mask on Cisco interfaces from the running configuration.
Used in CCNA and Network+ to verify subnet mask consistency and identify misconfigurations that cause connectivity issues.
netsh interface ipv4 show subinterfaceLists subnet masks for all IPv4 interfaces in Windows, useful for troubleshooting advanced network configurations.
AZ-104 and Network+ may test this command when diagnosing misaligned subnet masks in hybrid or Azure-connected networks.
ip route show | grep -E 'kernel|unicast'Shows routing table with subnet masks; used to verify that routes match the correct subnet mask for destination networks on Linux.
AWS SAA and Google ACE exams often test the relationship between subnet masks and route summarization in VPC route tables.
Subnet mask appears directly in 146exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →
Must Know for Exams
Subnet masks appear in nearly every major IT certification exam because they are fundamental to IP networking. In CompTIA Network+ (N10-008), exam objective 1.4 requires you to explain the characteristics of subnetting and calculate subnet masks. Questions may ask you to determine the number of hosts per subnet given a mask, or to choose the correct mask for a network with a specific number of devices. The test often includes scenario-based questions where you must identify why a device cannot communicate, and the answer frequently involves an incorrect mask.
In the Cisco Certified Network Associate (CCNA 200-301) exam, subnetting is a core skill. Objective 1.6 covers configuring and verifying IPv4 addressing and subnetting. You will be expected to quickly compute network addresses, broadcast addresses, and usable host ranges for given IP addresses and subnet masks. CCNA questions can be complex: they may present a network diagram and ask you to select the correct subnet mask to satisfy a requirement like "400 hosts in this subnet" or "at least 10 subnets." VLSM, route summarization, and CIDR notation are all tested.
For cloud certifications, such as AWS Solutions Architect Associate (SAA-C03) and Azure Administrator (AZ-104), subnet masks are used in designing virtual networks. In AWS, you must choose CIDR blocks for your VPC and subnets when launching resources like EC2 instances and RDS databases. The exam asks you to select appropriate subnet sizes to avoid overlapping with other networks when connecting via VPN or Direct Connect. In Azure, you must plan virtual network address spaces and subnets, and you need to understand how subnet masks affect routing between subnets and to on-premises networks.
CompTIA Security+ (SY0-601) includes subnetting in the context of network segmentation (objective 3.2). You need to know how subnet masks create boundaries that can be enforced with firewalls and ACLs. Exam questions may ask which subnet mask creates the smallest broadcast domain, or which segmentation strategy best isolates sensitive data. Google Associate Cloud Engineer (ACE) also covers VPC subnet creation and requires understanding of CIDR blocks.
The A+ core exams (220-1101 and 220-1102) cover subnet masks more briefly, but they appear in networking objectives related to configuring a SOHO router. You may be asked to explain the purpose of a subnet mask or to identify the correct mask for a given scenario. Overall, across all these exams, the weight of subnetting questions is significant, and a deep understanding of subnet masks is a prerequisite for scoring well.
Simple Meaning
Imagine you live in a large apartment building with many floors and many rooms. The full address of your apartment is something like "123 Main Street, Building A, Floor 3, Room 7." The street name and building number are like the network part of an IP address-they tell the mail carrier which building to go to. The floor and room numbers are like the host part-they tell the mail carrier exactly which apartment is yours.
A subnet mask is like a rule that tells the mail carrier how to split your address. It says, "The first part up to the building number is the network; the rest is the specific apartment." For example, if your mask says 255.255.255.0, it means the first three numbers (123.0.0.0) are the building location, and the last number (the 0) is your room. If the mask were 255.255.0.0, then only the first two numbers would be the building location, and the last two numbers would be the room. The mask determines how large or small the neighborhood is.
In networking, every device on the internet or a local network has an IP address, like 192.168.1.10. The subnet mask tells that device: "Your network is everything that starts with 192.168.1, and any device with an address starting the same way is your neighbor." If you want to send a message to 192.168.1.20, the mask says you can send it directly because it's in the same neighborhood. If you try to reach 192.168.2.10, the mask says that's a different neighborhood, so you must send the message to the router (like a post office) to forward it.
A helpful way to think about it is like a club membership card. The membership card (the subnet mask) tells you whether someone is a member of your club (same network) or not. Members can talk directly; non-members need to go through a gatekeeper (the router). The card is not the same as the person's name (the IP address), but it tells you how to interpret that name to check membership.
Every IT professional must grasp this idea because subnet masks are used every day. When you plug a computer into a network, it uses the subnet mask to figure out its local neighbors. When a router forwards traffic across the internet, it uses subnet masks to decide which path to take. Mistakes with subnet masks can break connectivity, making devices unable to reach the internet or each other. By understanding this simple "neighborhood boundary" concept, you can troubleshoot issues, design networks, and confidently answer exam questions.
Full Technical Definition
A subnet mask is a 32-bit binary number used in Internet Protocol (IP) networking to divide an IP address into two logical parts: the network identifier and the host identifier. In IPv4, IP addresses are 32 bits long, and the subnet mask determines how many of those bits belong to the network portion and how many belong to the host portion. This division is fundamental to routing-routers use the network portion to forward packets toward the correct destination network, while the host portion identifies a specific interface on that network.
The subnet mask is expressed in dotted-decimal notation, similar to an IP address, for example 255.255.255.0. In binary, this mask appears as 11111111.11111111.11111111.00000000. The bits set to 1 (the ones) represent the network portion, and the bits set to 0 represent the host portion. The boundary between ones and zeros is always contiguous; there is no valid subnet mask that has a mixture of ones and zeros after the boundary. This rule is required for proper classification and routing.
The subnet mask is associated with every IP interface on a device. When a host wants to send a packet to another IP address, it performs a logical AND operation between its own IP address and its subnet mask, creating its network address. For example, if a host has IP 192.168.1.10 (binary: 11000000.10101000.00000001.00001010) and subnet mask 255.255.255.0 (binary: 11111111.11111111.11111111.00000000), the result of the AND is 192.168.1.0 (binary: 11000000.10101000.00000001.00000000). This is the network address. The host then performs the same AND operation on the destination IP address. If both results match, the destination is on the same local network, and the host can send the packet directly using ARP (Address Resolution Protocol) to find the destination MAC address. If they do not match, the host sends the packet to its configured default gateway (a router) for onward delivery.
Subnet masks are also used in Classless Inter-Domain Routing (CIDR), which replaced the older classful addressing system (Class A, B, C). In CIDR, subnet masks can be written using a prefix length notation, such as /24 for 255.255.255.0, because the prefix length indicates the number of network bits. For example, 192.168.1.0/24 means the network address is 192.168.1.0, and the subnet mask has 24 bits set to 1. This notation is more flexible than traditional classful masks and allows variable-length subnet masking (VLSM), where different subnets in the same network can have different mask lengths (and thus different sizes). VLSM is critical for efficient IP address utilization in modern networks.
In IP subnetting, the subnet mask also defines the broadcast address, which is the address where all host bits are set to 1. For the network 192.168.1.0/24, the broadcast address is 192.168.1.255. Sending a packet to this address reaches all hosts on that subnet. The range of usable host addresses is between the network address (all host bits 0) and the broadcast address (all host bits 1), exclusive. So in a /24, usable IPs are from 192.168.1.1 to 192.168.1.254.
In IT certification contexts, subnet masks appear in configuration tasks for routers and switches (e.g., Cisco IOS, Azure virtual networks, AWS VPCs), in troubleshooting steps (using ipconfig, ifconfig, or netsh), and in routing table analysis. Understanding how subnet masks influence routing decisions, ACL behavior, and network segmentation is essential for roles in network administration, cloud engineering, and cybersecurity. Each certification exam, from CompTIA Network+ to CCNA, AWS SAA, and Azure AZ-104, tests the ability to compute, apply, and interpret subnet masks.
Real-Life Example
Think of a large city with a postal system. Every house has a unique address, like "1234 Oak Street." The street name is like the network part of an IP address, and the house number is the host part. The city's postal system has a rule that defines how many parts of the address are the street name and how many are the house number. This rule is the subnet mask.
Now, imagine you live at 1234 Oak Street, and your friend lives at 1240 Oak Street. The postal rule (subnet mask) says that the street name is "Oak Street" and the house number is the last part. So both addresses share the same street-they are on the same local network. You can walk next door and hand-deliver a letter directly without going to the post office. This is like sending a packet directly to a neighbor on the same subnet.
But suppose your cousin lives at 5678 Pine Avenue. The rule says that "Pine Avenue" is a different street. To send a letter, you must put it in a mailbox, and the mail carrier (the router) picks it up and delivers it to the other street. The mail carrier looks at the street name (the network portion) and knows that Pine Avenue is not Oak Street, so it forwards the letter through the postal sorting system. This is exactly what a router does when it sees that the destination IP is on a different subnet.
Now, suppose the city decides to change the rule. They say that instead of the street name being the first part, they make the rule shorter: the street name now only includes the first two letters of the street name, like "Oa" for Oak Street. Now all houses that start with "Oa" in their street name are considered the same neighborhood. This would turn many different streets into one giant neighborhood-reducing the number of neighborhoods but making each one much larger. This is like changing a subnet mask to have fewer 1 bits (like /16 instead of /24), which creates fewer but larger subnets.
Another example: You are organizing a large office building. Floors are like subnets. On floor 1, you have rooms 101 to 120 (20 people). On floor 2, you have rooms 201 to 230 (30 people). The floor number is like the network portion, and the room number is the host portion. The subnet mask (floor boundary) tells people whether they can walk directly to another room on the same floor or if they need to take the elevator (the router) to a different floor. If the building management changes the floor boundaries-for instance, merging floors 1 and 2 into one big floor-then the mask changes, and now everyone can walk directly within that larger space.
This analogy maps perfectly to IT: the subnet mask controls the size of the local broadcast domain and determines where routing is needed. Understanding this helps network engineers design efficient networks that minimize unnecessary router traffic while allowing enough hosts per subnet for growth.
Why This Term Matters
The subnet mask is a core concept that affects nearly every part of IP networking. Without it, devices would not know whether a destination is local or remote, making it impossible to decide whether to send a packet directly or forward it to a router. This decision is made every time a device communicates-whether you are browsing the web, sending an email, or streaming video. A misconfigured subnet mask can cause a device to think a server is on the same local network when it is not, leading to failed connections because the device tries to reach it directly instead of through the router. Conversely, it can cause a device to send all traffic to the router even when the destination is local, unnecessarily burdening the router and adding latency.
In practical IT work, subnet masks are configured on every network interface. When setting up a small office network, you assign a subnet mask to the router’s LAN interface and to each computer. The mask impacts IP address allocation: choose a mask that is too small, and you run out of addresses as the office grows; choose one too large, and you waste addresses and increase broadcast traffic. In cloud environments like AWS or Azure, subnet masks define the size of Virtual Private Cloud (VPC) subnets, and you must plan your CIDR blocks carefully to accommodate future workloads and avoid overlap with on-premises networks when setting up VPNs or Direct Connect.
Subnet masks also affect security. A firewall or access control list (ACL) often uses the subnet mask to define a range of IP addresses. For example, allowing traffic from 192.168.1.0/24 permits the whole subnet. Misunderstanding the mask could lead to allowing too broad a range, creating a security risk, or too narrow, blocking legitimate traffic. Network segmentation using subnets and proper masks is a fundamental security practice-it isolates sensitive systems from general user traffic.
Finally, for troubleshooting, the subnet mask is one of the first things to check. When a user cannot reach the internet but can reach local devices, the mask or gateway is often misconfigured. Tools like ipconfig, ifconfig, and nmcli display the subnet mask, and understanding it helps you diagnose whether the device's network boundary is set correctly. In all these ways, the subnet mask is a small but mighty concept that no IT professional can afford to ignore.
How It Appears in Exam Questions
Subnet mask questions appear in multiple formats across certification exams. The most common type is the direct calculation question. For example: "Given the IP address 192.168.1.45 and subnet mask 255.255.255.192, what is the network address?" The candidate must perform the binary AND operation or use the shortcut of observing the subnet increment (/26 = 64). The answer is 192.168.1.0. Another variant: "How many usable host addresses are available in a /28 subnet?" The answer is 14 (2^(32-28) - 2).
Scenario-based questions are also frequent. A typical question: "A network administrator needs to create subnets for five departments. Each department requires at least 30 hosts. The network is 192.168.1.0/24. Which subnet mask should be used to maximize the number of subnets while meeting the host requirement?" The candidate must calculate that a /27 mask (255.255.255.224) provides 30 usable hosts per subnet and allows up to 8 subnets, meeting the requirement.
Configuration and troubleshooting questions are common in CCNA and cloud exams. For example: "A technician configures a router interface with IP 10.1.1.1 and mask 255.255.255.0. The connected devices are using mask 255.255.254.0. Why can some hosts not communicate with the router?" The answer is that the hosts think the network address is 10.1.0.0 but the router’s interface is on 10.1.1.0, causing confusion about which is the same subnet. Another question: "In an AWS VPC, you have a subnet 10.0.1.0/24. You need to add a subnet for a new application that requires 200 hosts. Which of the following CIDR blocks is appropriate?" The correct answer would be 10.0.2.0/24, which provides 254 hosts.
In Security+ and Network+, questions often involve ACLs: "A firewall rule allows traffic from 192.168.0.0/20. Which IP addresses are permitted?" The candidate must understand that the /20 mask covers 192.168.0.0 through 192.168.15.255. Another pattern: "Two devices have IPs 172.16.5.10/24 and 172.16.6.10/24. Can they communicate directly?" The answer is no because they are on different networks (172.16.5.0 vs 172.16.6.0), even though the masks are the same.
Finally, some exams present subnet mask questions within routing table analysis. A routing table entry might read: "192.168.0.0/16 via 10.0.0.1." The candidate must determine which destination IPs match this route. These questions test both calculation and conceptual understanding.
Practise Subnet mask Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are setting up a small office network for a startup with 15 employees. The internet service provider gives you a public IP range, but for the local network, you decide to use the private IP range 192.168.1.0/24. This means your subnet mask is 255.255.255.0, and your network has 254 usable IP addresses (192.168.1.1 to 192.168.1.254), which is more than enough for 15 employees.
You configure the office router with LAN IP 192.168.1.1 and mask 255.255.255.0. All computers get IP addresses from the router’s DHCP server in the same range. Every computer can reach the router and each other because they are all on the same subnet. File sharing works without needing to go through the router. The internet is accessible through the router’s default gateway.
Now, one year later, the company grows to 50 employees. Still fine with /24 providing 254 addresses. But then you acquire a second office in the same building, and you want to logically separate the two teams for security. You could create two subnets: Office1 using 192.168.1.0/25 (subnet mask 255.255.255.128, providing 126 usable IPs) and Office2 using 192.168.1.128/25 (also 126 usable IPs). You configure the router with two LAN interfaces (or a VLAN) each with its own subnet. Now devices in Office1 cannot directly reach devices in Office2 without passing through the router, which can enforce firewall rules. This is why subnet masks matter-they allow you to split a larger network into smaller, manageable, and secure segments.
In this scenario, if you accidentally used /24 for both, the router would see them as the same network and would not route between them, breaking your security goal. Conversely, if you used /26 (62 usable IPs each), you might run out of addresses in one office as it grows. This illustrates why planning subnet masks based on current and future needs is a critical IT skill.
Common Mistakes
Thinking the subnet mask is part of the IP address.
The subnet mask is a separate parameter that defines how to interpret the IP address. The IP address itself does not contain the mask. Devices need both the IP and the mask to determine the network boundary.
Always treat the subnet mask as a separate network setting, not as part of the IP address string. When writing an IP with CIDR notation (e.g., 192.168.1.10/24), the /24 is the mask, not the IP.
Assuming all addresses in a subnet are valid for hosts.
Each subnet has two reserved addresses: the network address (all host bits 0) and the broadcast address (all host bits 1). These cannot be assigned to devices. For example, in a /24, .0 and .255 are reserved.
Always subtract 2 from the total number of addresses to get the usable host count. The network address identifies the subnet, and the broadcast address is used to send packets to all hosts.
Using a subnet mask with a non-contiguous binary pattern (e.g., 255.255.255.254).
Valid subnet masks must have all 1 bits contiguous on the left, then all 0 bits. 255.255.255.254 in binary is 11111111.11111111.11111111.11111110, which has a 0 in the last bit but then no more bits-this is actually a /31 mask, which is valid and contiguous. However, masks like 255.255.255.192 are valid, but 255.255.255.16 is invalid because it would be 11111111.11111111.11111111.00010000-not contiguous. Some novices mistakenly create custom masks from decimal numbers without checking binary contiguity.
Always convert the subnet mask to binary to verify that the ones are contiguous from the left. If you see a pattern like 0 followed by 1, the mask is invalid.
Confusing subnet mask with wildcard mask (used in ACLs).
Wildcard masks are the inverse of subnet masks. For a subnet mask of 255.255.255.0, the wildcard mask is 0.0.0.255. Using a subnet mask in an ACL in place of a wildcard mask will cause the ACL to match the wrong addresses.
Remember that subnet masks have 1s in the network part; wildcard masks have 0s for the part that must match exactly. Calculate the wildcard mask as 255.255.255.255 minus the subnet mask.
Forgetting that the subnet mask affects routing decisions, not just local host communication.
Routers use subnet masks in their routing tables to determine the network portion of a destination IP. If you manually configure a route with the wrong mask, the router may not forward traffic correctly, potentially causing black holes or sending traffic to the wrong interface.
When adding static routes, ensure the subnet mask matches the network's actual mask. Use CIDR notation to avoid confusion. Double-check routing table entries after configuration.
Assuming that a /24 mask always means the third octet changes.
A /24 mask always has the first three octets for the network, but the actual network address depends on the IP. For example, 10.0.0.0/24 has a network range of 10.0.0.0 to 10.0.0.255, while 10.0.5.0/24 ranges to 10.0.5.255. The mask only sets the boundary; the specific IP determines the actual network.
Remember that the subnet mask defines how many bits are fixed, but the value of those bits comes from the IP address. Always calculate the network address by ANDing the IP with the mask.
Exam Trap — Don't Get Fooled
{"trap":"A question presents an IP address like 192.168.1.0/24 and asks for the broadcast address. Some learners might answer 192.168.1.0, confusing the network address with the broadcast address."
,"why_learners_choose_it":"They see .0 and think it is the beginning or the end, not realizing that .0 is the network address, not broadcast. In some contexts, beginners think broadcast is always .
255, but they may see .0 and think it is the broadcast because they misremember which is reserved.","how_to_avoid_it":"Always remember that the network address has all host bits set to 0, and the broadcast address has all host bits set to 1.
For a /24, the host portion is the last octet, so .00000000 (0) is network, .11111111 (255) is broadcast. Practice converting the subnet mask to binary and identifying the host bits.
Use a systematic approach: write the network address, then set all host bits to 1 for the broadcast."
Commonly Confused With
An IP address identifies a specific device on a network, while a subnet mask identifies the network boundary. The IP address is like a house number; the subnet mask tells you what street it belongs to. Without the mask, the IP address alone cannot tell if two devices are neighbors.
192.168.1.10 is an IP address. With mask 255.255.255.0, it belongs to network 192.168.1.0. With mask 255.255.0.0, it belongs to network 192.168.0.0.
The default gateway is the IP address of the router that a device uses to send traffic to other networks. The subnet mask determines what is 'other networks.' If the mask is wrong, the device might try to send remote traffic directly instead of to the gateway.
A host with IP 10.0.1.5/24 and default gateway 10.0.1.1 sends traffic to 10.0.2.5 via the gateway because the /24 mask shows that 10.0.2.0 is a different network.
A wildcard mask is used in ACLs and OSPF to specify which bits of an IP address must match (0) and which can vary (1). It is the inverse of a subnet mask. For example, a subnet mask of 255.255.255.0 (/24) corresponds to a wildcard mask of 0.0.0.255. Confusing the two will cause ACLs to match wrong addresses.
To permit traffic from 192.168.1.0/24 using an ACL, you use 192.168.1.0 with wildcard mask 0.0.0.255, not 255.255.255.0.
CIDR notation (e.g., /24) is a shorthand for the subnet mask. It counts the number of consecutive 1 bits in the mask. So /24 is equivalent to 255.255.255.0. The difference is only in representation, not function.
Writing 10.0.0.0/16 is the same as writing 10.0.0.0 with mask 255.255.0.0. Both mean the network has 16 network bits.
The network address is the result of applying the subnet mask to an IP address. It identifies the subnet itself and cannot be assigned to a host. The subnet mask is the tool used to derive the network address.
For IP 192.168.1.10/24, the network address is 192.168.1.0. The subnet mask (255.255.255.0) is the tool that helps compute this.
Step-by-Step Breakdown
Understand the purpose of a subnet mask
The subnet mask tells network devices which part of an IP address belongs to the network and which part belongs to the host. This is essential because devices use this information to decide if a destination is local or remote, which determines how they send data.
Convert the subnet mask to binary
Write the subnet mask as a 32-bit binary number. For example, 255.255.255.0 becomes 11111111.11111111.11111111.00000000. All bits set to 1 indicate the network portion, and bits set to 0 indicate the host portion. The boundary between ones and zeros must be contiguous.
Determine the IP address in binary
Convert the IP address to binary as well. For example, 192.168.1.10 becomes 11000000.10101000.00000001.00001010. This binary form is used in the next step to compute the network address.
Perform the AND operation
Compare each bit of the IP address with the corresponding bit of the subnet mask. The result (network address) has 1 only where both bits are 1. Using the example: IP (11000000.10101000.00000001.00001010) AND mask (11111111.11111111.11111111.00000000) yields 11000000.10101000.00000001.00000000, which is 192.168.1.0.
Identify the network address and broadcast address
The result from step 4 is the network address. The broadcast address is derived by setting all host bits to 1. In a /24, that means setting the last 8 bits to all 1s: 192.168.1.255. The usable host addresses are those between these two, exclusive.
Calculate the number of hosts
The number of host bits is 32 minus the prefix length. For /24, that is 8 host bits. Total addresses = 2^8 = 256. Subtract 2 for network and broadcast addresses: 254 usable host addresses. This step is critical for planning network capacity.
Apply in a configuration context
When configuring a device, you enter the IP address and subnet mask. The device uses the mask to automatically compute its network address and default gateway expectations. For example, on a Cisco router: interface GigabitEthernet0/0, ip address 192.168.1.1 255.255.255.0. This sets the interface on network 192.168.1.0/24.
Verify communication using subnet mask
Use commands like ipconfig (Windows) or ifconfig (Linux) to check the subnet mask on a host. If the mask is wrong, the host may not communicate correctly. For example, if a host with IP 192.168.1.10 is given mask 255.255.0.0 instead of 255.255.255.0, it will consider 192.168.2.x as local and try to send directly, failing.
Practical Mini-Lesson
Subnet masks are a daily tool for network administrators, cloud architects, and security professionals. In practice, you will encounter subnet masks in multiple contexts: configuring interfaces, designing IP plans, setting up DHCP scopes, and troubleshooting connectivity.
When configuring a network device, you always specify the subnet mask along with the IP address. On a Linux server, you might use 'ip addr add 10.0.0.10/24 dev eth0'. The /24 tells the kernel that this interface is on network 10.0.0.0, and any traffic to 10.0.0.x is considered local. Traffic to 10.0.1.x must go to the default gateway. This decision is made by the kernel's routing stack, and the subnet mask is the key parameter.
In larger networks, you need to plan subnets using VLSM. For example, you have a network 172.16.0.0/16, and you need subnets for different departments: Sales needs 500 hosts, Engineering needs 1000 hosts, and Management needs 50 hosts. Using a fixed mask for all subnets is inefficient. With VLSM, you assign a /23 (510 usable hosts) to Sales, a /22 (1022 usable hosts) to Engineering, and a /26 (62 usable hosts) to Management. This conserves addresses and allows growth. This is a core skill tested in CCNA and cloud exams.
One common issue in practice is misconfiguration of subnet masks on routers or firewalls, causing asymmetric routing or connectivity loss. For instance, if a router's interface has a /24 mask but the devices on that segment use /23, the router will think its network is 192.168.1.0/24, while the hosts think it is 192.168.0.0/23. The router will not reply to ARP requests for addresses in the .0.0 range, causing failures. To diagnose, you check the interface configuration with 'show running-config' on Cisco or 'ip addr show' on Linux.
Professionals must also understand how subnet masks interact with routing protocols. When OSPF advertises a route, it includes the subnet mask. If the mask is incorrect, the receiving router may install a route with the wrong prefix length, causing suboptimal or broken routing. Similarly, in BGP, the prefix length defines reachability.
In cloud environments like AWS, you must choose CIDR blocks for VPCs and subnets. AWS reserves the first four and last one IP addresses in each subnet (e.g., for a /24, .0, .1, .2, .3, .255 are reserved). So your subnet mask must be selected to allow enough usable IPs for your resources. A common mistake is selecting a /28 (16 total, but only 11 usable after AWS reservations) when fewer than 11 hosts are needed. Understanding this nuance is essential for AWS Solutions Architect and Azure Administrator exams.
What can go wrong? A wrong subnet mask can cause a device to think it is on a different network, leading to inability to reach the default gateway. For example, assigning 255.255.255.0 instead of 255.255.254.0 to a host with IP 192.168.1.10 will make it believe its network is 192.168.1.0, but if the gateway is on 192.168.0.1, the host will not see the gateway as local and will not send ARP. The fix is to correct the mask. Always double-check subnet masks during troubleshooting, especially after DHCP scope changes or manual configuration.
Troubleshooting Clues
Mismatched subnet mask between devices on same segment
Symptom: Devices cannot communicate despite being on the same IP network and connected to the same switch.
If Device A uses /24 (255.255.255.0) and Device B uses /25 (255.255.255.128), they interpret the network boundary differently, causing ARP failures and unreachable destinations.
Exam clue: CCNA and Network+ questions often present two IPs with different subnet masks and ask why they cannot ping each other.
Incorrect subnet mask causing broadcast address miscalculation
Symptom: Broadcast traffic (e.g., DHCP discovery) fails to reach all hosts; some hosts do not receive broadcasts.
A subnet mask that does not match the actual network segment results in incorrect broadcast address calculation; hosts with different masks compute different broadcast IPs.
Exam clue: Security+ and CCNA may test this by giving an IP and mask and asking for the correct broadcast address, or identifying why broadcasts don't propagate.
Subnet mask too large causing overlapping subnets
Symptom: Routing loops or duplicate IP conflicts; traffic intended for one subnet reaches another.
Using a /16 mask instead of /24 on a router interface makes the interface claim ownership of a larger address range, overlapping with other subnets in the same network.
Exam clue: AWS SAA and AZ-104 questions test this with VPC subnet CIDR overlaps, asking how to avoid or detect them.
Host cannot reach internet due to incorrect default gateway mask
Symptom: Internal LAN works, but internet access fails; default gateway is unreachable from host.
If the host's subnet mask does not match the gateway's subnet mask, the host may believe the gateway is on a different network, so it never sends traffic to it.
Exam clue: Network+ and Google ACE exams provide a scenario where a host has the correct IP but wrong mask, and ask why the default gateway is not reachable.
Subnet mask missing or zeroed out in DHCP lease
Symptom: Client receives IP address but no subnet mask; network detection fails and host uses default /8 or /16 incorrectly.
DHCP server misconfiguration (e.g., missing option 1) delivers an IP without a subnet mask; client OS defaults may cause incorrect routing decisions.
Exam clue: Security+ and CCNA test this with DHCP option definitions; a question might show a lease output missing the mask and ask about the symptom.
VLSM (Variable Length Subnet Mask) misalignment in OSPF area
Symptom: OSPF neighbors form but routes are not exchanged properly or flapping occurs.
OSPF expects consistent subnet masks within an area; mismatched VLSM can cause LSDB inconsistencies and route suppression.
Exam clue: CCNA exam questions often require identifying VLSM conflicts in OSPF configurations and proposing correct masks.
Subnet mask conflict with network address assignment
Symptom: Router rejects IP configuration on an interface with error 'overlaps with another interface'.
Assigning an IP with a subnet mask that causes overlap with an existing directly connected subnet triggers a validation error in router OS (e.g., Cisco IOS).
Exam clue: CCNA and Network+ lab simulations may include this error; the technician must choose a non-overlapping mask or IP.
Memory Tip
Think of the subnet mask as a cookie cutter: the IP address is the dough, the mask determines the shape (network boundary) of the cookie you cut out.
Learn This Topic Fully
This glossary page explains what Subnet mask means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →AZ-104AZ-104 →200-301Cisco CCNA →N10-009CompTIA Network+ →ACEGoogle ACE →SAA-C03SAA-C03 →220-1101CompTIA A+ Core 1 →PCAGoogle PCA →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)SY0-601SY0-701(current version)Related Glossary Terms
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Quick Knowledge Check
1.A host has IP address 192.168.10.35 with subnet mask 255.255.255.224. What is the network address?
2.Two devices on the same VLAN have IPs 10.0.1.5/24 and 10.0.1.6/25. Why can't they communicate?
3.A network engineer configures a Cisco router interface with 'ip address 172.16.0.1 255.240.0.0'. What is the wildcard mask for this subnet?
4.In AWS VPC, you create a subnet with CIDR 10.0.2.0/24. How many usable IP addresses does this provide?
5.Which subnet mask would allow 30 hosts per subnet with minimal waste in a 192.168.1.0/24 network?
Summary
The subnet mask is a fundamental building block of IPv4 networking that determines how an IP address is divided into a network identifier and a host identifier. Without it, devices cannot make the critical decision of whether a destination is local or remote, which is essential for efficient and correct data delivery. In practice, the subnet mask is used in every network configuration, from small office networks to large cloud infrastructures.
It enables network segmentation, improves security, reduces broadcast traffic, and allows for efficient use of IP address space. For IT certification exams like CompTIA Network+, CCNA, AWS Solutions Architect, and Azure Administrator, understanding subnet masks is non-negotiable. You must be able to calculate network addresses, broadcast addresses, and usable host ranges, and apply this knowledge to real-world scenarios and troubleshooting.
Mastering the subnet mask will not only help you pass your exams but will also make you a more competent and confident network professional in the field. Remember that the subnet mask is a binary mask that you apply to an IP address, not an address itself, and that the number of ones in the mask defines the size of the network. Keep practicing with different subnet masks, and the concept will become second nature.