What is a subnet mask? Why it matters for your network

Every device on a network needs a way to know where information should go. Without clear rules, data would move blindly, causing confusion and slowdowns. Subnet masks are one of the tools that make networks run smoothly, helping to organize connections and keep traffic flowing where it should.

In this guide, you’ll learn why subnet masks matter for both performance and security, how to find yours on any device, and what different mask values mean in practice. We’ll also explore advanced concepts like CIDR notation and IPv6 subnetting, giving you the context you need to understand how networks are structured today.

What is a subnet mask?

A subnet mask is a numerical pattern to determine which portion of an IP address refers to the network and which refers to the device (host).

When aligned with an IP address bit by bit, the subnet mask helps devices decide which addresses are “local” (on the same subnet) and which must be reached via a router.

In IPv4, the subnet mask is a 32-bit value typically shown in dotted-decimal form. While IPv6 addressing uses 128 binary bits, IPv4 remains the most widely used format today and is generally easier to understand, so this guide focuses primarily on IPv4 examples.

Learn more in our guide to IPv4 vs. IPv6.

Basic structure of subnet masks

A subnet mask in IPv4 is a 32-bit number made up of a continuous string of ones (1) followed by zeros (0), with the ones marking the network bits and the zeros marking the host bits.

For example, the mask 255.255.255.0 corresponds to the binary pattern 11111111.11111111.11111111.00000000. That’s 24 ones followed by 8 zeros, so the first 24 bits identify the network and the final 8 bits identify the hosts.

For a subnet mask to be valid, all its 1s must appear together at the start, followed by 0s at the end, with no mixing between them. This pattern ensures a clear boundary between the network and host portions of an IP address.

This consistent format makes it possible to write subnet masks in both binary and dotted-decimal notation and ensures devices can quickly distinguish between network addresses and host addresses.

Dotted decimal vs. binary representation

Subnet masks can be written in two forms: binary and dotted decimal. Computers process them in binary, but that notation is long and difficult for people to read. To make it easier, the same 32 binary bits are grouped into four blocks of eight and shown in decimal numbers separated by periods.

Each bit within an octet has a weight: 128, 64, 32, 16, 8, 4, 2, and 1. To convert binary to dotted decimal, you add the values of the positions marked with a 1. For example, the binary string 11111111.11111111.11111111.00000000 becomes 255.255.255.0 in dotted-decimal form. Both formats mean the same thing; the dotted decimal is just a human-friendly way to write what the system uses.

Subnets vs. subnet masks

A subnet mask and a subnet are related, but they’re not the same thing. The subnet mask is the numerical value that tells a device where to split an IP address into network and host parts. It’s the instruction that guides the division.

A subnet is a smaller, logical section of a larger network, defined by applying a subnet mask to an IP address. For example, with the IP address 192.168.123.132 and the subnet mask 255.255.255.0, the first 24 bits (192.168.123) define the network part, and the last 8 bits (.132) identify the host within that subnet. This means the address belongs to the 192.168.123.0 subnet, with .132 as its unique host.

Put simply, the subnet mask defines the boundary, and the subnet is the network that exists within it.

What is the purpose of a subnet mask?

A subnet mask’s job is to tell devices which part of an IP address belongs to the network and which part identifies a specific device (host). By doing so, it helps devices decide whether communication can stay local (within the same subnet) or must be routed through a gateway.

Using subnet masks, networks can be sliced into smaller segments, or subnets, which makes routing more efficient, traffic lighter, and network management easier. Subnet masks reduce unnecessary broadcast traffic, help isolate segments for security, and clarify the path data should take to reach its destination.

How subnetting improves network performance

Subnetting makes networks faster and easier to manage by reducing unnecessary traffic. When a large network is divided into smaller subnets, devices within each subnet communicate directly with one another, keeping that local traffic contained instead of sending it across the entire network.

Subnetting also supports route summarization, which means routers can advertise one summarized route instead of multiple individual ones. This reduces the number of entries each router needs to store and check, making routing tables smaller and faster to process. As a result, lookups take less time, and the overall network becomes more scalable. The combination of smaller broadcast domains and simplified routing leads to smoother performance across the network.

Benefits of network segmentation

Breaking up a network into smaller segments does more than keep it organized; it has direct effects on speed, management, and compliance. Subnetting keeps local traffic where it belongs, reduces unnecessary congestion, and gives administrators finer control over how information flows.

Key benefits include:

• Reduced congestion and better performance: Local traffic stays inside its own subnet, which prevents unnecessary broadcasts from slowing down the whole network.
• Stronger security and isolation: Each subnet limits internal access and helps contain potential threats within its boundaries. This is a concept that aligns with zero trust principles, which emphasize verifying every connection rather than assuming trust within a network.
• Better visibility and access control: Admins can apply specific rules to each subnet and monitor activity more precisely than in one large network.
• Regulatory and compliance advantages: Sensitive systems can be kept in dedicated segments, so fewer devices need to meet strict audit requirements.

Risk mitigation through subnetting

Subnetting adds a layer of defense by splitting a big network into smaller, contained areas. If one part is compromised, the damage is kept within that subnet instead of spreading across the whole system. This containment makes attacks easier to stop and limits their overall impact.

It also reduces the attack surface. Because traffic has to pass through clear boundaries, subnetting makes it harder for threats to move laterally across the network. The result is more barriers for attackers and more control for security teams over how data moves between segments.

Common mistakes to avoid

Subnetting can make networks faster and safer, but only if it’s set up correctly. Small configuration errors can lead to serious connectivity or performance issues. Here are some common mistakes to avoid:

• Using the wrong subnet mask: If devices are configured with a mask that doesn’t match the network, they may fail to communicate properly.
• Mismatched or default subnet masks: Using a subnet mask that doesn’t fit the actual network setup can lead to communication failures or routing issues.
• Making subnets too large: More hosts per subnet means more broadcast traffic, which slows performance.
• Overlapping subnets: If two subnets use overlapping address ranges, devices may fail to connect as expected, since many platforms block connectivity when overlaps are detected.
• Forgetting reserved addresses: The first (network ID) and last (broadcast) address in every subnet can’t be assigned to hosts. Misusing them can break connectivity.
• Poor planning and documentation: Without a clear subnet plan, scaling or troubleshooting becomes much harder, increasing the chance of misconfigurations.

Subnetting vs. VPN: What’s the difference?

Subnetting and virtual private networks (VPNs) both shape how network traffic moves, but they solve different issues. Subnetting works inside a network: it splits a large network into smaller ones, keeps local traffic contained, and makes it easier to manage performance and security.

A VPN, by contrast, protects traffic as it travels across networks. It encrypts data and routes it through a secure tunnel, shielding it from interception or tampering on the way to its destination.

Together, they create layered protection: subnetting for internal organization and a VPN for secure external connections. Combined with good network security practices, this approach helps safeguard both internal and external traffic across an organization’s infrastructure.

How do I find my subnet mask?

While subnet masks are often managed automatically, knowing where to find yours can help with basic network troubleshooting, like diagnosing slow connections, fixing IP conflicts, or setting up a home network manually.

To check your subnet mask, you can open your device’s network settings or use a simple system command.

Instructions for Windows

1. Open the Command Prompt (press the Windows key, type Command Prompt, and click it).
   
2. Type ipconfig /all and press Enter.
   
3. Look for Subnet Mask under your active network adapter to see the value.
   

If you want to change your subnet mask manually, you can do so through the Network and Sharing Center. Choose Change adapter settings, right-click your connection, and select Properties. Then, choose Internet Protocol Version 4 (TCP/IPv4), and enter the correct subnet mask manually.

Instructions for macOS

1. Open System Settings in the Apple menu.
   
2. Select Network from the sidebar, and choose Wi-Fi.
   
3. Click Details.
   
4. Open the TCP/IP tab, and you’ll find your subnet mask listed below your IP address.
   

To change it, you can open the Configure IPv4 dropdown in the same menu, select Manually, and enter the correct subnet mask.

Instructions for iOS

1. Open Settings on your iPhone or iPad, and tap Wi-Fi.
   
2. Select your current network.
   
3. Scroll down to view your subnet mask, listed under the IP address.
   

To change it, tap Configure IP > Manual, then enter the subnet mask manually.

Instructions for Android

1. In Settings, go to Network & Internet, and tap Internet.
   
2. Select the network you’re connected to, and tap the gear icon (or Advanced on some older Android versions) to see connection details.
   
3. Your subnet mask will be shown along with the IP address.

To change it, tap the pencil icon, open IP settings, switch from DHCP to Static, and enter the correct subnet mask or prefix length manually.

Common subnet masks and their meanings

Not all subnet masks serve the same purpose. Some are designed for small local networks, while others are made for larger setups with thousands of devices.

Today, subnet masks are often written using CIDR (Classless Inter-Domain Routing) notation, which simply shows how many bits of the IP address are used for the network. For example, /24 means the first 24 bits are for the network, i.e., the same as the subnet mask 255.255.255.0.

CIDR and traditional subnet masks describe the same thing; CIDR is just a more modern and compact way to represent it.

/24 subnet mask explained (255.255.255.0)

The /24 subnet mask, written as 255.255.255.0, creates 256 total addresses, of which 254 can be assigned to devices after reserving the network and broadcast addresses. It’s one of the most commonly used masks for local networks because it provides enough space for dozens or even hundreds of devices.

Other common subnet masks

Subnet masks aren’t limited to /24. A /16 mask (255.255.0.0) includes over 65,000 addresses in one subnet, making it a good fit when thousands of devices need to share the same network.

On the smaller side, a /30 mask (255.255.255.252) gives just four addresses, with two usable for devices. It was commonly used for point-to-point links, where only two devices (like routers) need to communicate. Later, the /31 subnet (255.255.255.254) was introduced to optimize address usage for point-to-point links, allowing both IPs to be used and eliminating the need for separate network and broadcast addresses in that specific case.

Other smaller subnet sizes like /25 or /26 further divide a /24 network into smaller segments, reducing the number of available host addresses while improving control and reducing local traffic.

Historically, a /8 mask (255.0.0.0) was the default for Class A networks, giving more than 16 million addresses in a single block. These large allocations were common in the early days of the internet, but they were inefficient. Modern networks use CIDR to allocate IP ranges more efficiently; this allows flexible subnetting, reduces wasted address space, and simplifies routing. It’s become the standard way to express subnet masks in both IPv4 and IPv6.

Here’s a summary of the common subnet masks:

Advanced subnetting concepts

While understanding basic subnet masks like /24 or /16 is often sufficient to grasp how networks are divided, there are more advanced ideas that help networks scale and stay efficient.

IP classes (A-E) and subnet masks

Before CIDR became the standard, IP addresses were grouped into fixed IP address classes. Each class was defined by the first few bits of the IP address and had a default subnet mask and a specific range of possible addresses.

These classes were hard-coded into early networking equipment, so the size of a network was determined automatically based on the IP address itself. This often led to wasted IP space; for example, a company might be assigned an entire Class B network with more than 65,000 addresses when it only needed a few hundred. The system also lacked flexibility, as administrators couldn’t adjust network sizes to fit their needs.

CIDR solved this by allowing any subnet size to be defined using a prefix length (e.g., /16), regardless of the IP address’s starting number. While traditional class masks align with common CIDR blocks (e.g., Class A = /8, B = /16, C = /24), CIDR isn’t bound by class rules.

Today, classful addressing is largely obsolete, but the old classes are still useful to understand when dealing with legacy systems or historical documentation.

IPv6 subnet masks

IPv6 is the newer version of the Internet Protocol, created to replace IPv4 and expand the available address space. It uses 128-bit addresses, which allows for far more than the roughly 4 billion possible addresses with IPv4 and allows the internet to keep growing as more devices come online.

IPv6 doesn’t use subnet masks at all; instead, it relies on a prefix length that specifies how many bits of the address define the network. For example, 2001:db8::/32 means the first 32 bits represent the network, while the remaining bits are available for creating subnets and assigning to devices.

This system makes splitting or combining networks much easier. Instead of calculating subnet masks, broadcast addresses, or usable host ranges, you simply adjust the prefix length to divide or merge networks as needed. IPv6 also doesn’t use separate broadcast addresses at all; multicast replaces that function, further simplifying network management.

In practice, a /64 is the standard size for an IPv6 subnet and the minimum required to support Stateless Address Autoconfiguration (SLAAC), which allows devices to generate their own IP addresses automatically. Most internet service providers assign at least a /64, and often a larger block such as a /48, which can be divided into up to 65,536 individual /64 subnets, enough for separate LANs, guest networks, VPNs, or IoT segments.

Subnetting in home networks with VPN routers

At home, subnetting can help organize devices into smaller groups instead of leaving everything on one big network. This makes it easier to separate work devices, smart TVs, or IoT gadgets into their own segments while still keeping them connected through the same router.

When subnetting, keep in mind that not every address in a subnet is usable. The first and last addresses of each subnet are reserved, so they can’t be assigned to devices. This simple rule applies in home setups just like in larger corporate networks.

Some advanced home routers, such as the ExpressVPN Aircove router, support VPN connections at the router level. This lets you protect devices that don’t support VPN apps directly, like game consoles or smart TVs. With a setup like this, subnetting helps organize your network into zones for work, guests, or IoT, while still routing all traffic through an encrypted VPN tunnel.