Calculating Subnet Masks

By Joshua Erdman
Digital Foundation, inc.

Subnet Masks in Binary

The easiest way to explain a subnet mask is by looking at the IP address and subnet mask in its
binary format. Before you continue, be sure you have a good grip on counting with binary, we
have provided a quick binary primer if you need a refresher. If you do not care for the intricacies
of calculating a subnet mask and just need to know the correct mask for your situation, we have
provided a reference table.

Not to mention you should already be familiar with the IP address. This article explains the basic
use of an IP address and why we need a subnet mask.

A regular IP address when converted to binary is 32 bits in length, each segment being 8 bits
long. Refer to our first address example of 63.26.15.5 with a subnet mask of 255.255.255.0 in
binary.

Network and Host Addresses

In this example, it is only the last segment that changes from one host to another; this last
segment is known as the host address; the first 3 segments, for this example, make up the
network address. If we were to use an address with a subnet mask of 255.255.0.0 then the first 2
segments would make up the network address and the last two would be the host address. This is
the kind of effect the subnet mask has on your IP address. It determines how big your network
group is.

With that said, to go into any deeper detail we must look at the addressing in binary. Since we
are just dealing with 32 binary bits we can stop grouping them in sets of 8 bits per segment and
deal with them as a 32 bit string. Now when you create a mask, it does not have to be limited to
groups of 8 bits (and it can have man more values than 255 or 0). These are called Variable
Length Subnet Masks (VLSMs). By calculating out your VLSM you can create any block of IP
addresses in sizes of powers of 2 minus 2.

For example, We can create a mask that only allows for 14 hosts (remember 14 hosts is 2 to the
power of 4 then we subtract 2). Knowing that it is 2 to the power of 4, we know that we have an
address block (subnet) with 4 bits for the hosts. That leaves a remaining 28 bits for the network
address, also known as a /28. Now that we know the size of the network block we want (14
hosts) let's calculate the subnet mask that we would use for a /28 network.

CLUE: A block of IP addresses is referred to as a subnet. Because of this that is how subnet
masks got their name, they are key into declaring how large a subnet actually is.
First map out your binary numbers again and keep them in groups of 8 bits each. That makes it
easy to get the decimal number for each segment. Since our network size is 28 bits long we
represent that with a string of 28 1s and the remainings 4 bits as 0s. So the first 3 segments (of 8
bits each) are all 1s. The decimal equivalent of an 8 bit segment of all 1s is 255. So the first 3
segments are 255. That leaves us with 4 bits left in the mask for the last segment. It will look
something like this:

128 64 32 16 8 4 2 1
1 1 1 1 0 0 0 0

To make it easy, we have included a subnet mask calculator. This calculator converts decimal IP
addresses and Subnet Masks. You can also optionally enter a destination IP address to see the
results.

Add up the bits that are flagged with a one and we see that the last segment of the subnet mask
with 14 hosts ( 16 - 2 ) is 240. For a subnet mask of 255.255.255.240; That is pretty much it with
creating subnet masks, but now you need to learn a new rule about addressing.

IP Addresses with VLSMs

When you use a subnet mask of 255.255.255.192 what you have essentially done is divided up
your last segment into 4 blocks (subnets). Using the binary of the last segment we can see our
subnet mask only uses the first 2 most significant bits. Recall that the network address is made
up from all the bits that line up with the 1s in the subnet mask. So in this case the network
address 'overflows' into the last segment because it has two bits available in the last segment. The
host address has the last 6 bits in the last segment. Let's see what this subnet masks looks like:

128 64 32 16 8 4 2 1
1 1 0 0 0 0 0 0

First lets say we have a network subnet of 10.10.10.X and we are using the same subnet mask
255.255.255.192  Our network host (HOST1) is currently using the address 10.10.10.75  Now
lets display the binary of the last segment for both the subnet mask and the address of our host.

|
128 64|32 16 8 4 2 1
SM 1 1| 0 0 0 0 0 0
HOST1 0 1| 0 0 1 0 1 1
|
Network Host

Notice the bar I drew in that divides the bits of the last segment. The last 6 bits on right are the
host bits, we know this because it matches up with all the 0s in the subnet masks. From the same
logic we know about all the bits for the network masks because of the same reason, the network
address matches up with all the 1s in the subnet mask.
So let's calculate the first and last addresses that can exist on the subnet of HOST1. To do this,
that the ful address of the host and make the host side all 0s and do it again with all 1s. Look at
the example:

|
128 64|32 16 8 4 2 1
SM 1 1| 0 0 0 0 0 0=192
HOST1 0 1| 0 0 1 0 1 1=75
0s 0 1| 0 0 0 0 0 0=64
1s 0 1| 1 1 1 1 1 1=127
|
Network Host

The valid host addresses in the same subnet as our sample host are in the range of 10.10.10.64 -
10.10.10.127
Notice how there is specific requirements of the available addresses in the subnet.

So why doesn't a host with the IP address of 10.10.10.33 and SM 255.255.255.192 (HOST2) see
HOST1 as a local computer?
Let's display all the data in binary:

|
128 64|32 16 8 4 2 1
SM 1 1| 0 0 0 0 0 0=192
HOST1 0 1| 0 0 1 0 1 1=75
HOST2 0 0| 1 0 0 0 0 1=33
|
Network Host

Look at the first 2 bits in the network section of the each host. HOST1 and HOST2 have
DIFFERENT network addresses! So a subnet mask plays a much more complicated role than just
declaring the size of a subnet. It also limits that addresses you can use in a subnet. In our last
example we noticed that a subnet mask of 255.255.255.192 will create a subnet of 64 addresses
(for 62 hosts). But if you tried to start the addressing at 10.10.10.32 - 10.10.10.95 what actually
happens is that your subnet overlaps into two separate subnets. Just do the calculations and you
will see (just as I displayed above) that the network addresses of the first 32 hosts in the invalid
subnet will have a different network address than the last 32 hosts in the invalid subnet.

Application
Learning how to create and declare subnet masks is not only useful for the technicians of ISPs
who are assigning subnets to their customers. Using subnet masks is also key for firewalls and
access lists. If you group IP addresses together based on host type (such as assigning all the
workstations the addresses 10.10.10.128 - 10.10.10.254 and the servers the addresses 10.10.10.1
- 10.10.10.127) but use the subnet mask 255.255.255.0 (so that the hosts will communicate
directly) you can then use masking as a way to apply different access rules with your firewall
without having to specify each IP address individually.