Subnet masks: a complete guide for infrastructure professionals

Few things are as fundamental in infrastructure management as subnet masks—and few are understood as superficially. Anyone who has ever configured a network interface has typed 255.255.255.0 almost on autopilot. But when it comes time to design the network architecture for a production environment, segment traffic across VLANs, size subnets for a private cloud deployment, or figure out why a firewall isn’t passing what it should, a real understanding of how subnet masks work is the difference between a well-designed infrastructure and a permanent source of incidents.

This guide covers the concept from the fundamentals through the practical scenarios that come up daily in datacenter and cloud environments, including reference tables, calculation examples, and the most common mistakes.

What is a subnet mask and why does it matter in infrastructure

A subnet mask is a 32-bit value that, when applied to an IP address, separates two things: the portion that identifies the network and the portion that identifies the host (the specific device within that network). It is, in essence, the tool that tells an operating system, a switch, or a router whether a packet should stay on the local network or be forwarded through the default gateway.

In binary, a subnet mask is always a sequence of contiguous ones followed by contiguous zeros. The ones mark the network bits; the zeros mark the host bits. No exceptions—although, as we’ll see later, there was a time when there were.

Two ways to express the same thing:

  • Dotted decimal notation: 255.255.255.0
  • CIDR notation: /24

Both represent exactly the same thing: the first 24 bits are network, the remaining 8 are host.

How it works internally: the AND operation

When a device needs to determine whether a destination IP is on its own network, it doesn’t compare addresses by eye. It performs a logical AND operation between its own IP address and the mask, then does the same with the destination IP. If the results match, the packet goes directly. If not, it’s sent to the gateway.

Practical example with IP 192.168.1.45 and mask 255.255.255.0:

IP:       11000000.10101000.00000001.00101101  (192.168.1.45)
Mask:     11111111.11111111.11111111.00000000  (255.255.255.0)
          ────────────────────────────────────
AND:      11000000.10101000.00000001.00000000  → 192.168.1.0

The result—192.168.1.0—is the network address. If another device produces the same result when applying its mask, both are on the same subnet.

This seemingly simple mechanism is what makes all IP communication work: from the most basic home network to the network architecture of a datacenter with hundreds of VLANs.
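The AND check above, written out as an added example (not code from the original article): addresses and masks are handled as raw 32-bit integers so the mechanism stays visible, and a mask is rejected unless it is contiguous ones followed by contiguous zeros. All function names are this example's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def ip_to_int(dotted: str) -> int:
    """Dotted decimal -> 32-bit integer (ipaddress rejects malformed input)."""
    return int(ipaddress.IPv4Address(dotted))

def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def is_valid_mask(mask: str) -> bool:
    """Valid only as contiguous ones then zeros: 255.255.255.200 (last octet
    11001000) has 27 one-bits but is not 255.255.255.224, so it is rejected."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    return m == (ALL_ONES << (32 - ones)) & ALL_ONES

def mask_to_prefix(mask: str) -> int:
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bin(ip_to_int(mask)).count("1")

def network_of(ip: str, mask: str) -> str:
    """The AND step: address AND mask is the network address."""
    mask_to_prefix(mask)  # refuse to compute with an invalid mask
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))

def broadcast_of(ip: str, mask: str) -> str:
    """All host bits set to one: the broadcast address of that subnet."""
    mask_to_prefix(mask)
    return int_to_ip(ip_to_int(ip) | (ip_to_int(mask) ^ ALL_ONES))

def sends_directly(local_ip: str, mask: str, dest_ip: str) -> bool:
    """True when both addresses AND to the same network (packet stays local),
    False when the host must hand the packet to its default gateway."""
    return network_of(local_ip, mask) == network_of(dest_ip, mask)

def show_and(ip: str, mask: str) -> str:
    """Render the three binary rows shown in the article for any address/mask."""
    def dotted_bin(v):
        return ".".join(f"{(v >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))
    i, m = ip_to_int(ip), ip_to_int(mask)
    return "\n".join([f"IP:   {dotted_bin(i)}  ({ip})",
                      f"Mask: {dotted_bin(m)}  ({mask})",
                      f"AND:  {dotted_bin(i & m)}  ({int_to_ip(i & m)})"])

if __name__ == "__main__":
    print(show_and("192.168.1.45", "255.255.255.0"))
```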

Complete subnet mask table: /32 to /0

The following table is a reference worth keeping handy at all times. It includes the CIDR notation, the dotted decimal mask, the total number of IPs, usable hosts (subtracting the network address and broadcast), and the most common use case in real-world infrastructure environments.

CIDR  Decimal mask     Total IPs      Usable hosts   Common use
/32   255.255.255.255  1              1              Host route, loopback, firewall rules
/31   255.255.255.254  2              2*             Point-to-point links (RFC 3021)
/30   255.255.255.252  4              2              Router-to-router interconnections
/29   255.255.255.248  8              6              DMZ segment, small public IP blocks
/28   255.255.255.240  16             14             Small public IP pool, management
/27   255.255.255.224  32             30             Management network, small office
/26   255.255.255.192  64             62             Department VLAN, server segment
/25   255.255.255.128  128            126            Medium server subnet
/24   255.255.255.0    256            254            Standard LAN, typical VLAN
/23   255.255.254.0    512            510            Large LAN, campus
/22   255.255.252.0    1,024          1,022          Campus, corporate WiFi
/21   255.255.248.0    2,048          2,046          Large campus
/20   255.255.240.0    4,096          4,094          ISP, cloud provider
/19   255.255.224.0    8,192          8,190          ISP block
/18   255.255.192.0    16,384         16,382         ISP block
/17   255.255.128.0    32,768         32,766         ISP block
/16   255.255.0.0      65,536         65,534         Large corporate network
/12   255.240.0.0      1,048,576      1,048,574      Class B private range (172.16.0.0/12)
/8    255.0.0.0        16,777,216     16,777,214     Class A private range (10.0.0.0/8)
/0    0.0.0.0          4,294,967,296  n/a            Default route

* The /31 mask, defined in RFC 3021, does not reserve a network address or broadcast address. It is widely supported on modern routers and saves one address compared to /30 on every point-to-point link—something that adds up when managing hundreds of interconnections in a datacenter.

Decimal to binary conversion: the values that appear in each octet

Decimal  Binary    Network bits
0        00000000  0
128      10000000  1
192      11000000  2
224      11100000  3
240      11110000  4
248      11111000  5
252      11111100  6
254      11111110  7
255      11111111  8

These are the only valid values that can appear in a subnet mask octet. If someone configures a different value (for example, 255.255.255.200), the configuration is incorrect.

The most commonly used masks in professional environments

Not all masks are used with the same frequency. In datacenter and cloud infrastructure practice, these are the ones that come up again and again:

/24 — The standard mask

The most common in LANs and VLANs. It provides 254 hosts, making it suitable for most enterprise network segments: workstations, servers in a rack, management networks, or storage VLANs.

Example: 10.10.5.0/24 covers from 10.10.5.1 to 10.10.5.254, with broadcast at 10.10.5.255.

/25 — Splitting a /24 in two

When a /24 is too large and you need to separate two environments (for example, production and staging), a /25 divides the block into two subnets of 126 hosts each.

Subnet          Range        Hosts
10.10.5.0/25    .1 – .126    126
10.10.5.128/25  .129 – .254  126

/26 — Four segments per /24

Ideal for separating VLANs within a single block when smaller segments are needed: server network, management network, monitoring network, and user network, each with up to 62 hosts.

Subnet  Network address  First host    Last host     Broadcast
1       10.10.5.0/26     10.10.5.1     10.10.5.62    10.10.5.63
2       10.10.5.64/26    10.10.5.65    10.10.5.126   10.10.5.127
3       10.10.5.128/26   10.10.5.129   10.10.5.190   10.10.5.191
4       10.10.5.192/26   10.10.5.193   10.10.5.254   10.10.5.255

/27 — 30-host segments

Widely used for management networks (iDRAC/IPMI, switches, smart PDUs) where there are only a few dozen devices and a reduced broadcast domain is desirable.

/28 — Small public IP blocks

When a provider assigns a block of public IPs to a customer, /28 (14 hosts) is one of the most common units. Also used for DMZs with few exposed services.

/30 and /31 — Point-to-point links

In any datacenter network with multiple interconnected routers or firewalls, the links between them use /30 (2 hosts) or /31 (2 hosts with no waste). In an infrastructure with 50 interconnections, the difference between /30 and /31 amounts to 50 saved IP addresses—something that matters at scale.

/32 — The individual host

Not a “subnet” in the strict sense: it identifies a single IP address. Used in host routes (static routes to a specific host), specific firewall rules, router loopback interfaces, and IP assignment in point-to-multipoint networks.

Network design with VLSM: a real-world example

In a production infrastructure, subnets rarely all need to be the same size. The VLSM (Variable Length Subnet Mask) technique allows you to assign each segment exactly the mask it needs, optimizing address utilization.

Scenario: A company has the allocated block 172.16.10.0/24 and needs:

  • Production servers: 100 hosts
  • User network: 50 hosts
  • Management/IPMI network: 20 hosts
  • DMZ: 10 hosts
  • Two WAN links: 2 hosts each

The allocation—always starting with the largest subnet—would be:

Segment     Hosts needed  CIDR  Mask             Available hosts  Assigned network
Production  100           /25   255.255.255.128  126              172.16.10.0/25
Users       50            /26   255.255.255.192  62               172.16.10.128/26
Management  20            /27   255.255.255.224  30               172.16.10.192/27
DMZ         10            /28   255.255.255.240  14               172.16.10.224/28
WAN 1       2             /30   255.255.255.252  2                172.16.10.240/30
WAN 2       2             /30   255.255.255.252  2                172.16.10.244/30

Out of the 256 addresses in the original block, 238 are being used with minimal waste. Without VLSM, you would need to assign a /24 to each segment, requiring six /24 blocks instead of one.
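The largest-first VLSM allocation from the scenario above, as an added example (not the article's own code). It uses only the standard ipaddress module; the function names and the REQUIREMENTS dictionary are this example's own, and it reproduces the assigned networks in the table when run on the 172.16.10.0/24 block.

```python
import ipaddress

def prefix_for(hosts: int) -> int:
    """Longest prefix with at least `hosts` usable addresses once the network
    and broadcast address are excluded (2 hosts -> /30, as in the table)."""
    return 32 - (hosts + 1).bit_length()

def allocate_vlsm(block: str, requirements: dict) -> tuple:
    """Largest-first allocation. Returns (assigned, free): the subnet chosen
    for each segment and the pieces of the block still unused."""
    free = [ipaddress.ip_network(block)]
    assigned = {}
    # sorted() is stable, so segments with equal sizes keep their listed order
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for(hosts)
        free.sort()  # lowest free address first keeps allocations packed
        chunk = next((n for n in free if n.prefixlen <= prefix), None)
        if chunk is None:
            raise ValueError(f"{block} exhausted while placing {name} ({hosts} hosts)")
        free.remove(chunk)
        subnet = next(chunk.subnets(new_prefix=prefix))  # first piece of the chunk
        free.extend(chunk.address_exclude(subnet))        # hand back the remainder
        assigned[name] = subnet
    return assigned, sorted(free)

def has_overlap(assigned: dict) -> bool:
    """Sanity check for the plan: no two assigned subnets may share addresses."""
    nets = list(assigned.values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

# Constructed from the scenario in the text.
REQUIREMENTS = {"Production": 100, "Users": 50, "Management": 20,
                "DMZ": 10, "WAN 1": 2, "WAN 2": 2}

if __name__ == "__main__":
    plan, leftover = allocate_vlsm("172.16.10.0/24", REQUIREMENTS)
    for name, net in plan.items():
        print(f"{name:<11} {str(net):<18} {net.netmask}  {net.num_addresses - 2} hosts")
    print("unused:", [str(n) for n in leftover])
```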

Wildcard mask: the other side of the subnet mask

In ACL (access control list) configurations on routers and switches, and in protocols like OSPF, the subnet mask is not used directly. Instead, its inverse is used: the wildcard mask.

The calculation is straightforward: 255.255.255.255 - subnet mask = wildcard.

Subnet mask            Wildcard
255.255.255.255 (/32)  0.0.0.0
255.255.255.252 (/30)  0.0.0.3
255.255.255.240 (/28)  0.0.0.15
255.255.255.0 (/24)    0.0.0.255
255.255.0.0 (/16)      0.0.255.255

Cisco ACL example: Allow traffic from the server network 172.16.10.0/25:

access-list 100 permit ip 172.16.10.0 0.0.0.127 any

OSPF example: Advertise the management network 172.16.10.192/27:

router ospf 1
 network 172.16.10.192 0.0.0.31 area 0
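An added example (not from the article or any vendor) that derives the wildcard from a prefix, emits the two configuration lines above, and applies the wildcard the way an ACL or OSPF does when deciding whether an address matches. Function names are this example's own; the strict check refuses a network written with host bits set, which would otherwise produce a rule for the wrong range.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def wildcard_for(prefix: int) -> str:
    """255.255.255.255 minus the mask is simply the bitwise inverse of the mask."""
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))

def acl_line(number: int, cidr: str, action: str = "permit") -> str:
    """'access-list N permit ip <network> <wildcard> any' for a CIDR block.
    strict=True makes ip_network raise if host bits are set (e.g. 172.16.10.5/25)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return (f"access-list {number} {action} ip "
            f"{net.network_address} {wildcard_for(net.prefixlen)} any")

def ospf_network_line(cidr: str, area: int = 0) -> str:
    """The 'network <address> <wildcard> area N' statement under router ospf."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f" network {net.network_address} {wildcard_for(net.prefixlen)} area {area}"

def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """ACL/OSPF matching: a 1 bit in the wildcard is 'don't care',
    a 0 bit must be equal between the address and the base."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    addr = int(ipaddress.IPv4Address(address))
    return (addr & care) == (int(ipaddress.IPv4Address(base)) & care)

if __name__ == "__main__":
    print(acl_line(100, "172.16.10.0/25"))
    print("router ospf 1")
    print(ospf_network_line("172.16.10.192/27"))
```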

Quick calculation formulas

Two formulas worth having committed to memory:

Usable hosts per subnet:

2^(32 - CIDR_prefix) - 2

Number of subnets when dividing a block:

2^(new_prefix - original_prefix)

Quick examples:

  • How many hosts fit in a /27? → 2^(32-27) – 2 = 30
  • How many /28s can I carve from a /24? → 2^(28-24) = 16 subnets
  • I need at least 500 hosts: 2^n ≥ 502 → n = 9 → /23
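The two formulas and the three quick examples as functions, added here as an example that is not part of the original article. It also handles the /31 and /32 cases the reference table marks as special, via an rfc3021 flag that is this example's own convention; the function names are likewise assumptions.

```python
import ipaddress

def usable_hosts(prefix: int, rfc3021: bool = False) -> int:
    """2^(32 - prefix) - 2. With rfc3021=True a /31 yields 2 (no network or
    broadcast address reserved) and a /32 yields 1, as in the reference table."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix must be between 0 and 32")
    if rfc3021 and prefix >= 31:
        return 2 ** (32 - prefix)
    return 2 ** (32 - prefix) - 2

def subnet_count(original_prefix: int, new_prefix: int) -> int:
    """2^(new_prefix - original_prefix): equal-size subnets a block splits into."""
    if not 0 <= original_prefix <= new_prefix <= 32:
        raise ValueError("prefixes must satisfy 0 <= original <= new <= 32")
    return 2 ** (new_prefix - original_prefix)

def prefix_for_hosts(hosts: int, rfc3021: bool = False) -> int:
    """Longest prefix (smallest subnet) with at least `hosts` usable addresses:
    the smallest n with 2^n >= hosts + 2, returned as 32 - n."""
    for prefix in range(32, -1, -1):
        if usable_hosts(prefix, rfc3021) >= hosts:
            return prefix
    raise ValueError(f"no IPv4 subnet holds {hosts} hosts")

def prefix_to_mask(prefix: int) -> str:
    """Dotted-decimal mask for a prefix, e.g. 23 -> 255.255.254.0."""
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))

def reference_row(prefix: int) -> tuple:
    """One row of the /32 to /0 table: (cidr, mask, total IPs, usable hosts)."""
    return (f"/{prefix}", prefix_to_mask(prefix),
            2 ** (32 - prefix), usable_hosts(prefix, rfc3021=True))

if __name__ == "__main__":
    print("hosts in a /27:", usable_hosts(27))
    print("/28s in a /24:", subnet_count(24, 28))
    print("prefix for 500 hosts:", prefix_for_hosts(500))
```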

Route aggregation (supernetting)

CIDR doesn’t just allow dividing networks into smaller subnets—it also allows aggregating multiple networks into a larger announcement. This is critical for keeping routing tables manageable, especially in BGP.

Example: Instead of advertising four separate routes:

192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

You can advertise a single summary route: 192.168.0.0/22, reducing the load on neighboring routers. This only works if the networks are contiguous and align on a power-of-2 boundary.
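An added example (not from the article) that computes the summary route for a list of networks and reports whether it is exact. When the networks are not contiguous and aligned, the smallest covering prefix also announces address space that is not in the list; the overreach function lists that extra space, which is what a reviewer of a BGP announcement wants to see before it goes out. Function names are this example's own.

```python
import ipaddress

def summarize(networks: list) -> tuple:
    """Return (summary, exact). exact is True when one prefix covers precisely
    the given networks; False when the smallest covering prefix over-reaches."""
    nets = sorted(ipaddress.ip_network(n) for n in networks)
    collapsed = list(ipaddress.collapse_addresses(nets))
    if len(collapsed) == 1:          # contiguous and aligned on a power of 2
        return collapsed[0], True
    lo = int(nets[0].network_address)
    hi = int(nets[-1].broadcast_address)
    prefix = 32
    # shorten the prefix until lo and hi share the same leading bits
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network((base, prefix)), False

def overreach(summary, networks: list) -> list:
    """Space inside `summary` that is not in `networks`: what an inexact
    summary would announce on behalf of prefixes you do not actually hold."""
    leftover = [summary]
    for net in sorted(ipaddress.ip_network(n) for n in networks):
        remaining = []
        for chunk in leftover:
            remaining.extend(chunk.address_exclude(net) if net.subnet_of(chunk) else [chunk])
        leftover = remaining
    return sorted(leftover)

if __name__ == "__main__":
    aligned = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    shifted = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
    for group in (aligned, shifted):
        route, exact = summarize(group)
        print(route, "exact" if exact else f"over-reaches: {[str(n) for n in overreach(route, group)]}")
```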

Private addresses (RFC 1918) and CGNAT

Three address blocks are reserved for internal use and are not routed on the public Internet:

Block                          CIDR            Usable hosts  Common use
10.0.0.0 – 10.255.255.255      10.0.0.0/8      16,777,214    Large corporate networks, private cloud, datacenters
172.16.0.0 – 172.31.255.255    172.16.0.0/12   1,048,574     Mid-size networks, infrastructure segments
192.168.0.0 – 192.168.255.255  192.168.0.0/16  65,534        Home networks, small offices

Additionally, the block 100.64.0.0/10 is reserved for CGNAT (Carrier-Grade NAT, RFC 6598), a technique used by ISPs to share public IPs across multiple customers. It’s important not to use this range in your own internal networks to avoid conflicts.

A brief history: from flat networks to CIDR

IP addressing hasn’t always worked this way:

1970s: IP networks were flat. They always assumed 8 bits for the network and 24 for the host. Only 256 networks were possible across the entire Internet.

1981 (RFC 791): Jon Postel introduces Classes A, B, and C. The mask was implicitly derived from the class. The problem: a mid-size organization needed a Class B (65,534 hosts) because Class C (254 hosts) was too small, wasting thousands of addresses.

1985 (RFC 950): Subnet masks are formalized, allowing networks to be divided into smaller subnets.

1993 (RFC 1519): CIDR (Classless Inter-Domain Routing) is born, eliminating the class concept and adopting VLSM. This is the system in use today and the one that allowed IPv4 to survive far longer than anyone expected.

An interesting historical note: in the early years, masks didn’t require contiguous bits. A mask like 255.255.192.128 was perfectly valid. The practice was abandoned in the early 1990s because it made efficient longest prefix match routing computationally impractical.

Subnet masks in IPv6

In IPv6, dotted decimal mask notation doesn’t exist. Only prefix notation, equivalent to CIDR, is used:

2001:0db8:85a3::1/64

The most common prefix is /64 for local networks (2^64 = 18.4 quintillion addresses per subnet—more than enough for any scenario). ISPs receive /32 or /48 blocks from regional registries (RIPE, ARIN, LACNIC, etc.).

In practice, subnet planning in IPv6 is simpler than in IPv4: the abundance of addresses eliminates the need for the fine-grained subnetting that makes mastering VLSM essential in IPv4.

Checking your subnet mask: quick commands

Linux (the mask appears in CIDR notation):

ip addr show
# Example output: inet 10.10.5.45/24 brd 10.10.5.255 scope global eth0

Windows:

ipconfig
# Look for: Subnet Mask . . . . . . . . . . . : 255.255.255.0

macOS:

ifconfig en0
# Look for: netmask 0xffffff00  (hex for 255.255.255.0)

On a Cisco switch or router:

show ip interface brief
show running-config interface Vlan10

Common configuration mistakes

These are the most frequent problems found in network audits—worth knowing so you can avoid them:

Inconsistent masks on the same VLAN. If one server has /24 and another has /25 on the same physical network, part of the range will be unreachable for one of them. This is a classic source of “it works sometimes” issues that are notoriously difficult to diagnose.

Overlapping subnets. When manually assigning blocks with VLSM without a clear plan, it’s easy for two subnets to overlap. The result: packets arriving at the wrong destination or ambiguous routes.

Defaulting to /24 when it’s not needed. A WAN link between two routers doesn’t need 254 addresses. A /30 or /31 is the right choice; using /24 wastes 252 IPs on every link.

Forgetting to subtract 2 when calculating hosts. The network address (all host bits set to 0) and the broadcast address (all set to 1) are not assignable. A /24 has 254 hosts, not 256. A /30 has 2, not 4.

Forgetting to update the gateway and DNS. When changing a mask, the default gateway and firewall rules must reflect the new scheme. Changing a mask without reviewing the gateway is a guaranteed outage.
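An added example (not from the article) that audits a small host inventory for three of the mistakes above: inconsistent masks on one VLAN, which surface as asymmetric on-link decisions; subnets that overlap across VLANs; and a /24 on a point-to-point link. The inventory, the VLAN numbers and the LINK_VLANS set are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory for this example: (host, VLAN, address/prefix).
INVENTORY = [
    ("srv-01", 10, "10.10.5.45/24"),
    ("srv-02", 10, "10.10.5.200/25"),   # mask differs from srv-01 on the same VLAN
    ("mgmt-sw", 20, "10.10.6.10/27"),
    ("dmz-01", 50, "10.10.6.5/28"),     # 10.10.6.0/28 lies inside VLAN 20's 10.10.6.0/27
    ("rtr-a", 100, "10.10.7.1/24"),     # two-router link configured as a /24
    ("rtr-b", 100, "10.10.7.2/24"),
]
LINK_VLANS = {100}  # VLANs documented as point-to-point interconnections

def audit(inventory, link_vlans=LINK_VLANS) -> list:
    """Return (kind, message) findings for the mistakes described above."""
    findings = []
    by_vlan = defaultdict(list)
    for host, vlan, addr in inventory:
        by_vlan[vlan].append((host, ipaddress.ip_interface(addr)))

    for vlan, members in by_vlan.items():
        # 1. Inconsistent masks: A treats B as on-link (ARPs directly) while
        #    B considers A off-link and sends its replies to the gateway.
        for ha, ia in members:
            for hb, ib in members:
                if ha != hb and ib.ip in ia.network and ia.ip not in ib.network:
                    findings.append(("inconsistent-mask",
                        f"VLAN {vlan}: {ha} ({ia}) treats {hb} as on-link, "
                        f"but {hb} ({ib}) routes {ha} via the gateway"))
        # 2. Anything shorter than /30 on a two-node link wastes addresses.
        if vlan in link_vlans and any(i.network.prefixlen < 30 for _, i in members):
            findings.append(("oversized-link",
                f"VLAN {vlan}: point-to-point link not using /30 or /31"))

    # 3. Overlapping subnets between different VLANs.
    nets = sorted({(vlan, i.network) for vlan, m in by_vlan.items() for _, i in m})
    for idx, (va, a) in enumerate(nets):
        for vb, b in nets[idx + 1:]:
            if va != vb and a.overlaps(b):
                findings.append(("overlap", f"VLAN {va} {a} overlaps VLAN {vb} {b}"))
    return findings

if __name__ == "__main__":
    for kind, message in audit(INVENTORY):
        print(f"[{kind}] {message}")
```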

Subnet masks in the context of private cloud

In private cloud and bare metal environments, subnet design is one of the first architectural decisions. The choice of masks directly affects scalability, traffic isolation, and operational complexity.

A typical datacenter infrastructure design uses separate VLANs with masks tailored to each function:

VLAN      Function                 Typical mask  Why
VLAN 10   Production               /24 or /23    Enough room for servers and growth
VLAN 20   Management/IPMI          /27 or /28    Few devices, critical isolation
VLAN 30   Storage (iSCSI/NFS)      /24           Dedicated traffic, jumbo MTU, no gateway
VLAN 40   Backup                   /24           Separated from production traffic
VLAN 50   DMZ                      /28 or /27    Only exposed services, strict firewall
VLAN 100  Router interconnections  /31 per link  Maximum IP utilization

This type of design, combined with inter-VLAN firewall rules and thorough IP addressing documentation, is what separates a professional infrastructure from an improvised deployment.


At Stackscale, network management is designed so that each customer has properly sized and isolated segments, with network-level redundancy and connectivity to multiple carriers. If you’re planning a deployment that requires custom network design, our team can help you size the subnets, VLANs, and segmentation rules that best fit your use case.
