A subnet mask is a 32-bit number that splits an IPv4 address into two parts: the network portion and the host portion. Every device on an IP network uses a subnet mask to determine whether it can send data directly to a machine on the same local network or if it must be forwarded through a router to reach an external destination. Without a correctly configured subnet mask, routers cannot distinguish local traffic from remote traffic, and even devices sitting on the same cable will fail to communicate.
Subnetting is the practice of dividing a larger IP network into smaller segments, and it’s foundational to how enterprise networks manage addressing, contain broadcast domains, enforce security policies, and scale over time. This guide explains what a subnet mask is, how it works at the bit level, and how subnetting fits into a broader network access control (NAC) strategy.
How Does a Subnet Mask Work?
A subnet mask works through a bitwise AND operation between itself and an IP address. The binary 1s in the mask mark the network bits; the binary 0s mark the host bits. The result of the AND operation is the network address, which is the identifier that tells routers which subnet the device belongs to.
Worked example:
| Component | Dotted Decimal | Binary |
| IP address | 192.168.10.45 | 11000000.10101000.00001010.00101101 |
| Subnet mask | 255.255.255.0 | 11111111.11111111.11111111.00000000 |
| Network address | 192.168.10.0 | 11000000.10101000.00001010.00000000 |
Because the first 24 bits match, the router knows that any address in the range 192.168.10.1 through 192.168.10.254 belongs to the same local subnet. Traffic destined for 192.168.11.45 does not match and gets forwarded to the default gateway.
Subnet masks can shrink or expand depending on your network requirements. In traditional IPv4 subnetting, the smallest practical subnet (/30) supports two usable host addresses, while RFC 3021 allows the use of 31-bit prefixes for point-to-point links; they aren’t “reserved” in the sense of being unavailable, but rather specifically enabled for that use case. With Variable Length Subnet Masking (VLSM), you can assign different-sized subnets to different parts of the same network, which reduces wasted address space considerably.
Subnet Mask Notation: Dotted Decimal vs. CIDR
Subnet masks are expressed in two common formats. Understanding both is necessary for reading router configurations, firewall rules, and access control lists.
Dotted Decimal Notation
Dotted decimal notation uses the same four-octet format as an IP address. Each octet is eight bits, totaling 32 bits. These are the three most common subnet masks in dotted decimal:
| Dotted Decimal | Binary | Network Class | Usable Hosts |
| 255.0.0.0 | 11111111.00000000.00000000.00000000 | Class A | ~16.7 million |
| 255.255.0.0 | 11111111.11111111.00000000.00000000 | Class B | 65,534 |
| 255.255.255.0 | 11111111.11111111.11111111.00000000 | Class C | 254 |
The first octet value of 255 means every bit in that octet is a 1. Those bits are locked to the network portion. An octet of 0 means all eight bits are available for host addressing.
CIDR Notation
Classless Inter-Domain Routing (CIDR) replaced the rigid Class A/B/C system to slow the exhaustion of IPv4 address space, as defined in RFC 1519. CIDR notation appends a slash and a number to an IP address. That number indicates how many bits belong to the network portion.
- /8 = 255.0.0.0 (Class A equivalent)
- /16 = 255.255.0.0 (Class B equivalent)
- /24 = 255.255.255.0 (Class C equivalent)
- /27 = 255.255.255.224 (30 usable hosts per subnet)
- /30 = 255.255.255.252 (2 usable hosts; common for router-to-router links)
A full subnet reference looks like this: “192.168.10.0/24”. The larger the CIDR number, the smaller the subnet and the fewer usable host addresses it contains.
What Is a /24 Subnet Mask?
A /24 is the most widely deployed subnet mask in enterprise LANs. It reserves 24 bits for the network and leaves 8 bits for hosts, providing 256 total addresses (254 usable, because the first address is the network ID and the last is the broadcast address). In dotted decimal, a /24 is “255.255.255.0”.
A /24 is a practical default for locations where the device count per segment stays under 250. When a segment grows beyond 254 devices, IT teams either move to a /23 (510 usable hosts) or split the segment into multiple /24 subnets with routing between them.
The Role of Subnet Masks in IP Addressing
IP addressing is the process of assigning a unique address to every device on a network. A subnet mask is what gives that address meaning; it tells every device and router on the network how to interpret the address.
Without a subnet mask:
- Routers cannot distinguish local devices from remote destinations.
- Devices on the same physical segment may fail to communicate.
- Broadcast traffic floods the entire address space, degrading performance.
With an incorrect subnet mask, the problems can be subtler. Two devices on the same switch might calculate different network addresses from their own IPs and treat each other as remote hosts, sending traffic to the default gateway instead of communicating directly. Troubleshooting this issue is a common pain point for IT teams, especially in environments where DHCP scopes, static assignments, and VLAN configurations overlap.
Network Segmentation and Security With Subnetting
Subnetting is one of the most direct ways to implement network segmentation, the practice of dividing a flat network into isolated zones with defined trust boundaries. This is a foundational layer in any defense-in-depth architecture.
How subnetting improves security:
- Reduced broadcast domains. Each subnet acts as its own broadcast domain. Limiting broadcast traffic reduces the amount of data an attacker can access from a compromised segment.
- Granular access control. Firewalls and ACLs operate on subnet boundaries. Placing finance, HR, IoT devices, and student devices on separate subnets lets you write targeted rules for each group.
- Blast radius containment. If malware compromises a device on one subnet, lateral movement is limited to that segment (unless the attacker can also compromise the router or firewall separating subnets).
- VLAN-to-subnet mapping. In most enterprise networks, each VLAN corresponds to a subnet. RADIUS policies can dynamically assign devices to the correct VLAN (and by extension, the correct subnet) at the moment of authentication, based on user role, device type, or compliance posture.
This last point is where subnetting intersects directly with network access control. Static VLAN assignments work for small networks. But at scale, dynamic VLAN assignment through RADIUS enables segmentation policy enforcement without constant manual reconfiguration.
Subnet Masks vs. IP Addresses vs. Default Gateways
| Component | What It Does | Example |
| IP address | Uniquely identifies the device on the network | 10.0.5.42 |
| Subnet mask | Tells the device how to split the IP into network and host portions | 255.255.255.0 (/24) |
| Default gateway | The IP address of the router the device uses to reach other networks | 10.0.5.1 |
When a device wants to send a packet, it applies the subnet mask to its own IP and the destination IP. If the network portions match, the packet goes directly to the destination on the local segment. If they do not match, the packet is forwarded to the default gateway for routing.
A misconfigured default gateway means the device cannot reach anything outside its own subnet. And a misconfigured subnet mask means the device may be unable to reach its own gateway.
Common Subnet Masks: A Quick Reference
This table covers the subnet sizes IT teams encounter most often in enterprise and campus environments.
| CIDR | Dotted Decimal | Usable Hosts | Typical Use Case |
| /8 | 255.0.0.0 | 16,777,214 | Large ISP or private 10.x.x.x address space |
| /16 | 255.255.0.0 | 65,534 | Campus-wide or data center supernet |
| /22 | 255.255.252.0 | 1,022 | Large wireless SSID pools |
| /24 | 255.255.255.0 | 254 | Standard office VLAN or branch site |
| /25 | 255.255.255.128 | 126 | Split a /24 into two segments |
| /27 | 255.255.255.224 | 30 | Server farm or small IoT segment |
| /30 | 255.255.255.252 | 2 | Point-to-point router links |
| /32 | 255.255.255.255 | 1 | Loopback or host route |
Benefits and Challenges of Subnetting
Benefits
- Reduced congestion. Without subnets, broadcast traffic reaches every device in the network. Subnetting confines broadcasts to their segment, reducing unnecessary traffic and improving throughput.
- Stronger security posture. Isolated subnets let administrators restrict access to sensitive resources such as databases, admin consoles, and payment systems using firewall rules and ACLs tied to subnet boundaries.
- IP address conservation. IPv4 has roughly 4.3 billion addresses total, and public IPv4 space has been exhausted since 2011. VLSM and CIDR let organizations carve their private address space into right-sized subnets, avoiding the waste of classful allocations.
- Scalability. Adding a new department, building, or device class means adding a new subnet, not redesigning the entire network.
- Simplified troubleshooting. When problems are confined to a subnet, the scope of investigation is smaller. Network monitoring tools can report on a per-subnet basis, making it faster to isolate issues.
Challenges
- Planning complexity. A poorly planned subnetting scheme creates address conflicts, routing loops, or subnets that are too small to grow. IP address management (IPAM) tools help, but upfront design matters.
- Hardware requirements. Inter-subnet traffic must pass through a Layer 3 device (router or switch). Extensive subnetting means more routing, which requires appropriately sized infrastructure.
- Documentation overhead. Every subnet needs to be documented: its purpose, VLAN ID, DHCP scope, gateway address, and allowed devices. Undocumented subnets become security blind spots.
- Legacy device compatibility. Older devices or embedded systems may not support modern CIDR-based addressing, requiring workarounds or dedicated subnets with classful masks.
Subnetting and IPv6
Even though most conversations surrounding subnetting focus on IPv4, the concepts apply to IPv6 as well. However, it’s worth noting that unlike IPv4 addresses, IPv6 addresses are 128 bits long, and the standard subnet prefix length is /64. This provides 2^64 (roughly 18.4 quintillion) host addresses per subnet, meaning IPv6 subnets never run out of host addresses, and the subnetting challenge shifts from address conservation to logical organization and routing policy.
Organizations running dual-stack networks (IPv4 and IPv6 simultaneously) still rely on IPv4 subnetting for their existing infrastructure while using IPv6 prefix delegation for new deployments.
Subnetting as Part of a Broader Access Control Strategy
Subnet masks and subnetting define the logical boundaries of your network. But that’s not enough. A properly segmented network with open, unauthenticated access still leaves gaps. You still need to control what crosses those network boundaries.
The strongest approach pairs subnetting with identity-aware network access. Devices authenticate at the network edge (over 802.1X) and a Cloud RADIUS server evaluates user identity, device posture, and policy before assigning the device to a VLAN and subnet. If a device falls out of compliance, it can be moved to a quarantine subnet or disconnected.
SecureW2 supports this model with JoinNow Cloud RADIUS and Dynamic PKI. Certificate-based authentication removes passwords from the equation, and real-time identity lookups during RADIUS authentication enforce segmentation policies dynamically. There’s no need for VLAN reassignment or static port configs. For IT teams managing multi-site or BYOD-heavy environments, this combination of subnetting and certificate-based access control enables network segmentation at scale.
Learn how SecureW2 enforces dynamic network segmentation with Cloud RADIUS and certificate-based authentication.
Frequently Asked Questions
How Do I Find My Subnet Mask?
On Windows, open Command Prompt and run “ipconfig”. On macOS or Linux, run “ifconfig” or “ip addr show”. The subnet mask appears alongside your IP address and default gateway in the output.
What Happens if My Subnet Mask Is Wrong?
A misconfigured subnet mask causes the device to incorrectly calculate which addresses are local and which are remote. Devices on the same physical network may be unable to communicate directly, and traffic that should stay local gets routed through the gateway unnecessarily or dropped entirely.
What Is the Difference Between Subnetting and VLAN Segmentation?
Subnetting divides a network at Layer 3 (the IP layer). VLANs divide a network at Layer 2 (the data link layer). In most enterprise deployments, each VLAN maps to a single subnet. The VLAN handles frame-level isolation on the switch, while the subnet handles IP-level routing. Together, they form the backbone of network segmentation policies.
Can I Use Subnetting To Improve Wi-Fi Security?
Yes. Placing different user groups like staff, guests, BYOD devices, and IoT sensors on separate subnets (mapped to separate VLANs and SSIDs) limits access by group. When combined with 802.1X certificate-based authentication, a RADIUS server can dynamically assign each device to the appropriate VLAN and subnet at connection time, enforcing segmentation without manual switch-port configuration.
Does Subnetting Affect Network Speed?
Subnetting itself does not reduce throughput. It improves perceived performance by reducing broadcast traffic within each subnet. However, inter-subnet traffic must traverse a router, which adds a small amount of latency compared to intra-subnet switching. Modern Layer 3 switches handle inter-VLAN routing at wire speed, so the difference is negligible in well-designed networks.
