Subnet Mask Explained: CIDR, /24, /28 in Plain English

May 2, 2026 · 11 min read · Outline Technologies

If you have ever stared at something like 192.168.1.0/24 and quietly wondered what the slash 24 is doing there, you are not alone. The notation is from the late 1990s, designed by network engineers who assumed everybody else thought in binary. Most people do not.

Subnet masks are one of those topics where the actual concept is simple, but the way it gets explained in textbooks makes it sound like calculus. So let me try a different approach. No binary tables for the first half. Just plain English. Then we will get into the math when it actually helps.

Here is the whole idea in one sentence: a subnet mask is how you say "this part of the IP address is the neighborhood, and this part is the house number."

That is it. The rest is details.

Why We Even Split IP Addresses

An IPv4 address is 32 bits. Written out as four numbers separated by dots, like 192.168.1.42. Each number is 0 to 255. Four billion possible combinations across the whole space.

If we did not split the address, every device on the internet would need its own globally unique number, and routers would need a routing table with billions of entries to know where each one lives. The internet would be unusable. Routers would melt.

Instead, we cheat. We say "addresses that look similar live near each other." Specifically, addresses that share the first N bits all live on the same physical network. Routers only need to keep track of which networks live where, not which individual devices.

So we split the 32 bit IP into two parts. The first part identifies the network. The second part identifies a specific machine within that network. The subnet mask is what tells everyone which part is which.

The /24 Notation

When you see 192.168.1.0/24, the slash 24 means "the first 24 bits are the network part." That leaves 32 minus 24, which is 8, bits for the host part.

Eight bits gives you 256 possible values (2 to the power of 8). So a /24 network has 256 IP addresses in it. Two of them are reserved (the first and the last, more on that), so you actually have 254 usable addresses.

That is your home network, basically. Most home routers hand out addresses on a /24. You probably have devices like 192.168.1.10, 192.168.1.42, 192.168.1.99 right now. They are all in the same /24, which is why they can talk to each other directly without going through the internet.

The Quick Reference Table

Here is what every common slash number actually means:

| CIDR | Subnet Mask | Total IPs | Usable Hosts | Typical Use |
|------|-------------|-----------|--------------|-------------|
| /8 | 255.0.0.0 | 16,777,216 | ~16.7M | Massive networks. AT&T owned this back when Class A was a thing. |
| /16 | 255.255.0.0 | 65,536 | 65,534 | Big enterprise networks. Whole university campus. |
| /20 | 255.255.240.0 | 4,096 | 4,094 | Mid sized company. |
| /22 | 255.255.252.0 | 1,024 | 1,022 | Building or department. |
| /23 | 255.255.254.0 | 512 | 510 | Two /24s combined. |
| /24 | 255.255.255.0 | 256 | 254 | Office LAN. Home network. The default everyone knows. |
| /25 | 255.255.255.128 | 128 | 126 | Half a /24. |
| /26 | 255.255.255.192 | 64 | 62 | VLAN with around 50 devices. |
| /27 | 255.255.255.224 | 32 | 30 | Small VLAN. |
| /28 | 255.255.255.240 | 16 | 14 | Tiny VLAN. Maybe a meeting room. |
| /29 | 255.255.255.248 | 8 | 6 | Point to point with a few hosts. |
| /30 | 255.255.255.252 | 4 | 2 | Router to router link. |
| /31 | 255.255.255.254 | 2 | 2 | Modern point to point (RFC 3021). |
| /32 | 255.255.255.255 | 1 | 1 | A single host. Loopback addresses. |

The pattern: bigger slash number means smaller network. /8 is huge. /32 is a single address. The slash number is literally how many bits are locked in for the network part.

Why Minus 2

You might notice the "usable hosts" column is always two less than the total. That is because two addresses in every subnet are reserved.

The first address (all host bits set to 0) is the network ID. It identifies the subnet itself. You cannot assign it to a device.

The last address (all host bits set to 1) is the broadcast address. Sending a packet here means "everyone on this subnet, listen up." Your device cannot have it as its own address.

So a /24 has 256 total addresses, two reserved, 254 usable. A /30 has 4 total, 2 reserved, 2 usable.

There is one funny exception. /31 has only 2 addresses total, and modern systems (RFC 3021) treat it as having 2 usable, no broadcast or network ID. This works for point to point links between routers where you only have two devices anyway. /32 obviously is just one address.

The Old Class A, B, C System

You will sometimes hear people talk about "Class C addresses" or "Class B networks." This is a leftover from before 1993.

The original IPv4 spec divided the address space into rigid classes:

  • Class A: First octet 1 to 126. Fixed /8 mask. 16 million hosts each.
  • Class B: First octet 128 to 191. Fixed /16 mask. 65 thousand hosts each.
  • Class C: First octet 192 to 223. Fixed /24 mask. 254 hosts each.

You could only get one of these three sizes. If you needed 300 IP addresses for your university, you got a Class B (65,536 addresses), wasted 99% of them, and went on with your day. If you needed 50 addresses, you got a Class C (254 addresses) and managed.

This wasted addresses on a massive scale. By the early 1990s, everyone could see that IPv4 was going to run out of addresses purely from this waste. CIDR (Classless Inter-Domain Routing) was the fix in 1993. CIDR is what gave us the flexible /N notation. Now you can get a /22 or a /17 or whatever fits your actual needs.

The class system officially does not exist anymore. But the terminology stuck because old textbooks still teach it. If somebody says "I need a Class C," they probably mean "give me a /24."

What Subnet Masks Actually Look Like in Binary

OK here comes some binary. If you do not care about the inner workings, skip ahead. The high level concept is enough for most jobs.

Still here? Good.

A subnet mask is also 32 bits. The trick is that the bits are arranged as a sequence of 1s followed by a sequence of 0s. The 1s mark the network bits. The 0s mark the host bits.

For /24 the mask in binary is:

11111111.11111111.11111111.00000000

Convert each octet from binary to decimal:

255.255.255.0

That is what /24 looks like in dotted decimal form. 24 ones at the start, 8 zeros at the end.

For /28 the mask is 28 ones followed by 4 zeros:

11111111.11111111.11111111.11110000 = 255.255.255.240

For /30 it is 30 ones followed by 2 zeros:

11111111.11111111.11111111.11111100 = 255.255.255.252

The pattern: every additional bit halves the size of the subnet. /24 has 256 addresses. /25 has 128. /26 has 64. /27 has 32. And so on.

How Routing Actually Uses This

When your computer needs to send a packet to another address, it checks: is the destination in my own subnet, or is it somewhere else? If it is in my subnet, send it directly. If not, send it to the gateway router.

The math: take your destination IP, take your own subnet mask, do a bitwise AND. The result is the destination's network ID. Compare it to your own network ID. Same? Local. Different? Remote.

Worked example. Your computer is 192.168.1.42 with mask 255.255.255.0 (/24). You want to send a packet to 192.168.1.99.

192.168.1.99  in binary: 11000000.10101000.00000001.01100011
255.255.255.0 in binary: 11111111.11111111.11111111.00000000
AND result:              11000000.10101000.00000001.00000000 = 192.168.1.0

Your own network ID is also 192.168.1.0. Same. Local delivery. The packet goes directly to your switch and over to the other machine.

Now you want to send to 8.8.8.8:

8.8.8.8       in binary: 00001000.00001000.00001000.00001000
255.255.255.0 in binary: 11111111.11111111.11111111.00000000
AND result:              00001000.00001000.00001000.00000000 = 8.8.8.0

That is not your network. Different. Send to the default gateway. The router takes it from there.

This is the entire job of the subnet mask. Tell each device whether a destination is in the same network or somewhere out on the internet. That is why every device needs both an IP and a mask. The IP says who you are. The mask says where your neighborhood ends.
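
The mask arithmetic from the sections above, as an added example (not code from the original post): it builds the mask from the slash number, derives the network ID, broadcast address and usable-host count including the /31 and /32 exceptions, and makes the same local-or-gateway decision with a bitwise AND. The function names are this example's own.

```python
# Added example: subnet math with plain integer bit operations.

def ip_to_int(ip: str) -> int:
    """Pack a dotted-decimal IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    """Unpack a 32-bit integer back into dotted decimal."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    """/N means N one-bits followed by (32 - N) zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def describe(ip: str, prefix: int) -> dict:
    """Mask, network ID, broadcast and host counts for the subnet holding ip."""
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip) & mask               # host bits forced to 0
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits forced to 1
    total = 1 << (32 - prefix)
    # /31 (RFC 3021) and /32 have no reserved network/broadcast pair.
    usable = total if prefix >= 31 else total - 2
    return {"mask": int_to_ip(mask), "network": int_to_ip(network),
            "broadcast": int_to_ip(broadcast), "total": total, "usable": usable}

def next_hop(src_ip: str, prefix: int, dst_ip: str) -> str:
    """The sender's decision: AND both addresses with the sender's own mask."""
    mask = prefix_to_mask(prefix)
    same = (ip_to_int(src_ip) & mask) == (ip_to_int(dst_ip) & mask)
    return "local" if same else "gateway"

if __name__ == "__main__":
    print(describe("192.168.1.42", 24))
    print(next_hop("192.168.1.42", 24, "192.168.1.99"))
    print(next_hop("192.168.1.42", 24, "8.8.8.8"))
```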

When You Use Each Subnet Size

Some practical rules of thumb.

/24 for office LANs. This is the default. Up to 254 devices. Easy to think about. Easy to type. Most home routers and small business routers use /24 by default.

/16 or /20 for big private networks. When you have multiple buildings, multiple departments, multiple VLANs. Carve up the /16 into smaller subnets per location. AWS gives you a /16 for VPCs by default and lets you subdivide.

/30 for point to point links. Two routers connected back to back. You only need 2 usable addresses, one for each end. /30 gives you exactly that.

/31 for modern point to point. Slightly more efficient than /30. Skips the network ID and broadcast since they do not apply on a 2 host link. RFC 3021 standardized it. Some older equipment does not support /31, so /30 is still common.

/28 for small VLANs. 14 usable hosts. Good for guest WiFi, IoT segments, small lab networks.

/27 for slightly bigger VLANs. 30 hosts. Good for small office departments.

/32 for individual host routes. Loopback interfaces. Specific firewall rules. Single host whitelist entries.

To plan a network properly, count your devices, add 50% headroom for growth, then pick the smallest subnet that fits. Going too small is painful (renumber later when you outgrow it). Going too big is fine but wastes private address space, which usually does not matter.

If you need to do the math interactively, our free subnet calculator at whatismyip.technology/tools/subnet-calculator handles CIDR to mask, host count, network range, broadcast address, all in one shot.

The Reserved Private Ranges

Not all IPv4 addresses are routable on the public internet. RFC 1918 reserved three blocks specifically for private networks. These addresses can be used freely inside your network, but they will never appear on the public internet.

| Range | CIDR | Total Addresses | Common Use |
|-------|------|-----------------|------------|
| 10.0.0.0 to 10.255.255.255 | 10.0.0.0/8 | 16.7 million | Large enterprise networks. AWS VPCs. |
| 172.16.0.0 to 172.31.255.255 | 172.16.0.0/12 | 1 million | Mid sized businesses. Default Docker bridge. |
| 192.168.0.0 to 192.168.255.255 | 192.168.0.0/16 | 65,536 | Home and small office networks. |

If your home router is handing out 192.168.1.x addresses, that is RFC 1918 territory. Same on the next street over. Same in offices around the world. Everyone uses the same private ranges. The trick is that NAT (Network Address Translation) at your router translates outbound packets to your single public IP, so private addresses never collide on the internet.

There is also CGNAT (Carrier-Grade NAT) at 100.64.0.0/10. ISPs use this when they have run out of public IPv4 and need to put multiple customers behind shared addresses. If you see your "public" IP starting with 100.64 through 100.127, your ISP is using CGNAT and you do not have a real public IP. This affects things like port forwarding and incoming connections.

You can check what your actual public IP looks like and whether you are behind CGNAT by visiting whatismyip.technology and comparing it to your router's WAN address.

IPv6 Subnetting Is Different

IPv6 uses 128 bit addresses. The math changes because the address space is so much larger.

Standard IPv6 subnets are /64. That means 64 bits of network and 64 bits of host. A single /64 subnet has 18 quintillion possible host addresses. You will never fill it.

Why /64 specifically? Because IPv6 uses Stateless Address Autoconfiguration (SLAAC), which uses the bottom 64 bits to encode a host's MAC address (or a randomized variant). The protocol assumes 64 host bits. Going smaller than /64 breaks SLAAC.

Most ISPs hand out /48 prefixes to customers. That is 65,536 possible /64 subnets per site. You are not supposed to feel constrained.

The whole "saving addresses" mindset from IPv4 does not apply. You can use a full /64 for a single VLAN with two devices on it. You can use a different /64 for each subnet. The math works.

Common Subnetting Mistakes

I have seen all of these in real production environments.

Picking too small. "We have 20 employees, /28 should be plenty." Then you add IP phones, printers, conference room TVs, badges, security cameras, and suddenly /28 (14 usable) is full. You renumber. It is painful. Pick generously.

Overlapping subnets. Two engineers each set up subnets that overlap in the address space. Maybe one uses 192.168.1.0/24 and another uses 192.168.0.0/23. Now packets do not route correctly, because for every address the two ranges share the more specific /24 route wins, whichever subnet the traffic was meant for. Always check for overlap when you add new subnets.

Forgetting the minus two. A designer plans for "256 hosts on a /24." Reality: 254 usable. Two missing addresses do not seem like a big deal until you actually try to assign IP 256 and realize there is no IP 256: the addresses go 0 to 255.

Mixing CIDR and class thinking. "I need 300 hosts so I will get a Class B." No. /23 gives you 510 hosts and is plenty. The class system is dead. Use what fits.

Putting public IPs inside. I once helped a small company that had configured their internal LAN with 8.0.0.0/8 because someone thought "8 is a Class A and we are big enough to need that." The result: their employees could not reach any IP starting with 8 on the actual internet. Including Google DNS at 8.8.8.8. They fought routing problems for months before someone figured it out. Use RFC 1918 ranges only.
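
Several of these mistakes can be caught before deployment. The following is an added example, not part of the original post: it audits a constructed subnet plan for overlaps, ranges outside RFC 1918, and subnets too small for the device count plus the 50% headroom rule from earlier, and its `classify` helper also recognises the CGNAT range described under the reserved ranges. The plan, labels and function names are assumptions made for the illustration.

```python
import ipaddress
import math

# RFC 1918 private blocks and the CGNAT shared range, as listed in the article.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample plan: label -> (CIDR block, expected device count).
SAMPLE_PLAN = {
    "office": ("192.168.1.0/24", 120),
    "lab": ("192.168.0.0/23", 40),
    "staff": ("10.20.0.0/28", 20),
    "legacy": ("8.0.0.0/8", 500),
}

def classify(net_or_ip: str) -> str:
    """Return 'rfc1918', 'cgnat' or 'other' for an address or CIDR block."""
    net = ipaddress.ip_network(net_or_ip, strict=False)
    if any(net.subnet_of(p) for p in RFC1918):
        return "rfc1918"
    if net.subnet_of(CGNAT):
        return "cgnat"
    return "other"

def smallest_prefix(devices: int, headroom: float = 0.5) -> int:
    """Longest /N that fits devices plus headroom plus the 2 reserved addresses."""
    needed = math.ceil(devices * (1 + headroom)) + 2
    return 32 - max(2, (needed - 1).bit_length())

def audit(plan: dict) -> list:
    """Return findings for non-private ranges, undersized subnets and overlaps."""
    findings = []
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in plan.items()}
    for name, (cidr, devices) in plan.items():
        if classify(cidr) != "rfc1918":
            findings.append(f"{name}: {cidr} is not inside an RFC 1918 range")
        want = smallest_prefix(devices)
        if nets[name].prefixlen > want:
            findings.append(f"{name}: {devices} devices need at least a /{want}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} overlaps {b}: {nets[a]} and {nets[b]}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PLAN)))
```

Passing a router's WAN address to `classify` returns `cgnat` when the address falls inside 100.64.0.0/10.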

How Subnets Tie Into Real Tools

If you are running a server and you want to know what subnet your IP belongs to from the outside, our WHOIS lookup at whatismyip.technology/tools/whois shows you the registered network range (which is essentially the public-facing CIDR allocation) for any IP. That is the official block your ISP or hosting provider was assigned.

If you are checking whether a specific IP falls inside a known range, the subnet calculator does the math for you. Enter a CIDR, get the network range, broadcast, host count, all of it.

If you want to understand what an IP actually reveals geographically and organizationally, see what your IP reveals. The CIDR block your IP lives in is part of that picture, because IP geolocation databases work at the block level, not per-individual address.

Wrapping Up

Subnet masks look intimidating because the notation involves binary math, but the concept is just a question of where you draw the line between "network" and "host" in a 32 bit address. Higher slash number means smaller network, fewer hosts, less waste. Lower slash number means bigger network, more hosts, more flexibility.

Memorize a few common ones (/8, /16, /24, /28, /30) and the rest is just interpolation. You can always look up the exact numbers on a cheat sheet or a calculator.

The reason this matters: every network engineer, sysadmin, and DevOps person ends up doing subnet math at some point. Reading a firewall rule with a CIDR. Setting up a VPC in AWS. Configuring a VPN. Understanding why a traceroute is going where it is going. The math is not that bad once you see what it actually means.

Now you have seen it.

Published by Outline Technologies · whatismyip.technology