Skip to main content

CompTIA A+

Subnet Masks and How Subnetting Works

16 min read

Two computers can share the same wire, the same switch, and the same building, and still be unable to talk to each other. The reason usually isn't a bad cable. It's that their addresses say they live on different networks. The subnet mask is the setting that draws that line, and if you don't read it correctly, you'll chase network problems that were never physical.

CompTIA A+ Core 1 (220-1201) Objective 12 covers IP addressing and SOHO networks. This part of the objective expects you to understand IPv4 addresses, subnet masks, CIDR notation, the difference between public and private addresses, and how these pieces come together on a small office/home office network. On the exam you'll see questions that ask you to identify a valid host address, recognize a private range, or explain why a device can't reach the gateway. In the field, this is the knowledge that tells you whether a misconfigured mask is the cause of an outage.

This article walks through what a subnet mask actually does, how binary sits underneath it, how CIDR shorthand works, and how subnetting divides one network into several. The goal is that you can look at an address and mask and know exactly which network a device belongs to.

An IP address only has meaning when you pair it with a mask

An IPv4 address is 32 bits long, written as four numbers separated by dots, like 192.168.1.10. Each of those four numbers is an octet, meaning it represents 8 bits, and each octet can range from 0 to 255. That gives you the familiar dotted-decimal format. By itself, though, an address tells you almost nothing. You can't know which part identifies the network and which part identifies the specific host until you also know the subnet mask.

The subnet mask is the second value, and it does one job: it splits the 32 bits into a network portion and a host portion. Where the mask has a 1, that bit belongs to the network. Where the mask has a 0, that bit belongs to the host. So an address of 192.168.1.10 with a mask of 255.255.255.0 means the first three octets (192.168.1) identify the network, and the last octet (.10) identifies the host on that network.

Why does this matter on the job? When a device wants to send traffic, it compares its own network portion to the destination's network portion. If they match, it delivers the traffic directly on the local network. If they don't match, it hands the traffic to the default gateway, which is usually the router. A wrong subnet mask breaks this decision. A host might think a device on the same LAN is remote, or think a remote device is local, and either mistake causes traffic to go nowhere useful.

In exam terms, remember that an IP address and a subnet mask are a pair. A question that gives you only an address without a mask is incomplete on purpose, and the correct answer often depends on the mask you're told to assume.

Binary is the layer underneath every mask, and you only need eight values

You can pass most subnet questions without doing heavy math, but you do need to see the binary underneath. Each octet is 8 bits, and each bit position has a value: 128, 64, 32, 16, 8, 4, 2, 1, reading left to right. Add the positions that are set to 1, and you get the decimal number.

A subnet mask is always a run of 1s followed by a run of 0s, with no mixing. That's why only certain decimal values are valid in a mask. Working from the left, the possible values for a single octet are:

Binary Decimal Bits set
00000000 0 0
10000000 128 1
11000000 192 2
11100000 224 3
11110000 240 4
11111000 248 5
11111100 252 6
11111110 254 7
11111111 255 8

Those nine numbers are the only values you'll ever see in a legal subnet mask octet. If someone hands you a mask with a 255.255.100.0 in it, you know immediately it's invalid, because 100 isn't in the list. Memorizing this short table saves time and prevents you from second-guessing yourself during a timed exam.

The reason the mask can't mix 1s and 0s is that the network portion has to be a solid block on the left. You can't scatter network bits through the address. This is also why every mask can be described by a single number: how many 1s it has from the left. That number is the foundation of CIDR notation.

CIDR notation is just the count of network bits

Writing 255.255.255.0 every time gets tedious, and it hides what's really going on. CIDR (Classless Inter-Domain Routing) notation replaces the dotted mask with a slash and a number. That number is simply how many bits, counting from the left, belong to the network.

A mask of 255.255.255.0 sets the first 24 bits to 1, so its CIDR form is /24. A mask of 255.255.0.0 sets the first 16 bits, so it's /16. A mask of 255.0.0.0 sets the first 8 bits, so it's /8. When you see 192.168.1.10/24, that slash-24 is telling you the same thing as the long mask, in fewer characters.

Here are the three most common masks side by side, which cover the majority of what you'll encounter on a SOHO network and on the exam:

CIDR Dotted mask Network bits Host bits
/8 255.0.0.0 8 24
/16 255.255.0.0 16 16
/24 255.255.255.0 24 8

The more network bits you have, the fewer host bits remain, and the fewer devices each network can hold. A /24 leaves 8 host bits, which is enough for a small network. A /8 leaves 24 host bits, which is an enormous range. Being fluent in translating between the dotted mask and the CIDR count is one of the highest-value skills for this objective, because questions freely switch between the two forms.

The mask lets you find the network address, broadcast, and usable host range

Once you can read a mask, you can answer the practical question every technician eventually faces: what addresses are actually valid for hosts on this network? Three values define any subnet.

The network address is the first address in the range, where all host bits are 0. This address names the network itself and is never assigned to a device. The broadcast address is the last address in the range, where all host bits are 1. Anything sent to the broadcast address goes to every host on that network, so it also can't belong to a single device. Everything between those two is the usable host range.

Take 192.168.1.0/24 as an example. The network address is 192.168.1.0. The broadcast address is 192.168.1.255. That leaves 192.168.1.1 through 192.168.1.254 as usable host addresses, which is 254 hosts. The formula is straightforward: with h host bits, you get 2 to the power of h total addresses, minus 2 for the network and broadcast. For 8 host bits, that's 256 minus 2, or 254 usable addresses.

This is exactly why a device configured with 192.168.1.0 or 192.168.1.255 as its own address will fail.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account