Netmasks, Routing, and Subnetting

Netmasks need to be understood in several ways. A netmask is the device that splits an IP address into network and host components. That split plays a central role in the routing process, and it is the basis of the important practice of breaking a block of addresses into sub-blocks, or subnetting.


Operation and purpose of netmasks

Netmasks are applied to IP addresses. An IP address actually encodes the addresses of two things, and applying the mask to the IP extracts them. The first, called the "network address," is the address of a subnetwork within the internet's address space. A subnetwork is some range of IPs, a subset of the whole space, and this IP falls in that range. The second, called the "host address," tells exactly which host this is within the subnetwork.



For example the network address might identify a certain set of, say, 16 consecutive addresses while the host address indicates this IP is the 13th. Or the IP might belong to a set of 128, being the 3rd. Given an IP, how do we know? We can't tell from the IP alone. We need to combine it with a netmask to derive these two items.

An IP is a 32-bit binary number. So is a netmask. Netmasks have a special property. They consist of some number of 1 bits, followed entirely by 0 bits. 1s and 0s are not interspersed; the mask holds a solid block of 1s followed by a solid block of 0s (totaling 32 bits in all). The reason it's called a mask is that it is applied to the IP address as part of a binary masking operation. Specifically, a binary bitwise AND is performed between the mask and the IP.

The binary AND operation takes two bits as input and produces one bit as output. The output bit is 1 if the input bits are both 1, and is 0 otherwise:

1 AND 1 is 1
1 AND 0 is 0
0 AND 1 is 0
0 AND 0 is 0

When we talk about a "bitwise" AND between two 32-bit numbers, we mean we line up the numbers and do 32 separate AND operations, taking the bits from the first position in each number as inputs, then those from the second position, third, and so on. Notice that when you AND any bit with 0 you always get 0, and when you AND any bit with 1 you always get the input bit itself. So ANDing with 1 preserves the input bit, and ANDing with 0 nullifies it.

Therefore, when we bitwise AND an IP with a netmask, we end up preserving the bits on the left and nullifying those on the right. The boundary between "left" and "right" within the IP is set by the mask, at the bit boundary between its 1s and 0s.

Here are two examples, the same IP with two different netmasks:

IP:      200.2.2.254       and     IP:      200.2.2.254
Netmask: 255.255.255.0             Netmask: 255.255.255.248

To AND these, we have to write them in their binary form. The first example:

11001000 00000010 00000010 11111110
11111111 11111111 11111111 00000000
11001000 00000010 00000010 00000000

First line above is 200.2.2.254 written in binary, second is 255.255.255.0 in binary. Third line is the result. It's the bitwise AND of the first two (ANDing vertically by column).

The second example:

11001000 00000010 00000010 11111110
11111111 11111111 11111111 11111000
11001000 00000010 00000010 11111000

I started this discussion advertising that we would get a "network address" and "host address" out of the IP. Where do these come in? For the second example, the mask's twenty-nine 1s place the boundary between the IP's 29 leftmost bits and its 3 rightmost bits:

11001000 00000010 00000010 11111 | 110

The network address is the left portion of the IP fleshed out with 0s, while the host address is its remaining righthand portion. In this case, with the given netmask, 200.2.2.254's network address is 3,355,575,032 and its host address is 6 (binary 110). Nobody uses decimal notation for network addresses. Instead of 3,355,575,032 you'll see the alternative representation of the same thing, 200.2.2.248.

This subnetwork's size (number of IPs it contains) must be 8 because you have 3 bits (the mask's 0 bits) by which to count them, and that lets you count 8 (0 to 7 inclusive). This host is host number 6 in a subnet numbered 0 to 7, so the 7th of the 8 addresses. This subnet as a whole, within internet address space, lies 78 percent of the way from the beginning of the space to the end (the above binary network address in decimal is 3,355,575,032; the whole internet space holds 2 to the 32nd power addresses, the binary number consisting of 1 followed by thirty-two 0s, which is 4,294,967,296; and 3,355,575,032 divided by 4,294,967,296 is 78.13%).

It's important to notice that this all depends on the netmask you apply to the IP. Apply a different netmask to the same IP and you get a different result. Suppose for example I use the netmask 240.0.0.0 (four 1s followed by twenty-eight 0s). In that case, this IP is interpreted as being number 134,349,566 in a subnet of size 268,435,456 (network address 192.0.0.0) lying 75.00% of the way from the beginning to the end of the internet.
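The computation above, carried out in code: the following Python is an added example, not part of the original page. It derives the network address, host number, subnet size and position-in-the-space for 200.2.2.254 under the three masks discussed, and it adds the check a practitioner wants before trusting a mask at all, that it really is a solid run of 1s followed by a solid run of 0s (a value such as 255.0.255.0 is not a netmask, and the bitwise AND would silently produce nonsense). The conversion helpers use Python's standard ipaddress module.

```python
import ipaddress

IPV4_SPACE = 1 << 32      # 4,294,967,296 addresses in all
ALL_ONES = 0xFFFFFFFF     # thirty-two 1 bits


def to_int(dotted):
    """Dotted-decimal string -> 32-bit integer (raises on malformed input)."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted-decimal string."""
    return str(ipaddress.IPv4Address(value))


def mask_from_prefix(prefix_len):
    """Build the mask of prefix_len 1s followed by (32 - prefix_len) 0s."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def is_valid_mask(mask):
    """True iff mask is a solid run of 1s followed by a solid run of 0s.

    Inverting the mask turns the trailing 0s into trailing 1s. A number of
    the form 0b000...0111...1 is exactly one whose AND with (itself + 1) is 0.
    """
    inverted = ~mask & ALL_ONES
    return (inverted & (inverted + 1)) == 0


def split(ip, mask):
    """Apply the mask to the IP (bitwise AND) and return what it yields.

    network:      the IP with its host bits nullified, as dotted decimal
    network_int:  the same as a plain integer (the page's 3,355,575,032)
    host:         the remaining right-hand bits, as a number within the subnet
    size:         how many addresses the subnet holds (2 ** number of 0 bits)
    position_pct: where the subnet starts, as a percentage of the whole space
    """
    ip_n, mask_n = to_int(ip), to_int(mask)
    if not is_valid_mask(mask_n):
        raise ValueError(f"{mask} is not a netmask: 1s and 0s are interspersed")
    network = ip_n & mask_n                  # left portion, right portion zeroed
    host = ip_n & (~mask_n & ALL_ONES)       # right portion only
    host_bits = 32 - bin(mask_n).count("1")  # number of 0 bits in the mask
    return {
        "network": to_dotted(network),
        "network_int": network,
        "host": host,
        "size": 1 << host_bits,
        "prefix_len": 32 - host_bits,
        "position_pct": round(100 * network / IPV4_SPACE, 2),
    }


if __name__ == "__main__":
    # The same IP read through three different masks gives three answers.
    for mask in ("255.255.255.0", "255.255.255.248", "240.0.0.0"):
        print(mask, split("200.2.2.254", mask))
    print("255.0.255.0 is a netmask?", is_valid_mask(to_int("255.0.255.0")))
```

Running it reproduces the figures in the text: under 255.255.255.248 the host is number 6 of 8 and the subnet starts 78.13% of the way through the space; under 240.0.0.0 the same IP is host 134,349,566 of 268,435,456, starting at 75.00%.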

To summarize: applied to a host IP address (by being bitwise AND'ed with it), a netmask serves to derive two things. First, the address of the network to which this IP belongs within the internet's address space. Second, the address of the host within that particular network's space. The address, as a 32-bit binary number, is splittable into left and right portions. Given a netmask, the IP's left portion is as many bits as the number of 1 bits in the mask. Using the netmask to mask off (nullify) the right portion, only the left portion of the IP remains, and this is the address of the network to which it belongs. Which network an IP belongs to is therefore a matter of interpretation; the netmask supplies the interpretation. Use one netmask on the IP and you get one result; use another and you get a different one.

Similarly, depending on which terms of interpretation are superimposed on the discussion, it could be said that you live in the United States. Or instead in Los Angeles. Or instead in California. Are these mutually exclusive? Are you three people? You are the same person, in the same place, either way. The scale of the larger domain to which you belong is decided by conceptually applying the nation, city, or state "mask" to you. Taking a grouping of larger scale and breaking it into subgroupings of smaller scale (nation into states, state into cities) has its counterpart in networks (corporate into branch office, branch office into departmental). It is called subnetting. It is done by choosing appropriate netmasks, then applying them (to interfaces and route tables).

Netmasks' role in routing

What is the operational role of a netmask? What does it actually do in the computer?

In any computer, when a packet is presented to the IP software by an application, the software reads the destination address. To send out the packet, it must go through an interface, so among the interfaces available it must choose one. For this it turns to the routing table. It compares the destination address with each routing table entry, trying to determine whether the address and the entry match. Each entry contains several fields: a network address, a netmask to go with it, and a corresponding destination in the form of an interface or gateway specification. The software applies the mask in the entry to the destination address (binary AND), yielding a network address derived from the destination address. It compares the derived network address with the one in the entry. If they are the same, the destination address and the table entry match. This computation to examine the table's ith entry could be written as:

    if ( ( netmask[i] AND DestAddr ) == network[i] ) then forward via destination-interface[i]

Possibly two or more entries could match the destination address. In that case the one that matches it more "narrowly," meaning the entry whose netmask has the most 1 bits, is selected. Thus a network route (multiple addresses) trumps a default route (universal: network 0.0.0.0 with a netmask of all 0s, which every address matches), and a host route (a single address, netmask of all 1s) trumps a network route.
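The lookup just described, as an added Python example (not code from the page): every entry is tested with the page's AND-and-compare rule, and among the entries that match, the one with the most 1 bits in its mask wins, so a host route beats a network route which beats the default. The sample table is constructed for the example; it uses the 141.14.0.0 company block from later in the text, but the interface names and the host address 141.14.2.7 are assumptions. It also rejects a malformed entry whose "network address" still has host bits set, since (DestAddr AND mask) can never equal such a value and the entry would silently never match.

```python
import ipaddress


def to_int(dotted):
    """Dotted-decimal string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def make_entry(network, netmask, via):
    """One routing-table entry: (network, mask, prefix length, destination).

    An entry whose network has bits set where the mask has 0s is useless:
    (addr AND mask) always has those bits clear, so it could never compare
    equal. Refuse to build such an entry.
    """
    net, mask = to_int(network), to_int(netmask)
    if net & mask != net:
        raise ValueError(f"{network}/{netmask}: host bits set in network address")
    return (net, mask, bin(mask).count("1"), via)


def entry_ok(network, netmask):
    """Boolean form of the check in make_entry."""
    try:
        make_entry(network, netmask, None)
        return True
    except ValueError:
        return False


def lookup(table, dest_addr):
    """Pick the entry for dest_addr: longest prefix (most 1s) among matches.

    Returns the destination field of the chosen entry, or None when nothing
    matches (which can only happen if the table has no default route).
    """
    dest = to_int(dest_addr)
    best = None
    for net, mask, plen, via in table:
        if (dest & mask) == net:                  # the page's matching test
            if best is None or plen > best[2]:    # the narrower match wins
                best = (net, mask, plen, via)
    return None if best is None else best[3]


# Constructed sample table: a default route, the company's /16, one /24
# subnet inside it, and a host route for a single machine (assumed names).
SAMPLE_TABLE = [
    make_entry("0.0.0.0",    "0.0.0.0",         "isp gateway via eth0"),
    make_entry("141.14.0.0", "255.255.0.0",     "eth1"),
    make_entry("141.14.2.0", "255.255.255.0",   "eth2"),
    make_entry("141.14.2.7", "255.255.255.255", "eth3"),
]


if __name__ == "__main__":
    # 198.51.100.1 is a documentation-range address used here as "elsewhere".
    for addr in ("141.14.2.7", "141.14.2.9", "141.14.77.1", "198.51.100.1"):
        print(addr, "->", lookup(SAMPLE_TABLE, addr))
```

Table order does not affect the answer, only the prefix length does; 141.14.2.7 matches all four entries and goes out eth3, 141.14.2.9 matches three and goes out eth2. On a Linux host, `ip route get <address>` prints the entry the kernel would choose, which is the way to confirm a real table behaves as this model predicts.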


Subnetting

We said an IP-plus-netmask pair implies a network address, which describes some particular network. We viewed it as a "piece of the internet," a segment of the number line representing the entire internet address space. In practice this is an unusual way of viewing things at such a large scale, but it is very commonly done on a smaller scale. Specifically, people commonly acquire a (much smaller) network from an ISP, then treat that as two or more (still smaller) networks internal to their organization or site. They break their ISP block into internal sub-blocks by deliberate application of netmasks. This is called subnetting.

Suppose a company receives an address block within the internet from an ISP. The ISP designates it by communicating two values to the company:

1) network's address (where it lies in internet address space),
2) network's netmask (how many addresses it consists of).

Suppose those values are:

1) network address 141.14.0.0
2) netmask 255.255.0.0

The network lies at 141.14.0.0 within the internet, on a scale of 0.0.0.0 to 255.255.255.255. That's at about the 55% mark from beginning to end of the global address number line (141/256 = 55%). The network consists of 65536 addresses. That's because its netmask consists of sixteen 1 bits followed by sixteen 0 bits. The number of 0 bits, specifically how many addresses you can count with them, determines the size of the block, and sixteen bits gives countability from 0 to 65535. This precisely defines the network that the company bought.

As far as the world is concerned, packets to all addresses in this network are routed to the company's ISP who in turn will route them to the company. There, the incoming wire can plug into a hub or switch. Addresses from the new network are dispensed to computers (via ifconfig) which themselves then plug into the hub. This "places" the new machines into the internet. You get the sense of hierarchy in the internet. To reach a host on the internet, you must first reach its network (the company's building) using the network part of the address, then reach the specific host (the right desk) based on the host part.

As described, all hosts stand on uniform footing, each plugging in to the same, single hub. More often the company will appoint a single machine to be "gateway" for all the others. It gives that machine an appropriate address with which to talk to the ISP on the hub. It then gives it a second interface (NIC #2), gives NIC #2 one of the 65536 addresses, and plugs NIC #2 into a second hub. The rest of the hosts then plug into the second hub, from which they can reach the gateway, not the first one, from which they could reach the ISP directly.

In either case the netmask the company applies when configuring workstations is always 255.255.0.0. Concretely, for example,

ifconfig <interface> <address> netmask 255.255.0.0

would be the command used to apply an address to a machine, where <interface> is the machine's network interface and <address> is the host address chosen for it from the block. In the gatewayed scenario the gateway would have 2 interfaces. By one of them it is a member of the corporate net on the same footing as the workstations. By the other it joins up to a different network, to which a default gateway offered by the ISP also belongs.

Most companies want to subdivide the addresses they get from an ISP, to parallel their existing organizational subdivisions and to let internal routers route among those subdivisions and sublocations. Suppose the company would prefer to split its large pool into some smaller ones. There are many possible ways to slice it. Maybe 2 subnets of 32768 each. Or 8192 subnets of 8 apiece. Or 1 subnet of 32768 plus another 128 subnets of 256. As an example let the company define 3 subnets, each 256 in size.



The company would now apply its addresses differently, by using them together with the new netmask value 255.255.255.0 (twenty-four 1 bits followed by eight 0 bits, since counting 256 addresses takes 8 bits). The command form they would use to configure workstation interfaces would now be, for example:

ifconfig <interface> <address> netmask 255.255.255.0

They would use the same netmask in configuring all the workstations in any given subnet, but different masks for subnets of different sizes. Note that where before a workstation in the 141.14.2 range was told it belongs to a group of 65536, it's told here that it falls into a group of 256 instead, namely the group that includes all the 141.14.2's. But these have now been separated from all the other 141.14's.

The gateway would now have 4 interfaces (with conceptually, 4 hubs). It belongs to each of the 3 subnets on the same footing as the workstations thereof, by having an interface addressed within the subnet's address range. By the 4th interface the gateway joins up to the ISP network as before. Note that the internet is unaware of the internal subdivisions. It, and the ISP, still see a single block of 65536 all to be sent to one place. It is there, once inside the company at its gateway, that the interpretation of addresses changes by applying narrower netmasks by which to split the block and route a particular address to the right sub-block. Also note the whole block need not be put into use. Here, only 3 x 256 of the 65536 are accounted for in our 3 subnets, and within the subnets not all of the 256 addresses have actually been ifconfig'd onto computers.
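An added example of the planning and checking a practitioner does before handing out those ifconfig commands; this Python is not from the page. It carves the company's 141.14.0.0/16 block into /24 sub-blocks with Python's standard ipaddress module, verifies that a chosen set of subnets all lie inside the ISP block and that no two overlap (an overlapping pair would give the gateway two equally narrow matches for the same addresses), shows that the same workstation address reads as a member of 141.14.0.0/16 under the old mask and of 141.14.2.0/24 under the new one, and answers the gateway's question of which sub-block an address belongs to. The page names 141.14.2.0/24 as one subnet; the other two in the constructed plan are assumptions.

```python
import ipaddress


def block_size(block):
    """Number of addresses in a block such as '141.14.0.0/16' (65536)."""
    return ipaddress.ip_network(block).num_addresses


def subnet_count(block, new_prefix):
    """How many sub-blocks of the given prefix length fit in the block."""
    parent = ipaddress.ip_network(block)
    if new_prefix < parent.prefixlen:
        raise ValueError("new prefix must be at least as long as the block's")
    return 1 << (new_prefix - parent.prefixlen)


def carve(block, new_prefix, count):
    """Split block into equal sub-blocks of new_prefix; return the first count.

    strict=True makes ipaddress refuse a 'block' whose host bits are not all
    0, i.e. a host address posing as a network address.
    """
    parent = ipaddress.ip_network(block, strict=True)
    subnets = list(parent.subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"{block} only holds {len(subnets)} /{new_prefix} subnets")
    return [str(s) for s in subnets[:count]]


def is_network_address(block):
    """True iff the address part of block has all its host bits 0."""
    try:
        ipaddress.ip_network(block, strict=True)
        return True
    except ValueError:
        return False


def plan_ok(block, subnets):
    """Every subnet must lie inside the ISP block and no two may overlap."""
    parent = ipaddress.ip_network(block)
    nets = [ipaddress.ip_network(s) for s in subnets]
    if not all(n.subnet_of(parent) for n in nets):
        return False
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    return True


def network_of(addr, netmask):
    """The network an address is read as belonging to under a given mask."""
    return str(ipaddress.ip_interface(f"{addr}/{netmask}").network)


def which_subnet(addr, subnets):
    """The sub-block containing addr (the gateway's routing question), or None."""
    ip = ipaddress.ip_address(addr)
    for s in subnets:
        if ip in ipaddress.ip_network(s):
            return s
    return None


# Constructed plan: the page's 141.14.2.0/24 plus two assumed neighbours.
ISP_BLOCK = "141.14.0.0/16"
COMPANY_SUBNETS = ["141.14.1.0/24", "141.14.2.0/24", "141.14.3.0/24"]


if __name__ == "__main__":
    print(ISP_BLOCK, "holds", block_size(ISP_BLOCK), "addresses,",
          subnet_count(ISP_BLOCK, 24), "/24s or", subnet_count(ISP_BLOCK, 29), "/29s")
    print("first three /24s:", carve(ISP_BLOCK, 24, 3))
    print("plan ok:", plan_ok(ISP_BLOCK, COMPANY_SUBNETS))
    for mask in ("255.255.0.0", "255.255.255.0"):   # same address, two readings
        print("141.14.2.9 under", mask, "->", network_of("141.14.2.9", mask))
    print("141.14.2.9 is in", which_subnet("141.14.2.9", COMPANY_SUBNETS))
```

The subnet_count figures match the text's menu of choices (256 subnets of 256, or 8192 subnets of 8). The strict check is the one that bites in practice: ifconfig happily takes a host address with a netmask, but a route entry must name the network address, and "141.14.2.5/24" is not one.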