How to Calculate an IP Subnet Mask

Companies, universities and other organizations often have a set of Internet protocol addresses that they can assign to computers and other devices on their networks. For security and efficiency purposes, it often makes sense to divide these networks into units called subnets rather than maintain one sprawling and unified network. One way to do this is by using mathematical tools called subnet masks, where a router can use a quick subnet mask calculation to determine which subnet a particular IP belongs to.

How to Calculate an IP Subnet Mask
Image Credit: anyaberkut/iStock/GettyImages

How IP Addresses Work

The Internet protocol is a system for routing data between computers on the global Internet or other networks. It divides data such as web page contents, email messages or streaming video transmissions into small units known as packets with a particular structure, including a header with information about where the packets are coming from and where they're going.

Each packet includes a source IP address, identifying the device that sent the message, and a destination IP address, identifying the device that's intended to receive it. Most IP addresses used today are based on the rules in version four of the Internet protocol, abbreviated IPv4. These IP addresses are 32 binary digits, or bits, long. They're often written as four decimal numbers separated by periods, such as or

IP addresses are assigned to various organizations by a group called the Internet Assigned Numbers Authority, or IANA. Generally, numerically contiguous blocks of IP addresses are assigned to a single organization. Many organizations also have internal IP addresses that can be accessed only internally. Certain blocks of IP addresses are reserved for internal use within networks.

Devices known as routers are responsible for taking IP packets and determining where to send them, either sending them directly to a destination machine if they are connected to one another or forwarding them to another router on a path to that device. They store routing tables that they use to determine where to send a packet based on its destination address.

IP Address Blocks and Classes

Traditionally, IP address blocks were divided into classes, with the class determining how many addresses were in the block and what their format looked like.

Class A addresses begin with a "0" bit. The next seven bits identify the individual network block, and the subsequent 24 bits identify individual computers within that network. Class B addresses began with a "1" bit followed by a "0" bit, where the next 14 bits identify the network block and the subsequent 16 bits identify individual computers. Class C addresses began with two "1" bits followed by a "0" bit, with the next 21 bits identifying the network block and the last 8 bits identifying specific devices within the network.

IP address classes made it easy for routers to build tables specifying where packets destined for particular IP addresses should be sent, since they could store information for each network identified by the prefix of a particular IP address.

Classless Interdomain Routing

The downside is that they are inefficient in allocating IP addresses to networks, especially in cases where a network needs more IP addresses than a class C network would afford but fewer than a class B would provide, or more than a class B permits but fewer than a class A provides. That can lead to wasted IP addresses, when organizations use a bigger IP address class than they actually require, or routing inefficiencies if organizations have to patch together many unrelated class C IP address blocks within a single actual network to get the number of addresses they need.

To make things more efficient, many routers and organizations have adopted what is called classless interdomain routing, or CIDR (often pronounced like the word "cider.") This allows IP addresses to be divided into more flexibly-sized IP address blocks, where a prefix of any length identifying the network can be followed by the remainder of an IP address identifying individual devices.

The prefix is usually written as a decimal number or set of decimal numbers separated by periods, followed by a forward slash and the number of bits in that prefix. For example, "017/8" is an IP address block assigned to Apple, including all IP addresses beginning with the binary digits corresponding to the decimal number 17. Similarly, "" is an IP address block allocated to Amazon, consisting of addresses where the first 18 binary digits match the first 18 binary digits in the IP address

Understanding Subnet Masks

One way of indicating the part of an IP address that corresponds to a network and that part that identifies individual machines is by using what's called a subnet mask. Simple IP calculator tools can then map an IP address into its two parts.

A subnet mask looks like an IP address, in that it's typically written as a dotted set of four decimal numbers, such as or The chief restriction on subnet masks is that the leftmost binary digits, up to a certain point, must all be 1, and the subsequent digits must all be 0. When an IP address is being processed, a router takes the binary "and" of the subnet mask and the IP address, meaning that any bit that is 1 in both the mask and the address is 1 in the result, and any other digit is 0. The result is the network or subnet in which the IP address belongs.

If you want to calculate the number of subnets and hosts (or devices) that match a given subnet mask, it is relatively easy. The total number of subnets is the possible number of variations in an IP address for the portion of the mask that is all ones, which is two raised to the power of the number of ones in the mask. For example, written in binary begins with 23 ones, so there are 2^(23) or 8,388,608 possible subnets. Each subnet contains all IP addresses with its valid prefix, but can vary in the remaining 9 binary digits, so there are 2^9 = 512 IP addresses available to hosts in each subnet.

You can find numerous netmask calculator tools online to do these calculations for you and to map IP addresses and subnet masks to subnets. Hardware and software to do these calculations quickly is built into modern routers.

Private IP Address Ranges

Certain IP address ranges are specifically reserved for private IP addresses within a network. These can be used by different computers in different networks, since they can't be routed across the global Internet, so a computer in your home network, a printer on your office network and a smart phone on your university's network could all have the same private IP address without creating any kind of conflict.

The private IP ranges are to, to and to In CIDR terms, that's, and

Except in unusual circumstances, routers and computers should be configured not to route packets addressed to private IP addresses outside their networks and not to use private IP addresses not assigned to their networks to identify computers within the network.

Loopback IP Addresses

Another special type of IP address is the loopback address. This is an IP address in the range In CIDR terms, that's the range, which is also a class A IP address block.

Those IP addresses refer to the current computer on which a packet is being processed. The loopback addresses are often used for testing and development, when programmers and IT people want to verify that a service works on the current computer. In some cases where programs running on a computer are set to respond only to messages from the same machine, the loopback addresses can be used for security purposes, since messages can be received only with a loopback destination address from the same computer.

The address "" is by far the most commonly used IP address for loopback and should generally be used unless there's an important reason to use another, since users and software alike are more likely to understand it.

The special purpose domain name "localhost" is also used to refer to the current computer.