Appendix

Subnetting and CIDR addresses

Information in this chapter:

Netmask Basics

A netmask is a binary mask that is applied to an IP address in order to determine whether two IP addresses fall into the same subnet. It works by doing a binary AND of the IP address with the netmask to get the network address. If two hosts have the same network address, they are considered to be on the same subnet. To see how this works, let’s take an IP address of 192.168.1.5 with a Classless Inter-Domain Routing (CIDR) mask of /24. The CIDR value is the number of bits that have been set in the netmask, so CIDR notation is, in many cases, an easier way to express a netmask than writing out the netmask itself. In this case, 24 bits have been set. Netmasks, like IP addresses, are divided into four groups of eight bits. We typically write each group as a decimal (base 10) value. When 24 bits are set, we have three groups with all eight bits set in each group.

When all eight bits are set, we have the binary number 11111111, or 255 in decimal. So, a CIDR mask of /24 would equate to 255.255.255.0, and /25 would be 255.255.255.128. Notice that we filled the first three octets and our netmask isn’t 0.255.255.255. This is because when calculating masks we always start at the highest bit first. So, /1 would be 10000000.00000000.00000000.00000000 or 128.0.0.0, and /2 would be 11000000.00000000.00000000.00000000 or 192.0.0.0.

Let’s take the netmask and the IP address and use the binary values of each to determine the network address of the IP address. We are going to calculate the network address by doing a binary AND operation on the two addresses.

When we convert our IP address to binary we have a value of 11000000.10101000.00000001.00000101. We are going to take each bit, starting with the highest bit all the way on the left, and do a binary AND with our netmask value of 11111111.11111111.11111111.00000000 and determine the result.


When we AND each value, both numbers must have 1s in the same place for them to have 1s in the final value. Everywhere that we see a 1 in each value, we transfer the 1 down to the final answer and we end up with 192.168.1.0 for our network address.

The host bits are what is left over when we subtract our CIDR value from the total number of bits in an address (32). We determine our broadcast address by taking the maximum value of our host bits and adding it to our network address. This tells us the last valid IP address in the range.

For this example, our netmask has 24 bits, so 32 − 24 = 8 bits. The value of 11111111 is 255, so the broadcast address is 192.168.1.255.

The number of possible hosts on a network is the number of addresses between the network address and the broadcast address. One easy way to determine the number of hosts in a network is to set all the host bits, except for the last bit, to 1. In our case, we had eight host bits, so we set our value to 11111110, or 254. This tells us we can have 254 hosts in our subnet.

What have we learned? If we have a CIDR address of 192.168.1.5/24, we now know how to determine the netmask, 255.255.255.0, the network address, 192.168.1.0, the broadcast address, 192.168.1.255, and the number of hosts, 254. Knowing this information, when we are given a scope of 10.11.12.13/30 we know how to easily figure out our scope so that we know what area of the network we should be testing.
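The same steps in code, as an added example that is not from the book: it builds the netmask from the CIDR value, ANDs it with the address, derives the broadcast address and host count, and checks whether a target address falls inside a given scope. The function names (`to_int`, `to_dotted`, `describe`, `in_scope`) and the treatment of /31 and /32 as having no usable hosts are assumptions of this example.

```python
def to_int(dotted):
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    """Unpack a 32-bit integer into dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(cidr):
    """Return netmask, network, broadcast and host count for 'a.b.c.d/n'."""
    address, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    host_bits = 32 - prefix
    host_max = (1 << host_bits) - 1          # all host bits set
    netmask = 0xFFFFFFFF ^ host_max          # prefix bits set from the high end
    network = to_int(address) & netmask      # the binary AND from the text
    broadcast = network | host_max           # network address + max host value
    # The text's host-count rule applies to /30 and shorter prefixes;
    # /31 and /32 are treated here as having no usable hosts (assumption).
    hosts = max(host_max - 1, 0)
    return {
        "netmask": to_dotted(netmask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "hosts": hosts,
    }


def in_scope(target, cidr):
    """True if target falls inside the subnet that cidr belongs to."""
    info = describe(cidr)
    return to_int(info["network"]) <= to_int(target) <= to_int(info["broadcast"])


if __name__ == "__main__":
    for scope in ("192.168.1.5/24", "10.11.12.13/30"):
        print(scope, describe(scope))
    print(in_scope("10.11.12.16", "10.11.12.13/30"))
```

Running `in_scope` against each target before testing it is a simple guard against touching an address just outside a small range such as a /30.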
