Netmasks, Subnetting, and CIDR

Because the IP protocol was specifically designed to link multiple networks together, and because routers route information between networks, there must be some method to indicate what network an IP packet is destined for. In other words, we cannot simply identify a computer, we must also be able to identify what network that computer is on.

IPX, used by Novell, solves this problem very simply. Every computer is uniquely identified by a node number and a network number. Every IPX packet contains this information. Unfortunately, this turns out to be rather inefficient. IPX routers must keep a large list of network numbers in a network table, and search the table for the network number we seek. There is no way to group networks together and treat them as a single unit.

IP solves this by combining the network number and the node number into one number (one address). Every IP address in use indentifies not on a computer, but the network which the computer is connected to. This is done by splitting the number into two parts, the network and the node.

For a simple example, we will use my network at home. The ip address of my unix system at home (198.140.175.1) has two parts. The 198.140.175 part is the network, and every device connected to that network starts with that network number. The .1 part indicates the node, and every device connected to that network has a different node. My router is 198.140.175.2 and my windows workstation is 198.140.175.3.

So far, this doesn't sound any different than keeping two different numbers. Here is the difference: IP networks come in all different sizes, and large supernets can be built out of smaller subnets.

Let's use Ralston Purina for our next example. They were assigned a Class B network by the InterNIC, 170.73.0.0. This gives them approximately 65,000 addresses to use. They advertize one route for the entire block of addresses. Internally, they can divide that block into smaller blocks. The network administrator could assign 170.73.50.* to human resources, and 170.73.13.* to the mail room, each of those departments having their own network. Even though Ralston may have 100 networks in their building, the rest of the Internet needs only one entry in their routing tables.

Networks come in all different sizes, and network blocks must also be available in different sizes, to make efficient use of available address space. The question is, how do you indicate how big that block is? How do you indicate how much of an IP address is the network number and how much is the node number? The answer is a netmask (also known as a prefix length).

A netmask is a bit pattern that is used to indicate which bits in an IP address are for the network and which are for the node. Every device on an IP network must know the netmask of the network it is connected to, and every router must know the netmask or prefix length of each route in its routing table.

In the exaple above, the netmask for my network at home is 255.255.255.0, which can be described as a prefix length of 24 bits (written as /24 in the CIDR tradition). In binary, this works out as follows:

  Address: 198.140.175.1 - 1 1 0 0 0 1 1 0 1 0 0 0 1 1 0 0 1 0 1 0 1 1 1 1 0 0 0 0 0 0 0 1
  Netmask: 255.255.255.0 - 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 
                         |--------------------NETWORK--------------------|-----NODE------|
In other words, this is node 1 on the 198.140.175.0/24 network. My workstation at the office is 208.236.160.88, with a netmask of 255.255.255.192 (/26).
 Address: 208.236.160.88 - 1 1 0 1 0 0 0 0 1 1 1 0 1 1 0 0 1 0 1 0 0 0 0 0 0 1 0 1 1 0 0 0
Netmask: 255.255.255.192 - 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 
                         |-----------------------NETWORK----------------------|----NODE---|
This would be node 24 on the 208.236.160.64/26 network. Obviously, this can result in some strange combinations when displayed in decimal, but it looks quite clear in binary. The trick is being able to convert between the two. Since there are only 33 possible netmasks, and really only 9 combinations per octet, it is possible to memorize them. I don't feel like typing them in here, but there is a table inside the front cover of Internet Routing Architectures, by Bassam Halabi.


Class A, B, and C networks no longer officially exist. This concept has been replaced by CIDR.

Check out the CIDR Conversion Table.

IP addresses are now assigned by Internet Access Providers, who now get their address space from ARIN.

There are 32 bits in an IP address, yielding just over 4 billion possible addresses. However, because address space is allocated in blocks, there is a fair amount of waste, causing the Internet to face a crunch on available address space. A new IP protocol, called IPv6, uses 128 bit addresses, which is hoped to eliminate this problem (for a long while).