


Let’s Talk About the “Mask”

Here’s a brief tutorial on IPv4 addressing

In recent days, I’ve had a couple of engineers express some confusion about the “mask” part of IP addressing. It is a little arcane, being sort of a bolt-on fix for limitations of the original dotted quad addressing scheme. The values seem not to have much to do with the actual IP “address” of a given device. But trust me, mask performs an essential role. Here’s a mildly wordy tutorial.


Once upon a time, the internet was small and there seemed to be no need to subdivide it into more than four layers of hierarchy. So, addresses were formed of four 8-bit values. Because typing 32 ones or zeros was tedious, the notation convention became ###.###.###.### with each ### being an integer between 0 and 255. It was roughly:

ENTITY [govt agency, college, etc.] (dot) LOCALITY [campus, military base, etc.] (dot) DEPARTMENT (dot) MACHINE

When the internet grew up a bit, it was obvious that four hard boundaries in the addressing scheme were just not workable. What if only a handful of machines need to talk to each other directly? The hard boundary wastes the remaining addresses since it assumes 254* machines. (See * box at the end of article.)

So the idea was abandoned in favor of a movable boundary between the “network” address and the “host” address. But the ###.###.###.### was already standardized, so it was kept. This was probably a mistake, but I suppose it’s too late to change it.


The “mask” defines the boundary between the “network segment address” shared by multiple hosts and the “host address” on the particular larger network. Upstream routers look at the “segment” part and hand packets off to a switch at the interface associated with the “segment” to be read by the host device whose address completes the entire ###.###.###.### unique address assignment. Using this approach, it is now possible to create any size of segment, theoretically without wasting addresses.

Mask tells the host machine two things: What is my unique address number on the segment I am connected to, and where should I look for packets sent to all the machines on my segment? A wrong mask means the host will be looking for messages from its neighbors and from its upstream gateway in the wrong place. Coincidentally, network connectivity won’t work. From the location of the boundary between the string of ones to the left and zeros to the right in the binary representation of the mask, the machine knows where to put the divide. That’s why the possible values for each mask number in the ###.###.###.### are limited to the sum of powers of two. turns on the leftmost bit and creates a subnet with 126* possible hosts. (128+64=192) turns on the leftmost two bits and creates a subnet with 62* possible hosts. (128+64+32=224) turns on the leftmost three bits and creates a subnet with 30* possible hosts and so on, down to, which turns on all but two bits and creates a network of 2* possible hosts. This is a network that connects two and only two devices.

0, 192, 224, 240, 248, 252 are the valid values for the rightmost mask number. 254 and 255 can be used in the others so as to create a binary that is all ones to the left and all zeros to the right. Why can’t 254 and 255 be used in the rightmost value? Because those create subnets with no host addresses at all. I use “segment” and “subnet” interchangeably here. A segment with 510* hosts can be created by a mask of (all the bits in the rightmost byte plus the last bit in the next to last byte). The binary looks like:


The first address on this subnet might look like and the last like In the middle we’d find consecutive addresses of and This is just counting up the binary for the rightmost nine bits of the unique host address range. It could just as easily be to

The mask for a subnet with 4094 hosts might look like with a binary representation of


That’s a big subnet!

There’s an alternative notation to the four dotted quads for the mask value which you may have seen. CIDR notation follows a complete host or network address with a /## where ## is the number of bits set to one in the binary representation of the mask. CIDR stands for Classless Inter-Domain Routing. We abandoned the old A, B and C classes of internet addresses when the mask parameter was adopted.
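The mask arithmetic described above, as an added Python example that is not part of the original article: it checks that a mask is all ones to the left and all zeros to the right, derives the CIDR /##, and computes the network number, broadcast address and 2^n-2 host count. The function names and the sample addresses are constructed for illustration.

```python
def to_int(dotted):
    """Convert a dotted quad such as '255.255.255.192' to a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value

def to_dotted(value):
    """Convert a 32-bit integer back to ###.###.###.### notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_length(mask):
    """Return the CIDR /## of a mask; reject masks that are not ones-then-zeros."""
    host_part = ~to_int(mask) & 0xFFFFFFFF   # the mask's zeros become ones
    # For a valid mask host_part is 2^n - 1, so adding 1 shares no bits with it.
    if host_part & (host_part + 1):
        raise ValueError(f"mask {mask} has a one to the right of a zero")
    return 32 - host_part.bit_length()

def describe(address, mask):
    """Split an address at the mask boundary and size the segment."""
    prefix = prefix_length(mask)
    m = to_int(mask)
    network = to_int(address) & m               # lowest address: network number
    broadcast = network | (~m & 0xFFFFFFFF)     # highest address: broadcast
    return {
        "cidr": f"{to_dotted(network)}/{prefix}",
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "usable_hosts": max(2 ** (32 - prefix) - 2, 0),   # 2^n - 2
        "mask_binary": f"{m:032b}",
    }

def same_segment(a, b, mask):
    """True when both hosts, using this mask, see each other as neighbors."""
    prefix_length(mask)                         # validate the mask first
    m = to_int(mask)
    return to_int(a) & m == to_int(b) & m

if __name__ == "__main__":
    # Constructed sample values (documentation address range), not from the article.
    print(describe("192.0.2.77", "255.255.255.192"))
    print(same_segment("192.0.2.77", "192.0.2.130", "255.255.255.192"))  # right mask
    print(same_segment("192.0.2.77", "192.0.2.130", "255.255.255.0"))    # wrong mask
```

With the correct mask the two sample hosts sit on different segments; a host misconfigured with 255.255.255.0 would treat 192.0.2.130 as a local neighbor and never hand that traffic to its gateway.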

Frank McCoy is chief engineer for Salem Media’s cluster in Chicago, what he describes as his “retirement job.” He has held a variety of corporate roles in engineering and broadcast equity development.


* The 2^n-2 number of possible hosts on a segment (where n is the number of host bits, those rightmost address bits) is because the lowest address in the segment is the “network number” and the highest number is the “broadcast address” to which all hosts on the segment listen and communicate with one another.