What Is a Subnet Mask and What Does It Actually Do?

This is a high-yield concept for the CompTIA A+ exam and real-world troubleshooting. Understanding subnet masks is what makes sense of why some devices can talk to each other and others can't.

"Which part of this IP address is the network, and which part is the device?"

What Does a Subnet Mask Do?

A subnet mask works alongside an IP address to determine two things:

Which devices are on the same local network
Whether traffic should go directly to a device, or out to the default gateway (router)

Think of it as the "local neighborhood boundary" for your IP address — anything inside the boundary is local, everything outside goes through the router.

Most Common Subnet Mask

The most common subnet mask you'll see on home and small office networks is 255.255.255.0. Here's a typical IP configuration:

Example — ipconfig output

IP Address:   192.168.1.50
Subnet Mask:  255.255.255.0
Gateway:      192.168.1.1

On a /24 network like this, all devices sharing the first three octets are on the same local network:

192.168.1.X  ← all on the same subnet

How Your PC Decides Where to Send Traffic

Same Subnet

Send directly on the LAN

The device is "local" — traffic goes straight to it without passing through the router.

Different Subnet

Send to default gateway

The device is "remote" — traffic is forwarded to the router, which handles delivery.

⚡ CompTIA A+ Exam Tip

Wrong subnet mask causes classic "partial connectivity" symptoms: local works but internet fails, or internet works but local devices are missing.

If a device can ping its gateway but not local hosts — or vice versa — suspect the subnet mask first.

How to View Your Subnet Mask in Windows

Open Command Prompt and run either of these commands:

Command Prompt

ipconfig          ← shows basic IP info
ipconfig /all     ← shows full details including subnet mask

Look for the line labeled Subnet Mask in the output.

Common Subnet Masks to Recognize

Subnet Mask	CIDR	Typical Use
255.255.255.0	/24	Home networks, small offices — most common
255.255.0.0	/16	Larger internal networks
255.0.0.0	/8	Very large enterprise networks

Quick mental shortcut: More 255s at the start = a bigger network portion, fewer available host addresses. More zeros = more device addresses available.

Real-World Troubleshooting Example

🔧 Scenario: Student laptop can't print, but internet works

⚠ Laptop (wrong mask)

IP:   192.168.1.55
Mask: 255.255.0.0

✓ All other devices

IP:   192.168.1.X
Mask: 255.255.255.0

Result: The laptop treats a much wider range of addresses as "local," causing ARP and routing confusion. Local devices may be unreachable despite internet working fine.

Fix: Correct the subnet mask — usually done automatically by DHCP. Check if the laptop was manually configured.

Subnet Mask vs Default Gateway

Subnet Mask

Defines "local"

Tells your device which addresses are on the same network and can be reached directly.

Default Gateway

The exit ramp

Where traffic goes when the destination is outside the local subnet — usually your router.

If either is wrong, you may get: no internet, inability to reach printers or servers, or intermittent unexplained connectivity issues.

Final Summary

A subnet mask defines what your device considers "local"

The most common mask is 255.255.255.0 (/24)

Wrong subnet masks cause partial connectivity — local OR internet works, but not both

Subnet mask works alongside the default gateway and DHCP

📚 Recommended Study Tools

Subnet Masks Show Up on Every A+ Exam

Practice exams make "why can't this device communicate?" questions automatic.

🧪 Take FREE Practice Exams 📖 Bestselling A+ Study Guide

CIDR Notation — The Network+ Way to Write Subnet Masks

The A+ exam uses dotted-decimal subnet masks like 255.255.255.0. The Network+ exam adds CIDR notation (Classless Inter-Domain Routing), which expresses the same mask as a prefix length — a slash followed by the number of network bits.

Subnet Mask	CIDR	Hosts per Subnet	Common Use
`255.0.0.0`	`/8`	16,777,214	Class A private (10.x.x.x)
`255.255.0.0`	`/16`	65,534	Class B private (172.16–31.x.x)
`255.255.255.0`	`/24`	254	Most common — small office LAN
`255.255.255.128`	`/25`	126	Split a /24 into two halves
`255.255.255.192`	`/26`	62	Split a /24 into four quarters
`255.255.255.224`	`/27`	30	Small department or VLAN
`255.255.255.240`	`/28`	14	Server cluster or DMZ
`255.255.255.252`	`/30`	2	Point-to-point WAN links
`255.255.255.255`	`/32`	1	Single host route or loopback

⚡ Network+ exam tip: Hosts per subnet = 2^{host bits} − 2. Subtract 2 because the first address is the network address and the last is the broadcast address. For a /26: 32 − 26 = 6 host bits → 2⁶ − 2 = 62 usable hosts.

Subnet Masks and Network Segmentation — The Security+ Angle

On the Security+ exam, subnet masks aren't just about addressing — they're a security tool. Proper subnetting is one of the primary methods used to implement network segmentation, which limits the blast radius of a breach.

Why Segmentation Matters

If every device on your network shares the same subnet (e.g., 192.168.1.0/24), a compromised device can reach every other device directly at Layer 2. Segmenting the network with different subnets forces all inter-segment traffic through a router or firewall, where it can be inspected and filtered.

Segmentation example: Separating guest Wi-Fi (10.10.20.0/24) from the corporate LAN (10.10.10.0/24) with a firewall between them means a compromised guest device cannot reach internal servers — even on the same physical network. The different subnet forces traffic through the firewall.

Common Segmentation Architectures

Zone	Typical Subnet	What Belongs Here
Internal LAN	`10.0.1.0/24`	Workstations, internal services
DMZ	`10.0.2.0/24`	Public-facing web servers, email gateways
Server VLAN	`10.0.3.0/24`	Database servers, file servers
Guest Wi-Fi	`10.0.4.0/24`	Untrusted devices — internet only
IoT / OT	`10.0.5.0/24`	Cameras, sensors, industrial devices
Management	`10.0.100.0/24`	Network gear management interfaces

⚡ Security+ exam tip: Microsegmentation takes this further — each workload or application gets its own security boundary, enforced by software-defined networking rather than physical subnets. Zero Trust architecture relies heavily on microsegmentation: traffic between segments is always verified, never implicitly trusted regardless of subnet.

Network+ Exam Scenarios

A host at 192.168.1.50/26 tries to communicate with 192.168.1.130. The communication fails. Why?

Different subnets. A /26 mask splits 192.168.1.0 into four subnets: .0–.63, .64–.127, .128–.191, .192–.255. Host .50 is in the .0 subnet; host .130 is in the .128 subnet. They cannot communicate directly — traffic must go through a router.

You need to create a point-to-point link between two routers. Which subnet mask wastes the fewest addresses?

/30 (255.255.255.252). Provides exactly 2 usable host addresses — one for each router interface. A /29 would provide 6 hosts, wasting 4 addresses.

A company needs to split a 192.168.10.0/24 network into subnets of at least 50 hosts each. Which mask should they use?

/26 (255.255.255.192). Provides 62 usable hosts per subnet. A /27 only provides 30 hosts — not enough. A /26 splits the /24 into four equal subnets of 62 hosts each.

What Is a Subnet Mask?

What Does a Subnet Mask Do?

Most Common Subnet Mask

How Your PC Decides Where to Send Traffic

How to View Your Subnet Mask in Windows

Common Subnet Masks to Recognize

Real-World Troubleshooting Example

Subnet Mask vs Default Gateway

Final Summary

Subnet Masks Show Up on Every A+ Exam

CIDR Notation — The Network+ Way to Write Subnet Masks

Subnet Masks and Network Segmentation — The Security+ Angle

Why Segmentation Matters

Common Segmentation Architectures

Network+ Exam Scenarios

Related Networking Articles

Preparing for the A+ Exam?