Why isn't 255.255.249.0 a valid subnet mask?

I was just wondering about this question above and I would greatly appreciate it if someone can explain why 255.255.249.0 isn't a valid subnet mask.


It's not a valid subnet mask because it doesn't define a prefix. If you convert it to binary, you'll see that its '1'-bits (and/or its '0'-bits) are not all contiguous. This is explicitly forbidden by RFC 4632 (part of the CIDR specification).

The only outstanding constraint is that the mask must be left contiguous


For example, convert a valid netmask 255.255.248.0 to binary:

|    255    |    255    |    248    |     0     |
  1111 1111   1111 1111   1111 1000   0000 0000

All the "1"-bits are at the beginning, which means the mask always matches a prefix – the first 21 bits define the network. (This means the whole 255.255.248.0 netmask can be written as "/21" for short.)

Among other things, this allows networks to be easily ordered by their netmask – a /24 route is always more specific than a /21 route.

Now convert your 255.255.249.0 to binary:

|    255    |    255    |    249    |     0     |
  1111 1111   1111 1111   1111 1001   0000 0000
                                  ↑

This one has some 1-bits, some 0-bits, and then some 1-bits again. It has 22 "network" bits, but so does 255.255.250.0, and so does 255.255.252.0 – if an address matches routes with all those netmasks, it's unclear which one of them has higher priority.

As people in the comments mention, this used to be allowed, but not for very long.

From: David Edelman on NANOG

You could be sure of two things when there were ambiguities in the routing tables:
1 - Every manufacturer knew how to handle them.
2 - Every manufacturer did it a different way.


Note: There is another thing often called filter or ACL masks, where this restriction doesn't apply because filter masks don't have the "subnet" semantics associated with them (e.g. longest-prefix match) – they only either match or don't. For example, iptables would accept a filter mask 255.255.249.0 just fine.
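The contiguity rule from the answer above, as an added example that is not part of the original post: it checks whether a dotted-quad mask is left-contiguous, derives the /N form when it is, shows that 255.255.249.0, 255.255.250.0 and 255.255.252.0 all have 22 set bits, and contrasts this with plain filter/ACL matching, where a non-contiguous mask works fine. The `10.0.0.0` and `10.1.x.x` addresses are constructed sample values.

```python
# Added example (not from the original answers): checks the "left-contiguous
# 1-bits" rule from RFC 4632 on dotted-quad masks and derives the /N prefix.
import ipaddress


def mask_to_int(mask: str) -> int:
    """Dotted-quad mask -> 32-bit integer (ValueError if not an IPv4 address)."""
    return int(ipaddress.IPv4Address(mask))


def is_valid_netmask(mask: str) -> bool:
    """True iff every 1-bit precedes every 0-bit (1111...1000...0).

    Inverting a valid mask gives 0...0111...1, i.e. 2**k - 1, and a number
    of that form satisfies (x & (x + 1)) == 0.  0.0.0.0 and 255.255.255.255
    are the /0 and /32 edge cases and pass as well.
    """
    inverted = ~mask_to_int(mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def network_bits(mask: str) -> int:
    """Number of 1-bits, regardless of where they sit in the word."""
    return bin(mask_to_int(mask)).count("1")


def prefix_length(mask: str):
    """Return the /N form of a valid mask, or None for a non-contiguous one."""
    return network_bits(mask) if is_valid_netmask(mask) else None


def stdlib_accepts(mask: str) -> bool:
    """Python's ipaddress module enforces the same rule (NetmaskValueError)."""
    try:
        ipaddress.IPv4Network(f"10.0.0.0/{mask}", strict=False)  # constructed base
        return True
    except ValueError:
        return False


def acl_match(addr: str, base: str, mask: str) -> bool:
    """Filter/ACL semantics: a plain bitwise match, so any mask is usable here."""
    m = mask_to_int(mask)
    return (mask_to_int(addr) & m) == (mask_to_int(base) & m)


if __name__ == "__main__":
    for mask in ("255.255.248.0", "255.255.249.0", "255.255.250.0", "255.255.252.0"):
        print(mask, "1-bits:", network_bits(mask), "prefix:", prefix_length(mask),
              "ipaddress accepts:", stdlib_accepts(mask))
```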


The mask needs to contiguously have high-order bits on to mask the network address under which the subnet addresses are. 249 does not have this property: it is 11111001 in binary, and there are zeroes between the ones.