Variable Length Subnet Masks
Consider the XYZ Corporation which has been assigned the network number 184.108.40.206 from the InterNIC. The world sees this company as 220.127.116.11. Within the XYZ Corporation, however, the division of the network is very different. They could use Variable Length Subnet Masks to divide their world into a multi-level hierarchy.
The term Variable Length Subnet Mask (VLSM) refers to a design practice of creating sub-subnets in a tree-structured network. XYZ Corp has an office in many states, 23 field offices in all. The designers of the XYZ Corp network decide to divide their network into 32 subnets using a mask of 255.255.252.0. In binary, the mask bits are:
11111111  11111111  11111100  00000000
The six bits of "1" in the third octet are the subnet bits (since the first 16 bits represent the network). These six bits can differentiate between up to 64 different subnetworks. This is the same logic as would be applied to any subnet mask.
Now, however, it is realized that at each site there is a sales division, an accounting department, a marketing group, and a technical support group. The designers want to further subdivide each site with a router. This would require further division of the address field. No problem. The main, central routers are subnetted 255.255.252.0 and they differentiate between field offices. The field office routers, however, are subnetted with 255.255.255.128. Think about this in the binary representation.
Main Router:    11111111    11111111    11111100    00000000    Field Router: 11111111 11111111 11111111 10000000
Notice that the field router defines an additional three bits in the mask. These three bits can be used to differentiate between 7 more subnet numbers (Since 2 raised to the 3rd power = 8). Of these eight possible values, the 000 and 111 value are not available for use in identifying a specific subnet. Refer to the Reserved IP Address List for more information on these restrictions. These are going to be used to route between the sales, accounting, marketing, and tech support groups at each field site. Perhaps the assignment is like this:
Sales = 001 Accounting = 010 Marketing = 011 Tech Support =    100
So, at a particular location, we discover that the bit sequence "000011" has been used to represent the site, say the network at the field office in Palo Alto, California. Here are the four divisions:
Sales = 000011 001 XXXXXXX Accounting = 000011 010 XXXXXXX Marketing = 000011 011 XXXXXXX Tech Support =    000011    100    XXXXXXX
The "X"s represent the bits that are available to differentiate between individual stations (hosts) in each department. When viewed in the binary sense this scheme identifies FOUR fields. The NETWORK PORTION (in each case this is 18.104.22.168), the SUBNET (which is 000011), a "sub"-subnet (001,010,011, and 100) and the node portion (the "X"s). The routers understand how to divide the address based on the subnet mask. The world, in our example, sees 255.255.0.0. The company sees 255.255.252.0. Each field office sees 255.255.255.128. The router masks the address and looks up the result in its table to determine how to forward the frame. Since the router "thinks" in binary there is no confusion, no problem. We, however, don't think in binary. Consider these three stations shown with their dotted decimal and binary representations:
22.214.171.124    10100000 . 00000110 . 00001100 . 10000001 126.96.36.199 10100000 . 00000110 . 00001110 . 00000001 188.8.131.52    10100000 . 00000110 . 00001110 . 10000001
When looking at the dotted-decimal notation there is nothing immediately obtuse. In fact, when looking at the binary you don't necessarily see the conflict immediately. To understand any subnet masking it is necessary to break the 32-bit address into the fields defined by the variable length masks.
First, mask the addresses with the 255.255.0.0 used by the world at large:
Mask = 11111111 . 11111111 . 00000000 . 00000000 184.108.40.206 =    10100000 . 00000110 . 00001100 . 10000001 ------------------------------------------------------------ Result = 10100000 . 00000110 . 00000000 . 00000000
You can see that all three address mask back to 220.127.116.11; they are all on the same network as far as the world is concerned. Now lets just consider the last 16 bits of each address (since we know the first 16 are the same in all three cases).
The next router uses that mask 255.255.252.0; we are considering the 252.0 part. The masking now continues as follows:
Mask = 11111100 . 00000000 (160.6).12.129 00001100 . 10000001 (160.6).14.1 00001110 . 00000001 (160.6).14.129    00001110 . 10000001
Do you see that all three station are identified with 000011 as the bit pattern included in the masked portion? This means that the next router in line (the one masked as 255.255.252.0) will direct frames to all three of these stations to the same destination router according to its routing table.
The last router in this hierarchy is using the mask 255.255.255.128. Here is the masking:
Result Of Masking   ----------------- Mask = 11111111 . 10000000   (160.6).12.129 00001100 . 10000001 00001100 . 10000000 (160.6).14.1 00001110 . 00000001 00001110 . 00000000 (160.6).14.129    00001110 . 10000001    00001110 . 10000000
It is critical that you understand this last step. Do you see that the bits included by the mask have been included in the result? Do you see the three additional bits used as the mask went from 255.255.252.0 to 255.255.255.128? Now we can assess the validity of the addresses. We know that the design intent called for four "sub"-subnetworks (001, 010, 011, and 100). Don't be confused because these bits "span" the dot in the dotted-decimal notation. This is the confusing aspect of using anything other than "255"s in a subnet mask; the actual fields don't break at the dots. The fields break as defined by the mask bits.
In this example, we know that all three stations are on the subnet defined with the leading bits "000011". This leaves the "other" three bits to further differentiate between sub-subnets. (By the way, the term "sub"-subnet is being used only in the context of this document. The real world simply calls all of them "subnets" without regard for their level of hierarchical differentiation.) The remaining three bits may be broken out as follows (this is the table above simply repeated and clarified):
Result Of Masking   ----------------- Mask = 11111111 . 10000000   (160.6).12.129 00001100 . 10000001 000011 [ 00 . 1 ] 0000000 (160.6).14.1 00001110 . 00000001 000011 [ 10 . 0 ] 0000000 (160.6).14.129    00001110 . 10000001    000011 [ 10 . 1 ] 0000000
Compare this to the design document which defined:
Sales = 000011 001 XXXXXXX Accounting = 000011 010 XXXXXXX Marketing = 000011 011 XXXXXXX Tech Support =    000011 100 XXXXXXX
What we now see is that the address 18.104.22.168 has the subnet bits 101 at the mask point 255.255.255.128. This is an address which is not defined by the design of the network. Herein lies the danger with variable length masking: it's awfully confusing to our decimal brains.