Networking – Trying to understand the interactions between two different subnets on the same network


I have a network split into two parts. A DHCP server hands out addresses to with a class A mask ( This is my “Guest” portion of the network.

Authorized network users have reservations on the DHCP server with addresses in the to range with a class A mask.
A file server on the network has an IP address of and a class B mask (

  • The devices on both the “Guest” network and the “Authorized” network can all see each other.
  • The “Authorized” network can see the file server.
  • The “Guest” network cannot see the file server.

This has worked out pretty well so far, but my class instructor swears it shouldn’t. I’ve read in several places that PCs with different subnet masks assigned should not be able to communicate with each other.

Can someone please help me understand why the “Authorized” network PCs can access the file server just fine despite the different subnet masks?

Best Answer

The theory of the subnet mask is that it defines what part of the IP address is the network address and what part of the IP address is the host address: - IP address; - Subnet mask;

10 - network address, 100.0.1 - host address.

Hosts within the same subnet can talk directly to each other. That means if hosts A and B are located within the same subnet and A wants to talk to B, then A will send its traffic directly to B. If host A wants to talk to host C, which is located in a different subnet, then A will have to route this traffic to the gateway, which knows (hopefully) how to reach a different network. So, it is up to the host to define where to send traffic:

  1. Directly to the host (second host is within the same subnet)
  2. To the gateway (second host belongs to a different subnet)

What happens in your case is that your "Authorized" clients have IP addresses - (I assume the subnet mask is The server has IP address To a host from the "Authorized" range this server is located in the same subnet.

If a host from the "Authorized" range wants to talk to the server - it first checks if this server is located within the same subnet or not. For the host with subnet mask same subnet would be all hosts within the range - Server's IP address happens to be in this range. For this reason a host from the "Authorized" range makes an attempt to reach the server directly and (assuming they are located on the same Layer 2 network) this attempt succeeds.

In this case, even though the server has a different subnet mask - it happens to be located in the bigger subnet (which is also a subnet for the "Authorized" clients). If your server had a different second byte in the IP address ( for example) it would be unable to reply to the host from the "Authorized" range, because from the server's perspective, the "Authorized" range would look like a different subnet and the server would need to send traffic to a router. If there were no router, then there would be no communication.

If you want to separate your network into the "Guests" and "Authorized" parts, then you need to place them in different subnets that do not overlap.

For example:

  1. "Guests" -, subnet mask
  2. "Authorized" -, subnet mask

Server would be located within "Authorized" part of the network having IP address, subnet mask

With this setup these subnets will be effectively separated from each other, since parts of IP addresses representing their subnet will differ:

  1. 10.10 for Guests
  2. 10.20 for Authorized

At this point communication between these subnets will be possible only via a router that has interfaces in both subnets.

Also, it is worth mentioning that while all your computers share the same Layer 2 network, nothing will prevent Guests from manually assigning themselves IP addresses from the "Authorized" range. This will effectively make them part of the Authorized network.
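The forwarding decision described in the answer above, as an added example that is not part of the original answer: each host checks the destination against its own mask only, so reachability has to be evaluated separately in each direction. The function names and all addresses are constructed for illustration and are not the values from the question.

```python
import ipaddress


def next_hop(src_if: str, dst: str) -> str:
    """Decide where a sender puts a packet, using only the sender's own mask.

    src_if: sender address with its mask, e.g. "10.20.0.5/8".
    Returns "direct" (same subnet from the sender's view) or "gateway".
    """
    iface = ipaddress.ip_interface(src_if)
    return "direct" if ipaddress.ip_address(dst) in iface.network else "gateway"


def can_talk(a_if: str, b_if: str, router_present: bool) -> bool:
    """Two-way reachability for two hosts on one shared Layer 2 segment.

    Each direction is judged separately; a reply that needs a gateway
    only gets through if a router exists.
    """
    a = ipaddress.ip_interface(a_if)
    b = ipaddress.ip_interface(b_if)
    hops = (next_hop(a_if, str(b.ip)), next_hop(b_if, str(a.ip)))
    return all(hop == "direct" or router_present for hop in hops)


def overlapping(net_a: str, net_b: str) -> bool:
    """True if two subnets share addresses, i.e. they do not separate hosts."""
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


if __name__ == "__main__":
    # Constructed sample addresses, not the values from the question.
    client = "10.20.0.5/8"          # "Authorized" PC with a class A mask
    server_near = "10.20.0.10/16"   # class B mask, same second byte
    server_far = "10.30.0.10/16"    # class B mask, different second byte

    print(next_hop(client, "10.30.0.10"))
    print(next_hop(server_far, "10.20.0.5"))
    print(can_talk(client, server_near, router_present=False))
    print(can_talk(client, server_far, router_present=False))
    print(overlapping("10.0.0.0/8", "10.20.0.0/16"))
    print(overlapping("10.10.0.0/16", "10.20.0.0/16"))
```
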
