How CIDR and IP Subnetting Actually Work
A practical, vendor-neutral guide to IPv4 subnetting: what the CIDR prefix means, how to derive the network and broadcast addresses, why /24 became the default LAN size, and where subnet design quietly goes wrong.
What CIDR is, and why classful subnets had to die
CIDR — Classless Inter-Domain Routing — is the system every modern IPv4 network uses to describe a block of addresses. It is written as an address followed by a slash and a number from 0 to 32, like 192.168.1.0/24 or 10.0.0.0/8. The number after the slash is the prefix length: it says how many of the leading 32 bits identify the network, leaving the rest for individual hosts. A /24 keeps the first 24 bits as network and gives you the remaining 8 bits — 256 addresses — to allocate to devices.
CIDR replaced "classful" addressing with RFC 1519 in 1993, updated by RFC 4632 in 2006. Before CIDR, the internet used three fixed sizes: Class A (/8, 16 million hosts), Class B (/16, 65,536 hosts) and Class C (/24, 256 hosts). The boundaries were not chosen because they matched real networks. They were chosen because the first few bits of the first octet selected the class, and the splits fell tidily on octet edges. By the late 1980s the design was in trouble. A company that needed 500 addresses either took a Class C and ran out of room, or took a Class B and burned 65,000 addresses on a network with 500 devices. Address space was vanishing faster than anyone had projected and the routing tables were ballooning. CIDR let allocators carve out exactly the right-sized block on any bit boundary, and the address space stretched another two decades because of it.
Use the IP subnet calculator at the top of this page to follow along: type any address and prefix into it and the same maths described in this article runs in your browser.
How the CIDR formula works
Every IPv4 address is a 32-bit number, traditionally written as four decimal octets separated by dots so humans can read it. 192.168.1.10 is the same number as 11000000.10101000.00000001.00001010 in binary, or 3232235786 in decimal. The CIDR prefix splits that 32-bit value into two parts:
- Network part — the first N bits, identifying which subnet the address belongs to.
- Host part — the remaining 32 − N bits, identifying the device within that subnet.
The subnet mask is the prefix expressed as a 32-bit pattern: N ones followed by 32 − N zeros. For /24 the mask is 11111111.11111111.11111111.00000000, which converts to 255.255.255.0 in dotted decimal.
network address   = IP AND mask
broadcast address = network OR (NOT mask)
total addresses   = 2^(32 - prefix)
usable hosts      = total - 2   (except /31 and /32)
The network address is what you get by ANDing the IP with the mask — every host bit forced to zero. The broadcast address is the network ORed with the inverted mask (the "wildcard") — every host bit forced to one. The usable host range sits between them: 192.168.1.1 through 192.168.1.254 for the /24 example, with 192.168.1.0 reserved as the network address and 192.168.1.255 reserved for subnet broadcast.
Two exceptions matter. RFC 3021 lets a /31 prefix use both of its addresses for point-to-point links — no network, no broadcast, two usable hosts. RFC 4632 confirms /32 as a single host with no separate network or broadcast at all. Every other prefix between /0 and /30 obeys the "subtract two" rule.
Worked example: a /24, a /30 and a /16
Start with 192.168.1.10/24. Mask is 255.255.255.0 (binary 11111111.11111111.11111111.00000000), wildcard is 0.0.0.255. Network address: 192.168.1.10 AND 255.255.255.0 = 192.168.1.0. Broadcast address: 192.168.1.0 OR 0.0.0.255 = 192.168.1.255. Total addresses: 2^(32−24) = 256. Usable hosts: 256 − 2 = 254, running from 192.168.1.1 through 192.168.1.254. The first octet 192 makes it (legacy) Class C, and the whole block falls inside 192.168.0.0/16 — RFC 1918 private space.
Now take 10.0.0.5/30. The mask becomes 255.255.255.252, the wildcard 0.0.0.3, the network 10.0.0.4 and the broadcast 10.0.0.7. Two usable hosts only: 10.0.0.5 and 10.0.0.6. /30 is the classic four-address point-to-point block from before RFC 3021, used to wire two routers together with the least waste the subtract-two rule allows: two addresses used, two lost to the network and broadcast addresses.
Finally a corporate slice: 172.16.0.0/16. The mask is 255.255.0.0. Total addresses 65,536, usable hosts 65,534, host range 172.16.0.1 through 172.16.255.254. That is more devices than any single broadcast domain should ever hold; in real deployments a /16 gets sub-divided into smaller subnets per floor, VLAN or building, with routing between them.
The IP subnet calculator does all three computations in one click. The arithmetic relies on a single primitive — 32-bit AND and OR — so any tool that handles it correctly for /24 is also correct for /9 or /17 or any other prefix length.
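The formulas above and the three worked examples, carried out in code. This is an added example written for this article, not the calculator's own source: it does the arithmetic with plain 32-bit integer AND/OR exactly as described, handles the /31 and /32 exceptions, and then cross-checks every result against Python's standard-library ipaddress module so a reader can confirm the hand-rolled version agrees with a reference implementation. The addresses fed to it are the ones from the worked examples plus a constructed /31 and /32.

```python
"""Added worked example (not part of the original page): CIDR arithmetic on
32-bit integers, cross-checked against the standard library."""
import ipaddress

MASK32 = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """'192.168.1.10' -> 3232235786 (the four octets as one big-endian integer)."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` ones followed by (32 - prefix) zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (MASK32 << (32 - prefix)) & MASK32


def subnet_info(cidr: str) -> dict:
    """Network, broadcast, counts and usable host range for 'a.b.c.d/N'."""
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    addr = ip_to_int(addr_str)
    mask = prefix_to_mask(prefix)
    wildcard = ~mask & MASK32        # NOT mask: every host bit set to one
    network = addr & mask            # IP AND mask: host bits forced to zero
    broadcast = network | wildcard   # network OR wildcard: host bits forced to one
    total = 1 << (32 - prefix)       # 2^(32 - prefix)

    if prefix == 32:                 # a single host: no network/broadcast split
        first, last, usable = network, network, 1
    elif prefix == 31:               # RFC 3021 point-to-point: both addresses usable
        first, last, usable = network, broadcast, 2
    else:                            # the ordinary "subtract two" rule
        first, last, usable = network + 1, broadcast - 1, total - 2

    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "wildcard": int_to_ip(wildcard),
        "broadcast": int_to_ip(broadcast),
        "total": total,
        "usable": usable,
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
    }


def cross_check(cidr: str) -> bool:
    """True when the hand-rolled result agrees with ipaddress.ip_network."""
    ours = subnet_info(cidr)
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address
    return (
        ours["network"] == str(net.network_address)
        and ours["broadcast"] == str(net.broadcast_address)
        and ours["mask"] == str(net.netmask)
        and ours["wildcard"] == str(net.hostmask)
        and ours["total"] == net.num_addresses
    )


if __name__ == "__main__":
    # The article's three examples plus a constructed /31 and /32 for the exceptions.
    for example in ("192.168.1.10/24", "10.0.0.5/30", "172.16.0.0/16",
                    "10.1.1.0/31", "203.0.113.7/32"):
        info = subnet_info(example)
        print(f"{example:18} {info}  {'ok' if cross_check(example) else 'MISMATCH'}")
```

The cross-check is the part worth keeping around: any subnet helper you write or inherit can be fed a few hundred random prefixes and compared against ipaddress in the same way, which catches the off-by-one and /31 mistakes discussed later in this article before they reach a DHCP scope or a firewall rule.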
Factors that affect how you choose a subnet size
Host count
The first instinct is to pick the smallest prefix that fits the number of devices. Eight hosts? /29 (six usable). Thirty hosts? /27 (thirty usable). Two hundred? /24 (254 usable). This is the right starting point — but only the starting point. Always size with growth headroom; resizing a subnet later means renumbering every device on it.
Broadcast domain size
Every device in a subnet receives every broadcast packet. ARP requests, DHCP discovery and many service-discovery protocols rely on broadcast, and the noise scales with the number of hosts. A /16 with 65,000 devices is operationally unmanageable for this reason alone — even if the address space fits, the broadcast traffic does not. Most network design guides put a soft cap of 250 to 500 devices per subnet, which is why /24 became the default LAN size.
Routing aggregation
Smaller, contiguous CIDR blocks aggregate cleanly into larger ones. An ISP that owns 198.51.100.0/24, 198.51.101.0/24 and 198.51.102.0/24 cannot summarise them into a single route: the only prefix that covers all three, 198.51.100.0/22, also covers 198.51.103.0/24, which it does not own. An ISP that owns the whole 198.51.100.0/22 can advertise one prefix instead of four /24s and save three entries in every routing table that carries it. CIDR aggregation is why IANA hands out address space in powers of two starting on aligned boundaries — every level of the routing hierarchy depends on the property.
IPv4 scarcity
The unallocated IPv4 pool ran out at IANA in 2011 and at every regional registry by 2019. Public IPv4 addresses are now bought and sold on a secondary market at roughly $30 to $50 per address. This is why every greenfield deployment uses RFC 1918 private space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) internally and translates to a small public pool at the edge with NAT. The choice of which private block to use is almost entirely about avoiding overlap with the other networks your devices might end up on — cafés, hotels and corporate VPNs all default to 192.168.x.x, which is why most enterprise sites pick somewhere inside 10.0.0.0/8 instead.
Future growth
The cost of resizing is asymmetric. Growing a /24 into a /23 in place only works if the /24 sits on a /23 boundary and the neighbouring /24 is still free; then every host keeps its address and only the mask changes, which DHCP can push out. If the neighbour is already taken, you either renumber onto a fresh /23 or absorb a non-contiguous /24 and carry two routes instead of one for the life of the network. Picking one prefix length larger than you think you need at design time is almost always cheaper than re-addressing in production, and with RFC 1918 space over-provisioning costs next to nothing.
How to design subnets that age well
- Document your scheme. Write down which RFC 1918 block belongs to which site, region or function. Spreadsheets are fine. IP address management tools like NetBox or phpIPAM are better.
- Reserve room for growth. A /24 in a campus where 40 devices live today will fill up. Sizing to /23 the first time is cheaper than the migration.
- Use /31 for point-to-point. The four-address /30 wasted half its addresses on a network and broadcast that a router-to-router link never used. RFC 3021 /31 is widely supported on modern routers and reclaims the loss; verify it on each platform before relying on it, because older or lower-end gear still rejects it.
- Pick aligned boundaries. A /24 starting at 192.168.5.0 aggregates; a /24 starting at 192.168.5.128 is not a valid allocation — that address is the start of a /25, not a /24, and the canonical /24 it belongs to is 192.168.5.0/24. The IP subnet calculator always returns the canonical network address from your input, which is the easiest way to confirm an allocation sits on the right boundary.
- Match VLAN to subnet 1:1. Two subnets on one VLAN is a recipe for asymmetric routing and ARP confusion. Most modern designs assume one subnet per VLAN and let layer-three switching handle inter-VLAN traffic.
- Plan IPv6 alongside IPv4. Dual-stack networks need parallel IPv6 prefixes. The default for an end-user site is a /48 from your ISP, sliced into /64s per VLAN — vastly more space per subnet than IPv4 ever offered.
Common mistakes
Off-by-one on host count
A /27 has 32 addresses, but only 30 usable hosts because the network and broadcast addresses are reserved. The classic mistake is to provision a DHCP pool that covers all 32 and to be surprised when the device with the .31 address cannot communicate. Always subtract two for any prefix between /0 and /30. The exponent calculator is useful here for working out the 2^N figure quickly when the prefix gets large.
Confusing the subnet mask with the wildcard mask
255.255.255.0 and 0.0.0.255 carry the same information but for opposite purposes. End hosts and routing tables use subnet masks. Cisco access-control lists and OSPF area definitions use wildcard masks, where a 1 bit means "don't care" and a 0 bit means "must match". Pasting a subnet mask into an ACL is a common, silent way to break a firewall rule: an entry written as 192.168.1.0 255.255.255.0 tells the parser to ignore the first 24 bits and compare only the last octet, so it matches every address ending in .0 from any network and misses almost every host in the subnet you meant. The binary calculator makes it easier to verify the bit-by-bit inversion when in doubt.
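What a wildcard-mask entry actually matches, shown in code. This is an added example and not from the original page or any vendor's source: it evaluates ACL wildcard semantics (a 1 bit in the wildcard is "don't care", a 0 bit "must match"), runs a constructed list of addresses through the intended rule and through the same rule with the subnet mask pasted by mistake, and includes a small sanity check that flags a mask whose bit pattern looks like a subnet mask rather than a wildcard.

```python
"""Added example (not part of the original page): wildcard-mask matching versus
a subnet mask pasted in its place. Addresses below are constructed."""
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(candidate: str, acl_addr: str, wildcard: str) -> bool:
    """ACL semantics: only the bits where the wildcard is 0 have to agree."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(candidate) & care) == (to_int(acl_addr) & care)


def subnet_mask_to_wildcard(mask: str) -> str:
    """Bit-by-bit inversion: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(~to_int(mask) & MASK32))


def mask_kind(dotted: str) -> str:
    """'subnet' for ones-then-zeros, 'wildcard' for zeros-then-ones,
    'both' for 0.0.0.0 and 255.255.255.255 (ambiguous), else 'discontiguous'."""
    v = to_int(dotted)
    w = ~v & MASK32
    is_subnet = (w & (w + 1)) == 0      # complement is all trailing ones
    is_wild = (v & (v + 1)) == 0        # value itself is all trailing ones
    if is_subnet and is_wild:
        return "both"
    if is_subnet:
        return "subnet"
    if is_wild:
        return "wildcard"
    return "discontiguous"


def which_match(candidates, acl_addr: str, wildcard: str) -> list:
    return [c for c in candidates if wildcard_matches(c, acl_addr, wildcard)]


# Constructed sample: two hosts in the intended subnet, three strangers ending in .0.
SAMPLE = ["192.168.1.77", "192.168.1.0", "10.9.8.0", "172.16.200.0", "192.168.2.5"]

if __name__ == "__main__":
    # Intended rule: permit 192.168.1.0/24, written with the correct wildcard.
    print("0.0.0.255      ->", which_match(SAMPLE, "192.168.1.0", "0.0.0.255"))
    # The same rule with the subnet mask pasted instead: only the last octet must be 0.
    print("255.255.255.0  ->", which_match(SAMPLE, "192.168.1.0", "255.255.255.0"))
    for m in ("255.255.255.0", "0.0.0.255", "0.0.0.0", "0.255.0.255"):
        print(f"{m:14} looks like a {mask_kind(m)} mask")
```

A mask_kind result of "subnet" on something entered as a wildcard is worth a hard stop in any script that generates ACL lines; "discontiguous" is legal in ACLs (matching, say, every odd host) but rare enough to deserve a second look.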
Classful thinking on a CIDR network
The class of the first octet has no bearing on routing. 10.0.0.0/24 is a perfectly valid /24 even though it sits inside a "Class A" range. Treating 172.16.0.0 as Class B and assuming a /16 is implied — the kind of thing older equipment did automatically — leads to allocations that overlap with neighbouring subnets and break routing. Always write and read the prefix explicitly.
Forgetting that addresses are 32-bit integers
A /24 plus another /24 starting at the next contiguous block is not the same as a /23. To aggregate, the lower /24 must start on a /23 boundary — meaning its third octet must be even. 192.168.4.0/24 and 192.168.5.0/24 aggregate to 192.168.4.0/23. 192.168.5.0/24 and 192.168.6.0/24 do not, because 192.168.5.0 is not on a /23 boundary. Boundary errors are among the most common subnet bugs and are the reason the subnet calculator reports the canonical network address rather than echoing the IP back.
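The boundary and aggregation rules from this section and from "Routing aggregation" above, as code. This is an added example written for this article, not the subnet calculator's own source: it tests whether a prefix sits on its own boundary, returns the canonical form when it does not, and decides whether a set of blocks summarises into exactly one prefix by working on the 32-bit integer view (contiguous, non-overlapping, total span a power of two, lowest address aligned to the supernet). Results are cross-checked against ipaddress.collapse_addresses from the standard library. All inputs are the article's own examples.

```python
"""Added example (not part of the original page): boundary alignment and
route summarisation on 32-bit integers, checked against the standard library."""
import ipaddress
from typing import List, Optional

MASK32 = 0xFFFFFFFF


def parse(cidr: str):
    addr, plen = cidr.split("/")
    return int(ipaddress.IPv4Address(addr)), int(plen)


def mask(plen: int) -> int:
    return (MASK32 << (32 - plen)) & MASK32


def is_aligned(cidr: str) -> bool:
    """True when no host bit is set, i.e. the address is the canonical network address."""
    a, p = parse(cidr)
    return a & mask(p) == a


def canonical(cidr: str) -> str:
    """The network the given address actually belongs to, e.g. 192.168.5.128/24 -> 192.168.5.0/24."""
    a, p = parse(cidr)
    return f"{ipaddress.IPv4Address(a & mask(p))}/{p}"


def summarise(cidrs: List[str]) -> Optional[str]:
    """The single prefix covering exactly these blocks, or None if no such prefix exists.

    Requirements, each checked in turn: blocks contiguous and non-overlapping,
    total span a power of two, and the lowest address aligned to the supernet.
    """
    ranges = []
    for c in cidrs:
        a, p = parse(c)
        net = a & mask(p)
        ranges.append((net, net | (~mask(p) & MASK32)))   # (first, last) address
    ranges.sort()
    for (_, hi), (lo2, _) in zip(ranges, ranges[1:]):
        if lo2 != hi + 1:                 # gap, or overlap, between neighbours
            return None
    lo, hi = ranges[0][0], ranges[-1][1]
    size = hi - lo + 1
    if size & (size - 1):                 # not a power of two: e.g. three /24s
        return None
    plen = 32 - size.bit_length() + 1     # 512 addresses -> /23, 1024 -> /22
    if lo & (~mask(plen) & MASK32):       # lowest address not on the supernet boundary
        return None
    return f"{ipaddress.IPv4Address(lo)}/{plen}"


def stdlib_summary(cidrs: List[str]) -> Optional[str]:
    """Reference answer: collapse with ipaddress and accept only a single result."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    collapsed = list(ipaddress.collapse_addresses(nets))
    return str(collapsed[0]) if len(collapsed) == 1 else None


if __name__ == "__main__":
    for cidr in ("192.168.5.0/24", "192.168.5.128/24", "192.168.5.128/25"):
        print(f"{cidr:18} aligned={is_aligned(cidr)!s:5} canonical={canonical(cidr)}")
    cases = [
        ["192.168.4.0/24", "192.168.5.0/24"],                      # aggregates to /23
        ["192.168.5.0/24", "192.168.6.0/24"],                      # odd third octet: no
        ["198.51.100.0/24", "198.51.101.0/24", "198.51.102.0/24"],  # three blocks: no
        ["198.51.100.0/24", "198.51.101.0/24",
         "198.51.102.0/24", "198.51.103.0/24"],                    # four aligned: /22
    ]
    for blocks in cases:
        print(blocks, "->", summarise(blocks), "| stdlib:", stdlib_summary(blocks))
```

The hand-rolled version is there to make the three conditions explicit; in production code use ipaddress.collapse_addresses directly and treat "more than one prefix came back" as the signal that an allocation is not on a summarisable boundary.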
When the calculator is not enough
The maths above is mechanical: any tool that understands 32-bit AND will get it right. Where you genuinely need a human or a vendor is at the level above the maths:
- BGP and global routing, where prefix length, AS-path policy and route filtering interact in ways no calculator captures.
- Large IP address management migrations, where every renumber risks breaking ACLs, monitoring rules, certificate subject alternative names and hard-coded application config that nobody documented.
- Dual-stack IPv4/IPv6 designs, where the prefix lengths are different and the operational practices diverge.
- Regulatory or audit contexts — finance, healthcare, government — where the address plan must align with a documented segmentation policy and a third party will inspect the result.
For an everyday LAN, a home network or a cloud VPC, the calculator and the rules in this article are enough. For anything that touches a public AS number, get a network engineer. If the bandwidth side of the question matters as much as the address plan, the companion article on how bandwidth and download time work is a useful next read.
Frequently asked questions
What does /24 actually mean in an IP address?
The number after the slash is the CIDR prefix length: how many of the leading 32 bits identify the network. /24 means the first 24 bits are the network and the last 8 are the host part, giving 256 addresses (254 usable). It is the modern equivalent of the old "Class C" allocation and is the default size for home and small-office LANs because the address range and the broadcast traffic both stay manageable.
How do I work out the subnet mask from a CIDR prefix?
Write N ones followed by 32 − N zeros, group into four octets and convert each to decimal. /24 = 11111111.11111111.11111111.00000000 = 255.255.255.0. /27 = 11111111.11111111.11111111.11100000 = 255.255.255.224. /16 = 255.255.0.0. /8 = 255.0.0.0. Anything that does not fall on an octet boundary gives a "weird" third or fourth octet from the set 128, 192, 224, 240, 248, 252, 254, 255.
Why do you subtract 2 from the address count to get usable hosts?
For prefixes /0 through /30, the lowest address in the subnet is reserved as the network address (every host bit set to zero) and the highest is reserved as the broadcast address (every host bit set to one). Neither can be assigned to a device. So usable hosts = 2^(host bits) − 2. A /24 has 256 addresses but 254 usable hosts. The exceptions are /31, where RFC 3021 lets both addresses be usable for point-to-point links, and /32, which is a single host with no network or broadcast distinction.
What is the difference between a subnet mask and a wildcard mask?
They are bit-by-bit inverses of each other. The subnet mask has the network bits set to 1 and the host bits set to 0; for /24, 255.255.255.0. The wildcard mask flips that: host bits set to 1 and network bits set to 0; for /24, 0.0.0.255. End hosts and routing tables use subnet masks; Cisco access-control lists and OSPF area definitions use wildcard masks. Pasting one in place of the other is a silent way to break a firewall rule.
Which private IP ranges should I use on my internal network?
RFC 1918 reserves three blocks that are never routed on the public internet: 10.0.0.0/8 (16.7 million addresses), 172.16.0.0/12 (1 million addresses), and 192.168.0.0/16 (65,536 addresses). Home routers default to 192.168.x.x; medium-to-large enterprise sites prefer 10.x.x.x because it has the most room and avoids the home/café collisions. 172.16.0.0/12 is the least used of the three on end-user networks and a reasonable pick if you need a third non-overlapping block, with one well-known exception: Docker's default bridge network lives in 172.17.0.0/16, so check for it on any host that runs containers before you allocate there.
Are IP address classes still relevant?
No, not for routing. Classes A, B and C were the original IPv4 allocation scheme from RFC 791 in 1981, with fixed boundaries at /8, /16 and /24 (class D for multicast and the reserved class E were added later). CIDR replaced classful routing in 1993 (RFC 1519, updated by RFC 4632). The class label is still printed by every subnet tool out of habit and because some firewall rule generators and academic textbooks reference it, but it has no operational meaning on the modern internet — a /27 inside 10.0.0.0/8 is still a /27, regardless of what "class" the first octet would imply.
How many devices fit in a /16, /24 or /29 subnet?
/16 holds 65,536 addresses with 65,534 usable hosts, far more than any single broadcast domain should ever hold. /24 holds 256 addresses with 254 usable hosts and is the default LAN size. /29 holds 8 addresses with 6 usable hosts and is the common pick for small DMZ subnets or a router-to-firewall handoff. As a quick rule, usable hosts = 2^(32 − prefix) − 2 for any prefix between /0 and /30.
What does /32 mean and where is it used?
A /32 has all 32 bits as network and zero host bits, so it describes exactly one address. It is the form a firewall uses when allowing a single source IP, the host route a router places on its loopback interface so that address can serve as router ID and as a stable endpoint for iBGP sessions, and the form kube-proxy's packet-filter rules use to match a Kubernetes ClusterIP. There is no network address, no broadcast address, and exactly one "usable host" — the address itself.
Does the same maths apply to IPv6?
The principle is identical — a CIDR prefix splits the address into network and host bits — but the arithmetic is over 128 bits instead of 32, and IPv6 has no broadcast address at all. The standard end-site allocation is a /48 sliced into /64 subnets, which means every subnet contains 18 quintillion addresses. Most of that is never used; the /64 boundary exists because stateless address autoconfiguration assumes 64 interface-identifier bits. A dedicated IPv6 calculator is the right tool there; the IPv4 logic above does not transfer directly.