Subnet Calculator & CIDR Notation: How to Read /24, /16 and /32 in Plain English
A subnet calculator turns CIDR notation like 192.168.1.0/24 into a usable subnet mask, network address, broadcast address, and host range. The number after the slash counts how many bits identify the network. /24 leaves 256 addresses, /16 leaves 65 536, and /32 points at exactly one host. Once that rule clicks, the rest of subnetting becomes arithmetic.
Network engineers throw around phrases like "just give me a /29" or "route the whole /22 to that VLAN" as if everyone learned binary in primary school. They did not. CIDR notation is short, dense, and unforgiving ๐งฎ. A subnet calculator hides the math but it does not hide the logic, and the logic is what matters when a firewall rule blocks half a building.
This article unpacks the slash. It covers what the prefix length actually does to the address space, how to count usable hosts, why /32 is useful even though it points at a single machine, and how to read any block at a glance. Examples use IPv4 throughout because that is where most people meet CIDR first, though the same idea extends to IPv6 with longer prefixes.
What CIDR notation replaced
Before 1993, IPv4 addresses were carved into rigid classes. Class A covered 1.0.0.0 to 126.255.255.255 with a fixed /8 mask. Class B used /16, Class C used /24. A small business that needed 300 addresses had to take a full /16 with 65 534 usable hosts and waste 65 000 of them. The IETF buried that scheme with RFC 1519 and finalised the modern version in RFC 4632. The new approach is Classless Inter-Domain Routing, abbreviated CIDR and pronounced like the apple drink.
The change was simple. Instead of fixed boundaries at 8, 16 and 24 bits, any number from 0 to 32 became a valid prefix length. Now that business gets a /23, which is exactly 512 addresses, and the rest stays in the pool. ARIN, RIPE and the other regional registries hand out blocks in CIDR form by default. If you ever pulled a WHOIS record and saw NetRange: 203.0.113.0 - 203.0.113.255 next to CIDR: 203.0.113.0/24, that is the new world meeting the old.
Reading the slash, one bit at a time
An IPv4 address is 32 bits long. The number after the slash is how many of those bits are locked as the network identifier. The bits left over identify hosts inside that network. The rule is mechanical:
- Host bits = 32 minus prefix length
- Total addresses in the block = 2 raised to the host bits
- Usable hosts on a normal subnet = total minus 2 (network address and broadcast)
That last subtraction does not apply to /31 point-to-point links per RFC 3021, nor to /32 host routes, but it holds everywhere else. A /24 has 8 host bits, so 256 addresses, 254 usable. A /16 has 16 host bits, so 65 536 addresses. A /28 has 4 host bits, so 16 addresses and 14 usable hosts which is a popular size for a small DMZ.
The prefix table that lives on every engineer's whiteboard
Most people memorise the slash-to-mask conversion eventually. Until then, this table answers ninety percent of subnetting questions in production:
| CIDR | Subnet mask | Total IPs | Usable hosts | Typical use |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 16 777 216 | 16 777 214 | Legacy class A, large ISPs |
| /16 | 255.255.0.0 | 65 536 | 65 534 | Large enterprise, RFC 1918 10.x slice |
| /20 | 255.255.240.0 | 4 096 | 4 094 | Mid-size campus segment |
| /22 | 255.255.252.0 | 1 024 | 1 022 | Branch office |
| /24 | 255.255.255.0 | 256 | 254 | Office LAN, default home extended |
| /27 | 255.255.255.224 | 32 | 30 | VLAN for printers or APs |
| /29 | 255.255.255.248 | 8 | 6 | Small WAN link |
| /30 | 255.255.255.252 | 4 | 2 | Point-to-point router link |
| /31 | 255.255.255.254 | 2 | 2 | Modern P2P (RFC 3021) |
| /32 | 255.255.255.255 | 1 | 1 | Single host route, loopback, ACL entry |
๐ก The pattern doubles every step. Each time the prefix shrinks by one bit, the block size doubles. /24 to /23 goes from 256 to 512. /16 to /15 goes from 65 536 to 131 072. Memorise the doubling and you can rebuild the whole table in your head.
Why /32 even exists
A /32 has zero host bits, which sounds useless until you realise it is the most precise way to point at a single machine. Routing tables, firewall ACLs and BGP communities use /32 entries constantly. When a cloud security group says "allow 203.0.113.42/32 on port 22", it is locking access to one address. The same trick works in reverse. A blackhole route to 198.51.100.7/32 drops traffic for one bad actor without touching the rest of the prefix. If you have ever read about a targeted IP block during a DDoS, the operator almost certainly used /32 entries.
IPv6 takes the idea further. A /128 in IPv6 is the same concept and shows up in things like ::1/128, the loopback. The IPv4 equivalent is the entire 127.0.0.0/8 block reserved by RFC 1122, of which only 127.0.0.1 ever gets used in practice. For a deeper dive on address sizes and why IPv6 even matters, the comparison in IPv4 vs IPv6 walks through the bit-length jump from 32 to 128.
Working an example without a calculator
Take 10.20.30.0/26. The prefix is 26, so host bits = 6, total addresses = 64, usable = 62. The subnet mask is 255.255.255.192 because the last octet has 2 network bits set (128 + 64 = 192). The network address is 10.20.30.0 and the broadcast is 10.20.30.63. Host range runs from 10.20.30.1 to 10.20.30.62. The next /26 starts at 10.20.30.64. That is the entire arithmetic, no tool needed.
The trick is recognising the "magic number". For prefixes between /25 and /30, the magic number is 256 minus the last mask octet. /26 has mask 192, so 256 minus 192 equals 64. Subnets start every 64 addresses: .0, .64, .128, .192. Once you see the rhythm, slashes stop feeling arbitrary.
Private ranges and the slash that defines them
The famous RFC 1918 blocks are written in CIDR for a reason. 10.0.0.0/8 covers everything from 10.0.0.0 to 10.255.255.255. 172.16.0.0/12 stretches from 172.16.0.0 to 172.31.255.255, which surprises people who expect a tidy /16 there. The 192.168.0.0/16 block hides the well-known home subnets like 192.168.1.0/24 inside it. The private IP ranges article takes that apart in more detail, including the link-local 169.254.0.0/16 and the IPv6 ULA fc00::/7 equivalent.
One reason CIDR matters for privacy work is that WHOIS allocations show the boundary of who owns what. A residential customer might sit inside a /22 assigned to an ISP, but the ISP itself holds a /16 or larger from the regional registry. The geographic location of an IP often resolves only as accurately as the smallest CIDR block the geolocation provider has data for. If MaxMind only knows the /20, every address in that block reports the same city.
Subnet calculators worth bookmarking
Real calculators do the boring parts in milliseconds. The classics are subnet-calculator.com, the legacy Wikipedia CIDR table for reference, and the built-in ipcalc command on Linux:
ipcalc 192.168.1.0/26prints network, broadcast, host range, mask and wildcard.sipcalc 10.0.0.0/8 -s 16splits a big block into /16 pieces.- Python users can write
import ipaddress; list(ipaddress.ip_network('203.0.113.0/29').hosts())and get a clean list.
โ ๏ธ Online subnet calculators have no idea what is actually deployed on your network. They compute math, not reality. Before changing a mask in production, dump the live config with show ip interface brief on the device. A miscalculated /27 instead of /26 has dropped half a building of phones more than once.
Common mistakes that look fine on paper
Three errors come up repeatedly during network reviews. The first is treating /24 as a hard rule when allocating LANs. There is no reason a guest WiFi needs 254 addresses if only fifteen devices ever join. A /27 with thirty hosts saves space and reduces broadcast traffic. The second mistake is forgetting that /23 and larger blocks cross the third-octet boundary. A /23 starting at 10.0.0.0 covers 10.0.0.0 through 10.0.1.255, not just 10.0.0.x. The third is using overlapping subnets in VPN concentrators, which guarantees routing failures the moment a remote office tries to reach an internal /24 that matches its own LAN.
None of these show up on a subnet calculator. They show up at three in the morning when a deployment breaks. The fix is to draw the address plan before touching any device and to keep a record of every allocation. Spreadsheets work. IPAM tools work better. Either way, CIDR is the unit, not random ranges.
The IPv6 footnote
IPv6 uses the same slash but the numbers feel weird. A /64 is the standard subnet size and contains 18 quintillion addresses, more than the entire IPv4 internet squared. Service providers usually hand out /48 or /56 to customers, leaving room for thousands of /64 subnets inside one allocation. Reading IPv6 CIDR is identical in logic, only longer in digits. The transition mechanics, and why the slash sizes feel so generous, are unpacked in the IPv4 vs IPv6 deep dive linked earlier.
CIDR is forty years old at this point and shows no sign of retiring. Every routing table on the public internet uses it. Every cloud VPC asks for it. Reading a slash and knowing what comes next is one of those small, durable skills that pays back forever. If you also need to know how an outside observer maps that prefix back to a country or ISP, the piece on how accurate IP geolocation really is covers the limits of that translation.
Reading about IP, VPN and privacy? Lock down yours in 5 minutes
NordVPN ranks first on AV-TEST's privacy benchmark and blocks malware, ads and trackers at the network level. 30-day money-back guarantee, audited no-logs policy.
- 6,400+ servers, 111 countries
- Audited no-logs policy
- Built-in threat protection
- 10 devices per account
Frequently asked questions
What does /24 mean in CIDR notation?
A /24 means the first 24 bits of the IPv4 address identify the network and the remaining 8 bits identify hosts. That leaves 256 total addresses in the block, with 254 usable for hosts because the lowest address is the network identifier and the highest is the broadcast. The matching subnet mask is 255.255.255.0. /24 is the most common size for office LANs and home routers that extend their default. If a router hands out 192.168.1.0/24, the addresses run from 192.168.1.0 to 192.168.1.255, and devices typically receive .1 through .254.
How do I find the subnet mask from a CIDR prefix?
Convert the prefix length into a 32-bit binary string of ones followed by zeros. /20 means twenty 1-bits then twelve 0-bits, which translates to 255.255.240.0 in decimal. For prefixes between /25 and /32 the last octet is the only changing piece. /26 gives 192, /27 gives 224, /28 gives 240, /29 gives 248, /30 gives 252. Running ipcalc on Linux, ipconfig /all on Windows, or any online subnet calculator returns the mask instantly. Memorising the doubling pattern in the table above lets you skip the tool for the common cases.
Why is /32 used for a single host?
A /32 has zero host bits, so the block contains exactly one address: the address itself. Routing protocols, firewalls and ACLs use /32 entries to match a single machine without affecting any neighbouring address. A cloud security group rule that allows SSH from 198.51.100.7/32 only permits that one source. BGP operators announce /32 host routes during blackhole operations to drop traffic at the edge. Loopback interfaces on routers also carry /32 addresses so the address travels with the device rather than with any physical link, which keeps OSPF and BGP sessions stable when interfaces go down.
What is the difference between a subnet mask and CIDR notation?
They express the same thing in different formats. A subnet mask is a 32-bit dotted-decimal value like 255.255.255.0. CIDR notation is the bit count, like /24. Both indicate where the network portion ends and the host portion begins. CIDR is shorter and easier to write, which matters when discussing supernets and route summarisation. Subnet masks remain the legacy format on Windows interface configuration screens and older equipment. Conversion is trivial: count the 1-bits in the mask. 255.255.255.224 has 27 ones, so it equals /27. Modern documentation, RFCs and routing tables prefer CIDR.