Developer Tools 10 min read By CodeLint.Dev Team

CIDR and Subnetting Explained: What /24 Actually Means

Sooner or later every developer meets a string like 10.0.0.0/16 — in a VPC console, a firewall rule, a Kubernetes config — and quietly wonders what the slash-number really does. CIDR is just binary arithmetic on 32-bit integers, and once you see it that way, subnet masks, "usable hosts minus two," and VPC planning all stop being folklore. This guide builds it up from the bits.

An IP Address Is Just a 32-Bit Number

An IPv4 address like 192.168.1.10 is a single 32-bit integer, written as four 8-bit chunks (octets) for human convenience:

192.168.1.10 = 11000000.10101000.00000001.00001010

Every piece of CIDR machinery is an operation on those 32 bits. The core idea: split the address into a network part (the high bits, shared by every host on the same network) and a host part (the low bits, unique per device). CIDR — Classless Inter-Domain Routing, from RFC 4632 — says exactly where that split falls.

The historical alternative was "classful" addressing: Class A (/8), B (/16), and C (/24) networks with the split fixed by the first octet. It wasted enormous address space (the jump from a Class C's 254 hosts to a Class B's 65,534 left no middle ground) and was replaced by CIDR in 1993. Class names survive only as slang for /8, /16, and /24.

What the Slash Number Means

The prefix length after the slash is simply how many leading bits belong to the network part:

  • 10.0.0.0/8 — first 8 bits are network, 24 bits for hosts: 16,777,216 addresses
  • 10.1.0.0/16 — 16 network bits, 16 host bits: 65,536 addresses
  • 10.1.2.0/24 — 24 network bits, 8 host bits: 256 addresses
  • 10.1.2.128/26 — 26 network bits, 6 host bits: 64 addresses

The address count is always 2^(32 − prefix), so every step of the prefix halves or doubles the block: a /24 is two /25s, four /26s, eight /27s. Subnetting is nothing more than borrowing host bits to create more, smaller networks — the arithmetic is entirely powers of two, which is why subnet boundaries land on those slightly odd-looking numbers like .64, .128, and .192.

The subnet mask is the same information in a different costume: a /26 is 26 ones followed by 6 zeros, i.e. 11111111.11111111.11111111.11000000 = 255.255.255.192. A router decides "is this address on my network?" by ANDing the address with the mask and comparing the result to the network address — one bitwise operation, which is precisely why CIDR is built this way.

A Worked Example: Dissecting 192.168.1.100/26

Take 192.168.1.100/26 and derive everything a CIDR calculator would tell you:

  • Mask: 26 ones → 255.255.255.192. Host bits: 6, so the block holds 2^6 = 64 addresses.
  • Network address: zero out the 6 host bits of .100 (binary 01100100 → 01000000 = 64): the block is 192.168.1.64/26.
  • Broadcast address: set all host bits to one: 192.168.1.127.
  • Usable host range: 192.168.1.65 through 192.168.1.126 — 62 hosts.

Why 62 and not 64? Two addresses in every conventional subnet are reserved: the network address (all host bits zero — identifies the subnet itself) and the broadcast address (all host bits one — reaches every host on the subnet). Hence the "minus 2" in every subnetting cheat sheet.

The exceptions prove the rule: a /31 (2 addresses) has no room for reservations, and RFC 3021 permits using both addresses on point-to-point links — routers do this routinely. A /32 is a single address, used to pin down one exact host in firewall rules and routing tables: 203.0.113.7/32 means "this machine and nothing else."
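
The same derivation in code, together with the router's AND-and-compare test from the previous section. This is an added example, not the CIDR Calculator's own code; the function names are hypothetical, and it uses only bit operations on 32-bit integers so each step matches the bullets above, including the /31 and /32 exceptions.

```python
FULL = 0xFFFFFFFF  # 32 one-bits

def ip_to_int(dotted):
    """Pack a dotted-quad string into one 32-bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value

def int_to_ip(value):
    """Unpack a 32-bit integer back into dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_for(prefix):
    """Prefix length -> mask integer: `prefix` ones followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return (FULL << (32 - prefix)) & FULL

def dissect(cidr):
    """Derive what a CIDR calculator reports, using only bit operations."""
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = mask_for(prefix)
    network = ip_to_int(addr_text) & mask   # zero the host bits
    broadcast = network | (~mask & FULL)    # set the host bits
    total = 1 << (32 - prefix)
    if prefix >= 31:  # /31 (RFC 3021) and /32: nothing is reserved
        first, last, usable = network, broadcast, total
    else:             # conventional subnet: network and broadcast reserved
        first, last, usable = network + 1, broadcast - 1, total - 2
    return {"mask": int_to_ip(mask), "network": int_to_ip(network),
            "broadcast": int_to_ip(broadcast), "first": int_to_ip(first),
            "last": int_to_ip(last), "total": total, "usable": usable}

def on_network(address, cidr):
    """The router's test: AND the address with the mask, compare to the network."""
    block, prefix_text = cidr.split("/")
    mask = mask_for(int(prefix_text))
    return (ip_to_int(address) & mask) == (ip_to_int(block) & mask)

if __name__ == "__main__":
    print(dissect("192.168.1.100/26"))
    print(on_network("192.168.1.130", "192.168.1.64/26"))  # outside the block
```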

Private Ranges: The Addresses That Never Leave Home

RFC 1918 reserves three blocks that are never routed on the public internet, for use inside private networks:

  • 10.0.0.0/8 — 16.7 million addresses; the standard choice for corporate networks and cloud VPCs
  • 172.16.0.0/12 — about 1 million addresses (172.16.x.x through 172.31.x.x); Docker's default bridge networks live here
  • 192.168.0.0/16 — 65,536 addresses; the home-router universe

Three neighbors are worth recognizing on sight: 127.0.0.0/8 is loopback (localhost); 169.254.0.0/16 is link-local — the range a machine self-assigns when DHCP fails, so an unexpected 169.254 address is a diagnostic clue, and cloud metadata services famously live at 169.254.169.254; and 100.64.0.0/10 is carrier-grade NAT space, increasingly familiar from Tailscale and ISP networks.

Because private ranges are reused everywhere, overlap is the classic private-network disease: two offices both numbered 192.168.1.0/24 cannot be VPN-connected without ugly NAT workarounds. This is why network engineers pick obscure blocks like 10.173.0.0/16 instead of defaults.

Subnetting a Cloud VPC Without Regret

Cloud networking made CIDR every developer's problem: creating a VPC starts with choosing a CIDR block, and the choice is hard to change later. The working rules:

  • Start bigger than you think you need. A /16 VPC (65k addresses) costs nothing more than a /24; running out and re-addressing later costs weeks. Kubernetes clusters in particular devour IPs — with VPC-native networking every pod takes one.
  • Carve subnets on power-of-two boundaries with room between them. A common pattern for a 10.0.0.0/16 VPC: public subnets at 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24 (one per availability zone), private subnets at 10.0.16.0/20 per zone, leaving large unallocated gaps for whatever comes next.
  • Expect the provider tax. AWS reserves 5 addresses in every subnet (network, broadcast, plus three for the router, DNS, and future use) — a /28 gives you 11 usable, not 14. Azure reserves the same 5.
  • Avoid overlapping anything you might ever peer with. VPC peering and VPNs require non-overlapping CIDRs. Coordinate ranges across teams up front — a shared spreadsheet of allocated blocks beats a migration project.
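
A check that can run over the shared list of allocated blocks, covering the overlap problem from the private-ranges section and the VPC rules above. This is an added example, not code from the article: it uses Python's standard `ipaddress` module, the function names and zone names are hypothetical, and the 10.0.32.0/20 and 10.0.48.0/20 entries are constructed by continuing the article's one-/20-per-zone pattern.

```python
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROVIDER_RESERVED = 5  # per-subnet reservation the article cites for AWS and Azure

def audit_plan(vpc_cidr, subnets):
    """Return a list of findings for a {name: cidr} subnet plan inside one VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings, parsed = [], {}
    if not any(vpc.subnet_of(block) for block in RFC1918):
        findings.append(f"VPC {vpc} is not inside RFC 1918 space")
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError:
            aligned = ipaddress.ip_network(cidr, strict=False)
            findings.append(f"{name}: {cidr} is off-boundary, block is {aligned}")
            continue
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} is outside VPC {vpc}")
        parsed[name] = net
    # Compare every pair once; overlapping blocks cannot be routed or peered.
    for (a, net_a), (b, net_b) in combinations(parsed.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"{a} {net_a} overlaps {b} {net_b}")
    return findings

def usable_after_reservation(cidr):
    """Addresses left for workloads once the provider takes its share."""
    return max(ipaddress.ip_network(cidr).num_addresses - PROVIDER_RESERVED, 0)

# Constructed plans for a 10.0.0.0/16 VPC (zone names a/b/c are illustrative).
GOOD_PLAN = {
    "public-a": "10.0.0.0/24", "public-b": "10.0.1.0/24", "public-c": "10.0.2.0/24",
    "private-a": "10.0.16.0/20", "private-b": "10.0.32.0/20", "private-c": "10.0.48.0/20",
}
BAD_PLAN = {
    "private-a": "10.0.16.0/20",
    "private-b": "10.0.24.0/20",   # /20 blocks start at multiples of 16, not 24
    "db": "10.0.16.128/25",        # sits inside private-a
    "legacy": "192.168.1.0/24",    # not part of the VPC block
}

if __name__ == "__main__":
    print(audit_plan("10.0.0.0/16", GOOD_PLAN))
    for finding in audit_plan("10.0.0.0/16", BAD_PLAN):
        print(finding)
    print(usable_after_reservation("10.0.0.0/28"))
```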

For completeness: IPv6 uses the same prefix notation on 128-bit addresses (2001:db8::/32), the standard LAN subnet is a /64, and the address space is vast enough that the scarcity-driven arithmetic above mostly disappears — but the bitwise model transfers unchanged.

Frequently Asked Questions

What does /24 mean in an IP address?
The /24 is the prefix length: the first 24 of the address's 32 bits identify the network, leaving 8 bits for hosts. That gives 2^8 = 256 addresses, of which 254 are usable after reserving the network and broadcast addresses. Its subnet-mask equivalent is 255.255.255.0. A /24 like 192.168.1.0/24 covers 192.168.1.0 through 192.168.1.255.

Why are there always 2 fewer usable hosts than total addresses?
Every conventional subnet reserves two addresses: the network address (all host bits zero), which identifies the subnet itself, and the broadcast address (all host bits one), which addresses every host at once. So a /26 with 64 addresses has 62 usable. The exceptions are /31 point-to-point links (RFC 3021 allows both addresses to be used) and /32 single-host routes.

How do I convert a CIDR prefix to a subnet mask?
Write the prefix as that many binary ones followed by zeros to fill 32 bits, then read it as four octets. /26 is 26 ones: 11111111.11111111.11111111.11000000 = 255.255.255.192. Common values: /8 = 255.0.0.0, /16 = 255.255.0.0, /24 = 255.255.255.0, /27 = 255.255.255.224, /30 = 255.255.255.252. Prefix and mask carry identical information in different notation.

What are the private IP ranges?
RFC 1918 defines three: 10.0.0.0/8 (16.7M addresses, standard for corporate networks and cloud VPCs), 172.16.0.0/12 (about 1M, covering 172.16–172.31, used by Docker defaults), and 192.168.0.0/16 (65k, typical for home routers). These are never routed on the public internet. Related special ranges: 127.0.0.0/8 for loopback, 169.254.0.0/16 for link-local self-assignment, and 100.64.0.0/10 for carrier-grade NAT.

What CIDR block should I use for a cloud VPC?
Pick a large block from RFC 1918 space — a /16 such as 10.x.0.0/16 is the common choice — and choose an x that no other VPC, office network, or partner you might peer with is using, since peering and VPNs require non-overlapping ranges. Inside it, allocate subnets on power-of-two boundaries with deliberate gaps for growth, and remember cloud providers reserve extra addresses per subnet (AWS and Azure each take 5).

Can two subnets overlap?
Within one routing domain, no — a router cannot unambiguously decide where to send a packet destined for an address that matches two subnets, although a more specific (longer) prefix legitimately overrides a broader one under longest-prefix-match routing. Between separate private networks, overlap is common (everyone uses 192.168.1.0/24) and only becomes a problem when the networks must interconnect via VPN or peering — at which point one side has to renumber or NAT.
