An IP Address Is Just a 32-Bit Number
An IPv4 address like 192.168.1.10 is a single 32-bit integer, written as four 8-bit chunks (octets) for human convenience:
192.168.1.10 = 11000000.10101000.00000001.00001010
Every piece of CIDR machinery is an operation on those 32 bits. The core idea: split the address into a network part (the high bits, shared by every host on the same network) and a host part (the low bits, unique per device). CIDR — Classless Inter-Domain Routing, from RFC 4632 — says exactly where that split falls.
The historical alternative was "classful" addressing: Class A (/8), B (/16), and C (/24) networks with the split fixed by the first octet. It wasted enormous address space (the jump from a Class C's 254 hosts to a Class B's 65,534 left no middle ground) and was replaced by CIDR in 1993. Class names survive only as slang for /8, /16, and /24.
What the Slash Number Means
The prefix length after the slash is simply how many leading bits belong to the network part:
- 10.0.0.0/8 — first 8 bits are network, 24 bits for hosts: 16,777,216 addresses
- 10.1.0.0/16 — 16 network bits, 16 host bits: 65,536 addresses
- 10.1.2.0/24 — 24 network bits, 8 host bits: 256 addresses
- 10.1.2.128/26 — 26 network bits, 6 host bits: 64 addresses
The address count is always 2^(32 − prefix), so every step of the prefix halves or doubles the block: a /24 is two /25s, four /26s, eight /27s. Subnetting is nothing more than borrowing host bits to create more, smaller networks — the arithmetic is entirely powers of two, which is why subnet boundaries land on those slightly odd-looking numbers like .64, .128, and .192.
The subnet mask is the same information in a different costume: a /26 is 26 ones followed by 6 zeros, i.e. 11111111.11111111.11111111.11000000 = 255.255.255.192. A router decides "is this address on my network?" by ANDing the address with the mask and comparing the result to the network address — one bitwise operation, which is precisely why CIDR is built this way.
A Worked Example: Dissecting 192.168.1.100/26
Take 192.168.1.100/26 and derive everything a CIDR calculator would tell you:
- Mask: 26 ones → 255.255.255.192. Host bits: 6, so the block holds 2^6 = 64 addresses.
- Network address: zero out the 6 host bits of .100 (binary 01100100 → 01000000 = 64): the block is 192.168.1.64/26.
- Broadcast address: set all host bits to one: 192.168.1.127.
- Usable host range: 192.168.1.65 through 192.168.1.126 — 62 hosts.
Why 62 and not 64? Two addresses in every conventional subnet are reserved: the network address (all host bits zero — identifies the subnet itself) and the broadcast address (all host bits one — reaches every host on the subnet). Hence the "minus 2" in every subnetting cheat sheet.
The exceptions prove the rule: a /31 (2 addresses) has no room for reservations, and RFC 3021 permits using both addresses on point-to-point links — routers do this routinely. A /32 is a single address, used to pin down one exact host in firewall rules and routing tables: 203.0.113.7/32 means "this machine and nothing else."
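The dissection above, carried out as bit operations on the 32-bit integer (an added example, not code from the original article; it uses no library so the AND/OR arithmetic stays visible, and it applies the /31 and /32 special cases just described):

```python
# Added example: a minimal CIDR calculator built from the bitwise model in the
# text. ip_to_int/int_to_ip/dissect/same_subnet are this example's own names.

def ip_to_int(dotted: str) -> int:
    """'192.168.1.100' -> the single 32-bit integer it encodes."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def dissect(cidr: str) -> dict:
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # prefix ones, then zeros
    network = ip_to_int(addr) & mask                      # zero the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)            # set the host bits
    total = 1 << (32 - prefix)                            # 2^(32 - prefix)
    if prefix == 32:        # a single host: nothing to reserve
        first, last, usable = network, network, 1
    elif prefix == 31:      # RFC 3021 point-to-point link: both addresses usable
        first, last, usable = network, broadcast, 2
    else:                   # conventional subnet: network and broadcast reserved
        first, last, usable = network + 1, broadcast - 1, total - 2
    return {
        "mask": int_to_ip(mask),
        "network": f"{int_to_ip(network)}/{prefix}",
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "total": total,
        "usable": usable,
    }

def same_subnet(ip: str, cidr: str) -> bool:
    """The router's test: AND the address with the mask, compare to the network."""
    network, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return ip_to_int(ip) & mask == ip_to_int(network) & mask

if __name__ == "__main__":
    for block in ("192.168.1.100/26", "203.0.113.6/31", "203.0.113.7/32"):
        print(block, dissect(block))
```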
Private Ranges: The Addresses That Never Leave Home
RFC 1918 reserves three blocks that are never routed on the public internet, for use inside private networks:
- 10.0.0.0/8 — 16.7 million addresses; the standard choice for corporate networks and cloud VPCs
- 172.16.0.0/12 — about 1 million addresses (172.16.x.x through 172.31.x.x); Docker's default bridge networks live here
- 192.168.0.0/16 — 65,536 addresses; the home-router universe
Three neighbors are worth recognizing on sight: 127.0.0.0/8 is loopback (localhost); 169.254.0.0/16 is link-local — the range a machine self-assigns when DHCP fails, so an unexpected 169.254 address is a diagnostic clue, and cloud metadata services famously live at 169.254.169.254; and 100.64.0.0/10 is carrier-grade NAT space, increasingly familiar from Tailscale and ISP networks.
Because private ranges are reused everywhere, overlap is the classic private-network disease: two offices both numbered 192.168.1.0/24 cannot be VPN-connected without ugly NAT workarounds. This is why network engineers pick obscure blocks like 10.173.0.0/16 instead of defaults.
Subnetting a Cloud VPC Without Regret
Cloud networking made CIDR every developer's problem: creating a VPC starts with choosing a CIDR block, and the choice is hard to change later. The working rules:
- Start bigger than you think you need. A /16 VPC (65k addresses) costs nothing more than a /24; running out and re-addressing later costs weeks. Kubernetes clusters in particular devour IPs — with VPC-native networking every pod takes one.
- Carve subnets on power-of-two boundaries with room between them. A common pattern for a 10.0.0.0/16 VPC: public subnets at 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24 (one per availability zone), private subnets at 10.0.16.0/20 per zone, leaving large unallocated gaps for whatever comes next.
- Expect the provider tax. AWS reserves 5 addresses in every subnet (network, broadcast, plus three for the router, DNS, and future use) — a /28 gives you 11 usable, not 14. Azure reserves the same 5.
- Avoid overlapping anything you might ever peer with. VPC peering and VPNs require non-overlapping CIDRs. Coordinate ranges across teams up front — a shared spreadsheet of allocated blocks beats a migration project.
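A pre-flight check for the overlap and boundary mistakes described in this section and in the private-range discussion above (an added example, not the article's own code; it uses Python's standard-library ipaddress module, and the VPC layout and peer ranges it checks are constructed samples, not real allocations):

```python
# Added example: validate a planned VPC layout before creating it.
# overlapping_pairs/subnets_fit/usable_hosts are this example's own names.
import ipaddress
from itertools import combinations

def overlapping_pairs(cidrs):
    """Every pair of blocks that share at least one address (peering/VPN killers)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]

def subnets_fit(vpc_cidr, subnet_cidrs):
    """Each subnet must sit on its own power-of-two boundary and lie inside the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    for c in subnet_cidrs:
        try:
            net = ipaddress.ip_network(c)  # strict: host bits must be zero
        except ValueError:
            problems.append(f"{c}: host bits set, not on a /{c.split('/')[1]} boundary")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{c}: not inside {vpc}")
    return problems

def usable_hosts(cidr, provider_reserved=5):
    """AWS and Azure reserve 5 addresses per subnet: a /28 yields 11, not 14."""
    return ipaddress.ip_network(cidr).num_addresses - provider_reserved

if __name__ == "__main__":
    # Constructed sample: a 10.0.0.0/16 VPC laid out as the text suggests,
    # plus one subnet with host bits set and one outside the VPC.
    plan = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24",
            "10.0.16.0/20", "10.0.17.0/20", "10.1.0.0/24"]
    print(subnets_fit("10.0.0.0/16", plan))
    # Two offices that both picked the router default, and one that did not.
    print(overlapping_pairs(["192.168.1.0/24", "192.168.1.0/24", "10.173.0.0/16"]))
    print(usable_hosts("10.0.0.0/28"))
```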
For completeness: IPv6 uses the same prefix notation on 128-bit addresses (2001:db8::/32), the standard LAN subnet is a /64, and the address space is vast enough that the scarcity-driven arithmetic above mostly disappears — but the bitwise model transfers unchanged.