Reading CIDR notation: subnets, masks, and host counts

How to read CIDR notation: what /n means, converting prefixes to netmasks, computing usable host counts, finding network and broadcast addresses, and the /31 and /32 edge cases.


A CIDR block like 192.168.1.0/24 packs two facts into one string: a starting address and a prefix length. The number after the slash is the only part most people misread. It is not a host count, not an address, and not a power of two you multiply by — it is the number of leading bits that are fixed as the network portion. Everything else follows from that single number. CIDR (Classless Inter-Domain Routing) is defined in RFC 4632.

What /n means

An IPv4 address is 32 bits. The prefix length /n says the first n bits identify the network and are the same for every address in the block; the remaining 32 − n bits are host bits and are free to vary.

192.168.1.0/24 fixes the first 24 bits. The first three octets (192.168.1) are locked; the last octet is the host portion and ranges over its 256 possible values. A larger prefix means more fixed bits, fewer host bits, and a smaller block. /25 is half the size of /24, not double — this is the part that trips people up. Counting up the prefix counts down the address space.

Prefix to netmask

The dotted-decimal netmask is just the prefix written out as 32 bits: n ones followed by 32 − n zeros, grouped into four octets.

Prefix  Netmask          Host bits  Total addresses
/8      255.0.0.0        24         16,777,216
/16     255.255.0.0      16         65,536
/24     255.255.255.0    8          256
/25     255.255.255.128  7          128
/26     255.255.255.192  6          64
/27     255.255.255.224  5          32
/28     255.255.255.240  4          16
/29     255.255.255.248  3          8
/30     255.255.255.252  2          4
/31     255.255.255.254  1          2
/32     255.255.255.255  0          1

The non-obvious octet values come from filling bits left to right. /26 has two host bits stolen from the last octet, leaving six fixed: 11000000 = 192. /30 leaves only two host bits: 11111100 = 252. If you ever need to derive a netmask octet by hand, write the fixed bits as 1s from the left and convert: 128, 192, 224, 240, 248, 252, 254, 255 are the only values a partial octet can take.

Computing usable host counts

Total addresses in a block is 2^(32 − n). In a normal subnet two of those are not usable as host addresses: the first is the network address and the last is the broadcast address. So usable hosts is 2^(32 − n) − 2.

/24: 2^8 = 256 total, 256 − 2 = 254 usable. The classic home and small-office subnet. .0 is the network, .255 is broadcast, .1 through .254 go to hosts.

/26: 2^6 = 64 total, 64 − 2 = 62 usable. A /24 splits cleanly into four /26 blocks (64 + 64 + 64 + 64 = 256), each with 62 usable addresses. Common when you carve a single subnet into four VLANs.

/30: 2^2 = 4 total, 4 − 2 = 2 usable. Four addresses, two of them usable, traditionally used for point-to-point links between two routers where you only need an address at each end. The "wasted" two addresses (network + broadcast) are half the block, which is why /31 exists.

Network address vs broadcast address

The network address is the block with all host bits set to 0; the broadcast address has all host bits set to 1. Together they bound the range.

To find which block a given IP falls in, mask the address with the netmask. Take 192.168.1.137/26. The block size is 2^6 = 64, so blocks start at multiples of 64 in the last octet: .0, .64, .128, .192. The address .137 falls between .128 and .191, so:

  • Network address: 192.168.1.128
  • First usable host: 192.168.1.129
  • Last usable host: 192.168.1.190
  • Broadcast address: 192.168.1.191
  • Next block starts at: 192.168.1.192

The shortcut: the block size in the relevant octet is 256 − (netmask octet). For /26 that is 256 − 192 = 64, confirming blocks every 64 addresses. The network address is the highest multiple of the block size at or below the host octet.

/31 and /32: the edge cases

/31 has one host bit, so 2^1 = 2 total addresses. By the normal rule that would leave zero usable hosts after subtracting network and broadcast — useless. RFC 3021 redefines /31 for point-to-point links: both addresses are usable as host addresses, with no network or broadcast reserved. This recovers the two addresses a /30 wastes and is now standard for router-to-router links on hardware that supports it. Two usable addresses, exactly the two endpoints of the link.

/32 has zero host bits, so 2^0 = 1 address — the block is a single host. You see /32 in host routes, firewall rules that match one machine, loopback addresses, and access lists. 203.0.113.5/32 means exactly 203.0.113.5 and nothing else.

These two are where the "minus 2 for network and broadcast" rule stops applying. Memorize them as exceptions rather than trying to make the general formula cover them.
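
The calculations from the preceding sections, carried out with plain integer bit operations. This is an added example, not code from the original page or from the calculator it mentions; the function names and the returned dictionary keys are assumptions made for illustration.

```python
# Added example: CIDR arithmetic by hand, including the /31 and /32 exceptions.

def ip_to_int(addr):
    """Strict dotted-quad parser: exactly four decimal octets, each 0..255."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {addr!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")

def int_to_ip(value):
    """32-bit integer back to dotted-quad text."""
    return ".".join(str(b) for b in value.to_bytes(4, "big"))

def describe(cidr):
    """Derive netmask, bounds and counts for a block such as '192.168.1.137/26'."""
    addr, _, prefix_text = cidr.partition("/")
    n = int(prefix_text)
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF  # n ones, then 32 - n zeros
    network = ip_to_int(addr) & mask              # all host bits cleared
    last = network | (~mask & 0xFFFFFFFF)         # all host bits set
    total = 2 ** (32 - n)
    if n >= 31:
        # /31 (RFC 3021) and /32: nothing is reserved, every address is usable.
        first_host, last_host, usable, broadcast = network, last, total, None
    else:
        first_host, last_host, usable, broadcast = network + 1, last - 1, total - 2, last
    return {
        "netmask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": None if broadcast is None else int_to_ip(broadcast),
        "first_host": int_to_ip(first_host),
        "last_host": int_to_ip(last_host),
        "total": total,
        "usable": usable,
    }

if __name__ == "__main__":
    for block in ("192.168.1.137/26", "10.0.0.0/31", "203.0.113.5/32"):
        print(block, describe(block))
```

The strict parser rejects shorthand forms such as 192.168.1, which some system resolvers accept and expand in ways that surprise access-control code.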

Private ranges

Three IPv4 ranges are reserved for private use by RFC 1918 and are not routable on the public internet:

CIDR            Range                          Addresses
10.0.0.0/8      10.0.0.0 – 10.255.255.255      16,777,216
172.16.0.0/12   172.16.0.0 – 172.31.255.255    1,048,576
192.168.0.0/16  192.168.0.0 – 192.168.255.255  65,536

The 172.16.0.0/12 block is the one people get wrong. The prefix is /12, not /16, so it covers 172.16 through 172.31 — sixteen /16 blocks, not just 172.16. The four fixed bits of the third-octet nibble are why it stops at 31 and not at, say, 255.
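
The /12 mistake usually shows up in code as a text-prefix check. The added example below (not from the original page) puts such a check beside a mask-based one using Python's standard ipaddress module and lists the addresses on which they disagree; the function names and sample addresses are constructed for illustration.

```python
# Added example: why "starts with 172.16." is not a test for 172.16.0.0/12.
import ipaddress

RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private_naive(addr):
    """Flawed check: text prefixes silently treat the /12 as 172.16.0.0/16."""
    return addr.startswith(("10.", "172.16.", "192.168."))

def is_rfc1918(addr):
    """Correct check: membership is decided by the fixed prefix bits."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def disagreements(addrs):
    """Addresses the two checks classify differently."""
    return [a for a in addrs if is_private_naive(a) != is_rfc1918(a)]

# Constructed sample addresses, e.g. source fields pulled from a log.
SAMPLES = ["10.1.2.3", "172.16.0.1", "172.20.5.9", "172.31.255.255",
           "172.32.0.1", "192.168.1.137", "203.0.113.5"]

if __name__ == "__main__":
    block = RFC1918[1]
    print(block, "spans", block.network_address, "to", block.broadcast_address)
    for a in disagreements(SAMPLES):
        print(a, "is RFC 1918 space but the prefix check calls it public")
```

A filter or log classifier built on the text-prefix check would label internal hosts in 172.17 through 172.31 as external.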

A note on IPv6 CIDR

IPv6 uses the same slash notation, but the address is 128 bits instead of 32, so the host-count math changes scale entirely. A typical end-site subnet is /64, which leaves 64 host bits — 2^64, roughly 18 quintillion addresses in a single subnet. Nobody computes "usable hosts" for a /64; the number is large enough that address exhaustion within a subnet is not a planning concern, and IPv6 does not have broadcast addresses to subtract anyway.

The convention worth knowing: the first 64 bits are the network prefix (allocated to you by an ISP or registry, often as a /48 or /56), and the lower 64 bits are the interface identifier. Subnetting in IPv6 is usually about how you slice the prefix above /64, not about squeezing host counts out of a tight block the way IPv4 forces you to.

Doing it by hand vs. by tool

The arithmetic above is worth understanding because it tells you why a block has the range it does — but for day-to-day work, computing the network address, broadcast, usable range, and host count of an arbitrary block is exactly the kind of fixed-width binary math better left to a tool than done in your head at 2 a.m. during an incident. Our CIDR Calculator takes a block like 192.168.1.137/26 and returns the network address, broadcast, first and last usable host, total and usable counts, and the dotted-decimal netmask in one step, including the /31 and /32 special cases.

When you do work it out manually, the three things to keep straight are: the prefix counts network bits not hosts, total addresses is 2^(32 − n), and the minus-2 rule applies everywhere except /31 and /32. Everything else is bookkeeping on those three facts.