Subnet Mask Calculator (CIDR)

What CIDR and the subnet mask describe

A CIDR block like 192.168.1.0/24 describes a range of IP addresses by splitting the 32 bits of an IPv4 address into a "network" part (the first N bits, set in the mask) and a "host" part (the remaining 32-N bits, free to vary). The subnet mask is the same information expressed as a dotted-decimal: /24 becomes 255.255.255.0 because the first 24 bits are 1 and the last 8 are 0. Both forms are interchangeable; networking tools accept whichever you prefer.

The wildcard mask (Cisco ACL syntax) is the bitwise inverse — 0.0.0.255 for a /24. It lists which bits are "wildcard" (any value). Same information, different convention. ACL rules historically used wildcard masks; modern firewalls usually accept CIDR.

How to read the numbers

• Total addresses in a /N is 2^(32-N). A /24 has 256 (2^8); a /16 has 65,536; a /29 has 8.
• Usable hosts is 2 less: the first address is the network identifier (the "name" of the subnet), the last is the broadcast address. Hosts use everything in between. The exception: /31 and /32 are special — /31 has 2 usable hosts (RFC 3021, used for point-to-point links), /32 has 1 (a single host, often used for loopback or VPN endpoints).
• Network address — the first IP in the range, used to refer to the subnet itself.
• Broadcast address — the last IP, used to send a packet to all hosts in the subnet at once.
• First/Last usable — what you can actually assign to devices.

Common sizes to remember

/32   1 host          one IP / point address (loopback, VPN endpoint)
/31   2 hosts         point-to-point link (RFC 3021, no broadcast)
/30   2 usable        4 total; classic small p2p link
/29   6 usable        small server farm; common AWS subnet floor
/28   14 usable
/27   30 usable       small office subnet
/24   254 usable      classic LAN; one octet for hosts
/23   510 usable      twice a /24
/22   1022 usable
/16   65,534 usable   classic class B; one octet split point
/8    16,777,214      classic class A; entire 10/8 private space

Private and reserved ranges

• Private (RFC 1918): 10.0.0.0/8, 172.16.0.0/12 (note: not 172.16.0.0/16 — the /12 covers 172.16 through 172.31), 192.168.0.0/16.
• CGNAT (RFC 6598): 100.64.0.0/10 — used by ISPs for carrier-grade NAT.
• Loopback: 127.0.0.0/8 — entire range is loopback, not just 127.0.0.1.
• Link-local: 169.254.0.0/16 — auto-assigned when DHCP fails (APIPA on Windows).
• Multicast: 224.0.0.0/4 — group communication, not assigned to hosts directly.
• "This network": 0.0.0.0/8 — placeholders and unspecified addresses.

Common subnetting mistakes

• Forgetting the -2 for network and broadcast. A /29 has 8 addresses but only 6 usable hosts. Cisco interviewers love this one.
• Putting the wrong address inside a CIDR block. 10.0.0.5/24 is technically valid notation, but the network address is 10.0.0.0/24. Tools accept both; for clarity, write the network address.
• Off-by-one in /23 and similar. A /23 contains two adjacent /24s. The network spans x.0.0/23 through x.1.255. Easy to mis-count.
• Confusing /24 and 24-bit IP. /24 means the first 24 bits are the network; not "24 bits are available for hosts". Easy slip when explaining to non-network people.
• Treating 172.16/16 as private. The private range is 172.16/12 (172.16 through 172.31). 172.32 and above are public.