Subnetting and CIDR, demystified
What the /24 really means, and how to split a network without fear.
Explain like I'm 5
An IP address is like a postal address that has two parts: which street you're on, and which house on that street. Everyone on the same street can shout to each other directly. To reach another street, you go through the router at the corner.
The subnet mask is just the rule that says “this much of the address is the street name, and the rest is the house number.” Change the rule and you make streets bigger (more houses) or smaller (fewer houses, but more streets).
Subnetting is deciding where to draw the line between the network part of an address (the street) and the host part (the house).
Beginner
An IPv4 address is 32 bits, which we write as four 8-bit numbers (octets) for readability: 192.168.1.10. Each octet is 0–255.
Those 32 bits split into a network portion (shared by everyone on the subnet) and a host portion (unique to each device). The subnet mask marks the boundary: a 1 bit means network, a 0 bit means host.
CIDR notation is just the count of network bits written after a slash. /24 means “the first 24 bits are network”, which is the mask 255.255.255.0.
Why subnet at all? Smaller broadcast domains (less noise), security segmentation (keep finance away from guest Wi-Fi), and efficient address use. One flat network of thousands of hosts is a performance and security headache. One caveat: a subnet boundary on its own is only a routing boundary. The segmentation holds only if the router or firewall between the subnets actually filters what crosses it; two subnets joined by a router with no ACL are separated in name only.
Intermediate
Given a CIDR block you can derive everything with simple math. For a /24 (8 host bits):
- Total addresses = 2^(host bits) = 2^8 = 256.
- Network address = all host bits 0 (192.168.1.0). Identifies the subnet itself.
- Broadcast address = all host bits 1 (192.168.1.255). Reaches every host at once.
- Usable hosts = total − 2 = 254 (you can't assign the network or broadcast address to a device).
- Usable range = 192.168.1.1 to 192.168.1.254.
| CIDR | Mask | Total | Usable hosts |
|---|---|---|---|
| /30 | 255.255.255.252 | 4 | 2 |
| /29 | 255.255.255.248 | 8 | 6 |
| /28 | 255.255.255.240 | 16 | 14 |
| /24 | 255.255.255.0 | 256 | 254 |
| /16 | 255.255.0.0 | 65,536 | 65,534 |
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 |
Where the network address comes from. The router finds it by a bitwise AND of the address and the mask: wherever the mask bit is 1, the address bit is kept; wherever it's 0, the bit is zeroed. That's the whole trick. Here it is for 192.168.1.150/26; only the last octet is shown, because the first 24 mask bits are all 1 and leave 192.168.1 untouched:

```text
address   150 = 1001 0110
mask      192 = 1100 0000   (the /26 covers 2 bits of this octet)
----------------------------- AND
network   128 = 1000 0000   -> 192.168.1.128

# /26 = 64 addresses per block, so the blocks are
# .0 .64 .128 .192 -> 150 falls in the .128 block (.129-.190 usable)
```

Every bit you add to the prefix halves the subnet; every bit you remove doubles it. A /25 is half a /24 (128 addresses); a /23 is two /24s (512).
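The derivation above (total, network, broadcast, usable range, wildcard, and the halving of blocks as the prefix grows) in working code. This is an added example, not code from the page or its subnet calculator: every value is computed with integer bit operations exactly as the AND diagram describes, and then cross-checked against Python's standard `ipaddress` module. It also handles the /31 and /32 edge cases, where the "subtract two" rule does not apply.

```python
"""Subnet arithmetic from first principles (added example, not from the original page)."""
from __future__ import annotations

from ipaddress import IPv4Network  # used only to cross-check the hand-rolled math

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    """'192.168.1.150' -> 32-bit integer. Rejects anything that is not four octets in 0-255."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    n = 0
    for o in octets:
        n = (n << 8) | int(o)
    return n


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/26 -> 0xFFFFFFC0 (255.255.255.192): `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def cidr_info(cidr: str) -> dict:
    """Network, broadcast, usable range and counts for an address written as a.b.c.d/n."""
    addr_s, _, prefix_s = cidr.partition("/")
    if not prefix_s:
        raise ValueError("expected a.b.c.d/n")
    prefix = int(prefix_s)
    addr = ip_to_int(addr_s)
    mask = prefix_to_mask(prefix)
    wildcard = mask ^ ALL_ONES          # ACL/OSPF form: 0 = must match, 1 = don't care
    network = addr & mask               # keep the bits under the 1s, zero the rest
    broadcast = network | wildcard      # same network bits, every host bit set to 1
    total = 1 << (32 - prefix)
    if prefix == 32:                    # host route: the single address is the host
        usable, first, last = 1, network, network
    elif prefix == 31:                  # RFC 3021 point-to-point: both addresses are hosts
        usable, first, last = 2, network, broadcast
    else:                               # general case: lose the network and broadcast addresses
        usable, first, last = total - 2, network + 1, broadcast - 1
    return {
        "network": f"{int_to_ip(network)}/{prefix}",
        "mask": int_to_ip(mask),
        "wildcard": int_to_ip(wildcard),
        "broadcast": int_to_ip(broadcast),
        "first": int_to_ip(first),
        "last": int_to_ip(last),
        "total": total,
        "usable": usable,
    }


def subnets_of(parent: str, child_prefix: int) -> list[str]:
    """Enumerate the equal-sized children of `parent`: each added prefix bit halves the block."""
    info = cidr_info(parent)
    parent_prefix = int(parent.split("/")[1])
    if child_prefix < parent_prefix:
        raise ValueError("child prefix must be at least as long as the parent's")
    start = ip_to_int(info["network"].split("/")[0])
    step = 1 << (32 - child_prefix)
    return [f"{int_to_ip(start + i * step)}/{child_prefix}"
            for i in range(1 << (child_prefix - parent_prefix))]


def agrees_with_stdlib(cidr: str) -> bool:
    """Cross-check against ipaddress (strict=False lets it accept a host address, not just a network)."""
    mine = cidr_info(cidr)
    net = IPv4Network(cidr, strict=False)
    return (mine["network"] == str(net)
            and mine["broadcast"] == str(net.broadcast_address)
            and mine["mask"] == str(net.netmask)
            and mine["wildcard"] == str(net.hostmask)
            and mine["total"] == net.num_addresses)


if __name__ == "__main__":
    for key, value in cidr_info("192.168.1.150/26").items():
        print(f"{key:>10}: {value}")
    print(subnets_of("192.168.1.0/24", 26))
    print("matches ipaddress:", agrees_with_stdlib("192.168.1.150/26"))
```

Running it for 192.168.1.150/26 prints network 192.168.1.128/26, broadcast 192.168.1.191, range .129 to .190 and 62 usable hosts, and the four /26 children of the /24 come out as .0, .64, .128 and .192. The `wildcard` value is the mask's bitwise inverse, the form Cisco-style ACLs expect.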
Classful vs classless. The old system fixed the split at octet boundaries (Class A = /8, B = /16, C = /24), which wasted enormous numbers of addresses. CIDR (1993) let the boundary fall anywhere, so you can right-size a subnet to its need.
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are reserved for internal use and never routed on the public internet — which is why you see them behind every home router and in every data centre.
Rather than do this by hand each time, the subnet calculator gives you network, broadcast, range and mask instantly.
Advanced
VLSM (Variable-Length Subnet Masking) means using different prefix lengths within one address plan, sizing each subnet to its actual need instead of one-size-fits-all. A point-to-point link needs only a /30 (or /31); a user VLAN might want a /23.
Worked example: carve 192.168.10.0/24 into right-sized pieces:
| Need | Subnet | Range | Usable |
|---|---|---|---|
| 120 hosts | 192.168.10.0/25 | .1–.126 | 126 |
| 60 hosts | 192.168.10.128/26 | .129–.190 | 62 |
| 10 hosts | 192.168.10.192/28 | .193–.206 | 14 |
| Router link | 192.168.10.208/30 | .209–.210 | 2 |
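The allocation rule behind that table, as an added example (not the page's own code): sort requests largest first, pick the longest prefix whose usable count still covers the request, and place each subnet on a boundary that is a multiple of its own size. Requests are deliberately fed in the wrong order to show that the sort, not the input order, produces the page's layout. The labels are the page's own; the `allow_p2p_31` switch is an assumption of this example that lets a two-host link take a /31 instead of the /30 the table uses.

```python
"""VLSM allocation of one parent block into right-sized subnets (added example, not from the page)."""
from __future__ import annotations

from ipaddress import IPv4Network


def needed_prefix(hosts: int, allow_p2p_31: bool = False) -> int:
    """Longest prefix whose usable address count still covers `hosts` devices."""
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    if hosts <= 2 and allow_p2p_31:         # RFC 3021: a /31 gives two usable addresses
        return 31
    for prefix in range(30, -1, -1):         # /30 is the smallest classic subnet (2 usable)
        if (1 << (32 - prefix)) - 2 >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in IPv4")


def allocate_vlsm(parent: str, needs: list[tuple[str, int]],
                  allow_p2p_31: bool = False) -> list[dict]:
    """Carve `parent` for `needs` = [(label, host_count), ...]; returns one row per subnet."""
    block = IPv4Network(parent)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    rows = []
    # Largest first: a big block placed after small ones would have to skip forward
    # to its own alignment boundary and waste the gap in between.
    for label, hosts in sorted(needs, key=lambda n: n[1], reverse=True):
        prefix = needed_prefix(hosts, allow_p2p_31)
        size = 1 << (32 - prefix)
        start = (cursor + size - 1) & ~(size - 1)   # round up to a multiple of `size`
        if start + size > end:
            raise ValueError(f"{parent} has no room left for {label!r} ({hosts} hosts)")
        subnet = IPv4Network((start, prefix))
        if prefix == 31:                             # both addresses usable, no broadcast
            usable, first, last = 2, subnet.network_address, subnet.broadcast_address
        else:
            usable = subnet.num_addresses - 2
            first, last = subnet.network_address + 1, subnet.broadcast_address - 1
        rows.append({"need": label, "hosts": hosts, "subnet": str(subnet),
                     "first": str(first), "last": str(last), "usable": usable})
        cursor = start + size
    return rows


def spare_addresses(parent: str, rows: list[dict]) -> int:
    """How much of `parent` the plan leaves untouched: the room to grow that the page advises."""
    used = sum(IPv4Network(r["subnet"]).num_addresses for r in rows)
    return IPv4Network(parent).num_addresses - used


# Constructed input mirroring the page's worked example, deliberately out of size order.
PAGE_EXAMPLE = [("Router link", 2), ("10 hosts", 10), ("120 hosts", 120), ("60 hosts", 60)]

if __name__ == "__main__":
    plan = allocate_vlsm("192.168.10.0/24", PAGE_EXAMPLE)
    for r in plan:
        print(f"{r['need']:<12} {r['subnet']:<20} {r['first']} - {r['last']}  usable {r['usable']}")
    print("spare addresses:", spare_addresses("192.168.10.0/24", plan))
```

The run reproduces the table (/25 at .0, /26 at .128, /28 at .192, /30 at .208) and reports 44 spare addresses at the top of the block. Asking for more than the parent holds raises instead of silently overlapping, which is the failure a hand-drawn plan tends to hide.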
Supernetting / route aggregation is the reverse: combining contiguous blocks into one shorter prefix to shrink routing tables. 192.168.0.0/24 + 192.168.1.0/24 aggregate to 192.168.0.0/23. This is what keeps the global BGP table from exploding.
Cisco IOS ACLs and OSPF network statements use a wildcard mask: the bitwise inverse of a subnet mask, where 0 means "must match" and 1 means "don't care". So /24 (mask 255.255.255.0) becomes wildcard 0.0.0.255. Same boundary, flipped bits, and a classic exam and config trap: typing the subnet mask where a wildcard is expected matches almost the opposite of what was intended.
When a router has several routes that could match a destination, it picks the most specific one — the longest prefix. A /32 host route beats a /24, which beats the /0 default route. This single rule governs how every routing decision is made.
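Aggregation and longest-prefix match, together, as an added example (not the page's code). The routing table applies the longest-prefix rule from the paragraph above; `merge_pair` encodes the condition that lets two prefixes summarise into one: same length, and network numbers that differ only in the single bit just below the prefix boundary. Adjacent is not enough; 192.168.1.0/24 and 192.168.2.0/24 touch but do not share a /23, and the example shows that refusal. Route names and next hops are made up for illustration.

```python
"""Longest-prefix match and route aggregation (added example, not from the original page)."""
from __future__ import annotations

from ipaddress import IPv4Address, IPv4Network, collapse_addresses
from typing import Optional, Tuple


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[tuple[IPv4Network, str]] = []

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append((IPv4Network(prefix), next_hop))

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Most specific matching route wins: a /32 beats a /24, which beats 0.0.0.0/0."""
        addr = IPv4Address(dst)
        best = None
        for net, hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return None if best is None else (str(best[0]), best[1])


def merge_pair(a: str, b: str) -> Optional[str]:
    """Supernet of two prefixes if, and only if, they are the two halves of one shorter prefix."""
    na, nb = IPv4Network(a), IPv4Network(b)
    if na.prefixlen != nb.prefixlen or na.prefixlen == 0:
        return None
    half_bit = 1 << (32 - na.prefixlen)          # the bit that distinguishes the two halves
    if int(na.network_address) ^ int(nb.network_address) != half_bit:
        return None                              # adjacent but not aligned, or not adjacent
    lower = min(int(na.network_address), int(nb.network_address))
    return str(IPv4Network((lower, na.prefixlen - 1)))


def aggregate(prefixes: list[str]) -> list[str]:
    """Merge sibling pairs until nothing changes. Handles siblings only, not a prefix nested in another."""
    nets = [str(n) for n in sorted({IPv4Network(p) for p in prefixes})]
    changed = True
    while changed:
        changed = False
        for i in range(len(nets) - 1):
            merged = merge_pair(nets[i], nets[i + 1])
            if merged:
                nets[i:i + 2] = [merged]         # the merged block starts where the lower one did
                changed = True
                break
    return nets


def stdlib_aggregate(prefixes: list[str]) -> list[str]:
    """Same job via the standard library, which also absorbs overlapping prefixes."""
    return [str(n) for n in collapse_addresses(IPv4Network(p) for p in prefixes)]


if __name__ == "__main__":
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "isp")
    rt.add("10.0.0.0/8", "core")
    rt.add("10.20.0.0/16", "site-b")
    rt.add("10.20.30.42/32", "host-route")
    for dst in ("10.20.30.42", "10.20.31.1", "10.1.1.1", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst))
    print(aggregate(["192.168.3.0/24", "192.168.0.0/24", "192.168.2.0/24", "192.168.1.0/24"]))
    print(aggregate(["192.168.1.0/24", "192.168.2.0/24"]))
```

Four contiguous, aligned /24s collapse to one /22 while the 192.168.1.0/24 + 192.168.2.0/24 pair stays as two routes. The lookup loop is the textbook rule; real forwarding planes use a trie or TCAM to reach the same answer in constant time, but the winner is the same.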
Deep dive
The /31 special case (RFC 3021). Normally you lose two addresses per subnet, which is wasteful on the millions of point-to-point links that only need two endpoints. A /31 repurposes the network and broadcast addresses as the two usable host addresses — perfect for router-to-router links.
The /32 host route. A single address. Used for loopbacks, individual host routes, and identifying one specific machine in firewall and routing rules.
Designing an address plan: principles that save you years of pain:
- Leave room to grow. Allocate on power-of-two boundaries and reserve gaps; renumbering later is miserable.
- Make it summarisable. Group sites/regions into contiguous blocks so they aggregate into a few routes.
- Be consistent. Reserve predictable roles (e.g. .1 = gateway) so humans can reason about it.
- Document it. An IPAM tool or even a spreadsheet beats archaeology.
Because RFC 1918 addresses (10/8, 172.16/12, 192.168/16) aren't globally routable, the edge router performs NAT: it rewrites private source addresses to its single public address and tracks each flow by port (PAT, port address translation) so many internal hosts share one public IP. It's an address-conservation trick and the reason inbound connections need port-forwarding. It is not a security control in its own right: the protection people credit to NAT comes from the stateful translation table only admitting return traffic for flows it has already seen, which a stateful firewall does explicitly and with rules you can audit. IPv6's vast space removes the address-conservation motive for NAT.
IPv6 keeps the network/host split idea but with 128 bits, so scarcity vanishes. The host portion is almost always a fixed /64, and subnetting happens in the bits above it. The mental model transfers directly — see the IPv6 expand/compress tool.
```bash
# Linux: show interfaces with CIDR prefixes
ip -br addr
# eth0   UP   10.20.30.42/22

# What network is an address in? (ipcalc is handy)
ipcalc 10.20.30.42/22
# Network:   10.20.28.0/22
# Broadcast: 10.20.31.255
# HostMin:   10.20.28.1   HostMax: 10.20.31.254   Hosts/Net: 1022
```

An IP address is 32 bits split by a mask into a network part and a host part; CIDR (/n) just states how many bits are network. From the prefix you derive the network, broadcast, range and host count by halving/doubling powers of two. VLSM right-sizes each subnet, aggregation shrinks routing tables, and longest-prefix match decides where packets go.
Frequently asked questions
What does /24 mean in an IP address?
It's CIDR notation meaning the first 24 of the 32 bits are the network portion, equivalent to the subnet mask 255.255.255.0. That leaves 8 host bits, for 256 total addresses and 254 usable hosts.
Why are two addresses unusable in a subnet?
The first address (all host bits 0) is the network identifier and the last (all host bits 1) is the broadcast address, so neither can be assigned to a device. The exception is a /31, which under RFC 3021 uses both addresses for point-to-point links.
How do I calculate the number of hosts in a subnet?
Take 2 to the power of the number of host bits (32 minus the prefix length), then subtract 2 for the network and broadcast addresses. A /26 has 6 host bits → 2^6 = 64 total → 62 usable.
What is the difference between subnetting and supernetting?
Subnetting splits one network into smaller ones by lengthening the prefix; supernetting (aggregation) combines contiguous networks into a larger one by shortening the prefix, reducing the number of routes.
What are the private IP address ranges?
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 (RFC 1918). They are reserved for internal networks and are not routed on the public internet, requiring NAT to reach the outside.