Subnetting and CIDR Explained
Subnetting is dividing one big network into smaller logical pieces. CIDR (Classless Inter-Domain Routing) is the modern notation for it. Together, they’re the most useful skill in networking — you’ll use them every time you design a VPC, configure a firewall, or troubleshoot a route.
The notation: /N means N network bits
192.168.1.0/24
Means: the first 24 bits are the network portion.
The remaining 32 - 24 = 8 bits are for hosts.
2^8 = 256 addresses (254 usable, after subtracting network + broadcast).
Common subnet sizes (memorize these)
| CIDR | Subnet mask | Total IPs | Usable | Use case |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | ~16M | Whole 10.x.x.x |
| /16 | 255.255.0.0 | 65,536 | 65,534 | Big VPC |
| /24 | 255.255.255.0 | 256 | 254 | Office / home |
| /27 | 255.255.255.224 | 32 | 30 | Small subnet |
| /30 | 255.255.255.252 | 4 | 2 | Point-to-point links |
| /32 | 255.255.255.255 | 1 | 1 | Single host (firewall rule) |
The “minus 2” rule
In a subnet, two addresses are reserved:
- Network address (first IP) — represents the subnet itself, not a host
- Broadcast address (last IP) — sends to all hosts on the subnet
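So a /24 with 256 addresses gives you 254 usable host IPs. A /32 is the exception in the table above: it names a single address, so there is no separate network or broadcast address to subtract.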
Reading a subnet
10.0.5.0/24
Network address: 10.0.5.0
First usable host: 10.0.5.1
Last usable host: 10.0.5.254
Broadcast: 10.0.5.255
Total host IPs: 254
Subnetting a /24 into smaller pieces
Say you have 192.168.1.0/24 and want 4 separate subnets.
You “borrow” 2 bits from the host portion (because 2^2 = 4 subnets):
/24 + 2 borrowed bits = /26
Each /26 has 2^(32-26) = 64 addresses (62 usable).
Subnet 1: 192.168.1.0/26 (.0–.63)
Subnet 2: 192.168.1.64/26 (.64–.127)
Subnet 3: 192.168.1.128/26 (.128–.191)
Subnet 4: 192.168.1.192/26 (.192–.255)
The fast subnet math trick
For /24 to /30 subnets, you only need to know the “block size” of each prefix:
/24 = 256
/25 = 128
/26 = 64
/27 = 32
/28 = 16
/29 = 8
/30 = 4
To find a subnet boundary: round DOWN the address to a multiple of the block size.
Example: 192.168.1.130 in a /27 network
Block size = 32, so multiples are 0, 32, 64, 96, 128, 160, 192, 224.
130 is in the 128 block.
→ Subnet: 192.168.1.128/27 (range .128 to .159)
Tools that do the math for you
```bash
# Linux: ipcalc or sipcalc
ipcalc 192.168.1.0/26

# Online calculators
# - jodies.de/ipcalc (the original)
# - cidr.xyz (visual)
# - subnet-calculator.com

# Python
python3 -c "
import ipaddress
n = ipaddress.ip_network('192.168.1.0/26')
print(f'{n.network_address} - {n.broadcast_address}, {n.num_addresses} IPs')
"
```
Why this matters
- Cloud VPC design — you’ll plan ranges like /16 for the VPC, /24 per subnet.
- Firewall rules — “allow 10.0.0.0/8” lets in your whole corporate range, all 16,777,216 addresses of it; a /32 limits a rule to a single host.
- Routing — routes are written as CIDR prefixes.
- VPN config — you specify which CIDRs route through the tunnel.
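The block-size trick and the firewall-rule point above, combined in one added example (not code from the original page). It generalises the round-down rule to any prefix length, then compares an allow rule against the hosts that actually need access. The function names, the `HOSTS` list and the `RULES` list are constructed for illustration.

```python
import ipaddress

def containing_subnet(addr: str, prefix: int) -> ipaddress.IPv4Network:
    """Round-down trick for any prefix: drop the address to a block boundary."""
    ip = int(ipaddress.IPv4Address(addr))
    block = 1 << (32 - prefix)           # block size: /27 -> 32, /26 -> 64
    return ipaddress.IPv4Network((ip - ip % block, prefix))

def tightest_cover(hosts):
    """Smallest single CIDR block that contains every address in hosts."""
    ints = [int(ipaddress.IPv4Address(h)) for h in hosts]
    diff = min(ints) ^ max(ints)         # bits where lowest and highest differ
    prefix = 32 - diff.bit_length()      # shared leading bits = network bits
    return containing_subnet(hosts[0], prefix)

def audit_rule(rule: str, hosts):
    """Report how much more a rule allows than the hosts require."""
    net = ipaddress.ip_network(rule)     # raises ValueError if host bits are set
    missed = [h for h in hosts if ipaddress.ip_address(h) not in net]
    cover = tightest_cover(hosts)
    return {
        "rule": str(net),
        "allowed": net.num_addresses,
        "missed": missed,                # required hosts the rule does not reach
        "tightest": str(cover),
        # excess only makes sense when the rule covers every required host
        "excess": None if missed else net.num_addresses - cover.num_addresses,
    }

# Constructed sample data: three hosts that need access, three candidate rules
HOSTS = ["10.0.5.10", "10.0.5.20", "10.0.5.77"]
RULES = ["10.0.0.0/8", "10.0.5.0/24", "10.0.5.0/27"]

if __name__ == "__main__":
    print(containing_subnet("192.168.1.130", 27))
    for r in RULES:
        print(audit_rule(r, HOSTS))
```

A large `excess` marks a rule that is wider than the hosts require, and a non-empty `missed` marks one that is too narrow to reach them all.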
What to learn next
IPv6 — the addressing system designed when we realized 4.3 billion addresses weren’t enough. Up next.