Subnet and CIDR Notation: A Networking Guide for Developers
If you've ever configured a cloud server, set up a Docker network, or worked with Kubernetes, you've almost certainly encountered terms like subnet mask, CIDR notation, and /24. These concepts form the backbone of how devices communicate on the internet and within private networks. Yet many developers treat networking as a black box — copying subnet values from tutorials without truly understanding what they mean.
This guide will demystify IP subnetting and CIDR notation from the ground up. By the end, you'll be able to calculate subnets by hand, understand why your VPC uses a /16 block, and confidently design network architectures for your applications.
What is Subnetting?
Every device on a network is identified by an IP address — a 32-bit number (in IPv4) typically written as four decimal octets separated by dots, such as 192.168.1.10. This address is logically divided into two parts:
- Network portion: Identifies the specific network (like a street name).
- Host portion: Identifies a specific device within that network (like a house number).
Subnetting is the practice of dividing a larger network into smaller, more manageable segments called subnets (subnetworks). Think of it as splitting a large office building into separate floors — each floor is its own subnet with its own range of addresses, yet all floors belong to the same building.
Why do we need subnetting? There are several compelling reasons:
- Efficient address allocation: Instead of wasting thousands of IP addresses on a small department, you can assign exactly the right-sized block.
- Improved security: Subnets create logical boundaries, allowing you to isolate sensitive systems (e.g., database servers) from public-facing services.
- Reduced broadcast traffic: Broadcasts are confined to a subnet, preventing network-wide congestion.
- Simplified management: Smaller networks are easier to monitor, troubleshoot, and secure.
IP Address Classes
Before CIDR was introduced, IP addresses were organized into classes. This classful addressing system defined fixed boundaries between the network and host portions. While largely historical, understanding classes helps you grasp why CIDR was created as a more flexible alternative.
| Class | First Octet Range | Default Subnet Mask | Networks | Hosts per Network |
|---|---|---|---|---|
| A | 1–126 | 255.0.0.0 (/8) | 128 | 16,777,214 |
| B | 128–191 | 255.255.0.0 (/16) | 16,384 | 65,534 |
| C | 192–223 | 255.255.255.0 (/24) | 2,097,152 | 254 |
| D | 224–239 | N/A (Multicast) | — | — |
| E | 240–255 | N/A (Reserved) | — | — |
Class A networks are massive — a single Class A block can hold over 16 million hosts. Class C networks, on the other hand, only support 254 hosts. The problem? There was no middle ground. An organization needing 500 addresses would have to request an entire Class B block (65,534 addresses), wasting tens of thousands of IPs. This inflexibility led to the adoption of CIDR.
Understanding Subnet Masks
A subnet mask is a 32-bit number that tells a device which portion of an IP address refers to the network and which portion refers to the host. The mask works by setting all network bits to 1 and all host bits to 0.
For example, the common subnet mask 255.255.255.0 looks like this in binary:
```
Decimal:  255      . 255      . 255      . 0
Binary:   11111111   11111111   11111111   00000000
          |---------- Network ----------| |- Host -|
```
To determine the network address from any IP, you perform a bitwise AND operation between the IP address and the subnet mask. Here is a concrete example:
```
IP Address:   192.168.1.45  → 11000000.10101000.00000001.00101101
Subnet Mask:  255.255.255.0 → 11111111.11111111.11111111.00000000
──────────────────────────────────────────────────────
Network Addr: 192.168.1.0   → 11000000.10101000.00000001.00000000
```
The AND operation preserves the network bits (where the mask is 1) and zeros out the host bits (where the mask is 0). This reveals that 192.168.1.45 belongs to the network 192.168.1.0.
Tip: A quick way to check if two devices are on the same subnet is to AND both IP addresses with the subnet mask. If the results are identical, the devices can communicate directly without a router.
CIDR Notation Explained
CIDR (Classless Inter-Domain Routing, pronounced "cider") was introduced in 1993 to replace the rigid classful addressing system. Instead of being locked into Class A, B, or C boundaries, CIDR allows you to specify the exact number of network bits using a prefix length.
CIDR notation appends a forward slash and a number to an IP address, like 192.168.1.0/24. The number after the slash indicates how many of the 32 bits are dedicated to the network portion:
- /24 means the first 24 bits are the network part, leaving 8 bits for hosts (2^8 - 2 = 254 usable hosts).
- /16 means the first 16 bits are the network part, leaving 16 bits for hosts (2^16 - 2 = 65,534 usable hosts).
- /28 means the first 28 bits are the network part, leaving 4 bits for hosts (2^4 - 2 = 14 usable hosts).
The beauty of CIDR is variable-length subnet masking (VLSM). You are no longer forced to use /8, /16, or /24. Need exactly 30 hosts? Use a /27 (which gives you 30 usable addresses). Need just 2 hosts for a point-to-point link? Use a /30. This flexibility dramatically reduces IP address waste and is the foundation of modern internet routing.
| CIDR | Subnet Mask | Binary Mask |
|---|---|---|
| /8 | 255.0.0.0 | 11111111.00000000.00000000.00000000 |
| /16 | 255.255.0.0 | 11111111.11111111.00000000.00000000 |
| /24 | 255.255.255.0 | 11111111.11111111.11111111.00000000 |
| /28 | 255.255.255.240 | 11111111.11111111.11111111.11110000 |
| /32 | 255.255.255.255 | 11111111.11111111.11111111.11111111 |
How to Calculate Subnets
Let's walk through a complete subnet calculation using the network 10.0.1.0/26 as our example.
Step 1: Determine the Subnet Mask
A /26 prefix means 26 network bits and 6 host bits. The subnet mask in binary is 26 ones followed by 6 zeros:
11111111.11111111.11111111.11000000 = 255.255.255.192
Step 2: Calculate the Number of Hosts
With 6 host bits, the total number of addresses is 2^6 = 64. However, two addresses are reserved: the network address (all host bits are 0) and the broadcast address (all host bits are 1). So the number of usable hosts is:
Usable hosts = 2^6 - 2 = 62
Step 3: Find the Network Address, Broadcast Address, and Host Range
```
Given: 10.0.1.0/26

Network Address: 10.0.1.0   (all host bits are 0)
First Host:      10.0.1.1   (network address + 1)
Last Host:       10.0.1.62  (broadcast address - 1)
Broadcast:       10.0.1.63  (all host bits are 1)
Usable Hosts:    62
```
Step 4: Identify All Subnets in the Block
Since a /26 splits a /24 into four equal subnets (each with 64 addresses), the subnets within 10.0.1.0/24 are:
```
Subnet 1: 10.0.1.0/26    (hosts: 10.0.1.1 – 10.0.1.62)
Subnet 2: 10.0.1.64/26   (hosts: 10.0.1.65 – 10.0.1.126)
Subnet 3: 10.0.1.128/26  (hosts: 10.0.1.129 – 10.0.1.190)
Subnet 4: 10.0.1.192/26  (hosts: 10.0.1.193 – 10.0.1.254)
```
Tip: The "magic number" shortcut — subtract the last non-zero octet of the subnet mask from 256 to get the subnet increment. For /26: 256 - 192 = 64, so subnets start at 0, 64, 128, and 192.
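The four steps above, together with the bitwise AND from the subnet mask section, written out as integer bit operations. This is an added example, not code from the original article; the function names are illustrative, and it generalizes the worked /26 case to any prefix, including the /31 and /32 cases covered in the FAQ.

```python
def ip_to_int(dotted):
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: " + dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value):
    """Unpack a 32-bit integer into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """Step 1: a /prefix mask is `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def describe(cidr):
    """Steps 1-3 for any address/prefix pair (host bits may be set)."""
    addr, _, plen = cidr.partition("/")
    prefix = int(plen)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(addr) & mask            # AND keeps the network bits
    broadcast = network | (mask ^ 0xFFFFFFFF)   # set every host bit to 1
    total = 1 << (32 - prefix)
    if prefix >= 31:  # /31 (RFC 3021) and /32 reserve no addresses
        first, last, usable = network, broadcast, total
    else:
        first, last, usable = network + 1, broadcast - 1, total - 2
    return {"mask": int_to_ip(mask), "network": int_to_ip(network),
            "broadcast": int_to_ip(broadcast), "first": int_to_ip(first),
            "last": int_to_ip(last), "usable": usable}

def split(cidr, new_prefix):
    """Step 4: list the equal-sized subnets inside a parent block."""
    addr, _, plen = cidr.partition("/")
    prefix = int(plen)
    if not prefix <= new_prefix <= 32:
        raise ValueError("new prefix must not be shorter than the parent's")
    base = ip_to_int(addr) & prefix_to_mask(prefix)
    step = 1 << (32 - new_prefix)               # the "magic number" increment
    return [f"{int_to_ip(base + i * step)}/{new_prefix}"
            for i in range(1 << (new_prefix - prefix))]

def same_subnet(a, b, prefix):
    """Two hosts share a subnet when their masked addresses are equal."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)
```

Calling `describe("10.0.1.0/26")` reproduces the values from Step 3, and `split("10.0.1.0/24", 26)` lists the four subnets from Step 4.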
Common CIDR Blocks
Here is a reference table of the most commonly used CIDR prefixes, the number of addresses and usable hosts they provide, and their typical use cases:
| CIDR | Subnet Mask | Total Addresses | Usable Hosts | Common Use Case |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 | Large enterprise / ISP |
| /16 | 255.255.0.0 | 65,536 | 65,534 | AWS VPC default |
| /24 | 255.255.255.0 | 256 | 254 | Small office / home LAN |
| /28 | 255.255.255.240 | 16 | 14 | Small DMZ / server group |
| /30 | 255.255.255.252 | 4 | 2 | Point-to-point link |
| /32 | 255.255.255.255 | 1 | 1 | Single host route / loopback |
Tip: Every time you increase the prefix length by 1, you halve the number of available addresses. A /23 has 512 addresses, a /24 has 256, a /25 has 128, and so on.
Private vs Public IP Ranges
RFC 1918 defines three blocks of IP addresses reserved for private use. These addresses are not routable on the public internet — they are used exclusively within internal networks. Any organization can use these ranges without coordination with an internet registry.
| CIDR Block | Address Range | Total Addresses | Class Equivalent |
|---|---|---|---|
| 10.0.0.0/8 | 10.0.0.0 – 10.255.255.255 | 16,777,216 | Class A |
| 172.16.0.0/12 | 172.16.0.0 – 172.31.255.255 | 1,048,576 | Class B (16 blocks) |
| 192.168.0.0/16 | 192.168.0.0 – 192.168.255.255 | 65,536 | Class C (256 blocks) |
Public IP addresses are everything outside of these reserved ranges. They are assigned by Regional Internet Registries (RIRs) such as ARIN, RIPE, and APNIC. When your device communicates over the internet, your router performs NAT (Network Address Translation) to translate your private IP into a public one.
You can quickly look up whether an IP address is public or private using our IP Address Lookup tool.
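A classifier for the RFC 1918 table above, as an added example that is not part of the original article. It checks the exact block boundaries (172.16.0.0/12 ends at 172.31.255.255) and also labels a few well-known non-public blocks outside RFC 1918, which matters when the result feeds a firewall or allow-list decision; the `SPECIAL` list and its labels are an illustrative, non-exhaustive assumption.

```python
import ipaddress

# The three private blocks from RFC 1918, as listed in the table above.
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Other IPv4 blocks that are not ordinary public unicast space.
# This list is deliberately short and is not exhaustive.
SPECIAL = [
    (ipaddress.ip_network("0.0.0.0/8"), "this-network"),
    (ipaddress.ip_network("100.64.0.0/10"), "shared address space"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("224.0.0.0/4"), "multicast"),   # Class D
    (ipaddress.ip_network("240.0.0.0/4"), "reserved"),    # Class E
]

def classify(addr):
    """Label an IPv4 address as private (with its block), special, or public."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only: " + addr)
    for net in RFC1918:
        if ip in net:
            return "private " + str(net)
    for net, label in SPECIAL:
        if ip in net:
            return label
    return "public"  # not in any block listed above

def classify_all(addrs):
    """Classify a batch, keeping input order."""
    return [(a, classify(a)) for a in addrs]

# Constructed sample addresses, chosen to sit on block boundaries.
SAMPLES = ["10.0.1.45", "172.31.255.255", "172.32.0.1",
           "192.168.255.255", "192.169.0.1", "127.0.0.1", "8.8.8.8"]

if __name__ == "__main__":
    for addr, label in classify_all(SAMPLES):
        print(f"{addr:<16} {label}")
```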
Subnetting in Practice
Understanding subnets on paper is one thing — seeing them in real-world infrastructure is another. Here are three common scenarios where developers encounter subnetting daily.
AWS VPC Architecture
When you create an AWS VPC (Virtual Private Cloud), you must specify a CIDR block. A typical setup might look like this:
```
VPC CIDR:               10.0.0.0/16   (65,536 addresses)

Public Subnet AZ-a:     10.0.1.0/24   (web servers, load balancers)
Public Subnet AZ-b:     10.0.2.0/24   (web servers, load balancers)
Private Subnet AZ-a:    10.0.10.0/24  (application servers)
Private Subnet AZ-b:    10.0.11.0/24  (application servers)
Database Subnet AZ-a:   10.0.20.0/24  (RDS instances)
Database Subnet AZ-b:   10.0.21.0/24  (RDS instances)
```
The /16 VPC gives you room for 256 subnets of /24 each. By organizing subnets into tiers (public, private, database) across availability zones, you get both high availability and network isolation.
Docker Networking
Docker automatically creates a bridge network with a default subnet, typically 172.17.0.0/16. You can create custom networks with specific CIDR blocks:
```bash
# Create a custom bridge network (28-bit prefix, 14 hosts)
docker network create \
  --subnet=172.20.0.0/28 \
  --gateway=172.20.0.1 \
  my-app-network

# Run a container with a specific IP
docker run --network=my-app-network \
  --ip=172.20.0.5 \
  my-app:latest
```
Kubernetes Pod CIDR
Kubernetes assigns each pod a unique IP address from a cluster-wide CIDR block. When initializing a cluster with kubeadm, you specify the pod network CIDR:
```bash
# Specify the Pod CIDR when initializing the cluster
kubeadm init --pod-network-cidr=10.244.0.0/16

# Each node is allocated a /24 subnet
# Node 1: 10.244.0.0/24 (up to 254 pods)
# Node 2: 10.244.1.0/24 (up to 254 pods)
# Node 3: 10.244.2.0/24 (up to 254 pods)
```
The /16 block allows up to 256 nodes, each receiving a /24 subnet. This hierarchical allocation ensures that pods across different nodes never have IP conflicts while keeping routing tables manageable.
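A plan check for the three layouts in this section, as an added example that is not from the original article: it confirms that every tier subnet sits inside the VPC block, that no two tiers overlap, and that the VPC, Docker, and Kubernetes ranges stay disjoint. The tier names and the faulty `BAD_TIERS` plan are constructed for illustration; the CIDR values in `TIERS` and `ENVIRONMENT` are the ones used above.

```python
import ipaddress
from itertools import combinations

def find_overlaps(ranges):
    """Return sorted name pairs whose CIDR blocks share at least one address."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in ranges.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def outside_parent(parent, ranges):
    """Return names of blocks that are not fully contained in the parent."""
    parent_net = ipaddress.ip_network(parent)
    return sorted(name for name, cidr in ranges.items()
                  if not ipaddress.ip_network(cidr).subnet_of(parent_net))

# The VPC layout from the AWS example above.
VPC = "10.0.0.0/16"
TIERS = {
    "public-az-a": "10.0.1.0/24", "public-az-b": "10.0.2.0/24",
    "private-az-a": "10.0.10.0/24", "private-az-b": "10.0.11.0/24",
    "database-az-a": "10.0.20.0/24", "database-az-b": "10.0.21.0/24",
}

# Address spaces that may end up routed on the same hosts.
ENVIRONMENT = {
    "vpc": VPC,
    "docker-default-bridge": "172.17.0.0/16",
    "docker-my-app-network": "172.20.0.0/28",
    "k8s-pods": "10.244.0.0/16",
}

# Constructed faulty plan: one subnet collides with the database tier,
# another falls outside the VPC block entirely.
BAD_TIERS = dict(TIERS, **{"cache-az-a": "10.0.20.128/25",
                           "mgmt": "10.1.0.0/24"})

if __name__ == "__main__":
    print("tier overlaps:       ", find_overlaps(TIERS))
    print("outside VPC:         ", outside_parent(VPC, TIERS))
    print("environment overlaps:", find_overlaps(ENVIRONMENT))
    print("bad plan overlaps:   ", find_overlaps(BAD_TIERS))
    print("bad plan outside VPC:", outside_parent(VPC, BAD_TIERS))
```

`ipaddress.ip_network` raises `ValueError` when host bits are set (for example `10.0.1.5/24`), so a mistyped subnet fails loudly instead of being silently rounded down.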
Try BeautiCode Subnet Calculator
Manually calculating subnets is a valuable skill, but in day-to-day work you need quick, accurate results. The BeautiCode Subnet Calculator lets you instantly compute network addresses, broadcast addresses, host ranges, and usable host counts for any CIDR block — all processed right in your browser with zero data sent to any server.
Simply enter an IP address with a CIDR prefix (e.g., 192.168.10.0/22) and get a full breakdown including:
- Network address and broadcast address
- First and last usable host IP
- Total number of addresses and usable hosts
- Subnet mask in decimal and binary notation
- Wildcard mask for ACL configurations
Need to check who owns a specific public IP? Try our IP Address Lookup tool to get geolocation, ISP information, and more.
Frequently Asked Questions
What is the difference between a subnet mask and CIDR notation?
They represent the same information in different formats. A subnet mask like 255.255.255.0 is the dotted-decimal form, while /24 is the CIDR shorthand that simply counts the number of 1-bits in the mask. CIDR notation is more compact and is the modern standard used in routing tables, cloud configurations, and firewall rules.
Why are two addresses always "lost" in a subnet?
Every subnet reserves two addresses: the network address (the lowest address, where all host bits are 0) and the broadcast address (the highest address, where all host bits are 1). The network address identifies the subnet itself, and the broadcast address is used to send packets to all hosts in the subnet simultaneously. Neither can be assigned to a device.
Can I use a /31 or /32 subnet?
Yes. A /31 subnet provides exactly 2 addresses with no network or broadcast address — it is defined in RFC 3021 specifically for point-to-point links between two routers. A /32 subnet represents a single host and is commonly used in routing tables to identify a specific machine (e.g., a loopback address or a host route in a firewall rule).
How do I choose the right subnet size for my project?
Start by estimating the maximum number of devices or services that will need IP addresses, then add a buffer for future growth (typically 50–100%). Find the smallest CIDR block that accommodates this number. For example, if you need 100 hosts, a /25 (126 usable hosts) is tight — a /24 (254 usable hosts) gives comfortable room. In cloud environments like AWS, remember that some addresses are reserved by the platform (typically 5 per subnet).
What is a supernet and how does it relate to CIDR?
Supernetting (also called route aggregation or summarization) is the opposite of subnetting — it combines multiple smaller networks into a single larger block. For example, four /24 networks (192.168.0.0/24 through 192.168.3.0/24) can be summarized as a single 192.168.0.0/22 route. This reduces the size of routing tables and is a key technique used by ISPs to manage the global routing table efficiently. CIDR makes supernetting possible by removing the classful boundaries that previously prevented this kind of aggregation.