CIDR & Subnetting Explained: Reading /24, Masks, and Host Counts
A no-memorization guide to CIDR notation and subnetting — what the slash number really means, how to count hosts in a /24 or /20, why the network and broadcast addresses are reserved, how subnet masks work in binary, and the quick mental math for everyday networking.
You see 10.0.0.0/24 in a config file or a firewall rule and nod along, but if someone asked “how many hosts is that?” you’d reach for a calculator. CIDR isn’t hard — it’s just one idea applied consistently. Once the /number clicks, you can read any range at a glance.
An IP address is just 32 bits
An IPv4 address like 192.168.1.10 is four numbers, each 0–255 and therefore 8 bits each, for 32 bits total. Writing it in binary makes everything that follows obvious:
192.168.1.10
11000000.10101000.00000001.00001010
└8 bits┘ └8 bits┘ └8 bits┘ └8 bits┘
Every networking concept below is just “which of these 32 bits identify the network, and which identify the host inside it.”
What the slash actually means
CIDR notation — the /24 part — says how many leading bits are fixed as the network. The rest are free for hosts.
- /24 → the first 24 bits are the network, the last 8 are hosts.
- /16 → first 16 network, last 16 hosts.
- /8 → first 8 network, last 24 hosts.
So 10.0.0.0/24 means “every address from 10.0.0.0 to 10.0.0.255 shares the network part 10.0.0, and the last octet is free.” That’s the whole concept.
Counting hosts (the part everyone wants)
If h bits are left for hosts, there are 2^h addresses in the block. But two are reserved, so usable hosts = 2^h − 2:
- The network address (all host bits 0) names the subnet itself.
- The broadcast address (all host bits 1) sends to everyone on it.
| CIDR | Host bits | Total addresses | Usable hosts |
|---|---|---|---|
| /30 | 2 | 4 | 2 |
| /29 | 3 | 8 | 6 |
| /24 | 8 | 256 | 254 |
| /20 | 12 | 4,096 | 4,094 |
| /16 | 16 | 65,536 | 65,534 |
The quick mental trick: host bits = 32 − the slash number, then it’s 2^(that) − 2. A /26 → 32 − 26 = 6 host bits → 2^6 − 2 = 62 usable hosts. (The −2 doesn’t apply to /31 point-to-point links or /32 single hosts, which have special rules.)
To expand a block into its actual address list without the binary gymnastics, drop it into the subnet calculator or the IP range expander.
The subnet mask is the same idea, written differently
A subnet mask like 255.255.255.0 is just the CIDR prefix drawn out as a full address: a 1 for every network bit, a 0 for every host bit.
/24 = 11111111.11111111.11111111.00000000
    = 255     .255     .255     .0
So /24 and 255.255.255.0 are two notations for the exact same thing. Older tools and OS configs use the dotted mask; modern configs use CIDR. Common equivalents worth recognizing:
| CIDR | Mask |
|---|---|
| /8 | 255.0.0.0 |
| /16 | 255.255.0.0 |
| /24 | 255.255.255.0 |
| /25 | 255.255.255.128 |
| /26 | 255.255.255.192 |
The “weird” masks (128, 192, 224, 240…) appear when you split an octet — each is the high bits of that byte set to 1.
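The host-count and mask arithmetic from the two sections above, done with plain bit operations, as an added example that is not part of the original article. The function names are this example's own, the sample blocks are constructed, and it goes slightly beyond the text by spelling out the /31 and /32 cases (no addresses reserved, per RFC 3021 for /31) and by showing how a rule's block is matched against a source address.

```python
def ip_to_int(dotted):
    """Pack a dotted-quad IPv4 address into one 32-bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(cidr):
    """Return mask, network, broadcast and address counts for a CIDR block."""
    address, _, prefix = cidr.partition("/")
    n = int(prefix)
    if not 0 <= n <= 32:
        raise ValueError(f"prefix out of range: {cidr!r}")
    host_bits = 32 - n
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF   # n ones, then host_bits zeros
    network = ip_to_int(address) & mask             # clear every host bit
    broadcast = network | (~mask & 0xFFFFFFFF)      # set every host bit
    total = 1 << host_bits
    # /31 (RFC 3021 point-to-point) and /32 (single host) reserve nothing.
    usable = total - 2 if host_bits >= 2 else total
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "total": total,
        "usable": usable,
    }


def rule_matches(cidr, source_ip):
    """True if source_ip falls inside the block a firewall rule names."""
    info = describe(cidr)
    mask = ip_to_int(info["mask"])
    return (ip_to_int(source_ip) & mask) == ip_to_int(info["network"])


if __name__ == "__main__":
    # Constructed sample blocks; 203.0.113.9 is a documentation address.
    for block in ("10.0.0.77/26", "10.0.0.0/20", "192.0.2.4/31", "0.0.0.0/0"):
        print(block, describe(block))
    print(rule_matches("0.0.0.0/0", "203.0.113.9"))
    print(rule_matches("10.0.1.0/24", "10.0.2.1"))
```

Because the mask for /0 is all zeros, every source address ANDs down to 0.0.0.0 and matches, which is why that block on an inbound rule means "anyone".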
Why /20 looks bigger than /24
A smaller slash number means fewer network bits, so more host bits, so a bigger block. This trips people up because “bigger number = smaller network” feels backwards. Anchor on it once:
- /24 = 256 addresses (one classic “Class C” sized network).
- /20 = sixteen /24s stacked together = 4,096 addresses.
- /28 = a sixteenth of a /24 = 16 addresses.
Each step of the slash by 1 halves or doubles the block. /25 is half a /24; /23 is two /24s.
Where this shows up day to day
- Firewall / security-group rules — 0.0.0.0/0 means “the entire internet” (zero network bits fixed). Seeing that on an inbound rule should make you nervous.
- VPC and cloud networking — you carve a big block like 10.0.0.0/16 into subnets like 10.0.1.0/24 per availability zone.
- Private ranges — 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are the reserved private spaces you’ll live in.
- IPv6 — same CIDR idea, just 128 bits instead of 32; a /64 is the standard subnet size. Expand the long-form addresses with the IPv6 expander.
The 30-second recap
- An IP is 32 bits; the /n says how many lead bits are the network.
- Host bits = 32 − n; addresses = 2^(host bits); usable = that − 2.
- A subnet mask is the same /n written as a dotted-decimal address.
- Smaller slash = bigger network. Each ±1 doubles or halves the block.
Memorize the /24 = 254 hosts anchor and the doubling rule, and you can reason about any block without a chart. When you need the exact ranges, gateway, and broadcast address, let the subnet calculator do the arithmetic.