Free IP / CIDR Subnet Calculator Online
Enter an IP address and CIDR prefix to get subnet range, broadcast address, usable hosts and more.
What is CIDR notation — and why it replaced IP address classes
CIDR (Classless Inter-Domain Routing) is the standard method for specifying IP address ranges and routing prefixes. Introduced in RFC 1519 in 1993, it replaced the rigid class-based system that was rapidly exhausting the IPv4 address space. In CIDR notation, a network is written as an IP address followed by a slash and the prefix length: 192.168.1.0/24. The number after the slash specifies how many leading bits are the network portion — the remaining bits identify individual hosts within that network.
Before CIDR, IPv4 addresses were divided into rigid classes based purely on the first octet. Class A (/8) had 126 networks with ~16.7 million hosts each. Class B (/16) had 16,384 networks with ~65,000 hosts each. Class C (/24) had 2 million networks with 254 hosts each. This was catastrophically wasteful: a company needing 1,000 IP addresses had to receive a full Class B block with 65,534 usable addresses, leaving 64,534 addresses permanently unused and unavailable to others. By the early 1990s, Class B addresses were nearly exhausted.
CIDR solved this by allowing any prefix length from /0 (the entire internet) to /32 (a single host). Need 1,000 addresses? Take a /22 (1,022 usable hosts). Need 30? Take a /27 (30 usable hosts). CIDR also enabled route aggregation (supernetting): multiple smaller network prefixes can be summarised into a single routing entry, dramatically reducing the size of internet routing tables. The global BGP routing table would be millions of entries without CIDR aggregation; with it, it is managed at a few hundred thousand prefixes.
Subnet masks, network addresses, and broadcast addresses
Every IPv4 address is a 32-bit number, typically written in dotted-decimal notation (four octets of 0–255). A subnet mask is a 32-bit number that has consecutive 1s from the left for the network bits and 0s for the host bits. The prefix length and subnet mask are two representations of the same concept: /24 and 255.255.255.0 are identical.
Network address
The network address is computed by performing a bitwise AND of the host IP address with the subnet mask. All host bits are set to zero. For example, with IP 192.168.10.50 and prefix /26 (mask 255.255.255.192): the bitwise AND yields 192.168.10.0 as the network address. This address identifies the subnet itself and cannot be assigned to any host.
Broadcast address
The broadcast address is computed by setting all host bits to 1. For the /26 example, the host portion is 6 bits, so the broadcast is 192.168.10.63 (network address OR wildcard mask: 192.168.10.0 OR 0.0.0.63). Packets sent to the broadcast address are delivered to every host on the subnet. Routers do not forward broadcast packets between subnets — one of the primary reasons to segment large networks into smaller subnets.
Usable host range
Usable hosts are all addresses between the network address (exclusive) and the broadcast address (exclusive). For a /26 subnet: 192.168.10.1 through 192.168.10.62 — 62 usable hosts. The general formula is 2^(32 − prefix) − 2. Exceptions: /31 (RFC 3021, point-to-point links, 0 reserved addresses, 2 usable) and /32 (single host route, 1 "usable" address representing itself).
| Prefix | Subnet mask | Total IPs | Usable hosts | Common use |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 | ISP / large enterprise |
| /16 | 255.255.0.0 | 65,536 | 65,534 | Large corporate LAN |
| /20 | 255.255.240.0 | 4,096 | 4,094 | Medium campus/VPC |
| /24 | 255.255.255.0 | 256 | 254 | Typical office subnet |
| /25 | 255.255.255.128 | 128 | 126 | Half a /24 |
| /26 | 255.255.255.192 | 64 | 62 | Small VLAN / department |
| /27 | 255.255.255.224 | 32 | 30 | Small segment (~30 devices) |
| /28 | 255.255.255.240 | 16 | 14 | Small server group |
| /29 | 255.255.255.248 | 8 | 6 | Tiny segment / ISP hand-off |
| /30 | 255.255.255.252 | 4 | 2 | WAN point-to-point link |
| /31 | 255.255.255.254 | 2 | 2 | P2P links (RFC 3021) |
| /32 | 255.255.255.255 | 1 | 1 (host) | Loopback / host route |
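The network, broadcast and usable-range rules above, including the /31 and /32 exceptions, written out with explicit bit operations. This is an added example, not code from the calculator on this page; the function names and dictionary keys are assumptions made for illustration.

```python
# Added example: the subnet arithmetic described above, done by hand.
def ip_to_int(ip: str) -> int:
    """Parse dotted-decimal IPv4 strictly into a 32-bit integer."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {ip!r}")
    value = 0
    for part in parts:
        # Reject signs, spaces, non-ASCII digits and leading zeros ("010"),
        # which some parsers interpret as octal.
        if not (part.isascii() and part.isdigit()) or (len(part) > 1 and part[0] == "0"):
            raise ValueError(f"bad octet {part!r} in {ip!r}")
        if int(part) > 255:
            raise ValueError(f"octet out of range {part!r} in {ip!r}")
        value = (value << 8) | int(part)
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_info(cidr: str) -> dict:
    ip_text, _, prefix_text = cidr.partition("/")
    if not (prefix_text.isascii() and prefix_text.isdigit()) or int(prefix_text) > 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    prefix = int(prefix_text)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # 1s for the network bits
    wildcard = mask ^ 0xFFFFFFFF                       # bitwise inverse of the mask
    network = ip_to_int(ip_text) & mask                # host bits cleared
    broadcast = network | wildcard                     # host bits set
    total = 1 << (32 - prefix)
    if prefix >= 31:
        # /31 (RFC 3021) and /32: nothing is reserved, every address is usable.
        first, last, usable = network, broadcast, total
    else:
        first, last, usable = network + 1, broadcast - 1, total - 2
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),  # for /31 and /32 this is just the last address
        "mask": int_to_ip(mask),
        "wildcard": int_to_ip(wildcard),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "usable": usable,
    }
```
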
Private IP address ranges — RFC 1918 and beyond
RFC 1918 (1996) reserves three IP ranges exclusively for private use — they are never routed on the public internet, and any router receiving a packet destined for these addresses will drop it unless it is on a local private network. NAT (Network Address Translation) allows entire private networks to share a single public IP address for internet access.
| Range | CIDR | Addresses | Typical use |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | ~16.7 million | Large enterprises, cloud VPCs (AWS default VPC) |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | ~1 million | Medium business; Docker default bridge (172.17.0.0/16) |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | ~65,000 | Home routers (192.168.1.0/24, 192.168.0.0/24) |
Beyond RFC 1918, several other important ranges are reserved. 127.0.0.0/8 is the loopback range — 127.0.0.1 is localhost, always pointing to the local machine regardless of network configuration. 169.254.0.0/16 is the link-local (APIPA) range — Windows and macOS auto-assign addresses here when DHCP fails. 100.64.0.0/10 (RFC 6598) is reserved for ISP Carrier-Grade NAT (CGNAT), which allows ISPs to share fewer public IPs among many customers.
CIDR in cloud environments, Kubernetes, and Docker
CIDR notation is fundamental to modern cloud networking. Every major cloud provider uses CIDR to define VPC (Virtual Private Cloud) networks, subnets, security groups, and routing tables. Understanding CIDR is a prerequisite for any work involving cloud infrastructure.
AWS VPC
When you create an AWS VPC, you assign a CIDR block — typically a /16 (65,536 addresses) from the 10.0.0.0/8 space, such as 10.0.0.0/16. You then divide this into subnets across availability zones: a /24 per AZ is common, giving 254 usable hosts per AZ. Security groups use CIDR notation to specify allowed source/destination ranges: 10.0.0.0/8 for all internal traffic, or 0.0.0.0/0 for any address (used cautiously for internet-facing services).
Kubernetes pod and service CIDRs
Kubernetes assigns CIDR ranges to pods and services separately. A typical cluster configuration might use 10.244.0.0/16 for pod IPs (assigned by CNI plugins like Flannel or Calico) and 10.96.0.0/12 for service ClusterIPs. Each node receives a /24 slice of the pod CIDR: node 1 gets 10.244.0.0/24, node 2 gets 10.244.1.0/24, and so on. These CIDRs must not overlap with the host network or VPC subnets.
Docker networking
Docker creates a default bridge network at 172.17.0.0/16 and assigns each container an IP from that range. When you create a custom Docker network, you can specify the CIDR: docker network create --subnet=192.168.100.0/24 mynet. Docker Compose assigns subnets automatically from the 172.16.0.0/12 range. Understanding these CIDRs is important when containers need to communicate with host services or when debugging connectivity issues.
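A pre-deployment check for the non-overlap requirement above, run over the ranges this section mentions, plus the per-node /24 slicing of the pod CIDR. This is an added example and not taken from any of the tools named here; the range labels, function names and the on-premises range in the usage note are assumptions.

```python
# Added example: detect overlapping CIDR allocations before they are deployed.
import ipaddress
from itertools import combinations, islice

def find_overlaps(ranges: dict) -> list:
    """Return (name_a, name_b, shared_cidr) for every overlapping pair.

    strict=True rejects entries with host bits set (e.g. 10.244.0.5/16),
    which are usually typos in an address plan.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in ranges.items()}
    conflicts = []
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            # Two CIDR blocks overlap only when one contains the other,
            # so the shared region is the block with the longer prefix.
            shared = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
            conflicts.append((a, b, str(shared)))
    return conflicts

def node_pod_cidrs(pod_cidr: str, nodes: int, node_prefix: int = 24) -> list:
    """First `nodes` per-node slices of the pod CIDR, in allocation order."""
    pod_net = ipaddress.ip_network(pod_cidr, strict=True)
    return [str(n) for n in islice(pod_net.subnets(new_prefix=node_prefix), nodes)]

# Ranges quoted in this section; the dictionary keys are labels chosen here.
PLAN = {
    "vpc": "10.0.0.0/16",
    "k8s-pods": "10.244.0.0/16",
    "k8s-services": "10.96.0.0/12",
    "docker-bridge": "172.17.0.0/16",
}

if __name__ == "__main__":
    print(find_overlaps(PLAN))
    print(node_pod_cidrs(PLAN["k8s-pods"], 3))
```

Adding a constructed on-premises range such as 10.100.0.0/16 to the plan is reported as a conflict, because the service CIDR 10.96.0.0/12 spans 10.96.0.0 through 10.111.255.255.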
VLANs vs subnets — network segmentation strategies
VLANs (Virtual LANs, IEEE 802.1Q) and IP subnets are two different but complementary mechanisms for network segmentation. VLANs operate at Layer 2 (the data link layer) and segment broadcast domains at the Ethernet level. IP subnets operate at Layer 3 (the network layer) and define IP routing boundaries. In practice, each VLAN is almost always mapped 1:1 to an IP subnet.
A typical enterprise network might have: VLAN 10 → 192.168.10.0/24 (employee workstations), VLAN 20 → 192.168.20.0/24 (IP phones and video conferencing), VLAN 30 → 192.168.30.0/24 (servers), VLAN 40 → 192.168.40.0/24 (guest Wi-Fi — isolated from internal). Traffic between VLANs requires routing (typically by a Layer 3 switch or firewall), which allows access control policies to be enforced between segments.
VLSM (Variable Length Subnet Masking) takes CIDR further by using different prefix lengths within the same address space. For example, a /24 allocated to an office might be divided into a /26 for servers (62 IPs), two /27s for workstations (30 IPs each), and a /28 for printers (14 IPs) — allocating exactly as many addresses as each segment needs without wasting IP space.
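The VLSM split described above, computed from host counts rather than chosen by hand. This is an added example, not code from this page; the parent block 192.168.1.0/24, the segment names and the function names are assumptions, and the allocator places the largest segments first so each block starts on a boundary of its own size.

```python
# Added example: a largest-first VLSM allocator for IPv4.
import ipaddress

def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose usable range, 2^(32 - prefix) - 2, holds `hosts`."""
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = (hosts + 1).bit_length()  # smallest n with 2^n >= hosts + 2
    return 32 - host_bits

def vlsm_allocate(block: str, needs: dict) -> dict:
    """Map each segment name to a subnet carved out of `block`."""
    parent = ipaddress.ip_network(block, strict=True)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    plan = {}
    # sorted() is stable, so segments of equal size keep their input order.
    for name, hosts in sorted(needs.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if cursor + size > end:
            raise ValueError(f"{block} cannot fit {name} ({hosts} hosts)")
        # The (int, prefix) form raises if the block were misaligned.
        plan[name] = str(ipaddress.ip_network((cursor, prefix)))
        cursor += size
    return plan

# Host counts from the paragraph above; the names are labels chosen here.
OFFICE = {"servers": 62, "workstations-a": 30, "workstations-b": 30, "printers": 14}

if __name__ == "__main__":
    for name, subnet in vlsm_allocate("192.168.1.0/24", OFFICE).items():
        print(f"{name:16} {subnet}")
```
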
IPv6 and CIDR — the next generation
IPv6 uses 128-bit addresses (compared to IPv4's 32 bits), providing approximately 340 undecillion (3.4 × 10³⁸) addresses — enough for every grain of sand on Earth to have its own address multiple times over. IPv6 also uses CIDR notation, but with different typical prefix sizes.
A typical IPv6 allocation hierarchy: an ISP receives a /32 from a Regional Internet Registry. The ISP allocates /48 blocks to customers. A customer's /48 provides 2¹⁶ = 65,536 possible /64 subnets. Each /64 subnet can hold 2⁶⁴ ≈ 18 quintillion addresses. The convention is to assign entire /64 subnets even to point-to-point links (where IPv4 would use a /30 with just 4 addresses). Address space is abundant enough that conservation is no longer the primary concern.
IPv6 addresses use colon-separated hexadecimal groups: 2001:db8::/32 is the documentation range (like 192.168.0.0/16 for IPv4). ::1 is the IPv6 loopback (like 127.0.0.1). fe80::/10 is the link-local range. fc00::/7 is the Unique Local Address (ULA) range — the IPv6 equivalent of RFC 1918 private addresses.
FAQ
Common questions
What is CIDR notation?
CIDR (Classless Inter-Domain Routing) notation expresses an IP address and its network prefix together. For example, 192.168.1.0/24 means the IP 192.168.1.0 with a 24-bit prefix, which translates to the subnet mask 255.255.255.0. The number after the slash specifies how many leading bits are the network portion — the remaining bits identify individual hosts.
What is a subnet mask?
A subnet mask is a 32-bit number that separates the network and host portions of an IP address. It has consecutive 1s on the left and 0s on the right. 255.255.255.0 (/24) means the first 24 bits are the network address and the last 8 bits are for hosts (256 addresses, 254 usable). 255.255.0.0 (/16) gives 65,536 addresses. Subnet masks are equivalent to CIDR prefixes.
How many usable hosts does a /24 subnet have?
A /24 subnet (255.255.255.0) has 2⁸ = 256 total addresses, but two are reserved: the network address (all host bits = 0, e.g., 192.168.1.0) and the broadcast address (all host bits = 1, e.g., 192.168.1.255). That leaves 254 usable host addresses. As a general rule: usable hosts = 2^(32 − prefix) − 2, except for /31 (point-to-point links, RFC 3021) and /32 (single host).
What is a broadcast address?
The broadcast address is the last address in a subnet — all host bits are set to 1. Packets sent to the broadcast address are delivered to every host on that subnet. For 192.168.1.0/24, the broadcast address is 192.168.1.255. Routers do not forward broadcast packets between subnets, which is why large networks are divided into smaller subnets.
What are private IP address ranges?
RFC 1918 defines three private IP ranges not routed on the public internet: 10.0.0.0/8 (10.0.0.0–10.255.255.255, ~16.7 million addresses), 172.16.0.0/12 (172.16.0.0–172.31.255.255, ~1 million addresses), and 192.168.0.0/16 (192.168.0.0–192.168.255.255, ~65,000 addresses). These are used for home networks, corporate intranets, and cloud VPCs (Virtual Private Clouds).
What is a wildcard mask?
A wildcard mask is the bitwise inverse of a subnet mask. Where the subnet mask has 1s (network bits), the wildcard mask has 0s; where the subnet mask has 0s (host bits), the wildcard mask has 1s. For a /24 subnet, the wildcard mask is 0.0.0.255. Wildcard masks are used in Cisco ACLs (access control lists) and OSPF routing configurations to match ranges of IP addresses.
What is the difference between /30, /31, and /32?
A /30 subnet has 4 addresses (2 usable) — the minimum for a point-to-point WAN link in traditional networking. A /31 subnet (RFC 3021) has 2 addresses and both can be assigned to hosts on a point-to-point link — no broadcast is needed. A /32 is a host route representing a single IP address with no subnet (used for loopback interfaces and static routes to specific hosts). Prefix lengths of /31 and /32 are exceptions to the "subtract 2 for broadcast/network" rule.
How does subnetting help network design?
Subnetting divides a large IP block into smaller networks to improve security, performance, and manageability. Benefits include: broadcast domain isolation (fewer devices receive each broadcast), security segmentation (firewall rules between subnets), efficient IP allocation (assign only as many addresses as needed), and simplified routing (aggregate routes reduce routing table size). VLSM (Variable Length Subnet Masking) lets you use different prefix lengths within the same network for maximum efficiency.