CIDR, Subnetting, and VLSM

A subnet mask is just a 32-bit AND. Everything else — usable hosts, broadcast, wildcard, magic-number trick, VLSM packing — falls out of that. Plus the /31 exception for point-to-point links, why CIDR replaced classes in 1993, the inverted-logic Cisco wildcard masks for ACLs and OSPF, and what changes in IPv6 (no broadcast, mandatory /64 for SLAAC, /127 for router-to-router links).

An IPv4 address is 32 bits. A subnet mask is 32 bits. CIDR notation (192.168.1.0/24) is just a compact way of saying "the first 24 bits are the network, the last 8 are hosts." If that one sentence clicks, you already understand 80% of subnetting — everything else is mechanics. The mystique comes from how networking certifications teach the topic (memorize dotted-decimal masks like 255.255.255.224, drill the magic-number trick, repeat) when the underlying operation is a single bitwise AND. This guide walks the math from first principles, explains why VLSM exists (right-sizing subnets), shows the wildcard mask trick that ACLs and OSPF use, and covers what changes for IPv6 — where the /64 boundary is doing more work than most engineers realize.

The 32-bit Picture

An IPv4 address 192.168.1.55 is just four bytes:

192.168.1.55
= 11000000.10101000.00000001.00110111
= 0xC0A80137
= 3232235831 (decimal)

A /24 mask is 24 ones followed by 8 zeros:

/24
= 11111111.11111111.11111111.00000000
= 255.255.255.0

The network address is address AND mask:

  11000000.10101000.00000001.00110111   (192.168.1.55)
& 11111111.11111111.11111111.00000000   (/24 mask)
= 11000000.10101000.00000001.00000000   (192.168.1.0)

The broadcast address is network OR (NOT mask) — flip the mask to find host bits, then set them all to 1:

  11000000.10101000.00000001.00000000   (network)
| 00000000.00000000.00000000.11111111   (~mask = host bits)
= 11000000.10101000.00000001.11111111   (192.168.1.255)

Usable hosts = 2^h - 2 where h is the number of host bits, minus 2 because the all-zeros host (network address) and all-ones host (broadcast address) are reserved. For /24 with 8 host bits: 2^8 - 2 = 254 usable hosts.

The IP Calculator does all of this for any CIDR you paste in. The point of doing it by hand once is to recognize that the operations are trivial — a single AND, a single OR, two decimals — and the only thing that varies is where the bit boundary sits.

The /31 and /32 Exceptions

The "subtract 2" rule has two exceptions worth knowing:

  • /32 is a host route — a single address, no subnet. Used in loopback interfaces, DNS A records pointing at a specific endpoint, and BGP host-route advertisements.
  • /31 is a point-to-point link with 2 usable hosts instead of 0. RFC 3021 (2000) explicitly redefined the /31 case for point-to-point links because the original "subtract 2" rule wastes half your addresses on a serial link that only has two endpoints. Cisco, Juniper, and Arista all honor RFC 3021; you can configure ip address 10.0.0.1 255.255.255.254 on one end and 10.0.0.0 on the other and it just works. Use this for every router-to-router link in a service provider network and you cut your point-to-point IP consumption by 50%.
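The bit operations from the previous section and the /31 and /32 exceptions above, carried out as plain 32-bit integer arithmetic. This is an added example, not the IP Calculator's code: `describe()` takes any IPv4 CIDR string, computes network = addr AND mask, wildcard = NOT mask, broadcast = network OR wildcard, and applies the RFC 3021 rule for /31 and the host-route rule for /32 when counting usable hosts.

```python
"""IPv4 subnet arithmetic from first principles (added example, not the IP
Calculator's code). Only the operations described in the text are used: a
bitwise AND for the network, a bitwise OR with the inverted mask for the
broadcast, and 2**h - 2 usable hosts with the /31 and /32 exceptions."""


def to_int(dotted: str) -> int:
    """'192.168.1.55' -> 0xC0A80137, validating each octet is 0..255."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {o}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: `prefix` ones followed by (32 - prefix) zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix must be 0..32, got {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def usable_hosts(prefix: int) -> int:
    """2**h - 2, except /32 (host route, 1 address) and /31 (RFC 3021, both usable)."""
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2
    return 2 ** (32 - prefix) - 2


def describe(cidr: str) -> dict:
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    addr = to_int(addr_str)
    mask = mask_from_prefix(prefix)
    network = addr & mask                  # address AND mask
    wildcard = ~mask & 0xFFFFFFFF          # NOT mask: the host bits, all set
    top = network | wildcard               # network OR host bits: last address in block
    result = {
        "network": to_dotted(network),
        "mask": to_dotted(mask),
        "wildcard": to_dotted(wildcard),
        "usable": usable_hosts(prefix),
    }
    if prefix <= 30:
        # classic case: all-zeros host is the network, all-ones host is broadcast
        result["broadcast"] = to_dotted(top)
        result["first_host"] = to_dotted(network + 1)
        result["last_host"] = to_dotted(top - 1)
    elif prefix == 31:
        # RFC 3021 point-to-point: no broadcast, both addresses are endpoints
        result["broadcast"] = None
        result["first_host"] = to_dotted(network)
        result["last_host"] = to_dotted(top)
    else:
        # /32 host route: the single address is the host
        result["broadcast"] = None
        result["first_host"] = result["last_host"] = to_dotted(network)
    return result


if __name__ == "__main__":
    for cidr in ("192.168.1.55/24", "10.0.0.1/31", "10.1.2.3/32"):
        print(cidr, describe(cidr))
```

Running it on the article's own address reproduces the hand-worked result (network 192.168.1.0, broadcast 192.168.1.255, 254 usable), and 10.0.0.1/31 comes out with 10.0.0.0 and 10.0.0.1 both usable and no broadcast.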

CIDR Replaced Classes — Why

Pre-1993, IPv4 was split into "classes" based on the leading bits:

Class   Leading bits   First octet   Implied mask           Usable hosts
A       0...           1–126         /8  (255.0.0.0)        16,777,214
B       10...          128–191       /16 (255.255.0.0)      65,534
C       110...         192–223       /24 (255.255.255.0)    254
D       1110...        224–239       (multicast)
E       1111...        240–255       (reserved)

This was catastrophic for address waste. A company with 300 hosts couldn't fit in a Class C (254 hosts) so it got a Class B (65,534 hosts) and wasted 65,234 of them. A company with 70,000 hosts had to chain together Class Bs. By 1992, IANA was projecting IPv4 exhaustion in 1995 driven mostly by Class B starvation.

CIDR (Classless Inter-Domain Routing, RFC 1519, 1993) threw out the classes. Any prefix length from /1 to /32 became valid. A 300-host company gets a /23 (510 usable). A 70,000-host company gets a /16 (65,534) or a couple of /17s. The waste collapsed and IPv4 exhaustion was pushed back ~15 years. The classes still exist nominally — RFC 791 was never withdrawn — but every routing protocol since 1995 has been classless.

VLSM — The Trick That Makes Subnetting Useful

You have a /24 (10.0.0.0/24, 256 addresses) and you need to allocate:

  • A LAN with 100 hosts
  • A LAN with 50 hosts
  • A LAN with 20 hosts
  • A LAN with 6 hosts
  • Three point-to-point links with 2 hosts each

Fixed-size subnetting forces you to pick one prefix and stamp it everywhere. The cheapest mask that fits 100 hosts is /25 (126 usable) — but you only have room for two /25s in your /24, not seven networks. You're out of addresses before you've even started.

VLSM (Variable Length Subnet Masking) lets you size each subnet to its actual need. Sort the requirements largest-first, allocate the biggest block first to minimize fragmentation:

Network   Hosts needed   Subnet           Range          Usable
LAN A     100            10.0.0.0/25      .0 – .127      .1 – .126    (126 hosts)
LAN B     50             10.0.0.128/26    .128 – .191    .129 – .190  (62 hosts)
LAN C     20             10.0.0.192/27    .192 – .223    .193 – .222  (30 hosts)
LAN D     6              10.0.0.224/29    .224 – .231    .225 – .230  (6 hosts)
P2P 1     2              10.0.0.232/30    .232 – .235    .233 – .234  (2 hosts)
P2P 2     2              10.0.0.236/30    .236 – .239    .237 – .238  (2 hosts)
P2P 3     2              10.0.0.240/30    .240 – .243    .241 – .242  (2 hosts)

You've used 244 of your 256 addresses across seven distinct subnets. 12 addresses remain — enough for one more /29 if you need it. This is "binary packing" and it's why VLSM is fundamental to enterprise networking.
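The largest-first packing described above, as an added example (not the IP Calculator's code; the article notes the tool does not do host-count planning). `allocate()` sorts the requirements by host count descending, picks the smallest block whose usable count fits each one, and lays blocks end to end. Because sizes are non-increasing powers of two, every block lands on its own alignment boundary; the function checks that anyway so a bug shows up as an error instead of an invalid subnet. It sizes 2-host links as /30, matching the article's table, rather than using the /31 exception.

```python
"""Largest-first VLSM allocation (added example, not the IP Calculator's code).
Each requirement gets the smallest block whose 2**h - 2 usable hosts fits it,
allocated in descending size order so blocks stay aligned."""


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest block) with at least `hosts` usable addresses."""
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = 2                      # /30 is the smallest block under the subtract-2 rule
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def allocate(base_cidr: str, requirements):
    """requirements: iterable of (name, hosts). Returns (plan, addresses left over)."""
    base_str, base_prefix = base_cidr.split("/")
    base_prefix = int(base_prefix)
    o = [int(x) for x in base_str.split(".")]
    base = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]
    base &= (0xFFFFFFFF << (32 - base_prefix)) & 0xFFFFFFFF   # normalize to network address
    end = base + 2 ** (32 - base_prefix)

    plan = []
    cursor = base
    # sorted() is stable, so equal-sized requirements keep their listed order
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        if cursor % size:
            raise RuntimeError(f"{name}: cursor {dotted(cursor)} not aligned to /{prefix}")
        if cursor + size > end:
            raise ValueError(f"{name}: out of space in {base_cidr}")
        plan.append({
            "name": name,
            "hosts": hosts,
            "subnet": f"{dotted(cursor)}/{prefix}",
            "range": f"{dotted(cursor)} - {dotted(cursor + size - 1)}",
            "usable_range": f"{dotted(cursor + 1)} - {dotted(cursor + size - 2)}",
            "usable": size - 2,
        })
        cursor += size
    return plan, end - cursor


# constructed input: the article's seven requirements against 10.0.0.0/24
REQUIREMENTS = [
    ("LAN A", 100), ("LAN B", 50), ("LAN C", 20), ("LAN D", 6),
    ("P2P 1", 2), ("P2P 2", 2), ("P2P 3", 2),
]

if __name__ == "__main__":
    plan, left = allocate("10.0.0.0/24", REQUIREMENTS)
    for row in plan:
        print(f"{row['name']:6} {row['subnet']:16} {row['usable_range']:28} ({row['usable']} hosts)")
    print(f"{left} addresses left")
```

Fed the article's requirements, the output is the table above line for line, with 12 addresses left over; pass it a /24 and a requirement list that does not fit and it raises instead of silently overlapping.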

The trap: VLSM requires a routing protocol that carries the prefix length per route. RIP version 1 doesn't (it's classful). RIP version 2, OSPF, EIGRP, BGP, IS-IS all do. If you find yourself unable to use VLSM in 2026, you're running RIPv1 — which has bigger problems than subnetting.

Wildcard Masks — Where Cisco's Inverted Logic Bites

Cisco ACLs and OSPF network statements take a wildcard mask instead of a subnet mask. A wildcard mask is the bitwise complement of the subnet mask:

Subnet mask /24:  255.255.255.0
                = 11111111.11111111.11111111.00000000
Wildcard:         0.0.0.255
                = 00000000.00000000.00000000.11111111

Where the wildcard bit is 0, the address bit must match exactly. Where the wildcard bit is 1, the address bit can be anything. This is the same information as a subnet mask, just inverted.

ACLs:

access-list 10 permit 192.168.1.0 0.0.0.255   ! all of 192.168.1.0/24
access-list 10 permit 10.0.0.0 0.255.255.255  ! all of 10.0.0.0/8
access-list 10 permit 10.1.2.3 0.0.0.0        ! exactly host 10.1.2.3

The wildcard mask isn't required to be contiguous. 0.0.0.254 is a legal wildcard that matches all even-numbered hosts in the last octet — bits in the wildcard are 11111110, so the low bit must be 0 (i.e., even). This is occasionally clever for ACL compression but mostly a source of bugs because most engineers stopped thinking about non-contiguous masks years ago. OSPF, in contrast, only accepts contiguous wildcards (it derives the prefix length from the leading zero count).
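The matching rule stated above ("0 means must match, 1 means anything"), as an added example that is not Cisco's or the IP Calculator's code. An address matches when the bits that differ from the pattern all fall under wildcard ones, i.e. `(addr XOR pattern) AND (NOT wildcard) == 0`; that single expression handles the non-contiguous 0.0.0.254 case as naturally as the contiguous ones. `is_contiguous()` is the check OSPF effectively applies, and `acl_permits()` evaluates a list of entries first-match with the implicit deny at the end. The ACL entries are constructed to mirror the access-list 10 lines above.

```python
"""Cisco-style wildcard matching, including non-contiguous wildcards
(added example, not Cisco's or the IP Calculator's code)."""


def to_int(dotted: str) -> int:
    o = [int(x) for x in dotted.split(".")]
    if len(o) != 4 or not all(0 <= n <= 255 for n in o):
        raise ValueError(f"bad dotted quad: {dotted}")
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def wildcard_from_prefix(prefix: int) -> str:
    """/24 -> '0.0.0.255': the bitwise complement of the subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return to_dotted(~mask & 0xFFFFFFFF)


def wildcard_matches(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, 1 = don't care."""
    care = ~to_int(wildcard) & 0xFFFFFFFF           # bits that must match exactly
    return (to_int(addr) ^ to_int(pattern)) & care == 0


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is zeros followed by ones (derived from a real prefix)."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0                      # 0...01...1 plus one is a power of two


def prefix_from_wildcard(wildcard: str) -> int:
    """What OSPF does: derive the prefix length, rejecting non-contiguous wildcards."""
    if not is_contiguous(wildcard):
        raise ValueError(f"{wildcard} is not contiguous; OSPF network statements reject it")
    return 32 - to_int(wildcard).bit_length()


def acl_permits(acl, addr: str) -> bool:
    """First matching entry decides; no match means the implicit deny at the end."""
    for action, pattern, wildcard in acl:
        if wildcard_matches(addr, pattern, wildcard):
            return action == "permit"
    return False


# constructed entries mirroring the access-list 10 lines in the text
ACL_10 = [
    ("permit", "192.168.1.0", "0.0.0.255"),      # all of 192.168.1.0/24
    ("permit", "10.0.0.0", "0.255.255.255"),     # all of 10.0.0.0/8
    ("permit", "10.1.2.3", "0.0.0.0"),           # exactly host 10.1.2.3
]

if __name__ == "__main__":
    for addr in ("192.168.1.77", "10.200.1.1", "172.16.0.1"):
        print(addr, "permit" if acl_permits(ACL_10, addr) else "deny (implicit)")
    # the even-hosts wildcard from the text: 44 matches, 45 does not
    print(wildcard_matches("192.168.1.44", "192.168.1.0", "0.0.0.254"),
          wildcard_matches("192.168.1.45", "192.168.1.0", "0.0.0.254"))
```

Note that the third ACL entry is redundant: 10.1.2.3 is already covered by the 10.0.0.0/8 line, so first-match ordering means it never fires. Spotting that kind of shadowed entry is exactly the sort of thing the XOR/AND formulation makes mechanical.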

The IP Calculator outputs both the subnet mask and the wildcard mask for every CIDR, so you can copy-paste into either Cisco or Linux/iptables syntax without re-doing the inversion in your head.

The Magic-Number Trick (For When You Don't Have a Calculator)

If you only need the subnet boundary in the relevant octet, the shortcut is:

  1. Pick the octet where the prefix length falls (for /25-/30 that's octet 4, for /17-/24 that's octet 3, etc.).
  2. Compute magic = 256 - (mask value in that octet).
  3. Subnets in that octet start at multiples of magic.

For /27 (mask 255.255.255.224): magic = 256 - 224 = 32. Subnets are .0, .32, .64, .96, .128, .160, .192, .224. An address like 192.168.1.100/27 sits in the .96 subnet (because 96 ≤ 100 < 128), with broadcast .127 and usable range .97 – .126. You can do this in your head in 5 seconds with practice; CCNA exams test this exclusively for a reason.
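The three steps above written out as a function, as an added example (not the IP Calculator's code). `magic_number()` finds the octet the prefix falls in, computes the mask octet and the magic number, and derives the subnet start and broadcast by octet arithmetic alone; `bitwise_network()` is the AND version, kept only to show the two agree. It generalizes slightly beyond the text's /17–/30 examples to any prefix whose boundary sits inside octets 2, 3 or 4.

```python
"""The magic-number shortcut (added example, not the IP Calculator's code):
locate the octet, magic = 256 - mask octet, subnets start at multiples of magic."""


def magic_number(cidr: str) -> dict:
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 9 <= prefix <= 30:
        raise ValueError("shortcut applies to /9../30; use full bit math for other prefixes")
    octets = [int(o) for o in addr_str.split(".")]

    # step 1: the octet holding the boundary (/9-/16 -> 2, /17-/24 -> 3, /25-/30 -> 4)
    idx = (prefix - 1) // 8                       # 0-based index into octets
    bits_in_octet = prefix - 8 * idx              # network bits inside that octet
    mask_octet = (0xFF << (8 - bits_in_octet)) & 0xFF

    # step 2: magic = 256 - mask octet
    magic = 256 - mask_octet

    # step 3: the subnet starts at the largest multiple of magic <= the address octet;
    # octets left of the boundary are copied, octets right of it are 0 / 255
    start = (octets[idx] // magic) * magic
    network = octets[:idx] + [start] + [0] * (3 - idx)
    broadcast = octets[:idx] + [start + magic - 1] + [255] * (3 - idx)
    return {
        "octet": idx + 1,
        "mask_octet": mask_octet,
        "magic": magic,
        "boundaries": list(range(0, 256, magic)),
        "network": ".".join(map(str, network)),
        "broadcast": ".".join(map(str, broadcast)),
    }


def bitwise_network(cidr: str) -> str:
    """Cross-check: the same answer via address AND mask."""
    addr_str, prefix_str = cidr.split("/")
    o = [int(x) for x in addr_str.split(".")]
    addr = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]
    mask = (0xFFFFFFFF << (32 - int(prefix_str))) & 0xFFFFFFFF
    net = addr & mask
    return ".".join(str((net >> s) & 0xFF) for s in (24, 16, 8, 0))


if __name__ == "__main__":
    for cidr in ("192.168.1.100/27", "172.16.37.5/20"):
        r = magic_number(cidr)
        print(cidr, "octet", r["octet"], "magic", r["magic"],
              r["network"], "-", r["broadcast"], "| AND gives", bitwise_network(cidr))
```

For 192.168.1.100/27 it reports octet 4, magic 32, network 192.168.1.96 and broadcast 192.168.1.127, the same values worked by hand above; for a /20 the boundary octet is the third and the fourth octet is filled with 0 or 255, which is the two-octet bookkeeping the next paragraph warns about.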

The trick stops being useful past /24 because once the boundary crosses an octet you have to think about two octets at once, at which point a calculator beats mental arithmetic.

IPv6 — What Actually Changes

IPv6 addresses are 128 bits, written as eight 16-bit hex groups: 2001:0db8:0000:0000:0000:0000:0000:0001. Compressed: 2001:db8::1 (leading zeros dropped, longest run of all-zero groups replaced with ::, exactly once per address).

The math is identical to IPv4 — bitwise AND for network, bitwise OR with inverted mask for broadcast, except IPv6 has no broadcast. Multicast covers the broadcast use cases (ff02::1 is "all nodes on this link"). This means the "subtract 2 for network + broadcast" rule disappears: in IPv6, every address in a subnet is usable, including the all-zeros host (the subnet-router anycast address, defined by RFC 4291) and the all-ones host.

The big practical difference is the /64 boundary. RFC 4291 mandates that the lower 64 bits of every "regular" IPv6 subnet are reserved for the Interface Identifier (the host portion). SLAAC (Stateless Address Autoconfiguration), EUI-64, and privacy extensions all assume /64. If you allocate a /80 or /96 thinking you're conserving addresses, you break SLAAC on that subnet. The conservation argument doesn't apply anyway — your ISP gives you a /48 or /56, which is 65,536 or 256 /64 subnets respectively. You have so much address space that subnet-level conservation is meaningless.

The exception: point-to-point links between routers can use /127, because there's no host on a router-to-router link to autoconfigure. RFC 6164 (2011) blessed this explicitly. Don't use /127 on a LAN; do use it on a serial link.
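The IPv6 rules from this section in code, as an added example (not the IP Calculator's code): expansion and compression following the two rules stated above (leading zeros dropped, the longest all-zero run replaced by `::` exactly once) plus the RFC 5952 tie-breaks the text does not spell out (a single zero group is not compressed; on equal-length runs the first wins); the network via the same bitwise AND as IPv4, with no broadcast and every address in the block counted as usable; and a prefix sanity check that flags anything other than /64 on a SLAAC LAN and anything other than /127 on a router-to-router link. `check_prefix()` and its `link_type` labels are this example's own convention.

```python
"""IPv6 subnet handling (added example, not the IP Calculator's code):
expand/compress text form, network = addr AND mask, no broadcast,
and the /64 (SLAAC, RFC 4291) and /127 (router links, RFC 6164) checks."""


def parse_ipv6(text: str) -> int:
    """Expand 'a::b' to eight groups and return the 128-bit integer."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    value = 0
    for g in groups:
        n = int(g, 16)
        if not 0 <= n <= 0xFFFF:
            raise ValueError(f"group out of range: {g}")
        value = (value << 16) | n
    return value


def compress_ipv6(value: int) -> str:
    """Canonical text form: drop leading zeros, '::' for the longest zero run (first wins)."""
    groups = [(value >> (16 * i)) & 0xFFFF for i in range(7, -1, -1)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:                 # strictly longer, so ties keep the first run
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]      # format() drops leading zeros
    if best_len < 2:                             # RFC 5952: never '::' for a single zero group
        return ":".join(hexs)
    head = ":".join(hexs[:best_start])
    tail = ":".join(hexs[best_start + best_len:])
    return f"{head}::{tail}"


def ipv6_network(cidr: str) -> dict:
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 128:
        raise ValueError(f"prefix must be 0..128, got {prefix}")
    all_ones = (1 << 128) - 1
    mask = all_ones ^ ((1 << (128 - prefix)) - 1)   # prefix ones, then zeros
    network = parse_ipv6(addr) & mask
    return {
        "network": f"{compress_ipv6(network)}/{prefix}",
        "addresses": 2 ** (128 - prefix),   # all usable: IPv6 has no broadcast address
        "broadcast": None,
    }


def check_prefix(prefix: int, link_type: str) -> str:
    """link_type 'lan' = hosts using SLAAC, 'p2p' = router-to-router link."""
    if link_type == "lan" and prefix != 64:
        return f"/{prefix} breaks SLAAC; LAN subnets must be /64 (RFC 4291)"
    if link_type == "p2p" and prefix != 127:
        return f"/{prefix} on a router-to-router link; RFC 6164 blesses /127"
    return "ok"


if __name__ == "__main__":
    print(compress_ipv6(parse_ipv6("2001:0db8:0000:0000:0000:0000:0000:0001")))
    print(ipv6_network("2001:db8:abcd:1234:5678::9/64"))
    print(check_prefix(80, "lan"), "|", check_prefix(127, "p2p"))
```

The 2001:0db8:...:0001 example from the text compresses to 2001:db8::1, and a /64 reports 2^64 addresses with no broadcast; the same functions return `::` for the unspecified address and keep a lone zero group as `0`, which is where hand-rolled compressors most often go wrong.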

The Honest Limitations

The IP Calculator handles IPv4 and IPv6 CIDRs, computes network/broadcast/wildcard/usable hosts, splits a subnet into N equal smaller subnets (VLSM by power-of-2), and converts an arbitrary IP range to its minimum CIDR set. It does not do VLSM-by-host-count planning — i.e., "here's a /22 and a list of subnets I need; lay them out for me." That's a knapsack problem and the answer is usually obvious enough by hand for typical 5-10 subnet plans. It also doesn't validate against private vs public ranges or check for collisions with reserved blocks (0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16 link-local, 224.0.0.0/4 multicast, 240.0.0.0/4 reserved); the tool computes what you ask, not what you should be asking.

For IPv6, the calculator handles standard global unicast and ULA (fc00::/7) but doesn't decode the embedded fields in 6to4 (2002::/16), Teredo (2001::/32), or ISATAP — those are essentially obsolete migration technologies and rarely come up.

TL;DR

A CIDR prefix /n says "first n bits are network, last (32-n) are host." Network address = addr AND mask. Broadcast = network OR ~mask. Usable hosts = 2^(32-n) - 2, except /31 (which is 2 hosts per RFC 3021) and /32 (host route). VLSM lets you right-size each subnet by sorting largest-first and packing binary boundaries — fundamental for any allocation past 5 subnets. Wildcard masks are subnet masks with the bits flipped; Cisco ACLs and OSPF want them in this form. The magic-number trick (256 - mask-octet) gives you subnet boundaries in your head. IPv6 keeps the math but drops broadcast and mandates /64 for any subnet running SLAAC. Use the IP Calculator when you're tired of doing this in your head.