CIDR is one of those things you re-learn every six months because you don't use it often enough to keep it fresh. The maths is simple, but it's bit-counting maths, and bit-counting maths is exactly the kind of thing your brain refuses to retain.
This is the cheat sheet worth printing. After this, you should be able to look at a /26 and know what it means without reaching for a calculator.
The structure of a CIDR
10.0.0.0/24 says two things:
- The network address is
10.0.0.0. - The first 24 bits of any IP in that network are fixed — they are the "network bits" — and the remaining 8 bits are free for hosts.
That's it. Everything else falls out of those two facts.
An IPv4 address is 32 bits total. If /24 of those are the network, then 32 - 24 = 8 bits are host. 2^8 = 256 addresses in the network. Subtract two (network address + broadcast) for the usable host count: 254.
Once you internalise that one calculation — prefix length → number of addresses — the rest of subnetting follows.
The four prefix lengths worth memorising
You don't need to know every prefix length. You need to know four, and you can derive the rest by doubling or halving.
| Prefix | Addresses | Usable hosts | What it's used for |
|---|---|---|---|
/30 | 4 | 2 | Point-to-point links between routers |
/29 | 8 | 6 | Small VLAN, IoT cluster |
/24 | 256 | 254 | Classic office subnet, one per floor or department |
/16 | 65,536 | 65,534 | Whole datacenter, large campus |
Memorise those four. Every other prefix length is just one of these halved or doubled:
/25is half a/24→ 128 addresses/26is a quarter of/24→ 64 addresses/23is two/24s → 512 addresses/17is half a/16→ 32,768 addresses
When someone says "the new branch office gets a /22," your mental shortcut is: that's four /24s, so about 1,000 hosts. Probably right-sized for a few hundred employees plus IoT.
The fast way to read any CIDR
The shortcut for any IPv4 CIDR:
- Subtract the prefix length from 32. That's how many host bits there are.
2^(host bits)= total addresses.- Subtract 2 for the usable count (unless
/31or/32, which are special cases for point-to-point).
/27: 32-27 = 5 host bits. 2^5 = 32 addresses. 30 usable hosts. About the size of a small office subnet.
/19: 32-19 = 13 host bits. 2^13 = 8,192 addresses. 8,190 usable. A medium-sized site.
You'll get fast at this with practice. Until then, use a subnet calculator — it gives you network address, broadcast, range, wildcard mask, and binary mask in one shot.
Subnet boundaries are not arbitrary
A common mistake when designing subnets is choosing boundaries that don't align with the bit boundaries. Subnets must start at an address that is a multiple of the subnet size.
A /24 must start at an address ending in .0. So 10.0.0.0/24 works but 10.0.0.128/24 does not exist — it's a malformed subnet.
A /25 must start at an address ending in .0 or .128 (the two halves of a /24). So 10.0.0.0/25 and 10.0.0.128/25 are both valid.
A /26 must start at .0, .64, .128, or .192. And so on, halving each time.
This is why you cannot, for example, allocate a /24 "starting at 10.0.0.10." Subnet boundaries have to fall on natural divisions. If you need 50 hosts and you want to start at .10, you can't — you'd have to choose either a /26 starting at .0 (which fits 62 hosts, including .10) or accept that your subnet starts at .0, not at .10.
Network and broadcast addresses
In every subnet, the first and last addresses are reserved.
- The first address (all host bits zero) is the network address. This is the address you write the subnet as.
- The last address (all host bits one) is the broadcast address. Sending a packet here delivers it to every host in the subnet.
So in 10.0.0.0/24:
- Network:
10.0.0.0 - Broadcast:
10.0.0.255 - First usable host:
10.0.0.1 - Last usable host:
10.0.0.254
This is why "usable hosts" is always two fewer than "total addresses" for any subnet /30 or larger.
/31 and /32 are special:
/32is a single address — used for loopback interfaces, anycast points, or specific host routes./31is two addresses with no reserved network/broadcast — used for point-to-point links between routers (RFC 3021). Both addresses are usable.
Common production mistakes
These are the subnetting mistakes that cause real outages.
Overlapping subnets
You allocate 10.0.0.0/22 to office A and 10.0.0.0/24 to office B. These overlap — 10.0.0.0/24 is a subset of 10.0.0.0/22. Routing tables become non-deterministic and packets land at the wrong destination.
Fix: maintain a single source of truth for allocations. Most teams use a simple spreadsheet for small networks, or a proper IPAM tool (phpIPAM, NetBox, Infoblox) for larger ones.
Subnet too small for growth
You allocate a /29 (6 hosts) for "this small IoT deployment" and a year later there are 14 IoT devices that need to share that subnet. Now you're renumbering.
Fix: when in doubt, size up. Address space is cheap. A /26 (62 hosts) for a deployment that might grow to 30 is not waste; it's room to breathe.
Misaligned boundaries in firewall rules
You write a firewall rule that allows 10.0.0.0/24 to talk to 10.0.1.0/24 but you actually meant the whole "office network." Now you're missing 10.0.2.0/24 and 10.0.3.0/24 because someone allocated those later.
Fix: allocate larger umbrella subnets up front and write firewall rules against the umbrella. If "office network" should mean 10.0.0.0/22, use that in firewall rules and let individual offices live as /24s within it.
Forgetting IPv6 entirely
This isn't a subnetting mistake so much as a planning mistake, but it shows up the same way. You design your network for IPv4 and IPv6 is "we'll add it later." Two years later you're trying to add IPv6 to a network that wasn't designed for it.
Fix: every new subnet allocation should have a corresponding IPv6 prefix planned at the same time, even if you don't deploy it immediately. IPv6 subnets are typically /64 per VLAN and the math is trivial because you always have so much address space.
Reading routing tables
Once you can read CIDR notation comfortably, routing tables become readable too. A line like:
10.0.0.0/16 via 192.168.1.1 dev eth0
means "anything in the 10.0.0.0/16 network (65,536 addresses) should go to 192.168.1.1 via the eth0 interface." When troubleshooting a routing issue, the question is always "which is the most specific matching route?" 10.0.0.0/24 is more specific than 10.0.0.0/16 — if both routes exist, the /24 wins for any address in its range.
The takeaway
Subnetting is bit-counting plus three reserved-address rules. Memorise four prefix lengths (/30, /29, /24, /16), learn the halving/doubling shortcut, respect subnet boundaries, and use a subnet calculator when you need to triple-check.
Get good enough that you can read /27 and immediately know it means about 30 hosts. That alone will save you from 80% of the subnetting mistakes you'd otherwise make.