Anyone who has touched a firewall rule, configured a VPC, or read a routing table has run into something like 10.0.0.0/16 or 255.255.255.0. These are subnet masks and CIDR notation — two ways of expressing the same idea: “this IP address belongs to a group of addresses defined by a prefix.”
This post is a no-fluff explanation for developers who keep nodding along when network people throw around /24 and /16 without ever feeling sure what those numbers actually mean. We’ll cover what subnet masks are, how CIDR works, the mental shortcuts that make it click, and the practical places you’ll use this.
The Core Idea
An IPv4 address is 32 bits. Like 192.168.1.42 — but really it’s the 32-bit binary number 11000000.10101000.00000001.00101010.
A subnet is a contiguous range of IPs that share a common prefix. The subnet mask (or CIDR prefix length) is how you say “the first N bits are the network part; the remaining bits identify hosts within the subnet.”
192.168.1.0/24 means: the network part is the first 24 bits. The remaining 8 bits (the last octet) identify individual hosts. So this subnet contains 192.168.1.0 through 192.168.1.255: 256 addresses, of which 254 are usable (the first and last are reserved as the network and broadcast addresses).
That’s it. The whole subnet concept is “how many bits of this IP are the network, and how many are the host.”
CIDR Notation
CIDR — Classless Inter-Domain Routing — is the modern way of writing subnet boundaries. 192.168.1.0/24 is CIDR notation. The /24 is the prefix length: how many of the leading bits define the network.
A quick translation table:
| CIDR | Subnet Mask | Hosts (usable) | Typical use |
|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,214 | Very large network (whole IANA blocks) |
| /16 | 255.255.0.0 | 65,534 | Large network / VPC region |
| /20 | 255.255.240.0 | 4,094 | Medium network |
| /24 | 255.255.255.0 | 254 | Small office / home subnet |
| /27 | 255.255.255.224 | 30 | Very small subnet |
| /29 | 255.255.255.248 | 6 | Point-to-point link |
| /30 | 255.255.255.252 | 2 | Two-host network |
| /32 | 255.255.255.255 | 1 | Single host (firewall rules) |
The pattern: the prefix length increases as the subnet gets smaller. A /24 is bigger than a /27. This trips people up — bigger number ≠ bigger range.
The Mental Shortcut
Here’s the trick that makes CIDR click. Look at the prefix length as “how many bits of the address are fixed.”
- /24 = 24 bits are fixed = the network part is the first 3 octets = 192.168.1.x for any x.
- /16 = 16 bits are fixed = the network part is the first 2 octets = 10.0.x.x for any x.
- /32 = all 32 bits are fixed = a single address (192.0.2.1/32 is just 192.0.2.1).
- /0 = zero bits are fixed = literally every IPv4 address (0.0.0.0/0).
Total addresses in a subnet = 2^(32 - prefix length).
- /24 has 2^8 = 256 addresses.
- /16 has 2^16 = 65,536 addresses.
- /30 has 2^2 = 4 addresses.
- /0 has 2^32 = 4.3 billion addresses (the entire IPv4 space).
When you see /24, you immediately know “256 addresses.” When you see /16, “65,536 addresses.” This is enough for most practical purposes.
Subnet Masks (the Old Way)
Before CIDR, the same information was expressed as a subnet mask — a 32-bit number where the bits are 1 for the network part and 0 for the host part.
- /24 = subnet mask 255.255.255.0 (24 ones followed by 8 zeros).
- /16 = subnet mask 255.255.0.0 (16 ones followed by 16 zeros).
- /30 = subnet mask 255.255.255.252 (30 ones followed by 2 zeros: 11111100 for the last octet).
The subnet mask and the prefix length are the same information in two different formats. Routers care about the bits; humans usually prefer the prefix length.
Some older tools and legacy configurations only accept subnet masks, not CIDR. Knowing the correspondence is necessary for those cases.
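The prefix-length and subnet-mask arithmetic from the last two sections, written out as bit operations so nothing is hidden behind a library. This is an added example, not code from the post; the function names are my own.

```python
def ip_to_int(ip):
    """Pack a dotted quad into a 32-bit integer (192.168.1.42 -> 0xC0A8012A)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix):
    """/24 -> 255.255.255.0: `prefix` ones followed by (32 - prefix) zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask):
    """255.255.255.252 -> 30. Rejects non-contiguous masks such as 255.0.255.0,
    which legacy tools may accept but which do not describe a CIDR block."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones

def address_count(prefix):
    """Total addresses in the block: 2^(32 - prefix), usable hosts are two fewer."""
    return 1 << (32 - prefix)

def subnet_bounds(cidr):
    """(network, broadcast) of the block containing the given address/prefix."""
    ip, prefix = cidr.split("/")
    mask = ip_to_int(prefix_to_mask(int(prefix)))
    net = ip_to_int(ip) & mask
    return int_to_ip(net), int_to_ip(net | (~mask & 0xFFFFFFFF))

def in_subnet(ip, cidr):
    """True when the first `prefix` bits of ip equal those of the block."""
    net_ip, prefix = cidr.split("/")
    mask = ip_to_int(prefix_to_mask(int(prefix)))
    return (ip_to_int(ip) & mask) == (ip_to_int(net_ip) & mask)
```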
Why This Matters in Code
You’ll encounter subnets in several real engineering contexts:
Firewall and security group rules
“Allow inbound from 10.0.0.0/16” means: allow any traffic where the source IP starts with 10.0.x.x. The /16 defines how broad the allowlist is. A /32 means just one IP; a /8 means a huge swath.
Getting the prefix length wrong is a common source of security incidents. “I meant to allow our office network (one specific IP) but I wrote /16 and accidentally allowed 65,536 addresses including half the public internet.” Pay attention to the prefix length.
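A small rule audit that catches the mistake described above before it ships: it parses rules in the same shape as the post's later `allow tcp 22 from ...` lines, sizes each source range, and flags public sources broader than one host and private sources broader than a /24. Added example, not the post's code; the rule lines are constructed, and the "private" set is the RFC 1918 blocks from the post's own table.

```python
import ipaddress

# RFC 1918 blocks (from the post's private-range table); everything else is treated as public.
PRIVATE_BLOCKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules. Rule 2 is the classic slip: /16 typed where one office IP was meant.
SAMPLE_RULES = """\
allow tcp 22 from 192.0.2.10/32
allow tcp 22 from 192.0.2.10/16
allow tcp 5432 from 10.0.0.0/16
allow tcp 443 from 0.0.0.0/0
allow tcp 3306 from 203.0.113.5
"""

def parse_source(rule):
    """Source CIDR of 'allow <proto> <port> from <cidr>'. A bare IP gets the implicit
    /32; strict=False accepts host bits set under the mask (192.0.2.10/16 -> 192.0.0.0/16)."""
    src = rule.split(" from ", 1)[1].strip()
    return ipaddress.ip_network(src, strict=False)

def is_private(net):
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)

def audit_rules(text, max_private_prefix=24):
    """Return [(rule, address_count, reason)]; reason is None when the rule passes.
    Policy (an assumption for this example): public sources must be single hosts,
    private sources must not be broader than /max_private_prefix."""
    findings = []
    for line in text.strip().splitlines():
        net = parse_source(line)
        reason = None
        if net.num_addresses > 1 and not is_private(net):
            reason = f"public source spans {net.num_addresses} addresses"
        elif net.prefixlen < max_private_prefix:
            reason = f"private source broader than /{max_private_prefix}"
        findings.append((line, net.num_addresses, reason))
    return findings

def flagged(text):
    """Just the rules that need a second look."""
    return [rule for rule, _, reason in audit_rules(text) if reason]
```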
Cloud networking (VPC, subnet)
When you create a VPC on AWS, GCP, or Azure, you specify the address range (typically /16 for the whole VPC) and then subdivide it into subnets (typically /24 per availability zone). The CIDR ranges have to be chosen carefully because changing them later requires recreating the VPC.
Routing tables
A router’s table is a list of (CIDR prefix → next hop) entries. Longer prefixes are preferred (more specific). If a router has 10.0.0.0/16 → routerA and 10.0.5.0/24 → routerB, traffic to 10.0.5.7 goes to routerB (the more specific match wins).
This is called longest prefix match and is fundamental to how routers work.
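Longest prefix match over the table described above, resolved by sorting routes most-specific first so the first hit wins. Added example, not the post's code; the table is the post's two routes plus a constructed default route.

```python
import ipaddress

# Constructed routing table: the post's two routes plus a default route.
# Insertion order is irrelevant; build_table sorts by prefix length.
ROUTES = {
    "10.0.0.0/16": "routerA",
    "10.0.5.0/24": "routerB",
    "0.0.0.0/0": "default-gateway",
}

def build_table(routes):
    """Parse once and order longest prefix first, so a linear scan stops at the winner."""
    parsed = [(ipaddress.ip_network(cidr), hop) for cidr, hop in routes.items()]
    return sorted(parsed, key=lambda entry: entry[0].prefixlen, reverse=True)

def next_hop(ip, table):
    """Longest prefix match: (matching network, next hop) for the most specific
    route containing ip, or None when nothing matches (no default route present)."""
    addr = ipaddress.ip_address(ip)
    for net, hop in table:
        if addr in net:
            return net, hop
    return None

TABLE = build_table(ROUTES)

def lookup(ip, table=TABLE):
    """Next hop only, for callers that do not care which prefix matched."""
    hit = next_hop(ip, table)
    return hit[1] if hit else None
```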
BGP and the global routing table
Every prefix announced via BGP on the public internet is a CIDR block. The longest prefix typically accepted in the global table is /24 for IPv4 (256 addresses). Longer, more specific announcements (/25 and beyond) are usually filtered to keep the table size manageable.
IP allowlisting
Allowing access by IP often involves CIDR ranges. “Allow our VPN exit point: 198.51.100.0/29” defines a range of 8 IPs (one of which is the VPN exit, others are headroom for future expansion).
Tagging IP ranges in logs / analytics
When grouping log entries by network owner, you typically aggregate by CIDR prefix. “Show me all traffic from 203.0.113.0/24” gives you a manageable group, where individual IPs in that range would be noise.
Subnets in Private Address Space
There are reserved ranges that are only valid inside private networks. They never appear on the public internet:
| Range | CIDR | Common name |
|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | Class A private |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | Class B private |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | Class C private |
| 100.64.0.0 – 100.127.255.255 | 100.64.0.0/10 | CGNAT shared address space |
| 127.0.0.0 – 127.255.255.255 | 127.0.0.0/8 | Loopback (mostly 127.0.0.1) |
| 169.254.0.0 – 169.254.255.255 | 169.254.0.0/16 | Link-local |
Home routers use these ranges by default. Corporate networks carve them up into smaller subnets for different floors, departments, or security zones. Cloud VPCs use them for internal addressing.
If you see an IP in any of these ranges in production logs, it’s a private/internal IP — usually meaning the user’s traffic was misconfigured or your log is capturing internal traffic.
Worked Examples
“Allow our office (192.0.2.10) to SSH”
A /32 allows exactly one IP:
allow tcp 22 from 192.0.2.10/32
You could also write 192.0.2.10 (omitting the prefix length, implicit /32), but being explicit is better.
“Allow our datacenter range to access this database”
If your datacenter has 203.0.113.0 through 203.0.113.255, that’s a /24:
allow tcp 5432 from 203.0.113.0/24
This covers 254 usable hosts in the datacenter.
“VPC has 65,536 addresses; carve into 4 subnets”
A /16 VPC subdivided into four /18 subnets:
- 10.0.0.0/18 (16,384 addresses)
- 10.0.64.0/18 (16,384 addresses)
- 10.0.128.0/18 (16,384 addresses)
- 10.0.192.0/18 (16,384 addresses)
Total = 65,536. Each subnet has plenty of room. This is a common AWS pattern.
“Look up the AS this IP belongs to”
ASN lookups return both the IP and the announced prefix. So for 1.1.1.1, you’ll see AS13335 — 1.1.1.0/24, meaning Cloudflare announces the /24 containing that IP. The prefix tells you how big a chunk Cloudflare owns at that location.
IPv6 Subnetting
IPv6 uses the same CIDR concept but on 128-bit addresses. Some practical differences:
- Subnets are huge. A standard IPv6 subnet is /64; that’s 2^64 = 18 quintillion addresses per subnet.
- Networks are typically /48 for an organization, leaving 16 bits for subnetting (65,536 possible subnets).
- Don’t subdivide below /64. IPv6 systems assume /64 subnets for automatic configuration; smaller subnets break things.
- The math is the same: prefix length = number of fixed bits, addresses = 2^(128 - prefix).
For IPv6, you mostly think in /64 and /48 — much simpler than the IPv4 zoo of /24, /27, /29, etc.
Common Mistakes
Confusing direction
/16 is bigger than /24. Smaller number = bigger range. Mnemonic: “the prefix length is how strict the rule is. Stricter rule = fewer matches.”
Forgetting network and broadcast addresses
In an IPv4 subnet like 192.168.1.0/24, the addresses 192.168.1.0 (network) and 192.168.1.255 (broadcast) are reserved. You can’t assign them to hosts. So a /24 has 254 usable host addresses, not 256.
For /30, only 2 of the 4 are usable (one is network, one is broadcast). For /31 (RFC 3021), both are usable in point-to-point links. For /32 it’s just the one address.
Overlapping subnets
You can’t have two subnets that overlap. If your VPC defines 10.0.0.0/16 and you try to peer it with another VPC that also uses 10.0.0.0/16, the peering will fail or behave unpredictably. Coordinating IP plans across organizations is a real concern.
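Address-plan checks for the two situations above: carving the /16 VPC into the four /18 subnets from the worked example, counting how many children of a given size fit (the same formula covers the IPv6 /48-into-/64 case), and detecting overlap between blocks before a peering is attempted. Added example using the standard library, not the post's or any cloud provider's code.

```python
import ipaddress

def carve(parent, new_prefix):
    """Split a block into equal children, e.g. a /16 VPC into four /18 subnets."""
    net = ipaddress.ip_network(parent)
    return [str(child) for child in net.subnets(new_prefix=new_prefix)]

def subnet_count(parent_prefix, child_prefix):
    """How many child_prefix blocks fit in a parent_prefix block: 2^(child - parent).
    Works for IPv4 and IPv6 alike, e.g. a /48 holds 65,536 /64s."""
    if child_prefix < parent_prefix:
        raise ValueError("child prefix must be at least as long as the parent")
    return 1 << (child_prefix - parent_prefix)

def conflicts(cidrs):
    """Every pair of blocks that overlap; an empty list means the plan is clean.
    Use it on one VPC's subnets or on the CIDRs of VPCs about to be peered."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    bad = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                bad.append((str(a), str(b)))
    return bad
```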
Forgetting the implicit /32
A firewall rule with a bare IP like 203.0.113.5 is usually interpreted as /32 (single host). If you meant to allow the whole /24 containing that IP, the rule is wrong. Be explicit.
Quick Reference Card
- /32 = 1 host. Single IP.
- /29 = 6 usable hosts. Small group (VPN endpoints, etc.).
- /24 = 254 usable hosts. Office network, AWS subnet.
- /16 = 65,534 usable hosts. Whole VPC, large corporate network.
- /8 = 16M+ hosts. Whole legacy class A block.
- /0 = everything. The default route.
For IPv6:
- /128 = 1 host. Single IP.
- /64 = standard subnet (don’t go smaller).
- /48 = standard organizational allocation.
- /32 = ISP-level allocation.
- /0 = everything.
TL;DR
- CIDR is just “how many leading bits are fixed.”
- Smaller prefix length = bigger range. /16 > /24 > /29.
- 2^(32 - prefix) = number of IPv4 addresses. Memorize a few common ones.
- Subnet masks are the old equivalent. Same information, different format.
- Longest prefix match wins in routing — more specific routes override broader ones.
- Private ranges (10/8, 172.16/12, 192.168/16) are for internal use; you’ll see them in home/office/VPC networks but never on the public internet.
Once CIDR clicks, every firewall rule, VPC plan, and routing table becomes much easier to read. The math isn’t hard — there’s just a small mental model that has to load once. After that, /24 and /16 are as familiar as “byte” and “kilobyte.”
If you’re working with real IP data — looking up which AS owns a given address, or checking what prefix a given IP falls inside — try our IP lookup tool or ASN directory. Both show the relevant CIDR prefixes alongside the addresses.