Subnet Calculator Guide: CIDR, IP Ranges, and Network Planning

April 13, 2026 · 13 min read

An engineer at a startup I know was setting up a new AWS VPC. He typed 10.0.0.0/8 as the CIDR block—giving himself 16.7 million IP addresses for a team of twelve. The VPC worked fine, but when they later needed to peer with another team's VPC that also used 10.0.0.0/8, the overlapping ranges made peering impossible. They had to rebuild the entire network from scratch. A five-second decision in a subnet calculator would have prevented weeks of rework.

Subnetting isn't just for network engineers anymore. Anyone deploying to AWS, Azure, or GCP needs to understand CIDR notation. Anyone configuring a firewall, setting up a VPN, or debugging a connectivity issue needs to know how IP ranges work. This guide covers the practical knowledge you need without the CompTIA textbook filler.

IP Addresses: The Basics You Already Know (Mostly)

An IPv4 address is four numbers separated by dots: 192.168.1.100. Each number ranges from 0 to 255, which means it's stored as one byte (8 bits). Four bytes = 32 bits total = about 4.3 billion possible addresses. That sounded like enough in 1981. It hasn't been enough since the early 2000s.

Every IP address has two parts: the network portion (which network the device belongs to) and the host portion (which specific device on that network). The subnet mask defines where the split happens. That's the fundamental concept behind subnetting.

Take 192.168.1.100 with a subnet mask of 255.255.255.0. The first three octets (192.168.1) are the network portion. The last octet (100) is the host portion. Any device with an IP starting with 192.168.1.x is on the same network. Devices with 192.168.2.x are on a different network and need a router to communicate.

CIDR Notation: The Shorthand That Replaced Classes

The old class-based system (Class A, B, C) divided the IP address space into rigid blocks: Class A got 16.7 million addresses, Class B got 65,536, Class C got 256. Nothing in between. Need 500 addresses? You'd get a Class C (256—not enough) or a Class B (65,536—wildly wasteful).

CIDR (Classless Inter-Domain Routing, pronounced "cider") replaced this with variable-length subnet masks. Instead of fixed classes, you specify exactly how many bits are the network portion using slash notation: 10.0.0.0/24.

The number after the slash is the prefix length—how many bits are locked as the network portion. The remaining bits are available for host addresses.

| CIDR | Subnet Mask | Total Addresses | Usable Hosts | Common Use |
|------|-------------|-----------------|--------------|------------|
| /32 | 255.255.255.255 | 1 | 1 | Single host (loopback, ACL) |
| /30 | 255.255.255.252 | 4 | 2 | Point-to-point link |
| /28 | 255.255.255.240 | 16 | 14 | Small office |
| /24 | 255.255.255.0 | 256 | 254 | Typical LAN, small subnet |
| /20 | 255.255.240.0 | 4,096 | 4,094 | Medium network, AWS subnet |
| /16 | 255.255.0.0 | 65,536 | 65,534 | Large corporate network, VPC |
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 | Massive (avoid in cloud) |

Apart from the /32 single-host row, the "usable hosts" column is total addresses minus 2. The first address (all host bits zero) is the network address. The last address (all host bits one) is the broadcast address. Neither can be assigned to a device. In a /24 network, that means 254 usable addresses out of 256.

A CIDR calculator computes all of this instantly: enter a CIDR block and it shows the network address, broadcast address, usable range, total hosts, subnet mask, and wildcard mask. No binary math required.

Subnet Calculator: What It Tells You and Why It Matters

A subnet calculator takes an IP address and a prefix length (or subnet mask) and returns the complete network breakdown. Here's what each output means in practical terms:

  • Network Address: The first address in the range. Identifies the network itself. You'll see this in routing tables and firewall rules. Example: 192.168.10.0
  • Broadcast Address: The last address in the range. Packets sent to this address reach all devices on the network. Example: 192.168.10.255
  • Usable Host Range: The addresses between network and broadcast that you can assign to devices. Example: 192.168.10.1 through 192.168.10.254
  • Subnet Mask: The traditional dot-decimal notation. 255.255.255.0 means "the first 24 bits are the network, the rest are hosts."
  • Wildcard Mask: The inverse of the subnet mask. Used in Cisco ACLs and OSPF configurations. 0.0.0.255 for a /24 network.
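
The arithmetic behind each of those outputs, as an added example (not code from the original post): the function name `subnet_breakdown` and the sample inputs are chosen here for illustration. It derives every field with bit operations and treats /31 and /32 as special cases, since they have no separate network or broadcast address.

```python
def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad string into a 32-bit integer, validating each octet."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_breakdown(cidr: str) -> dict:
    """Return the fields a subnet calculator shows for an address/prefix pair."""
    address, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # prefix one-bits, then zeros
    wildcard = mask ^ 0xFFFFFFFF                       # inverse of the mask
    network = ip_to_int(address) & mask                # host bits cleared
    broadcast = network | wildcard                     # host bits set
    total = 1 << (32 - prefix)
    if prefix >= 31:
        # /32 is one host; /31 is a two-address point-to-point link (RFC 3021).
        first, last, usable = network, broadcast, total
    else:
        first, last, usable = network + 1, broadcast - 1, total - 2
    return {
        "network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first), "last_host": int_to_ip(last),
        "subnet_mask": int_to_ip(mask), "wildcard_mask": int_to_ip(wildcard),
        "total": total, "usable": usable,
    }


if __name__ == "__main__":
    # Constructed sample inputs: a host inside a /24, a host inside a /20, and a /30.
    for sample in ("192.168.10.77/24", "10.0.37.5/20", "10.1.1.5/30"):
        print(sample, subnet_breakdown(sample))
```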

Practical Subnetting: Cloud VPC Design

If you're deploying to AWS, Azure, or GCP, subnetting is no longer optional. Every cloud VPC requires you to specify a CIDR block, and every subnet within the VPC needs its own non-overlapping CIDR range.

Here's a real-world VPC design for a mid-size application:

VPC: 10.0.0.0/16 (65,536 addresses)

Public subnets (internet-facing):
  10.0.1.0/24  (AZ-a) - 254 hosts - load balancers, NAT gateway
  10.0.2.0/24  (AZ-b) - 254 hosts - load balancers (redundant)

Private subnets (application tier):
  10.0.10.0/24 (AZ-a) - 254 hosts - app servers
  10.0.11.0/24 (AZ-b) - 254 hosts - app servers (redundant)

Database subnets (isolated):
  10.0.20.0/24 (AZ-a) - 254 hosts - RDS, ElastiCache
  10.0.21.0/24 (AZ-b) - 254 hosts - RDS (multi-AZ)

This layout uses 6 of the 256 available /24 blocks in the /16 VPC, leaving plenty of room for future services without re-architecting the network. The gaps between ranges (1-2, 10-11, 20-21) are intentional—they leave space for additional subnets in each tier.

Rules for cloud subnetting:

  • Never use /8 for a VPC. It wastes addresses and prevents VPC peering with any network in the same /8 range.
  • /16 is the sweet spot for most VPCs. 65,536 addresses is enough for almost any application, and it divides cleanly into /24 subnets.
  • Use /24 for individual subnets unless you have a specific reason for smaller or larger. 254 hosts per subnet handles most workloads.
  • Don't overlap with your office network. If your office uses 192.168.0.0/16 and your VPC also uses it, VPN connectivity becomes impossible without NAT.
  • Reserve private address space. Use RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
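
One way to check an addressing plan against these rules before creating anything, as an added example (not code from the original post): `validate_plan`, the subnet labels, and the neighbouring office and peer ranges are assumptions made for illustration. It uses Python's standard `ipaddress` module.

```python
import ipaddress
from itertools import combinations

# The three RFC 1918 private ranges listed in the rules above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_plan(vpc_cidr: str, subnets: dict, external: dict) -> list:
    """Return a list of problems with an addressing plan; empty means clean."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not any(vpc.subnet_of(block) for block in RFC1918):
        problems.append(f"VPC {vpc} is outside RFC 1918 private space")
    for label, cidr in external.items():
        if vpc.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"VPC {vpc} overlaps {label} {cidr}")

    parsed = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict mode: rejects set host bits
        except ValueError:
            problems.append(f"{name}: {cidr} is not a valid network (host bits set or malformed)")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is outside VPC {vpc}")
        parsed[name] = net
    for (a, net_a), (b, net_b) in combinations(parsed.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} {net_a} overlaps {b} {net_b}")
    return problems


# The layout from this post; the subnet names are labels chosen for this example.
PAGE_VPC = "10.0.0.0/16"
PAGE_SUBNETS = {
    "public-a": "10.0.1.0/24", "public-b": "10.0.2.0/24",
    "app-a": "10.0.10.0/24", "app-b": "10.0.11.0/24",
    "db-a": "10.0.20.0/24", "db-b": "10.0.21.0/24",
}
# Constructed neighbours: an office LAN and a peer VPC.
NEIGHBOURS = {"office": "192.168.0.0/16", "peer-vpc": "10.50.0.0/16"}

if __name__ == "__main__":
    print(validate_plan(PAGE_VPC, PAGE_SUBNETS, NEIGHBOURS))
    # Constructed bad plan: /8 VPC, a /23 swallowing a /24, a host address used as a subnet.
    bad = {"app-a": "10.0.10.0/23", "app-b": "10.0.11.0/24", "db-a": "10.0.20.5/24"}
    for problem in validate_plan("10.0.0.0/8", bad, {"peer-vpc": "10.0.0.0/8"}):
        print(problem)
```

Run as a pre-deployment check, this flags the overlapping /8 from the opening anecdote before the VPC exists.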

IP Address Lookup: What an IP Tells You

Every public IP address carries metadata: the approximate geographic location, the ISP or hosting provider, the Autonomous System Number (ASN), and sometimes the organization that owns the IP range.

An IP address lookup tool reveals this information. Common uses:

  • Identifying bot traffic. If your web server logs show suspicious requests from an IP, looking it up might reveal it belongs to a known VPN service, a data center (automated bot), or a residential ISP (real user).
  • Geolocation. IP-based location isn't precise (city-level at best, often just country), but it's useful for content localization, fraud detection, and analytics.
  • Debugging connectivity. If a user reports they can't reach your server, checking their IP's geolocation and ISP can reveal regional routing issues or ISP-level blocks.
  • Security investigation. When reviewing firewall logs, IP lookup helps distinguish between legitimate traffic and known malicious ranges.

DNS Lookup: Translating Names to Numbers

DNS (Domain Name System) is the internet's phone book. When you type google.com, DNS translates that to 142.250.80.46 (or one of Google's many IP addresses). Without DNS, we'd need to memorize IP addresses for every website.

A DNS lookup tool queries DNS records for a domain and shows you what the internet knows about it. Key record types:

| Record Type | Purpose | Example Value |
|-------------|---------|---------------|
| A | Maps domain to IPv4 address | 93.184.216.34 |
| AAAA | Maps domain to IPv6 address | 2606:2800:220:1:248:... |
| CNAME | Alias to another domain | www.example.com |
| MX | Mail server for the domain | 10 mail.example.com |
| TXT | Verification, SPF, DKIM | v=spf1 include:... |
| NS | Nameservers for the domain | ns1.example.com |

DNS debugging is one of the most common networking tasks. "The website is down" is often "DNS is misconfigured." A DNS lookup can quickly answer: does the domain resolve? Does it point to the right IP? Are the MX records correct (email delivery issues)? Is the TTL appropriate (caching issues)?

Subnet Cheat Sheet: Quick Reference for Common Scenarios

| Scenario | Recommended CIDR | Why |
|----------|------------------|-----|
| Home network | /24 (e.g., 192.168.1.0/24) | 254 devices; far more than any household needs |
| Small office (20-50 people) | /24 | Room for devices, printers, phones, IoT |
| AWS/Azure VPC | /16 for VPC, /24 for subnets | Room to grow without re-architecture |
| Point-to-point link | /30 or /31 | 2 devices, minimum waste |
| Kubernetes pod network | /16 or larger | Pods are ephemeral; need large pool |
| Firewall ACL (single host) | /32 | Matches exactly one IP address |

The Binary Math You Can Skip

Traditional networking courses spend hours on binary AND operations, converting subnet masks to binary, and manually calculating network boundaries by hand. That knowledge is valuable for deep understanding, but for practical work in 2026? A CIDR calculator and subnet calculator handle the binary math in milliseconds.

What you should understand conceptually: each additional bit in the prefix length halves the number of available addresses. /24 has 256 addresses. /25 has 128. /26 has 64. /27 has 32. Each step splits the network in half. You don't need to do the binary conversion manually to apply this principle when designing networks.

What you should use tools for: determining exact network boundaries, usable ranges, broadcast addresses, and verifying that two subnets don't overlap. These calculations are tedious and error-prone by hand, and a single mistake in a firewall rule or routing table can take down production. Let the calculator handle the arithmetic while you focus on the design decisions that actually require human judgment.