June 6, 2026 · 5 min read

CIDR notation and subnetting explained: what /24 actually means

CIDR notation is the /24 you see after an IP address, as in 10.0.0.0/24. It looks cryptic until you know the one rule behind it: the number is how many bits, counting from the left, are fixed as the network. Everything after those bits is free to vary across hosts.

Reading the slash

An IPv4 address is 32 bits. The number after the slash is the prefix length, the count of leading bits that identify the network. The remaining bits identify hosts inside it.

  • /24 fixes 24 bits, leaving 8 host bits. That is 2^8 = 256 addresses.
  • /16 fixes 16 bits, leaving 16 host bits, which is 2^16 = 65,536 addresses.
  • /32 fixes all 32 bits: a single address, often used in firewall rules to mean "exactly this host".

The shortcut: a block holds 2^(32 - prefix) addresses in total (the usable host count, which is slightly smaller, is covered below). A smaller number after the slash means a bigger network. The Subnet Calculator does this instantly and also shows the mask, range, and host count.

Network, broadcast, and usable hosts

Inside a subnet, the first and last addresses are special. The network address (all host bits zero) names the subnet itself; the broadcast address (all host bits one) reaches every host at once. Neither is assignable to a machine, so a /24 with 256 total addresses gives you 254 usable hosts. For a /30, four addresses minus those two leaves just two usable hosts, which is exactly why point-to-point links use /30 or the host-route /31.

The subnet mask is the same thing

A subnet mask like 255.255.255.0 is just the prefix written in dotted decimal: 24 one-bits followed by 8 zero-bits. /24 and 255.255.255.0 are two notations for the identical boundary. Older equipment wants the mask; cloud consoles and routing tables want CIDR. Convert between them rather than memorising the table.

Where this bites in practice

  • Cloud VPCs: you pick a CIDR block like 10.0.0.0/16 for the VPC, then carve subnets such as 10.0.1.0/24 out of it. Overlapping ranges between a VPC and a peer break routing.
  • Firewall and security group rules: 0.0.0.0/0 means "the entire internet". Narrowing it to a real range is one of the cheapest security wins there is.
  • Allowlists: 203.0.113.0/24 allows a whole office block in one line instead of 254 separate rules.

When you are sizing a network, splitting a block, or sanity-checking that two ranges do not overlap, the Subnet Calculator shows the network address, broadcast address, mask, and exact host count for any CIDR. To go the other way and check what is actually reachable at an address, the IP Lookup and Reverse DNS tools fill in the rest.
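The arithmetic the calculator performs, written out as an added example that is not the site's own code: it derives the mask, network, broadcast and host counts for a CIDR block with plain bit operations, converts between mask and prefix forms, handles the /31 and /32 edge cases, and checks two blocks for overlap. It uses only the Python standard library; the sample blocks are constructed.

```python
import socket
import struct

def ip_to_int(ip: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer (big-endian)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 string."""
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))

def prefix_to_mask(prefix: int) -> str:
    """/24 -> 255.255.255.0: `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix

def describe(cidr: str) -> dict:
    """Network, broadcast, mask, total and usable addresses for an IPv4 block."""
    ip, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = ip_to_int(prefix_to_mask(prefix))
    network = ip_to_int(ip) & mask            # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set
    total = 1 << (32 - prefix)
    # A /31 (RFC 3021 point-to-point) and a /32 reserve nothing, so every
    # address is usable; any larger block loses network and broadcast.
    usable = total if prefix >= 31 else total - 2
    return {"network": int_to_ip(network), "broadcast": int_to_ip(broadcast),
            "mask": int_to_ip(mask), "prefix": prefix,
            "total": total, "usable": usable}

def overlaps(a: str, b: str) -> bool:
    """True if two blocks share any address, e.g. a VPC range vs a peer's."""
    da, db = describe(a), describe(b)
    return (ip_to_int(da["network"]) <= ip_to_int(db["broadcast"])
            and ip_to_int(db["network"]) <= ip_to_int(da["broadcast"]))

if __name__ == "__main__":
    print(describe("10.0.1.37/24"))
    print(overlaps("10.0.0.0/16", "10.0.1.0/24"))  # constructed VPC/subnet pair
```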