Reading CIDR notation: what /24 and /16 actually mean
CIDR notation like 192.168.1.0/24 shows up everywhere — router config, AWS VPC subnet design, firewall rules. The basics are quick, but /27 and /19 are the kind of thing you keep recalculating. This article walks through CIDR with the prefix sizes you actually deal with.
CIDR in context: replacing class-based addressing
CIDR (Classless Inter-Domain Routing) was introduced in RFC 1519 in 1993 to express IP allocations by prefix length.
Before CIDR, addresses were classful; the leading bits of the address fixed the size of the network portion:
- Class A — 8-bit network (about 16.7 million hosts max)
- Class B — 16-bit network (about 65 thousand hosts max)
- Class C — 24-bit network (254 hosts max)
This was too coarse. Organizations with a few thousand hosts that received a Class B wasted most of their 65k-address allocation. CIDR fixes this by allowing any prefix length between 0 and 32.
Notation: <address>/<prefix length>
192.168.1.0/24
└────┬────┘└┬┘
  starting  prefix length
  address   (network bits)
- IPv4 addresses are 32 bits.
- /24 means “the first 24 bits are the network portion, the last 8 are for hosts”.
- Host bits = 32 − 24 = 8, so 2^8 = 256 candidate addresses.
Mapping to subnet masks
CIDR prefix length is equivalent to the older subnet mask form:
| CIDR | Subnet mask | Network bits | Host bits | Candidate hosts |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 8 bit | 24 bit | 16,777,216 |
| /16 | 255.255.0.0 | 16 bit | 16 bit | 65,536 |
| /24 | 255.255.255.0 | 24 bit | 8 bit | 256 |
| /27 | 255.255.255.224 | 27 bit | 5 bit | 32 |
| /30 | 255.255.255.252 | 30 bit | 2 bit | 4 |
| /32 | 255.255.255.255 | 32 bit | 0 bit | 1 |
A mask like 255.255.255.224 arises because:
- /27 = 27 leading 1s, 5 trailing 0s.
- 27 = 24 + 3, so the last octet is 11100000 = 224.
Usable hosts: subtract two
“Candidate” and “usable” host counts differ by two. Each subnet reserves two addresses for special meaning:
- Network address (all-zero host bits) — names the subnet itself.
- Broadcast address (all-one host bits) — broadcasts to every host in the subnet.
For 192.168.1.0/24:
192.168.1.0 ← network address (cannot assign)
192.168.1.1 ← first usable host
...
192.168.1.254 ← last usable host
192.168.1.255 ← broadcast (cannot assign)
Usable hosts: 256 − 2 = 254
Two exceptions: /31 and /32. A /31 uses both of its addresses as hosts on a point-to-point link, and a /32 designates a single host.
Prefix size cheat sheet
Sizes you will run into in practice:
| CIDR | Where you see it |
|---|---|
| /8 | ISP-scale; the entire 10.0.0.0/8 private range |
| /16 | Whole organization; 192.168.0.0/16 private range; default AWS VPC size |
| /20 | Large subnet; ~4096 addresses |
| /24 | Department or VLAN; 256 addresses (254 usable) |
| /27 | Small LAN or VPN; 32 addresses (30 usable) |
| /29 | Endpoints of a leased line; 8 addresses (6 usable) |
| /30 | Point-to-point link; 4 addresses (2 usable) |
| /32 | Single host; common in firewall ACLs |
The mental shortcut: /24 has 254 hosts; each step down in prefix length (/23, /22, …) doubles the count, and each step up (/25, /26, …) halves it.
Subnet design pitfalls
1. Boundaries must align with the prefix
A /27 (32 addresses) must start at an address whose last octet is a multiple of 32:
- 192.168.1.0/27 → fine (boundaries at 0, 32, 64, …)
- 192.168.1.16/27 → invalid (16 is not a multiple of 32)
CIDR assumes the address aligns with the prefix length.
2. AWS VPC reserves five addresses, not two
Inside an AWS VPC subnet, five addresses are reserved (the first four and the last one):
For 10.0.0.0/24 in AWS:
10.0.0.0 network
10.0.0.1 VPC router
10.0.0.2 DNS
10.0.0.3 future use
10.0.0.255 broadcast
→ usable hosts: 256 − 5 = 251
A /24 that gives you 254 hosts on-prem gives you 251 in AWS. Cutting /29 or smaller in AWS leaves only 3 usable addresses, which is rarely workable. AWS’s practical floor is /28 (16 addresses, 11 usable).
3. You typically can’t resize a subnet
In most cloud environments, changing a subnet’s prefix length means recreating it. Size with some headroom up front rather than expecting to grow.
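The alignment rule, the subtract-two rule with its /31 and /32 exceptions, and the AWS five-address reservation described above can be checked with Python's standard ipaddress module. This is an added example, not code from the original article; `describe` and `AWS_RESERVED` are names chosen here, and the sample CIDRs are the article's own plus one constructed /31.

```python
import ipaddress

AWS_RESERVED = 5  # assumption taken from the article: first four + last address

def describe(cidr, aws=False):
    """Summarise an IPv4 CIDR block (hypothetical helper, not a library API)."""
    iface = ipaddress.IPv4Interface(cidr)  # accepts host bits set, e.g. .16/27
    net = iface.network                    # same prefix, host bits zeroed
    total = net.num_addresses              # 2 ** (32 - prefix length)
    if aws:
        usable = max(total - AWS_RESERVED, 0)
    elif net.prefixlen >= 31:
        usable = total                     # /31 and /32: nothing subtracted
    else:
        usable = total - 2                 # network + broadcast addresses
    return {
        "aligned": iface.ip == net.network_address,
        "network": str(net),
        "mask": str(net.netmask),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "total": total,
        "usable": usable,
    }

if __name__ == "__main__":
    # CIDRs from the article's examples, plus a constructed /31
    for cidr, aws in [("192.168.1.0/24", False), ("192.168.1.16/27", False),
                      ("10.0.0.0/24", True), ("10.0.0.0/28", True),
                      ("10.0.0.0/31", False)]:
        d = describe(cidr, aws)
        flag = "" if d["aligned"] else f"  MISALIGNED, block is {d['network']}"
        print(f"{cidr:<18} mask={d['mask']:<16} {d['first']} - {d['last']} "
              f"usable={d['usable']}{' (AWS)' if aws else ''}{flag}")
```

A misaligned entry such as 192.168.1.16/27 is worth flagging when reviewing firewall rules: software that masks the host bits instead of rejecting the input applies the rule to the whole of 192.168.1.0/27.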
Summary
CIDR is “how many leading bits are network bits”. Once that’s internalized, the rest is mental arithmetic.
When you actually need address ranges, host counts, and subnet masks computed for an arbitrary CIDR, the calculator on this site does it instantly. Especially useful for /27 and below, where the math is easy to get wrong.