CIDR Notation Explained

Where CIDR came from

Before 1993 the IPv4 world was carved into fixed classes: Class A (/8), Class B (/16), Class C (/24). If your company outgrew a Class C, your only option was a full Class B — 65,536 addresses, far more than most needed. CIDR (RFC 4632, "Classless Inter-Domain Routing") replaced the rigid classes with arbitrary prefix lengths. Now you can have a /22 (1,024 addresses), a /28 (16 addresses), or anything in between.

The notation, decoded

A CIDR block is just address/prefix:

• The address picks a starting point in the IP space.
• The prefix (the /N) says how many leading bits identify the network. Everything beyond identifies a specific host.

For 192.168.1.0/24:

192.168.1.0
↓ as 32 bits ↓
11000000.10101000.00000001.00000000
└──────── 24 network bits ─────┘└── 8 host bits ──┘

24 network bits + 8 host bits = 32 bits total (IPv4 is always 32 bits). The 8 host bits give you 2⁸ = 256 addresses. Subtract 2 (network address + broadcast) and you get 254 usable hosts.

The subnet mask is just the prefix in disguise

Every CIDR prefix has an equivalent dotted-decimal mask. The first N bits are 1, the rest are 0:

The "usable hosts" formula is 2^{(32 − N)} − 2 for /N ≤ 30. The two reserved addresses are the network address (all host bits 0) and the broadcast (all host bits 1). For /31 and /32 the rules change: /31 was redefined by RFC 3021 to allow 2 usable hosts on point-to-point links (no broadcast needed), and /32 represents a single host route.

Special "wildcard mask"

Some routing platforms (Cisco IOS, ACL syntax) use the inverted mask, called the wildcard mask. A /24's wildcard is 0.0.0.255 (the bits you don't care about). It's the same information; just flipped. Modern Linux iptables and most firewalls use the regular mask.

RFC 1918 — the private ranges everyone uses

Three IPv4 ranges are reserved for private use — they don't route on the public internet, and any organization can use them internally without coordinating with anyone:

• 10.0.0.0/8 — 16.7M addresses. Most enterprise.
• 172.16.0.0/12 — 1M addresses. Includes 172.16.0.0/16 through 172.31.0.0/16. Less common.
• 192.168.0.0/16 — 65,534 addresses. Almost every home router defaults to a /24 inside this.

Plus 100.64.0.0/10 (CGNAT — RFC 6598) for carrier-grade NAT, and 169.254.0.0/16 for link-local autoconfig.

Network address vs. broadcast vs. usable

For 192.168.1.0/24:

• Network address: 192.168.1.0 (all host bits 0). Identifies the network. Don't assign to a host.
• Broadcast address: 192.168.1.255 (all host bits 1). Sends to every host on the subnet. Don't assign to a host.
• Usable host range: 192.168.1.1 through 192.168.1.254. Hosts go here.

IPv6 — same idea, much bigger numbers

IPv6 addresses are 128 bits, written in 8 groups of 4 hex digits. Common prefix lengths:

• /48 — site-level allocation. Common for organizations.
• /56 — smaller site (some ISPs hand out /56 to home customers).
• /64 — single LAN. The default for SLAAC autoconfiguration. Most LANs use this.
• /128 — single host.

IPv6 has no broadcast address. The all-ones-host pattern is just a regular unicast address. Multicast handles "send to many" needs differently. So the math for usable hosts in IPv6 is just 2^{(128 − N)} with no -2 deduction.

VLSM and supernetting

Two CIDR-era concepts worth knowing:

• VLSM (Variable Length Subnet Masking): using different prefix lengths within the same parent network. E.g. give one team a /24 and another a /27 within a /16. Pre-CIDR you couldn't.
• Supernetting (route aggregation): announcing a single short prefix to cover many longer ones. Instead of advertising 256 /24 routes, advertise one /16. Crucial for keeping internet routing tables small.

JustKit's role

The JustKit CIDR calculator takes a CIDR block and returns the network/broadcast/host range, mask, wildcard, and binary breakdown — handy when you're staring at a network diagram or a firewall rule. Works for IPv4 and IPv6.