If a Slack message containing 10.0.0.0/16 makes you nod and quietly Google "what does /16 mean again," welcome — you're in good company. CIDR (Classless Inter-Domain Routing) notation looks more intimidating than it is. Once you stop trying to do binary math and learn a few key numbers, every /24, /16, and /28 you see becomes legible. This is the explanation I wish someone had given me before I designed my first VPC.
Why CIDR Replaced Classful Addressing
Before CIDR, IPv4 addresses came in three rigid classes:
- Class A: first octet 1-126, networks like 10.0.0.0 with 16,777,214 hosts each
- Class B: first octet 128-191, networks like 172.16.0.0 with 65,534 hosts each
- Class C: first octet 192-223, networks like 192.168.1.0 with 254 hosts each
Two problems killed this scheme. First, the gaps were absurd — a company needing 1,000 IPs got either a Class C (too small) or a Class B (way too big, ~64,000 addresses wasted). Second, every network appeared as a separate routing-table entry. By 1993 backbone routing tables were exploding faster than routers could handle.
CIDR, defined in RFC 4632, replaced classes with a flexible prefix length. Instead of "this is a Class B," you write 172.16.0.0/16 and the /16 tells you how many bits identify the network. Any prefix from /0 to /32 is valid.
This also enables route aggregation — multiple smaller networks from the same provider get advertised as one larger CIDR block, shrinking the routing table. Cloudflare's networking primer covers how these aggregated routes flow through BGP.
How to Read /24, /16, /8
The number after the slash is the prefix length — the number of bits at the start of the address that identify the network. Whatever's left identifies the host.
An IPv4 address has 32 bits total, so:
/8 → first 8 bits are network, 24 bits are host
/16 → first 16 bits are network, 16 bits are host
/24 → first 24 bits are network, 8 bits are host
/32 → all 32 bits are network (a single host)
/0 → no bits fixed (matches everything)
Mental model: each /8 chunk corresponds to one octet in a.b.c.d.
/8 fixes the first octet: 10.0.0.0/8 covers 10.0.0.0 to 10.255.255.255. /16 fixes the first two: 172.16.0.0/16 covers 172.16.0.0 to 172.16.255.255. /24 fixes the first three: 192.168.1.0/24 covers 192.168.1.0 to 192.168.1.255.
If the prefix isn't a multiple of 8, only part of an octet is fixed — that's where things get fiddly.
The Math Without the Math
The core formula: a /N network has 2^(32-N) addresses.
| Prefix | Hosts (2^(32-N)) | Mnemonic |
|---|---|---|
| /32 | 1 | single host |
| /30 | 4 | point-to-point link |
| /29 | 8 | tiny VPN endpoint |
| /28 | 16 | small subnet |
| /27 | 32 | small office |
| /26 | 64 | floor of a building |
| /24 | 256 | "a class C" |
| /22 | 1,024 | small company |
| /20 | 4,096 | a campus |
| /16 | 65,536 | "a class B" |
| /12 | 1,048,576 | private 172.16.0.0/12 |
| /8 | 16,777,216 | "a class A" |
Two addresses are reserved per subnet (network and broadcast), so the usable host count is 2^(32-N) - 2 for prefixes /30 and shorter. Cloud providers reserve more — AWS takes 5 addresses from every VPC subnet.
Each step down in prefix number doubles host count: /24 has 256, /23 has 512, /22 has 1,024.
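The prefix arithmetic above, plus the /24 ↔ 255.255.255.0 conversion discussed later in the article, as an added example (not code from the original post). It uses only Python's standard `ipaddress` module; the `cloud_reserved` parameter is an assumption introduced here so the same function can apply the plain IPv4 rule (2 reserved) or a cloud provider's rule (5 reserved, as the article states for AWS and Azure).

```python
import ipaddress


def prefix_info(prefix: int, cloud_reserved: int = 2) -> dict:
    """Address count, usable host count and dotted-decimal mask for an IPv4 /prefix.

    cloud_reserved: addresses the platform removes from every subnet.
    2 = plain IPv4 (network + broadcast); 5 = AWS/Azure per the article.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between /0 and /32")
    total = 2 ** (32 - prefix)                     # the core formula: 2^(32-N)
    if prefix >= 31:
        # /31 (RFC 3021 point-to-point) uses both addresses; /32 is one host.
        # Neither has a separate network/broadcast address to reserve.
        usable = total
    else:
        usable = max(total - cloud_reserved, 0)
    # Let the standard library render the mask: /24 -> 255.255.255.0
    mask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
    return {"prefix": prefix, "addresses": total, "usable": usable, "netmask": mask}


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask -> prefix length (255.255.255.0 -> 24).

    ipaddress rejects non-contiguous masks such as 255.0.255.0 with a
    ValueError, which is exactly the sanity check you want on old firewall configs.
    """
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def cheat_sheet(prefixes, cloud_reserved: int = 2):
    """Rows of (prefix, addresses, usable, netmask) for a list of prefix lengths."""
    return [tuple(prefix_info(p, cloud_reserved).values()) for p in prefixes]


if __name__ == "__main__":
    print("Plain IPv4 (2 reserved):")
    for row in cheat_sheet([32, 31, 30, 28, 26, 24, 22, 20, 16, 12, 8]):
        print("  /%-2d %10d addresses %10d usable  mask %s" % row)
    print("AWS-style subnets (5 reserved):")
    for row in cheat_sheet([28, 27, 24], cloud_reserved=5):
        print("  /%-2d %10d addresses %10d usable  mask %s" % row)
    print("255.255.240.0 is /%d" % mask_to_prefix("255.255.240.0"))
```

Running it shows the doubling rule directly (/23 is twice a /24) and the "AWS /28 has 11 usable, not 14" gotcha from the Common Mistakes section.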
The Subnet Calculator handles messy octet boundaries automatically.
Common Cloud VPC Sizes
This is where most engineers actually meet CIDR — designing a VPC. The defaults across major providers:
- AWS VPC default: /16 (65,536 addresses). Documented in the AWS VPC sizing guide. Subnets within it range from /16 to /28. AWS reserves 5 IPs per subnet.
- GCP VPC: subnets sized individually; no enforced VPC range. Auto-mode VPCs use /20 per region.
- Azure VNet: typically /16 per VNet, subnets /24 to /29. Azure reserves 5 IPs per subnet.
Common pattern: VPC at /16, subnets at /24 (~250 usable each). A /16 VPC carves up to 256 non-overlapping /24 subnets — enough for most production workloads.
For Kubernetes, check pod CIDR carefully. EKS uses 100.64.0.0/16 for pods (carrier-grade NAT space, intentionally outside RFC 1918 to avoid collision). GKE default is 10.0.0.0/14 — 262,144 IPs, because every pod gets a real IP and pod count grows fast.
The WHOIS Domain Lookup and IP Geolocation Lookup tools are useful when investigating which cloud or ISP a given IP belongs to.
Subnetting in Five Minutes
The classic question: split 10.0.0.0/16 into 4 subnets of equal size.
Step 1: how many bits do you need to address 4 subnets? 2^2 = 4, so 2 bits.
Step 2: add those bits to the prefix. /16 + 2 = /18. Each subnet is now a /18 with 16,384 addresses.
Step 3: list the subnets by incrementing the network bits:
10.0.0.0/18 → 10.0.0.0 - 10.0.63.255
10.0.64.0/18 → 10.0.64.0 - 10.0.127.255
10.0.128.0/18 → 10.0.128.0 - 10.0.191.255
10.0.192.0/18 → 10.0.192.0 - 10.0.255.255
Each /18 is 16,384 addresses, landing on third-octet multiples of 64. That's why 64, 128, 192 keep showing up in subnetting tables.
For a /24 split into four /26 networks (64 addresses each):
192.168.1.0/26 → .0 - .63
192.168.1.64/26 → .64 - .127
192.168.1.128/26 → .128 - .191
192.168.1.192/26 → .192 - .255
Same logic at a smaller scale. The Wikipedia CIDR article has a comprehensive table of every prefix length if you want a reference.
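The three-step split (count the bits, lengthen the prefix, enumerate the network bits) from the /16 and /24 walkthroughs above, as an added example that is not part of the original post. It generalizes slightly: the same function handles IPv6 (a /48 into 256 /56s, as in the IPv6 section) and a helper answers the "which subnet is this host in" question for prefixes that do not land on an octet boundary. Function names are mine; only the standard `ipaddress` module is used.

```python
import ipaddress


def split_into(cidr: str, count: int):
    """Split a network into `count` equal subnets (count must be a power of two).

    Step 1: bits needed = log2(count).
    Step 2: new prefix = old prefix + bits.
    Step 3: enumerate by incrementing the new network bits (ipaddress does this).
    Returns (subnet, first address, last address) tuples as strings.
    """
    if count <= 0 or count & (count - 1):
        raise ValueError("subnet count must be a power of two")
    bits = count.bit_length() - 1                 # 4 -> 2 bits, 256 -> 8 bits
    net = ipaddress.ip_network(cidr, strict=True)  # strict: reject 10.0.0.7/16
    new_prefix = net.prefixlen + bits
    if new_prefix > net.max_prefixlen:
        raise ValueError(f"{cidr} does not have {bits} spare bits to subnet with")
    return [
        (str(sub), str(sub.network_address), str(sub.broadcast_address))
        for sub in net.subnets(new_prefix=new_prefix)
    ]


def network_of(address: str, prefix: int) -> str:
    """Which /prefix network contains this host? Handles messy, non-octet prefixes.

    strict=False tells ipaddress to zero the host bits instead of complaining.
    """
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))


if __name__ == "__main__":
    for parent, n in (("10.0.0.0/16", 4), ("192.168.1.0/24", 4)):
        print(f"{parent} split {n} ways:")
        for sub, first, last in split_into(parent, n):
            print(f"  {sub:20} {first} - {last}")
    v6 = split_into("2001:db8::/48", 256)          # IPv6: same rule, bigger numbers
    print(f"2001:db8::/48 yields {len(v6)} subnets, first two: {v6[0][0]}, {v6[1][0]}")
    print("10.0.100.7 with a /18 mask lives in", network_of("10.0.100.7", 18))
```

The IPv6 case is where the article's "you subnet for structure, not to save addresses" point becomes visible: 256 subnets come out of a /48 without the prefix ever going below /56, let alone below the /64 that SLAAC needs.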
IPv6 CIDR — Similar but Bigger
IPv6 uses the same notation, just with 128 bits instead of 32. So a /64 has 2^64 addresses — about 18 quintillion. Not a typo.
Sizes you'll actually see:
- /128 — single host
- /64 — standard subnet (smallest you'd typically allocate)
- /56 — typical home/business allocation (256 subnets)
- /48 — typical site allocation (65,536 subnets)
- /32 — typical ISP allocation
/64 is the smallest practical subnet because SLAAC and EUI-64 addressing both need 64 host bits. Subnetting smaller works on paper but breaks address autoconfiguration. Don't do it. With IPv6 you don't subnet to save addresses — you subnet for routing structure and policy boundaries.
Common Mistakes
Forgetting reserved addresses. A /24 is 256 addresses but only 254 hosts. A /30 has 4 addresses, 2 usable. Cloud providers reserve more — AWS takes 5 per subnet, so a /28 AWS subnet has 11 usable IPs, not 14.
Overlapping CIDR blocks. Two VPCs with the same CIDR can't peer — you must renumber one. The most common mistake when bolting new environments onto existing networks. Always check existing allocations first.
Picking too small a VPC. You can't change a VPC's primary CIDR after creation in most providers. Default to /16. Teams running real workloads regret going smaller.
Confusing /24 with 255.255.255.0. They mean the same thing. The dotted-decimal mask form (24 ones, 8 zeros) still appears in older configs and firewalls.
Using public IP space privately. RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Teams that use 1.1.1.1 internally lose access to Cloudflare DNS because their internal DNS shadows the real address. Stick to RFC 1918.
Forgetting CGNAT space. 100.64.0.0/10 is reserved for ISPs running carrier-grade NAT. Some Kubernetes deployments use it for pod networks because it's unlikely to collide with corporate VPNs.
For deeper context on how IP routing actually works once a packet has a destination, see our How DNS Works post.
Quick Reference Table
A cheat sheet for the prefix lengths you'll actually use day to day:
| Prefix | Hosts | Common use |
|---|---|---|
| /8 | 16.7M | RFC 1918 10.0.0.0/8 whole space |
| /12 | 1M | RFC 1918 172.16.0.0/12 |
| /16 | 65,536 | Standard VPC, RFC 1918 192.168.0.0/16 |
| /20 | 4,096 | Mid-size subnet, GCP auto-mode |
| /22 | 1,024 | Office network |
| /23 | 512 | Department |
| /24 | 256 | Standard subnet ("class C") |
| /25 | 128 | Small subnet |
| /26 | 64 | Floor / small VLAN |
| /27 | 32 | Small office, ~30 hosts |
| /28 | 16 | AWS minimum, ~11 usable |
| /29 | 8 | VPN endpoint |
| /30 | 4 | Point-to-point link, 2 hosts |
| /32 | 1 | Single host (firewall rule) |
When verifying DNS records or MX servers for a particular network range, the DNS Propagation Checker and MX Record Lookup help confirm how a network is actually reachable from the public internet.
FAQ
What does /24 mean in plain English?
A /24 is a network where the first 24 bits identify the network and the last 8 identify the host. That gives 256 addresses, 254 usable (the first and last are reserved as network and broadcast). It's the most common subnet size and the modern equivalent of the old "Class C" network.
How is CIDR different from a subnet mask?
Two notations for the same thing. /24 is CIDR; 255.255.255.0 is the dotted-decimal mask. Count the 1 bits: 255 is 8 ones, so 255.255.255.0 = /24. Modern tools use CIDR; older firewalls and Windows still show the dotted form.
Why does AWS reserve 5 IPs per subnet?
Network address, broadcast address, plus three for the VPC router, DNS, and future-use placeholder. A /28 (16 addresses) has only 11 usable. This catches people who size subnets right at the edge and discover they can't launch enough instances.
What's the smallest practical subnet?
For routed traffic, /30 (4 addresses, 2 usable) — used for point-to-point router links. /31 (2 addresses, both usable) is valid per RFC 3021 for point-to-point links. /32 is one host, used in firewall rules and BGP advertisements rather than as a real network.
Can I expand a VPC's CIDR after creating it?
In AWS, you can add secondary CIDR blocks but can't change the primary. GCP allows adding subnet ranges. Azure permits expansion under certain conditions. Clean answer: pick /16 upfront and you rarely need to expand.
What's the difference between RFC 1918 and CGNAT space?
RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for private use. CGNAT space is 100.64.0.0/10, reserved by RFC 6598 for ISPs to share IPs across customers. Both private. CGNAT is useful when you need a non-RFC-1918 range to avoid VPN collisions.
Why is /64 the smallest IPv6 subnet I should use?
SLAAC and EUI-64 addressing both expect 64 bits of host space. Subnetting smaller breaks autoconfiguration. With IPv6 you don't economize on addresses — every subnet should be /64 regardless of host count.
How do I check if two CIDR ranges overlap?
Calculate the network address and end of range for each, then check if either range's start falls inside the other. The Subnet Calculator does this directly. Algorithm: ranges A and B overlap if start_A <= end_B AND start_B <= end_A. Cloud peering fails loudly on overlap — validate before deploying.
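The overlap rule stated in this answer (start_A <= end_B and start_B <= end_A), applied the way the "Overlapping CIDR blocks" mistake above recommends: validate a proposed range against every existing allocation before deploying. This is an added example, not code from the original post. The `EXISTING_ALLOCATIONS` list is a constructed sample, the RFC 1918 and CGNAT classification helper covers the private-space ranges the article lists, and the function names are mine.

```python
import ipaddress

# Constructed sample of what a team's allocation register might hold.
EXISTING_ALLOCATIONS = [
    "10.0.0.0/16",      # prod VPC
    "10.1.0.0/16",      # staging VPC
    "172.16.0.0/20",    # office LAN
    "100.64.0.0/16",    # Kubernetes pod range (CGNAT space)
]

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598


def cidr_overlaps(a: str, b: str) -> bool:
    """The article's algorithm: two ranges overlap iff start_A <= end_B and start_B <= end_A."""
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    if na.version != nb.version:          # an IPv4 block never collides with an IPv6 one
        return False
    start_a, end_a = int(na.network_address), int(na.broadcast_address)
    start_b, end_b = int(nb.network_address), int(nb.broadcast_address)
    result = start_a <= end_b and start_b <= end_a
    assert result == na.overlaps(nb)      # cross-check against the standard library
    return result


def check_new_allocation(candidate: str, existing):
    """Return every existing block the candidate collides with; an empty list means it is safe."""
    return [cidr for cidr in existing if cidr_overlaps(candidate, cidr)]


def address_space_kind(cidr: str) -> str:
    """Classify a block as rfc1918, cgnat or public (the 1.1.1.1-internally mistake)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return "ipv6"
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if net.subnet_of(CGNAT):
        return "cgnat"
    return "public"


if __name__ == "__main__":
    for candidate in ("10.0.128.0/17", "10.2.0.0/16", "1.1.1.0/24"):
        clashes = check_new_allocation(candidate, EXISTING_ALLOCATIONS)
        kind = address_space_kind(candidate)
        verdict = "OK" if not clashes and kind != "public" else "REJECT"
        print(f"{candidate:16} {kind:8} overlaps={clashes or 'none'} -> {verdict}")
```

Wiring `check_new_allocation` and `address_space_kind` into a pre-deploy check (a CI step over your IaC, or a gate in the VPC request form) turns the "cloud peering fails loudly" moment into a failed pipeline instead of a renumbering project.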