CIDR Notation Explained: How to Read 10.0.0.0/24
Every time you configure a VPC, firewall rule, or VPN tunnel you'll see something like 10.0.0.0/24 or 192.168.1.0/23. The slash-number is CIDR notation, and understanding it well enough to read it at a glance is the difference between shipping a working network and locking yourself out of one.
This guide walks through what the slash actually means, how to count hosts, how to recognize common subnets, and how IPv6 handles the same ideas at a vastly larger scale.
What CIDR Means
CIDR stands for Classless Inter-Domain Routing and was introduced in RFC 1518/1519 back in 1993. Before CIDR, IPv4 used classful networking — addresses were divided into rigid Class A (/8), Class B (/16), and Class C (/24) networks. That scheme wasted huge blocks of address space and contributed to the IPv4 exhaustion crisis.
CIDR replaced classes with variable-length prefixes. Instead of "this is a Class B network, so the first 16 bits are the network portion," you write the prefix length explicitly after a slash: /16.
The number after the slash is the number of bits that identify the network. Everything after those bits identifies a host within the network.
Reading the Slash
An IPv4 address is 32 bits — four octets of 8 bits each. The slash splits those 32 bits into two parts:
10.0.0.0 / 24
    │      │
    │      └─ 24 bits identify the network
    └─ Therefore 32 − 24 = 8 bits identify the host
With 8 bits for hosts, there are 2^8 = 256 possible host addresses in this subnet. Two of those are reserved (network address + broadcast), leaving 254 usable hosts.
General formula:
Total addresses = 2^(32 − prefix)
Usable hosts = 2^(32 − prefix) − 2 (for IPv4, for prefixes ≤ /30)
The Subnet Reference Table
Memorize — or at least recognize — these common IPv4 prefixes:
| CIDR | Mask | Addresses | Usable Hosts | Typical Use |
|---|---|---|---|---|
| /32 | 255.255.255.255 | 1 | 1 | Single host |
| /31 | 255.255.255.254 | 2 | 2 | Point-to-point (RFC 3021) |
| /30 | 255.255.255.252 | 4 | 2 | Point-to-point legacy |
| /29 | 255.255.255.248 | 8 | 6 | Very small subnet |
| /28 | 255.255.255.240 | 16 | 14 | Small office |
| /27 | 255.255.255.224 | 32 | 30 | Small office |
| /26 | 255.255.255.192 | 64 | 62 | Medium subnet |
| /25 | 255.255.255.128 | 128 | 126 | Medium subnet |
| /24 | 255.255.255.0 | 256 | 254 | Classic "Class C" |
| /23 | 255.255.254.0 | 512 | 510 | Two joined /24s |
| /22 | 255.255.252.0 | 1,024 | 1,022 | Four joined /24s |
| /16 | 255.255.0.0 | 65,536 | 65,534 | Large VPC |
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 | 10.0.0.0/8 private range |
Every time the prefix gets shorter by one bit (e.g., /25 → /24), the subnet size doubles.
Why You Subtract Two
For prefixes shorter than /31, two addresses are reserved:
- The network address — all host bits set to 0. Identifies the subnet itself.
- The broadcast address — all host bits set to 1. Sends to every host on the subnet.
In 10.0.0.0/24:
- 10.0.0.0 is the network address
- 10.0.0.255 is the broadcast
- 10.0.0.1 through 10.0.0.254 are usable hosts
Two exceptions:
- /31 (RFC 3021) is specifically designed for point-to-point links — no network/broadcast, both addresses are usable.
- /32 is a single host with no network or broadcast concept.
Converting Between Mask and Prefix
Classic subnet masks like 255.255.255.0 and CIDR prefixes like /24 express the same information. To convert by hand, convert each octet to binary and count the leading ones:
255.255.255.0
= 11111111.11111111.11111111.00000000
= 8 + 8 + 8 + 0 ones
= /24
A mask that does not end on an octet boundary, like 255.255.254.0, works the same way:
255.255.254.0
= 11111111.11111111.11111110.00000000
= 8 + 8 + 7 + 0 ones
= /23
If the binary representation ever shows a zero followed by a one (discontinuous ones), the mask is invalid.
The IP to Binary converter shows this conversion in one click, and the CIDR Calculator handles the full network/broadcast/host-range computation.
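The hand conversion above, written out as an added Python example (not code from the original guide). The function names `mask_to_prefix` and `prefix_to_mask` are chosen here for illustration, and the sample masks in the demo are constructed.

```python
def mask_to_prefix(mask):
    """Convert a dotted-quad mask to a prefix length; reject invalid masks."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask!r}")
    value = int.from_bytes(bytes(octets), "big")
    # Invert the mask so the host portion becomes the run of ones.
    host_bits = ~value & 0xFFFFFFFF
    # A valid mask inverts to 0...01...1. Adding 1 to that gives a single
    # power of two, which shares no bits with the original. Any shared bit
    # means a zero was followed by a one somewhere in the mask.
    if host_bits & (host_bits + 1):
        raise ValueError(f"discontinuous mask: {value:032b}")
    return 32 - host_bits.bit_length()


def prefix_to_mask(prefix):
    """Convert a prefix length (0-32) to a dotted-quad mask."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


if __name__ == "__main__":
    # Constructed sample masks: two valid, one with discontinuous ones.
    for sample in ("255.255.255.0", "255.255.254.0", "255.0.255.0"):
        try:
            print(sample, "-> /%d" % mask_to_prefix(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Rejecting discontinuous masks at input time matters for firewall and ACL tooling, where a mistyped mask would otherwise match a different set of addresses than the rule's author intended.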
How to Spot a Bad Subnet
Three common mistakes in CIDR ranges:
1. Network address not aligned to the prefix. 10.0.0.128/24 is invalid — /24 requires the last 8 bits to be zero. Valid forms: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24. Cloud providers will reject misaligned subnets outright.
2. Prefix too short for the intended split. If you want 500 hosts, /24 (254 usable) is too small. You need /23 (510 usable) or larger.
3. Overlap with an existing subnet. 10.0.0.0/24 and 10.0.0.128/25 overlap — the second is wholly contained within the first. Route tables don't error out on overlap; they just silently pick the more specific (longer-prefix) match, which can be hard to debug.
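The three checks above can be automated before a range reaches a route table or firewall rule. This is an added example using Python's standard `ipaddress` module, not code from the original guide; the function names are illustrative and the inputs are the ranges used in the list above.

```python
import ipaddress


def check_alignment(cidr):
    """Return (aligned, network the prefix actually implies) for a CIDR string."""
    iface = ipaddress.ip_interface(cidr)
    aligned = iface.ip == iface.network.network_address
    return aligned, str(iface.network)


def smallest_prefix_for(hosts):
    """Longest IPv4 prefix (up to /30) whose usable host count covers `hosts`."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("too many hosts for a single IPv4 network")


def find_overlaps(cidrs):
    """Return overlapping pairs, with the larger (containing) network first."""
    nets = sorted((ipaddress.ip_network(c) for c in cidrs),
                  key=lambda n: n.prefixlen)
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def longest_prefix_match(address, routes):
    """Pick the route a router would use: the longest matching prefix."""
    addr = ipaddress.ip_address(address)
    nets = [ipaddress.ip_network(r) for r in routes]
    matches = [n for n in nets if addr in n]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None


if __name__ == "__main__":
    print(check_alignment("10.0.0.128/24"))      # misaligned
    print(smallest_prefix_for(500))              # prefix needed for 500 hosts
    routes = ["10.0.0.0/24", "10.0.1.0/24", "10.0.0.128/25"]
    print(find_overlaps(routes))
    # Traffic to the upper half of the /24 silently follows the /25.
    print(longest_prefix_match("10.0.0.200", routes))
```

Running `find_overlaps` over every route and security-group range in a review catches the silent more-specific match before it changes where traffic goes.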
Subnetting and Supernetting
Subnetting means splitting a network into smaller pieces by extending the prefix. Split 10.0.0.0/24 into four /26 subnets:
| Subnet | Range |
|---|---|
| 10.0.0.0/26 | .0–.63 |
| 10.0.0.64/26 | .64–.127 |
| 10.0.0.128/26 | .128–.191 |
| 10.0.0.192/26 | .192–.255 |
Each jump of 64 matches the subnet size (2^(32−26) = 64).
Supernetting (also called route aggregation) is the opposite — combining adjacent networks into a single shorter prefix. 10.0.0.0/24 and 10.0.1.0/24 can be expressed as 10.0.0.0/23, which shrinks a two-line routing entry into one.
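Both operations as an added Python example (not from the original guide; function names are illustrative). It goes one step beyond the text: two networks can only be aggregated when they are the two halves of the same parent prefix, so being adjacent is not sufficient.

```python
import ipaddress


def split(cidr, new_prefix):
    """Subnet `cidr` into equal pieces; return (subnet, first, last) tuples."""
    net = ipaddress.ip_network(cidr)
    return [(str(s), str(s.network_address), str(s.broadcast_address))
            for s in net.subnets(new_prefix=new_prefix)]


def aggregate_pair(a, b):
    """Merge two equal-size networks into one shorter prefix, or return None.

    The merge is valid only if both networks sit inside the same parent
    (one bit shorter). 10.0.1.0/24 and 10.0.2.0/24 are adjacent, but their
    parents differ (10.0.0.0/23 and 10.0.2.0/23), so they cannot be merged.
    """
    na, nb = ipaddress.ip_network(a), ipaddress.ip_network(b)
    if na == nb or na.prefixlen != nb.prefixlen or na.prefixlen == 0:
        return None
    parent = na.supernet()          # drop one bit from the prefix
    return str(parent) if nb.subnet_of(parent) else None


if __name__ == "__main__":
    for row in split("10.0.0.0/24", 26):
        print(row)
    print(aggregate_pair("10.0.0.0/24", "10.0.1.0/24"))   # aligned pair
    print(aggregate_pair("10.0.1.0/24", "10.0.2.0/24"))   # adjacent, not aligned
```

An aggregate written by hand for a misaligned pair would cover addresses outside the two original networks, which in a firewall or route filter means permitting more than was intended.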
Private Address Ranges
Three IPv4 ranges are reserved for private networks (RFC 1918):
| Range | CIDR | Total addresses |
|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | ~16.7M |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | ~1M |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 |
Note the /12 in the second range — it's an awkward boundary. 172.16.0.0/12 covers 172.16.0.0 through 172.31.255.255, not just 172.16.x.x.
Additionally, 169.254.0.0/16 (APIPA / link-local) and 127.0.0.0/8 (loopback) are reserved.
CIDR in IPv6
IPv6 addresses are 128 bits, so the math scales up but the notation is identical:
2001:db8::/32
           └─ first 32 bits identify the network
              remaining 96 bits for subnetting + hosts
Common IPv6 prefix sizes:
- /128 — single host (equivalent to IPv4 /32)
- /64 — standard "LAN" subnet. Exactly one of these per VLAN is the rule. Never subnet below /64 (that is, never use a prefix longer than /64) — it breaks SLAAC.
- /56 — typical residential allocation. Provides 256 /64 subnets.
- /48 — typical small-site allocation. Provides 65,536 /64 subnets.
- /32 — ISP or very large organization.
A /64 subnet contains 2^64 addresses — about 18 quintillion. You will never run out of hosts in a single IPv6 subnet.
Example: Designing a VPC CIDR
A common question: "What CIDR should I use for my VPC?"
Rule of thumb: pick the largest private range you think you'll ever need, because VPC CIDRs can be hard to change after resources are deployed.
For a small startup:
- VPC: 10.0.0.0/16 (65,534 addresses — plenty of room to grow)
- Public subnet (AZ-1): 10.0.0.0/24
- Public subnet (AZ-2): 10.0.1.0/24
- Private subnet (AZ-1): 10.0.10.0/24
- Private subnet (AZ-2): 10.0.11.0/24
- Database subnet (AZ-1): 10.0.20.0/24
- Database subnet (AZ-2): 10.0.21.0/24
This leaves 10.0.100.0/24 and up free for future subnets, and avoids overlap if you later peer with another VPC that chose 10.1.0.0/16.
Avoid 192.168.0.0/16 for cloud VPCs — it's the default home-router range, and a developer VPN from home will immediately collide with it.
Quick Reference
- The number after the slash is the network prefix length in bits.
- Addresses in a subnet = 2^(32 − prefix). Usable hosts subtract 2 (except /31 and /32).
- Subtracting 1 from the prefix doubles the subnet size.
- Network and broadcast addresses are the first and last in the range.
- Misaligned networks like 10.0.0.128/24 are invalid.
- Use the CIDR Calculator to compute ranges, or the Subnet Calculator for subdivision.
- IPv6 uses identical notation but with 128-bit addresses and /64 as the standard subnet size.