Subnet Masks and CIDR Notation — A Practical Networking Guide
Understand subnet masks, CIDR notation, and IP address ranges. Learn to calculate network addresses, broadcast addresses, and host counts with examples.
Introduction
IP addresses and subnets are networking fundamentals that every developer encounters eventually. Whether you're configuring Docker networks, setting up VPN routes, troubleshooting firewall rules, or answering "why can't this server reach that server?" — understanding subnets saves you from guessing.
This guide explains subnets from first principles, with practical examples you'll actually encounter.
IP Addresses: The Basics
An IPv4 address is 32 bits, written as four octets in decimal: 192.168.1.100. Each octet ranges from 0 to 255, representing 8 bits.
In binary: 192.168.1.100 = 11000000.10101000.00000001.01100100
An IP address has two parts:
- Network portion: identifies which network the device belongs to
- Host portion: identifies the specific device on that network
The subnet mask determines where the split happens.
Subnet Masks
A subnet mask is also 32 bits. The 1-bits mark the network portion, the 0-bits mark the host portion:
IP:   192.168.1.100 = 11000000.10101000.00000001.01100100
Mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
                      <---- network portion ---> <-host->
With a /24 mask (255.255.255.0), the first 24 bits are the network and the last 8 bits are for hosts. This gives you:
- Network: 192.168.1.0
- Host range: 192.168.1.1 to 192.168.1.254
- Broadcast: 192.168.1.255
- Usable hosts: 254
CIDR Notation
Instead of writing 255.255.255.0, CIDR (Classless Inter-Domain Routing) notation uses a prefix length: /24. The number tells you how many bits are in the network portion.
Common CIDR prefixes:
| CIDR | Subnet Mask | Usable Hosts | Typical Use |
|---|---|---|---|
| /32 | 255.255.255.255 | 1 | Single host route |
| /30 | 255.255.255.252 | 2 | Point-to-point link |
| /28 | 255.255.255.240 | 14 | Small server subnet |
| /24 | 255.255.255.0 | 254 | Typical LAN |
| /20 | 255.255.240.0 | 4,094 | Large department |
| /16 | 255.255.0.0 | 65,534 | Campus network |
| /8 | 255.0.0.0 | 16,777,214 | Class A network |
The formula for usable hosts is $2^{(32-n)} - 2$, where $n$ is the CIDR prefix. You subtract 2 because the first address is the network address and the last is the broadcast address.
Use the subnet calculator to compute all of these values instantly for any IP/CIDR combination.
Calculating Subnets by Hand
Example: What's the network for 10.0.5.130/25?
- A /25 means 25 network bits, 7 host bits
- The last octet has 1 network bit and 7 host bits
- 128 in the last octet is the boundary (10000000 in binary)
- 130 is 10000010: the network bit is 1, so we're in the upper half
- Network address: 10.0.5.128
- Broadcast address: 10.0.5.255 (all host bits set to 1)
- Host range: 10.0.5.129 to 10.0.5.254
- Usable hosts: $2^7 - 2 = 126$
Shortcut: The Magic Number
For any subnet, the "magic number" is $256 - \text{last non-zero octet of the mask}$.
For /25: mask is 255.255.255.128, magic number = $256 - 128 = 128$.
Network boundaries in the last octet are multiples of 128: 0, 128. Since 130 falls between 128 and 256, the network is 10.0.5.128.
For /26: mask is 255.255.255.192, magic number = 64. Boundaries: 0, 64, 128, 192. An IP ending in .200 falls in the .192 subnet.
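The by-hand calculation above and the magic-number shortcut, carried out with plain bit operations so each step is visible. This is an added example, not code from the original guide; it uses only the standard library, and the function and field names are my own.

```python
import socket
import struct

def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 text -> 32-bit integer (inet_aton rejects junk)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-quad IPv4 text."""
    return socket.inet_ntoa(struct.pack("!I", n))

def prefix_to_mask(prefix: int) -> int:
    """/n -> mask with the top n bits set, e.g. /25 -> 0xFFFFFF80."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def magic_number(mask: int) -> int:
    """256 minus the last non-zero octet of the mask: the block size."""
    octets = [int(o) for o in int_to_ip(mask).split(".")]
    last_nonzero = next((o for o in reversed(octets) if o), 0)
    return 256 - last_nonzero

def subnet_info(cidr: str) -> dict:
    """Network, broadcast, host range and usable-host count for 'a.b.c.d/n'."""
    ip_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = prefix_to_mask(prefix)
    ip = ip_to_int(ip_text)
    network = ip & mask                           # clear every host bit
    broadcast = network | (~mask & 0xFFFFFFFF)    # set every host bit to 1
    host_bits = 32 - prefix
    if host_bits >= 2:
        usable = 2 ** host_bits - 2               # minus network and broadcast
        first_host, last_host = network + 1, broadcast - 1
    else:
        # /32 is one host (as the CIDR table above says); /31 is a two-address
        # point-to-point link with no separate network or broadcast address.
        usable = 2 ** host_bits
        first_host, last_host = network, broadcast
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first_host),
        "last_host": int_to_ip(last_host),
        "usable_hosts": usable,
        "magic_number": magic_number(mask),
    }
```

`subnet_info("10.0.5.130/25")` reproduces the worked example: network 10.0.5.128, broadcast 10.0.5.255, 126 usable hosts, magic number 128.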
Private IP Ranges
Three ranges are reserved for private networks (RFC 1918):
| Range | CIDR | Addresses | Common Use |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 16.7 million | Large enterprises, VPNs, cloud |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 1 million | Docker default networks |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 65,536 | Home routers, small offices |
Your home router probably uses 192.168.1.0/24 or 192.168.0.0/24. Docker uses 172.17.0.0/16 by default. Kubernetes typically uses 10.0.0.0/8 for pod networking.
Practical Scenarios
Docker Networking
Docker creates a bridge network at 172.17.0.0/16 by default. When you create custom networks:
docker network create --subnet=172.20.0.0/24 mynetwork
This gives you 254 usable container IPs. If you need more containers, use a larger subnet (/20 gives 4,094). If you need isolation, create multiple small subnets (/28 gives 14 hosts each).
VPN Split Tunneling
Your company VPN routes 10.0.0.0/8 through the tunnel. But you want to access your home NAS at 10.0.1.50. The route conflict happens because your home NAS's subnet (10.0.1.0/24) falls within the VPN's broader 10.0.0.0/8. Understanding the CIDR hierarchy helps you debug why certain hosts become unreachable when VPN is active.
Firewall Rules
A firewall rule that allows 192.168.1.0/24 permits all traffic from 192.168.1.0 to 192.168.1.255. If you only want to allow a single host, use /32: 192.168.1.50/32.
Cloud Security Groups
AWS security groups and Azure NSGs use CIDR notation for IP-based rules:
Inbound Rule: Allow TCP 443 from 203.0.113.0/24
This allows HTTPS traffic from 256 IP addresses. A common mistake is using 0.0.0.0/0 (all IPv4 addresses) for rules that should be restricted to specific ranges.
VLSM: Variable Length Subnet Masking
In real networks, not all subnets need the same size. VLSM lets you allocate different-sized subnets from the same address space:
Starting with 192.168.1.0/24:
| Subnet | CIDR | Range | Usable Hosts | Purpose |
|---|---|---|---|---|
| 192.168.1.0/26 | /26 | .0-.63 | 62 | Office LAN |
| 192.168.1.64/27 | /27 | .64-.95 | 30 | Server farm |
| 192.168.1.96/28 | /28 | .96-.111 | 14 | DMZ |
| 192.168.1.112/29 | /29 | .112-.119 | 6 | Management |
| 192.168.1.120/30 | /30 | .120-.123 | 2 | Point-to-point |
You've fit 5 subnets of different sizes into a single /24 with no wasted space. Use the subnet calculator to plan these divisions and verify the ranges don't overlap.
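A checker for a VLSM plan like the table above: it verifies that each subnet is aligned to its prefix, sits inside the parent block and overlaps none of the others, then lists whatever part of the parent remains unallocated. Added example, not code from the original guide; the plan below is the table's five subnets, entered by hand.

```python
import ipaddress

# The VLSM plan from the table above, as (name, CIDR) pairs.
PLAN = [
    ("Office LAN", "192.168.1.0/26"),
    ("Server farm", "192.168.1.64/27"),
    ("DMZ", "192.168.1.96/28"),
    ("Management", "192.168.1.112/29"),
    ("Point-to-point", "192.168.1.120/30"),
]

def check_vlsm_plan(parent_cidr: str, plan) -> dict:
    """Validate alignment, containment and overlap; report unallocated space."""
    parent = ipaddress.ip_network(parent_cidr)
    problems, nets = [], []
    for name, cidr in plan:
        try:
            net = ipaddress.ip_network(cidr)   # strict: host bits must be zero
        except ValueError:
            problems.append(f"{name}: {cidr} is not aligned to its prefix")
            continue
        if not net.subnet_of(parent):
            problems.append(f"{name}: {cidr} lies outside {parent_cidr}")
            continue
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        nets.append((name, net))
    # Walk the parent block in address order and collect the gaps as CIDRs.
    leftover = []
    cursor = int(parent.network_address)
    for _, net in sorted(nets, key=lambda item: int(item[1].network_address)):
        start = int(net.network_address)
        if start > cursor:
            leftover += ipaddress.summarize_address_range(
                ipaddress.ip_address(cursor), ipaddress.ip_address(start - 1))
        cursor = max(cursor, int(net.broadcast_address) + 1)
    if cursor <= int(parent.broadcast_address):
        leftover += ipaddress.summarize_address_range(
            ipaddress.ip_address(cursor), parent.broadcast_address)
    return {
        "problems": problems,
        "unallocated": [str(n) for n in leftover],
        # usable hosts per subnet; valid for prefixes up to /30
        "usable_hosts": {name: net.num_addresses - 2 for name, net in nets},
    }
```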
IPv6 Subnets
IPv6 addresses are 128 bits, written in hexadecimal: 2001:0db8:85a3::8a2e:0370:7334. The concepts are the same — CIDR prefix determines the network/host split — but the numbers are much larger.
A typical ISP assigns a /48 to an organization and a /64 to each individual network. A /64 gives you $2^{64}$ host addresses per subnet — enough for every grain of sand on Earth, many times over. Subnetting IPv6 focuses on organization, not conservation.
Conclusion
Subnets are the building blocks of network architecture. Whether you're sizing a Docker network, writing firewall rules, or debugging connectivity between services, the ability to quickly calculate network ranges from a CIDR prefix is essential.
The subnet calculator does the math instantly. The binary/hex converter helps when you need to see the bit patterns. And once you build the mental model of "network bits vs host bits," it all clicks into place.