
The Subnet Calculator in Your Head


Topics: CIDR notation, subnet masks, network/broadcast addresses, VLSM, IP planning
Level: L1 (Foundations)
Time: 45–60 minutes
Prerequisites: None (binary math explained from scratch)


The Mission

Someone says "give me a /24 in the 10.0 range for the new VLAN." You nod. You have no idea what they mean. You open a subnet calculator website. You feel like you should know this.

Subnetting isn't hard. It's just binary math that nobody teaches well. This lesson gives you the mental model to do it in your head — no calculator needed for common cases.


The One Rule

An IP address is 32 bits. A subnet mask divides those bits into two parts:

IP:     10.0.1.50
Mask:   255.255.255.0 (/24)

Binary: 00001010.00000000.00000001.00110010
Mask:   11111111.11111111.11111111.00000000
        ├─ network (24 bits) ─────┤├ host ┤

Network: 10.0.1.0     (first 24 bits = network identity)
Host:    .50           (last 8 bits = host within network)

The CIDR number (/24) is just how many bits are "network." The rest are "host."

/24 = 24 network bits, 8 host bits  = 256 addresses (254 usable)
/16 = 16 network bits, 16 host bits = 65,536 addresses
/32 = 32 network bits, 0 host bits  = 1 address (a single host)
/0  = 0 network bits, 32 host bits  = all addresses (default route)

The Cheat Sheet You'll Memorize

CIDR  Subnet mask      Addresses   Usable hosts  Common name
/32   255.255.255.255  1           1             Single host
/31   255.255.255.254  2           2             Point-to-point link
/30   255.255.255.252  4           2             Point-to-point (traditional)
/29   255.255.255.248  8           6             Tiny subnet
/28   255.255.255.240  16          14            Small subnet
/27   255.255.255.224  32          30            Small office
/26   255.255.255.192  64          62            Department
/25   255.255.255.128  128         126           Floor
/24   255.255.255.0    256         254           Standard subnet
/23   255.255.254.0    512         510           Double subnet
/22   255.255.252.0    1,024       1,022         Large subnet
/16   255.255.0.0      65,536      65,534        Class B
/8    255.0.0.0        16,777,216  16,777,214    Class A

Remember the pattern: every CIDR step doubles or halves the address count. /24 = 256 addresses. /25 = 128. /26 = 64. /23 = 512. Just double or halve.

Gotcha: Usable hosts = total addresses - 2. The first address is the network address (identifies the subnet). The last is the broadcast address (sends to all hosts). Neither can be assigned to a host. Exception: /31 (RFC 3021) uses both addresses for point-to-point links.


Mental Math: Given an IP and CIDR, Find the Network

Question: What network is 10.0.1.200/26 on?

Step 1: /26 = 64 addresses per subnet (256 / 4)
Step 2: Subnets start at multiples of 64: .0, .64, .128, .192
Step 3: 200 falls between 192 and 256
Step 4: Network: 10.0.1.192/26
        First host: 10.0.1.193
        Last host: 10.0.1.254
        Broadcast: 10.0.1.255

Question: What network is 172.16.5.100/23?

Step 1: /23 = 512 addresses (2 × /24)
Step 2: /23 means the third octet changes in pairs: .0-.1, .2-.3, .4-.5, .6-.7
Step 3: 5 falls in the .4-.5 pair
Step 4: Network: 172.16.4.0/23 (starts at .4.0)
        Range: 172.16.4.1 – 172.16.5.254
        Broadcast: 172.16.5.255
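
The same steps as bit operations, in an added example that is not part of the original lesson: the mask is built from the prefix length, ANDed with the address to get the network, and ORed with the inverted mask to get the broadcast. The function names are this example's own, and it also handles the /31 and /32 rows of the cheat sheet, where nothing is subtracted.

```python
def to_int(dotted):
    """Pack a dotted-quad string into one 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value

def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def describe(cidr):
    """Network, hosts and broadcast for 'a.b.c.d/n' using only bit math."""
    addr, _, plen = cidr.partition("/")
    prefix = int(plen)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {plen!r}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # n one-bits, then zeros
    network = to_int(addr) & mask                       # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)          # set the host bits
    total = 1 << (32 - prefix)
    if prefix >= 31:   # /31 (RFC 3021) and /32: every address is usable
        first, last, usable = network, broadcast, total
    else:              # network and broadcast addresses are not assignable
        first, last, usable = network + 1, broadcast - 1, total - 2
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "first": to_dotted(first),
        "last": to_dotted(last),
        "broadcast": to_dotted(broadcast),
        "usable": usable,
    }

if __name__ == "__main__":
    for example in ("10.0.1.200/26", "172.16.5.100/23", "10.0.0.5/31"):
        print(example, describe(example))
```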

Private IP Ranges (RFC 1918)

10.0.0.0/8      → 10.0.0.0 – 10.255.255.255    (16M addresses)
172.16.0.0/12   → 172.16.0.0 – 172.31.255.255   (1M addresses)
192.168.0.0/16  → 192.168.0.0 – 192.168.255.255 (65K addresses)

Trivia: These ranges were reserved in 1996 (RFC 1918) because the internet was running out of IPv4 addresses. By using private addresses internally and NAT at the border, organizations could use the same IP ranges without conflicting. This extended IPv4's life by decades — arguably delaying IPv6 adoption to this day.


Practical: VPC/Cloud Subnet Design

VPC: 10.0.0.0/16 (65,536 addresses)

Public subnets (for load balancers, bastion hosts):
  10.0.0.0/24   (AZ-a)  256 addresses
  10.0.1.0/24   (AZ-b)  256 addresses
  10.0.2.0/24   (AZ-c)  256 addresses

Private subnets (for application servers):
  10.0.10.0/24  (AZ-a)  256 addresses
  10.0.11.0/24  (AZ-b)  256 addresses
  10.0.12.0/24  (AZ-c)  256 addresses

Database subnets (isolated):
  10.0.20.0/24  (AZ-a)  256 addresses
  10.0.21.0/24  (AZ-b)  256 addresses

Kubernetes pod CIDR:
  10.0.128.0/17 (32,768 addresses for pods)

Gotcha: Don't use /16 for a single subnet. You'll never need 65,536 hosts on one broadcast domain, and ARP broadcasts on a flat /16 network will consume bandwidth. Break it into /24s or /22s based on actual need.
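
A plan like this can be checked mechanically before anything is provisioned. The following added example (not part of the original lesson) uses Python's standard `ipaddress` module to confirm that every subnet is a valid network address, sits inside the VPC, and overlaps no other subnet, then lists the space still unallocated; the subnet names are labels made up for the example.

```python
import ipaddress
from itertools import combinations

# The plan from the lesson; the subnet names are labels made up for this example.
VPC = ipaddress.ip_network("10.0.0.0/16")
PLAN = {
    "public-a": "10.0.0.0/24", "public-b": "10.0.1.0/24", "public-c": "10.0.2.0/24",
    "private-a": "10.0.10.0/24", "private-b": "10.0.11.0/24", "private-c": "10.0.12.0/24",
    "db-a": "10.0.20.0/24", "db-b": "10.0.21.0/24",
    "k8s-pods": "10.0.128.0/17",
}

def audit(vpc, plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, nets = [], {}
    for name, cidr in plan.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: rejects host bits, e.g. 10.0.1.200/26
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR ({exc})")
            continue
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} is outside VPC {vpc}")
        nets[name] = net
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"{a} {na} overlaps {b} {nb}")
    return findings

def free_blocks(vpc, plan):
    """CIDR blocks of the VPC not claimed by the plan (plan must pass audit)."""
    remaining = [vpc]
    for cidr in plan.values():
        used = ipaddress.ip_network(cidr)
        kept = []
        for block in remaining:
            if used.subnet_of(block):
                kept.extend(block.address_exclude(used))  # split block around used
            elif not block.overlaps(used):
                kept.append(block)
        remaining = kept
    return sorted(remaining)

if __name__ == "__main__":
    for finding in audit(VPC, PLAN) or ["plan is consistent"]:
        print(finding)
    print("unallocated:", ", ".join(map(str, free_blocks(VPC, PLAN))))
```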


Flashcard Check

Q1: /24 = how many usable hosts?

254. (256 total - network address - broadcast address = 254)

Q2: What network is 10.0.1.200/26 on?

10.0.1.192/26. (64 addresses per /26. 192 is the nearest multiple of 64 below 200.)

Q3: What are the three RFC 1918 private ranges?

10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Used for internal networks, not routable on the internet.

Q4: /25 = how many addresses?

128. (Each CIDR step doubles/halves. /24=256, /25=128, /26=64.)

Cheat Sheet

Quick Mental Math

/24 = 256 addresses (most common)
Each step up: halve it   (/25=128, /26=64, /27=32, /28=16)
Each step down: double it (/23=512, /22=1024, /21=2048)
Usable = total - 2

Subnet Boundaries

/24: .0 only  (every octet boundary)
/25: .0, .128
/26: .0, .64, .128, .192
/27: .0, .32, .64, .96, .128, .160, .192, .224
/28: multiples of 16

Common Commands

Task                     Command
Show IP and mask         ip addr show
Show routes              ip route show
Calculate subnet         ipcalc 10.0.1.200/26
Check if IP is in range  python3 -c "import ipaddress; print(ipaddress.ip_address('10.0.1.200') in ipaddress.ip_network('10.0.1.192/26'))"

Takeaways

  1. CIDR is just "how many bits are network." /24 = 24 network bits, 8 host bits = 256 addresses. That's the whole concept.

  2. Each CIDR step doubles or halves. /24=256, /25=128, /26=64. You can do this in your head.

  3. Usable = total - 2. Network address (first) and broadcast (last) can't be assigned.

  4. Plan for growth. Subnets can't easily grow. Start with /24 for most things, /22 for Kubernetes pods. Don't use /16 for a single subnet.

  5. RFC 1918 extended IPv4's life by decades. Private ranges + NAT = most of the internet runs on 10.x and 192.168.x internally.


  • What Happens When You Click a Link — IP routing at step 3
  • iptables: Following a Packet — source/destination matching uses CIDR
  • Connection Refused — when subnet misconfiguration causes connectivity issues