Subnetting Made Simple: A Visual Guide to CIDR Notation
Every device on a network needs an address. Your laptop, your phone, that printer in the hallway that nobody can ever seem to connect to. These addresses are called IP (Internet Protocol) addresses, and they look like this: 192.168.1.42. That much is familiar to most people. The part that tends to trip people up is what comes next: how do you organize thousands or millions of those addresses into something manageable? The answer is subnetting, and the notation we use to describe it is called CIDR (Classless Inter-Domain Routing, pronounced "cider"). By the end of this guide, you'll be able to read CIDR notation fluently and understand how networks carve up address space.
An IPv4 (Internet Protocol version 4) address is a 32-bit number. We write it as four groups of numbers separated by dots, where each group ranges from 0 to 255. The address 192.168.1.42 looks human-readable, but underneath, your computer sees it as a string of 32 ones and zeros. Each of those four groups represents 8 bits (called an "octet"), and 4 octets times 8 bits gives us 32 bits total.
Dotted decimal: 192 . 168 . 1 . 42
Binary: 11000000 . 10101000 . 00000001 . 00101010Here's the key idea behind subnetting: every IP address has two parts. The first part identifies which network the device belongs to, and the second part identifies the specific device within that network. Think of it like a street address. "123 Elm Street" has two pieces of information: "Elm Street" tells you which street, and "123" tells you which house. IP addresses work the same way, except the boundary between the network part and the device part can move.
CIDR notation is how we express where that boundary sits. When you see an address written as 192.168.1.0/24, the number after the slash tells you how many of the 32 bits belong to the network portion. In this case, the first 24 bits (the first three octets) identify the network, and the remaining 8 bits identify individual devices. That gives us a clear, compact way to describe a block of addresses.
11000000 . 10101000 . 00000001 . 00000000
|---- network (24 bits) ----| |- host -|The bits left over after the network portion determine how many devices (called "hosts" in networking) can live on that subnet. With 8 host bits, you can represent 2 to the power of 8 values, which is 256. But two of those are reserved: the first address (all host bits set to zero) identifies the network itself, and the last address (all host bits set to one) is the broadcast address, used to send a message to every device on the subnet. That leaves 254 usable addresses. For a /24 network like 192.168.1.0/24, the usable range runs from 192.168.1.1 through 192.168.1.254.
The slash number can be anything from /0 (the entire internet, all 4.3 billion addresses) to /32 (a single specific address). As the number goes up, the network gets smaller. A /16 gives you 65,534 usable hosts. A /24 gives you 254. A /28 gives you 14. Each step up cuts the available space roughly in half. Here's a reference table for the most commonly used sizes:
| CIDR | Subnet Mask | Total Addresses | Usable Hosts | Typical Use |
|---|---|---|---|---|
/8 | 255.0.0.0 | 16,777,216 | 16,777,214 | Huge enterprise or ISP blocks |
/16 | 255.255.0.0 | 65,536 | 65,534 | Large campus or data center |
/20 | 255.255.240.0 | 4,096 | 4,094 | Cloud VPC default (AWS, GCP) |
/24 | 255.255.255.0 | 256 | 254 | Office floor, small branch |
/27 | 255.255.255.224 | 32 | 30 | Server VLAN, DMZ |
/28 | 255.255.255.240 | 16 | 14 | Small department, point-to-point links |
/30 | 255.255.255.252 | 4 | 2 | Router-to-router links |
/32 | 255.255.255.255 | 1 | 1 | Single host (loopback, static route) |
You'll notice the table also includes something called a "subnet mask." This is an older way of expressing the same information as the CIDR slash number. A subnet mask is a 32-bit number where all the network bits are set to 1 and all the host bits are set to 0. For a /24, the mask is 255.255.255.0, because the first 24 bits are ones (three full octets of 255) and the last 8 bits are zeros. CIDR notation and subnet masks are interchangeable; CIDR is just more compact, which is why it has become the standard way to talk about network sizes.
Subnetting gets interesting when you start dividing a larger network into smaller pieces. Say your organization owns the block 10.1.0.0/16, which gives you about 65,000 addresses. You probably don't want all 65,000 devices on a single flat network. Instead, you'd split it into smaller subnets: maybe 10.1.1.0/24 for the engineering team, 10.1.2.0/24 for marketing, 10.1.10.0/24 for the Wi-Fi network, and so on. Each /24 is a self-contained block of 254 addresses carved out of the larger /16. This hierarchy keeps traffic organized, improves security by isolating groups of devices, and makes troubleshooting far easier because you can see at a glance which part of the network a device belongs to.
10.1.0.0/16 (parent: 65,534 usable hosts)
├── 10.1.1.0/24 Engineering (254 hosts)
├── 10.1.2.0/24 Marketing (254 hosts)
├── 10.1.10.0/24 Wi-Fi (254 hosts)
├── 10.1.20.0/24 Servers (254 hosts)
└── ... 252 more /24s availableOne common source of confusion is the difference between the network address and the first usable address. When someone says "the 10.1.1.0/24 network," they mean the entire block of 256 addresses starting at 10.1.1.0. The address 10.1.1.0 itself is the network identifier, and you wouldn't assign it to a device. The first address you'd actually hand out is 10.1.1.1, and the last is 10.1.1.254. The final address, 10.1.1.255, is the broadcast address for that subnet. This convention holds true regardless of the subnet size: the first address is the network, the last is the broadcast, and everything in between is fair game.
A practical question that comes up frequently is: "How do I pick the right size subnet for a given use case?" The answer depends on how many devices you need to support, plus some room for growth. If you're setting up a network for an office floor with 40 workstations, a /24 (254 usable addresses) gives you plenty of room. A /26 (62 usable addresses) would also work but leaves less margin. Going too large wastes address space, and going too small means you'll have to re-subnet later, which is always more painful than planning ahead. A good rule of thumb is to allocate roughly twice as many addresses as you expect to need, rounding up to the nearest standard CIDR block size.
There's one more piece of context worth understanding: private versus public address space. Three ranges of IPv4 addresses are reserved for private use, meaning they can be used freely within internal networks but aren't routable on the public internet. These are 10.0.0.0/8 (about 16.7 million addresses), 172.16.0.0/12 (about 1 million addresses), and 192.168.0.0/16 (about 65,000 addresses). If you've ever configured a home router, you've seen the 192.168.x.x range. Businesses typically use the 10.x.x.x range because it provides the most room. Every internal network you build will draw from one of these three pools, and subnetting is how you organize the addresses within them.
The mental model to keep in your back pocket is straightforward: the number after the slash tells you how many bits are locked in as the network identifier. The remaining bits are yours to assign to devices. More network bits means a smaller, more specific network. Fewer network bits means a larger, broader one. Once that clicks, you can read any CIDR block at a glance, estimate its size, and understand where it fits in a larger network hierarchy. Subnetting isn't hard. It just looks intimidating until someone explains it without the jargon.