/24 means 256 addresses. /16 means 65,536. /32 means exactly one. The number after the slash is how many bits are locked in place. Once that clicks, subnetting stops being mysterious.
I spent an embarrassing amount of time early in my career avoiding subnetting. I would copy VPC configurations from Stack Overflow and hope they worked. Then one afternoon I sat down and actually learned the binary math, and the whole thing took maybe fifteen minutes to understand permanently.
What the slash number actually means
An IPv4 address is 32 bits long. That is it. The number after the slash in CIDR notation tells you how many of those 32 bits define the network portion. The remaining bits define the host portion, which is where individual device addresses live.
/24 means the first 24 bits are the network. That leaves 32 - 24 = 8 bits for hosts. 2^8 = 256 possible addresses. But two are reserved: the network address (all host bits set to 0) and the broadcast address (all host bits set to 1). So you get 254 usable addresses.
The formula for usable hosts: 2^(32 - prefix) - 2. It holds for /30 and shorter prefixes; /31 and /32 are the exceptions, covered below.
/16 gives you 2^16 - 2 = 65,534 usable hosts. /8 gives you 2^24 - 2 = 16,777,214. The numbers get large fast.
The subnet mask connection
Before CIDR notation existed, people wrote subnet masks. 255.255.255.0 is the same as /24. Each 255 is 8 bits set to 1, so three 255s is 24 bits.
255.255.0.0 = /16. 255.0.0.0 = /8. These are easy. Where it gets interesting is non-octet boundaries.
255.255.255.128 = /25. That 128 in binary is 10000000, which is one more bit set to 1. So /25 splits a /24 in half: 126 usable hosts per subnet instead of 254.
255.255.255.192 = /26. That gives you 62 usable hosts. You are carving the address space into smaller and smaller blocks, each time by powers of two.
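As an added example (not code from the original post), here is the prefix, mask, network and broadcast arithmetic above done with plain bit operations rather than the ipaddress module, so the relationship between the slash number and the mask is visible. It also applies the usable-host formula with its two exceptions, /31 (RFC 3021 point-to-point) and /32 (single host), and rejects a non-contiguous mask such as 255.0.255.0, which no valid prefix can express. All helper names are my own.

```python
# Added example: CIDR math by hand. Not from the original post.

def ip_to_int(dotted: str) -> int:
    """'192.168.1.10' -> 32-bit integer (big-endian, like the wire format)."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return int.from_bytes(bytes(parts), "big")


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def prefix_to_mask_int(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set to 1, the rest 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return ((1 << prefix) - 1) << (32 - prefix)


def prefix_to_mask(prefix: int) -> str:
    """/25 -> '255.255.255.128'."""
    return int_to_ip(prefix_to_mask_int(prefix))


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.192' -> 26. A mask must be a run of 1s followed by 0s;
    anything else (255.0.255.0) has no CIDR prefix and is rejected."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != prefix_to_mask_int(ones):
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def usable_hosts(prefix: int) -> int:
    """2^(32 - prefix) - 2, except that a /31 has no network/broadcast
    addresses (RFC 3021) and a /32 is exactly one host."""
    size = 1 << (32 - prefix)
    return size if prefix >= 31 else size - 2


def describe(cidr: str) -> dict:
    """Network, broadcast, mask and host counts for any address/prefix."""
    addr, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = prefix_to_mask_int(prefix)
    network = ip_to_int(addr) & mask          # host bits forced to 0
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits forced to 1
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "mask": int_to_ip(mask),
        "addresses": 1 << (32 - prefix),
        "usable": usable_hosts(prefix),
    }


if __name__ == "__main__":
    # Constructed sample inputs, including the non-octet /12 and /25 cases.
    for c in ("10.0.1.77/24", "192.168.1.200/25", "172.16.5.9/12", "10.1.1.1/31"):
        print(c, describe(c))
```

Feeding an address that is not itself the network address (192.168.1.200/25) is deliberate: masking the host bits off is what turns a host's configured address into the subnet it belongs to, which is the same operation a router performs on every packet.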
The subnets you will actually use
Here are the ones that come up constantly:
- /32 - single host (1 address). Used for specific routes and security rules.
- /31 - point-to-point link (2 addresses). Used between two routers. RFC 3021 made this valid by eliminating the need for network and broadcast addresses on a two-device link.
- /30 - smallest traditional subnet (4 addresses, 2 usable). Used for router-to-router links before /31 was standardized.
- /28 - 16 addresses, 14 usable. Common for small DMZ segments.
- /24 - 256 addresses, 254 usable. The default "one subnet" for most office networks.
- /16 - 65,536 addresses. Typical VPC size.
- /8 - 16.7 million addresses. The big private ranges.
Private address ranges
Three blocks are reserved for private use. You will see these everywhere:
10.0.0.0/8 gives you 16.7 million addresses. AWS, GCP, and Azure all default to this range for VPCs. It is the largest private block and gives you the most room to subdivide.
172.16.0.0/12 gives you about 1 million addresses. The /12 is often confusing because it does not land on an octet boundary. It covers 172.16.0.0 through 172.31.255.255. Docker uses 172.17.0.0/16 by default, which lives inside this range.
192.168.0.0/16 gives you 65,536 addresses. Your home router almost certainly uses this. 192.168.1.0/24 or 192.168.0.0/24 are the most common home network subnets.
A real AWS VPC example
When you create a VPC in AWS, you assign it a CIDR block. Say you pick 10.0.0.0/16. That gives you 65,536 addresses to work with.
Now you need subnets across availability zones. A common pattern:
- 10.0.1.0/24 for public subnet in AZ-a (254 usable IPs)
- 10.0.2.0/24 for public subnet in AZ-b
- 10.0.3.0/24 for private subnet in AZ-a
- 10.0.4.0/24 for private subnet in AZ-b
Each /24 gives you enough room for typical workloads. You have used 4 of the 256 possible /24 subnets inside your /16, leaving plenty of room to grow.
AWS reserves 5 addresses per subnet (not the usual 2): the network address, the VPC router, the DNS server, a reserved-for-future-use address, and the broadcast address. So a /24 in AWS gives you 251 usable IPs, not 254.
If you need more than 254 hosts in a subnet, go to /23 (510 usable) or /22 (1022 usable). Kubernetes clusters often need larger subnets because every pod gets an IP.
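As an added example (not from the original post and not AWS tooling), the following carves a VPC CIDR into equal subnets, lists the five addresses AWS reserves in each (network, router, DNS, future use, broadcast, at the offsets the text describes) and picks the smallest subnet that fits a host count under that reservation, so "more than 254 hosts" resolves to /23 with 507 usable rather than the textbook 510. The assumption that AWS subnets run from /16 to /28 is mine, as are all the function names.

```python
# Added example: VPC subnet planning under AWS's 5-address reservation.
# Not from the original post; not AWS code.

def ip_to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer."""
    return int.from_bytes(bytes(int(p) for p in dotted.split(".")), "big")


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted quad."""
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def subnets(vpc_cidr: str, new_prefix: int) -> list[str]:
    """Every /new_prefix block inside vpc_cidr, in address order.
    A /16 split into /24s yields 2^(24-16) = 256 blocks, 256 addresses apart."""
    addr, prefix_str = vpc_cidr.split("/")
    prefix = int(prefix_str)
    if new_prefix < prefix:
        raise ValueError("subnet prefix must be at least as long as the VPC prefix")
    base = ip_to_int(addr) & (((1 << prefix) - 1) << (32 - prefix))
    step = 1 << (32 - new_prefix)
    count = 1 << (new_prefix - prefix)
    return [f"{int_to_ip(base + i * step)}/{new_prefix}" for i in range(count)]


def usable(prefix: int) -> int:
    """Textbook count: lose network and broadcast."""
    return (1 << (32 - prefix)) - 2


def aws_usable(prefix: int) -> int:
    """AWS count: network, router, DNS, future-use and broadcast are all taken."""
    return (1 << (32 - prefix)) - 5


def aws_reserved(subnet_cidr: str) -> list[str]:
    """The five addresses AWS holds back in a subnet, lowest to highest."""
    addr, prefix_str = subnet_cidr.split("/")
    size = 1 << (32 - int(prefix_str))
    base = ip_to_int(addr)
    # offsets 0..3 are network, VPC router, DNS, future use; the last is broadcast
    return [int_to_ip(base + o) for o in (0, 1, 2, 3)] + [int_to_ip(base + size - 1)]


def smallest_aws_prefix(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose AWS-usable count covers `hosts`.
    Assumes AWS's /16 .. /28 subnet size limits."""
    for prefix in range(28, 15, -1):
        if aws_usable(prefix) >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single AWS subnet")


if __name__ == "__main__":
    blocks = subnets("10.0.0.0/16", 24)
    print(len(blocks), "subnets; the plan from the text uses", blocks[1:5])
    print("reserved in 10.0.1.0/24:", aws_reserved("10.0.1.0/24"))
    for p in (24, 23, 22):
        print(f"/{p}: textbook {usable(p)} usable, AWS {aws_usable(p)} usable")
    print("300 hosts need a /%d" % smallest_aws_prefix(300))
```

The gap between `usable` and `aws_usable` is small per subnet but it is exactly what bites when a capacity plan is made with the textbook 254 and a Kubernetes node pool then fails to schedule its last few pods.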
Why /31 works for point-to-point
Traditional subnetting says you always lose two addresses to network and broadcast. But on a link between exactly two routers, there is no need for broadcast. RFC 3021 recognized this and allowed /31 subnets for point-to-point links.
This matters at scale. If you run a data center with thousands of router-to-router links, using /30 for each one wastes half your addresses. /31 wastes none. Most modern network operating systems support it.
The mental math shortcut
When someone asks how many hosts fit in a /21, you do not need to reach for a calculator. Start from /24 (256 addresses) and double for each bit: /23 is 512, /22 is 1024, /21 is 2048. Subtract 2 for usable hosts: 2046.
Going the other direction from /24: /25 is 128, /26 is 64, /27 is 32, /28 is 16. Half each time.
Once you internalize this doubling/halving pattern, you can subnet in your head. The whole system is just powers of two with a consistent offset of 2 for the reserved addresses.
Subnetting is one of those topics that looks harder than it is because networking courses wrap it in jargon. The underlying math is addition and exponents. Learn it once and it sticks.
I'm Michael Lip. I build free developer tools at zovo.one. 350+ tools, all private, all free.