
CIDR Notation Explained: The Slash Number Doing All the Work

June 10, 2026 · 10 min read

The Slash Doing All the Work

If you have ever pasted 10.0.0.0/16 into a cloud console, written 0.0.0.0/0 into a security group, or stared at a Kubernetes networking config and wondered why every range had a slash at the end of it, you have already used CIDR notation. You may not have stopped to ask what the slash actually means, because the answer is one of those things that everyone in networking assumes everyone else picked up by osmosis. They mostly did not. They learned to copy the patterns that work and avoid the ones that throw errors.

CIDR notation is a compact, exact way to describe a range of IP addresses. The number after the slash tells you how many of the leading bits in the address identify the network, and by implication how many trailing bits are available for individual hosts. It is genuinely simple once you see the underlying picture, and it stops being something you have to memorize the moment you understand why it exists. This post is the version I wish someone had handed me before I spent a week confidently misreading subnet boundaries in a production VPC.

The World Before CIDR Was a Mess

To explain why the slash exists, you have to look at what it replaced. The original internet, as standardized in the early 1980s, divided the IPv4 address space into rigid classes. A Class A network used the first 8 bits for the network identifier and the remaining 24 bits for hosts, which meant a single Class A allocation gave the holder roughly 16.7 million addresses. A Class B used 16 bits for the network and 16 for hosts, yielding about 65,000 addresses. A Class C used 24 bits for the network and only 8 for hosts, capping you at 254 usable addresses per allocation. There were also Class D (multicast) and Class E (reserved), but the practical action was in A, B, and C.

The problem with classful addressing was that the granularity was terrible. If your organization needed 400 IP addresses, a Class C with 254 was too small, but a Class B with 65,000 was wildly oversized. You requested a Class B because the alternative was running multiple Class Cs and dealing with the resulting routing complexity, and the registries handed them out because that was the only knob they had. By the early 1990s the consequence was visible: the IPv4 address space was being consumed at an unsustainable rate, and the global routing table was growing faster than router hardware could keep up with.

In 1993, the IETF published RFC 1518 and RFC 1519, which introduced Classless Inter-Domain Routing. The core idea was to abandon the fixed 8-, 16-, and 24-bit boundaries entirely. Instead, every network would carry a prefix length specifying how many of its leading bits were network bits. The prefix could be any number from 0 to 32. A network previously identified as a Class B could now be described as 172.16.0.0/16, and a smaller slice of it could be allocated as 172.16.5.0/24. The granularity went from three rigid sizes to thirty-three, and address allocation could finally match actual demand.

CIDR was a bureaucratic fix to an address-exhaustion crisis, and it bought the IPv4 internet roughly two extra decades of useful life. The notation we still use today is the visible residue of that fix.

What the Number After the Slash Actually Means

An IPv4 address is 32 bits. Humans read it as four decimal numbers separated by dots, but the underlying object is just a 32-bit integer. When you write 192.168.1.0/24, you are saying: the first 24 bits of this address identify the network, and the last 8 bits are free to vary across individual hosts in that network.

Once you know the prefix length, everything else falls out arithmetically. The total number of addresses in the block is 2^(32 - prefix). For a /24, that is 2^8, or 256 addresses. For a /16, it is 2^16, or 65,536 addresses. For a /30, it is 2^2, or 4 addresses. Each time you make the prefix one smaller, the block doubles. Each time you make it one larger, the block halves. That doubling-and-halving rule is the single most useful mental tool in subnetting, and it is the thing that lets experienced network engineers eyeball a CIDR block and know roughly what they are looking at without reaching for a calculator.

Two of those addresses in any normal subnet are reserved. The first address in the block is the network address, which identifies the subnet itself and cannot be assigned to a host. The last address is the broadcast address, which is used to send a packet to every host in the subnet at once. For a /24 with 256 total addresses, you therefore get 254 usable host addresses. For a /30 with 4 total, you get 2 usable. The general formula is 2^(32 - prefix) - 2, with two exceptions noted below.

The classic representation of the same information is a dotted-decimal subnet mask. A /24 corresponds to 255.255.255.0, because the first 24 bits are 1s and the last 8 are 0s, and 11111111.11111111.11111111.00000000 in decimal is 255.255.255.0. A /30 corresponds to 255.255.255.252. Older configuration interfaces, and most home router admin pages, still use the dotted-decimal mask. They are saying exactly the same thing as CIDR, just in a less compact way. If you ever need to flip between the two notations without thinking about it, the subnet calculator on this site will hand you both forms plus the network and broadcast addresses for any CIDR block you paste in.

The Edge Cases That Trip People Up

The general formula breaks at the two extreme ends of the prefix range, and these are worth knowing because they show up constantly in production networking.

A /32 is a single address. The prefix length equals the full size of the IPv4 address, so there are no host bits at all and the "block" is just one IP. You see /32 all the time in security group rules ("allow this single jump host"), in BGP route advertisements for individual loopback addresses, and in firewall configurations that want to whitelist a specific machine. Calling it a CIDR block is technically correct but a little ceremonious. It is just an IP with a prefix attached.

A /31 is a special case introduced by RFC 3021 in 2000. Mathematically a /31 has only 2 addresses, and under the normal rule you would lose both to network and broadcast, leaving zero usable hosts. That is useless. RFC 3021 changed the rule for /31 specifically: on a point-to-point link, where there are exactly two endpoints and no need for a broadcast address, both addresses can be used as host addresses. /31s are now standard for router-to-router links and conserve a meaningful amount of address space across a large network.

At the other extreme, /0 matches every IPv4 address in existence. The string 0.0.0.0/0 is the default route — "send everything we don't have a more specific route for to this next hop." In a cloud security group, an inbound rule allowing 0.0.0.0/0 on port 22 is the configuration that gets you on the front page of Hacker News for the wrong reasons. It is the polite notation for "the entire internet."
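To make the arithmetic in the last two sections concrete, here is a short Python script, added as an illustration and not code from the original post, that does the bit-level work by hand: it turns the dotted-decimal text into the 32-bit integer it really is, derives the mask from the prefix, and computes the network address, broadcast address, total count and usable count, applying the /31 and /32 exceptions. The function names and the sample blocks are my own choices.

```python
IPV4_BITS = 32
ALL_ONES = (1 << IPV4_BITS) - 1


def ip_to_int(dotted: str) -> int:
    """Turn dotted-decimal text into the 32-bit integer it has always been."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int: split the integer back into four octets."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/n means the n leading bits are 1 and the remaining 32 - n bits are 0."""
    if not 0 <= prefix <= IPV4_BITS:
        raise ValueError(f"prefix length must be 0..32, got {prefix}")
    return (ALL_ONES << (IPV4_BITS - prefix)) & ALL_ONES


def describe(cidr: str) -> dict:
    """Everything the slash implies, derived purely from bit arithmetic."""
    addr_text, sep, prefix_text = cidr.partition("/")
    if not sep:
        raise ValueError(f"missing prefix length in {cidr!r}")
    prefix = int(prefix_text)
    addr = ip_to_int(addr_text)
    mask = prefix_to_mask(prefix)
    network = addr & mask                       # host bits forced to 0
    broadcast = network | (~mask & ALL_ONES)    # host bits forced to 1
    total = 1 << (IPV4_BITS - prefix)           # 2^(32 - prefix)
    # Usable hosts: the general rule reserves the first and last address,
    # except on a /31 (RFC 3021 point-to-point: both usable) and a /32 (one host).
    if prefix == IPV4_BITS:
        usable = 1
    elif prefix == IPV4_BITS - 1:
        usable = 2
    else:
        usable = total - 2
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),      # on a /31 or /32 this is simply the last address
        "mask": int_to_ip(mask),
        "prefix": prefix,
        "total": total,
        "usable": usable,
        # True when the text named a host inside the block rather than the block itself,
        # e.g. 10.0.0.17/24 instead of 10.0.0.0/24
        "host_bits_set": addr != network,
    }


if __name__ == "__main__":
    # Constructed sample blocks covering the normal case and both edge cases.
    for block in ("192.168.1.0/24", "10.0.0.17/24", "192.0.2.0/30",
                  "10.1.1.0/31", "10.1.1.1/32", "0.0.0.0/0"):
        info = describe(block)
        print(f"{block:>16}  net={info['network']:<15} bcast={info['broadcast']:<15} "
              f"mask={info['mask']:<15} total={info['total']:<10} usable={info['usable']}")
```

The point of writing it with shifts and masks rather than a library is that every line maps onto a sentence above: the mask is "prefix ones then zeros", the network address is "host bits cleared", the broadcast is "host bits set", and the count is 2 to the power of the remaining bits.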

The Small Set of Prefixes You Will Actually See

In practice, the universe of prefix lengths you encounter in day-to-day work is much smaller than the 33 possibilities the standard allows. Knowing the common ones by sight saves an enormous amount of cognitive overhead.

/8, /12, /16 are the prefixes RFC 1918 uses to define the private IP ranges that almost every internal network in the world relies on. 10.0.0.0/8 gives you 16.7 million private addresses and is the default for most large cloud and enterprise networks. 172.16.0.0/12 gives you roughly a million and is the often-forgotten middle option. 192.168.0.0/16 gives you 65,536 and is what your home router has been handing out since you bought it. These three ranges are not routable on the public internet, which is exactly what makes them safe to reuse inside private networks.

/16 and /24 are the workhorses of cloud networking. An AWS VPC can be sized between a /16 and a /28, but in practice almost everyone picks a /16 for the VPC itself and then carves it into /24 subnets, one per availability zone or tier. A /24 with 254 usable hosts is a nicely sized chunk that maps cleanly to one logical network segment, and the math is simple: the third octet of the IP tells you which subnet, the fourth octet tells you which host.

/30 and /31 are the standard for point-to-point links. A /30 gives you 2 usable hosts (the two router interfaces) plus the wasted network and broadcast addresses; a /31 gives you the same 2 usable hosts without the waste. Older equipment that does not support RFC 3021 still uses /30 for these links.

/10 is the prefix length used by RFC 6598 for the Carrier-Grade NAT range 100.64.0.0/10. If you are debugging odd-looking IPs on a mobile or residential ISP connection, that is what you are looking at: a third private-ish range, allocated specifically for the layer of NAT that sits between subscribers and the public internet.

/12, /14, /16 are typical for Kubernetes pod and service CIDRs. A common cluster default is a /14 for pods and a /12 or /16 for services, which gives you tens of thousands of available pod IPs without colliding with your VPC's primary range. Picking these wrong at cluster creation time is a remarkably painful mistake to recover from, which is why every Kubernetes provisioning guide spends a paragraph on it.

Subnetting Is Halving, Repeatedly

Once you internalize the doubling rule, subnetting is much less mysterious. Splitting a network in half means taking the prefix length and adding one to it. A /24 with 256 addresses, split in half, becomes two /25s of 128 addresses each. Split those again and you have four /26s of 64 addresses. Split again, eight /27s of 32 addresses. Each successive cut halves the block size and adds one to the prefix.

This is the foundation of Variable Length Subnet Masking — the practice of carving a single allocated range into subnets of different sizes to fit different needs. A typical office allocation might take a single /22 (1024 addresses) and split it into a /23 for the wired user network, a /24 for guest Wi-Fi, two /27s for server segments, and a handful of /30s for the inter-router links. The total has to add up to the original allocation, and the boundaries have to fall on power-of-two address counts. That second constraint is why subnets always start on certain addresses and not others: a /26 can only begin at an address whose last six bits are zero (the .0, .64, .128, or .192 in a typical fourth octet), because those are the only addresses where the prefix actually lines up with the bit boundary.

The constraint feels arbitrary until you remember that the prefix length is literally counting bits. A network whose first 26 bits are fixed has to start at an address where those 26 bits can actually be fixed without truncating anything. The boundaries are the points where the bit math works out cleanly. There is nothing else to it.
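The halving rule and the alignment constraint are easiest to believe once you watch them allocate something. The Python below is an added example, not code from the original post: it carves the office allocation described above out of a /22 with a first-fit allocator, placing each subnet on the next boundary aligned to its own size, and it reports the addresses wasted when smaller blocks are handed out before larger ones. The function names, the parent block 10.10.0.0/22 and the request list are my own.

```python
import ipaddress

IPV4_BITS = 32


def block_size(prefix: int) -> int:
    """Number of addresses in a /prefix block: 2^(32 - prefix)."""
    return 1 << (IPV4_BITS - prefix)


def is_aligned(address: str, prefix: int) -> bool:
    """A /prefix network may only start where its low (32 - prefix) bits are zero,
    which is the same as saying the address is a multiple of the block size."""
    return int(ipaddress.IPv4Address(address)) % block_size(prefix) == 0


def carve(parent_cidr: str, prefixes, largest_first: bool = True) -> dict:
    """Hand out one subnet per requested prefix length from the parent block.

    Each subnet is placed at the next boundary aligned to its own size. With
    largest_first=True the requests are served biggest block first, which keeps
    the cursor aligned and wastes nothing; with largest_first=False they are
    served in the order given, so small blocks can leave unusable gaps before
    the next large one can start on a legal boundary.
    """
    parent = ipaddress.ip_network(parent_cidr)
    base = int(parent.network_address)
    end = base + parent.num_addresses                 # one past the last address
    order = sorted(prefixes) if largest_first else list(prefixes)  # smaller prefix = bigger block
    cursor, wasted, subnets = base, 0, []
    for prefix in order:
        size = block_size(prefix)
        start = -(-cursor // size) * size             # round up to the next multiple of size
        if start + size > end:
            raise ValueError(f"a /{prefix} does not fit in what is left of {parent_cidr}")
        wasted += start - cursor                      # addresses skipped to reach the boundary
        subnets.append(ipaddress.ip_network(f"{ipaddress.IPv4Address(start)}/{prefix}"))
        cursor = start + size
    return {"subnets": subnets, "free_tail": end - cursor, "gaps": wasted}


# Constructed request list: the office layout from the text, carved from a /22.
OFFICE_REQUESTS = [23, 24, 27, 27, 30, 30, 30]   # users, guest Wi-Fi, 2 server segments, 3 links

if __name__ == "__main__":
    ordered = carve("10.10.0.0/22", OFFICE_REQUESTS)
    reversed_order = carve("10.10.0.0/22", OFFICE_REQUESTS[::-1], largest_first=False)
    for label, plan in (("largest first", ordered), ("smallest first", reversed_order)):
        print(f"{label}: gaps={plan['gaps']} free_tail={plan['free_tail']}")
        for net in plan["subnets"]:
            print(f"  {net!s:<18} {net.num_addresses:>4} addresses")
    for addr in ("10.0.0.64", "10.0.0.96"):
        print(f"{addr}/26 aligned: {is_aligned(addr, 26)}")
```

Run it and the two orderings use exactly the same 844 addresses, but serving the /30s first strands 180 of the 1024 in gaps that no later block can start in, while largest-first leaves those 180 as one contiguous tail that is still usable. That is the whole practical content of "boundaries have to fall on power-of-two address counts".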

How To Read Any CIDR You Meet

If you internalize four things, you can read any CIDR block in the wild without thinking about it. First, the prefix counts network bits, so a smaller number means a larger block. Second, the address count is 2 to the power of (32 minus the prefix), and every step up in prefix length halves it. Third, the first and last addresses are usually reserved, except in the special cases of /31 (point-to-point) and /32 (single host). Fourth, the network address has to fall on a boundary aligned with the prefix, which is why 10.0.0.0/24 is legal but 10.0.0.17/24 is a sloppy way of saying the same network with one host inside it.

The arithmetic is not hard, but it is fiddly enough that no one does it by hand in production. The point of understanding the underlying picture is not to compute network and broadcast addresses in your head; it is to read a configuration and immediately know whether a range collides with another, whether a security rule is too permissive, or whether a proposed VPC layout has enough room to grow. The computer can do the arithmetic. You just have to know what you are asking it to compute.
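Here is what "let the computer do the arithmetic" looks like for the three questions just listed. This is an added Python example, not code from the original post: it uses the standard library ipaddress module to flag an inbound rule that opens a sensitive port to 0.0.0.0/0, to flag a rule written with host bits set (the 10.0.0.17/24 habit), to find collisions between named ranges such as a VPC and a Kubernetes pod CIDR, and to catch a subnet that does not actually sit inside the block it was supposed to be carved from. The port list, the rule set and the range names are constructed for the example.

```python
import ipaddress

ANYWHERE = ipaddress.ip_network("0.0.0.0/0")
# Constructed policy: ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


def audit_rules(rules):
    """rules: iterable of (source_cidr, port) inbound allow rules.
    Returns a list of (source_cidr, port, issue) findings in rule order."""
    findings = []
    for source, port in rules:
        iface = ipaddress.ip_interface(source)      # tolerates host bits being set
        if iface.ip != iface.network.network_address:
            # 10.0.1.17/24 names a host, not the network; the rule still means 10.0.1.0/24
            findings.append((source, port, "host_bits_set"))
        if iface.network == ANYWHERE and port in SENSITIVE_PORTS:
            findings.append((source, port, "open_to_internet"))
    return findings


def find_overlaps(named_cidrs):
    """named_cidrs: mapping name -> cidr. Returns sorted name pairs whose ranges collide."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in named_cidrs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def outside_parent(parent_cidr, subnet_cidrs):
    """Subnets that do not sit inside the block they are supposed to be carved from."""
    parent = ipaddress.ip_network(parent_cidr)
    return [s for s in subnet_cidrs if not ipaddress.ip_network(s).subnet_of(parent)]


# Constructed sample input resembling a security-group rule list and a network plan.
RULES = [
    ("0.0.0.0/0", 443),          # public web: fine
    ("0.0.0.0/0", 22),           # SSH from the entire internet: not fine
    ("203.0.113.7/32", 22),      # SSH from one jump host: fine
    ("10.0.1.17/24", 5432),      # meant 10.0.1.0/24; host bits set
    ("100.64.0.0/10", 80),       # CGNAT range: fine for this check
]
RANGES = {
    "vpc": "10.0.0.0/16",
    "pods": "10.0.0.0/14",       # collides with the VPC
    "services": "10.96.0.0/12",
    "office": "10.10.0.0/22",
}
VPC_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.1.0.0/24"]   # last one is outside the VPC

if __name__ == "__main__":
    for finding in audit_rules(RULES):
        print("rule:", finding)
    for pair in find_overlaps(RANGES):
        print("overlap:", pair)
    for subnet in outside_parent("10.0.0.0/16", VPC_SUBNETS):
        print("outside vpc:", subnet)
```

Checks like these belong in whatever gate reviews infrastructure changes, because a human reading a long rule list will skim past the one line that matters; the module's overlaps() and subnet_of() do the prefix comparison correctly, so the only thing you have to get right is the question.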

The slash, in other words, is doing a lot of work. Once you can see what it is doing, the entire vocabulary of IP networking gets quieter, and the configs that used to look like noise start reading like sentences.
