CIDR Subnet Calculator with Host Range + Binary View

They're two notations for the same thing. /24 is CIDR (Classless Inter-Domain Routing) and counts how many bits identify the network: 24 in this case. 255.255.255.0 is the dotted-decimal form, which is 24 binary ones followed by 8 zeros. CIDR is what you'll see in modern routing tables, BGP announcements, and most documentation. Dotted-decimal still shows up in older Cisco IOS configurations and Windows Server interfaces. A network engineer should be able to read both fluently and switch between them without converting in their head.

One address is reserved at the bottom of the range as the network address (all-zeros host portion), used to identify the subnet itself in routing tables. One is reserved at the top as the broadcast address (all-ones host portion), used to send packets to every host on the segment. Two exceptions matter. /31 subnets per RFC 3021 use both addresses for point-to-point links because the broadcast concept doesn't apply on a two-host segment. /32 represents a single host route where the question doesn't arise.

A handful of places. Cisco access control lists use wildcard masks because the syntax developed before CIDR became universal: `permit ip 192.168.1.0 0.0.0.255` matches the /24. OSPF network statements use the same notation when defining which interfaces participate in an area. Some firewall rule languages (older Juniper, certain iptables patterns) also accept wildcards for non-contiguous matching, like matching only odd-numbered addresses in a range. Outside those contexts, subnet masks are what you want.

Print operations grow when departments add devices, so a /27 (30 usable hosts) is the conservative choice for an office under 20 printers today. /28 (14 usable) is tighter and renumbers painfully if you outgrow it. Moving printers between subnets means coordinating IP changes across print servers, GPO settings, and direct-IP queue references. The calculator's Usable Hosts output gives you the realistic ceiling. Don't size by today's count. Size by the count you'll have in three years.

A few common failure modes. Most often: martian routes leak when private addresses get mistakenly redistributed into BGP announcements. Then there's the merger problem, where two acquired networks both run 192.168.0.0/16 and you discover IP collisions during integration testing. NAT hairpinning bites people too, when two segments share the same private space and you need traffic between them to traverse NAT. RFC 1918 allocates 10/8, 172.16/12, and 192.168/16 as private. Anything outside those ranges that isn't in your IGP shouldn't be routed internally. One useful aside: 100.64.0.0/10 (CGNAT space, RFC 6598) is reserved for ISP-side carrier-grade NAT and shouldn't appear in enterprise networks despite looking private-ish.

When a flat /24-everywhere design would burn address space you'll need later. A campus with 200-host office segments, 14-host wiring-closet management VLANs, and 2-host point-to-point WAN links is the canonical VLSM case. Using /24 across all three wastes 90% of the address pool. VLSM also matters for route summarization. Aggregating eight /27s into a /24 reduces routing-table entries upstream, which matters on routers with limited TCAM. For homelab and small office networks under 100 hosts, the savings are theoretical and a flat /24 is fine.

The most common use is loopback interfaces on routers, where /32 gives the device an identity address that stays stable even when physical interfaces flap. Routing protocols use those loopbacks for things like OSPF router-IDs and BGP neighbor relationships. /32s also show up in firewall rules when you need to permit a specific host (and only that host) to reach a destination. VPN endpoints commonly use them. So do BGP next-hop entries where the next hop is a single address rather than a network. The common thread: when routing or filtering needs to talk about exactly one host, /32 is the right prefix length.

A /23 contains 512 addresses (510 usable), which you can split into two /24s, four /25s, eight /26s, sixteen /27s, or down to /30s for point-to-point links. Each bit you borrow from the host portion doubles the subnet count and halves the host count. The manual approach: write out the third octet in binary, identify which bits become subnet bits at each prefix length, and read off the resulting ranges. Sanity-check at /27. The third octet's last bit and the fourth octet's top three bits combine to give 8 subnets of 32 addresses each within a /23.

The network address is the all-zeros host portion (192.168.1.0 in a /24). It identifies the subnet itself and isn't assignable. The first usable host is the network address plus one (192.168.1.1), and that's where most networks place the default gateway, though there's no protocol requirement to do so. Some shops use the last usable address (.254 in a /24) for the gateway instead. Pick a convention and stick to it across the network. Mixed conventions are how on-call engineers find the gateway in an unexpected place at 2 AM.

Convert the IP and the subnet mask to binary, AND them bit-by-bit (1 AND 1 = 1, all other combinations = 0), and convert the result back to decimal. For 192.168.1.100 with mask 255.255.255.0: the IP becomes 11000000.10101000.00000001.01100100, the mask becomes 11111111.11111111.11111111.00000000, the AND result is 11000000.10101000.00000001.00000000 = 192.168.1.0. Worth doing on paper once or twice when you're learning, especially for non-octet-aligned masks like /27 where the third or fourth octet doesn't fall on a clean boundary.

10.0.0.0/8 (16.7M addresses), 172.16.0.0/12 (1M addresses), and 192.168.0.0/16 (65K addresses). For home networks and small offices, 192.168.0.0/16 is the cultural default because every consumer router ships with 192.168.1.x or 192.168.0.x. For enterprise networks, 10.0.0.0/8 gives the most room and the cleanest hierarchical addressing (10.[region].[site].[host]). 172.16.0.0/12 is the awkward middle child, large enough for medium businesses but visually less obvious as private space, so it shows up in network diagrams less often. None of the three is more secure than another. Security comes from NAT and firewalling, not the address range.

A few possibilities. The first thing to check is whether you're on a /31 (RFC 3021 point-to-point), because there is no broadcast in that case. Both addresses are usable hosts, and most routers display the link's directed broadcast differently than the standard math suggests. If it isn't a /31, look at whether the router is using directed-broadcast suppression. That's been the security default on modern Cisco IOS images for years. The broadcast address exists, but the router won't forward to it. The other common cause is just a fat-fingered mask: somebody typed /25 instead of /24 in the interface config. The calculator returns the standards-defined broadcast (the all-ones host address), which is correct for /30 and shorter but never matters on /31s.