If you've spent any time reading about IP addresses, you've seen notation like 192.168.1.0/24, 10.0.0.0/8, or 8.8.8.0/24. The part before the slash looks like a normal IP address. The part after the slash — the number — looks like an afterthought.
It isn't. The slash number tells you exactly which IP addresses belong to that network and which don't. It defines the size of the block, the first address, the last address, and how many hosts can fit inside. Once you can read it, a lot of networking writing that looked opaque — firewall rules, routing tables, ISP allocations, the RFC 1918 blocks described in our private IP ranges post — clicks into place immediately.
What CIDR stands for
CIDR is "Classless Inter-Domain Routing". It was introduced in 1993 to replace an older system — the "classful" system — where networks came in only three fixed sizes: Class A (/8), Class B (/16), and Class C (/24). No in-between options.
The problem with classful addressing was that those three sizes were a terrible fit for the actual diversity of networks the internet needed to support. A company that needed 500 addresses had to request a Class B (65,536 addresses) and leave 65,000 of them idle. A company that needed 300 addresses had to take two Class Cs. Every misfit wasted addresses from a pool that was already under pressure.
CIDR threw out the fixed sizes and replaced them with a single idea: a network can be any size you want, described by a base address and a prefix length. That prefix length is the slash number. With CIDR, a network of 500 addresses is a /23; a network of 300 is a /23 as well; a network of 30 is a /27. Every allocation fits its actual requirement, and far fewer addresses go to waste.
The math, in plain language
An IPv4 address is 32 bits — four groups of eight, displayed in decimal as the familiar dotted-quad form. The slash number tells you how many of those 32 bits identify the network, leaving the rest to identify hosts within that network.
- /24 means the first 24 bits are the network; the last 8 bits are the host. 2^8 = 256 possible addresses.
- /16 means 16 bits network, 16 bits host. 2^16 = 65,536 possible addresses.
- /8 means 8 bits network, 24 bits host. 2^24 = 16,777,216 possible addresses.
The pattern holds for any number: subtract the prefix length from 32 to get the number of host bits, then raise 2 to that power to get the number of addresses in the block. A /20 has 12 host bits and therefore 4,096 addresses. A /28 has 4 host bits and therefore 16 addresses.
The direction matters: a smaller slash number means a bigger network. A /8 is enormous — over sixteen million addresses. A /30 is tiny — just four. This trips people up the first time because it's counterintuitive: the number looks smaller, but the network it describes is larger.
Worked example: 192.168.1.0/24
Take 192.168.1.0/24 apart piece by piece.
The base address is 192.168.1.0. The /24 means the first 24 bits are fixed — in dotted-decimal terms, that's the first three octets: 192.168.1. Every address in this network starts with those three octets. The last octet — the remaining 8 bits — can be anything from 0 to 255.
That gives 256 total addresses, running from 192.168.1.0 to 192.168.1.255.
Of those 256, two are reserved and can't be assigned to devices:
- 192.168.1.0 is the network address — the "name" of the network itself. No host gets this address.
- 192.168.1.255 is the broadcast address — used to send a packet to every device on the network simultaneously.
That leaves 254 usable addresses, from 192.168.1.1 to 192.168.1.254. This is the range your router draws from when handing out addresses via DHCP, which is why home networks almost always have devices in the 192.168.1.x or 192.168.0.x range. The CIDR calculator will show you the full breakdown for any prefix you enter.
Worked example: 10.0.0.0/8
Now the other end of the scale. 10.0.0.0/8 has only the first 8 bits fixed — the single octet 10. Every address starting with 10. is in this network: from 10.0.0.0 all the way to 10.255.255.255.
That's 2^24 = 16,777,216 total addresses, with 16,777,214 usable. This is the largest of the three RFC 1918 private blocks — the one ISPs, large enterprises, and data centres tend to use when they need enough room to address thousands of internal devices without ever touching the public internet. A /8 is so large that most organisations carve it into smaller subnets rather than treating it as one flat network.
The non-octet-boundary cases
So far the examples have fallen on neat boundaries: /8 covers exactly one octet, /16 covers two, /24 covers three. But CIDR doesn't have to align to octets, and this is where most people's intuition breaks down.
Consider /22. That's 22 bits for the network and 10 bits for hosts — 2^10 = 1,024 addresses. A valid /22 network is 192.168.4.0/22: the first 22 bits are fixed, which means the first two octets (192.168) are entirely fixed, and the first six bits of the third octet are fixed (000001). The remaining two bits of the third octet can vary, giving third-octet values of 4, 5, 6, and 7. The block spans 192.168.4.0 through 192.168.7.255.
A common point of confusion: 192.168.5.0/22 is not a valid network. For a CIDR prefix to be valid, the host bits — the bits after the prefix length — must all be zero in the base address. 192.168.5.0 has non-zero bits where the host portion begins, so it can't be the base of a /22. The valid base in that neighbourhood is 192.168.4.0/22.
Other useful non-octet examples:
- /20 — 12 host bits, 4,096 addresses. Spans 16 sequential /24 blocks.
- /28 — 4 host bits, 16 addresses (14 usable). Common for small server subnets.
- /30 — 2 host bits, 4 addresses (2 usable). The traditional choice for point-to-point links where you only need two host addresses.
- /29 — 3 host bits, 8 addresses. When an ISP assigns you a /29, you get 8 addresses total; accounting for network address, broadcast, and gateway, 5 are available for your own devices.
For anything beyond mental arithmetic, the CIDR calculator handles the bit-shifting automatically — give it any prefix and it returns the network address, broadcast address, usable host range, and total count.
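The bit arithmetic behind the /22 case above, written out as an added example (not code from this site's calculator). The function names are this example's own; it builds the mask from the prefix length, checks whether the host bits of the base address are zero, and derives the first and last address of the block.

```python
def ip_to_int(addr: str) -> int:
    """Pack a dotted-quad IPv4 address into one 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(cidr: str) -> dict:
    """Break an IPv4 prefix into mask, network, last address and size."""
    addr, _, plen = cidr.partition("/")
    prefix = int(plen)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    host_bits = 32 - prefix
    # Prefix bits set to 1, host bits set to 0.
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    base = ip_to_int(addr)
    network = base & mask            # clears the host bits
    last = network | (~mask & 0xFFFFFFFF)  # sets every host bit
    return {
        "mask": int_to_ip(mask),
        "valid_base": base == network,  # False when host bits are non-zero
        "network": int_to_ip(network),
        "last": int_to_ip(last),
        "total": 1 << host_bits,
    }


if __name__ == "__main__":
    for cidr in ("192.168.4.0/22", "192.168.5.0/22", "192.168.1.0/24"):
        print(cidr, describe(cidr))
```

For 192.168.5.0/22 the result reports `valid_base` as false and gives 192.168.4.0 as the network the address actually falls in.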
The IPv6 version
The same notation works for IPv6, but the numbers are different because an IPv6 address is 128 bits instead of 32. The slash number still means "this many bits are the network prefix; the rest are the host".
A /64 is the standard subnet size in IPv6: 64 bits for the network, 64 bits for hosts. That leaves 2^64 — about 18.4 quintillion — addresses per subnet. IPv6 subnets are intentionally generous. The IPv6 explainer covers why those address counts are so extreme and how the address structure is arranged.
A /48 is a common allocation for an organisation — enough space for 65,536 individual /64 subnets within a single organisation's block. A /128 is exactly one address — the equivalent of an IPv4 /32.
The math principle is identical to IPv4. Only the scale changes.
Why CIDR matters in practice
You might encounter CIDR notation in three contexts more than any others.
Reading network announcements. When an ASN lookup shows that AS15169 announces 8.8.8.0/24, it means Google has told the global routing system that it's responsible for those 256 addresses. The slash number is the entire description of the block being claimed. The ASN explainer walks through how those announcements propagate across the internet via BGP.
Writing firewall rules. Access control lists use CIDR to allow or deny traffic from ranges rather than individual addresses. A rule like "allow 10.0.0.0/8" means "accept traffic from any address in the entire ten-dot RFC 1918 block" — all sixteen million of them, in one line. Without CIDR, you'd need to enumerate them individually, which is obviously impossible.
Allocating addresses. When an ISP assigns you address space, the slash number is the whole negotiation. A /29 gives 8 addresses (5 usable for your equipment after network, broadcast, and gateway). A /28 gives 16 (13 usable). The difference between those two assignments is exactly one bit — but it doubles the available space. Understanding the relationship between slash numbers and block sizes means you can have that conversation without guessing.
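How a CIDR-based access list is evaluated, as an added example that is not part of the original article. The ruleset is constructed, the first-match-then-default-deny order is an assumption of this sketch rather than the behaviour of any particular firewall, and the function names are its own; it uses Python's standard `ipaddress` module and also reports how many addresses each allow rule admits.

```python
import ipaddress

# Constructed sample ruleset: (action, CIDR), evaluated top to bottom.
RULES = [
    ("deny", "10.20.30.0/24"),    # carve-out inside the block below
    ("allow", "10.0.0.0/8"),      # the whole RFC 1918 ten-dot block
    ("allow", "2001:db8::/32"),   # IPv6 prefixes use the same notation
]


def load_rules(rules):
    """Parse each CIDR strictly: a base address with host bits set
    (for example 192.168.5.0/22) raises ValueError instead of being
    silently rounded down to a different network."""
    return [(action, ipaddress.ip_network(cidr, strict=True))
            for action, cidr in rules]


def decide(rules, source: str) -> str:
    """Return the action of the first rule whose block contains source."""
    ip = ipaddress.ip_address(source)
    for action, net in rules:
        # An IPv4 source can only match an IPv4 rule, and likewise for IPv6.
        if ip.version == net.version and ip in net:
            return action
    return "deny"  # assumed default when nothing matches


def allowed_span(rules) -> dict:
    """Map each allow rule to the number of addresses it admits,
    which makes an unintentionally short prefix easy to spot."""
    return {str(net): net.num_addresses
            for action, net in rules if action == "allow"}


if __name__ == "__main__":
    loaded = load_rules(RULES)
    for src in ("10.20.30.7", "10.99.1.1", "192.168.1.10", "2001:db8::1"):
        print(src, "->", decide(loaded, src))
    print(allowed_span(loaded))
```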
The slash number is just a count of fixed bits
Strip away the jargon and CIDR notation is a compact way of writing "these N addresses, starting here". The slash number counts how many bits at the front of the address are fixed. The bits after that count are free to vary, and the number of free bits determines the size of the block.
Once that idea is in place, notation like 172.16.0.0/12 or 2001:db8::/32 stops being intimidating and starts being precise. The slash numbers will start reading like plain language the more you encounter them — and the CIDR calculator is there for any time you'd rather not do the bit-counting by hand.