How to use
Paste a CIDR (`10.0.0.0/24`, `192.168.1.0/26`, `2001:db8::/32`) and the calculator splits it into network address, broadcast address, first / last usable host, subnet mask in both dotted decimal and binary form, wildcard mask, total host count, and usable host count (which excludes the network and broadcast addresses on IPv4). IPv6 inputs show network and first / last address with the full expanded form alongside the compressed `::` notation.
Reach for this when sizing a VPC, planning a private subnet split, troubleshooting a firewall rule, or sanity-checking a route table. A `/24` is "256 IPs, 254 usable"; a `/16` is "65,536 IPs"; a `/8` is "16 million". CIDR prefixes are easy to misread, because the number counts the *bits used for the network*, not the bits left for hosts. This calculator turns the prefix into concrete numbers you can paste into the AWS Console or a Cisco config. Everything runs in the browser as BigInt arithmetic, so no IP address ever leaves your machine.
Examples
A typical AWS subnet (`/24`)
Output
Network: 10.0.1.0
Broadcast: 10.0.1.255
First host: 10.0.1.1
Last host: 10.0.1.254
Mask: 255.255.255.0
Wildcard: 0.0.0.255
Total: 256
Usable: 254
`/24` gives 256 addresses; AWS reserves the first four (10.0.1.0–10.0.1.3) and the last (10.0.1.255) so the actual usable range in a VPC subnet is 251. On bare-metal or non-cloud setups only `.0` (network) and `.255` (broadcast) are reserved, leaving 254. Always check the cloud provider's reservation policy when sizing.
A small subnet (`/29`, 8 addresses)
Output
Network: 192.168.1.0
Broadcast: 192.168.1.7
First host: 192.168.1.1
Last host: 192.168.1.6
Mask: 255.255.255.248
Total: 8
Usable: 6
`/29` is the smallest subnet most clouds and routers actually accept (`/30` and `/31` exist, but `/30` only gives 2 usable IPs after the reservations, and `/31` needs special point-to-point handling per RFC 3021). Useful for tiny segments like a dedicated NAT gateway subnet, a transit interconnect, or a single load balancer pair.
An IPv6 site allocation (`/56`)
Input
2001:db8:abcd:1200::/56
Output
Network: 2001:db8:abcd:1200::
First: 2001:db8:abcd:1200::
Last: 2001:db8:abcd:12ff:ffff:ffff:ffff:ffff
Expanded: 2001:0db8:abcd:1200:0000:0000:0000:0000/56
Total: 4,722,366,482,869,645,213,696 (≈ 4.7 × 10^21)
A `/56` is the typical residential IPv6 allocation from an ISP, giving 256 separate `/64` subnets — each one already larger than the entire IPv4 internet. In IPv6 the concept of "broadcast" is gone (multicast handles that role), so the calculator shows total addresses rather than "usable". Every host on an IPv6 subnet is usable; the math just gets astronomical.
FAQ
What does `/24` actually mean?
The number after the slash is the count of leading bits used to identify the network — 24 of the 32 IPv4 bits in this case. The remaining 8 bits identify hosts within the network, giving 2^8 = 256 addresses. The same logic applies to IPv6: `/64` means 64 network bits and 64 host bits, yielding 2^64 addresses per subnet. Smaller prefix number = bigger network (more host bits); bigger prefix number = smaller network (fewer host bits).
Why are the first and last addresses unusable on IPv4?
The first address (all host bits zero) is the **network address** — a label for the subnet itself, not a host. The last address (all host bits one) is the **broadcast address** — a special destination that delivers to every host in the subnet. RFC 950 reserved both. IPv6 drops this convention because it has no broadcast (multicast handles equivalent jobs), so an IPv6 subnet has every address usable, including what would have been "network" or "broadcast" in v4.
What are the RFC 1918 private ranges?
Three blocks reserved for non-routable internal networks: `10.0.0.0/8` (16M addresses), `172.16.0.0/12` (1M addresses, the 172.16.0.0–172.31.255.255 range), and `192.168.0.0/16` (65K addresses). Home routers use `192.168.0.0/16`, corporate networks usually pick `10.0.0.0/8`. RFC 6598 adds `100.64.0.0/10` as the Carrier-Grade NAT range that ISPs use between you and the public internet. IPv6 has its own private range, `fc00::/7` (ULAs, RFC 4193).
What is the wildcard mask and when do I need it?
The wildcard mask is the bitwise NOT of the subnet mask — 1s where the subnet mask has 0s. For `/24` the subnet mask is `255.255.255.0` and the wildcard is `0.0.0.255`. Cisco ACLs and OSPF area definitions accept wildcard masks instead of subnet masks; AWS security groups and most modern firewalls accept CIDR directly. Treat the wildcard column as "if Cisco asks, paste this".
My VPC CIDR is `10.0.0.0/16`. What sizes should the subnets be?
A pragmatic default is `/24` per subnet — 256 IPs each, room for 256 subnets in a `/16`, easy to read in route tables and security groups. AWS VPC best practices favor `/20` to `/24` for application subnets, with `/27` or `/28` for management or transit subnets. Avoid sizing below `/28` (16 IPs, 11 usable after AWS reservations); ENI requirements creep up fast on Kubernetes / Fargate workloads.
How do I check if two CIDRs overlap?
Compute the network address and total range for each, then check whether one starts inside the other's range. `10.0.0.0/16` (10.0.0.0–10.0.255.255) and `10.0.5.0/24` (10.0.5.0–10.0.5.255) overlap because the second is fully inside the first. `10.0.0.0/16` and `10.1.0.0/16` don't — they're adjacent but distinct. This tool only handles one CIDR at a time, but you can paste each side, read the first and last addresses, and compare visually. For programmatic checks use `ipaddress` (Python), `netaddr` (Ruby), or `cidr-tools` (Node).
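The range comparison described above, written out with Python's standard `ipaddress` module. This is an added example, not part of the calculator; the plan names and the `partner-vpn` entry are constructed sample data.

```python
import ipaddress
from itertools import combinations

def parse(cidr):
    # strict=False clears stray host bits: 10.0.5.7/24 -> 10.0.5.0/24
    return ipaddress.ip_network(cidr, strict=False)

def span(net):
    # First and last address of the block as integers.
    return int(net.network_address), int(net.broadcast_address)

def relation(a, b):
    """Classify two CIDRs by comparing their first/last addresses."""
    a, b = parse(a), parse(b)
    if a.version != b.version:
        return "disjoint"  # IPv4 and IPv6 blocks never overlap
    (a_lo, a_hi), (b_lo, b_hi) = span(a), span(b)
    if (a_lo, a_hi) == (b_lo, b_hi):
        return "equal"
    if a_lo <= b_lo and b_hi <= a_hi:
        return "first contains second"
    if b_lo <= a_lo and a_hi <= b_hi:
        return "second contains first"
    # Prefix-aligned blocks either nest or are disjoint; they cannot
    # partially overlap, so nothing else is left to check.
    return "disjoint"

def audit(plan):
    """Return every overlapping pair in a {name: cidr} plan."""
    findings = []
    for (name_a, cidr_a), (name_b, cidr_b) in combinations(plan.items(), 2):
        rel = relation(cidr_a, cidr_b)
        if rel != "disjoint":
            findings.append((name_a, name_b, rel))
    return findings

# Constructed sample plan: one VPC, a peer, a partner range, an IPv6 site.
PLAN = {
    "vpc-prod": "10.0.0.0/16",
    "vpc-peer": "10.1.0.0/16",
    "partner-vpn": "10.0.5.0/24",
    "site-v6": "2001:db8:abcd:1200::/56",
}

if __name__ == "__main__":
    for finding in audit(PLAN):
        print(finding)
```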
Related concepts
CIDR (Classless Inter-Domain Routing, RFC 4632) replaced the old A / B / C classful addressing in 1993. The new format `address/prefix` lets you slice the address space at any bit boundary instead of the rigid 8 / 16 / 24-bit splits of classful — a major win when the world was running out of IPv4 addresses and needed finer-grained allocation. The IETF's CIDR rollout extended the practical life of IPv4 by roughly two decades and made BGP route table sizes tractable.
Four key numbers map between human and machine views. The **prefix length** (e.g., `/24`) is the count of leading network bits. The **subnet mask** (`255.255.255.0`) is the bit pattern with those bits set to 1. The **wildcard mask** (`0.0.0.255`) is the bit-inverse of the subnet mask. The **host count** is 2^(32 − prefix) for IPv4 or 2^(128 − prefix) for IPv6. Cisco IOS uses the wildcard mask in ACLs and OSPF; everything modern uses CIDR notation directly.
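The four numbers above, derived with plain 32-bit arithmetic for IPv4. This is an added example, not the calculator's own code; the `policy` parameter is hypothetical, its `"aws"` value applies the five reserved addresses described earlier on this page, and treating `/31` and `/32` as having nothing reserved is an assumption of this sketch.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 32 one-bits

def dotted(value):
    return str(ipaddress.IPv4Address(value))

def describe(cidr, policy="classic"):
    """Derive the IPv4 numbers for a CIDR with bit arithmetic.

    policy "classic": network and broadcast addresses are reserved.
    policy "aws": first four addresses and the last one are reserved.
    """
    ip_text, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"IPv4 prefix out of range: /{prefix}")
    addr = int(ipaddress.IPv4Address(ip_text))

    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES  # `prefix` leading 1-bits
    wildcard = mask ^ ALL_ONES                     # bitwise NOT within 32 bits
    network = addr & mask                          # host bits cleared
    broadcast = network | wildcard                 # host bits set
    total = 1 << (32 - prefix)                     # 2^(32 - prefix)

    if policy == "aws":
        usable = max(total - 5, 0)
    elif prefix >= 31:
        usable = total  # assumption: /31 (RFC 3021) and /32 reserve nothing
    else:
        usable = total - 2

    return {
        "network": dotted(network),
        "broadcast": dotted(broadcast),
        "mask": dotted(mask),
        "mask_binary": ".".join(f"{(mask >> s) & 0xFF:08b}" for s in (24, 16, 8, 0)),
        "wildcard": dotted(wildcard),
        "total": total,
        "usable": usable,
    }

if __name__ == "__main__":
    print(describe("10.0.1.0/24"))
    print(describe("10.0.1.0/24", policy="aws"))
```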
Three adjacent concepts are worth knowing. **VLSM** (Variable-Length Subnet Masking) is what CIDR enables — different subnets in the same network can have different sizes, e.g., a `/22` parent split into a `/24` plus a `/23` plus a `/24`. **NAT** (Network Address Translation, RFC 2663) lets many private IPs share one public IP, which is why RFC 1918 ranges work despite not being routable. **Anycast** uses the same IP advertised from multiple locations and lets BGP route to the closest — the core trick behind CDNs, public DNS resolvers (`1.1.1.1`, `8.8.8.8`), and DDoS scrubbing. CIDR is the foundation that all three sit on.
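A VLSM split like the `/22` example above, as an added sketch (not the calculator's code) that places the largest block first so every subnet lands on its own bit boundary. The function name and the subnet names are hypothetical.

```python
import ipaddress

def vlsm_split(parent_cidr, wanted):
    """Carve variable-size subnets out of a parent block.

    wanted maps a subnet name to the prefix length it needs.
    Returns {name: cidr}. Raises ValueError if the request does not fit.
    """
    parent = ipaddress.ip_network(parent_cidr)
    network_cls = type(parent)            # IPv4Network or IPv6Network
    cursor = int(parent.network_address)  # next free address
    plan = {}
    # Smallest prefix number = largest block; allocate those first.
    for name, prefix in sorted(wanted.items(), key=lambda item: item[1]):
        size = 1 << (parent.max_prefixlen - prefix)
        # Round the cursor up to a multiple of the block size. A /23 must
        # start on a /23 boundary, otherwise it is not a valid CIDR.
        cursor = (cursor + size - 1) // size * size
        subnet = network_cls((cursor, prefix))
        if not subnet.subnet_of(parent):
            raise ValueError(f"{name} (/{prefix}) does not fit in {parent}")
        plan[name] = str(subnet)
        cursor += size
    return plan

if __name__ == "__main__":
    # The page's split: a /24 plus a /23 plus a /24 inside a /22.
    print(vlsm_split("10.0.0.0/22", {"web": 24, "app": 23, "db": 24}))
```

Requested in the order `/24`, `/23`, `/24`, the `/23` would start at `10.0.1.0`, which is not a `/23` boundary; sorting by size avoids that.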