Calculate Subnet Mask from CIDR: Step-by-Step Guide

CIDR notation like 192.168.1.0/24 is everywhere - AWS VPCs, firewall rules, Docker networks, Kubernetes pod CIDRs. This guide explains exactly how to convert the prefix length to a subnet mask, how to find the network and broadcast addresses, and how to calculate usable host counts.

The Problem: Reading CIDR Notation

You are setting up an AWS security group and need to allow traffic from your office network 10.50.0.0/18. Your firewall GUI asks for a subnet mask, not a CIDR prefix. What is the subnet mask for /18? Most engineers look this up every time because the manual calculation involves binary arithmetic.

This guide teaches you the method once so you can calculate any subnet mask from memory, and provides a complete reference table for the most common prefix lengths.

What Is CIDR Notation?

CIDR stands for Classless Inter-Domain Routing. It is a compact way to specify an IP address and the size of its network simultaneously. The notation 192.168.1.0/24 means:

  • 192.168.1.0 - the network address (also called the base address)
  • /24 - 24 bits of the 32-bit IPv4 address are the "network" portion; the remaining 8 bits identify individual hosts

Before CIDR was introduced in 1993, IP addresses were divided into rigid "classes" (Class A used /8, Class B used /16, Class C used /24). This was enormously wasteful. CIDR allows any prefix length from /0 to /32, making it possible to allocate exactly the right number of addresses.

How Subnet Masks Work

A subnet mask is a 32-bit number written in dotted-decimal notation, just like an IP address. All the 1-bits in the mask represent the network portion; all the 0-bits represent the host portion. To derive it from a CIDR prefix length, set the first N bits to 1 and the remaining (32-N) bits to 0:

CIDR /24 in binary:
11111111.11111111.11111111.00000000
         ↑ 24 ones ↑          ↑ 8 zeros ↑

Convert each octet from binary to decimal:
11111111 = 255
11111111 = 255
11111111 = 255
00000000 = 0

Subnet mask: 255.255.255.0

This is the only calculation you need to understand. Everything else - host counts, network address, broadcast address - follows directly from this.

Step-by-Step: Convert Any CIDR Prefix to a Subnet Mask

  1. Start with 32 bits, all set to 0.
  2. Set the first N bits to 1, where N is the prefix length (the number after the slash).
  3. Group the 32 bits into four octets of 8 bits each.
  4. Convert each octet from binary to decimal.

For most prefix lengths, you only need to calculate the one "partial" octet. The octets before it are always 255, and the octets after it are always 0. Let's work through /18 as an example:

Prefix length: 18
First 18 bits are 1, remaining 14 bits are 0:
11111111.11111111.11000000.00000000

Octet 1: 11111111 = 255
Octet 2: 11111111 = 255
Octet 3: 11000000 = 128 + 64 = 192  ← this is the interesting one
Octet 4: 00000000 = 0

Subnet mask for /18: 255.255.192.0

The trick for octet 3: /18 means 18 total bits. Two full octets use 16 bits. So octet 3 has 18-16 = 2 bits set. From left to right: bit 1 = 128, bit 2 = 64. Sum = 192.

The Binary Values You Need to Know

Each bit position in an octet has a fixed decimal value. Knowing these makes mental conversion instant:

Bit position (left to right):  1    2    3    4    5    6    7    8
Decimal value:                128   64   32   16    8    4    2    1

Examples:
2 bits set:  128 + 64 = 192     (used in /18, /26)
3 bits set:  128 + 64 + 32 = 224
4 bits set:  128 + 64 + 32 + 16 = 240
5 bits set:  128 + 64 + 32 + 16 + 8 = 248
6 bits set:  128 + 64 + 32 + 16 + 8 + 4 = 252
7 bits set:  128 + 64 + 32 + 16 + 8 + 4 + 2 = 254
8 bits set:  255 (full octet)

Quick-Reference Table: /8 to /32

CIDR   Subnet Mask        Hosts (usable)     Common Use
/8     255.0.0.0          16,777,214         Large enterprise, ISPs
/12    255.240.0.0        1,048,574          RFC 1918 (172.16.0.0/12)
/16    255.255.0.0        65,534             Large VPCs, campus networks
/18    255.255.192.0      16,382             Medium VPCs
/20    255.255.240.0      4,094              AWS default VPC subnet
/22    255.255.252.0      1,022              Medium office networks
/24    255.255.255.0      254                Small office / home network
/25    255.255.255.128    126                Split /24 in half
/26    255.255.255.192    62                 AWS subnet default (many regions)
/27    255.255.255.224    30                 Small server segment
/28    255.255.255.240    14                 Very small segment
/29    255.255.255.248    6                  Point-to-point links
/30    255.255.255.252    2                  Router-to-router link
/31    255.255.255.254    2 (no broadcast)   RFC 3021 P2P links
/32    255.255.255.255    1 (single host)    Host route, loopback

Calculating Network Address, Broadcast, and Host Range

Given an IP address and subnet mask, you can derive all the key values using bitwise AND:

Example: 192.168.10.45/26

Step 1: Subnet mask for /26
26 bits set: 11111111.11111111.11111111.11000000 = 255.255.255.192

Step 2: Network address = IP AND mask
  192.168.10.45:   11000000.10101000.00001010.00101101
  255.255.255.192: 11111111.11111111.11111111.11000000
  AND result:      11000000.10101000.00001010.00000000 = 192.168.10.0

Step 3: Broadcast address = network OR (inverted mask)
  Inverted mask: 00000000.00000000.00000000.00111111
  OR result:     11000000.10101000.00001010.00111111 = 192.168.10.63

Step 4: Usable host range
  First host: 192.168.10.1  (network + 1)
  Last host:  192.168.10.62 (broadcast - 1)
  Total usable: 62 hosts (2^6 - 2)

The formula for usable hosts is 2^(32 - prefix) - 2. The two subtracted addresses are the network address (all host bits 0) and the broadcast address (all host bits 1). Exception: /31 subnets (RFC 3021) and /32 single-host routes do not subtract 2.
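
The four steps above and the prefix-to-mask conversion, carried out with 32-bit integer operations. This is an added example, not code from the original page; the function names are illustrative, and the standard-library ipaddress module is used only to cross-check the arithmetic.

```python
import ipaddress  # used only to cross-check the hand-rolled arithmetic


def to_int(dotted):
    """Pack 'a.b.c.d' into one 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    if not all(0 <= o <= 255 for o in (a, b, c, d)):
        raise ValueError(f"octet out of range in {dotted!r}")
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(n):
    """Unpack a 32-bit integer into dotted-decimal."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def describe(cidr):
    """Mask, network, broadcast, host range and usable count for 'ip/prefix'."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range in {cidr!r}")
    full = 0xFFFFFFFF
    mask = (full << (32 - prefix)) & full   # first N bits 1, remaining bits 0
    network = to_int(addr) & mask           # step 2: IP AND mask
    broadcast = network | (~mask & full)    # step 3: network OR inverted mask
    total = 1 << (32 - prefix)
    if prefix >= 31:
        # /31 (RFC 3021) and /32: nothing is subtracted, every address is usable
        first, last, usable = network, broadcast, total
    else:
        first, last, usable = network + 1, broadcast - 1, total - 2
    return {
        "mask": to_dotted(mask), "network": to_dotted(network),
        "broadcast": to_dotted(broadcast), "first": to_dotted(first),
        "last": to_dotted(last), "usable": usable,
    }


def agrees_with_stdlib(cidr):
    """True if mask and network match what the ipaddress module computes."""
    ref = ipaddress.ip_network(cidr, strict=False)
    got = describe(cidr)
    return (got["mask"], got["network"]) == (str(ref.netmask), str(ref.network_address))


if __name__ == "__main__":
    for c in ("192.168.10.45/26", "10.50.0.0/18", "10.0.0.6/31", "10.0.0.9/32"):
        print(c, describe(c), agrees_with_stdlib(c))
```

For a /31 the "broadcast" field holds the second of the two usable addresses, since that prefix length has no broadcast address.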

Real-World Examples

AWS VPC Design

AWS VPCs are typically sized with a /16 (65,534 usable IPs). Within the VPC, subnets are carved out per availability zone and per tier (public/private/database). A common pattern:

VPC:                10.0.0.0/16       (65,534 hosts)
  Public subnet AZ-a:   10.0.0.0/24   (254 hosts)
  Public subnet AZ-b:   10.0.1.0/24   (254 hosts)
  Private subnet AZ-a:  10.0.10.0/23  (510 hosts)
  Private subnet AZ-b:  10.0.12.0/23  (510 hosts)
  DB subnet AZ-a:       10.0.20.0/26  (62 hosts)
  DB subnet AZ-b:       10.0.20.64/26 (62 hosts)

Kubernetes Pod CIDR

Kubernetes clusters define a pod CIDR for internal pod-to-pod networking. A typical cluster might use 10.244.0.0/16, with each node allocated a /24 slice (254 pods per node):

Pod CIDR: 10.244.0.0/16
Node 1 pod range: 10.244.0.0/24    (254 pods)
Node 2 pod range: 10.244.1.0/24    (254 pods)
Node 3 pod range: 10.244.2.0/24    (254 pods)

Firewall Allowlist

When writing firewall rules, CIDR notation lets you allow an entire range with a single rule:

# Allow the entire 10.50.0.0/18 range (16,382 hosts)
# This covers 10.50.0.0 through 10.50.63.255
iptables -A INPUT -s 10.50.0.0/18 -j ACCEPT
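
Before a rule like this goes in, it helps to confirm exactly which addresses the source CIDR matches. The following is an added example, not part of the original page: review_source, allowed and the broad_prefix threshold are hypothetical names, and 10.50.10.7/18 is a constructed input showing that a source written with host bits set still matches the whole /18, because iptables masks the address with the prefix.

```python
import ipaddress


def review_source(cidr, broad_prefix=16):
    """Summarise an IPv4 allowlist source before it goes into a rule.

    broad_prefix is a hypothetical review threshold: sources with a
    shorter prefix than this are flagged as broad.
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network                      # address with host bits masked off
    notes = []
    if iface.ip != net.network_address:
        notes.append(f"host bits set: rule matches all of {net}, not just {iface.ip}")
    if net.prefixlen < broad_prefix:
        notes.append(f"/{net.prefixlen} is broader than /{broad_prefix}")
    return {
        "network": str(net),
        "first": str(net[0]),                # lowest address the rule matches
        "last": str(net[-1]),                # highest address the rule matches
        "addresses": net.num_addresses,      # includes network and broadcast
        "notes": notes,
    }


def allowed(ip, sources):
    """True if ip falls inside any of the allowlisted source CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in sources)


if __name__ == "__main__":
    for src in ("10.50.0.0/18", "10.50.10.7/18", "10.0.0.0/8"):
        print(src, review_source(src))
    print(allowed("10.50.63.255", ["10.50.0.0/18"]))  # inside the range
    print(allowed("10.50.64.0", ["10.50.0.0/18"]))    # first address outside it
```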

Common Mistakes

  • Using the network address as a host address: 192.168.1.0 in a /24 is the network identifier, not assignable to a host. The first usable address is 192.168.1.1.
  • Overlapping subnets: When carving subnets from a VPC, ensure ranges do not overlap. 10.0.0.0/24 and 10.0.0.128/25 overlap because the /25 covers the upper half of the /24 (10.0.0.128 through 10.0.0.255).
  • Not leaving room to grow: If you allocate a /28 (14 hosts) and later need 20 hosts, you have to re-subnet. Always allocate with 2x-4x your current needs.
  • Forgetting AWS reserves 5 addresses per subnet: AWS reserves the network address, broadcast address, and 3 more for internal use. A /26 has 62 usable IPs in general, but only 59 in an AWS subnet.
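
The overlap and AWS-reservation mistakes can be caught mechanically before a plan is deployed. The following is an added example, not code from the original page: audit_plan is a hypothetical helper, PAGE_PLAN reuses the VPC layout shown earlier, and the two extra entries in BAD_PLAN are constructed to trigger findings.

```python
import ipaddress
from itertools import combinations

AWS_RESERVED = 5  # per the list above: network, broadcast and 3 more per subnet


def audit_plan(vpc_cidr, subnets):
    """Return (findings, aws_usable) for a dict of name -> CIDR string."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings, nets = [], {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects a CIDR whose base address has host bits set
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            net = ipaddress.ip_network(cidr, strict=False)
            findings.append(f"{name}: {cidr} is misaligned, base should be {net}")
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} is outside VPC {vpc}")
        nets[name] = net
    # Compare every pair once; overlaps() is true for partial or full containment
    for (n1, a), (n2, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            findings.append(f"{n1} {a} overlaps {n2} {b}")
    aws_usable = {n: max(net.num_addresses - AWS_RESERVED, 0) for n, net in nets.items()}
    return findings, aws_usable


# The VPC layout from the AWS VPC Design section.
PAGE_PLAN = {
    "public-a": "10.0.0.0/24", "public-b": "10.0.1.0/24",
    "private-a": "10.0.10.0/23", "private-b": "10.0.12.0/23",
    "db-a": "10.0.20.0/26", "db-b": "10.0.20.64/26",
}
# Constructed: the overlapping /25 from the list above and a misaligned /23.
BAD_PLAN = dict(PAGE_PLAN, extra="10.0.0.128/25", lab="10.0.11.0/23")

if __name__ == "__main__":
    for label, plan in (("page plan", PAGE_PLAN), ("bad plan", BAD_PLAN)):
        findings, usable = audit_plan("10.0.0.0/16", plan)
        print(label, findings or "no findings", usable)
```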

FAQ

What is the difference between a subnet mask and a CIDR prefix?

They express the same information in different formats. A subnet mask (255.255.255.0) is a 32-bit number in dotted-decimal notation. A CIDR prefix (/24) is just the count of 1-bits in that mask. They are mathematically equivalent and can be freely converted.

What does /32 mean?

A /32 subnet contains exactly one IP address. All 32 bits are in the network portion, leaving zero bits for hosts. It is used for host routes (routing traffic to a single specific IP), loopback addresses, and virtual IP assignments in load balancers.

What is the subnet mask for /24?

255.255.255.0. This is the most common subnet for small networks. It provides 256 total addresses (254 usable hosts), which covers a typical home network, small office, or server VLAN.

How do I split a /24 into smaller subnets?

Add one bit to the prefix to split in half: a /24 becomes two /25s. Add another to get four /26s, and so on. Each time you increase the prefix by 1, you halve the number of hosts per subnet but double the number of subnets. This is called Variable Length Subnet Masking (VLSM).

What CIDR should I use for a home network?

Most home routers use 192.168.1.0/24 or 192.168.0.0/24 by default. This gives you 254 usable addresses, which is more than enough for any home or small office. If you are running a lab with many VMs, a /22 or /20 gives you more room without wasting private IP space.

Written by Usman Khan
DevOps Engineer | MSc Cybersecurity | CEH | AWS Solutions Architect

Usman has 10+ years of experience securing enterprise infrastructure, managing high-traffic servers, and building zero-knowledge security tools.