What Is CIDR Notation?
CIDR (Classless Inter-Domain Routing) notation is a compact way to represent an IP address and its associated network mask. It is written as an IP address followed by a slash and a number (the prefix length) - For example, 192.168.1.0/24. CIDR replaced the older class-based system (Class A, B, C) in 1993 and is the standard for all modern IP address allocation and routing. Use our CIDR calculator to expand any notation into its full host range.
Reading CIDR Notation
| CIDR | Network Address | Subnet Mask | Prefix Bits | Usable Hosts |
|---|---|---|---|---|
| 10.0.0.0/8 | 10.0.0.0 | 255.0.0.0 | 8 bits fixed | 16,777,214 |
| 172.16.0.0/12 | 172.16.0.0 | 255.240.0.0 | 12 bits fixed | 1,048,574 |
| 192.168.1.0/24 | 192.168.1.0 | 255.255.255.0 | 24 bits fixed | 254 |
| 192.168.1.64/26 | 192.168.1.64 | 255.255.255.192 | 26 bits fixed | 62 |
| 203.0.113.5/32 | 203.0.113.5 | 255.255.255.255 | 32 bits fixed | 1 (host route) |
| 0.0.0.0/0 | 0.0.0.0 | 0.0.0.0 | 0 bits fixed | All IPs (default route) |
How the Prefix Length Works
The number after the slash tells you how many bits of the 32-bit IPv4 address are fixed (the network portion). The remaining bits are free to vary (the host portion). A /24 fixes the first 24 bits, leaving 8 bits for hosts - That's 2⁸ = 256 total addresses, minus 2 reserved = 254 usable hosts. A /25 fixes 25 bits, leaving 7 bits = 128 total, 126 usable.
Where You'll Encounter CIDR Notation
- Firewall rules and access control lists - E.g. "allow 10.0.0.0/8" means allow any IP in the entire 10.x.x.x range.
- Cloud provider security groups (AWS, GCP, Azure) use CIDR to specify which IPs can connect to resources.
- VPN split-tunneling configuration - Specify which CIDRs to route through the tunnel vs. send directly.
- BGP routing tables - Internet routers exchange CIDR prefixes to describe which networks they can reach. See a live example via our ASN lookup.
- WHOIS and RIR records - IP address allocations are listed in CIDR format.
Converting Between CIDR and Subnet Masks
A prefix length and a dotted subnet mask are the same information in two notations. To convert by hand:
| Step | Action | Example (/26) |
|---|---|---|
| 1 | Write the prefix as that many binary 1s, padded with 0s to 32 bits | 11111111 11111111 11111111 11000000 |
| 2 | Split into four octets and convert each to decimal | 255 . 255 . 255 . 192 |
| 3 | Going the other way, count the 1-bits in the mask to recover the prefix | 255.255.255.192 → 26 ones → /26 |
| 4 | Verify with the CIDR calculator, which shows mask, range, and host count together | 62 usable hosts |
Only nine octet values can ever appear in a valid mask - 0, 128, 192, 224, 240, 248, 252, 254, 255 - Because mask bits must be contiguous. If you see anything else, it's a typo. Background on masks is in the subnet mask FAQ.
Supernetting: CIDR in the Other Direction
CIDR's original purpose (RFC 4632) was not splitting networks but joining them. Aggregating 192.168.0.0/24 through 192.168.3.0/24 into a single 192.168.0.0/22 announcement lets one routing-table entry stand for four networks. This aggregation is what keeps the global BGP table - Already nearly a million IPv4 routes - From being many times larger. The same logic powers firewall rules: blocking 203.0.113.0/24 is one rule instead of 256.
The longest-prefix-match rule
When several CIDR routes overlap, routers always follow the most specific one - The longest prefix. If a routing table holds both 10.0.0.0/8 and 10.1.2.0/24, a packet for 10.1.2.7 follows the /24. This single rule is how default routes, overrides, and even some traffic hijacks work, and it applies identically in cloud route tables and home routers.
CIDR in IPv6
IPv6 uses identical notation with longer prefixes: 2001:db8::/32 fixes the first 32 of 128 bits. You will commonly meet /128 (a single host), /64 (one standard subnet), /56 and /48 (site delegations from an ISP), and ::/0 (the default route). Because the numbers are so large, nobody talks about "usable hosts" in IPv6 - A single /64 contains 18.4 quintillion addresses.
What This Means for You
CIDR notation is the vocabulary of every access rule you will ever write. Whitelisting your office in a cloud security group, allowing a friend's server through your firewall, or reading why a whole ASN's range got blocked all come down to reading a /-number correctly. Two values are worth memorising: /32 means exactly one address (use it when whitelisting yourself - Check your address on the homepage first) and /0 means everything (in a firewall rule, 0.0.0.0/0 opens a port to the entire internet - The most common cloud misconfiguration there is).
Frequently Asked Questions
What does the /24 in an IP address mean?
It means the first 24 of the address's 32 bits identify the network and the last 8 identify hosts within it. A /24 therefore spans 256 consecutive addresses - For example 192.168.1.0 through 192.168.1.255 - Of which 254 are usable by devices.
Is a bigger or smaller CIDR number a bigger network?
Smaller number = bigger network. Each step down doubles the size: a /23 holds twice the addresses of a /24, and a /8 holds 16.7 million. The number counts fixed network bits, so fewer fixed bits leave more room for hosts.
What is the difference between CIDR and a subnet mask?
They express the same thing. CIDR notation (/24) counts the network bits; a subnet mask (255.255.255.0) shows them as a dotted decimal pattern. Modern tools prefer CIDR because it is shorter and unambiguous, but older router and OS dialogs still ask for the dotted form.