Loading learning content...
When a network engineer says "We need a /24 for the new office" or "Add that /28 to the firewall rules," they're speaking in prefix notation—the universal language of CIDR addressing. This concise notation packs tremendous information into a simple format: a base IP address followed by a slash and a number.
Understanding prefix notation isn't optional for anyone working in networking. It appears everywhere: cloud configurations, firewall rules, routing tables, network diagrams, and countless CLI commands. This page will make you completely fluent.
By the end of this page, you will be able to read any CIDR notation instantly, calculate network boundaries in your head, convert between prefix notation and subnet masks, and determine the first and last address of any CIDR block. These are foundational skills for network engineering.
CIDR prefix notation consists of two components separated by a forward slash:
<base-address>/<prefix-length>
For example: 192.168.1.0/24
Let's dissect what each part means:
┌─────────────────────────────────────────────────────────────────┐│ 192.168.1.0 / 24 ││ ─────────── ── ││ │ │ ││ │ └── PREFIX LENGTH ││ │ • Number of network bits ││ │ • Range: 0 to 32 ││ │ • Determines block size ││ │ ││ └────────── BASE ADDRESS ││ • Network identifier ││ • First address in block ││ • Must be properly aligned │└─────────────────────────────────────────────────────────────────┘ Components Explained: BASE ADDRESS (192.168.1.0)├── The starting IP address of the network block├── Often called the "network address" or "network ID"├── All host bits should be zero (for a valid network address)└── Can also specify a host within the network (192.168.1.50/24) PREFIX LENGTH (/24)├── Count of network bits (bits that identify the network)├── Remaining bits (32 - prefix) are for hosts├── /24 means: 24 network bits, 8 host bits└── Determines the size: 2^(32-24) = 2^8 = 256 addressesTwo Uses of Prefix Notation
Prefix notation serves two distinct purposes, which is a common source of confusion:
1. Network Address (Block Identifier)
When the base address has all zeros in the host portion, it represents the entire network block:
192.168.1.0/24 = The network containing 192.168.1.0 through 192.168.1.25510.0.0.0/8 = The entire 10.x.x.x address space2. Host Address with Context
When the base address has non-zero host bits, it identifies a specific host AND the network it belongs to:
192.168.1.100/24 = The host 192.168.1.100 within the 192.168.1.0/24 networkContext determines which interpretation applies. In routing tables, network blocks are specified. In interface configurations, host addresses with network context are used.
When you see /24, think '24 bits for the network, 8 bits for hosts = 256 addresses.' When you see /16, think '16 bits for network, 16 bits for hosts = 65,536 addresses.' The mental math becomes instant with practice: 32 minus prefix = host bits, 2^host_bits = address count.
Before CIDR notation became standard, networks were described using subnet masks—32-bit values with 1s in the network portion and 0s in the host portion. While CIDR notation is preferred today, subnet masks still appear in many contexts, and conversion between them is essential.
The Binary Foundation
A prefix of /n means:
n bits of the subnet mask are 1(32 - n) bits are 0For /24:
11111111.11111111.11111111.00000000255.255.255.0| Prefix | Binary Mask | Decimal Mask | Addresses | Common Use |
|---|---|---|---|---|
| /8 | 11111111.00000000.00000000.00000000 | 255.0.0.0 | 16,777,216 | Class A default |
| /9 | 11111111.10000000.00000000.00000000 | 255.128.0.0 | 8,388,608 | Large ISP blocks |
| /10 | 11111111.11000000.00000000.00000000 | 255.192.0.0 | 4,194,304 | Carrier networks |
| /12 | 11111111.11110000.00000000.00000000 | 255.240.0.0 | 1,048,576 | Large enterprises |
| /16 | 11111111.11111111.00000000.00000000 | 255.255.0.0 | 65,536 | Class B default |
| /17 | 11111111.11111111.10000000.00000000 | 255.255.128.0 | 32,768 | Campus networks |
| /18 | 11111111.11111111.11000000.00000000 | 255.255.192.0 | 16,384 | Regional offices |
| /19 | 11111111.11111111.11100000.00000000 | 255.255.224.0 | 8,192 | Branch networks |
| /20 | 11111111.11111111.11110000.00000000 | 255.255.240.0 | 4,096 | Department blocks |
| /21 | 11111111.11111111.11111000.00000000 | 255.255.248.0 | 2,048 | Building networks |
| /22 | 11111111.11111111.11111100.00000000 | 255.255.252.0 | 1,024 | Floor networks |
| /23 | 11111111.11111111.11111110.00000000 | 255.255.254.0 | 512 | Large VLANs |
| /24 | 11111111.11111111.11111111.00000000 | 255.255.255.0 | 256 | Standard subnet |
| /25 | 11111111.11111111.11111111.10000000 | 255.255.255.128 | 128 | Half subnet |
| /26 | 11111111.11111111.11111111.11000000 | 255.255.255.192 | 64 | Lab networks |
| /27 | 11111111.11111111.11111111.11100000 | 255.255.255.224 | 32 | Small offices |
| /28 | 11111111.11111111.11111111.11110000 | 255.255.255.240 | 16 | DMZ networks |
| /29 | 11111111.11111111.11111111.11111000 | 255.255.255.248 | 8 | Small segments |
| /30 | 11111111.11111111.11111111.11111100 | 255.255.255.252 | 4 | Point-to-point |
| /31 | 11111111.11111111.11111111.11111110 | 255.255.255.254 | 2 | RFC 3021 links |
| /32 | 11111111.11111111.11111111.11111111 | 255.255.255.255 | 1 | Single host |
Quick Conversion Methods
Prefix to Mask (for common boundaries):
For prefixes that fall on octet boundaries (/8, /16, /24, /32):
/8 → 255.0.0.0 (first octet all 1s)/16 → 255.255.0.0 (first two octets all 1s)/24 → 255.255.255.0 (first three octets all 1s)/32 → 255.255.255.255 (all octets all 1s)For prefixes within an octet, use the magic numbers: 128, 192, 224, 240, 248, 252, 254, 255
These are the cumulative sums: 128, 128+64=192, 192+32=224, etc.
123456789101112131415161718192021222324252627282930
# The "Magic Numbers" within an octet# Each additional bit adds to the mask value:# Bit: 1 → 128# Bit: 2 → 64 (total: 192)# Bit: 3 → 32 (total: 224)# Bit: 4 → 16 (total: 240)# Bit: 5 → 8 (total: 248)# Bit: 6 → 4 (total: 252)# Bit: 7 → 2 (total: 254)# Bit: 8 → 1 (total: 255) Third Octet Examples (prefix 17-24):/17 = 255.255.128.0 (1 bit in third octet → 128)/18 = 255.255.192.0 (2 bits in third octet → 192)/19 = 255.255.224.0 (3 bits in third octet → 224)/20 = 255.255.240.0 (4 bits in third octet → 240)/21 = 255.255.248.0 (5 bits in third octet → 248)/22 = 255.255.252.0 (6 bits in third octet → 252)/23 = 255.255.254.0 (7 bits in third octet → 254)/24 = 255.255.255.0 (8 bits in third octet → 255) Fourth Octet Examples (prefix 25-32):/25 = 255.255.255.128 (1 bit in fourth octet → 128)/26 = 255.255.255.192 (2 bits in fourth octet → 192)/27 = 255.255.255.224 (3 bits in fourth octet → 224)/28 = 255.255.255.240 (4 bits in fourth octet → 240)/29 = 255.255.255.248 (5 bits in fourth octet → 248)/30 = 255.255.255.252 (6 bits in fourth octet → 252)/31 = 255.255.255.254 (7 bits in fourth octet → 254)/32 = 255.255.255.255 (8 bits in fourth octet → 255)In practice, you'll use a handful of prefixes repeatedly: /8, /16, /20, /22, /24, /26, /27, /28, /30, /32. Memorize these and their corresponding masks. The others can be derived when needed.
Given a CIDR block, you need to determine:
Let's develop systematic methods for these calculations.
1234567891011121314151617181920212223242526272829303132333435363738
┌─────────────────────────────────────────────────────────────────┐│ CALCULATING NETWORK BOUNDARIES: 192.168.10.0/22 │└─────────────────────────────────────────────────────────────────┘ Step 1: Identify the components├── Base Address: 192.168.10.0├── Prefix Length: /22├── Host Bits: 32 - 22 = 10 bits└── Block Size: 2^10 = 1,024 addresses Step 2: Convert to binary (focus on relevant octets)192.168.10.0 in binary: 11000000.10101000.00001010.00000000 └───────────────────────────────────┘ Third octet: 00001010 = 10 Step 3: Find the network addressApply /22 mask (22 ones followed by 10 zeros): 11111111.11111111.11111100.00000000 AND operation: 00001010 (third octet of IP)AND 11111100 (third octet of mask) = 00001000 = 8 Network Address: 192.168.8.0/22 (NOT 192.168.10.0!) Step 4: Calculate all boundaries├── Network Address: 192.168.8.0├── First Usable Host: 192.168.8.1├── Last Usable Host: 192.168.11.254├── Broadcast Address: 192.168.11.255├── Total Addresses: 1,024└── Usable Hosts: 1,022 (total - 2) Verification:192.168.8.0 = 192.168. 8.0 → Third octet range: 8, 9, 10, 11192.168.11.255 = 192.168.11.255 → That's 4 values × 256 = 1,024 ✓The Block Size Method (Faster for Mental Math)
For prefixes in the third octet (/17-/24), there's a faster approach:
Calculate the block size: 256 / 2^(prefix - 16)
Find which block the address falls in:
Find the broadcast address:
| Prefix Range | Block Size Formula | Example | 3rd Octet Increment |
|---|---|---|---|
| /17 - /24 | 256 / 2^(prefix-16) | /20 → 256/16 = 16 | Varies by prefix |
| /22 | 256 / 64 = 4 | 0, 4, 8, 12, ... | 4 |
| /23 | 256 / 128 = 2 | 0, 2, 4, 6, ... | 2 |
| /24 | 256 / 256 = 1 | 0, 1, 2, 3, ... | 1 |
| /25 - /32 | 256 / 2^(prefix-24) | /27 → 256/8 = 32 | 4th octet varies |
Network engineers should be able to calculate /22, /23, /24, /25, /26, /27, /28, and /30 boundaries in their head within seconds. This comes from practice—work through dozens of examples until the patterns become automatic.
Let's work through several complete examples covering different scenarios. These examples build competence with the full range of prefix calculations.
Problem: Given the IP address 172.16.45.130/27, find all network parameters.
1234567891011121314151617181920212223242526272829
Given: 172.16.45.130/27 Step 1: Calculate fundamentals├── Prefix: /27├── Host bits: 32 - 27 = 5├── Block size: 2^5 = 32 addresses└── Subnet mask: 255.255.255.224 Step 2: Find network boundaries (block size method)├── Focus on fourth octet: 130├── Block size: 32├── Block boundaries: 0, 32, 64, 96, 128, 160, 192, 224├── 130 falls between 128 and 160└── Network starts at: 172.16.45.128 Step 3: Calculate all addresses├── Network Address: 172.16.45.128├── First Usable Host: 172.16.45.129├── Last Usable Host: 172.16.45.158├── Broadcast Address: 172.16.45.159 (128 + 32 - 1)├── Total Addresses: 32└── Usable Hosts: 30 Verification via binary:130 in binary: 10000010Mask (/27): 11100000AND result: 10000000 = 128 ✓ Address range: 172.16.45.128 - 172.16.45.159Notice how we always focus on the octet where the prefix boundary falls. For /17-/24, we work in the third octet. For /25-/32, we work in the fourth. For /9-/16, the second. Understanding which octet is 'active' is the key to fast mental calculations.
Certain prefix lengths have special significance or unusual properties. Understanding these cases helps avoid common mistakes.
1234567891011121314151617181920212223242526272829
# Router Configuration Examples # /31 for Point-to-Point (saves addresses)interface GigabitEthernet0/0 ip address 192.0.2.0 255.255.255.254 description Link to Router-B # Corresponding interface on Router-Binterface GigabitEthernet0/0 ip address 192.0.2.1 255.255.255.254 description Link to Router-A # /32 Host Route (specific traffic handling)ip route 192.168.1.100 255.255.255.255 10.0.0.1# All traffic to this specific host goes via 10.0.0.1 # /0 Default Routeip route 0.0.0.0 0.0.0.0 203.0.113.1# All traffic not matching other routes goes here # Firewall Rule Examples# Allow single hostallow from 192.168.1.100/32 to any port 443 # Allow entire VPN networkallow from 10.10.0.0/16 to any # Default deny (matches all)deny from 0.0.0.0/0 to anyFor most prefixes, usable hosts = 2^(32-n) - 2 (subtract network and broadcast). Exceptions: /31 gives 2 usable (point-to-point), /32 gives 1 (single host). Don't mechanically subtract 2 without considering the context.
Even experienced engineers occasionally make prefix notation errors. Knowing the common pitfalls helps you avoid them and catch mistakes in others' work.
123456789101112131415161718192021222324252627
# Examples of INVALID CIDR notation and why: 192.168.1.0/22├── Block size: 2^10 = 1,024 (4 × 256, spans 4 values in 3rd octet)├── Valid /22 boundaries: 0, 4, 8, 12, 16, 20, ...├── Third octet 1 is NOT on a /22 boundary└── INVALID: Should be 192.168.0.0/22 10.0.0.100/30├── Block size: 4├── Valid /30 boundaries: 0, 4, 8, 12, ..., 96, 100, 104├── Fourth octet 100 IS on a /30 boundary└── VALID... but this is host notation, not network notation If meant as network: 10.0.0.100/30 is valid If meant as host: Should clarify 10.0.0.100 on 10.0.0.100/30 network 172.16.50.0/19├── Block size: 8,192 (32 × 256, spans 32 values in 3rd octet)├── Valid /19 boundaries: 0, 32, 64, 96, 128, 160, 192, 224├── Third octet 50 is NOT on a /19 boundary (between 32 and 64)└── INVALID: Should be 172.16.32.0/19 # Quick validation formula:# For prefix /n where 17 ≤ n ≤ 24:# Third octet must be divisible by 2^(24-n)# For prefix /n where 25 ≤ n ≤ 32:# Fourth octet must be divisible by 2^(32-n)To verify a CIDR block is valid: Convert the relevant octet to binary, check that the rightmost (32-prefix) bits are all zeros. If any are 1, the block is misaligned. Example: 192.168.1.0/22 → third octet is 1 = 00000001 binary. For /22, we need last 2 bits of this octet to be 0. They're 01, not 00, so invalid.
Prefix notation is the universal language of modern IP networking. Fluency in reading, writing, and calculating CIDR blocks is essential for network engineering work of any kind.
What's Next:
Now that you can read and calculate prefix notation, we'll explore one of CIDR's most powerful features: address aggregation. You'll learn how multiple networks can be combined into single routing entries, reducing routing table size and enabling the hierarchical structure that makes Internet routing possible.
You now have the foundational skills to work with CIDR prefix notation. Practice calculating network boundaries until it becomes automatic—this skill is used daily in network engineering. The next page builds on this foundation with address aggregation techniques.