Subnet Mask & CIDR: The Complete Guide for Developers

Networking is often considered a dark art by many application developers. We write code that talks to databases, APIs, and microservices, but when it comes to configuring a VPC (Virtual Private Cloud) or debugging a connectivity issue, terms like "Subnet Mask" and "/24" can feel intimidating.

However, understanding Subnet Masks and CIDR (Classless Inter-Domain Routing) is fundamental for modern software engineering. Whether you are setting up a Kubernetes cluster, configuring AWS Security Groups, or just trying to understand why your local container can't talk to the host, these concepts are ubiquitous.

In this deep dive, we will demystify IP addressing, break down how subnetting works, and give you the practical skills to calculate network ranges in your head (or at least know exactly what to type into a calculator).

The Anatomy of an IP Address

Before we dive into subnets, let's quickly recap what an IPv4 address actually is. An IP address like 192.168.1.1 is just a human-readable representation of a 32-bit binary number.

Each number separated by a dot is called an octet because it represents 8 bits.

  • 192 = 11000000
  • 168 = 10101000
  • 1 = 00000001
  • 1 = 00000001

So, 192.168.1.1 is really 11000000.10101000.00000001.00000001.

Why does this matter? Because subnetting is all about bitwise operations. The network doesn't care about the decimal numbers; it only cares about the bits.

What is a Subnet Mask?

An IP address serves two purposes: it identifies the network you are on, and it identifies your specific host (device) within that network.

But how does a router know which part of 192.168.1.1 is the network address and which part is the host address? That's where the Subnet Mask comes in.

A subnet mask acts like a filter. It is a 32-bit sequence of 1s followed by 0s.

  • The 1s represent the Network portion.
  • The 0s represent the Host portion.

Example: The Classic Class C Mask

The most common subnet mask you've likely seen is 255.255.255.0.
In binary, this looks like:
11111111.11111111.11111111.00000000

If we apply this mask to our IP 192.168.1.1:

  • Network Part: The first 24 bits (matching the 1s) -> 192.168.1
  • Host Part: The last 8 bits (matching the 0s) -> .1

This means any device with an IP starting with 192.168.1 is on the same local network. Devices can talk to each other directly without going through a gateway. If the destination IP starts with 192.168.2, it's a different network, and traffic must be routed.

Enter CIDR Notation (The "/24" Stuff)

Writing out 255.255.255.0 is tedious. In 1993, the IETF introduced Classless Inter-Domain Routing (CIDR) to replace the old "Class A/B/C" system and make routing more efficient.

CIDR notation simplifies the subnet mask by just counting the number of 1s in the mask.

  • 255.255.255.0 has 24 ones. -> /24
  • 255.0.0.0 has 8 ones. -> /8
  • 255.255.0.0 has 16 ones. -> /16

So, 192.168.1.1/24 tells you immediately that the first 24 bits are the network.
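The bit operations described so far, written out by hand as an added example (not code from the original article). The function names are chosen for this illustration, and the code covers IPv4 only:

```python
# Added example: the bitwise view of an IPv4 address, its mask and its prefix.

def ip_to_int(dotted: str) -> int:
    """Pack a dotted-quad string into one 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value

def int_to_ip(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> str:
    """/24 -> 255.255.255.0: `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. Rejects masks whose 1s are not contiguous."""
    bits = format(ip_to_int(mask), "032b")
    if "01" in bits:  # a 1 after a 0 means the mask is not 1s-then-0s
        raise ValueError(f"non-contiguous mask: {mask}")
    return bits.count("1")

def split_address(ip: str, prefix: int) -> tuple:
    """Return (network address, host number) for ip/prefix."""
    mask = ip_to_int(prefix_to_mask(prefix))
    addr = ip_to_int(ip)
    # AND with the mask keeps the network bits; AND with its inverse keeps the host bits.
    return int_to_ip(addr & mask), addr & ~mask & 0xFFFFFFFF

if __name__ == "__main__":
    print(format(ip_to_int("192.168.1.1"), "032b"))
    print(prefix_to_mask(24), mask_to_prefix("255.255.0.0"))
    print(split_address("192.168.1.1", 24))
```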

Common CIDR Blocks Cheat Sheet

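| CIDR | Subnet Mask     | Total IPs | Usable IPs | Use Case                                   |
|------|-----------------|-----------|------------|--------------------------------------------|
| /32  | 255.255.255.255 | 1         | 1          | Single specific host (e.g., firewall rule) |
| /30  | 255.255.255.252 | 4         | 2          | Point-to-point links                       |
| /24  | 255.255.255.0   | 256       | 254        | Standard LAN (Home/Office)                 |
| /16  | 255.255.0.0     | 65,536    | 65,534     | Large corporate networks / AWS VPC         |
| /8   | 255.0.0.0       | 16M+      | 16M+       | Entire Class A block (e.g., 10.0.0.0/8)    |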

Note: "Usable IPs" is Total IPs minus 2 for ordinary subnets. We lose one for the Network Address (all host bits 0) and one for the Broadcast Address (all host bits 1). The /32 row is the exception: it names a single host, so nothing is subtracted.

Calculating Subnets: A Practical Example

Let's say you are designing a network for a new office. You have the block 10.0.0.0/16. You want to split this into smaller networks for different departments.

Scenario: Creating a /24 Subnet

You decide to give the Engineering team a /24 block.

  • Base: 10.0.0.0
  • Subnet: 10.0.1.0/24

This gives them IPs from 10.0.1.1 to 10.0.1.254.

Scenario: The Tricky /28

You need a small subnet for a few servers, maybe just 10 IPs. A /24 is wasteful. Let's try a /28.

  • A /28 mask means 28 bits for network, 4 bits for host (32 - 28 = 4).
  • Total IPs = 2^4 = 16.
  • Usable IPs = 16 - 2 = 14.

This is perfect. If we start at 10.0.2.0/28:

  1. Network Address: 10.0.2.0
  2. First Usable: 10.0.2.1
  3. ...
  4. Last Usable: 10.0.2.14
  5. Broadcast: 10.0.2.15

The next subnet would start immediately after, at 10.0.2.16/28.
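The same sizing and carving steps as an added example using Python's standard ipaddress module (not code from the original article). The helper names smallest_prefix_for, describe and carve are chosen for this illustration:

```python
# Added example: pick a prefix for a host count, describe a subnet, carve a parent block.
import ipaddress

def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable range holds `hosts` addresses."""
    if hosts < 1:
        raise ValueError("need at least one host")
    for prefix in range(30, -1, -1):  # /30 is the smallest subnet with usable hosts
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("too many hosts for IPv4")

def describe(cidr: str) -> dict:
    """Network, broadcast and usable range of an ordinary subnet (/30 or shorter)."""
    # strict=True rejects input with host bits set, such as 10.0.2.5/28
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 have no separate network/broadcast addresses")
    return {
        "network": str(net.network_address),
        "first_usable": str(net.network_address + 1),
        "last_usable": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "total": net.num_addresses,
        "usable": net.num_addresses - 2,
    }

def carve(parent: str, new_prefix: int, count: int) -> list:
    """First `count` consecutive /new_prefix subnets inside `parent`."""
    subnets = ipaddress.ip_network(parent).subnets(new_prefix=new_prefix)
    return [str(s) for _, s in zip(range(count), subnets)]

if __name__ == "__main__":
    print(smallest_prefix_for(10))          # the "about 10 servers" case
    print(describe("10.0.2.0/28"))
    print(carve("10.0.2.0/24", 28, 2))
```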

Why This Matters for Cloud Computing

In AWS, Azure, or GCP, you define your Virtual Private Cloud (VPC) using CIDR blocks. A common mistake is choosing a block that is too small.

If you create a VPC with 10.0.0.0/24 (254 IPs) and try to launch an EKS (Kubernetes) cluster, you will run out of IP addresses almost instantly because each Pod needs its own IP. A standard recommendation is to use a /16 for the VPC (65k IPs) and carve out /20 or /24 subnets for different availability zones.

Troubleshooting Tips

  1. "Destination Host Unreachable": This often means your computer thinks the destination is on the local subnet (because of your subnet mask configuration) and is trying to ARP for it, but the device is actually remote. Check your mask!
  2. Overlapping Subnets: If you have a VPN connected to an office network 192.168.1.0/24 and your home network is also 192.168.1.0/24, routing will fail. This is why using 10.x.x.x or 172.16.x.x ranges is often safer for corporate VPNs than the default 192.168.1.x.
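Both troubleshooting cases can be checked before they cause an outage. The following is an added example, not code from the original article; the route names, the ROUTES table and the next_hop helper are constructed for illustration:

```python
# Added example: detect overlapping CIDR blocks and reproduce the wrong-mask ARP decision.
import ipaddress
from itertools import combinations

def find_overlaps(routes: dict) -> list:
    """Return sorted (name_a, name_b) pairs whose CIDR blocks share any address."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in routes.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )

def next_hop(interface: str, destination: str, gateway: str) -> str:
    """Mimic the host's decision: ARP directly if the destination falls inside
    the interface's configured subnet, otherwise hand the packet to the gateway."""
    iface = ipaddress.ip_interface(interface)  # address plus mask, e.g. "10.0.1.5/16"
    dest = ipaddress.ip_address(destination)
    return "arp-direct" if dest in iface.network else f"via {gateway}"

# Constructed sample data, not taken from any real network.
ROUTES = {
    "home-lan": "192.168.1.0/24",
    "office-vpn": "192.168.1.0/24",
    "corp-vpn": "10.20.0.0/16",
    "lab": "10.20.30.0/28",
}

if __name__ == "__main__":
    print(find_overlaps(ROUTES))
    # Correct mask: the remote server is reached through the gateway.
    print(next_hop("10.0.1.5/24", "10.0.2.9", "10.0.1.1"))
    # Mask mistyped as /16: the host ARPs for a machine that is not on its segment.
    print(next_hop("10.0.1.5/16", "10.0.2.9", "10.0.1.1"))
```

A containment such as the constructed lab block sitting inside corp-vpn is reported as an overlap too, which is the case that is easy to miss by eye.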

Tools to Help You

Calculating binary in your head is a great party trick (for a very specific kind of party), but in production, you should verify your math. One small mistake can take down a network segment.

If you need to quickly calculate IP ranges, check usable hosts, or visualize a CIDR block, using a dedicated calculator is the way to go.

Try the Pockit Subnet Calculator

It allows you to input any IP and CIDR mask to instantly see the Network Address, Broadcast Address, and the full range of usable IPs. It's a lifesaver when planning VPC subnets or debugging firewall rules.

Conclusion

Subnet masks and CIDR notation are the coordinate system of the internet. They define the boundaries of where traffic flows and where it stops. While the binary math can be dry, mastering it gives you a superpower: the ability to design robust, scalable networks and troubleshoot connectivity issues with confidence.

Next time you see a /24 or /28, you won't just see a number—you'll see the exact scope of that network.
