CIDR to Subnet Mask Guide

Use subnet math to decide whether traffic belongs to a single host, a small office subnet, or a large provider-owned block.

CIDR output is deterministic and useful for access planning, but it does not say whether a provider range should be trusted or blocked.

Calculate CIDR Back to Network/Security hub
Use this when
A single IP lookup has turned into a question about the size, boundaries, or blast radius of a subnet.
What to inspect first
Check the network address, usable host count, and first/last host before you widen a security rule.
Guardrail
Subnet math explains scope. It should slow you down before you block an entire provider range without context.
Example workflows
Office subnet example
A /24 is a common way to reason about a small office or branch network. 
192.168.1.0/24
Tightly scoped rule example
A /30 is a small range for point-to-point links or narrowly scoped allowlists. 
203.0.113.8/30
IPv6 example
Use a /64 example to confirm the calculator supports both IPv4 and IPv6 planning. 
2001:db8::/64
Quick checklist

Use this checklist when subnet size starts to matter.

  • Do you need the network address or the first usable host?
  • Do total hosts and usable hosts differ in a way that changes the rule you want to write?
  • Does the prefix represent a precise subnet or a provider-sized range that should be handled more carefully?
Trust and limitations

CIDR helps you reason about scope, but it does not justify blocking an entire provider range by itself.

  • Use CIDR context to avoid overbroad security actions.
  • Pause when not to block an entire provider range is the real question instead of raw subnet math.
Next steps
Investigation workflow
Return to the workflow when subnet scope is only one part of the investigation.
IP and ASN guide
Start from the single address first when subnet math still feels too broad.
Domain WHOIS and SSL guide
Pivot back to domain ownership when the investigation began from a hostname.