CIDR CRASH COURSE
CIDR notation, subnet calculation, and range identification. Not a dedicated S+ topic, but you need it for firewall rules, scan scopes, network segmentation, and half the labs on this site.
THE CORE CONCEPT
An IPv4 address is 32 bits. The /number after an IP tells you how many bits from the left are the network portion. The remaining bits are available for host addresses.
That's it. That's the whole concept. Everything else is just math from this starting point.
THE FORMULA
Examples:
- /24 → 32 - 24 = 8 → 2^8 = 256 addresses (254 usable)
- /27 → 32 - 27 = 5 → 2^5 = 32 addresses (30 usable)
- /20 → 32 - 20 = 12 → 2^12 = 4,096 addresses (4,094 usable)
CHEAT SHEET — MEMORIZE THIS COLUMN
The /24 through /30 range covers 90% of what you'll see. The block size column is the one to commit to memory.
| CIDR | SUBNET MASK | BLOCK SIZE | USABLE HOSTS | COMMON USE |
|---|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 | Class A (10.x.x.x) |
| /16 | 255.255.0.0 | 65,536 | 65,534 | Class B (172.16.x.x) |
| /24 | 255.255.255.0 | 256 | 254 | Standard LAN subnet |
| /25 | 255.255.255.128 | 128 | 126 | Split a /24 in half |
| /26 | 255.255.255.192 | 64 | 62 | Small office, DMZ |
| /27 | 255.255.255.224 | 32 | 30 | Small VLAN, server segment |
| /28 | 255.255.255.240 | 16 | 14 | Management VLAN, IoT segment |
| /29 | 255.255.255.248 | 8 | 6 | Point-to-point links, tiny subnets |
| /30 | 255.255.255.252 | 4 | 2 | Router-to-router link |
| /32 | 255.255.255.255 | 1 | 1 | Single host (host route) |
Pattern: each step up doubles the block size. /28 = 16, /27 = 32, /26 = 64, /25 = 128, /24 = 256.
SUBNET MASK — WHERE IT COMES FROM
The subnet mask is just 256 minus the block size in the relevant octet.
The full mask is 255.255.255.X for any prefix from /24 to /32 (blocks of 256 addresses or fewer). For larger blocks, the subtraction happens in an earlier octet (/16 = 255.255.0.0, /20 = 255.255.240.0).
FINDING THE RANGE — THE PART PEOPLE STRUGGLE WITH
The network address is always a multiple of the block size. The broadcast address is one less than the next block.
EXAMPLE: 10.0.1.0/26 (block size 64)
QUICK METHOD
Given 10.0.1.100/26 — which block is .100 in?
- Block size = 64
- 100 ÷ 64 = 1.56 → floor to 1
- Network address = 1 × 64 = .64
- Broadcast = .64 + 64 - 1 = .127
- Usable hosts: .65 through .126
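The quick method above as an added Python example (not part of the original page). It works on the whole 32-bit address rather than one octet, so it also handles prefixes shorter than /24 such as /20 or /12; the function names `describe` and `contains` are chosen for this example.

```python
def ip_to_int(ip):
    """Dotted quad -> 32-bit integer; rejects malformed input."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    ):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def int_to_ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def describe(cidr):
    """Mask, network, broadcast and usable range for 'a.b.c.d/nn'."""
    ip, _, prefix = cidr.partition("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    block = 1 << (32 - prefix)                 # 2^(32 - prefix) addresses
    network = ip_to_int(ip) // block * block   # floor to a multiple of the block size
    broadcast = network + block - 1            # one less than the next block
    # /31 and /32 have no network/broadcast address to set aside
    first, last = (network + 1, broadcast - 1) if prefix <= 30 else (network, broadcast)
    return {
        "mask": int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF),
        "block_size": block,
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
    }


def contains(cidr, ip):
    """True if ip falls inside cidr, e.g. when reading a firewall rule or scan scope."""
    d = describe(cidr)
    return ip_to_int(d["network"]) <= ip_to_int(ip) <= ip_to_int(d["broadcast"])


if __name__ == "__main__":
    # Inputs taken from the examples on this page
    for cidr in ("10.0.1.100/26", "192.168.1.200/27", "172.16.0.0/12"):
        print(cidr, describe(cidr))
    print(contains("172.16.0.0/12", "172.25.10.5"))   # firewall-rule check
    print(contains("10.0.1.0/25", "10.0.1.130"))      # same-subnet check
```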
RFC 1918 — PRIVATE ADDRESS RANGES
These never route on the public internet. Know them cold — they show up everywhere on the exam.
Also know: 127.0.0.0/8 (loopback), 169.254.0.0/16 (APIPA — "I couldn't reach DHCP"), 100.64.0.0/10 (CGNAT — carrier-grade NAT, increasingly tested).
WHERE THIS SHOWS UP IN SECURITY
EXAM DAY BRAIN DUMP
Write this down in the first 30 seconds before touching a question. It's just the block sizes doubling.
PRACTICE — WORK THESE IN YOUR HEAD
1. How many usable hosts in a /28?
Answer
2^4 = 16 total, minus 2 = 14 usable hosts
2. What is the subnet mask for /27?
Answer
Block size = 32. 256 - 32 = 224, so the mask is 255.255.255.224
3. 192.168.1.200/27 — what's the network address and broadcast?
Answer
Block size = 32. 200 ÷ 32 = 6.25, floor to 6. Network = 6 × 32 = .192. Broadcast = .192 + 32 - 1 = .223. Usable: .193 – .222
4. You need a subnet for 50 devices. What's the smallest CIDR block?
Answer
/26 = 64 addresses (62 usable). /27 = 32 (only 30 usable — not enough). Answer: /26
5. Are 10.0.1.68 and 10.0.1.130 on the same /25 subnet?
Answer
/25 block size = 128. .68 is in block 0–127. .130 is in block 128–255. Different subnets. They can't communicate without a router.
6. A firewall rule says "deny 172.16.0.0/12". Does it block 172.25.10.5?
Answer
172.16.0.0/12 covers 172.16.0.0 – 172.31.255.255. 172.25.10.5 is in that range. Yes, it's blocked.
Want to test your understanding? The CIDR Range Calculator lab goes deeper — decode blocks, check containment, aggregate ranges, and find redundancies in real-world whitelists.