Subnet / CIDR Calculator
Enter an IPv4 or IPv6 CIDR range. We compute the network address, broadcast, host range, total addresses, and subnet mask. Everything happens in your browser. No data leaves the page.
Try an example: 10.0.0.0/24 · 192.168.1.0/26 · 2001:db8::/48
Validation results
How this CIDR and subnet calculator works
CIDR notation (RFC 4632) packs a network address and a prefix length into one string. The number after the slash is how many leading bits identify the network. The rest identify hosts. Paste any IPv4 or IPv6 block above and the calculator works out the boundaries, the host range, the address count, and the reverse DNS zone.
Every input is parsed in your browser using BigInt. Nothing is sent to the server, logged or stored.
What does the output actually contain?
For IPv4 you get the network address, broadcast address, first and last usable host, total address count, the dotted-decimal mask, and the wildcard mask used in Cisco-style access lists. For IPv6 you get the network prefix, the first and last address in the block, and the address count (shown as a power of two, because the raw number is unwieldy).
192.0.2.0/24 → 256 addresses, 254 usable, mask 255.255.255.0
2001:db8::/32 → 2^96 addresses, prefix 2001:db8::/32What can I use the splitter and aggregator for?
The splitter divides one network into equal-size subnets. Handy for VLAN planning, AWS VPC layouts, and Kubernetes node-pool CIDR ranges. The aggregator finds the smallest prefix that contains a list of ranges. That is what you want when an SPF record has drifted into a dozen ip4: entries and the 10-DNS-lookup ceiling is in sight.
Why this matters for email
SPF authorises senders by IP. Every ip4: and ip6: mechanism takes a CIDR, and a record that includes the wrong block silently authorises the wrong network or silently fails legitimate mail. Sizing the range correctly before it goes into DNS is the difference between an SPF record that means what you think and one that doesn't.
Our take: calculate the block here, paste it straight into the SPF builder, and you skip the most common cause of "SPF passed in testing, fails in production" tickets.
Where to go next
To look up the owner, ASN or PTR record for a specific address inside the range, the IP / ASN lookup pulls RDAP and reverse DNS side by side. For the rest of the authentication stack, see the SPF checker and the DMARC checker.
Frequently Asked Questions
Common questions about CIDR notation, subnetting and SPF.
What does CIDR notation actually say?
It's address/prefix-length. The prefix length counts the leading bits that identify the network. The rest identify hosts.
192.168.1.0/24 means the first 24 bits are network, the last 8 are host. That's 256 addresses, 254 of them usable. Everything the calculator shows is derived from that one number.
How does a CIDR end up in an SPF record?
Prefix the block with ip4: or ip6: and drop it into the record:
v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -allOne large block is cheaper than five small ones. SPF caps total DNS lookups at 10 (RFC 7208 §4.6.4), and ip4: mechanisms are the one common type that costs zero lookups. Aggregate where you can. Use the SPF builder to confirm the record still parses.
/30 or /31 for a point-to-point link?
A /30 has 4 addresses: network, two usable hosts, broadcast. A /31 (RFC 3021) has 2 addresses, both usable, no broadcast. Modern routers handle both. /31 halves the address waste on transit links, which adds up at scale.
The IPv6 equivalent is /127 (RFC 6164). IPv6 has no broadcast, so every address in the prefix is a host address.
How do I work out the reverse DNS zone for a subnet?
The calculator shows it next to every result. Quick rules:
10.20.30.0/24 → 30.20.10.in-addr.arpa
2001:db8::/32 → 8.b.d.0.1.0.0.2.ip6.arpaByte-aligned IPv4 prefixes (/8, /16, /24, /32) map straight onto a single in-addr.arpa zone. Anything in between needs RFC 2317 classless delegation, and your upstream has to play along. IPv6 is simpler: every nibble (4 bits) is one label under ip6.arpa.
When should I aggregate, and when shouldn't I?
Aggregate when the ranges are actually adjacent. 10.0.0.0/24 and 10.0.1.0/24 aggregate cleanly to 10.0.0.0/23 with zero waste. Useful for shortening an SPF record or collapsing route-table entries.
Don't aggregate when the supernet sweeps in addresses you don't actually control. The tool reports the waste percentage for exactly that reason. If it shows above 50%, you're authorising someone else's network. For SPF that's a spoofing hole. Keep the ranges separate.
Where did the IPv6 broadcast address go?
It doesn't exist. IPv6 replaced broadcast with multicast. The "all hosts on this link" job is done by the link-local multicast group ff02::1, and the "all routers" job by ff02::2. So an IPv6 prefix has a network address and a usable range, but no broadcast row in the result card. Every address in the prefix is a host address.
Does my CIDR input leave the browser?
No. The calculator runs locally with JavaScript and BigInt. Nothing about the input is sent to our server, logged or stored. Open the Network tab while you click Calculate if you want to verify.