What does a subnet calculator tell you?

A subnet calculator takes an IP address and a subnet mask or CIDR prefix and returns the complete network breakdown including network address, first and last usable host, broadcast address, total hosts, wildcard mask, and binary mask. It may also display the IP class and whether the address is private or public.

What is the difference between a subnet mask and a CIDR prefix?

A subnet mask and a CIDR prefix represent the same information in different formats. A subnet mask such as 255.255.255.0 uses dotted decimal notation, while a CIDR prefix such as /24 indicates how many leading bits are set to 1. Both formats are interchangeable.

What is the difference between FLSM and VLSM?

Fixed-Length Subnet Masking (FLSM) divides a network into subnets that are all the same size and use the same subnet mask. Variable-Length Subnet Masking (VLSM) creates subnets of different sizes based on host requirements, which makes more efficient use of IP address space.

When should I use FLSM instead of VLSM?

FLSM is useful when all network segments require the same number of hosts, such as in structured lab environments or simple legacy networks. In most modern networks VLSM is preferred because it uses address space more efficiently.

How does VLSM allocate subnets?

VLSM sorts host requirements from largest to smallest and assigns the smallest possible subnet that can support each requirement. For example, if a network needs 100, 50, and 20 hosts, it may allocate a /25, then a /26, then a /27 to minimize wasted addresses.

Does this calculator find free or unused IP addresses?

Yes. After performing FLSM or VLSM calculations, the calculator can generate a Free or Unused IP Network table that shows which address ranges remain unallocated and available for future subnetting.

What is Supernetting (Route Summarization)?

Supernetting, also called route summarization, combines multiple contiguous smaller networks into one larger summary route. This reduces routing table size, improves router efficiency, and simplifies network management.

What are the rules for supernetting to work correctly?

For supernetting to work correctly, the networks must be contiguous with no gaps, the number of networks must be a power of two such as 2, 4, 8, or 16, and the first network must start on the correct boundary for the summarized prefix.

Do I need to create an account or install software?

No. The calculator runs entirely in your browser and does not require account creation, downloads, or installation. All calculations are performed locally.

Can I calculate IPv6 subnets here?

This page focuses on IPv4 subnetting. A separate IPv6 subnet calculator can be used to analyze IPv6 prefixes and address details.

What other tools are available on this site?

The site offers multiple networking tools including subnet calculators, VLSM and FLSM calculators, supernetting tools, subnet overlap checkers, IPv6 calculators, EUI-64 generators, IP range to CIDR converters, wildcard mask converters, MAC address tools, and other utilities.

Are the results accurate enough to use in a real network design?

Yes. The calculations are based on the same binary and bitwise logic used by routers and networking systems, making them suitable for production network planning, certification study, firewall configuration, and cloud network design.

Using Subnets to Prevent Ransomware Lateral Movement

A "flat network" is a hacker's dream environment. When an entire enterprise—workstations, servers, printers, and IoT devices—operates on a single /16 subnet, compromising just one receptionist's computer grants the attacker unrestricted, unmonitored access to the entire business infrastructure.

In modern cybersecurity, network segmentation via Variable Length Subnet Masking (VLSM) and VLANs is the foundational bedrock of a Zero-Trust architecture. Here is how proper subnetting stops ransomware dead in its tracks.

The Concept of Lateral Movement

When ransomware (like LockBit or Conti) infects a machine, its immediate goal is to spread. It achieves this by scanning the local broadcast domain for open SMB ports (445), RDP vulnerabilities (3389), or unpatched systems.

If the infected computer is on a massive flat network, the ransomware can scan and encrypt hundreds of machines in minutes without ever passing through a firewall or an Intrusion Prevention System (IPS).

How Segmentation Contains the Blast Radius

By breaking your network into strictly sized, highly isolated subnets using VLSM, you create physical and logical boundaries. Traffic within a subnet is freely switched, but traffic between subnets must pass through a Layer 3 router or a Next-Generation Firewall.

Real-World Security Design:

Workstation Subnets: Segmented by floor or department (e.g., HR gets a /26, Sales gets a /25). If an HR laptop gets infected, the ransomware can only scan the other 60 computers in HR. It cannot natively see the Sales laptops.
Server Subnets: Servers should never be on the same subnet as workstations. Place Domain Controllers, File Servers, and Database Servers in heavily restricted /27 or /28 blocks.
IoT Subnets: Smart TVs, security cameras, and smart thermostats are notoriously insecure. Isolate them completely on a /24 guest or IoT network that is denied access to the corporate subnets via strict Access Control Lists (ACLs).

Segment Your Network Properly

Planning a secure, segmented network requires precise IP boundaries to avoid overlap. Use our VLSM tool to generate your secure network architecture.

Open the VLSM Calculator →

Implementing the ACLs (Access Control Lists)

Once your subnets are mathematically defined, you apply security rules using Wildcard Masks on your firewall. For example, to completely block the HR subnet (10.1.1.64/26) from accessing the sensitive Database Server subnet (10.1.2.16/28), you simply write an ACL denying that specific IP block.

By enforcing strict subnet boundaries, you ensure that even if ransomware enters the building, its "blast radius" is limited to a single, small department rather than bringing down the entire company.