What does a subnet calculator tell you?

A subnet calculator takes an IP address and a subnet mask or CIDR prefix and returns the complete network breakdown including network address, first and last usable host, broadcast address, total hosts, wildcard mask, and binary mask. It may also display the IP class and whether the address is private or public.

What is the difference between a subnet mask and a CIDR prefix?

A subnet mask and a CIDR prefix represent the same information in different formats. A subnet mask such as 255.255.255.0 uses dotted decimal notation, while a CIDR prefix such as /24 indicates how many leading bits are set to 1. Both formats are interchangeable.

What is the difference between FLSM and VLSM?

Fixed-Length Subnet Masking (FLSM) divides a network into subnets that are all the same size and use the same subnet mask. Variable-Length Subnet Masking (VLSM) creates subnets of different sizes based on host requirements, which makes more efficient use of IP address space.

When should I use FLSM instead of VLSM?

FLSM is useful when all network segments require the same number of hosts, such as in structured lab environments or simple legacy networks. In most modern networks VLSM is preferred because it uses address space more efficiently.

How does VLSM allocate subnets?

VLSM sorts host requirements from largest to smallest and assigns the smallest possible subnet that can support each requirement. For example, if a network needs 100, 50, and 20 hosts, it may allocate a /25, then a /26, then a /27 to minimize wasted addresses.

Does this calculator find free or unused IP addresses?

Yes. After performing FLSM or VLSM calculations, the calculator can generate a Free or Unused IP Network table that shows which address ranges remain unallocated and available for future subnetting.

What is Supernetting (Route Summarization)?

Supernetting, also called route summarization, combines multiple contiguous smaller networks into one larger summary route. This reduces routing table size, improves router efficiency, and simplifies network management.

What are the rules for supernetting to work correctly?

For supernetting to work correctly, the networks must be contiguous with no gaps, the number of networks must be a power of two such as 2, 4, 8, or 16, and the first network must start on the correct boundary for the summarized prefix.

Do I need to create an account or install software?

No. The calculator runs entirely in your browser and does not require account creation, downloads, or installation. All calculations are performed locally.

Can I calculate IPv6 subnets here?

This page focuses on IPv4 subnetting. A separate IPv6 subnet calculator can be used to analyze IPv6 prefixes and address details.

What other tools are available on this site?

The site offers multiple networking tools including subnet calculators, VLSM and FLSM calculators, supernetting tools, subnet overlap checkers, IPv6 calculators, EUI-64 generators, IP range to CIDR converters, wildcard mask converters, MAC address tools, and other utilities.

Are the results accurate enough to use in a real network design?

Yes. The calculations are based on the same binary and bitwise logic used by routers and networking systems, making them suitable for production network planning, certification study, firewall configuration, and cloud network design.

Understanding Cisco Wildcard Masks for ACLs and OSPF

If you are studying for a Cisco certification or configuring a real-world enterprise router, you will quickly discover that Cisco iOS does not use standard subnet masks for Access Control Lists (ACLs) or dynamic routing protocols like OSPF and EIGRP. Instead, it demands a Wildcard Mask.

[Image comparing subnet mask binary to wildcard mask binary]

To beginners, wildcard masks look like subnet masks that have been turned completely upside down. In this guide, we will look at the math behind wildcard masks and why routers prefer them over standard CIDR notation for filtering traffic.

What is a Wildcard Mask?

A subnet mask dictates the size of a network by stating "These bits represent the network, and these bits represent the host." A wildcard mask, however, is a matching rule. It tells the router’s packet processing engine exactly which bits of an IP address it must evaluate, and which bits it can ignore.

A binary 0 in a wildcard mask means: "Must strictly MATCH this bit."
A binary 1 in a wildcard mask means: "IGNORE this bit (it can be anything)."

The Inverse Subnet Mask Shortcut

For 95% of networking scenarios, a wildcard mask is simply the mathematical inverse of a subnet mask. To calculate it quickly without converting to binary, simply subtract your subnet mask from 255.255.255.255.

Example for a /24 network:
255.255.255.255
- 255.255.255.0 (Your Subnet Mask)
= 0.0.0.255 (Your Wildcard Mask)

Convert Subnet Masks to Wildcards Instantly

Skip the manual math. Enter any subnet mask or CIDR prefix into our Wildcard Converter and get the exact inverse mask and binary breakdown.

Open the Free Wildcard Converter →

Why Do We Use Wildcard Masks?

You might be asking, "Why not just use standard subnet masks? Why invent a new format?" The answer is flexibility.

A standard subnet mask must be contiguous (a solid block of 1s followed by a solid block of 0s). Wildcard masks do not have this restriction! You can place 0s and 1s anywhere you want to create incredibly complex, highly specific firewall rules.

Advanced Use Case: Filtering Even/Odd IP Addresses

Imagine you have a subnet (192.168.1.0/24), and you assigned all of your printers to odd IP addresses (1, 3, 5, 7...) and all your workstations to even IP addresses (2, 4, 6, 8...).

You want to write an ACL that blocks all workstations but allows all printers. With a standard subnet mask, this is mathematically impossible—you would have to write 127 individual ACL lines.

With a wildcard mask, you can look at the very last binary bit of the IP address (which determines if a number is even or odd) and write a discontiguous wildcard mask:

access-list 10 permit 192.168.1.1 0.0.0.254

Because the last octet in the wildcard is 254 (binary 11111110), the router ignores the first 7 bits of the host IP, but strictly matches the final bit (which must be a 1, meaning it is an odd number). In one single line of code, you have filtered 127 IP addresses!

While discontiguous wildcard masks are rarely used today due to modern Next-Gen Firewalls, understanding the underlying binary math is crucial for mastering Cisco routing infrastructure.