IP/Subnet Checker
Check if IP belongs to a subnet
Subnet checking verifies whether an IP address belongs to a given CIDR block — a fundamental operation for firewalls, VPNs, and access control lists.
What is Subnet Checking?
Subnet checking (also called subnet membership testing or IP-in-CIDR verification) answers a simple but critical question: does a given IP address belong to a specific CIDR block? This operation is one of the most fundamental building blocks in networking, used billions of times per second across the internet by every firewall, router, and load balancer that processes traffic.
When a packet arrives at a firewall, the device must decide whether the source or destination IP matches any of its rules. Each rule typically specifies a CIDR block (e.g., “allow traffic from 10.0.0.0/8”). The firewall performs a subnet membership check for every packet against every relevant rule to determine whether to allow, deny, or route the traffic.
The operation is computationally trivial — it requires a single bitwise AND — but its importance to network security and routing cannot be overstated.
Binary AND Masking
The mathematical operation behind subnet checking is a bitwise AND between the IP address and the subnet mask. If the result equals the network address of the CIDR block, the IP belongs to that subnet.
Here is the step-by-step process for checking whether 192.168.1.50 belongs to 192.168.1.0/24:
- Convert the IP to binary:
  - 192.168.1.50 = 11000000.10101000.00000001.00110010
- Determine the subnet mask from the prefix length:
  - /24 = 11111111.11111111.11111111.00000000 (255.255.255.0)
- Perform bitwise AND:
  - 11000000.10101000.00000001.00110010 (IP)
  - 11111111.11111111.11111111.00000000 (mask)
  - = 11000000.10101000.00000001.00000000 = 192.168.1.0
- Compare with the network address:
  - Result (192.168.1.0) equals the network address (192.168.1.0)
  - The IP is in the subnet.
Now check 10.0.0.1 against 192.168.0.0/16:
- Convert: 10.0.0.1 = 00001010.00000000.00000000.00000001
- Mask: /16 = 11111111.11111111.00000000.00000000
- AND: = 00001010.00000000.00000000.00000000 = 10.0.0.0
- Compare: 10.0.0.0 does not equal 192.168.0.0 — the IP is NOT in the subnet.
This operation runs in constant time O(1) regardless of the CIDR block size, which is why it scales to billions of checks per second on modern hardware.
In Code
Most programming languages provide libraries for subnet checking, but the core logic is simple:
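function isInSubnet(ip, cidr):
    // ip and cidr.baseAddress are 32-bit unsigned integers
    networkAddress = cidr.baseAddress
    prefixLength = cidr.prefix
    // prefixLength leading one-bits, truncated to 32 bits
    mask = (0xFFFFFFFF << (32 - prefixLength)) & 0xFFFFFFFF
    // member if the masked IP equals the masked network address
    return (ip & mask) == (networkAddress & mask)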
In JavaScript, Python, Go, and most other languages, this is a one-liner once the addresses are parsed into 32-bit integers.
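As an added example (not part of the original page or its tool), here is the same check in JavaScript with the parsing and edge cases the pseudocode leaves out: strict octet validation, the /0 prefix, and CIDR bases with host bits set. The names parseIPv4, prefixMask, parseCidr and hostBitsSet are illustrative assumptions, and the code covers IPv4 only.

```javascript
// Added example: names are illustrative, sample inputs are constructed.

// Parse strict dotted-decimal IPv4 into an unsigned 32-bit integer.
// Leading zeros ("010.0.0.1") are rejected: inet_aton-style parsers read
// them as octal, so a filter and the OS could disagree on the address.
function parseIPv4(text) {
  const parts = text.split(".");
  if (parts.length !== 4) throw new Error(`not a dotted quad: ${text}`);
  let value = 0;
  for (const part of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(part) || Number(part) > 255) {
      throw new Error(`bad octet "${part}" in ${text}`);
    }
    value = value * 256 + Number(part); // multiply, not <<, to stay unsigned
  }
  return value;
}

// JavaScript takes shift counts modulo 32, so 0xFFFFFFFF << 32 leaves the
// value unchanged instead of producing 0; /0 therefore needs its own branch.
function prefixMask(prefixLength) {
  if (!Number.isInteger(prefixLength) || prefixLength < 0 || prefixLength > 32) {
    throw new Error(`bad prefix length: ${prefixLength}`);
  }
  return prefixLength === 0 ? 0 : (0xFFFFFFFF << (32 - prefixLength)) >>> 0;
}

function parseCidr(cidr) {
  const m = /^([^/]+)\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error(`not CIDR notation: ${cidr}`);
  const mask = prefixMask(Number(m[2]));
  const base = parseIPv4(m[1]);
  // Host bits set in the base (192.168.1.50/24) usually mean a mistyped rule.
  const hostBitsSet = ((base & ~mask) >>> 0) !== 0;
  return { network: (base & mask) >>> 0, mask, hostBitsSet };
}

// >>> 0 converts the signed result of & back to unsigned before comparing.
function isInSubnet(ip, cidr) {
  const { network, mask } = parseCidr(cidr);
  return ((parseIPv4(ip) & mask) >>> 0) === network;
}

// The page's two worked examples, then the /0 edge case.
console.log(isInSubnet("192.168.1.50", "192.168.1.0/24")); // true
console.log(isInSubnet("10.0.0.1", "192.168.0.0/16"));     // false
console.log(isInSubnet("8.8.8.8", "0.0.0.0/0"));           // true
```

A rule loader can reject or log any entry where hostBitsSet is true instead of silently normalising it.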
Common Use Cases
- Firewall rules: Every inbound and outbound rule in a firewall performs subnet membership checks to determine whether traffic should be allowed, denied, or logged
- VPN split tunneling: VPN clients check destination IPs against a list of CIDR blocks to decide whether traffic should go through the tunnel or directly to the internet
- Access control lists (ACLs): Routers and switches use ACLs with CIDR-based rules to filter traffic at the network edge and between VLANs
- Cloud security groups: AWS, Azure, and GCP security groups evaluate CIDR rules to control ingress and egress traffic for virtual machines and containers
- Rate limiting: API gateways often apply different rate limits based on whether the client IP falls within a trusted CIDR block (internal) or an external range
- Geo-restriction: Content delivery networks check client IPs against country-level CIDR blocks published by Regional Internet Registries to enforce geographic content policies
- Network troubleshooting: When a device cannot reach a destination, checking whether the target IP falls within the local subnet helps determine if the issue is a routing problem or a local misconfiguration
Try These Examples
- 192.168.1.50 in 192.168.1.0/24: The address 192.168.1.50 falls within the range 192.168.1.0-192.168.1.255 defined by the /24 block. Applying the subnet mask 255.255.255.0 to both addresses yields the same network address: 192.168.1.0.
- 10.0.0.1 in 192.168.0.0/16: The address 10.0.0.1 does not belong to the 192.168.0.0/16 block (192.168.0.0-192.168.255.255). The first octets differ entirely — 10 vs 192 — so the bitwise AND test immediately fails.