IPv4 Supernet Calculator

IPv4 CIDR blocks:

Paste route candidates such as 10.44.0.0/24. CIDR and dotted-mask forms are accepted.

Route goal:

Choose the primary recommendation shown in the summary and Route Brief.

Exposure policy:

Use strict when the route must not cover unassigned or separately routed space.

Review CIDR input

{{ error }}

Field	Value	Decision note	Copy
{{ row.field }}	{{ row.value }}	{{ row.note }}

Plan	#	CIDR	Range	Addresses	Use	Copy
{{ row.plan }}	{{ row.order }}	{{ row.cidr }}	{{ row.range }}	{{ row.addresses }}	{{ row.use }}

Line	Input	Normalized CIDR	Range	Addresses	Status	Copy
{{ row.line }}	{{ row.input }}	{{ row.cidr }}	{{ row.range }}	{{ row.addresses }}	{{ row.status }}

Exposure type	CIDR	Range	Addresses	Action	Copy
{{ row.type }}	{{ row.cidr }}	{{ row.range }}	{{ row.addresses }}	{{ row.action }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Route summarization reduces a long list of IPv4 prefixes into fewer advertisements or policy entries. The payoff can be smaller route tables, shorter prefix lists, cleaner firewall rules, and simpler handoff notes. The risk is overreach: a broader prefix may also match addresses that were never part of the original list.

CIDR aggregation works only on binary boundaries. Four aligned /24 networks such as 10.44.0.0/24 through 10.44.3.0/24 can become one 10.44.0.0/22. If one of those /24 blocks is missing, the same one-line cover still exists, but it now includes a gap. That gap may be harmless reserved space, or it may belong to another customer, site, route owner, or security policy.

IPv4 supernet terms and practical meanings
Term	Meaning	Why it changes the decision
Supernet	A broader CIDR prefix that contains smaller routes.	It can reduce advertisements, but it may include addresses outside the input list.
Single cover route	The shortest one-route CIDR that contains the lowest through highest submitted address.	It optimizes route count, not policy safety.
Exact aggregate	A minimal CIDR set that stays inside the submitted address coverage.	It avoids outside coverage but may still require several routes.
Exposure	Addresses included by the single cover route but absent from the inputs.	Those addresses need ownership and routing review before advertisement.

IPv4 aggregation diagram showing submitted CIDR blocks, an exposed gap, and a broader cover route.

Two route summaries can both be mathematically correct while serving different goals. The smallest single cover route is useful when the entire address span is owned by the same routing domain or when a broad comparison is needed. The exact aggregate set is safer when missing space, customer boundaries, firewall zones, or upstream filters make outside coverage unacceptable.

A supernet review should not stop at the prefix. Longest-prefix-match routing can preserve a more-specific exception, but only if that exception exists where traffic is forwarded. Allocation records, route filters, NAT policy, and special-purpose address ranges still decide whether a candidate aggregate belongs in production.

How to Use This Tool:

Use the route list as it appears in a ticket, router note, prefix list, or spreadsheet. The calculator normalizes each valid line before comparing a one-route cover with an exact aggregate set.

Paste one route per line in IPv4 CIDR blocks, or use Browse to import a small text, CSV, log, or config-style file.
Use CIDR notation such as 10.44.0.0/24, a slash with a dotted mask, or an address plus dotted mask. Text after # is ignored, and trailing commas or semicolons are tolerated.
Choose Route goal. Smallest single covering route makes one broad comparison route. Exact aggregate route set keeps advertised routes inside the submitted coverage.
The selected goal changes the primary recommendation, but both the single cover route and exact aggregate rows remain available for comparison.
Choose Exposure policy. Use warnings for exploratory planning, or choose Require exact coverage when a single cover route must not include unsubmitted addresses.
Click Normalize when pasted notes contain host bits or dotted masks and you want the input box rewritten as network-boundary CIDRs.
Read Route Brief first, then inspect Aggregate Routes, Input Ledger, and Gap Ledger for the rows behind the recommendation.
If Review CIDR input appears, fix the named line before using any result. A run is blocked until every non-blank line parses as valid IPv4 CIDR or dotted-mask input.
The parser accepts up to 512 non-blank lines per run, and file import is limited to text-style files under 256 KiB.

Interpreting Results:

The primary recommendation follows the selected route goal. In single-cover mode, the main value can be one broad CIDR with exposed addresses. In exact mode, the main value can be a count of exact aggregate routes rather than one prefix. Treat the recommendation as a routing candidate, then verify the exposure count and gap rows before copying anything into a change plan.

IPv4 supernet result interpretation guide
Result	Meaning	Verification cue
Single cover route	The shortest CIDR that contains the complete submitted address span.	Use only after the Exposure value and Gap Ledger are acceptable.
Exact aggregate routes	The minimal CIDR set that covers only the unique submitted address space.	Prefer this when gaps, edge padding, or ownership boundaries are not allowed.
Input union	Unique address coverage after overlaps and duplicates are merged.	Investigate unexpected overlap before treating route reduction as a win.
Exposure	Addresses inside the single cover route that were not in the submitted coverage.	Check whether those addresses are unassigned, separately routed, or owned elsewhere.
Route reduction	The drop from input route count to the selected advertisement count.	Use it as a maintenance signal, not as proof that the aggregate is safe.

A large route-count reduction can hide a bad aggregate when the missing space is important. Strict exposure policy changes the recommendation when outside coverage exists, but it does not change the underlying CIDR math. The Coverage Balance Chart helps compare scale, yet the numeric exposed-address count is the value to trust when the visual gap looks small.

The safest follow-up is to compare Gap Ledger rows with route ownership, upstream filters, firewall objects, and any more-specific routes that must remain active.

Technical Details:

IPv4 prefixes describe aligned blocks inside a 32-bit address space. A prefix length fixes the leftmost bits and leaves the remaining bits to vary. The block size is always a power of two, and the first address has all host bits cleared. Aggregation succeeds when the smaller ranges can be represented by one broader aligned block, or by a smaller exact set of aligned blocks.

Input routes are first converted into network and broadcast endpoints. Host bits are cleared, so 192.168.8.19/26 becomes 192.168.8.0/26. Ranges are sorted, overlaps are collapsed, and adjacent coverage is merged before the cover route and exact aggregate set are calculated.

Formula Core

The same bit and range equations drive prefix normalization, cover selection, exposure reporting, and route-count reduction.

\begin{array}{lcl} N & = & IP \land M_{p} \\ S & = & 2^{32 - p} \\ B & = & N + S - 1 \\ p_{cover} & = & 32 - changedEndpointBits \\ Exposure & = & coverSize - uniqueInputCoverage \end{array}

IPv4 supernet processing stages
Stage	Rule	Audit clue
Parse	Accept CIDR, slash plus dotted mask, or address plus dotted mask on each non-blank line.	Reject invalid addresses, prefixes outside `/0` to `/32`, and non-contiguous masks.
Normalize	Apply the mask and clear host bits to find the network boundary.	Host normalized flags pasted addresses that were not already network bases.
Merge	Sort ranges and combine overlaps or direct adjacency into unique covered spans.	Overlap warnings mean declared address coverage was larger than unique coverage.
Cover	Compare the lowest start and highest end address, then keep their common leading bits.	The cover is always one route, but it may include outside space.
Exact aggregate	Split each merged span into the largest aligned CIDR blocks that fit wholly inside the span.	Fragmented coverage can produce many exact rows.
Exposure	Subtract unique submitted coverage from the single cover size and list the missing ranges as CIDRs.	Internal gaps and edge padding need separate review.

For four adjacent inputs from 10.44.0.0/24 through 10.44.3.0/24, the lowest endpoint is 10.44.0.0 and the highest endpoint is 10.44.3.255. Their common leading bits produce 10.44.0.0/22, which contains 1,024 addresses. Because the inputs fill the entire cover, exposure is zero.

Cover Route Versus Exact Aggregate

Comparison of single cover routes and exact aggregate route sets
Route choice	Optimizes for	Main risk
Single cover route	One advertisement and the shortest possible route list.	Can cover gaps, padding, or addresses owned by another policy domain.
Exact aggregate set	No outside coverage while still reducing routes when alignment allows.	Can return many routes when the input coverage is fragmented.
More-specific exception	Preserving a smaller route under a broader aggregate through longest-prefix match.	Fails if the exception is not advertised, filtered, or installed where forwarding occurs.

Limitations, Privacy, and Accuracy Notes:

The calculation runs in the browser. Pasted CIDR text, imported files, normalized rows, gap rows, chart data, copied values, and JSON output are computed locally during the page session. Exported files and shared links can still reveal internal addressing or routing intent after they leave your browser.

Only IPv4 dotted notation is supported; IPv6 prefix planning uses a different address size and notation.
Each run accepts up to 512 non-blank route lines, and file import accepts text-style files under 256 KiB.
Preview tables are capped at 512 rows when exact routes or gap CIDRs are very large; use JSON for the structured result details available in the page.
Special-purpose, private, documentation, provider-assigned, and customer-owned ranges can all be mathematically valid while carrying different routing policy.

Worked Examples:

These cases show how route-count reduction, exposure, normalization, and overlap warnings change the recommendation.

Four adjacent /24 routes

Enter 10.44.0.0/24, 10.44.1.0/24, 10.44.2.0/24, and 10.44.3.0/24. The single cover route is 10.44.0.0/22, the exact aggregate set is the same one route, and Exposure is 0 addresses.

One missing block

Enter 10.44.0.0/24, 10.44.1.0/24, and 10.44.3.0/24. The one-route cover remains 10.44.0.0/22, but 10.44.2.0/24 appears as exposed space. With Require exact coverage, the recommendation moves away from the cover route.

Host bits in pasted notes

Paste 192.168.8.19/26 # branch users and 192.168.8.64/26 # branch voice. The first line normalizes to 192.168.8.0/26, while the second line already starts on its prefix boundary. Read Input Ledger before trusting routes copied from device output or spreadsheets.

Overlap removed before aggregation

Enter 172.16.0.0/23 and 172.16.1.0/24. The second route sits inside the first, so duplicate coverage is removed before route generation. The warning is useful because overlap can reveal stale policy, duplicate ownership, or an over-specific line that still matters operationally.

Bad prefix recovery

A line such as 10.44.0.0/33 or a dotted mask with non-contiguous bits triggers Review CIDR input. Fix the named line first; the route brief and tables should be used only after every submitted route has valid IPv4 meaning.

FAQ:

What is the difference between subnetting and supernetting?

Subnetting divides a larger prefix into smaller blocks. Supernetting summarizes smaller blocks into a broader prefix or a reduced exact aggregate set.

Why can one cover route include addresses I did not enter?

A CIDR block must start on its binary boundary and contain a power-of-two address count. If the submitted routes do not fill that aligned block, the cover includes the missing addresses too.

Should I always choose exact aggregate routes?

Use exact aggregate routes when outside coverage is not allowed. A single cover route can be acceptable when the exposed space is intentionally owned by the same routing domain.

Does lower route count mean safer routing?

No. Fewer routes can simplify operations, but exposed space can create reachability, blackhole, or ownership problems. Check the exposure count and gap CIDRs before using route reduction as a success signal.

Why did a host address change to a network address?

CIDR routes describe aligned network blocks. When an input contains host bits, the calculation clears those bits and reports the network boundary that the prefix actually describes.

Can this summarize IPv6 prefixes?

No. The parser, arithmetic, limits, and examples are for 32-bit IPv4 dotted notation. IPv6 aggregation needs different notation and a much larger address space.

Glossary:

CIDR: Classless Inter-Domain Routing notation, written as an IP address plus a slash prefix length.
Supernet: A broader prefix that contains multiple smaller IPv4 networks.
Single cover route: The shortest one-line CIDR that contains the lowest through highest submitted addresses.
Exact aggregate: A minimal CIDR set that covers submitted address space without including outside addresses.
Network boundary: The aligned first address of a CIDR block after host bits are cleared.
Exposure: Addresses included by the single cover route but absent from the submitted input coverage.
Longest-prefix match: The forwarding rule where the most-specific matching route is preferred over a broader matching route.

References:

RFC 4632: Classless Inter-domain Routing (CIDR), RFC Editor, August 2006.
RFC 791: Internet Protocol, RFC Editor, September 1981.
RFC 1918: Address Allocation for Private Internets, RFC Editor, February 1996.
RFC 5737: IPv4 Address Blocks Reserved for Documentation, RFC Editor, January 2010.
IPv4 Special-Purpose Address Space Registry, IANA.