About This Tool

🔒 IP Exclusion Calculator – Remove IPs from a Network Range

The IP Exclusion Calculator solves a common networking challenge: given a source IP network, compute the exact set of CIDR blocks that remain after one or more addresses or subnets have been removed. This operation — sometimes called CIDR subtraction or subnet exclusion — is essential for writing precise firewall rules, DHCP pool definitions, BGP prefix lists, and routing policies where you need to address everything except a specific range.

Why You Need CIDR Subtraction

Network devices such as firewalls, routers, and DHCP servers require explicit IP ranges in their configuration. You cannot simply say "allow 10.0.0.0/8 except 10.10.50.0/24" — you must provide a list of non-overlapping CIDR blocks that cover exactly the desired address space. Calculating this by hand is tedious and error-prone, especially for large address blocks or multiple exclusions.

Common scenarios where CIDR exclusion is required:

  • Firewall ACLs — permit all traffic from a /16 block except known bad-actor /24 ranges
  • DHCP pools — allocate a /24 for dynamic assignment but reserve specific addresses for printers, servers, and gateways
  • BGP prefix lists — advertise a /20 aggregate but suppress a /24 sub-prefix that routes through a different provider
  • Access control entries — grant access to a department subnet while blocking the management VLAN range
  • Cloud security groups — restrict an entire VPC CIDR but exclude the load-balancer subnet

How the Exclusion Algorithm Works

The calculator uses a binary interval subtraction algorithm that operates on 32-bit integer representations of IPv4 addresses:

  1. Convert the source CIDR and all exclusions to [start, end] integer ranges.
  2. Clip each exclusion to the source boundary — exclusions outside the source network have no effect.
  3. Sort and merge overlapping exclusions into a single consolidated list so double-counting is avoided.
  4. Walk from source.start to source.end, collecting integer gaps between excluded regions.
  5. Convert each gap back to the minimal set of CIDR blocks using a power-of-2 alignment algorithm (similar to how Linux ipcalc works).

Worked Example

Source network: 192.168.1.0/24 (256 addresses, 192.168.1.0–192.168.1.255)

Exclusions: 192.168.1.0/27 (32 addresses) and 192.168.1.64/28 (16 addresses)

Result: 3 CIDR blocks covering the remaining 208 addresses

| CIDR Block | Range | Hosts |
|---|---|---|
| 192.168.1.32/27 | 192.168.1.32 – 192.168.1.63 | 32 |
| 192.168.1.80/28 | 192.168.1.80 – 192.168.1.95 | 16 |
| 192.168.1.96/27 | 192.168.1.96 – 192.168.1.127 | 32 |
| 192.168.1.128/25 | 192.168.1.128 – 192.168.1.255 | 128 |

Why the Result Has Multiple Blocks

When you remove an arbitrary range from a parent CIDR, the leftover space rarely aligns to a single CIDR boundary. CIDR notation can only represent power-of-2 sized blocks whose start address is divisible by the block size. The calculator applies a greedy largest-block-first strategy: at each position it selects the largest CIDR block that (a) starts at the current address and (b) does not exceed the remaining gap. This guarantees the minimum number of CIDR entries in the output.
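The five steps and the greedy block selection described above, written out as an added Python example (not the calculator's own code). The function names `to_range`, `range_to_cidrs` and `exclude` are assumptions made for illustration; calling `exclude` on the worked example's inputs returns the rows of the table above.

```python
import ipaddress

def to_range(text):
    # Step 1: CIDR or bare host -> (start, end) integers. strict=False zeroes
    # host bits (10.0.0.5/24 -> 10.0.0.0/24); a bare IP is parsed as a /32.
    net = ipaddress.IPv4Network(text.strip(), strict=False)
    return int(net.network_address), int(net.broadcast_address)

def range_to_cidrs(start, end):
    # Step 5: greedy largest-block-first. The block must be aligned at `start`
    # (size divides start) and must not be larger than the remaining gap.
    blocks = []
    while start <= end:
        align = (start & -start) if start else 1 << 32
        fit = 1 << ((end - start + 1).bit_length() - 1)  # largest 2^k <= gap
        size = min(align, fit)
        blocks.append(f"{ipaddress.IPv4Address(start)}/{32 - (size.bit_length() - 1)}")
        start += size
    return blocks

def exclude(source, exclusions):
    s_start, s_end = to_range(source)
    clipped = []
    for item in exclusions:
        lo, hi = to_range(item)
        lo, hi = max(lo, s_start), min(hi, s_end)  # Step 2: clip to the source
        if lo <= hi:                               # fully outside -> ignored
            clipped.append((lo, hi))
    merged = []
    for lo, hi in sorted(clipped):                 # Step 3: sort and merge
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    result, cursor = [], s_start
    for lo, hi in merged:                          # Step 4: collect the gaps
        if cursor < lo:
            result += range_to_cidrs(cursor, lo - 1)
        cursor = hi + 1
    if cursor <= s_end:
        result += range_to_cidrs(cursor, s_end)
    return result

if __name__ == "__main__":
    # Inputs taken from the worked example on this page.
    for block in exclude("192.168.1.0/24", ["192.168.1.0/27", "192.168.1.64/28"]):
        print(block)
```

Before pasting a result into an ACL, a quick sanity check is that the address counts of the output blocks plus the merged exclusions sum to the size of the source network.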

Input Formats Accepted

| Format | Example | Interpretation |
|---|---|---|
| CIDR notation | 10.0.0.0/8 | Standard network block |
| Host address | 192.168.1.1 | Treated as a /32 (single host) |
| CIDR with host bits | 10.0.0.5/24 | Auto-corrected to 10.0.0.0/24 with a warning |

Understanding the Output Columns

  • CIDR Block — the network address with its prefix length (e.g. 10.0.0.128/25)
  • Network / Broadcast — the first and last addresses in the block (reserved, not assignable on standard networks)
  • First / Last Usable — the assignable host range (excludes network and broadcast for prefixes shorter than /31)
  • Total Hosts — all addresses including network and broadcast
  • Usable Hosts — assignable addresses (total − 2 for prefixes ≤ /30; both addresses usable for /31 point-to-point links per RFC 3021; single address for /32)

Practical Tips

  • Enter exclusions one per line or separated by commas — the tool accepts both formats.
  • To exclude a single host address, just enter the IP without a prefix (e.g. 192.168.1.1). It will be treated as /32.
  • Overlapping exclusions are automatically merged, so you can paste a raw block list without pre-deduplicating it.
  • Exclusions that fall entirely outside the source network are ignored — they have no effect on the result.
  • Use the CSV export to import results into a spreadsheet, network management system, or scripting workflow.
  • The Compact CIDR List output at the bottom of the results can be pasted directly into most router and firewall configuration interfaces.

Related Networking Tools

For broader subnet planning, use the CIDR Range Calculator to explore network details or the VLSM Calculator to allocate variable-length subnets to departments. The IP Range Merger performs the inverse operation — combining a list of CIDR blocks into the fewest possible supernets. The CIDR Splitter divides a parent block into equal-sized child subnets, while the Supernet Calculator finds the smallest CIDR that contains a set of networks.

✅ Use this tool when you need to…

  • Build firewall permit rules for "all except" scenarios
  • Define a DHCP scope that skips reserved addresses
  • Generate BGP prefix lists that suppress sub-prefixes
  • Document the remaining address space after reservations

🔗 Complementary tools

  • CIDR Splitter — divide into equal subnets
  • IP Range Merger — consolidate CIDR lists
  • VLSM Calculator — variable-length subnet allocation
  • Supernet Calculator — find smallest containing network

Frequently Asked Questions

Is the IP Exclusion Calculator free?

Yes, the IP Exclusion Calculator is totally free :)

Can I use the IP Exclusion Calculator offline?

Yes, you can install the web app as a PWA.

Is it safe to use IP Exclusion Calculator?

Yes. Any data related to the IP Exclusion Calculator is stored only in your browser (if storage is required). You can simply clear the browser cache to remove all the stored data. We do not store any data on the server.

What is the IP Exclusion Calculator?

The IP Exclusion Calculator computes the minimal set of CIDR blocks that remain after removing one or more IP addresses or subnets from a source network. It is used by network engineers to generate precise firewall ACL rules, DHCP pool definitions, or routing prefix lists that cover a range except for certain reserved or blocked addresses.

How does the exclusion algorithm work?

The tool converts the source network and all exclusions to integer ranges, clips each exclusion to the source boundary, merges overlapping exclusions, and then walks the source range collecting the gaps between excluded regions. Each remaining gap is converted back to the minimal list of non-overlapping CIDR blocks using a binary subdivision algorithm.

Why do I get multiple CIDR blocks as output instead of one?

After removing an IP range from a parent network, the remaining address space almost never aligns to a single CIDR boundary. For example, removing 10.0.0.0/27 from 10.0.0.0/24 leaves three blocks: /27, /26, and /25. The tool produces the smallest possible set of CIDR blocks that exactly covers the remaining space.

Can I exclude multiple subnets at once?

Yes. Enter each exclusion on its own line in the exclusion list box. You can mix individual host addresses (treated as /32) and CIDR blocks of any prefix length. The tool automatically merges overlapping exclusions before computing the result.

What happens if an exclusion is outside the source network?

Any exclusion that falls entirely outside the source network is silently ignored, since it has no effect on the remaining address space. Exclusions that partially overlap the source boundary are clipped to the source range automatically.

Does the tool handle host bits set in an address?

Yes. If you enter a CIDR like 192.168.1.5/24 (host bits set), the tool zeros the host bits and treats it as 192.168.1.0/24, showing a correction notice. This prevents common data-entry errors from producing wrong results.