Utility · routing math

CIDR aggregator

Combine many CIDR blocks into the smallest set that covers them — the same route-summarization arithmetic that keeps the global BGP table from exploding. Works for IPv4 and IPv6, handles overlap and adjacency.

Bare addresses (no /) are treated as /32 (IPv4) or /128 (IPv6).

What CIDR aggregation actually does

CIDR aggregation (also called route summarization or supernetting) takes a list of IP prefixes and returns the smallest equivalent set. "Equivalent" means the union of addresses covered is exactly the same — never larger, never smaller.

The mechanics, in plain terms:

  1. Convert each input CIDR to a numeric range. 10.0.0.0/24 becomes [10.0.0.0, 10.0.0.255]. 2001:db8::/64 becomes a 64-bit range starting at 2001:db8::0.
  2. Sort by start address.
  3. Merge overlapping or adjacent ranges. Two ranges are adjacent if the end of one is exactly one less than the start of the next. Overlap means the end of one is greater than or equal to the start of the next.
  4. Decompose each merged range back into the minimal set of CIDR blocks. A range that isn't a perfect power-of-two-aligned block can't be a single CIDR; instead it's a small number of CIDRs that exactly cover it.

For example, 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 → 10.0.0.0/22 (one block). But 10.0.0.0 through 10.0.2.255 → 10.0.0.0/23 + 10.0.2.0/24 (two blocks, because the start isn't /22-aligned).
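
The four steps above, written out as an added example (not this tool's own code). The function names are assumptions of the example, and inputs with host bits set are rejected, which the page does not specify.

```python
import ipaddress

def to_range(text):
    """Step 1: CIDR or bare address -> (version, first, last) as integers."""
    # Assumption of this example: host bits set (10.0.0.5/24) raise ValueError.
    net = ipaddress.ip_network(text.strip())
    return net.version, int(net.network_address), int(net.broadcast_address)

def merge(ranges):
    """Steps 2-3: sort by start, then fold overlapping or adjacent ranges."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:   # overlap, or adjacent by one
            merged[-1][1] = max(merged[-1][1], last)
        else:
            merged.append([first, last])
    return merged

def decompose(first, last, bits):
    """Step 4: cover [first, last] exactly with the fewest aligned blocks."""
    blocks = []
    while first <= last:
        # Largest block the alignment of `first` permits (address 0 fits any size).
        size = first & -first if first else 1 << bits
        while size > last - first + 1:              # must not run past `last`
            size >>= 1
        blocks.append((first, bits - (size.bit_length() - 1)))
        first += size
    return blocks

def aggregate(cidrs):
    """Return {4: [...], 6: [...]}; IPv4 and IPv6 are never merged together."""
    families = {4: (32, ipaddress.IPv4Address, []), 6: (128, ipaddress.IPv6Address, [])}
    for text in cidrs:
        version, first, last = to_range(text)
        families[version][2].append((first, last))
    return {
        version: [f"{addr(start)}/{plen}"
                  for first, last in merge(ranges)
                  for start, plen in decompose(first, last, bits)]
        for version, (bits, addr, ranges) in families.items()
    }

if __name__ == "__main__":
    # Input taken from the page's worked example.
    sample = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
              "192.168.1.0/24", "192.168.2.0/24"]
    print(aggregate(sample)[4])
```

Because the merge only joins ranges that overlap or touch, a gap in the input stays a gap in the output, which is the property an allowlist depends on.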

When you actually need this

BGP route summarization

ISPs and large enterprises announce IP prefixes via BGP. The fewer prefixes they announce, the less work everyone else's routers do. Aggregating customer allocations into the smallest set of supernets that covers them is core network engineering. Modern best practice is to announce no more than one or two prefixes per RIR-assigned block; route summarization is how you get there.

Firewall rules and ACLs

"Allow connections from these 50 IP ranges to port 443" reads better and runs faster if you can collapse the 50 ranges into 5 supernets. Modern stateful firewalls handle long ACL lists, but cleaner rules are easier to audit and review.

Cloud-provider IP allowlists

AWS, GCP, and Azure publish their IP ranges as JSON files with hundreds of CIDRs per region. If you're building an allowlist of "all AWS us-east-1 IPs," aggregating the raw list cuts it from ~300 prefixes to ~80 supernets while preserving exact coverage.

Static-route compaction

Building a static routing table for a small router is much easier when you can collapse a long destination list into a few aggregates. The same applies to container networking, VPC route tables, and any system that consumes a route table as configuration.

How it differs from the CIDR calculator

The CIDR calculator takes ONE CIDR and decomposes it: it tells you the network address, broadcast, host range, host count. The aggregator goes the other direction: takes MANY CIDRs and combines them into the smallest equivalent set. They're inverse operations.

What the aggregator cannot do

  • Inflate to a larger range. If your input is 10.0.0.0/24 and 10.0.2.0/24, the result is exactly those two — not 10.0.0.0/22. The aggregator would never silently include addresses you didn't ask for.
  • Aggregate across families. IPv4 and IPv6 are independent namespaces. They're displayed in separate result blocks; no operation can merge them.
  • Express ranges that aren't expressible as CIDRs. Arbitrary address ranges sometimes need multiple CIDR blocks to cover exactly. The decomposition step handles this automatically: every merged range is split into the fewest CIDR blocks that cover it without spillover.

A worked example

Input:

10.0.0.0/24
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
192.168.1.0/24
192.168.2.0/24

The four 10.0.x.0/24 ranges are contiguous and start-aligned, so they collapse to a single 10.0.0.0/22. The two 192.168.x.0/24 ranges aren't aligned for a /22 (which would need to start at 192.168.0.0), so they collapse to 192.168.1.0/24 + 192.168.2.0/24 — the same two we started with, because that's already the minimum cover.

Output:

10.0.0.0/22
192.168.1.0/24
192.168.2.0/24

Six CIDRs in, three out. Exact coverage preserved.
