Check IPv4 Range Containment in a CIDR Block

Validate whether a start-to-end IPv4 range is fully contained inside a target CIDR block for ACLs, planning, and network troubleshooting.

Setup
Ready
Examples: 10.1.0.0/16 or 10.1.0.0 255.255.0.0.
Private range shortcuts
Examples: 10.0.0.0/8 or 10.0.0.0 255.0.0.0.
Private range shortcuts
Share
To share your settings, paste this link in an email, web page, or on social media
Enter values and run the tool to generate subnet results, relationship checks, and Mermaid diagrams.
Topology View
A generated Mermaid view of the current network relationship.
Waiting for input
Mermaid preview appears here after a successful calculation.
No result yet.
Run the tool to inspect normalized details and copy-ready values.
Quick Copy
Copy buttons appear here after a successful result.

Try These Related Tools
IPv4 Address in Range
IPv6 CIDR Range Checker
IPv6 Address in Range
IPv4 Subnet Calculator
IPv4 Subnet Boundary
IPv6 Addresses CIDR Notations Boundary
IPv6 Subnet Calculator

IPv4 Range in Range Checker for Full CIDR Containment Validation

This page checks whether an IPv4 address range is fully contained inside a target CIDR block. That is useful when a single host check is not enough and you need to know whether an entire start-to-end range fits the parent network you intend to allow, route, document, or reserve.

This kind of validation matters in ACL work, IP planning, firewall object cleanup, and change review. Range mistakes are easy to miss visually, especially when only one endpoint escapes the subnet.

Key Features

  • Check whether a start-to-end IPv4 range is fully contained inside a target CIDR block.
  • Useful for ACLs, firewall rules, IP planning, and documentation cleanup.
  • Helps catch boundary mistakes where one endpoint spills into the next subnet.
  • Better fit than a single-address checker when the real decision is about range containment.
  • Pairs naturally with IPv4 Address in Range and IPv4 Subnet Calculator.

Use Cases

  • Checking whether an allowlisted address range stays fully inside the intended parent subnet.
  • Validating that a proposed range allocation really fits the reserved network block.
  • Reviewing firewall or WAF range objects before a rule change goes live.
  • Cleaning up IPAM or documentation entries that may have been recorded under the wrong parent subnet.

How To Use

  1. Enter the start address of the IPv4 range.
  2. Enter the end address of the IPv4 range.
  3. Enter the target CIDR block you want to validate against.
  4. Run the check and review whether the entire range is contained.
  5. If the result fails, inspect which boundary assumption is wrong before widening the CIDR carelessly.

A disciplined approach is to confirm both endpoints first. If the start fits but the end does not, the issue is usually a prefix-length or boundary-selection problem rather than random failure.

How It Works

A CIDR subnet defines one continuous address block. For a tested range to be fully contained, both the start and end points must sit inside that same normalized block and the range itself must be valid from lower to higher address order.

That seems simple, but it catches a surprisingly common class of operational mistakes: ranges that look visually close to a subnet but actually cross the boundary by one or more addresses.

Examples

Firewall object review

A team wants to confirm that a permitted range does not unintentionally expand beyond the intended subnet. The page reveals whether the full object fits.

Allocation sanity check

A requested child range should sit inside a larger reserved network. Use the checker before creating documentation or provisioning changes.

Cleanup of recorded ranges

An IPAM entry or spreadsheet claims a range belongs to a subnet. This page validates whether the record is actually true.

Edge Cases & Troubleshooting

  • Containment fails if even one endpoint falls outside the target subnet, so review both edges carefully.
  • A visually similar subnet is not the same thing as the correct subnet; prefix length is often the real issue.
  • If you only need to validate one host, use IPv4 Address in Range instead.
  • If the broader subnet itself is unclear, calculate the boundary first with IPv4 Subnet Calculator.

FAQ

What does this page validate?

It validates whether a full IPv4 start-to-end range is fully contained inside one target CIDR subnet.

Why not just test one endpoint?

Because a range can start inside the subnet and still cross the boundary at the far end.

When should I use this instead of a host checker?

Use this page when the policy or allocation decision is about a range object, not a single IP address.

What if I am not sure what the parent subnet should be?

Use IPv4 Subnet Calculator or IPv4 Subnet Boundary first to reason about the correct network block.

Next Steps / Related Workflows

Sometimes it pays to stay in bed on Monday, rather than spending the rest of the week debugging Monday’s code.

Dan Salomon

CodersTool Categories
Data & Format
Data & Format Tools
Encode Decode Tools
Base64 Tools
Unicode UTF Tools
Text Tools
Database Tools
Developer
Developer Tools
Code Editor Tools
Database Tools
Test Data Tools
Dev Calculators
Web & Markup
Site Diagnostics
Meta & Schema Tools
Network & Security
Network Tools
Security Tools
Encryption Tools
Reference
Cheat Sheets
Blog