Subnetting and CIDR Notation

IPv4 Addresses and Address Classes

Before we dive into CIDR Blocks and CIDR notation, it is important to have a fundamental understanding IP address. IPv4 is the fourth version of the IP. It is one of the core protocols of the standards-based methods used to interconnect the internet and other networks. IPv4 is currently assigned to all computers. An IPv4 address uses 32-bit binary numbers to form a unique IP address. It takes the format of four sets of numbers, each of which ranges from 0 to 255 and represents an eight-digit binary number, separated by a period point.

Address Classes

Some IP addresses are reserved by the Internet Assigned Numbers Authority (IANA). These are typically reserved for networks that carry a specific purpose on the Transmission Control Protocol/Internet Protocol (TCP/IP), which is used to interconnect devices. Four of these IP address classes include:
  • 0.0.0.0: This IP address in IPv4 is also known as the default network. It is the non-routeable meta address that designates an invalid, non-applicable, or unknown network target.
  • 127.0.0.1: This IP address is known as the loopback address, which a computer uses to identify itself regardless of whether it has been assigned an IP address.
  • 169.254.0.1 to 169.254.254.254: A range of addresses that are automatically assigned if a computer is unsuccessful in an attempt to receive an address from the DHCP.
  • 255.255.255.255: An address dedicated to messages that need to be sent to every computer on a network or broadcasted across a network.
    • Further reserved IP addresses are for what is known as subnet classes. Subnetworks are small computer networks that connect to a bigger network via a router. The subnet can be assigned its own IP address system, so that all devices connecting to it can communicate with each other without having to send data via the wider network.
    The router on a TCP/IP network can be configured to ensure it recognizes subnets, then route the traffic onto the appropriate network. IP addresses are reserved for the following subnets:
  • Class A: IP addresses between 10.0.0.0 and 10.255.255.255
  • Class B: IP addresses between 172.16.0.0 and 172.31.255.255
  • Class C: IP addresses between 192.186.0.0 and 192.168.255.255
  • Class D or multicast: IP addresses between 224.0.0.0 and 239.255.255.255
  • Class E, which are reserved for experimental usage: IP addresses between 240.0.0.0 and 254.255.255.254
    • IP addresses listed under Class A, Class B, and Class C are most commonly used in the creation of subnets. Addresses within the multicast or Class D have specific usage rules outlined in the Internet Engineering Task Force (IETF) guidelines, while the release of Class E addresses for public use was the cause of plenty of debate before the IPv6 standard was introduced.

    CIDR Blocks

    Filtering an IP address using a CIDR block (a backslash followed by a number) requires thinking of an address in binary. An IP address in four 8-bit sections results in a total of 32 bits. The number that follows the backslash represents the amount of bits that are blocked when defining the range.

  • A CIDR block of /0 would allow access to any IP address between 0.0.0.0 and 255.255.255.255.
  • While a CIDR block of /32 would only allow access to the IP address that precedes it.
  • Adding /8 after an IP address will block all IP addresses that do not match the first 8 bits, or first number, in the address included.
  • This means typing 19.34.212.155/8 would create a range that includes all IP addresses between 19.0.0.0 and 19.255.255.255.
  • Similarly, a CIDR block of /16 will block all IP addresses that do not match the first 16 bits, or first and second numbers, in the address included.
  • A CIDR block of /24 will block all IP addresses that do not match the first 24 bits, or first, second, and third numbers, in the address included.

    • CIDR Notation

    CIDR stands for Classless Inter-Domain Routing, and is a compact representation of an IP address and its associated routing prefix and a method for allocating IP addresses and for IP routing. It is the "/" at the end of an IP address, like 192.168.60.55/20 for example.

    To visualize what is going on, we can look at something called the "Powers of Two" table, and taking the above example of 192.168.60.55/20, begin with the Subnet Mask, which is a bitmask that encodes the prefix length associated with an IPv4 address or network in quad-dotted notation: 32 bits, starting with a number of 1 bits equal to the prefix length, ending with 0 bits, and encoded in four-part dotted-decimal format: 255.255.255.0. The CIDR notation is in simple terms, the number of bits "turned on". (Represented by 1). More on a bitmask here.

    It is first important to define what an octet is, as I will be referring to this term many times. The 32-bit IP address is grouped 8 bits at a time, each group of 8 bits is an octet. Each of the four octets are separated by a dot, and represented in decimal format. Put simply, an octet is each group of numbers in the IP address that are separated by the dot.

    Using our example above of a CIDR notation of 192.168.60.55/20, moving through the octets, this table shows we have 20 bits turned on - 8 for the first 2, and 4 for the third. Important to note, each position in the octet corresponds with a position in the Powers of Two table.

    Using this, it is simple to calculate the subnet mask:
  • The CIDR notation indicates 20 bits "turned on" (/20) - so in our table above, we put 20 "1's" starting from left to right.
  • Each position of a "1" or "0" corresponds to a position in the Powers of Two table.
  • The first two octets have all the bits turned on, so we know those will be 255.
  • We get this by adding all of the "turned on" bits, by their corresponding position in the table.
  • So for the first two, that would be: 128 + 64 + 32 + 16 + 8 + 4 + 2 +1. Which equals 255.
  • The third octet has 4 turned on, and this will correspond with the addition of their matching places in the table.
  • So, that would be 128 + 64 + 32 + 16.
  • This equals 240, and that is our third octet number.
  • Now we have our subnet: 255.255.240.0.

    • From here, we could translate each octet into binary, but in the example of 255.255.240.0, that wouldn't be unnecessary. Since the first two octets are all "on" (255.255), and the last is all "off", we can simply look at the third octet, (240).

    Since the first two octets are all turned on, we know they will be 192.168, as well as the last octet being all zeros, that will be 0 for Network IP, and 255 for Broadcast ID. For more on why the BroadcastID is 255, see here: BroadcastID.

    Now to calculate, and since we already know the first two and last octets, those are represented in x's.

  • The middle row is our subnet mask number we calculated earlier.
  • The top number is the subnet mask converted to binary.
  • The bottom number is the final number we get by applying what is called a logic table to determine what the IP address would be for that particular number.
  • This works by taking both values, and if they both equal true, then it'll make it true. Almost like multiplication. The bottom number times the top.

    • Binary

    (Top row in picture above.) Use the Powers of Two table to determine. Starting with our IP number of 60, and moving through the table:

  • Can I take 128 out of 60? No.
  • Can I take 64 out of 60? No.
  • Can I take 32 out of 60? Yes. With 28 left over.
  • Can I take 16 out of 28? Yes. With 12 left over.
  • Can I take 8 out of 12? Yes. 4 left over.
  • Can I take 4 out of 4? Yes. Zero left over
  • Last two places are zero as we have used up all our bits

    • Final Number - IP Address

    To get final number for our IP address, all we do is use the logic table to determine the values. So, just using the octet we have been looking at, we take the value of the subnet mask and 'multiply' it by the binary we just calculated.

  • This results in an octet that represents the IP address.

    • The result is 48 because we have ones in the 32 and 16 positions in the Powers of Two tables. So 32 + 16 = 48.

    Broadcast ID

    The definition of a broadcast address is a network address used to transmit to all devices connected to a multiple-access communications network. A message sent to a broadcast address may be received by all network-attached hosts. In simple terms, a broadcast address refers to a special IP address that is used to send a message or packet to all devices on a network. This may sound similar to a default gateway, but there is a key difference:

  • A broadcast address is the one that is used by one host to communicated to another host on the same network whereas the default gateway is this address that is used by all hosts to communicate with hosts outside the network/subnet.

    • Back to our example, to figure this number out, we need to find whatever number would be the next possible Network ID in the list, and the number right before it would be the Broadcast ID. This is determined by looking at something called the "magic number". The magic number is the last bit that is turned on in the subnet mask (in our case it is the 4th from the left). That number represents 16.

  • We add that number to the IP we just found, then subtract 1.
  • 48 + 16 = 64
  • 64 - 1 = 63

    • Finding the Broadcast ID

    BroadcastID or Broadcast Address is the address in a subnet not assigned to single host, it is broadcasted or sent to all hosts and devices on the network. Since we know the network portion of the ID based on the subnet, we now take what is called the wildcard bits which will indicate the portion of the octet bits that are not a part of the network. We logically assign a value of 1 to all those bits, and in our working example our wildcard is: 0.0.0.255.

    In simple terms, you can think of the broadcast ID as an inversion or opposite of the bits set in the subnet ID. Using our working example, since the subnet is 192.168.40.0, the last octet consists of the wildcard bits. Since all bits are set a value of 1, it will be: 192.168.63.255.

    Final Range

    Now that we have both the Network and Broadcast IDs, thus having our upper and lower range we just calculated (the 48 and 63 above), expanding on the table shown above, we can determine the full IP range of available IPs:

  • Usable IPs Range: 192.168.48.1 - 192.168.63.254
  • The last octet is plus one for the lower, and minus 1 for the upper because we can't assign a computer a .0 address, nor a .255 address.

    • Code Example / CLI Tool

    I created a CLI tool in Python that performs this logic for a given IP address. It takes an IP address as a command line argument and determines whether the IP provided on the CLI is in any of the CIDRs retrieved. (The list of IP, ASN, and CIDR ranges is a default list taken from https://stat.ripe.net/data/country-resource-list)

    The tool with output Pass/ Fail to the command line based on the presence of the IP address in the CIDR ranges.
  •  Finding Given IP Address in Subnetwork

    • Written: December 26, 2023
    BACK HOME