Introduction
An IP address identifies a device on a network. A subnet is a logical subdivision of that network. CIDR notation expresses the network prefix length with a slash, for example 192.168.1.0/24. Understanding how these three concepts interact is essential to configuring servers, cloud infrastructure, and network security policies. The authoritative specifications are RFC 4632 for Classless Inter-Domain Routing and RFC 1918 for private address ranges.
In a previous guide, we covered some basic networking terminology. You should review that guide to make sure you are familiar with the concepts presented there.
This article covers network addressing at the IP layer: how IPv4 addresses are structured and classified, how subnet masks divide address space, how CIDR notation represents any prefix length, how Variable Length Subnet Masking (VLSM) enables efficient allocation, and how IPv6 applies the same slash notation to a 128-bit space. Each section builds on the previous one.
Key Takeaways
- An IPv4 address is a 32-bit number expressed as four decimal octets, for example 192.168.0.5. An IPv6 address is a 128-bit number expressed as eight groups of four hexadecimal digits.
- A subnet mask identifies which bits of an IP address belong to the network portion and which belong to the host portion. The mask 255.255.255.0 (prefix /24) means the first 24 bits are the network.
- In most IPv4 subnets (/0 through /30), the first address is the network address (all host bits set to 0) and the last address is the broadcast address (all host bits set to 1), and neither can be assigned to a host. (/31 point-to-point links are an exception; RFC 3021.)
- CIDR notation appends a prefix length to an IP address, for example 10.0.0.0/8, to represent the network without requiring classful boundaries.
- RFC 1918 defines three private address ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. These ranges are not routed on the public internet.
- VLSM allows different prefix lengths within the same address space, enabling right-sized subnets for each segment.
- IPv6 uses the same slash notation as IPv4, with a standard per-subnet prefix of /64, leaving 64 bits for host addressing within each subnet.
What Is an IP Address?
An IP address is a numerical label assigned to each device on a network that uses the Internet Protocol. It serves two functions: identifying the host and locating it within the network topology.
IPv4 Address Structure and Dot-Decimal Notation
An IPv4 address is a 32-bit number written as four 8-bit segments separated by periods, each expressed in decimal from 0 to 255. Every device on a network needs an address so other devices can reach it; at the network layer of the TCP/IP model, that address is the IP address. Even though the segments are written in decimal for readability, each is called an octet to indicate that it represents 8 bits.
A typical IPv4 address looks like this:
```
192.168.0.5
```
The lowest value in each octet is 0 and the highest is 255.
The same address expressed in binary, with each 4 bits separated by a space and octets separated by dashes:
```
1100 0000 - 1010 1000 - 0000 0000 - 0000 0101
```
Recognizing that these two formats represent the same value is essential to understanding subnet masks and CIDR notation.
IP addresses allow network resources to be reached through a network interface. If one computer needs to communicate with another, it addresses the information to the remote computer's IP address. Assuming the two computers are on the same network, or that intermediate devices can translate requests across networks, the computers can reach each other and exchange information.
A mechanism called Network Address Translation (NAT) allows addresses to be rewritten when packets cross network borders. This allows the same private IP address to be used on multiple isolated networks while still permitting those networks to communicate externally when configured correctly.
IPv4 Address Classes (Class A, B, C, D, E)
IP addresses are composed of a network portion and a host portion. Where the network portion ends and the host portion begins depends on how the network is configured.
IPv4 addresses were traditionally divided into five classes named A through E, defined by the leading bits of the address. The table below shows the class boundaries, default masks, and typical uses.
| Class | Leading bits | Address range | Default mask | Typical use |
|---|---|---|---|---|
| A | 0 | 0.0.0.0 to 127.255.255.255 | 255.0.0.0 | Large networks |
| B | 10 | 128.0.0.0 to 191.255.255.255 | 255.255.0.0 | Medium networks |
| C | 110 | 192.0.0.0 to 223.255.255.255 | 255.255.255.0 | Small networks |
| D | 1110 | 224.0.0.0 to 239.255.255.255 | N/A | Multicast |
| E | 1111 | 240.0.0.0 to 255.255.255.255 | N/A | Experimental/reserved |
Two ranges within Class A are carved out and are not available for general host assignment: 0.0.0.0/8 (the "this network" address, used as a source before a host acquires an address) and 127.0.0.0/8 (loopback, reserved for each host to test its own network stack, typically via 127.0.0.1).
Class D addresses are reserved for multicast protocols, which deliver a packet to a group of hosts in one operation. Class E addresses are reserved for experimental use and are mostly unused.
Classful addressing is deprecated in modern routing. RFC 1519 (1993), updated by RFC 4632 (2006), introduced CIDR as its replacement, removing the requirement that prefix lengths align with class boundaries. The class designations remain useful as historical context and for understanding default mask conventions.
Public vs. Private IP Addresses
IP addresses fall into two categories: public and private. Public addresses are globally routable on the internet. Private addresses are defined by RFC 1918 and are used only within private networks.
Private addresses are dropped at internet boundaries because no public router holds a route to them. RFC 1918 ranges are deliberately absent from the global routing table, so a packet bound for a private destination has nowhere to go once it leaves the local network. This means a private-addressed host cannot be reached from the public internet, which is why outbound traffic from private hosts must pass through NAT.
The loopback range 127.0.0.0/8 is reserved for each host to test its own network stack. Typically only 127.0.0.1 is used, but all addresses in the 127.0.0.0/8 range are reserved for this purpose.
For a complete list of reserved IPv4 address blocks, see the IANA IPv4 Special-Purpose Address Registry.
What Is a Subnet?
A subnet (short for subnetwork) is a logical subdivision of a larger IP network. Subnetting divides one address block into multiple smaller blocks, each operating as an independent network segment.
Why Subnets Are Used
Subnets reduce broadcast traffic, isolate segments for security, and let you allocate address space by actual host count instead of fixed class boundaries.
The clearest motivation is the broadcast domain. On a single flat network, broadcast frames such as ARP requests and DHCP discovery reach every host. A flat /16 with 60,000 hosts forces every device to process every broadcast, and one misbehaving host broadcasting at volume degrades the entire network. Splitting that /16 into /24 segments confines each broadcast to about 254 hosts, so a broadcast storm in one segment never touches the others.
Subnets also give you an enforcement boundary. Firewall rules, route policies, and access controls all operate on address ranges, so a database tier in 10.10.2.0/24 can be made reachable only from a web tier in 10.10.1.0/24 and from nowhere else. Without subnetting there is no range to write the rule against.
Finally, subnets let you size allocations to need. A point-to-point link uses a /30 (2 hosts) while a user segment uses a /24 (254 hosts), instead of each segment consuming an identical block. This is the basis for VLSM, covered later in this article.
Network Address and Host Address Explained
Each IP address contains two logical components: a network portion and a host portion. The network portion identifies the subnet; the host portion identifies a specific device within that subnet.
For the address 192.168.0.15 on a /24 network, the network portion is 192.168.0 and the host portion is 15. In binary:
```
1100 0000 - 1010 1000 - 0000 0000 - 0000 1111
```
The first 24 bits (the first three octets) identify the network. The last 8 bits identify the host.
Applying a bitwise AND between the address and the subnet mask extracts the network address by zeroing out the host bits:
```
    1100 0000 - 1010 1000 - 0000 0000 - 0000 1111   (192.168.0.15)
AND 1111 1111 - 1111 1111 - 1111 1111 - 0000 0000   (255.255.255.0)
  = 1100 0000 - 1010 1000 - 0000 0000 - 0000 0000   (192.168.0.0)
```
The network address is 192.168.0.0. The host identifier is 0000 1111, which is 15.
Broadcast Address and Why It Matters
The first address in any subnet is the network address, where all host bits are set to 0. The last address is the broadcast address, where all host bits are set to 1. A packet sent to the broadcast address is delivered to all hosts within that subnet. Neither the network address nor the broadcast address can be assigned to an individual host.
This constraint applies to the first and last address within the specific subnet, not to any address whose last octet happens to be literally 0 or 255. For example, in the subnet 10.0.1.0/24, the network address is 10.0.1.0 and the broadcast is 10.0.1.255. In the subnet 10.0.2.128/25, the network address is 10.0.2.128 and the broadcast is 10.0.2.255.
What Is a Subnet Mask?
A subnet mask is a 32-bit value that identifies which bits of an IP address belong to the network portion and which belong to the host portion. Bits set to 1 in the mask mark network bits; bits set to 0 mark host bits.
How Subnet Masks Work in Binary
The subnet mask for a /24 network is 255.255.255.0. In binary, using the 4-bit group convention:
```
1111 1111 - 1111 1111 - 1111 1111 - 0000 0000
```
The first 24 bits (all 1s) identify the network. The remaining 8 bits (all 0s) are available for host addressing.
The following reference shows the binary form and dotted-decimal equivalent for common prefix lengths:
```
/8  → 11111111.00000000.00000000.00000000 → 255.0.0.0
/16 → 11111111.11111111.00000000.00000000 → 255.255.0.0
/24 → 11111111.11111111.11111111.00000000 → 255.255.255.0
/25 → 11111111.11111111.11111111.10000000 → 255.255.255.128
/26 → 11111111.11111111.11111111.11000000 → 255.255.255.192
/27 → 11111111.11111111.11111111.11100000 → 255.255.255.224
/28 → 11111111.11111111.11111111.11110000 → 255.255.255.240
/29 → 11111111.11111111.11111111.11111000 → 255.255.255.248
/30 → 11111111.11111111.11111111.11111100 → 255.255.255.252
```
To split a /24 network into two equal subnets, extend the prefix by one bit. The new mask uses 25 network bits. In binary:
```
1111 1111 - 1111 1111 - 1111 1111 - 1000 0000
```
This is the subnet mask 255.255.255.128, corresponding to the prefix /25. It is a mask value, not a network address. Applied to 192.168.0.0/24, it produces two distinct subnets:
- Subnet 1: Network address 192.168.0.0, broadcast 192.168.0.127, usable range 192.168.0.1 to 192.168.0.126 (126 hosts).
- Subnet 2: Network address 192.168.0.128, broadcast 192.168.0.255, usable range 192.168.0.129 to 192.168.0.254 (126 hosts).
If more subnets are needed, further bits from the host portion can be designated as network bits, doubling the number of subnets each time at the cost of halving the hosts per subnet.
Default Subnet Masks for Each IP Class
Under classful addressing, each class has a default subnet mask aligned with its class boundary:
| Class | Default mask | Prefix |
|---|---|---|
| A | 255.0.0.0 | /8 |
| B | 255.255.0.0 | /16 |
| C | 255.255.255.0 | /24 |
Under CIDR, these defaults are informational only. Any prefix length from /0 to /32 is valid regardless of the address's classful origin.
Calculating Usable Hosts from a Subnet Mask
Given a prefix length, the total number of IP addresses in the subnet is 2^(32 - prefix). Usable hosts equals that total minus two: one address for the network and one for the broadcast.
For a /24 subnet: 2^(32 - 24) = 2^8 = 256 total addresses. 256 - 2 = 254 usable hosts.
For a /26 subnet: 2^(32 - 26) = 2^6 = 64 total addresses. 64 - 2 = 62 usable hosts.
The /31 prefix is an exception defined by RFC 3021 for point-to-point links, where both addresses are usable because no broadcast or network address identifier is needed. The /32 prefix identifies a single host route.
To go the other direction, from a host requirement to a prefix, pick the smallest block whose usable host count meets or exceeds your need:
| Hosts needed | Prefix | Usable hosts |
|---|---|---|
| 1 to 2 | /30 | 2 |
| 3 to 6 | /29 | 6 |
| 7 to 14 | /28 | 14 |
| 15 to 30 | /27 | 30 |
| 31 to 62 | /26 | 62 |
| 63 to 126 | /25 | 126 |
| 127 to 254 | /24 | 254 |
For example, a segment that needs 30 hosts requires a /27, because a /28 provides only 14 usable addresses and a /27 provides 30.
What Is CIDR Notation?
CIDR (Classless Inter-Domain Routing) notation expresses a network address and its prefix length in a single string. The prefix length follows the IP address after a forward slash. For example, 192.168.0.15/24 means the first 24 bits identify the network.
How CIDR Replaced Classful Addressing
CIDR replaced classful addressing because fixed class sizes wasted large amounts of address space and caused routing tables to grow unsustainably. Before CIDR, IP address allocation followed fixed class boundaries. A Class B block provided 65,534 host addresses regardless of actual need, and a Class C block provided only 254. This made right-sized allocation impossible and caused internet routing tables to grow quickly as providers assigned many small Class C blocks to cover demand.
RFC 1519 (1993), later updated and consolidated into RFC 4632 (2006), introduced CIDR as the replacement. CIDR allows address blocks to be allocated in any prefix length, matching allocations to actual requirements. It also enables route aggregation: multiple contiguous blocks can be represented by a single covering prefix, reducing routing table size.
Reading a CIDR Block: Network Prefix and Host Bits
A CIDR block consists of two parts: the network prefix and the host portion. The prefix length specifies how many leading bits are fixed and identify the network. The remaining bits are variable and identify individual hosts within that network.
For 192.168.0.0/24:
- Network prefix: first 24 bits (192.168.0)
- Host bits: last 8 bits (values 0 through 255, giving 256 total addresses)
For 10.0.0.0/8:
- Network prefix: first 8 bits (10)
- Host bits: last 24 bits (values 0 through 16,777,215, giving 16,777,216 total addresses)
CIDR Notation Examples (/8, /16, /24, /26, /30)
The most common CIDR blocks and their sizes are summarized in the table at the end of this section: 192.168.1.0/24 gives 254 usable hosts, 192.168.1.0/26 gives 62, and 10.0.0.112/30 gives 2. Beyond sizing individual networks, CIDR notation also represents supernets, which aggregate multiple contiguous classful blocks into a single routing entry. For example, 192.168.0.0 and 192.168.1.0 are two adjacent Class C networks. Under classful rules, they require two separate routing entries. Under CIDR, they can be aggregated as 192.168.0.0/23.
The first network (192.168.0.0) in binary:
```
1100 0000 - 1010 1000 - 0000 0000 - 0000 0000
```
The second network (192.168.1.0) in binary:
```
1100 0000 - 1010 1000 - 0000 0001 - 0000 0000
```
The /23 mask:
```
1111 1111 - 1111 1111 - 1111 1110 - 0000 0000
```
With 23 bits fixed, the 24th bit can be either 0 or 1 and both networks match. This is equivalent to the subnet mask 255.255.254.0. CIDR allows more control over addressing contiguous blocks of IP addresses than classful subnetting permits.
Additional common CIDR examples:
| CIDR block | Usable hosts | Typical use |
|---|---|---|
| 10.0.0.0/8 | 16,777,214 | Large enterprise or cloud network |
| 172.16.0.0/16 | 65,534 | Mid-size private network |
| 192.168.1.0/24 | 254 | Small office or single subnet |
| 192.168.1.0/26 | 62 | Segment within a /24 |
| 10.0.0.112/30 | 2 | Point-to-point WAN link |
CIDR Reference Table: Prefix Lengths, Subnet Masks, and Host Counts
The table below lists every IPv4 prefix length from /0 to /32 with its subnet mask, total IP count, and usable host count. The usable host formula for /0 through /30 is 2^(32 - prefix) - 2. The /31 exception (RFC 3021) applies to point-to-point links where both addresses are assignable. The /32 identifies a single host route.
| Prefix | Subnet mask | Total addresses | Usable hosts |
|---|---|---|---|
| /0 | 0.0.0.0 | 4,294,967,296 | 4,294,967,294 |
| /1 | 128.0.0.0 | 2,147,483,648 | 2,147,483,646 |
| /2 | 192.0.0.0 | 1,073,741,824 | 1,073,741,822 |
| /3 | 224.0.0.0 | 536,870,912 | 536,870,910 |
| /4 | 240.0.0.0 | 268,435,456 | 268,435,454 |
| /5 | 248.0.0.0 | 134,217,728 | 134,217,726 |
| /6 | 252.0.0.0 | 67,108,864 | 67,108,862 |
| /7 | 254.0.0.0 | 33,554,432 | 33,554,430 |
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 |
| /9 | 255.128.0.0 | 8,388,608 | 8,388,606 |
| /10 | 255.192.0.0 | 4,194,304 | 4,194,302 |
| /11 | 255.224.0.0 | 2,097,152 | 2,097,150 |
| /12 | 255.240.0.0 | 1,048,576 | 1,048,574 |
| /13 | 255.248.0.0 | 524,288 | 524,286 |
| /14 | 255.252.0.0 | 262,144 | 262,142 |
| /15 | 255.254.0.0 | 131,072 | 131,070 |
| /16 | 255.255.0.0 | 65,536 | 65,534 |
| /17 | 255.255.128.0 | 32,768 | 32,766 |
| /18 | 255.255.192.0 | 16,384 | 16,382 |
| /19 | 255.255.224.0 | 8,192 | 8,190 |
| /20 | 255.255.240.0 | 4,096 | 4,094 |
| /21 | 255.255.248.0 | 2,048 | 2,046 |
| /22 | 255.255.252.0 | 1,024 | 1,022 |
| /23 | 255.255.254.0 | 512 | 510 |
| /24 | 255.255.255.0 | 256 | 254 |
| /25 | 255.255.255.128 | 128 | 126 |
| /26 | 255.255.255.192 | 64 | 62 |
| /27 | 255.255.255.224 | 32 | 30 |
| /28 | 255.255.255.240 | 16 | 14 |
| /29 | 255.255.255.248 | 8 | 6 |
| /30 | 255.255.255.252 | 4 | 2 |
| /31 | 255.255.255.254 | 2 | 2 (point-to-point only, RFC 3021) |
| /32 | 255.255.255.255 | 1 | 1 (host route) |
How to Calculate Subnets and Host Ranges
Subnet calculations follow a consistent binary process: identify the prefix, apply the mask to find the network address, set all host bits to 1 to find the broadcast address, and the usable range falls between those two boundaries.
Step-by-Step Example: Subnetting a /24 Network
Given the network 192.168.1.0/24:
- Prefix length: 24 bits
- Subnet mask: 255.255.255.0
- Total addresses: 2^8 = 256
- Usable hosts: 254
In binary, the subnet mask is:
```
1111 1111 - 1111 1111 - 1111 1111 - 0000 0000
```
Apply a bitwise AND between an address in this network, for example 192.168.1.75, and the mask:
```
    1100 0000 - 1010 1000 - 0000 0001 - 0100 1011   (192.168.1.75)
AND 1111 1111 - 1111 1111 - 1111 1111 - 0000 0000   (255.255.255.0)
  = 1100 0000 - 1010 1000 - 0000 0001 - 0000 0000   (192.168.1.0)
```
- Network address: 192.168.1.0 (all host bits = 0)
- Broadcast address: 192.168.1.255 (all host bits = 1)
- Usable range: 192.168.1.1 to 192.168.1.254
Step-by-Step Example: Subnetting a /24 into /26 Blocks
A /26 prefix uses 26 bits for the network and 6 bits for hosts. Each /26 subnet contains 2^6 = 64 addresses, with 62 usable. Dividing 192.168.1.0/24 into /26 blocks produces four subnets:
| Subnet | Network address | Broadcast | Usable range | Usable hosts |
|---|---|---|---|---|
| 192.168.1.0/26 | 192.168.1.0 | 192.168.1.63 | 192.168.1.1 to 192.168.1.62 | 62 |
| 192.168.1.64/26 | 192.168.1.64 | 192.168.1.127 | 192.168.1.65 to 192.168.1.126 | 62 |
| 192.168.1.128/26 | 192.168.1.128 | 192.168.1.191 | 192.168.1.129 to 192.168.1.190 | 62 |
| 192.168.1.192/26 | 192.168.1.192 | 192.168.1.255 | 192.168.1.193 to 192.168.1.254 | 62 |
Each subnet boundary falls every 64 addresses (2^6). The network addresses are at .0, .64, .128, and .192.
Using Binary to Determine Network and Host Portions
For a /26 network, the boundary between network bits and host bits falls at position 26. The last octet of the mask 255.255.255.192 is 1100 0000, meaning the first two bits of the last octet are network bits and the remaining six are host bits.
For the address 192.168.1.130 within the third /26 subnet:
```
    1100 0000 - 1010 1000 - 0000 0001 - 1000 0010   (192.168.1.130)
AND 1111 1111 - 1111 1111 - 1111 1111 - 1100 0000   (255.255.255.192)
  = 1100 0000 - 1010 1000 - 0000 0001 - 1000 0000   (192.168.1.128)
```
The network address is 192.168.1.128. The host bits in the last octet are 00 0010, which is host 2 within that subnet.
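The bitwise steps above, carried out in code as an added example (not part of the original article): the mask is built from the prefix length, AND clears the host bits to give the network address, OR with the inverted mask sets them to give the broadcast, and the /31 and /32 special cases are handled explicitly. The result is cross-checked against Python's standard `ipaddress` module; all function names are this example's own.

```python
import ipaddress


def parse_ipv4(text: str) -> int:
    """Convert dotted-decimal notation to a 32-bit integer."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {text}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {text}")
        value = (value << 8) | n
    return value


def format_ipv4(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for_prefix(prefix: int) -> int:
    """Subnet mask as an integer: `prefix` leading 1 bits, then 0 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def to_binary_groups(value: int) -> str:
    """Render in the article's '1100 0000 - 1010 1000 - ...' layout."""
    octets = [(value >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return " - ".join(f"{o >> 4:04b} {o & 0xF:04b}" for o in octets)


def subnet_info(cidr: str) -> dict:
    """Network, broadcast, usable range and host count for address/prefix.

    /31 (RFC 3021, both addresses usable) and /32 (single host route) are
    the two exceptions to the 'total minus two' rule.
    """
    address_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    address = parse_ipv4(address_text)
    mask = mask_for_prefix(prefix)
    network = address & mask                      # AND clears the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)    # OR sets the host bits
    total = 2 ** (32 - prefix)
    if prefix == 32:
        usable, first, last = 1, network, network
    elif prefix == 31:
        usable, first, last = 2, network, broadcast
    else:
        usable, first, last = total - 2, network + 1, broadcast - 1
    return {
        "network": format_ipv4(network),
        "mask": format_ipv4(mask),
        "broadcast": format_ipv4(broadcast),
        "first_host": format_ipv4(first),
        "last_host": format_ipv4(last),
        "total": total,
        "usable": usable,
        "host_id": address & ~mask & 0xFFFFFFFF,  # the host bits alone
    }


def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand-rolled arithmetic against ipaddress."""
    info = subnet_info(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (
        info["network"] == str(net.network_address)
        and info["broadcast"] == str(net.broadcast_address)
        and info["mask"] == str(net.netmask)
        and info["total"] == net.num_addresses
    )


if __name__ == "__main__":
    for cidr in ("192.168.0.15/24", "192.168.1.130/26", "10.0.0.112/30", "10.0.0.1/31"):
        info = subnet_info(cidr)
        print(f"{cidr:<18} net {info['network']:<15} bcast {info['broadcast']:<15} "
              f"hosts {info['first_host']}-{info['last_host']} ({info['usable']} usable)")
        print("   ", to_binary_groups(parse_ipv4(cidr.split("/")[0])), "stdlib agrees:", matches_stdlib(cidr))
```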
Verifying Subnet Calculations with ipcalc
ipcalc is a command-line subnet calculator that performs subnet arithmetic and displays the binary breakdown of an address. On Ubuntu and Debian systems, install it with:
```bash
sudo apt install ipcalc
```
To verify the /24 network used in the example above:
```bash
ipcalc 192.168.1.0/24
```
Output
```
Address:   192.168.1.0          11000000.10101000.00000001. 00000000
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   192.168.1.0/24       11000000.10101000.00000001. 00000000
HostMin:   192.168.1.1          11000000.10101000.00000001. 00000001
HostMax:   192.168.1.254        11000000.10101000.00000001. 11111110
Broadcast: 192.168.1.255        11000000.10101000.00000001. 11111111
Hosts/Net: 254                   Class C, Private Internet
```
The space in the binary columns marks the boundary between the network portion and the host portion. HostMin is the first usable address, HostMax is the last, and Broadcast confirms the upper bound of the subnet.
To verify the /26 subnet:
```bash
ipcalc 192.168.1.0/26
```
Output
```
Address:   192.168.1.0          11000000.10101000.00000001.00 000000
Netmask:   255.255.255.192 = 26 11111111.11111111.11111111.11 000000
Wildcard:  0.0.0.63             00000000.00000000.00000000.00 111111
=>
Network:   192.168.1.0/26       11000000.10101000.00000001.00 000000
HostMin:   192.168.1.1          11000000.10101000.00000001.00 000001
HostMax:   192.168.1.62         11000000.10101000.00000001.00 111110
Broadcast: 192.168.1.63         11000000.10101000.00000001.00 111111
Hosts/Net: 62                    Class C, Private Internet
```
The `ipcalc 192.168.1.0/24 --split 62 62 62 62` command splits the parent /24 into subnets each large enough for the requested host counts, allocating them sequentially. It prints a full breakdown block per resulting subnet. The four /26 subnets it produces are:
| Subnet | HostMin | HostMax |
|---|---|---|
| 192.168.1.0/26 | 192.168.1.1 | 192.168.1.62 |
| 192.168.1.64/26 | 192.168.1.65 | 192.168.1.126 |
| 192.168.1.128/26 | 192.168.1.129 | 192.168.1.190 |
| 192.168.1.192/26 | 192.168.1.193 | 192.168.1.254 |
This makes --split useful for VLSM planning when combined with per-segment host-count estimates.
Viewing an Interface's CIDR on Linux
The address and prefix you calculate are exactly what a Linux host reports for its interface. Use ip addr show to see the CIDR assignment directly:
```bash
ip addr show eth0
```
Output
```
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 9a:1c:3e:7b:0a:11 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.5/24 brd 10.10.1.255 scope global eth0
       valid_lft forever preferred_lft forever
```
The `inet 10.10.1.5/24` line is the host address with its /24 prefix, and `brd 10.10.1.255` is the broadcast address for that subnet, matching the network and broadcast boundaries you would derive by hand. To see the routes the kernel builds from these prefixes, use ip route:
```bash
ip route
```
Output
```
default via 10.10.1.1 dev eth0 proto static
10.10.1.0/24 dev eth0 proto kernel scope link src 10.10.1.5
```
The 10.10.1.0/24 entry is the local subnet route the kernel installs from the interface's CIDR. The `default via` line sends every other destination to the gateway.
Private IP Address Ranges and RFC 1918
Private IP addresses are non-routable address blocks defined by RFC 1918. Routers on the public internet do not forward packets with private source or destination addresses. Hosts using private addresses require NAT to communicate externally.
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
RFC 1918 defines three private address ranges:
| Address range | CIDR block | Total addresses | Typical use |
|---|---|---|---|
| 10.0.0.0 to 10.255.255.255 | 10.0.0.0/8 | 16,777,216 | Enterprise networks, cloud VPCs |
| 172.16.0.0 to 172.31.255.255 | 172.16.0.0/12 | 1,048,576 | Mid-size private networks |
| 192.168.0.0 to 192.168.255.255 | 192.168.0.0/16 | 65,536 | Home and small office networks |
These ranges were historically associated with Class A, B, and C boundaries, respectively. Under CIDR, they are referenced by their CIDR blocks as defined in RFC 1918. The classful framing is historical context only.
When to Use Private vs. Routable Addresses
Use private addresses for all internal hosts: application servers, databases, internal APIs, and any endpoint that does not require direct internet reachability. Use publicly routable addresses only for internet-facing endpoints such as load balancers and edge proxies.
NAT is required for private-addressed hosts to initiate connections to the public internet. The NAT gateway replaces the private source address with a public IP when forwarding outbound packets and reverses the translation for return traffic.
DigitalOcean allocates VPC address space from RFC 1918 ranges. When you create a VPC with the block 10.10.0.0/16, all resources provisioned within it receive private addresses from that range.
Variable Length Subnet Masking (VLSM)
VLSM is the practice of applying different prefix lengths to different subnets within a single address space. Enabled by CIDR, it allows administrators to right-size each subnet rather than using a single block size throughout the network.
What VLSM Is and Why It Matters
VLSM lets you assign different prefix lengths to different subnets within the same address space, sizing each subnet to its actual host count rather than a single block. Before VLSM, all subnets within a network had to use the same prefix length, which forced a segment needing 50 hosts and a point-to-point link needing 2 hosts to consume identical blocks.
VLSM relates directly to the /23 supernet example in the CIDR section. Supernetting aggregates contiguous blocks upward into a larger covering prefix for route summarization. VLSM splits a block downward into smaller prefixes for efficient allocation. Both techniques are made possible by CIDR's removal of classful boundaries.
VLSM Practical Example
Divide 10.0.0.0/24 into subnets sized for four different segments:
| Segment | Hosts needed | Subnet | Usable range | Usable hosts |
|---|---|---|---|---|
| Engineering | 50 | 10.0.0.0/26 | 10.0.0.1 to 10.0.0.62 | 62 |
| Marketing | 20 | 10.0.0.64/27 | 10.0.0.65 to 10.0.0.94 | 30 |
| Management | 10 | 10.0.0.96/28 | 10.0.0.97 to 10.0.0.110 | 14 |
| WAN link | 2 | 10.0.0.112/30 | 10.0.0.113 to 10.0.0.114 | 2 |
To verify the Engineering subnet allocation against the table above:
```bash
ipcalc 10.0.0.0/26
```
Output
```
Address:   10.0.0.0             00001010.00000000.00000000.00 000000
Netmask:   255.255.255.192 = 26 11111111.11111111.11111111.11 000000
Wildcard:  0.0.0.63             00000000.00000000.00000000.00 111111
=>
Network:   10.0.0.0/26          00001010.00000000.00000000.00 000000
HostMin:   10.0.0.1             00001010.00000000.00000000.00 000001
HostMax:   10.0.0.62            00001010.00000000.00000000.00 111110
Broadcast: 10.0.0.63            00001010.00000000.00000000.00 111111
Hosts/Net: 62                    Class A, Private Internet
```
Run the same command against each subnet in the VLSM table to confirm host ranges and broadcast boundaries before committing them to a configuration.
After these four subnets, addresses 10.0.0.116 through 10.0.0.255 remain unallocated and available for future segments.
To choose a prefix length from a host requirement, use the decision table in the "Calculating Usable Hosts from a Subnet Mask" section above.
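The VLSM plan above, reproduced by an allocator written for this article as an added example (not code from the original): it derives each prefix from the host requirement exactly as the decision table does, assigns blocks largest-first so every block stays aligned to its own size, refuses a parent that is too small, and reports the unallocated remainder as CIDR blocks. The function names and the segment dictionary are this example's own constructions.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix whose usable count, 2^(32-p) - 2, meets `hosts`.

    Never returns longer than /30, matching the decision table, which
    treats /31 and /32 as special cases rather than general subnets.
    """
    if hosts < 1:
        raise ValueError("a segment needs at least one host")
    # ceil(log2(hosts + 2)) in integers: (n - 1).bit_length() == ceil(log2 n)
    host_bits = max(2, (hosts + 1).bit_length())
    return 32 - host_bits


def allocate_vlsm(parent: str, requirements: dict) -> list:
    """Carve `parent` into one subnet per segment, largest requirement first.

    Largest-first keeps every block naturally aligned to its own size, so no
    padding is needed between allocations. Raises ValueError on overflow.
    """
    block = ipaddress.ip_network(parent)
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    plan = []
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        if cursor % size:  # realign only if a smaller block ever preceded a larger one
            cursor += size - cursor % size
        if cursor + size > end:
            raise ValueError(f"{parent} is too small: segment {name!r} does not fit")
        net = ipaddress.ip_network((cursor, prefix))
        usable = list(net.hosts())
        plan.append({
            "segment": name, "needed": hosts, "subnet": str(net),
            "first_host": str(usable[0]), "last_host": str(usable[-1]),
            "broadcast": str(net.broadcast_address), "usable": len(usable),
        })
        cursor += size
    return plan


def leftover(parent: str, plan: list) -> list:
    """Unallocated space after the plan, as a sorted list of aligned CIDR blocks."""
    remaining = [ipaddress.ip_network(parent)]
    for entry in plan:
        used = ipaddress.ip_network(entry["subnet"])
        next_remaining = []
        for piece in remaining:
            if not piece.overlaps(used):
                next_remaining.append(piece)
            elif piece.subnet_of(used):
                continue  # the whole piece was consumed
            else:
                next_remaining.extend(piece.address_exclude(used))
        remaining = next_remaining
    return [str(r) for r in sorted(remaining)]


if __name__ == "__main__":
    # Constructed requirements matching the article's table.
    segments = {"Engineering": 50, "Marketing": 20, "Management": 10, "WAN link": 2}
    plan = allocate_vlsm("10.0.0.0/24", segments)
    for p in plan:
        print(f"{p['segment']:<12} needs {p['needed']:>3}  {p['subnet']:<16} "
              f"{p['first_host']} to {p['last_host']}  ({p['usable']} usable)")
    print("unallocated:", ", ".join(leftover("10.0.0.0/24", plan)))
```

The unallocated output (10.0.0.116/30, 10.0.0.120/29, 10.0.0.128/25) is the article's "10.0.0.116 through 10.0.0.255" expressed as the aligned blocks a router or firewall could actually reference.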
IPv6 and CIDR Notation
IPv6 uses the same slash-based prefix notation as IPv4 CIDR, applied to 128-bit addresses. The concepts of network prefix, host portion, and subnet boundary all carry over directly.
How IPv6 Addresses Are Structured
An IPv6 address is 128 bits long, written as eight groups of four hexadecimal digits separated by colons, where hexadecimal uses digits 0-9 and letters a-f to represent values 0-15. A typical IPv6 address looks like this:
```
1203:8fe0:fe80:b897:8990:8a7c:99bf:323d
```
IPv6 was developed to replace IPv4 because the 32-bit address space was exhausted. Its 128-bit space provides about 3.4 × 10^38 addresses, more than 7.9 × 10^28 times the IPv4 total.
IPv6 allows a compact representation. Leading zeros within any group can be omitted. For example:
```
...:00bc:...
```
can be written as:
```
...:bc:...
```
A contiguous sequence of all-zero groups can be replaced with a double colon (::) once per address. For example:
```
...:18bc:0000:0000:0000:00ff:...
```
becomes:
```
...:18bc::ff:...
```
The :: replacement can only be applied once per address, or the full address cannot be reconstructed unambiguously.
The subnetting examples in this article use IPv4 because the smaller address space makes the binary calculations easier to follow. The same principles apply to IPv6.
CIDR Notation in IPv6 Networks
IPv6 uses the same slash notation as IPv4. The prefix length specifies how many of the leading 128 bits are fixed as the network portion.
Common IPv6 CIDR examples:
- 2001:db8::/32 is the documentation prefix, defined by RFC 3849. It is used in examples and documentation and is not routed on the internet.
- 2001:db8:1::/48 is a typical site-level allocation. An ISP might assign a /48 to a customer site, leaving 16 bits for the customer to create up to 65,536 individual /64 subnets.
- 2001:db8:1:1::/64 is a standard single-subnet prefix.
The standard per-subnet prefix in IPv6 is /64. This leaves 64 bits for host addressing, providing 2^64 addresses per subnet. Stateless Address Autoconfiguration (SLAAC) and many DHCPv6 implementations require a /64 prefix to function correctly.
Dividing an IPv6 allocation works the same way as IPv4: borrow bits from the host portion to create more subnets. The difference is scale. Suppose an ISP assigns your site 2001:db8:1::/48. The first 48 bits are fixed. The standard subnet size is /64, so bits 49 through 64 (16 bits) are yours to number subnets, giving 2^16 = 65,536 possible /64 subnets:
```
2001:db8:1:0000::/64   first subnet
2001:db8:1:0001::/64   second subnet
2001:db8:1:0002::/64   third subnet
...
2001:db8:1:ffff::/64   last subnet (65,536th)
```
The fourth hextet (0000 through ffff) is the subnet ID. Each resulting /64 still contains 2^64 host addresses, so unlike IPv4 you typically don't subdivide below /64 to conserve hosts on LANs. You usually stop at /64 because SLAAC and many DHCPv6 deployments require it, though point-to-point links are often numbered with prefixes like /127.
Key Differences Between IPv4 and IPv6 Subnetting
| Property | IPv4 | IPv6 |
|---|---|---|
| Address length | 32 bits | 128 bits |
| Notation | Dot-decimal | Colon-separated hexadecimal |
| Standard subnet prefix | /24 (common) | /64 (standard per-subnet) |
| Total address space | approximately 4.3 billion | approximately 3.4 × 10^38 |
| Private ranges | RFC 1918 (three ranges) | ULA fc00::/7 (RFC 4193) |
| Broadcast | Yes | No (replaced by multicast) |
| CIDR notation | Yes | Yes (same slash format) |
IPv6 Unique Local Addresses (ULA), defined in the fc00::/7 range by RFC 4193, are the IPv6 counterpart to RFC 1918 private addresses. They are not globally routed and are used for internal communication within a site or organization.
Practical Applications of Subnetting and CIDR
Subnetting and CIDR notation use straight to configuring existent infrastructure: unreality VPCs, agency networks, and net routing astatine scale.
Subnetting a Cloud VPC
A DigitalOcean VPC is a single private network defined by one CIDR block that you set at creation. Create one with doctl:
```
doctl vpcs create --name prod-vpc --region nyc1 --ip-range 10.10.0.0/16
```
Every Droplet, load balancer, and managed database placed in this VPC receives a private address from 10.10.0.0/16.
One planning detail matters: a DigitalOcean VPC is not subdivided into separately provisioned subnets the way an on-premises network or an AWS VPC is. You do not create 10.10.1.0/24 and 10.10.2.0/24 as distinct objects. Instead, you treat ranges within the block as a logical tiering convention and enforce the boundaries with cloud firewalls and tags:
| Tier | Range | Members |
|---|---|---|
| Web | 10.10.1.0/24 | Droplets tagged web |
| Data | 10.10.2.0/24 | Droplets tagged data |
| Monitoring | 10.10.3.0/24 | Droplets tagged monitor |
The CIDR ranges are how you scope firewall rules. To allow only the web tier to reach the data tier on PostgreSQL's port while blocking everything else, create a firewall scoped to the data tier:
```
doctl compute firewall create \
  --name data-tier \
  --inbound-rules "protocol:tcp,ports:5432,address:10.10.1.0/24" \
  --tag-names data
```
This permits inbound 5432 only from 10.10.1.0/24 and drops traffic from any other range, including the monitoring tier. Confirm the exact rule syntax with doctl compute firewall create --help, since the available flags vary by doctl version.
One constraint to plan for up front: two networks that need to communicate cannot use overlapping CIDR blocks. If a VPC uses 10.10.0.0/16 and a second VPC also uses 10.10.0.0/16, you cannot peer them or connect them over VPN, because a host has no unambiguous route to a destination that exists in both ranges. Assign each VPC, and each on-premises network you intend to connect, a distinct non-overlapping block from RFC 1918 space, for example 10.10.0.0/16 for one and 10.20.0.0/16 for another.
For full configuration options, see the DigitalOcean VPC documentation.
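An added Python check (not part of the original article or of doctl) that applies the planning rules above before anything is provisioned: every block is RFC 1918 space, no two networks that will be connected overlap, and each tier range sits inside its VPC block. The block names, the dev VPC and the office range are constructed; the prod VPC and tier ranges are the ones from the text.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private ranges, exactly as the article lists them.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed plan: two VPCs and an on-premises office, plus the tiering convention.
BLOCKS = {"prod-vpc": "10.10.0.0/16", "dev-vpc": "10.20.0.0/16", "office": "192.168.50.0/24"}
TIERS = {"web": "10.10.1.0/24", "data": "10.10.2.0/24", "monitoring": "10.10.3.0/24"}

def is_rfc1918(cidr: str) -> bool:
    """True if the whole block lies inside one of the RFC 1918 ranges."""
    net = ipaddress.IPv4Network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)

def find_overlaps(blocks: dict) -> list:
    """Pairs of block names whose ranges overlap; such networks cannot be peered."""
    nets = {name: ipaddress.IPv4Network(cidr) for name, cidr in blocks.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]

def tiers_outside(vpc_cidr: str, tiers: dict) -> list:
    """Tier names whose range is not contained in the VPC block."""
    vpc = ipaddress.IPv4Network(vpc_cidr)
    return [name for name, cidr in tiers.items() if not ipaddress.IPv4Network(cidr).subnet_of(vpc)]

def plan_problems(blocks: dict, vpc_name: str, tiers: dict) -> list:
    """Collect every violation of the three rules as a readable message."""
    problems = [f"{n}: {c} is not RFC 1918 space" for n, c in blocks.items() if not is_rfc1918(c)]
    problems += [f"{a} and {b} overlap; they cannot be peered or linked over VPN"
                 for a, b in find_overlaps(blocks)]
    problems += [f"tier {t} lies outside {vpc_name} ({blocks[vpc_name]})"
                 for t in tiers_outside(blocks[vpc_name], tiers)]
    return problems

if __name__ == "__main__":
    print(plan_problems(BLOCKS, "prod-vpc", TIERS) or "plan is consistent")
```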
Subnetting a Home or Office Network
Most home routers assign addresses from 192.168.1.0/24 or 192.168.0.0/24, providing 254 usable host addresses. For a single household, this is more than sufficient.
A small office needing distinct segments for staff workstations, guest Wi-Fi, and IoT devices can use three /26 subnets carved from a single /24 parent block:
- Staff: 192.168.1.0/26 (62 usable hosts)
- Guest Wi-Fi: 192.168.1.64/26 (62 usable hosts)
- IoT devices: 192.168.1.128/26 (62 usable hosts)
The fourth /26 block (192.168.1.192/26) remains available for future expansion or management interfaces.
How Routers Use CIDR for Route Aggregation
Routers use CIDR to advertise a single covering prefix for a contiguous range of networks instead of advertising each one separately, reducing the size of the global routing table. Without this, a provider with 256 separate /24 networks would need 256 routing entries. With CIDR, if those networks are contiguous, a single covering block replaces all of them.
The /23 supernet example from the CIDR section illustrates this directly: 192.168.0.0/23 covers both 192.168.0.0 and 192.168.1.0 as a single routing entry. See that section for the binary walkthrough.
This aggregation mechanism, called route summarization, is essential to the scalability of the global internet routing table. The Border Gateway Protocol (BGP) uses CIDR longest-prefix matching to determine the most specific route for each destination.
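Route summarization and longest-prefix matching, as an added Python example (not from the original article) built on the standard library's ipaddress module. The routing table, its next-hop labels and the 256 contiguous /24s are constructed; the /23 supernet is the one from the text.

```python
import ipaddress

def summarize(prefixes) -> list:
    """Collapse contiguous, properly aligned blocks into the fewest covering prefixes.

    Only blocks that together form a valid aligned supernet are merged
    (192.168.0.0/24 + 192.168.1.0/24 -> 192.168.0.0/23); a misaligned pair
    such as 192.168.1.0/24 + 192.168.2.0/24 stays as two entries.
    """
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)]

def longest_prefix_match(table, dest):
    """Return the (prefix, next_hop) entry whose prefix is the most specific match.

    A default route 0.0.0.0/0 matches every destination but loses to any
    longer prefix that also contains it. Returns None if nothing matches.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, next_hop)
    return best

# Constructed routing table: a default route, the /23 supernet from the text,
# and a more specific /24 inside it.
ROUTES = [
    ("0.0.0.0/0", "upstream"),
    ("192.168.0.0/23", "core-router"),
    ("192.168.1.0/24", "dmz-firewall"),
]

if __name__ == "__main__":
    # 256 contiguous /24s (10.0.0.0/24 .. 10.0.255.0/24) collapse to a single /16 entry.
    print(summarize(f"10.0.{i}.0/24" for i in range(256)))
    for dest in ("192.168.0.40", "192.168.1.40", "203.0.113.9"):
        print(dest, "->", longest_prefix_match(ROUTES, dest))
```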
Frequently Asked Questions
What Is the Difference Between a Subnet Mask and a CIDR Prefix?
A subnet mask and a CIDR prefix represent the same information in different formats. The subnet mask 255.255.255.0 and the CIDR prefix /24 both indicate that the first 24 bits of an IP address are the network portion. The CIDR prefix counts the number of consecutive 1-bits in the subnet mask written in binary. To convert between them: count the leading 1-bits in the mask's binary representation to get the prefix length, or expand the prefix length to 32 bits (that many 1s followed by 0s) to get the mask.
How Many Usable Hosts Does a /24 Subnet Have?
A /24 subnet contains 256 total IP addresses (2^8). Two addresses are reserved: the network address (the first address, with all host bits set to 0) and the broadcast address (the last address, with all host bits set to 1). This leaves 254 usable host addresses, from .1 to .254 in the last octet.
What Is the Difference Between a Public and a Private IP Address?
Public IP addresses are globally routable on the internet. Private IP addresses are defined by RFC 1918 and are reserved for use within private networks: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Packets with private source addresses are not forwarded by internet routers. A host on a private network must communicate externally through a NAT gateway, which replaces the private source address with a public IP before forwarding the packet.
Why Was CIDR Introduced?
CIDR was introduced in 1993 (RFC 1519, later updated by RFC 4632) to solve two problems with classful IP addressing: the rapid exhaustion of Class B address blocks, which were too large for most organizations but were the only option between the too-small Class C and the very large Class A; and the unsustainable growth of internet routing tables as thousands of Class C blocks were individually advertised. CIDR allows IP address blocks to be allocated in arbitrary prefix lengths and enables route aggregation to reduce routing table size.
What Is VLSM and How Does It Relate to CIDR?
Variable Length Subnet Masking (VLSM) is the practice of applying different subnet prefix lengths to different subnets within the same address space. It is enabled by CIDR and allows network administrators to allocate IP space efficiently by sizing each subnet to its actual host requirements rather than using a single block size throughout. VLSM is not a separate protocol; it is a design practice made possible by removing classful boundaries.
How Does IPv6 Use CIDR Notation?
IPv6 uses the same slash notation as IPv4 CIDR. For example, 2001:db8::/32 denotes a block where the first 32 bits are the network prefix. IPv6 addresses are 128 bits long, so a /64 prefix (the standard for a single IPv6 subnet) leaves 64 bits for host addressing, providing 2^64 addresses per subnet. IPv6 also defines its own private-equivalent address range: Unique Local Addresses (fc00::/7, RFC 4193).
What Is the Difference Between a Network Address and a Broadcast Address?
In any subnet, the network address is the first IP in the range, with all host bits set to 0. It identifies the subnet itself and cannot be assigned to a host. The broadcast address is the last IP in the range, with all host bits set to 1. Packets sent to the broadcast address are delivered to every host within the subnet, and it also cannot be assigned to a host. The constraint applies to the first and last address of the specific subnet, not to any address whose last octet happens to be literally 0 or 255.
How Do I Calculate Which Subnet an IP Address Belongs To?
Apply a bitwise AND operation between the IP address and the subnet mask. The result is the network address of the subnet containing that IP. For example, 192.168.10.75 with mask 255.255.255.0 produces 192.168.10.0: the IP belongs to the 192.168.10.0/24 subnet. For a finer mask such as 255.255.255.192 (/26), the same bitwise AND identifies which of the four /26 subnets within a /24 contains the address.
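The mask/prefix conversion, host count, network/broadcast and bitwise-AND membership questions above, together with the /26 split from the office example, worked in one added Python example (not from the original article) that uses plain integer arithmetic so the binary operations are visible. Function names are my own; the addresses are the ones quoted in the text.

```python
def ip_to_int(ip: str) -> int:
    """Parse dot-decimal IPv4 into a 32-bit integer, validating each octet."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_from_prefix(prefix: int) -> str:
    """/N -> mask: N leading 1-bits followed by (32 - N) 0-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def prefix_from_mask(mask: str) -> int:
    """mask -> /N by counting leading 1-bits; rejects non-contiguous masks."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix

def subnet_info(ip: str, prefix: int) -> dict:
    """Network (ip AND mask), broadcast (host bits all 1) and usable host count."""
    m = ip_to_int(mask_from_prefix(prefix))
    net = ip_to_int(ip) & m
    bcast = net | (~m & 0xFFFFFFFF)
    # /31 (RFC 3021) and /32 reserve no network/broadcast address.
    usable = {31: 2, 32: 1}.get(prefix, 2 ** (32 - prefix) - 2)
    return {"cidr": f"{int_to_ip(net)}/{prefix}", "network": int_to_ip(net),
            "broadcast": int_to_ip(bcast) if prefix <= 30 else None, "usable_hosts": usable}

def subnet_index(ip: str, parent_prefix: int, child_prefix: int) -> int:
    """0-based index of the child subnet of the parent block that contains ip,
    e.g. which of the four /26s inside a /24 (the value of the borrowed bits)."""
    borrowed = child_prefix - parent_prefix
    return (ip_to_int(ip) >> (32 - child_prefix)) & ((1 << borrowed) - 1)

if __name__ == "__main__":
    print(prefix_from_mask("255.255.255.0"), mask_from_prefix(26))
    print(subnet_info("192.168.10.75", 24))
    print(subnet_info("192.168.10.75", 26), "index", subnet_index("192.168.10.75", 24, 26))
```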
Conclusion
This article covered IP addressing from the ground up. IPv4 addresses are 32-bit dot-decimal values organized into five historical address classes, with subnet masks defining the network and host boundary through bitwise AND. CIDR notation (RFC 4632) replaced those fixed class boundaries with arbitrary prefix lengths, enabling right-sized allocation and route aggregation. The full /0 to /32 reference table, VLSM for variable-length allocation within one address space, and IPv6's application of the same slash notation to 128-bit addresses with a standard /64 per-subnet prefix complete the coverage.
With this foundation, you can design subnet allocations for any network size, verify host ranges and broadcast addresses from binary first principles, read and write CIDR blocks in routing configurations and firewall rules, and understand the rationale behind RFC 1918 private ranges and NAT requirements.
To explore these concepts interactively, CIDR.xyz translates between decimal IP addresses and binary octets and visualizes different CIDR netmasks. For the networking fundamentals underlying these concepts, see the introduction to networking terminology referenced at the start of this article. If you are applying subnetting to DigitalOcean infrastructure, the DigitalOcean VPC documentation covers CIDR block selection, subnet configuration, and firewall rules for cloud private networks.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.