A guide to CIDR notation and configuration for Linux networking
A Linux networking guide to CIDR notation and configuration
One of the key concepts in network routing that any Linux professional should be familiar with is network notation. This article was inspired by a request from a reader of my article, An introduction to Linux network routing, to explain more about CIDR notation and how it works. CIDR stands for Classless-Inter Domain Routing; it defines a notation methodology for network addressing that is used to specify the network portion of an IP address.
Before examining how CIDR actually works, let's first look at the classful network notation that CIDR replaces. Introduced in 1981, the classful methodology defined five network classes to be used for identification and addressing devices on the Internet. The network class is defined by the four leading bits of the address.
|Class||Leading bits||Start||End||Subnet Mask||CIDR||Networks||IP Addr / Network|
Table 1: Classful Internet addressing defines five classes.
Table 1 shows the five network classes defined by classful network addressing, including both the subnet mask and CIDR notation for each class. Classes A, B, and C are the commonly used unicast address ranges that were assigned to organizations. Unicast means that the data packets are sent to a single target host. Class D was the so-called multicast range of addresses. In this range, data packets would be sent to all hosts on a defined network. This range of IP addresses was essentially unused. The Class E address range was reserved for future expansion but was also never used.
Note that there are only three possible subnet masks that match each class of the classful networks, 255.0.0.0 (8 bits), 255.255.0.0 (16 bits), and 255.255.255.0 (24 bits), divided on the octet boundaries. This is one of the limiting factors in public address allocation due to the relatively limited number of networks that the classes define.
Unfortunately, classful networking assignments led to major waste. Organizations would apply for a number of addresses but if they needed more than the number of addresses in a class C network, for example, they would be applied for and be assigned an entire class B network whether they needed all of the addresses in that network or not. The same is true for class B networks; a few large organizations needed more than a class B network, so they were assigned class A networks. Thus a few large organizations became assigns of very large numbers of IP addresses. See the References, below, for a link to the complete list of the assigns of the current /8 blocks and historical Class A networks.
It is important to understand that the four leading (leftmost) bits of the address define the class of the network, not the subnet mask or the CIDR equivalent of the subnet mask. In practical terms, this meant that large networks could not be broken down into smaller subnets at the Internet level because the Internet routers could only have a single route to each assigned classful network. Further, although the large, classful networks could be divided into subnets by the organizations that owned them, routing packets to other geographical locations on the same network then required the organization to use private internal networks or public VPNs at a very high premium cost.
For a simple example, imagine that a company that has six departments and requires about 400 IP addresses for each. This requires more than a single class C network of 256 IP addresses, a total of 2,400 addresses. The company has a class B network of 65,536 addresses assigned to it. As a result, the remaining 63,136 IP addresses would be wasted because they could not be assigned to other organizations.
Note: For the purposes of this example, it is necessary to use a portion of the current private 10.0.0.0/8 CIDR block of addresses as if it were a public class B address. This is to protect public addresses that may belong to some organization.
I used the sipcalc command-line program to provide the network data for this randomly selected class B network from the pseudo-public address range. The sipcalc command provides a great deal of information about an IP address, or address ranges. As you will see later, it also has the capability to generate a list of subnets in a given address range given a subnet mask. You may have to install the sipcalc program; it was not installed by default on my Fedora system.
$ sipcalc 10.125.0.0/16
-[ipv4 : 10.125.0.0/16] - 0
Host address - 10.125.0.0
Host address (decimal) - 175964160
Host address (hex) - A7D0000
Network address - 10.125.0.0
Network mask - 255.255.0.0
Network mask (bits) - 16
Network mask (hex) - FFFF0000
Broadcast address - 10.125.255.255
Cisco wildcard - 0.0.255.255
Addresses in network - 65536
Network range - 10.125.0.0 - 10.125.255.255
Usable range - 10.125.0.1 - 10.125.255.254
Figure 1: Details for network 10.125.0.0/16
The output from the sipcalc command in Figure 1 shows, among other things, the network address, the netmask, the network address range as well as the available addresses in that range. The address 10.125.0.0 is the network address, and 10.125.255.255 is the broadcast address for this network. Those two addresses cannot be used for hosts.
Another option would have been to assign multiple class C networks to the company. That would significantly reduce the number of wasted IP addresses, but configuring the routing for this organization would be more complex than it would otherwise need to be with a single network. This option would also reduce the number of class C address blocks available for other organizations.
Along came a CIDR
CIDR notation was introduced in 1993 as a means of extending the lifetime of IPV4 which was running out of assignable addresses. It accomplishes this by making it possible for organizations to more fully utilize the public IPV4 address ranges assigned to them and by opening up some previously reserved address ranges.
In 1996, RFC1918 enhanced CIDR with the assignments of reserved, externally non-routable networks in each of the old A, B, and C, class ranges. These private networks can be used freely by any organization for their internal networks; no longer is it necessary for every computer to have an assigned public IP address. This feature provides a significant portion of the solution to multiple problems.
|CIDR Block||Address Range||Number of IP Addresses|
10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
Table 2: Address ranges reserved for use as internal networks.
The use of these private internal networks allows organizations to be assigned one or possibly a few public IP addresses for access to the outside Internet while providing large private address spaces for internal networks. To be absolutely clear, each of these address ranges can be used by many different organizations because these private network addresses are not routable through the Internet; of course, organizations can route internally between private networks.
Returning to our example company, let's make the assumption that it only requires a single public IP address to connect it to the outside world. The company's Internet provider only assigns minimum blocks of 4 addresses, two of which are reserved for the network address and the broadcast address thus leaving 2 usable addresses. This provides a balance between unusable addresses due to excessive subnetting, wasted addresses, and cost to the customer.
The ISP assigns the company a public network address, 10.125.16.32/30. Remember that, for this example, we are using part of the 10.0.0.0/8 private network as if it were public. This assignment provides the company with the following public network.
$ sipcalc 10.125.16.32/30
-[ipv4 : 10.125.16.32/30] - 0
Host address - 10.125.16.32
Host address (decimal) - 175968288
Host address (hex) - A7D1020
Network address - 10.125.16.32
Network mask - 255.255.255.252
Network mask (bits) - 30
Network mask (hex) - FFFFFFFC
Broadcast address - 10.125.16.35
Cisco wildcard - 0.0.0.3
Addresses in network - 4
Network range - 10.125.16.32 - 10.125.16.35
Usable range - 10.125.16.33 - 10.125.16.34
Figure 2: Details for network 10.125.75.32/30
Our example company can then choose to use any of the private network ranges for their internal networks. They can then use Network Address Translation (NAT) to access the outside world from their internal, private network.
$ sipcalc 172.16.0.0/12
-[ipv4 : 172.16.0.0/12] - 0
Host address - 172.16.0.0
Host address (decimal) - 2886729728
Host address (hex) - AC100000
Network address - 172.16.0.0
Network mask - 255.240.0.0
Network mask (bits) - 12
Network mask (hex) - FFF00000
Broadcast address - 172.31.255.255
Cisco wildcard - 0.15.255.255
Addresses in network - 1048576
Network range - 172.16.0.0 - 172.31.255.255
Usable range - 172.16.0.1 - 172.31.255.254
Figure 3: Details for network 172.16.0.0/12
At first glance, the straightforward thing to do might be to choose a network from the private 172.16.0.0/12 range to provide a large enough range for a single internal network. For our example, they could choose the 172.16.0.0/12 network which would provide the following internal network space for them.
Note that this network does not conform to the old B-class network as it has fewer network bits in the netmask, thus providing more space for host address bits. The 12 network bits leaves 20 bits for hosts, or 1,048,576 hosts total. That is far more hosts available than an old class B network would provide for a network. It is also far more space than they actually need for their network.
Variable length subnet masking (VLSM)
CIDR also brings with it a new approach to the old netmask, called variable length subnet masking, or VLSM. The use of a 12-bit netmask for the private address range defined by the CIDR block in Figure 3 hints at this.
VLSM allows our example company to easily create more manageable subnets from the large private address space available to them by adding bits to the netmask. Using the 12-bit netmask encompasses this entire available private address range, so in order to be more conservative about the address space that the company actually needs, they decide to increase the number of bits in the netmask they will use.
The sipcalc -s xx command, where xx is the number of bits in the subnet mask, can be used to calculate the subnets in this private address range. For example Figure 4, below, shows the 16 subnets of 172.16.0.0/12 that have a 16-bit subnet mask.
$ sipcalc 172.16.0.0/12 -s 16
-[ipv4 : 172.16.0.0/12] - 0
Network - 172.16.0.0 - 172.16.255.255
Network - 172.17.0.0 - 172.17.255.255
Network - 172.18.0.0 - 172.18.255.255
Network - 172.19.0.0 - 172.19.255.255
Network - 172.20.0.0 - 172.20.255.255
Network - 172.21.0.0 - 172.21.255.255
Network - 172.22.0.0 - 172.22.255.255
Network - 172.23.0.0 - 172.23.255.255
Network - 172.24.0.0 - 172.24.255.255
Network - 172.25.0.0 - 172.25.255.255
Network - 172.26.0.0 - 172.26.255.255
Network - 172.27.0.0 - 172.27.255.255
Network - 172.28.0.0 - 172.28.255.255
Network - 172.29.0.0 - 172.29.255.255
Network - 172.30.0.0 - 172.30.255.255
Network - 172.31.0.0 - 172.31.255.255
Figure 4: Using sipcalc to calculate the 16-bit subnets of the 172.0.0/12 private address range.
Using sipcalc to calculate the number of addresses provided by various numbers of bits in the netmask of the 172.16.0.0/12 network, they determine the following:
|Bits in netmask||Number of addresses|
Table 3: Number of addresses in various subnet ranges for network 172.16.0.0/12
As mentioned before, the company currently needs about 2400 IP addresses. To allow plenty of room for growth while reducing the total number of addresses to a manageable level, the company chooses to use a 19-bit netmask that provides 8,192 addresses. They calculate the available 19-bit subnets using sipcalc as shown in Figure 5, below.
$ sipcalc 172.16.0.0/12 -s 19
-[ipv4 : 172.16.0.0/12] - 0
Network - 172.16.0.0 - 172.16.31.255
Network - 172.16.32.0 - 172.16.63.255
Network - 172.16.64.0 - 172.16.95.255
Network - 172.16.96.0 - 172.16.127.255
Network - 172.16.128.0 - 172.16.159.255
Network - 172.16.160.0 - 172.16.191.255
Network - 172.16.192.0 - 172.16.223.255
Network - 172.16.224.0 - 172.16.255.255
Network - 172.31.0.0 - 172.31.31.255
Network - 172.31.32.0 - 172.31.63.255
Network - 172.31.64.0 - 172.31.95.255
Network - 172.31.96.0 - 172.31.127.255
Network - 172.31.128.0 - 172.31.159.255
Network - 172.31.160.0 - 172.31.191.255
Network - 172.31.192.0 - 172.31.223.255
Network - 172.31.224.0 - 172.31.255.255
Figure 5: A partial list of the 128 19-bit subnets in the 172.16.0.0/12 private address range.
The company randomly decides to use the 172.30.64.0/19 subnet. So their network specification looks like Figure 6, below.
$ sipcalc 172.30.64.0/19
-[ipv4 : 172.30.64.0/19] - 0
Host address - 172.30.64.0
Host address (decimal) - 2887663616
Host address (hex) - AC1E4000
Network address - 172.30.64.0
Network mask - 255.255.224.0
Network mask (bits) - 19
Network mask (hex) - FFFFE000
Broadcast address - 172.30.95.255
Cisco wildcard - 0.0.31.255
Addresses in network - 8192
Network range - 172.30.64.0 - 172.30.95.255
Usable range - 172.30.64.1 - 172.30.95.254
Figure 6: Details for network 172.30.64.0/19
Of course, this is only one possible 19-bit subnet out of 128 in the private address range. The company could have chosen any of the 19-bit subnets calculated in Figure 5, any of which would work equally well.
Another option would be to use the 192.168.0.0/16 private address range and select one of the 19-bit subnets available in that range. I leave the task of determining how many and which subnets would be available in that range as an exercise for the reader.
Using CIDR notation along with the reorganization of previously allocated addresses by CIDR block, as well as the use of VLSM provides more usable public IP addresses and increased flexibility in the assignment of public addresses. The design of CIDR notation with VLSM respects the old classful networking scheme while providing significantly more flexibility and IP address availability for private internal use by organizations of all sizes. Private address spaces, as well as assigned public address spaces, can be easily split into subnets by adding bits to the netmask without consideration for network classes.
CIDR notation can be used when referring to classful networks but only as a notational shorthand.