Subnetting, netmasks and slash notation

Netmasks are used in ACLs (access control lists), firewalls, routing and subnetting. They group IP addresses into ranges. Each range contains a power of two (1, 2, 4, 8, 16, etc.) number of addresses and starts on a multiple (0, 1, 2, 3, etc.) of that number of addresses.

IPv4 CIDR

Most people are used to class A, B and C networks. These have the following IP addresses, netmasks and sizes:


   1st address   Last address      Netmask per network

A:   0.0.0.0 ... 127.255.255.255   255.0.0.0
B: 128.0.0.0 ... 191.255.255.255   255.255.0.0
C: 192.0.0.0 ... 223.255.255.255   255.255.255.0

127.0.0.1 is reserved for the loopback, with network address 127.0.0.0, netmask 255.0.0.0 and 127.255.255.255 as its broadcast address.
0.0.0.0 is the entire Internet with netmask 0.0.0.0 and 255.255.255.255 as its broadcast address.
0.0.0.0 with netmask 255.255.255.255 is an unconfigured interface.
224.0.0.0 ... 239.255.255.255 is used for multicast. 240.0.0.0 ... 255.255.255.255 is reserved.

CIDR does not link the number of hosts to the network address, at least not in the strict way that 'classic' A, B and C networks do. Furthermore, it doesn't limit the size to 16M, 64k or 256 IP addresses. Instead, any power of 2 can be used as the size of the network (number of hosts + network address + broadcast address). In other words, CIDR sees an IP address as a 32-bit rather than a 4-byte address.

Netmasks

The following table shows the netmasks in binary form. The 'CIDR' column is the number of '1's from left to right. This is also known as 'slash notation'.


Binary                             Hex        Quad Dec          2ⁿ    CIDR   Number of addresses

00000000000000000000000000000000   00000000   0.0.0.0           2³²   /0     4,294,967,296     4 G
10000000000000000000000000000000   80000000   128.0.0.0         2³¹   /1     2,147,483,648     2 G
11000000000000000000000000000000   C0000000   192.0.0.0         2³⁰   /2     1,073,741,824     1 G
11100000000000000000000000000000   E0000000   224.0.0.0         2²⁹   /3       536,870,912   512 M
11110000000000000000000000000000   F0000000   240.0.0.0         2²⁸   /4       268,435,456   256 M
11111000000000000000000000000000   F8000000   248.0.0.0         2²⁷   /5       134,217,728   128 M
11111100000000000000000000000000   FC000000   252.0.0.0         2²⁶   /6        67,108,864    64 M
11111110000000000000000000000000   FE000000   254.0.0.0         2²⁵   /7        33,554,432    32 M
11111111000000000000000000000000   FF000000   255.0.0.0         2²⁴   /8        16,777,216    16 M
11111111100000000000000000000000   FF800000   255.128.0.0       2²³   /9         8,388,608     8 M
11111111110000000000000000000000   FFC00000   255.192.0.0       2²²   /10        4,194,304     4 M
11111111111000000000000000000000   FFE00000   255.224.0.0       2²¹   /11        2,097,152     2 M
11111111111100000000000000000000   FFF00000   255.240.0.0       2²⁰   /12        1,048,576     1 M
11111111111110000000000000000000   FFF80000   255.248.0.0       2¹⁹   /13          524,288   512 k
11111111111111000000000000000000   FFFC0000   255.252.0.0       2¹⁸   /14          262,144   256 k
11111111111111100000000000000000   FFFE0000   255.254.0.0       2¹⁷   /15          131,072   128 k
11111111111111110000000000000000   FFFF0000   255.255.0.0       2¹⁶   /16           65,536    64 k
11111111111111111000000000000000   FFFF8000   255.255.128.0     2¹⁵   /17           32,768    32 k
11111111111111111100000000000000   FFFFC000   255.255.192.0     2¹⁴   /18           16,384    16 k
11111111111111111110000000000000   FFFFE000   255.255.224.0     2¹³   /19            8,192     8 k
11111111111111111111000000000000   FFFFF000   255.255.240.0     2¹²   /20            4,096     4 k
11111111111111111111100000000000   FFFFF800   255.255.248.0     2¹¹   /21            2,048     2 k
11111111111111111111110000000000   FFFFFC00   255.255.252.0     2¹⁰   /22            1,024     1 k
11111111111111111111111000000000   FFFFFE00   255.255.254.0     2⁹    /23              512
11111111111111111111111100000000   FFFFFF00   255.255.255.0     2⁸    /24              256
11111111111111111111111110000000   FFFFFF80   255.255.255.128   2⁷    /25              128
11111111111111111111111111000000   FFFFFFC0   255.255.255.192   2⁶    /26               64
11111111111111111111111111100000   FFFFFFE0   255.255.255.224   2⁵    /27               32
11111111111111111111111111110000   FFFFFFF0   255.255.255.240   2⁴    /28               16
11111111111111111111111111111000   FFFFFFF8   255.255.255.248   2³    /29                8
11111111111111111111111111111100   FFFFFFFC   255.255.255.252   2²    /30                4
11111111111111111111111111111110   FFFFFFFE   255.255.255.254   2¹    /31                2
11111111111111111111111111111111   FFFFFFFF   255.255.255.255   2⁰    /32                1

What used to be class A is now '/8', B is '/16', C is '/24' and '/32' is the 'netmask' for a single host.

Netmasks are used by routers to make routing decisions. For instance:


           Quad Dec        Hex        Binary

Address    192.168.0.1     C0A80001   1100 0000  1010 1000  0000 0000  0000 0001

Network    192.168.0.0     C0A80000   1100 0000  1010 1000  0000 0000  0000 0000

Netmask    255.255.255.0   FFFFFF00   1111 1111  1111 1111  1111 1111  0000 0000

If you want to know if 192.168.0.1 belongs to network 192.168.0.0, simply do a bitwise AND on address and netmask and compare the result with the network address:


 Addr   1100 0000  1010 1000  0000 0000  0000 0001
 Mask   1111 1111  1111 1111  1111 1111  0000 0000
 AND   --------------------------------------------
 Net    1100 0000  1010 1000  0000 0000  0000 0000

This could also be phrased as:


// Parentheses are required: in C, == binds tighter than &
if ( (Address & Netmask) == Network ) {
     // Belongs to network
} else {
     // Does not belong to network
}

Which yields:


if ( (0xC0A80001 & 0xFFFFFF00) == 0xC0A80000 ) {
     // Belongs to network
} else {
     // Does not belong to network
}

Bitwise operations are implemented directly in processor hardware and are therefore very efficient.
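The membership test above as a complete ACL-style check, added here as an example (it is not code from the original page; the function names are hypothetical). It builds the mask from the slash notation, handles /0, where a 32-bit shift would be undefined, and rejects a rule whose network address has host bits set.

```c
#include <stdint.h>
#include <stdio.h>

/* Netmask for a prefix length 0..32. A 32-bit shift by 32 is undefined in C,
   so /0 is handled explicitly. */
static uint32_t prefix_to_mask(unsigned prefix)
{
    return prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
}

/* Parse "a.b.c.d" into a host-order 32-bit value; returns 0 on success. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4)
        return -1;                      /* too few fields or trailing junk */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* 1 = addr is inside net/prefix, 0 = outside, -1 = invalid rule or address.
   A rule such as 192.168.0.1/24 (host bits set in the network) is rejected
   instead of being silently truncated. */
static int in_network(const char *addr, const char *net, unsigned prefix)
{
    uint32_t a, n, mask;
    if (prefix > 32 || parse_ipv4(addr, &a) || parse_ipv4(net, &n))
        return -1;
    mask = prefix_to_mask(prefix);
    if ((n & mask) != n)
        return -1;
    return (a & mask) == n;             /* note the parentheses around & */
}

int main(void)
{
    /* Constructed sample rules and addresses. */
    printf("%d\n", in_network("192.168.0.1", "192.168.0.0", 24));
    printf("%d\n", in_network("192.168.1.1", "192.168.0.0", 24));
    printf("%d\n", in_network("192.168.0.1", "192.168.0.1", 24));
    printf("%d\n", in_network("10.1.2.3", "0.0.0.0", 0));
    return 0;
}
```

Without the parentheses, C evaluates `mask == n` first and ANDs the address with 0 or 1, so the check would test only the lowest address bit.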

Networks

The bits in the 'host' part of a network address are all '0'. Bits left of the 'host' bits can be either '0' or '1' (this is rather like subnetting a classic A, B or C network).
The following table/graph shows a network being split in two smaller networks, then in four, then in eight, then 16, etc.


    Netmask:
    0   128   192   224   240   248   252
    Hex Netmask:
    0    80    C0    E0    F0    F8    FC
    Split in:
      2     4     8     16    32    64

    0-+-->0-+-->0-+-->0-+-->0-+-->0-+-->0 (00)    Network address (hex)
      |     |     |     |     |     |
      |     |     |     |     |     +-->4 (04)
      |     |     |     |     |
      |     |     |     |     +-->8-+-->8 (08)
      |     |     |     |           |
      |     |     |     |           +->12 (0C)
      |     |     |     |
      |     |     |     +->16-+->16-+->16 (10)
      |     |     |           |     |
      |     |     |           |     +->20 (14)
      |     |     |           |
      |     |     |           +->24-+->24 (18)
      |     |     |                 |
      |     |     |                 +->28 (1C)
      |     |     |
      |     |     +->32-+->32-+->32-+->32 (20)
      |     |           |     |     |
      |     |           |     |     +->36 (24)
      |     |           |     |
      |     |           |     +->40-+->40 (28)
      |     |           |           |
      |     |           |           +->44 (2C)
      |     |           |
      |     |           +->48-+->48-+->48 (30)
      |     |                 |     |
      |     |                 |     +->52 (34)
      |     |                 |
      |     |                 +->56-+->56 (38)
      |     |                       |
      |     |                       +->60 (3C)
      |     |
      |     +->64-+->64-+->64-+->64-+->64 (40)
      |           |     |     |     |
      |           |     |     |     +->68 (44)
      |           |     |     |
      |           |     |     +->72-+->72 (48)
      |           |     |           |
      |           |     |           +->76 (4C)
      |           |     |
      |           |     +->80-+->80-+->80 (50)
      |           |           |     |
      |           |           |     +->84 (54)
      |           |           |
      |           |           +->88-+->88 (58)
      |           |                 |
      |           |                 +->92 (5C)
      |           |
      |           +->96-+->96-+->96-+->96 (60)
      |                 |     |     |
      |                 |     |     +>100 (64)
      |                 |     |
      |                 |     +->104+>104 (68)
      |                 |           |
      |                 |           +>108 (6C)
      |                 |      
      |                 +>112-+->112+>112 (70)
      |                       |     |
      |                       |     +>116 (74)
      |                       |
      |                       +->120+>120 (78)
      |                             |
      |                             +>124 (7C)
      |
      +->128+->128+->128+->128+->128+>128 (80)
            |     |     |     |     |
            |     |     |     |     +>132 (84)
            |     |     |     |
            |     |     |     +->136+>136 (88)
            |     |     |           |
            |     |     |           +>140 (8C)
            |     |     |
            |     |     +->144+->144+>144 (90)
            |     |           |     |
            |     |           |     +>148 (94)
            |     |           |
            |     |           +->152+>152 (98)
            |     |                 |
            |     |                 +>156 (9C)
            |     |
            |     +->160+->160+->160+>160 (A0)
            |           |     |     |
            |           |     |     +>164 (A4)
            |           |     |
            |           |     +->168+>168 (A8)
            |           |           |
            |           |           +>172 (AC)
            |           |
            |           +->176+->176+>176 (B0)
            |                 |     |
            |                 |     +>180 (B4)
            |                 |
            |                 +->184+>184 (B8)
            |                       |
            |                       +>188 (BC)
            |
            +->192+->192+->192+->192+>192 (C0)
                  |     |     |     |
                  |     |     |     +>196 (C4)
                  |     |     |
                  |     |     +->200+>200 (C8)
                  |     |           |
                  |     |           +>204 (CC)
                  |     |
                  |     +->208+->208+>208 (D0)
                  |           |     |
                  |           |     +>212 (D4)
                  |           |
                  |           +->216+>216 (D8)
                  |                 |
                  |                 +>220 (DC)
                  |
                  +->224+->224+->224+>224 (E0)
                        |     |     |
                        |     |     +>228 (E4)
                        |     |
                        |     +->232+>232 (E8)
                        |           |
                        |           +>236 (EC)
                        |
                        +->240+->240+>240 (F0)
                              |     |
                              |     +>244 (F4)
                              |
                              +->248+>248 (F8)
                                    |
                                    +>252 (FC)

Example: Subnetting a /24 in a table.

In the example above the smallest network is four successive IP addresses. If you want even smaller ranges, below is an example for '248' being split in two and then four:


    Netmask:    252   254   255
    Hex mask:   FC    FE    FF

                248+->248+->248 (F8)
                   |     |
                   |     +->249 (F9)
                   |
                   +->250+->250 (FA)
                         |
                         +->251 (FB)

IPv6 slash notation

IPv6 works the same way. The numbers are just bigger.

Per bit


Netmask binary     Hex    /

0000000000000000   0000   /0
1000000000000000   8000   /1
1100000000000000   c000   /2
1110000000000000   e000   /3
1111000000000000   f000   /4
1111100000000000   f800   /5
1111110000000000   fc00   /6
1111111000000000   fe00   /7
1111111100000000   ff00   /8
1111111110000000   ff80   /9
1111111111000000   ffc0   /10
1111111111100000   ffe0   /11
1111111111110000   fff0   /12
1111111111111000   fff8   /13
1111111111111100   fffc   /14
1111111111111110   fffe   /15
1111111111111111   ffff   /16

'ffff' in IPv6 is the same as '255.255' in IPv4.

Per 16 bits


Netmask                                   /      2ⁿ     Number of addresses                                           Number of /64s

0000:0000:0000:0000:0000:0000:0000:0000   /0     2¹²⁸   340,282,366,920,938,463,463,374,607,431,768,211,456            16 E
ffff:0000:0000:0000:0000:0000:0000:0000   /16    2¹¹²         5,192,296,858,534,827,628,530,496,329,220,096           256 T
ffff:ffff:0000:0000:0000:0000:0000:0000   /32    2⁹⁶                 79,228,162,514,264,337,593,543,950,336             4 G
ffff:ffff:ffff:0000:0000:0000:0000:0000   /48    2⁸⁰                      1,208,925,819,614,629,174,706,176     1 Y    64 k
ffff:ffff:ffff:ffff:0000:0000:0000:0000   /64    2⁶⁴                             18,446,744,073,709,551,616    16 E     1
ffff:ffff:ffff:ffff:ffff:0000:0000:0000   /80    2⁴⁸                                    281,474,976,710,656   256 T
ffff:ffff:ffff:ffff:ffff:ffff:0000:0000   /96    2³²                                          4,294,967,296     4 G
ffff:ffff:ffff:ffff:ffff:ffff:ffff:0000   /112   2¹⁶                                                 65,536    64 k
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff   /128   2⁰                                                       1     1

':0000:' can be written as ':0:', and the longest sequence of zeros as '::'.
Since the IPv6 internet is 2000::/3 (2000:0000:0000:0000:0000:0000:0000:0000 to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff), the number of available addresses is 2¹²⁵ = 42,535,295,865,117,307,932,921,825,928,971,026,432.

/56 and /60

Some ISPs provide a /56 or a /60 instead of a /48:


Netmask                                   /      2ⁿ     Number of addresses                 Number of /64s

ffff:ffff:ffff:0000:0000:0000:0000:0000   /48    2⁸⁰    1,208,925,819,614,629,174,706,176   65536
ffff:ffff:ffff:ff00:0000:0000:0000:0000   /56    2⁷²        4,722,366,482,869,645,213,696     256
ffff:ffff:ffff:fff0:0000:0000:0000:0000   /60    2⁶⁸          295,147,905,179,352,825,856      16
ffff:ffff:ffff:ffff:0000:0000:0000:0000   /64    2⁶⁴           18,446,744,073,709,551,616       1

A /48 is 2¹⁶ = 65,536 successive /64s. A /56 is 2⁸ = 256 successive /64s. A /60 is 2⁴ = 16 successive /64s.

/120

Some advocate the use of /120s. A /120 is the same size as an IPv4 /24: 256 addresses.


Netmask                                   /      2ⁿ     Number of addresses

ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00   /120   2⁸     256

The idea is only to use 256 addresses out of a /64 and firewall the rest in order to avoid NDP (Neighbour Discovery Protocol) exhaustion attacks.

Combine host and network in one statement

Suppose I have a host '2001:0db8:1234:1::1/128' and a network '2001:0db8:1234:1::/64'. One can combine both statements (e.g. in ifconfig) into one statement: '2001:0db8:1234:1::1/64'.
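Going the other way, from the combined statement back to the network, is the same AND as in IPv4, applied to 16 bytes. The following is an added example, not code from the original page; the function names are hypothetical and it assumes a POSIX system with inet_pton(). It also covers the /120 firewall check described above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Clear the host bits of a 16-byte IPv6 address, keeping `prefix` bits. */
static void v6_mask(unsigned char a[16], unsigned prefix)
{
    for (unsigned i = 0; i < 16; i++) {
        unsigned keep = prefix > i * 8 ? prefix - i * 8 : 0; /* bits kept in byte i */
        if (keep < 8)
            a[i] &= (unsigned char)(0xFF00u >> keep);
    }
}

/* "host/len" -> "network/len". Returns a static buffer, NULL on bad input. */
static const char *v6_network(const char *cidr)
{
    static char out[INET6_ADDRSTRLEN + 5];
    char addr[INET6_ADDRSTRLEN], extra;
    struct in6_addr a;
    unsigned prefix;
    /* address text, '/', decimal length, nothing after it */
    if (sscanf(cidr, "%45[0-9a-fA-F:.]/%3u%c", addr, &prefix, &extra) != 2 ||
        prefix > 128 || inet_pton(AF_INET6, addr, &a) != 1)
        return NULL;
    v6_mask(a.s6_addr, prefix);
    inet_ntop(AF_INET6, &a, out, INET6_ADDRSTRLEN);
    snprintf(out + strlen(out), 6, "/%u", prefix);
    return out;
}

/* 1 if addr lies inside net/prefix, 0 if not, -1 on bad input. */
static int v6_in_prefix(const char *addr, const char *net, unsigned prefix)
{
    struct in6_addr a, n;
    if (prefix > 128 || inet_pton(AF_INET6, addr, &a) != 1 ||
        inet_pton(AF_INET6, net, &n) != 1)
        return -1;
    v6_mask(a.s6_addr, prefix);
    return memcmp(&a, &n, sizeof a) == 0;
}

int main(void)
{
    puts(v6_network("2001:0db8:1234:1::1/64"));
    printf("%d\n", v6_in_prefix("2001:db8:1234:1::ff", "2001:db8:1234:1::", 120));
    return 0;
}
```

v6_network() returns a pointer to a static buffer, so copy the result before calling it again.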
