There are times that we need to step back and have a look at the basics again. It happens so often that we use calculators for everything that we need these days and sometimes we forget how wonderful it is to write down on a piece of paper while trying to figure out the beauty of bits that give life to the networks and of course the internet.
Why should I care?
Say you want to design a network solution for an Azure virtual network and a large number of on-premises networks that you will connect with Azure Site-to-Site VPN. Or even something less complicated, you need to isolate your virtual networks and their subnets without introducing any unnecessary conflict in the future usage i.e. in case of vnet peering. You need to think this quite a bit before giving away address spaces to resources and/or people for deployment.
So, what are going to talk about? CIDR notation.
Classless Inter-Domain Routing (CIDR /ˈsaɪdər, ˈsɪ-/) is a method for allocating IP addresses and IP routing. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous addressing architecture of classful network design in the Internet. Its goal was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.Wikipedia
Goal achieved, right? I believed that it managed quite well since we are 27 years later and still operating with IPv4 even with the rapid growth of IP devices used in all things in life today. From computers to toasters to any IoT capable hardware out there.
IPv6 is, of course, released many years now, but still not so much in the fabric of our everyday IT existence, at least not in the spotlight. So, we will focus on IPv4.
So, how did CIDR notation made this possible? Let’s break it down to bits and see this unfolding.
The “Classful” era
An IP address is always expressed in the context of a subnet maks that indicated the network it belongs to. Routing is achieved through this concept. An IP is made up of 4 octets of 8 bits in each octet. The same concept as for subnet mask. A very common network used in private, non-routable, networks is the following:
IP address 192.168.0.0 with a network mask of 255.255.255.0
This means that we have 256 available addresses to assign to our hosts in the network. (In reality, we have 254 as 0 and 255 are reserved for other uses: network and broadcast)
But what if we had 400 because we have a large organization or we need only 50? In the “Classful” era, this would mean that we would need to give an extra octet to the IP hosts by changing the subnet mask to:
192.168.0.0 witn a network mask of 255.255.0.0
This would give the space we need to add our 400 hosts but it would leave 65,136 IP addresses unused. Quite a waste as you can see! From 256 available by giving a full octet to the IP range we got 65,536 addresses! Don’t mind how I came to these numbers for now. We’ll deal with this further down.
Enters CIDR-notation: The Class-less era.
CIDR is based on variable-length subnet masking (VSLM) technique that lets you set an arbitrary length on your network prefix. This is done by adding a suffix to an address that indicates the number of bits that will be the mask of the network. For instance, if we would express the following IP network:
192.168.0.0 with network mask 255.255.255.0
to CIDR notation it would be:
Why “24” you ask? Let’s see the bits-magic unfold.
An IPv4 address is a 32bit address that is represented by a number from 0-255. In reality, this is used for us humans in order not to talk in bits which can be a bit of pain. As we said in the begging an IPv4 is broken down in 4 octets separated by a period in between the octets. An octet signifies that there are 8 bits in each octet. If we were to translate say 192.168.0.15 IP to bits it would be:
Do you see why we use the decimal and not the binary? Not too friendly for us humans.
But how does that conversion work under the hood. Let’s see.
Each bit in an octet is converted in decimal in the following way:
|Powers of 2||2^7||2^6||2^5||2^4||2^3||2^2||2^1||2^0|
Breaking the IP 192.168.0.15 down to the 4 octets:
(always starting from the left side of the address)
192 = 128+64 => 2^7+2^6 => 11000000 168 = 128+32+8 => 2^7+2^5+2^3 => 10010100 0 => 00000000 15 = 8+4+2+1 => 2^3+2^2+2^1+2^0 => 00001111
Did you see what we did just there? We lit up the position of the bit based on the number used to add up to the corresponding decimal of the octet! Brilliant math in its simplicity! Love it! This is a demonstration of how computers translates all the things we trow at them. But they do it much faster than me 😛
Moving on to the subnetting, that means breaking the whole network to any kind of network mask we need based on our host needs.
A /24 is the most common IP network address. But how does this translate to bits?
24-bit mask means that we "light-up" the following bits: 11111111.11111111.11111111.00000000 => sum-up the bits = 24 16-bit mask means that we "light-up" the following bits: 11111111.11111111.00000000.00000000 => sum-up the bits = 16 8-bit mask means that we "light-up" the following bits: 11111111.00000000.00000000.00000000 => sum-up the bits = 8
Let’s say that we want a network with a smaller amount of hosts than 256 i.e. something closer to 60 hosts. That way we could create 4 networks in the “same” address space.
This is the first we see a network that is not a full octet; it’s 3 full octets and 2 bits from the last octet:
11111111.11111111.11111111.11000000 => sum-up the bits = 26
Converting this to decimal would be:
11111111 => 2^7+2^6+2^5+2^4+2^3+2^2+2^1+2^0 = 255 11111111 => 2^7+2^6+2^5+2^4+2^3+2^2+2^1+2^0 = 255 11111111 => 2^7+2^6+2^5+2^4+2^3+2^2+2^1+2^0 = 255 11000000 => 2^7+2^6+2^5+2^4+2^3+2^2+2^1+2^0 = 192
That means that the network mask in decimal is:
Having the network mask in bits we can find the wildcard mask that will give us the number of hosts that can exist in this /26 network.
The “wildcard mask” is a mask of bits that is the inverted bits of the network mask. This is a simple practical explanation.
Following our example above let’s see the wildcard mask:
11111111.11111111.11111111.11000000 (network mask) 00000000.00000000.00000000.00111111 (wildcard mask)
Let’s add-up the “lit-up” bits of the wildcard mask:
00000000 = 0 00000000 = 0 00000000 = 0 00111111 = 2^5+2^4+2^3+2^2+2^1+2^0 = 63
If you notice, adding up the last octet of the network mask + the wildcard mask, in decimal, yields 255 which is normal as it is its inverted mirror of remaining “un-lit” bits.
Putting all this together for this network address would mean:
CIDR notation given: 192.168.0.0/26 Network mask: 255.255.255.192 Wildcard mask: 0.0.0.63 First IP: 192.168.0.0 Last IP: 192.168.0.63
This means we have 64 available IPs in our 192.168.0.0/26 network! Beautiful right? Since the first and last IPs are reserved for network and broadcast we have 62 IPs we can assign to hosts and devices in that network.
In Azure virtual networks, a subnet reserves 5 IP addresses for internal Azure routing purposes like a gateway, DNS, broadcast, etc. So when you allocate a subnet of /26 you have 59 IP addresses available.
If we wanted to create another subnet without changing the address space we could create a subnet of:
If you do the same math you will end up in the following:
CIDR notation given: 192.168.0.64/26 Network mask: 255.255.255.192 Wildcard mask: 0.0.0.63 First IP: 192.168.0.64 Last IP: 192.168.0.127
This is how we save IPs and we segregate our networks and at the same time isolate workloads for security or other purposes.
Hope you enjoyed this post as I did while writing it! Rate if you did!