CIDR: A Prescription for Shortness of Address Space

This article explains the concept of CIDR and shows you how you can implement it on your network.
CIDR

While IP classifications A-D are still in use in the networking world, those terms are obsolete. For the sake of clarity, I will continue to use them to explain how CIDR works and how you can implement it. Along with CIDR comes the concept of variable length subnet masking (VLSM).

Basically, with a “Class” address, you have a default subnet mask. For a Class C address, this default subnet is 24 bytes long, so putting all ones in the first 24 bytes and zeroes in the rest, we have 255.255.255.0. For class A and B, this would be 255.0.0.0 and 255.255.0.0, respectively. This basically gives anyone assigned a full Class C address 256 unique addresses, of which two are reserved, one each for network and broadcast addresses. Under “classful” addressing, we are limited to providing full Class A, B or C addresses to those requiring IP addresses. With “classless” addressing, we can subnet these addresses quite simply. As stated above, the network portion of the address is equivalent to that portion of the IP address corresponding in base 2 to all ones, and the host address to all zeroes. This means that a Class C address looks like:

11111111.11111111.11111111.00000000 = 255.255.255.0 (128+64+32+16+8+4+2+1 in the first three positions and 0 in the last). Again, note that this is 24 ones and 8 zeroes, for a total of 32 positions.

Let's say we have one Class C address (192.168.1.0) available for use, but we have two offices with approximately 75 hosts at each location, one in New York and one in New Jersey. While we could simply use the Class A address at each site with each office using unique numbers, we can't connect them together because machines in New Jersey can't find those in New York and vice versa. The reason these two portions of the network can't find each other is because in order for a computer to find another on a network, it assumes an address on its local network (the host portion where all the numbers are zeroes) is directly connected to it, and one on another network is reachable only by going through a gateway.

A gateway is a machine (computer or router) that has two or more network addresses, at least one on the local network and one or more on other networks. A gateway sends any communications not on the local network via one of its other communications devices, depending on the information stored in its routing table. Under classful routing, we would need two half-used Class C addresses for each office, which would be very wasteful of scarce IP addresses.

With CIDR, we can cut the Class C address into two different networks. To do this, we will extend our netmask by one more bit, giving us two separate networks, where before we just had one. This will change our netmask from 255.255.255.0 or 24 ones (hereinafter referred to as /24) to a /25 network, or 255.255.255.128. Both of our new networks will have this same netmask; all other rules remain the same. We now have one network with a network address of 192.168.1.0 and a broadcast address of 192.168.1.127. The other network will use a network address of 192.168.1.128 and a broadcast address of 192.168.1.255.

In the same manner, we can continue slicing up our network into four, eight, sixteen, thirty-two, ... networks. In fact, starting at /8, we can slice and dice until we reach /30. Since we have 32 numbers to work with, a /32 represents just one address, and in this special case, there's no need for network or broadcast addresses. That also means a /31 would represent two addresses, but since one would be the network address and the other the broadcast address, this would leave us with no host addresses—almost certainly undesirable.

Under this scheme, the first octet of the netmask would remain 255, but after that we could change any of the other numbers. Instead of being restricted to 255 and 0, we may find ourselves replacing the first zero in our netmask with any of 128, 192, 224, 240, 248, 252 or 254, except in the last octet as noted above. The network and broadcast addresses would bind each subnet (see Table 2 for details). Now, any network can be referred to by its variable length subnet mask, or the number of ones in the host portion of the address from /8 to /32 (excepting /31). By extrapolation, each host can be referred to directly by its IP address and the VLSM notation, so that it is readily apparent what the network and broadcast addresses and netmask are.

For example, if someone told me to assign my machine 192.168.0.50/27, I would know that the network address was 192.168.0.32, the broadcast address was 192.168.0.63, and the netmask was 255.255.255.224. For those of you who still have problems visualizing how this all translates, I've provided a chart to assist you (Table 3).

You will find more uses for classless addressing than this. CIDR can also give you a way to isolate departments in large organizations to provide better security (by implementing internal firewalls) and decrease traffic on any given network segment, reducing collisions and increasing response times.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

ping no longer working without destination address?

koanhead's picture

I realize that this article is 12 years old, but I stumbled across it whilst searching to find if/why ping does not work with CIDR addresses. The article says:

Type the following command:

ping -c 1
What you will see in response is every UNIX box answering back with its IP address, and each reply following the first one will have (DUP!) next to it, indicating it is a duplicate reply.

On my system, I see:
me@here:~$ ping -c 1
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
Which suggests to me that ping won't work at all without a destination address.
It's possible but not clear that my router is causing a problem with this. ip neigh show outputs the router's address only. I can ping other hosts on the network, but only if I already know their IP addresses. I don't know any other way of discovering the hosts on the network, so I tried ping with a CIDR address, which was not recognized:
me@here:~$ ping 10.0.0.0/24
ping: unknown host 10.0.0.0/24
Interestingly, nmap does work with CIDR, and discovers most but not all hosts on the network (except the sole Win7 computer, which responds to ping.)
None of this is intended as a complaint against the author, only as further information for others who may read this article.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix