Netmasks are used in ACLs (access control lists), firewalls, routing and subnetting. They group IP addresses into ranges. Each range contains a power-of-two number of addresses (1, 2, 4, 8, 16, etc.) and starts at a multiple (0, 1, 2, 3, etc.) of that number of addresses.
Most people are used to class A, B and C networks. These have the following address ranges and netmasks:

Class | 1st address | Last address | Netmask per network |
---|---|---|---|
A | 0.0.0.0 | 127.255.255.255 | 255.0.0.0 |
B | 128.0.0.0 | 191.255.255.255 | 255.255.0.0 |
C | 192.0.0.0 | 223.255.255.255 | 255.255.255.0 |
127.0.0.1 is reserved for the loopback, with network address 127.0.0.0,
netmask 255.0.0.0 and 127.255.255.255 as its broadcast address.
0.0.0.0 is the entire Internet with netmask 0.0.0.0 and 255.255.255.255 as
its broadcast address.
0.0.0.0 with netmask 255.255.255.255 is an unconfigured interface.
224.0.0.0 ... 239.255.255.255 is used for multicast. 240.0.0.0 ...
255.255.255.255 is reserved.
CIDR does not tie the number of hosts to the network address, at least not in the strict way that 'classic' A, B and C networks do. Nor does it limit the size to 16M, 64k or 256 IP addresses. Instead, any power of 2 can be used as the size of the network (number of hosts + network address + broadcast address). In other words, CIDR treats an IP address as a 32-bit number rather than as four separate bytes.
The following table shows the netmasks in binary form. The 'CIDR' column is the number of '1' bits counted from the left. This is also known as 'slash notation'.
Binary | Hex | Quad Dec | 2ⁿ | CIDR | Number of addresses |
---|---|---|---|---|---|
00000000000000000000000000000000 | 00000000 | 0.0.0.0 | 2³² | /0 | 4,294,967,296 (4 G) |
10000000000000000000000000000000 | 80000000 | 128.0.0.0 | 2³¹ | /1 | 2,147,483,648 (2 G) |
11000000000000000000000000000000 | C0000000 | 192.0.0.0 | 2³⁰ | /2 | 1,073,741,824 (1 G) |
11100000000000000000000000000000 | E0000000 | 224.0.0.0 | 2²⁹ | /3 | 536,870,912 (512 M) |
11110000000000000000000000000000 | F0000000 | 240.0.0.0 | 2²⁸ | /4 | 268,435,456 (256 M) |
11111000000000000000000000000000 | F8000000 | 248.0.0.0 | 2²⁷ | /5 | 134,217,728 (128 M) |
11111100000000000000000000000000 | FC000000 | 252.0.0.0 | 2²⁶ | /6 | 67,108,864 (64 M) |
11111110000000000000000000000000 | FE000000 | 254.0.0.0 | 2²⁵ | /7 | 33,554,432 (32 M) |
11111111000000000000000000000000 | FF000000 | 255.0.0.0 | 2²⁴ | /8 | 16,777,216 (16 M) |
11111111100000000000000000000000 | FF800000 | 255.128.0.0 | 2²³ | /9 | 8,388,608 (8 M) |
11111111110000000000000000000000 | FFC00000 | 255.192.0.0 | 2²² | /10 | 4,194,304 (4 M) |
11111111111000000000000000000000 | FFE00000 | 255.224.0.0 | 2²¹ | /11 | 2,097,152 (2 M) |
11111111111100000000000000000000 | FFF00000 | 255.240.0.0 | 2²⁰ | /12 | 1,048,576 (1 M) |
11111111111110000000000000000000 | FFF80000 | 255.248.0.0 | 2¹⁹ | /13 | 524,288 (512 k) |
11111111111111000000000000000000 | FFFC0000 | 255.252.0.0 | 2¹⁸ | /14 | 262,144 (256 k) |
11111111111111100000000000000000 | FFFE0000 | 255.254.0.0 | 2¹⁷ | /15 | 131,072 (128 k) |
11111111111111110000000000000000 | FFFF0000 | 255.255.0.0 | 2¹⁶ | /16 | 65,536 (64 k) |
11111111111111111000000000000000 | FFFF8000 | 255.255.128.0 | 2¹⁵ | /17 | 32,768 (32 k) |
11111111111111111100000000000000 | FFFFC000 | 255.255.192.0 | 2¹⁴ | /18 | 16,384 (16 k) |
11111111111111111110000000000000 | FFFFE000 | 255.255.224.0 | 2¹³ | /19 | 8,192 (8 k) |
11111111111111111111000000000000 | FFFFF000 | 255.255.240.0 | 2¹² | /20 | 4,096 (4 k) |
11111111111111111111100000000000 | FFFFF800 | 255.255.248.0 | 2¹¹ | /21 | 2,048 (2 k) |
11111111111111111111110000000000 | FFFFFC00 | 255.255.252.0 | 2¹⁰ | /22 | 1,024 (1 k) |
11111111111111111111111000000000 | FFFFFE00 | 255.255.254.0 | 2⁹ | /23 | 512 |
11111111111111111111111100000000 | FFFFFF00 | 255.255.255.0 | 2⁸ | /24 | 256 |
11111111111111111111111110000000 | FFFFFF80 | 255.255.255.128 | 2⁷ | /25 | 128 |
11111111111111111111111111000000 | FFFFFFC0 | 255.255.255.192 | 2⁶ | /26 | 64 |
11111111111111111111111111100000 | FFFFFFE0 | 255.255.255.224 | 2⁵ | /27 | 32 |
11111111111111111111111111110000 | FFFFFFF0 | 255.255.255.240 | 2⁴ | /28 | 16 |
11111111111111111111111111111000 | FFFFFFF8 | 255.255.255.248 | 2³ | /29 | 8 |
11111111111111111111111111111100 | FFFFFFFC | 255.255.255.252 | 2² | /30 | 4 |
11111111111111111111111111111110 | FFFFFFFE | 255.255.255.254 | 2¹ | /31 | 2 |
11111111111111111111111111111111 | FFFFFFFF | 255.255.255.255 | 2⁰ | /32 | 1 |
What used to be class A is now '/8', B is '/16', C is '/24' and '/32' is the 'netmask' for a single host.
Netmasks are used by routers to make routing decisions. For instance:

| Quad Dec | Hex | Binary |
---|---|---|---|
Address | 192.168.0.1 | C0A80001 | 1100 0000 1010 1000 0000 0000 0000 0001 |
Network | 192.168.0.0 | C0A80000 | 1100 0000 1010 1000 0000 0000 0000 0000 |
Netmask | 255.255.255.0 | FFFFFF00 | 1111 1111 1111 1111 1111 1111 0000 0000 |
If you want to know whether 192.168.0.1 belongs to network 192.168.0.0, simply do a bitwise AND of the address and the netmask:

```
Addr  1100 0000 1010 1000 0000 0000 0000 0001
Mask  1111 1111 1111 1111 1111 1111 0000 0000
AND   -------------------------------------------
Net   1100 0000 1010 1000 0000 0000 0000 0000
```
This could also be phrased as follows (the parentheses matter: in C, '==' binds tighter than '&', so without them the expression would compute 'Address & (Netmask == Network)'):

```c
if ((Address & Netmask) == Network) {
    // Belongs to network
    ...
} else {
    // Does not belong to network
    ...
}
```
Which yields:

```c
if ((0xC0A80001 & 0xFFFFFF00) == 0xC0A80000) {
    // Belongs to network
    ...
} else {
    // Does not belong to network
    ...
}
```
Bitwise operators are implemented directly as processor instructions and are therefore very efficient.
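As an added worked example (not code from the original page), here is the netmask arithmetic above in Python: building a row of the netmask table from a prefix length, converting dotted quads, and the (address AND netmask) == network test that a router performs, cross-checked against the standard library's ipaddress module. The addresses are the page's own 192.168.0.0/24 example; the function names are assumptions of this example.

```python
import ipaddress  # standard library; used only as an independent cross-check


def prefix_to_mask(prefix: int) -> int:
    """32-bit netmask for a CIDR prefix length: /24 -> 0xFFFFFF00."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: int) -> int:
    """Inverse of prefix_to_mask. Rejects non-contiguous masks such as
    255.0.255.0, which CIDR does not allow (the ones must be left-aligned)."""
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous netmask {mask:#010x}")
    return prefix


def to_quad(value: int) -> str:
    """Integer -> dotted quad, e.g. 0xC0A80001 -> '192.168.0.1'."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def from_quad(quad: str) -> int:
    """Dotted quad -> integer, with range checking on every octet."""
    octets = [int(o) for o in quad.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {quad!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def mask_row(prefix: int) -> dict:
    """One row of the netmask table: binary, hex, dotted quad, slash and size."""
    mask = prefix_to_mask(prefix)
    return {
        "binary": f"{mask:032b}",
        "hex": f"{mask:08X}",
        "quad": to_quad(mask),
        "cidr": f"/{prefix}",
        "addresses": 2 ** (32 - prefix),
    }


def network_of(address: str, prefix: int) -> str:
    """Address AND netmask: the network address an address belongs to."""
    return to_quad(from_quad(address) & prefix_to_mask(prefix))


def in_network(address: str, cidr: str) -> bool:
    """True when (address & netmask) == network; parentheses kept explicit
    so the expression reads the same as the C version on the page."""
    net_str, prefix_str = cidr.split("/")
    mask = prefix_to_mask(int(prefix_str))
    network = from_quad(net_str) & mask  # normalise e.g. 192.168.0.1/24 to 192.168.0.0
    return (from_quad(address) & mask) == network


def in_network_stdlib(address: str, cidr: str) -> bool:
    """Same test via the standard library, to cross-check the bit arithmetic."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    for p in (0, 8, 16, 24, 25, 30, 32):
        print(mask_row(p))
    print(network_of("192.168.0.1", 24))  # 192.168.0.0
    for addr in ("192.168.0.1", "192.168.0.254", "192.168.1.1"):
        print(addr, in_network(addr, "192.168.0.0/24"),
              in_network_stdlib(addr, "192.168.0.0/24"))
```

mask_to_prefix() is the check worth keeping in any ACL or firewall loader: a mask whose ones are not contiguous is not a CIDR mask at all, and silently accepting one yields a rule that matches something other than what the author intended.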
The bits in the 'host' part of a network address are all '0'. The bits to the left of the host bits can be either '0' or '1' (this is much like subnetting a classic A, B or C network).
The following diagram shows a network being split into two smaller networks, then four, then eight, then 16, and so on:
```
Netmask:       0    128    192    224    240    248    252
Hex netmask:  00     80     C0     E0     F0     F8     FC
Split in:             2      4      8     16     32     64
               0-+->  0-+->  0-+->  0-+->  0-+->  0-+->  0 (00)  Network address (hex)
                 |      |      |      |      |      |
                 |      |      |      |      |      +->  4 (04)
                 |      |      |      |      |
                 |      |      |      |      +->  8-+->  8 (08)
                 |      |      |      |             |
                 |      |      |      |             +-> 12 (0C)
                 |      |      |      |
                 |      |      |      +-> 16-+-> 16-+-> 16 (10)
                 |      |      |             |      |
                 |      |      |             |      +-> 20 (14)
                 |      |      |             |
                 |      |      |             +-> 24-+-> 24 (18)
                 |      |      |                    |
                 |      |      |                    +-> 28 (1C)
                 |      |      |
                 |      |      +-> 32-+-> 32-+-> 32-+-> 32 (20)
                 |      |             |      |      |
                 |      |             |      |      +-> 36 (24)
                 |      |             |      |
                 |      |             |      +-> 40-+-> 40 (28)
                 |      |             |             |
                 |      |             |             +-> 44 (2C)
                 |      |             |
                 |      |             +-> 48-+-> 48-+-> 48 (30)
                 |      |                    |      |
                 |      |                    |      +-> 52 (34)
                 |      |                    |
                 |      |                    +-> 56-+-> 56 (38)
                 |      |                           |
                 |      |                           +-> 60 (3C)
                 |      |
                 |      +-> 64-+-> 64-+-> 64-+-> 64-+-> 64 (40)
                 |             |      |      |      |
                 |             |      |      |      +-> 68 (44)
                 |             |      |      |
                 |             |      |      +-> 72-+-> 72 (48)
                 |             |      |             |
                 |             |      |             +-> 76 (4C)
                 |             |      |
                 |             |      +-> 80-+-> 80-+-> 80 (50)
                 |             |             |      |
                 |             |             |      +-> 84 (54)
                 |             |             |
                 |             |             +-> 88-+-> 88 (58)
                 |             |                    |
                 |             |                    +-> 92 (5C)
                 |             |
                 |             +-> 96-+-> 96-+-> 96-+-> 96 (60)
                 |                    |      |      |
                 |                    |      |      +->100 (64)
                 |                    |      |
                 |                    |      +->104-+->104 (68)
                 |                    |             |
                 |                    |             +->108 (6C)
                 |                    |
                 |                    +->112-+->112-+->112 (70)
                 |                           |      |
                 |                           |      +->116 (74)
                 |                           |
                 |                           +->120-+->120 (78)
                 |                                  |
                 |                                  +->124 (7C)
                 |
                 +->128-+->128-+->128-+->128-+->128-+->128 (80)
                        |      |      |      |      |
                        |      |      |      |      +->132 (84)
                        |      |      |      |
                        |      |      |      +->136-+->136 (88)
                        |      |      |             |
                        |      |      |             +->140 (8C)
                        |      |      |
                        |      |      +->144-+->144-+->144 (90)
                        |      |             |      |
                        |      |             |      +->148 (94)
                        |      |             |
                        |      |             +->152-+->152 (98)
                        |      |                    |
                        |      |                    +->156 (9C)
                        |      |
                        |      +->160-+->160-+->160-+->160 (A0)
                        |             |      |      |
                        |             |      |      +->164 (A4)
                        |             |      |
                        |             |      +->168-+->168 (A8)
                        |             |             |
                        |             |             +->172 (AC)
                        |             |
                        |             +->176-+->176-+->176 (B0)
                        |                    |      |
                        |                    |      +->180 (B4)
                        |                    |
                        |                    +->184-+->184 (B8)
                        |                           |
                        |                           +->188 (BC)
                        |
                        +->192-+->192-+->192-+->192-+->192 (C0)
                               |      |      |      |
                               |      |      |      +->196 (C4)
                               |      |      |
                               |      |      +->200-+->200 (C8)
                               |      |             |
                               |      |             +->204 (CC)
                               |      |
                               |      +->208-+->208-+->208 (D0)
                               |             |      |
                               |             |      +->212 (D4)
                               |             |
                               |             +->216-+->216 (D8)
                               |                    |
                               |                    +->220 (DC)
                               |
                               +->224-+->224-+->224-+->224 (E0)
                                      |      |      |
                                      |      |      +->228 (E4)
                                      |      |
                                      |      +->232-+->232 (E8)
                                      |             |
                                      |             +->236 (EC)
                                      |
                                      +->240-+->240-+->240 (F0)
                                             |      |
                                             |      +->244 (F4)
                                             |
                                             +->248-+->248 (F8)
                                                    |
                                                    +->252 (FC)
```
Example: Subnetting a /24 in a table.
In the diagram above the smallest network is four successive IP addresses. If you want even smaller ranges, below is an example of '248' being split in two and then in four:

```
Netmask:     252    254    255
Hex netmask:  FC     FE     FF
             248-+->248-+->248 (F8)
                 |      |
                 |      +->249 (F9)
                 |
                 +->250-+->250 (FA)
                        |
                        +->251 (FB)
```
Slash | Network |
---|---|
0 - 7 | N.0.0.0 |
8 - 15 | a.N.0.0 |
16 - 23 | a.b.N.0 |
24 - 31 | a.b.c.N |
A table with values of 'N':

Slash | Nr of nets | N is multiple of | Possible values of 'N' |
---|---|---|---|
/0, /8, /16, /24 | 1 | 0 | 0 |
/1, /9, /17, /25 | 2 | 128 | 0, 128 |
/2, /10, /18, /26 | 4 | 64 | 0, 64, 128, 192 |
/3, /11, /19, /27 | 8 | 32 | 0, 32, 64, 96, 128, 160, 192, 224 |
/4, /12, /20, /28 | 16 | 16 | 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208, 224, 240 |
/5, /13, /21, /29 | 32 | 8 | 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, 128, 136, 144, 152, 160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, 248 |
/6, /14, /22, /30 | 64 | 4 | 0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 44, 48, 52, 56, 60, 64, 68, 72, 76, 80, 84, 88, 92, 96, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 148, 152, 156, 160, 164, 168, 172, 176, 180, 184, 188, 192, 196, 200, 204, 208, 212, 216, 220, 224, 228, 232, 236, 240, 244, 248, 252 |
/7, /15, /23, /31 | 128 | 2 | Any even number from 0 to 254; 0, 2, 4, ... 254 |
Note: 0.0.0.0 is not a valid IP address; 0.0.0.0/0 is all IP addresses.
Note: a.b.c.d/32 is a single IP address.
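Added example, not code from the original page: the split diagram and the 'values of N' table above generated in Python. subnets_of() produces one column of the diagram, last_octets() the 'N' values written beside it, network_pattern() the 'a.b.N.0' column of the first table and n_table_row() one row of the second. 192.168.1.0/24 is a constructed sample network and the function names are assumptions of this example.

```python
import ipaddress


def subnets_of(network: str, new_prefix: int) -> list:
    """All subnets of `network` with prefix length `new_prefix`, in address order.
    Each column of the split diagram is one call: /24 -> /25, /26, ..., /30."""
    net = ipaddress.ip_network(network)  # raises if host bits are set
    if not net.prefixlen <= new_prefix <= 32:
        raise ValueError(f"new prefix must be between /{net.prefixlen} and /32")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def last_octets(network: str, new_prefix: int) -> list:
    """The 'N' values of the diagram: last octet of every subnet's network address."""
    return [int(s.split("/")[0].rsplit(".", 1)[1])
            for s in subnets_of(network, new_prefix)]


def network_pattern(slash: int) -> str:
    """Which octet 'N' lands in: /0-7 -> 'N.0.0.0', /8-15 -> 'a.N.0.0', ..."""
    if not 0 <= slash <= 31:
        raise ValueError("slash must be 0..31")
    octet = slash // 8
    return ".".join(["a", "b", "c"][:octet] + ["N"] + ["0"] * (3 - octet))


def n_table_row(slash: int) -> dict:
    """Number of nets, step size and possible values of 'N' for one slash.
    Only the network bits that fall inside N's octet matter, i.e. slash mod 8;
    that is why /2, /10, /18 and /26 share one row of the table."""
    if not 0 <= slash <= 31:
        raise ValueError("slash must be 0..31")
    bits = slash % 8            # network bits inside N's octet
    nets = 2 ** bits
    step = 256 // nets          # 256 when bits == 0, so N can only be 0
    return {
        "pattern": network_pattern(slash),
        "nr_of_nets": nets,
        "multiple_of": step if bits else 0,
        "values": list(range(0, 256, step)),
    }


def split_tree(network: str = "192.168.1.0/24") -> dict:
    """The diagram as data: {new_prefix: [last octets]} for every split of a /24,
    down to /30 (netmask 252) like the diagram."""
    base = ipaddress.ip_network(network)
    return {p: last_octets(network, p) for p in range(base.prefixlen + 1, 31)}


if __name__ == "__main__":
    for prefix, octets in split_tree().items():
        print(f"/{prefix}: {octets}")
    print(n_table_row(26))
    print(n_table_row(18))  # same N values, but N is the third octet
```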
IPv6 works the same way. The numbers are just bigger.
Netmask binary | Hex | / |
---|---|---|
0000000000000000 | 0000 | /0 |
1000000000000000 | 8000 | /1 |
1100000000000000 | c000 | /2 |
1110000000000000 | e000 | /3 |
1111000000000000 | f000 | /4 |
1111100000000000 | f800 | /5 |
1111110000000000 | fc00 | /6 |
1111111000000000 | fe00 | /7 |
1111111100000000 | ff00 | /8 |
1111111110000000 | ff80 | /9 |
1111111111000000 | ffc0 | /10 |
1111111111100000 | ffe0 | /11 |
1111111111110000 | fff0 | /12 |
1111111111111000 | fff8 | /13 |
1111111111111100 | fffc | /14 |
1111111111111110 | fffe | /15 |
1111111111111111 | ffff | /16 |
'ffff' in IPv6 is the same as '255.255' in IPv4.
Netmask | / | 2ⁿ | Number of addresses | Number of /64s |
---|---|---|---|---|
0000:0000:0000:0000:0000:0000:0000:0000 | /0 | 2¹²⁸ | 340,282,366,920,938,463,463,374,607,431,768,211,456 | 16 E |
ffff:0000:0000:0000:0000:0000:0000:0000 | /16 | 2¹¹² | 5,192,296,858,534,827,628,530,496,329,220,096 | 256 T |
ffff:ffff:0000:0000:0000:0000:0000:0000 | /32 | 2⁹⁶ | 79,228,162,514,264,337,593,543,950,336 | 4 G |
ffff:ffff:ffff:0000:0000:0000:0000:0000 | /48 | 2⁸⁰ | 1,208,925,819,614,629,174,706,176 (1 Y) | 64 k |
ffff:ffff:ffff:ffff:0000:0000:0000:0000 | /64 | 2⁶⁴ | 18,446,744,073,709,551,616 (16 E) | 1 |
ffff:ffff:ffff:ffff:ffff:0000:0000:0000 | /80 | 2⁴⁸ | 281,474,976,710,656 (256 T) | |
ffff:ffff:ffff:ffff:ffff:ffff:0000:0000 | /96 | 2³² | 4,294,967,296 (4 G) | |
ffff:ffff:ffff:ffff:ffff:ffff:ffff:0000 | /112 | 2¹⁶ | 65,536 (64 k) | |
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | /128 | 2⁰ | 1 | |
':0000:' can be written as ':0:', and the longest run of consecutive zero groups as '::'.
Since the IPv6 internet is 2000::/3
(2000:0000:0000:0000:0000:0000:0000:0000 to
3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff), the number of available addresses
is 2¹²⁵ = 42,535,295,865,117,307,932,921,825,928,971,026,432.
Some ISPs provide a /56 or a /60 instead of a /48:

Netmask | / | 2ⁿ | Number of addresses | Number of /64s |
---|---|---|---|---|
ffff:ffff:ffff:0000:0000:0000:0000:0000 | /48 | 2⁸⁰ | 1,208,925,819,614,629,174,706,176 | 65,536 |
ffff:ffff:ffff:ff00:0000:0000:0000:0000 | /56 | 2⁷² | 4,722,366,482,869,645,213,696 | 256 |
ffff:ffff:ffff:fff0:0000:0000:0000:0000 | /60 | 2⁶⁸ | 295,147,905,179,352,825,856 | 16 |
ffff:ffff:ffff:ffff:0000:0000:0000:0000 | /64 | 2⁶⁴ | 18,446,744,073,709,551,616 | 1 |
A /48 is 2¹⁶ = 65,536 successive /64s. A /56 is 2⁸ = 256 successive /64s. A /60 is 2⁴ = 16 successive /64s.
Netmasks /0 to /63:
Slash | Network |
---|---|
0 - 3 | N000:: [1] |
4 - 7 | xN00:: |
8 - 11 | xxN0:: |
12 - 15 | xxxN:: |
16 - 19 | xxxx:N000:: [1] |
20 - 23 | xxxx:xN00:: |
24 - 27 | xxxx:xxN0:: |
28 - 31 | xxxx:xxxN:: |
32 - 35 | xxxx:xxxx:N000:: [1] |
36 - 39 | xxxx:xxxx:xN00:: |
40 - 43 | xxxx:xxxx:xxN0:: |
44 - 47 | xxxx:xxxx:xxxN:: |
48 - 51 | xxxx:xxxx:xxxx:N000:: [1] |
52 - 55 | xxxx:xxxx:xxxx:xN00:: |
56 - 59 | xxxx:xxxx:xxxx:xxN0:: |
60 - 63 | xxxx:xxxx:xxxx:xxxN:: |
A table with values of 'N':

Slash | Nr of nets | N is multiple of | Possible values of 'N' |
---|---|---|---|
0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 44, 48, 52, 56, 60 | 1 | 0 | 0 |
1, 5, 9, 13, 17, 21, 25, 29, 33, 37, 41, 45, 49, 53, 57, 61 | 2 | 8 | 0, 8 |
2, 6, 10, 14, 18, 22, 26, 30, 34, 38, 42, 46, 50, 54, 58, 62 | 4 | 4 | 0, 4, 8, c |
3, 7, 11, 15, 19, 23, 27, 31, 35, 39, 43, 47, 51, 55, 59, 63 | 8 | 2 | 0, 2, 4, 6, 8, a, c, e |
Note: When 'N' is zero ':N000::' becomes '::'!
Note: :: is not a valid IPv6 address. ::/0 is all IPv6 addresses.
It is possible to split up a /64 even further:
Slash | Network |
---|---|
64 - 67 | xxxx:xxxx:xxxx:xxxx:N000:: [2] |
68 - 71 | xxxx:xxxx:xxxx:xxxx:xN00:: |
72 - 75 | xxxx:xxxx:xxxx:xxxx:xxN0:: |
76 - 79 | xxxx:xxxx:xxxx:xxxx:xxxN:: |
80 - 83 | xxxx:xxxx:xxxx:xxxx:xxxx:N000:: [2] |
84 - 87 | xxxx:xxxx:xxxx:xxxx:xxxx:xN00:: |
88 - 91 | xxxx:xxxx:xxxx:xxxx:xxxx:xxN0:: |
92 - 95 | xxxx:xxxx:xxxx:xxxx:xxxx:xxxN:: |
96 - 99 | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:N000:: [2] |
100 - 103 | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xN00:: |
104 - 107 | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxN0:: |
108 - 111 | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxN:: |
112 - 115 | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:N000 [2] |
116 - 119 | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xN00 |
120 - 123 | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxN0 |
124 - 127 | xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxN |
A table with values of 'N':

Slash | Nr of nets | N is multiple of | Possible values of 'N' |
---|---|---|---|
64, 68, 72, 76, 80, 84, 88, 92, 96, 100, 104, 108, 112, 116, 120, 124 | 1 | 0 | 0 |
65, 69, 73, 77, 81, 85, 89, 93, 97, 101, 105, 109, 113, 117, 121, 125 | 2 | 8 | 0, 8 |
66, 70, 74, 78, 82, 86, 90, 94, 98, 102, 106, 110, 114, 118, 122, 126 | 4 | 4 | 0, 4, 8, c |
67, 71, 75, 79, 83, 87, 91, 95, 99, 103, 107, 111, 115, 119, 123, 127 | 8 | 2 | 0, 2, 4, 6, 8, a, c, e |
Note: When 'N' is zero ':N000::' and ':N000' become '::'!
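Added example (not the page's code) covering the two IPv6 'N' tables above: v6_pattern() places 'N' in the right hex digit for any prefix /0 to /127, v6_n_row() gives the number of nets and the hex values N can take (the 'slash mod 4' rule that makes /3, /7, /11 ... share one row), and v6_subnets() shows the same thing on a real prefix. The 2001:db8:1234::/48 sample is constructed from the page's own documentation prefix; the function names are assumptions of this example.

```python
import ipaddress


def v6_pattern(slash: int) -> str:
    """Where 'N' sits for an IPv6 prefix /0 .. /127, in the page's notation:
    /0 -> 'N000::', /57 -> 'xxxx:xxxx:xxxx:xxN0::', /127 -> 'xxxx:...:xxxN'."""
    if not 0 <= slash <= 127:
        raise ValueError("slash must be 0..127")
    group, bit = divmod(slash, 16)   # 16-bit group 0..7, bit inside it 0..15
    pos = bit // 4                   # hex digit inside that group, 0..3
    this = "x" * pos + "N" + "0" * (3 - pos)
    groups = ["xxxx"] * group + [this]
    # Everything right of N is zero; '::' abbreviates it unless N is already
    # in the last group (prefixes /112 and up), where nothing is left to abbreviate.
    return ":".join(groups) + ("" if group == 7 else "::")


def v6_n_row(slash: int) -> dict:
    """Nr of nets, step size and the hex values 'N' can take for one slash.
    Only the network bits inside N's hex digit matter, i.e. slash mod 4."""
    bits = slash % 4
    nets = 2 ** bits
    step = 16 // nets                # 16 when bits == 0, so N can only be 0
    return {
        "pattern": v6_pattern(slash),
        "nr_of_nets": nets,
        "multiple_of": step if bits else 0,
        "values": [f"{v:x}" for v in range(0, 16, step)],
    }


def v6_subnets(network: str, new_prefix: int) -> list:
    """All subnets of an IPv6 network with the given prefix length, compressed form."""
    net = ipaddress.ip_network(network)  # raises if host bits are set
    if not net.prefixlen <= new_prefix <= 128:
        raise ValueError(f"new prefix must be between /{net.prefixlen} and /128")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for slash in (0, 3, 50, 57, 112, 127):
        print(f"/{slash:<3} {v6_n_row(slash)}")
    # Constructed sample: a /48 from the documentation prefix split into /50s.
    # N is the 13th hex digit (group 3, digit 0) and takes the values 0, 4, 8, c.
    print(v6_subnets("2001:db8:1234::/48", 50))
```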
Some advocate the use of /120s. A /120 is the same size as an IPv4 /24: 256 addresses.

Netmask | / | 2ⁿ | Number of addresses |
---|---|---|---|
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00 | /120 | 2⁸ | 256 |

The idea is to use only 256 addresses out of a /64 and firewall off the rest, in order to avoid NDP (Neighbour Discovery Protocol) exhaustion attacks.
Suppose I have a host '2001:db8:1234:1::1/128' and a network '2001:db8:1234:1::/64'. Both statements can be combined (e.g. in ifconfig) into a single one: '2001:db8:1234:1::1/64'.
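Added example (not the page's code) for the IPv6 sizing tables above and the last two paragraphs: the netmask column of the tables, address and /64 counts per prefix, splitting a combined '2001:db8:1234:1::1/64' statement back into its host and network parts, and a check that an address falls inside the first /120 of a /64, which is the test a firewall rule implementing the /120 idea would make. The function names are assumptions of this example; the addresses are the page's own.

```python
import ipaddress

ALL_ONES_128 = (1 << 128) - 1


def v6_netmask(prefix: int) -> str:
    """Netmask for /prefix as eight 4-digit hex groups, the first column of the tables."""
    if not 0 <= prefix <= 128:
        raise ValueError("IPv6 prefix length must be 0..128")
    mask = (ALL_ONES_128 << (128 - prefix)) & ALL_ONES_128
    return ":".join(f"{(mask >> shift) & 0xFFFF:04x}" for shift in range(112, -1, -16))


def addresses_in(prefix: int) -> int:
    """2^(128 - prefix): /3 gives the 2^125 of the 2000::/3 internet, /120 gives 256."""
    if not 0 <= prefix <= 128:
        raise ValueError("IPv6 prefix length must be 0..128")
    return 2 ** (128 - prefix)


def count_of_64s(prefix: int) -> int:
    """How many /64s an allocation holds: /48 -> 65,536, /56 -> 256, /60 -> 16."""
    if not 0 <= prefix <= 64:
        raise ValueError("only prefixes /0 .. /64 contain whole /64s")
    return 2 ** (64 - prefix)


def split_interface(cidr: str) -> tuple:
    """'2001:db8:1234:1::1/64' -> ('2001:db8:1234:1::1/128', '2001:db8:1234:1::/64'):
    the combined ifconfig-style statement back into host and network."""
    iface = ipaddress.ip_interface(cidr)  # host bits are allowed here, unlike ip_network()
    return f"{iface.ip}/128", str(iface.network)


def first_120(prefix_64: str) -> str:
    """The one /120 at the bottom of a /64 that the /120 scheme actually uses."""
    net = ipaddress.ip_network(prefix_64)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    return str(next(net.subnets(new_prefix=120)))


def inside_first_120(address: str, prefix_64: str) -> bool:
    """Would a filter that only passes the first /120 let this address through?
    Everything else in the /64 is the part the firewall drops."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(first_120(prefix_64))


if __name__ == "__main__":
    for p in (0, 48, 56, 60, 64, 120, 128):
        print(f"/{p:<3} {v6_netmask(p)}  {addresses_in(p):,}")
    for p in (48, 56, 60, 64):
        print(f"/{p}: {count_of_64s(p):,} x /64")
    host, net = split_interface("2001:db8:1234:1::1/64")
    print(host, net, first_120(net))
    for addr in ("2001:db8:1234:1::1", "2001:db8:1234:1::ff", "2001:db8:1234:1::100"):
        print(addr, inside_first_120(addr, net))
```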