CIDR Explained in Layman Terms and Decimal Numbers

CIDR Explained in Layman Terms and Decimal Numbers

If you work on cloud it is likely that you have used those numbers and slash that follow the IP addresses. The documentation points to something called CIDR. It is said to be super helpful, and awesome standard adopted by internet that extended life of IP4 . But have you tried searching ‘what is CIDR’? It is all jargon, all of it. There is hardly any lay-man friendly explanation of the term. Even Wikipedia has managed to find a complex way of explaining it. And yet it is something we use everyday, especially if you are working on cloud, containers or container orchestration frameworks.

We use it for defining networks when using docker. We use it when we specify services and networks in orchestration frameworks like swarm, compose, kubernetes, ECS or GKE. We use it when we specify ingress/egress rules in an AWS security group. We use it when we create a subnet in AWS EC2 specification, when we define VPCs, when we define clusters. Even single IP addresses (range size 1) at times are defined using CIDR notation.

I was wondering if CIDR could be explained without getting into binary number calculations, or more jargon of classes or routing, and found one.

CIDR is simply a way of specifying range of IP addresses. In cloud we mostly deal with IPV4 addresses and so let us see how we can think of CIDR in IPV4 context.

An IP address has 4 parts, joined together by dots. Each part can have 2 ^ 8 = 256 values, between 0 -255 both inclusive. In CIDR, we add a slash after the IP followed by a number between 1 to 32, both inclusive, these numbers are in fact a netmask specification. Now these 32 numbers can be divided in 4 groups of size 8, similar to the IP address (groups being 1-8, 9-16, 17-24 and 25-32). Each group has effect on the corresponding section of the IP address to generate a range. Like in the diagram below:

Now looking at the number in the group you can quickly tell what all IPs can come as part of the range. for example:

  1. 99.123.43.64/8 –> 99.0.0.0 to 99.255.255.255
  2. 99.123.43.64/16 –> 99.123.0.0 to 99.123.255.255
  3. 99.123.43.64/24 –> 99.123.43.0 to 99.123.43.255
  4. 99.123.43.64/32 –> 99.123.43.64!

The size of the range decreases as this number goes up, 1 being widest and 32 being strictest. Simple enough?

Now on to a little more complex part, what about number that are not multiples of 8? You can certainly define something like: 99.123.43.64/18 or 99.123.43.64/5 or 99.123.43.64/27 what would that mean? We have seen that each group of netmask governs IP values (0 – 255) in its group (and the groups that come after it). What if we divided these groups further? Larger groups were with multiples of 8, we will now divide the 255 numbers in 8 different ways, using 8 powers of 2, using a little 10th grade maths to do this:

  1. 7th power of 2, i.e. 128 creates two sub-groups: 0 – 127 and 128 – 255
  2. 6th power of 2 i.e. 64 creates four sub-groups: 0 – 63, 64 – 127, 128 – 191, 192 – 255
  3. 5th power of 2 i.e. 32 creates eight sub-groups: 0 – 31, 32 – 63, 64 – 95, 96 – 127, 128 – 159, 160 – 191, 192 – 223, 224 – 255
  4. 4th power of 2 i.e. 16 creates sixteen sub-groups: 0 – 15, 16 – 31, …. 240 – 255
  5. 3rd power of 2 i.e. 8 creates thirty two sub-groups: 0 – 7, 8 – 16, …. 240 – 247, 248 – 255
  6. 2nd power of 2 i.e. 4 creates sixty four sub-groups: 0 – 3, 4 – 7, …. 248 – 251, 252 – 255
  7. oneth power of 2 i.e. 2 creates one hundred and twenty eight sub-groups: 0 – 1, 2 – 3, 4- 5, … 252 – 253, 254 – 255
  8. zeroth power of 2 i.e. 1 creates two hundred and fifty six sub-groups: 0, 1, 2, 3, 4, 5, …. 253, 254, 255

With me so far? Now let us see how we can understand the meaning of intermediate numbers:

  1. Step 1: Identify the larger group your netmask belongs to using the diagram above, call it major group. Ex: /18 belongs to group 3 (17-24) and /30 belongs to group 4 (25-32)
  2. Step 2: Deduct your netmask number from the higher bound of the group. Ex: with /18, you get 24-18 = 6 and if /30 you get 32 – 30 = 2; this is your power of 2 (say n).
  3. Step 3: Now you can calculate the number of IPs that fall in this range by nth power of 2. Meaning when you specify /18, you have 2^6 = 64 and for /30 you have 2 ^ 2 = 4 possible values in the range.
  4. Now its just a job of identifying which sub-group your number in the place of major group fits in and you have the exact range of IPs that fit your CIDR. Ex: /18, means group 3 and sub-group with power 6. So the number in 3rd group in an ip like 99.123.43.64 is 43 and it fits in 1st sub-group.

Let us look at some examples:

  1. 99.123.43.64/27
    1. 27 is in group 4 (25 – 32)
    2. There are 32 – 27 = 5 and 2 ^ 5 = 32 addresses and we pick from the 5th power sub-group.
    3. and the 4th group number, 64 falls in 64 – 95 subgroup. so the range is: 99.123.43.64 to 99.123.43.95
  2. 99.123.43.64/30
    1. 30 is in group 4 (25 – 32)
    2. The power would be: 32 – 30 = 2 and there would be 2 ^ 2 = 4 addresses.
    3. and the range would be: 99.123.43.64 to  99.123.43.67
  3. 99.123.43.64/18
    1. 19 is in major group 3 (17 – 24).
    2. The power would be: 24 – 18 = 6 and there will be 2 ^ 6 = 64 possible values in group 3. Applying all possible values in group 4 for each in group 3, gets us: 2 ^ 6 * 2 ^ 8 = 16384 addresses
    3. and the range would be: 99.123.0.0 to 99.123.63.255
  4. 99.123.43.64/13
    1. 13 is in major group 2 (9 – 16)
    2. The power would be: 16 – 13 = 3 and there will be 2 ^ 3 = 8 possible values in group 2. Applying all possible values from group 4 and 3, we get 2 ^ 3 * 2 ^ 8 * 2 ^ 8 = 524288 addresses
    3. And the range would be: 99.120.0.0 to 99.127.255.255

I hope that clarifies it a bit!

Leave a Reply

Your email address will not be published. Required fields are marked *