How IP Addresses and CIDR Actually Work

Why an IP address is just a 32-bit number, what /24 means, the private ranges every backend touches, NAT, and why IPv6 came along — explained as bit patterns, not networking jargon.

192.168.1.1, 10.0.0.0/8, 127.0.0.1, 2001:db8::/32. You see them in firewall rules, network configs, AWS security groups. But an IP address is just a 32-bit integer — the dots are there to make it readable. This guide unpacks IP's bit structure, CIDR notation, private ranges, NAT, and the reason IPv6 exists — without the networking jargon.

IPv4 is one 32-bit integer

192.168.1.100
↓
192 . 168 . 1 . 100  ← human-friendly (dotted decimal)
↓
11000000.10101000.00000001.01100100  ← actual bits
↓
0xC0A80164                              ← same value in hex
↓
3,232,235,876                           ← same value in decimal

4 bytes = 32 bits, each byte 0-255. The dots are just visual — the computer sees a 4-byte integer.

Total addresses = 2^32 ≈ 4.3 billion. In 1981 that felt infinite. The 90s internet boom said otherwise.

The old classes — A / B / C (1981-1993)

Early IPv4 divided the space into classes:

| Class | Leading bits | Range | Networks | Hosts |
|---|---|---|---|---|
| A | 0xxx | 0.0.0.0 - 127.255.255.255 | 128 | 16M each |
| B | 10xx | 128.0.0.0 - 191.255.255.255 | 16K | 65K each |
| C | 110x | 192.0.0.0 - 223.255.255.255 | 2M | 256 each |

Problem — a company needing 500 hosts couldn't fit in Class C (256) and wasted Class B (65K). CIDR replaced the system in 1993.

CIDR — Classless Inter-Domain Routing

Append /N to mean "the first N bits are the network prefix":

192.168.1.0/24
                ↑
                first 24 bits = network
                last 8 bits = host

binary:
11000000.10101000.00000001.00000000
└────── network (24 bits) ──┘└host(8)─┘

network: 192.168.1.0
hosts:   0-255 (usable 1-254; .0 and .255 are reserved)

Flexible allocation without class boundaries:

  • /16 = 65,534 hosts (≈ Class B)
  • /24 = 254 hosts (≈ Class C)
  • /26 = 62 hosts (custom)
  • /28 = 14 hosts (small office)
  • /30 = 2 hosts (point-to-point link)
  • /32 = single host

Try it — IP / CIDR Calculator takes a CIDR and shows network / broadcast / range / subnet mask instantly.

Subnet mask — the old way to say CIDR

The same information, two notations:

/24                       (CIDR)
255.255.255.0             (subnet mask)

In binary:
11111111.11111111.11111111.00000000
└────── 24 ones ───────┘└── 0s ───┘

Subnet masks live on in older routers and Windows config screens. CIDR is shorter.

Special addresses worth memorizing

| Range | Name | Use |
|---|---|---|
| 127.0.0.0/8 | Loopback | Your own machine (usually 127.0.0.1) |
| 10.0.0.0/8 | Private (Class A range) | 16M addresses. Large corporate / VPC |
| 172.16.0.0/12 | Private (Class B range) | 1M addresses |
| 192.168.0.0/16 | Private (Class C range) | 65K addresses. Default for home routers |
| 169.254.0.0/16 | Link-local | Auto-config when DHCP fails (APIPA) |
| 224.0.0.0/4 | Multicast | Group delivery |
| 0.0.0.0/0 | Any / default | "All addresses" — route tables, firewall rules |
| 255.255.255.255 | Broadcast | Every host on the local subnet |

RFC 1918 (private ranges) — never routed on the public internet. Every office, home, and AWS VPC uses them.

NAT — the IPv4 shortage workaround

4.3 billion wasn't enough. NAT (Network Address Translation, 1994) puts many internal hosts behind one public IP:

100 internal hosts (192.168.1.1 - 192.168.1.100)
                       │
                       │
                   ┌───┴───┐
                   │ Router │
                   │  NAT   │  ← one public IP (203.0.113.5)
                   └───┬───┘
                       │
                  Internet

Request flow:
1. 192.168.1.50 calls google.com:443
2. Router rewrites the source to 203.0.113.5 : (random port)
3. Google replies to 203.0.113.5 : port
4. Router maps the port back to 192.168.1.50

Consequences:

  • Many internal hosts share one public IP
  • External hosts can't directly initiate a connection inward (port forwarding required)
  • Peer-to-peer gets harder (both sides behind NAT)
  • VoIP / games need NAT traversal (STUN / TURN / ICE)

IPv6 — the 128-bit answer

The real fix. Standardized in 1998. 128 bits = 2^128 ≈ 3.4 × 10^38 addresses:

IPv6 format:
2001:0db8:85a3:0000:0000:8a2e:0370:7334
└──── 8 groups × 16 bits ────┘

Compressed zeros (::):
2001:0db8:85a3::8a2e:0370:7334       ← :: is the run of zeros

loopback:
::1                                  ← IPv4's 127.0.0.1

specials:
::/0                                 ← any
fe80::/10                            ← link-local
fc00::/7                             ← private (ULA)
2001:db8::/32                        ← documentation only

IPv6 has enough addresses that NAT isn't needed — every device can have a globally unique address. Peer-to-peer becomes natural.

Adoption has been slow because 30+ years of IPv4 infrastructure won't budge overnight. Dual-stack (IPv4 + IPv6 together) is today's reality.

Practical CIDR calculations

"Is 192.168.1.50 in 10.0.0.0/8?"

10.0.0.0/8 has network bits = first 8 bits
10.0.0.0 first byte = 10

192.168.1.50 first byte = 192

10 ≠ 192 → not in the range

"How many hosts in /24?"

/24 = 24 network bits + 8 host bits
2^8 = 256 addresses total

Reserved:
- 0 (network address)
- 255 (broadcast)
→ 254 usable hosts

"Do two CIDRs overlap?"

192.168.0.0/16  vs  192.168.1.0/24

/16's network = first 16 bits = "192.168"
/24's network = first 24 bits = "192.168.1"

The /24's first 16 bits = "192.168" — matches the /16
→ /24 is a subset of /16 → they overlap

IP / CIDR Calculator does this automatically — enter two CIDRs to see ranges, host counts, and overlap.
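
The three questions above, worked as 32-bit integer operations. This is an added example, not code from the original page or from the calculator it mentions; the function names are assumptions chosen for illustration.

```javascript
// Added example: the CIDR questions above as 32-bit integer operations.
function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0; // >>> 0 keeps the value unsigned
  }, 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 255).join('.');
}

function parseCidr(cidr) {
  const [addr, len = ''] = cidr.split('/');
  if (!/^\d{1,2}$/.test(len) || Number(len) > 32) throw new Error(`bad prefix: ${cidr}`);
  const prefix = Number(len);
  // JS shift counts wrap at 32, so /0 needs its own case (x << 32 === x).
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const network = (ipToInt(addr) & mask) >>> 0; // host bits cleared
  const broadcast = (network | ~mask) >>> 0;    // host bits set
  return { prefix, mask, network, broadcast };
}

// "Is this IP in that CIDR?" Compare only the network bits.
function contains(cidr, ip) {
  const { mask, network } = parseCidr(cidr);
  return ((ipToInt(ip) & mask) >>> 0) === network;
}

// "Do two CIDRs overlap?" Two ranges overlap when each starts before the other ends.
function overlaps(a, b) {
  const x = parseCidr(a);
  const y = parseCidr(b);
  return x.network <= y.broadcast && y.network <= x.broadcast;
}

// "How many hosts?" 2^(host bits), minus the network and broadcast addresses.
function usableHosts(cidr) {
  const { prefix } = parseCidr(cidr);
  const total = 2 ** (32 - prefix);
  return prefix >= 31 ? total : total - 2; // /32 is one host; /31 keeps both (RFC 3021)
}

console.log(contains('10.0.0.0/8', '192.168.1.50'));          // false
console.log(overlaps('192.168.0.0/16', '192.168.1.0/24'));    // true
console.log(intToIp(parseCidr('192.168.1.77/24').broadcast)); // 192.168.1.255
```

The range test in `overlaps` also catches the case where neither block is a subset written the same way, which is what matters when checking a proposed VPC CIDR against existing ones.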

VPC CIDR in AWS / GCP / Azure

Cloud VPCs use private ranges with your own CIDR layout:

VPC: 10.0.0.0/16          (65K addresses)
  ├── Subnet A: 10.0.1.0/24  (254 hosts, AZ-1)
  ├── Subnet B: 10.0.2.0/24  (254 hosts, AZ-2)
  └── Subnet C: 10.0.3.0/24  (254 hosts, AZ-3)

Watch out — peered VPCs can't overlap. Establish a company-wide convention up front (e.g. prod = 10.0/16, staging = 10.1/16).

Security groups use CIDR too

# AWS Security Group rule
Inbound HTTPS from 0.0.0.0/0    ← anyone (public)
Inbound SSH from 203.0.113.0/24 ← only the corp office IP range
Inbound 5432 from 10.0.0.0/16   ← only inside the VPC (Postgres)

Firewall rules express source and destination as CIDR. /32 = a single IP, /0 = anywhere.

Common pitfalls

1. /24 vs /23 host count

/24 = 254 hosts. /23 = 510 hosts (2×). One extra host bit doubles addresses — host bits N → 2^N addresses. The math sometimes surprises.

2. The meaning of 0.0.0.0/0

Default route, or "any source." Inbound 0.0.0.0/0 on a firewall = exposed to the world. Only use it intentionally.

3. CIDR overlaps

VPC peering / VPN with overlapping CIDRs creates ambiguous routes. Plan a company-wide convention before you have many VPCs.

4. Mixing IPv4 and IPv6

# both mean "localhost"
127.0.0.1   (IPv4)
::1         (IPv6)

# service binding
0.0.0.0     (IPv4 only)
::          (IPv6 only — some OSes also accept IPv4)
[::]        (explicit IPv6)

Docker and Kubernetes dual-stack configs get confused by this regularly.

5. Client IPs behind load balancers

A service behind an LB sees the LB's IP via req.connection.remoteAddress. The real client IP is in X-Forwarded-For. Watch for spoofing — only trust the header when the request comes from a trusted proxy.
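
One way to apply that rule, as an added example that is not code from the original page: read X-Forwarded-For only when the socket peer is inside a trusted proxy CIDR, then walk the header right to left. The 10.0.1.0/24 proxy subnet, the sample addresses and the function names are assumptions; IPv6 peers are treated as untrusted here.

```javascript
// Assumption (constructed): the load balancers sit in this subnet.
const TRUSTED_PROXIES = ['10.0.1.0/24'];

const toInt = (ip) => ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);

function inCidr(ip, cidr) {
  const [net, len] = cidr.split('/');
  const mask = len === '0' ? 0 : (0xffffffff << (32 - Number(len))) >>> 0;
  return ((toInt(ip) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

// Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; strip the mapping first.
const normalize = (ip) => String(ip || '').trim().replace(/^::ffff:/i, '');

function isTrustedProxy(ip) {
  // Anything that is not a valid dotted quad (IPv6, garbage) is never trusted here.
  const quad = /^\d{1,3}(\.\d{1,3}){3}$/.test(ip) && ip.split('.').every((o) => Number(o) <= 255);
  return quad && TRUSTED_PROXIES.some((c) => inCidr(ip, c));
}

function clientIp(remoteAddress, xForwardedFor) {
  const peer = normalize(remoteAddress);
  // Peer is not one of our proxies: the header is whatever the sender typed. Ignore it.
  if (!isTrustedProxy(peer)) return peer;
  const chain = String(xForwardedFor || '').split(',').map(normalize).filter(Boolean);
  // Each proxy appends the peer it saw, so walk right to left and stop at the
  // first hop that is not ours. Everything left of it is unverified client input.
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!isTrustedProxy(chain[i])) return chain[i];
  }
  return peer; // header missing, or only our own proxies listed
}
```

Taking the left-most entry instead would hand rate limiting, allow-lists and audit logs an address chosen by the client.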

Summary

  • IPv4 is one 32-bit integer. The dots are just for humans.
  • CIDR /N = first N bits are the network. Replaced classes A/B/C in 1993.
  • Private ranges — 10/8, 172.16/12, 192.168/16. LAN / VPC / home routers.
  • NAT (1994) papered over IPv4 scarcity. One public IP shared by many internal hosts.
  • IPv6 = 128 bits. 2^128 addresses. No NAT needed. Slowly becoming the default.
  • Cloud VPCs let you pick the CIDR layout. Plan to avoid overlap.
  • Firewall rules and route tables use CIDR. /32 = single host, /0 = anywhere.
  • Try it: IP / CIDR Calculator for instant network / broadcast / range / host counts.