CIDR and Subnets: Reading IP Ranges Like a Pro
CIDR notation (like /24) describes the size of an IP range.
Key Takeaways
- Subnets organize address space for routing, security rules, and allocation.
- Many network policies and ownership records operate on prefixes, not single IPs.
- You don’t need heavy math to understand the most common CIDR sizes.
Why IP Ranges Exist (Not Just Single IPs)
Networks are administered in blocks: - ISPs receive large blocks and allocate smaller blocks to regions/customers. - Companies and cloud providers route traffic using prefixes.
That’s why you’ll often see ranges like 203.0.113.0/24 instead of a single IP.
CIDR Notation, Explained Simply
CIDR uses a slash number, like /24.
The idea:
- IPv4 addresses have 32 bits.
- /24 means the first 24 bits describe the network, and the remaining bits describe hosts.
You can treat it as: bigger / number → smaller range.
Common IPv4 Prefixes You’ll See
These are the “everyday” CIDR sizes:
- /24: 256 addresses (common for small allocations)
- /23: 512 addresses
- /22: 1024 addresses
- /20: 4096 addresses
- /16: 65,536 addresses (very large)
Practical intuition: - A /24 is “one typical small block.” - A /16 is “many /24 blocks grouped together.”
IPv6 Prefixes: Why /64 Is Everywhere
IPv6 works differently, but the same “prefix size” concept applies.
Common IPv6 patterns: - /64: the standard size for a single local network segment - /56 or /48: often allocated to a site/customer
You don’t need to compute IPv6 ranges manually often; focus on recognizing the prefix size and what it implies.
Subnets vs Subnet Masks (Avoid the Trap)
Older documentation uses subnet masks (like 255.255.255.0).
A mask is just another way of expressing CIDR.
Common equivalences:
- /24 ⇔ 255.255.255.0
- /16 ⇔ 255.255.0.0
You can safely learn CIDR first and treat masks as a legacy notation.
Practical Uses of CIDR
CIDR shows up in real workflows: - Firewalls allowlisting a partner’s IP range - Blocking abusive ranges (with caution) - Routing policies and network ownership - Reading WHOIS/RDAP results that list prefixes
Common Mistakes
- Confusing
/24with “24 IPs” (it’s 256 addresses) - Thinking larger slash means larger range (it’s the opposite)
- Mixing local network subnets with public IP allocation concepts
Practical Implications in Real Systems
IPVerdict results often align with prefixes: - Ownership and ASN context are commonly consistent within a prefix. - If you see multiple IPs in the same CIDR block, they usually share the same provider characteristics.
Use IPVerdict to compare: - IPs you suspect belong to the same block/provider - Differences between nearby IPs (sometimes a clue of reassignment)
Common Misunderstandings
Q1: Do I need to calculate exact start/end addresses? Usually no. Recognize common sizes and use tools when exact boundaries matter.
Q2: Why do blocklists use CIDR? Because abuse often clusters in provider ranges, but it can also create collateral damage.
Q3: Is a /24 always owned by one company? Often, but not guaranteed—cloud platforms can subdivide blocks.
Q4: Is IPv6 harder than IPv4? Different, but not necessarily harder. Prefix sizes are the key concept.
Q5: Can IPVerdict show the CIDR block? If your tool exposes prefix info, use it. If not, ownership/ASN can still suggest the block context.
Limitations
- A prefix can contain many different customers (especially in clouds).
- Geolocation and reputation can vary inside the same prefix.
- Some providers announce routes in complex ways; prefixes can overlap (less common in simple cases).
Disclaimer
The information in this guide is provided for educational and diagnostic use. Network behavior can vary by environment, configuration, and data sources, so results should be treated as informative signals rather than definitive proof.
Conclusion
Understanding these fundamentals helps you interpret network signals more confidently and troubleshoot issues with fewer false assumptions.