Private IP Address Ranges and IP Subnet/CIDR Rules
Charles Crampton
CEO at Akzium | Cybersecurity, Cloud Computing and High Availability Expert
As more and more devices are connected to internal networks, including PCs, printers, barcode scanners, IoT sensors, and the like, IP address saturation and management become more unwieldy. Some basic networking rules that can give us more options for internal network scalability include thoughtful selection of private IP address schemes and creative use of CIDR IP subnetting.
For example: If you use 192.168.1.0/24 as your base network IP scheme (BTW, you should NEVER do this), your subnet mask for a /24 network is 255.255.255.0, which gives you access to IP addresses from 192.168.1.1 to 192.168.1.254, or 254 IP addresses to assign to network devices. So, what to do if your number of network devices exceeds 254? One option is to implement VLANs, which requires a Layer-3 device to manage VLAN routing. When you are scaling out to thousands of devices, nobody wants to manage hundreds of VLANs. Now, don't get me wrong, network segmentation using VLANs is a basic network security necessity, but limiting yourself to 254 IPs per VLAN in a large environment is foolish (at best), and borderline masochistic (at worst). So, what is a network manager to do? Go back to the basics of using CIDR subnet masking in your favor.
Let's consider for a moment the use of 255.255.255.0 and the alternatives to this default network mask. The table above outlines the initial thirteen CIDR options for subnetting. Notice that a /21 CIDR of 255.255.248.0 would give you 2,048 IP addresses, with 2,046 of those being usable. That's 8X more IP addresses that can be assigned in a single VLAN.
Here's an example for more clarity: If I have a 192.168.1.0 network (again, a TERRIBLE idea. Please never do this.) and I change my subnet mask from 255.255.255.0 to 255.255.254.0, I gain the use of IP addresses in the 192.168.0.0 and 192.168.1.0 ranges, or a total of 512 IPs with 510 of those being usable. But wait, why did that subnet change extend to the LEFT of the IP range instead of the RIGHT of the range, i.e. 192.168.0.0 instead of 192.168.2.0? Well, as with everything else in networking, there are RULES. I won't go into the depths of those here, but save yourself some time and always use a subnet calculator to verify the net effect of a subnet mask change. In this case, if I wanted to use 192.168.2.0 addresses in addition to my 192.168.1.0 addresses, I'd need to use a subnet mask of 255.255.252.0, which gives me access to 192.168.0.0 through 192.168.3.255, or four /24 blocks (1,024 addresses). Notice there is no 255.255.253.0 option - remember, I said there are RULES.
One major caveat here: Be careful when planning your IP subnet ranges for multiple locations to ensure that your subnet masking for one location doesn't overlap a subnet range for a second location. For example, if you have a 192.168.9.0 network with 255.255.252.0 mask, your range is 192.168.8.0 through 192.168.11.255, with your 9.x network falling in the middle of that subnet range. Once again, there are CIDR RULES. A second location would not be able to use a 192.168.11.0 network with a 255.255.255.0 mask and still be able to properly route traffic to your 192.168.9.0/22 network.
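The mask changes and the overlap caveat above can be checked with the standard-library `ipaddress` module. This is an added example, not code from the original article; the site names and the 10.10.8.0/21 range are constructed for illustration.

```python
import ipaddress


def resolve(addr_with_mask):
    """Return the aligned network that contains the given address/mask.

    strict=False applies the CIDR alignment rule: a /23 must start on an
    even third octet, so 192.168.1.0/255.255.254.0 resolves to 192.168.0.0/23
    (the range grows to the LEFT of .1.0, exactly as the article observes).
    """
    net = ipaddress.ip_network(addr_with_mask, strict=False)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "last": str(net.broadcast_address),
        "total": net.num_addresses,
        "usable": max(net.num_addresses - 2, 0),  # minus network and broadcast
    }


def valid_mask(mask):
    """True only for a contiguous mask; 255.255.253.0 has a hole in it and is rejected."""
    try:
        ipaddress.ip_network("0.0.0.0/" + mask, strict=False)
        return True
    except ValueError:
        return False


def conflicts(sites):
    """Return pairs of site names whose subnets overlap (their routes would collide)."""
    nets = [(name, ipaddress.ip_network(cidr, strict=False)) for name, cidr in sites.items()]
    found = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                found.append((name_a, name_b))
    return found


if __name__ == "__main__":
    for spec in ("192.168.1.0/255.255.254.0", "192.168.1.0/255.255.252.0", "192.168.9.0/22"):
        print(spec, "->", resolve(spec))
    print("255.255.253.0 valid?", valid_mask("255.255.253.0"))
    # Constructed site plan: the branch reuses a /24 that sits inside HQ's /22.
    plan = {"HQ": "192.168.9.0/255.255.252.0", "Branch": "192.168.11.0/24", "DC": "10.10.8.0/21"}
    print("overlapping sites:", conflicts(plan))
```

Running `conflicts` over a full site plan before rolling out a mask change catches the 192.168.9.0/22 versus 192.168.11.0/24 collision the article warns about.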
So, as a brief reminder to us all, don't neglect the simplicity of using subnet masking to expand your range of usable IP addresses, but take care in selecting your masking option so as to not break your routing rules.