Module 9: IP Addressing Deep Dive

This module takes you from basic IP understanding to complete mastery. You’ll learn to calculate subnets, understand CIDR notation, and deeply grasp how IP addressing works in real networks. Think of IP addressing like the postal addressing system for the entire internet. Just as a mailing address has a country, city, street, and house number — each narrowing down the location — an IP address has a network portion and a host portion that do the same thing for data. CIDR notation is the system that defines where the “city” ends and the “street address” begins.
Topics covered: CIDR and Subnetting; Private vs Public IP Ranges
Estimated Time: 4-5 hours
Difficulty: Intermediate
Prerequisites: Module 4 (Network Layer basics)

9.1 The Complete Picture of IP Addresses

What is an IP Address Really?

An IP address is a logical address assigned to a device on a network. Unlike MAC addresses (which are assigned by the hardware vendor and normally fixed to the interface, though they can be overridden or spoofed in software), IP addresses are:
  • Configurable: Can be changed
  • Hierarchical: Contain network and host portions
  • Routable: Used to find paths across networks

IPv4 Address Structure

A 32-bit number, typically shown in dotted-decimal notation:
192.168.1.100

Binary: 11000000.10101000.00000001.01100100
        └──────┘ └──────┘ └──────┘ └──────┘
          192      168       1       100
Each octet (8 bits) can range from 0 to 255.

9.2 Network ID vs Host ID

Every IP address has two parts:
Part        Purpose                         Analogy
----------  ------------------------------  ------------
Network ID  Identifies the network          Street name
Host ID     Identifies the specific device  House number
The subnet mask determines where the split occurs.

Example

IP Address:    192.168.1.100
Subnet Mask:   255.255.255.0

Network ID:    192.168.1.0    (First 24 bits)
Host ID:       0.0.0.100      (Last 8 bits)
Mental Model: Think of the Network ID as your ZIP code (gets you to the right neighborhood) and Host ID as your street address (finds the exact house).

9.3 CIDR Notation Explained

CIDR (Classless Inter-Domain Routing) replaced the old class-based system. It uses a prefix length to indicate how many bits belong to the network portion.

The Notation

192.168.1.0/24
            └── 24 bits for network, 8 bits for hosts

Common CIDR Blocks

CIDR  Subnet Mask      Usable Hosts  Use Case
----  ---------------  ------------  -----------------------------------------------------------
/32   255.255.255.255  1             Single host (host route)
/31   255.255.255.254  2             Point-to-point links (RFC 3021: no network/broadcast pair)
/30   255.255.255.252  2             Point-to-point (with network/broadcast)
/29   255.255.255.248  6             Tiny subnet
/28   255.255.255.240  14            Small subnet
/27   255.255.255.224  30            Small office
/26   255.255.255.192  62            Medium subnet
/25   255.255.255.128  126           Large subnet
/24   255.255.255.0    254           Standard LAN
/16   255.255.0.0      65,534        Large organization
/8    255.0.0.0        16,777,214    Massive network

/31 and /32 are special cases: the "subtract 2" formula below does not apply to them, because a /32 is one address and a /31 point-to-point link uses both of its addresses as hosts.

Calculating Hosts

Number of usable hosts = 2^(32 - prefix) - 2   (valid for /30 and shorter; see the /31 and /32 rows above)

Example: /24 network
= 2^(32-24) - 2
= 2^8 - 2
= 256 - 2
= 254 usable hosts

Practical scenario: choosing the right CIDR block

Suppose you are designing a VPC for a startup. You need subnets for web servers (20 instances max), application servers (50 instances max), and databases (5 instances max). Here is how to think through it:
Web tier:     Need 20 hosts -> /27 gives 30 usable (closest fit with room)
App tier:     Need 50 hosts -> /26 gives 62 usable
Database tier: Need 5 hosts -> /29 gives 6 usable

To size a subnet, add 2 to the host count (the network and broadcast addresses), then round up to the next power of two; that power is the block size, and 32 minus log2(block size) is the prefix. Rounding the host count itself up to a power of two and then subtracting 2 is a common shortcut that breaks at the boundaries: 62 hosts rounds to 64 and fits a /26 (62 usable), but 63 hosts also "rounds to 64" and then does not fit.
Always leave room for growth: today's 20 servers become 35 next quarter.
A common mistake is choosing a /28 for the web tier (14 usable hosts) because "we only have 10 servers today." Six months later you need 16, and re-subnetting a live environment is painful.
Why -2? The first address is the Network Address (all host bits = 0) and the last is the Broadcast Address (all host bits = 1). Neither can be assigned to a host. For example, in 192.168.1.0/24:
  • 192.168.1.0 is the network address (identifies the subnet itself)
  • 192.168.1.255 is the broadcast address (sends to all devices on the subnet)
  • 192.168.1.1 through 192.168.1.254 are the 254 usable addresses
Cloud exception: In AWS VPCs, Amazon reserves 5 addresses per subnet (not just 2). The first four and the last address are reserved: network address, VPC router, DNS server, future use, and broadcast. So a /24 in AWS gives you 251 usable IPs, not 254. This catches people off guard when they plan subnet sizes too tightly.
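The bit-level mechanics above (mask AND for the network ID, host bits set for the broadcast, the -2 rule with its /31, /32 and AWS exceptions, and the same-subnet test that the troubleshooting checklist in 9.7 relies on), as an added example that is not code from this module. It is plain Python with no external dependencies; the AWS_RESERVED constant encodes the five-address reservation described above, and the standard library's ipaddress module is used only to cross-check the hand-rolled arithmetic.

```python
from __future__ import annotations
import ipaddress

# AWS reserves the network address, the VPC router (+1), the DNS resolver (+2),
# one address for future use (+3) and the broadcast address in every subnet.
AWS_RESERVED = 5


def parse_cidr(cidr: str) -> tuple[int, int]:
    """Turn 'a.b.c.d/n' (or a bare 'a.b.c.d', treated as /32) into (32-bit int, prefix)."""
    addr_str, _, prefix_str = cidr.partition("/")
    octets = addr_str.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr_str!r}")
    prefix = int(prefix_str) if prefix_str else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix_str!r}")
    addr = 0
    for o in octets:                      # pack octets exactly as the binary diagram shows
        addr = (addr << 8) | int(o)
    return addr, prefix


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask(prefix: int) -> int:
    """`prefix` one-bits followed by (32 - prefix) zero-bits, e.g. /24 -> 0xFFFFFF00."""
    return 0xFFFFFFFF ^ ((1 << (32 - prefix)) - 1)


def usable_hosts(prefix: int, cloud: str = "") -> int:
    """Addresses assignable to hosts, with the /31, /32 and AWS exceptions."""
    if prefix == 32:
        return 1                          # a single host: no network/broadcast pair
    if prefix == 31:
        return 2                          # RFC 3021 point-to-point link: both addresses are hosts
    total = 1 << (32 - prefix)
    if cloud == "aws":
        return total - AWS_RESERVED
    return total - 2


def describe(cidr: str) -> dict[str, object]:
    """Network ID, host ID, broadcast and usable range, computed from the bits."""
    addr, prefix = parse_cidr(cidr)
    mask = netmask(prefix)
    host_mask = 0xFFFFFFFF ^ mask
    network = addr & mask                 # host bits cleared
    broadcast = network | host_mask       # host bits set
    if prefix >= 31:                      # no reserved pair on /31 and /32
        first, last = network, broadcast
    else:
        first, last = network + 1, broadcast - 1
    return {
        "network": f"{to_dotted(network)}/{prefix}",
        "mask": to_dotted(mask),
        "host_id": to_dotted(addr & host_mask),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
        "usable": usable_hosts(prefix),
    }


def same_subnet(host_cidr: str, other_ip: str) -> bool:
    """True when `other_ip` shares the network ID of `host_cidr` (troubleshooting steps 2 and 3)."""
    addr, prefix = parse_cidr(host_cidr)
    other, _ = parse_cidr(other_ip)
    mask = netmask(prefix)
    return (addr & mask) == (other & mask)


def matches_stdlib(cidr: str) -> bool:
    """Cross-check the hand-rolled math against Python's ipaddress module."""
    mine = describe(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (mine["network"] == str(net)
            and mine["broadcast"] == str(net.broadcast_address)
            and mine["mask"] == str(net.netmask))


if __name__ == "__main__":
    for cidr in ("192.168.1.100/24", "10.0.0.1/31", "172.16.45.130/26"):
        print(cidr, describe(cidr), "stdlib-ok" if matches_stdlib(cidr) else "MISMATCH")
    print("AWS /24 usable:", usable_hosts(24, cloud="aws"))
    print("10.0.1.50/24 reaches 10.0.2.1 without a router?", same_subnet("10.0.1.50/24", "10.0.2.1"))
```

The same_subnet check is the one to run when a host cannot reach its gateway: a device at 10.0.1.50/24 with a gateway of 10.0.2.1 fails it, while the same device misconfigured with a /16 mask passes it, which is exactly why that misconfiguration sends traffic to the wrong place.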

9.4 Subnetting Step-by-Step

Problem: Divide 192.168.1.0/24 into 4 equal subnets

Step 1: Determine bits needed
4 subnets = 2^n where n = 2
Need to borrow 2 bits from host portion
Step 2: Calculate new prefix
Original: /24
Borrowed: 2 bits
New prefix: /26
Step 3: Calculate subnet size
Hosts per subnet = 2^(32-26) - 2 = 62 hosts
Block size = 64 (2^6)
Step 4: List the subnets
Subnet  Network Address    First Host     Last Host      Broadcast
------  -----------------  -------------  -------------  -------------
1       192.168.1.0/26     192.168.1.1    192.168.1.62   192.168.1.63
2       192.168.1.64/26    192.168.1.65   192.168.1.126  192.168.1.127
3       192.168.1.128/26   192.168.1.129  192.168.1.190  192.168.1.191
4       192.168.1.192/26   192.168.1.193  192.168.1.254  192.168.1.255

Quick Subnet Cheat Sheet

For /24 networks being subnetted:
New Prefix  Subnets  Hosts/Subnet  Block Size
----------  -------  ------------  ----------
/25         2        126           128
/26         4        62            64
/27         8        30            32
/28         16       14            16
/29         32       6             8
/30         64       2             4
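The four-step procedure and the cheat sheet in code, as an added Python example that is not from the module: split_equal borrows the host bits and lists each subnet the way the table in Step 4 does, cheat_sheet_row reproduces one line of the cheat sheet for any parent prefix, and containing_subnet implements the "divide the interesting octet by the block size and take the floor" shortcut used in the practice problems later in this module, generalised to prefixes that do not fall on an octet boundary. The inputs are the module's own 192.168.1.0/24 and 172.16.45.130; the standard library's ipaddress module is used to cross-check.

```python
from __future__ import annotations
import ipaddress


def bits_to_borrow(subnet_count: int) -> int:
    """Step 1: smallest n with 2^n >= subnet_count (4 -> 2, 5 -> 3, 8 -> 3)."""
    n = 0
    while (1 << n) < subnet_count:
        n += 1
    return n


def split_equal(cidr: str, subnet_count: int) -> list[dict[str, object]]:
    """Steps 2-4: compute the new prefix, then list every resulting subnet and its ranges."""
    parent = ipaddress.ip_network(cidr, strict=True)
    new_prefix = parent.prefixlen + bits_to_borrow(subnet_count)
    if new_prefix > 30:                   # /31 and /32 have no network/broadcast pair
        raise ValueError(f"{cidr} cannot be split into {subnet_count} host subnets")
    rows = []
    for sub in parent.subnets(new_prefix=new_prefix):
        rows.append({
            "network": str(sub),                         # e.g. 192.168.1.64/26
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "block_size": sub.num_addresses,            # 2^(32 - new_prefix)
        })
    return rows


def cheat_sheet_row(parent_prefix: int, new_prefix: int) -> tuple[int, int, int]:
    """(subnets, hosts per subnet, block size) for one line of the cheat sheet."""
    subnets = 1 << (new_prefix - parent_prefix)
    block = 1 << (32 - new_prefix)
    return subnets, block - 2, block


def containing_subnet(ip: str, prefix: int) -> str:
    """The floor-division shortcut.

    Only one octet is "interesting": the one the prefix boundary falls in.
    Its value is rounded down to a multiple of the block size and every
    octet after it becomes 0.
    """
    octets = [int(o) for o in ip.split(".")]
    if prefix == 32:
        return f"{ip}/32"
    i = prefix // 8                       # octet the boundary falls in
    block = 256 >> (prefix % 8)           # 2^(8 - network bits used in that octet)
    octets[i] = (octets[i] // block) * block
    for j in range(i + 1, 4):
        octets[j] = 0
    return ".".join(map(str, octets)) + f"/{prefix}"


def shortcut_matches_stdlib(ip: str, prefix: int) -> bool:
    return containing_subnet(ip, prefix) == str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


if __name__ == "__main__":
    for row in split_equal("192.168.1.0/24", 4):
        print(row)
    for p in range(25, 31):
        print(f"/{p}", cheat_sheet_row(24, p))
    print(containing_subnet("172.16.45.130", 26), shortcut_matches_stdlib("172.16.45.130", 26))
```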

9.5 Private vs Public IP Addresses

The Problem

There are only ~4.3 billion IPv4 addresses (2^32), but billions of devices need to connect.

The Solution: Private IP Ranges

RFC 1918 reserved three blocks for private use:
Range                          CIDR            # of Addresses  Typical Use
-----------------------------  --------------  --------------  -----------------------------
10.0.0.0 - 10.255.255.255      10.0.0.0/8      16,777,216      Large enterprises, Cloud VPCs
172.16.0.0 - 172.31.255.255    172.16.0.0/12   1,048,576       Medium organizations
192.168.0.0 - 192.168.255.255  192.168.0.0/16  65,536          Home/Small office

Key Rules

Private IPs

  • Not routable on the public internet
  • Can be reused by any organization
  • Need NAT to reach the internet
  • Free to use, no registration needed

Public IPs

  • Globally unique and routable
  • Assigned by IANA → RIRs → ISPs
  • Must be purchased/leased
  • Required for internet-facing services

Can Multiple Organizations Use the Same Private IP?

Yes! This is exactly the point. Consider:
Company A Office:          Company B Office:
┌─────────────────┐        ┌─────────────────┐
│ 192.168.1.0/24  │        │ 192.168.1.0/24  │
│                 │        │                 │
│ PC: 192.168.1.5 │        │ PC: 192.168.1.5 │
│ PC: 192.168.1.6 │        │ PC: 192.168.1.6 │
└────────┬────────┘        └────────┬────────┘
         │                          │
    NAT Gateway               NAT Gateway
    Public: 203.0.113.10      Public: 198.51.100.20
         │                          │
         └──────────┬───────────────┘

              ┌─────┴─────┐
              │  Internet │
              └───────────┘
Both companies use 192.168.1.5 internally, but that's fine because:
  1. Private addresses are not routed on the public internet (ISPs drop packets sourced from or destined to RFC 1918 space)
  2. NAT translates them to unique public IPs before packets hit the internet
  3. The internet only sees the public IPs
The reuse cuts both ways: two private networks that later need to talk to each other directly (a VPN, VPC peering, a merger) collide if they picked the same range, and renumbering one side is painful. That is why address plans are coordinated centrally, as the Interview Deep-Dive at the end of this module describes.

9.6 Special IP Addresses

Address/Range    Purpose
---------------  ----------------------------------------------------------------------------------------
0.0.0.0          "This network"; as 0.0.0.0/0, the default route; as a socket bind address, "all interfaces"
127.0.0.0/8      Loopback (localhost); the whole /8 loops back, not just 127.0.0.1
169.254.0.0/16   Link-local (APIPA): self-assigned when DHCP fails; 169.254.169.254 is the cloud instance metadata endpoint
224.0.0.0/4      Multicast
255.255.255.255  Limited broadcast (this network only; routers never forward it)
100.64.0.0/10    Shared address space (RFC 6598) for carrier-grade NAT; also a common pod CIDR for Kubernetes CNIs
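An added example, not part of the module, that turns the two tables above (the RFC 1918 ranges from 9.5 and the special addresses from 9.6) into a classifier and uses it as the address-level half of an outbound-request check of the kind the Interview Deep-Dive at the end of this module discusses for SSRF. The SPECIAL_RANGES table is constructed for this example: it adds RFC 6598 shared address space (100.64.0.0/10), the class E reserved block and the IPv6 counterparts from 9.7, and the labels are names chosen here. Two details a practitioner cares about: an IPv4-mapped IPv6 literal such as ::ffff:169.254.169.254 is unwrapped before classification, and non-canonical spellings (a bare decimal, octal octets) are rejected rather than guessed at.

```python
from __future__ import annotations
import ipaddress

# Constructed table for this example. Order only matters where ranges nest
# (255.255.255.255 sits inside the class E block 240.0.0.0/4).
SPECIAL_RANGES = [
    ("this-network", "0.0.0.0/8"),
    ("loopback", "127.0.0.0/8"),
    ("rfc1918-private", "10.0.0.0/8"),
    ("rfc1918-private", "172.16.0.0/12"),
    ("rfc1918-private", "192.168.0.0/16"),
    ("shared-cgnat", "100.64.0.0/10"),
    ("link-local", "169.254.0.0/16"),     # includes cloud metadata at 169.254.169.254
    ("multicast", "224.0.0.0/4"),
    ("broadcast", "255.255.255.255/32"),
    ("reserved", "240.0.0.0/4"),
    ("unspecified", "::/128"),
    ("loopback", "::1/128"),
    ("link-local", "fe80::/10"),
    ("unique-local", "fc00::/7"),
    ("multicast", "ff00::/8"),
]
_NETWORKS = [(label, ipaddress.ip_network(cidr)) for label, cidr in SPECIAL_RANGES]


def classify(address: str) -> str:
    """Label an address with the special range it falls in, or 'public'.

    Anything that is not a plain dotted-quad or an RFC 4291 IPv6 literal
    (a bare decimal such as '2852039166', octal octets, hex forms) comes
    back as 'invalid' rather than being interpreted, so callers fail closed.
    """
    try:
        addr = ipaddress.ip_address(address.strip())
    except ValueError:
        return "invalid"
    # ::ffff:169.254.169.254 is an IPv4 address in an IPv6 coat; unwrap it so
    # the IPv4 rules apply instead of it slipping through as a public v6 host.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for label, net in _NETWORKS:
        if addr.version == net.version and addr in net:
            return label
    return "public"


def egress_allowed(address: str) -> bool:
    """Allow-list policy for an outbound fetch: only globally routable targets.

    This is only the IP-level half of an SSRF defence. Apply it to the address
    actually connected to (after DNS resolution, and again after each
    redirect), because a hostname can resolve to 169.254.169.254 just as easily.
    """
    return classify(address) == "public"


if __name__ == "__main__":
    for probe in ("1.1.1.1", "10.0.0.5", "169.254.169.254", "::ffff:169.254.169.254",
                  "2852039166", "fe80::1", "2001:4860:4860::8888"):
        print(f"{probe:26} {classify(probe):16} egress_allowed={egress_allowed(probe)}")
```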

9.7 IPv6 Addressing

Why IPv6?

IPv4 has ~4.3 billion addresses. IPv6 has:
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
That’s 340 undecillion addresses - enough to assign trillions of addresses to every grain of sand on Earth.

IPv6 Format

2001:0db8:85a3:0000:0000:8a2e:0370:7334

8 groups of 4 hexadecimal digits (16 bits each)
Total: 128 bits

Simplification Rules

  1. Leading zeros can be omitted:
    2001:0db8 → 2001:db8
    
  2. Consecutive zero groups can be replaced with :: (once per address):
    2001:0db8:0000:0000:0000:0000:0000:0001
    → 2001:db8::1
    

IPv6 Address Types

Type            Prefix     Description                                         IPv4 Equivalent
--------------  ---------  --------------------------------------------------  ---------------------------------
Global Unicast  2000::/3   Public, routable                                    Public IPv4 addresses
Link-Local      fe80::/10  Auto-configured, not routable beyond local segment  169.254.x.x (APIPA)
Unique Local    fc00::/7   Private, not routable on the internet               10.x.x.x, 172.16.x.x, 192.168.x.x
Loopback        ::1        Localhost                                           127.0.0.1
In practice only the fd00::/8 half of fc00::/7 is used for unique local addresses (RFC 4193); the fc00::/8 half has never been defined.
Every IPv6 interface automatically gets a link-local address (starting with fe80::), even without any manual configuration or DHCP. This is useful for neighbor discovery and local communication. However, these addresses cannot be routed beyond the local network segment — for internet connectivity, you need a global unicast address.
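The two simplification rules and the type table, as an added Python example that is not from the module: expand undoes the rules, compress applies them the way RFC 5952 specifies (only a run of two or more zero groups is collapsed, and the leftmost run wins a tie), address_type classifies by prefix, and the standard library's ipaddress module is used only to cross-check.

```python
from __future__ import annotations
import ipaddress


def expand(address: str) -> list[int]:
    """Undo both simplification rules: return the eight 16-bit groups as integers."""
    if address.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in address:
        head, tail = address.split("::")
        head_groups = [int(g, 16) for g in head.split(":")] if head else []
        tail_groups = [int(g, 16) for g in tail.split(":")] if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = [int(g, 16) for g in address.split(":")]
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not a 128-bit address: {address!r}")
    return groups


def compress(address: str) -> str:
    """Rule 1 (drop leading zeros) and rule 2 (one '::' for the longest zero run)."""
    groups = expand(address)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:              # strictly longer only: ties keep the earlier run
            best_start, best_len = i, j - i
        i = j
    hexes = [format(g, "x") for g in groups]     # rule 1: no zero padding
    if best_len < 2:                             # RFC 5952: never collapse a single 0 group
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def address_type(address: str) -> str:
    """Classify by prefix, matching the table above."""
    groups = expand(address)
    first = groups[0]
    if groups == [0] * 8:
        return "unspecified"
    if groups == [0] * 7 + [1]:
        return "loopback"
    if first & 0xFFC0 == 0xFE80:          # fe80::/10
        return "link-local"
    if first & 0xFE00 == 0xFC00:          # fc00::/7
        return "unique-local"
    if first & 0xFF00 == 0xFF00:          # ff00::/8
        return "multicast"
    if first & 0xE000 == 0x2000:          # 2000::/3
        return "global-unicast"
    return "other"


def matches_stdlib(address: str) -> bool:
    return compress(address) == ipaddress.IPv6Address(address).compressed


if __name__ == "__main__":
    for a in ("2001:0db8:85a3:0000:0000:8a2e:0370:7334", "2001:0db8:0000:0000:0000:0000:0000:0001",
              "2001:db8:0:0:1:0:0:1", "fe80::1", "::1"):
        print(f"{a:42} -> {compress(a):28} {address_type(a)}  stdlib-ok={matches_stdlib(a)}")
```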
Troubleshooting IP addressing: When a device cannot communicate on the network, check these in order:
  1. Does it have an IP address? (ip addr on Linux, ipconfig on Windows.) A 169.254.x.x address means DHCP failed and the host self-assigned a link-local address.
  2. Is it on the correct subnet? If the device is 10.0.1.50/24 but the gateway is 10.0.2.1, the two are on different subnets and the device has no on-link path to its gateway.
  3. Is the subnet mask correct? A /16 mask on a /24 network makes the device treat far more addresses as local than actually are: it ARPs for them directly instead of handing them to the router, so traffic to anything outside the real /24 silently goes nowhere.
  4. Ping the gateway first. If that fails, the problem is Layer 2 or Layer 1 (cabling, switch port, VLAN).

9.8 Practice Problems

Problem 1: How many /24 networks can you carve out of a single /8?

Solution:
/8 has 24 bits for hosts (32 - 8 = 24)
/24 has 8 bits for hosts (32 - 24 = 8)

Bits to borrow: 24 - 8 = 16 bits
Number of /24 networks: 2^16 = 65,536

Answer: You can create 65,536 /24 networks from a /8
Problem 2: For the host 172.16.45.130/26, find the network address, the address range and the broadcast address.

Solution:
/26 means 26 network bits, 6 host bits
Block size = 2^6 = 64

172.16.45.130 ÷ 64 = 2.03... → Subnet starts at 2 × 64 = 128

Network: 172.16.45.128/26
Range: 172.16.45.128 - 172.16.45.191
Broadcast: 172.16.45.191
Problem 3: Subnet 192.168.10.0/24 for three departments.

Requirements:
  • Engineering: 50 hosts
  • Sales: 20 hosts
  • HR: 10 hosts
  • Starting block: 192.168.10.0/24
Solution:
Dept         Hosts Needed  Subnet Size     CIDR               Usable Range
-----------  ------------  --------------  -----------------  ------------
Engineering  50            /26 (62 hosts)  192.168.10.0/26    .1 - .62
Sales        20            /27 (30 hosts)  192.168.10.64/27   .65 - .94
HR           10            /28 (14 hosts)  192.168.10.96/28   .97 - .110
Remaining: 192.168.10.112 - 192.168.10.255 (for future use)
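Problem 3 worked in code, as an added example that is not from the module: prefix_for implements the "add the reserved addresses, then round up to a power of two" sizing rule from 9.3 (reserved=5 reproduces the AWS case), allocate hands out subnets largest-first so each one starts on its own block boundary, free_space reports what is left over, and overlapping_pairs is the non-overlap check that the Interview Deep-Dive at the end of this module calls for before peering VPCs or connecting a VPN. The department names and host counts are the problem's own; the 10.x.0.0/16 ranges are the ones the interview answer uses.

```python
from __future__ import annotations
import ipaddress


def prefix_for(hosts: int, reserved: int = 2) -> int:
    """Smallest prefix whose block holds `hosts` plus the reserved addresses.

    reserved=2 is plain IPv4 (network + broadcast); pass reserved=5 for an AWS subnet.
    """
    needed = hosts + reserved
    block = 1
    while block < needed:
        block <<= 1
    return 32 - (block.bit_length() - 1)


def allocate(parent: str, demands: dict[str, int], reserved: int = 2) -> dict[str, ipaddress.IPv4Network]:
    """Variable-length subnetting: hand out the largest request first.

    Descending order keeps every subnet naturally aligned to its own block
    size, so no address space is lost to alignment padding.
    """
    parent_net = ipaddress.ip_network(parent, strict=True)
    cursor = int(parent_net.network_address)
    limit = int(parent_net.broadcast_address) + 1
    plan: dict[str, ipaddress.IPv4Network] = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for(hosts, reserved)
        size = 1 << (32 - prefix)
        if cursor % size:                 # defensive: cannot trigger with descending sizes
            cursor += size - cursor % size
        if cursor + size > limit:
            raise ValueError(f"{parent} exhausted while allocating {name} (/{prefix})")
        plan[name] = ipaddress.IPv4Network((cursor, prefix))
        cursor += size
    return plan


def fits(parent: str, demands: dict[str, int], reserved: int = 2) -> bool:
    try:
        allocate(parent, demands, reserved)
        return True
    except ValueError:
        return False


def free_space(parent: str, plan: dict[str, ipaddress.IPv4Network]) -> list[str]:
    """Everything in `parent` not covered by `plan`, as the fewest CIDR blocks."""
    remaining = [ipaddress.ip_network(parent)]
    for used in plan.values():
        remaining = [piece for block in remaining
                     for piece in (block.address_exclude(used) if used.subnet_of(block) else [block])]
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def overlapping_pairs(cidrs: list[str]) -> list[tuple[str, str]]:
    """Pairs of CIDRs that share at least one address; must be empty before peering or VPN."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    plan = allocate("192.168.10.0/24", {"Engineering": 50, "Sales": 20, "HR": 10})
    for name, net in plan.items():
        print(f"{name:12} {net}  usable {net.num_addresses - 2}")
    print("free:", free_space("192.168.10.0/24", plan))
    print("overlaps:", overlapping_pairs(["10.1.0.0/16", "10.2.0.0/16", "10.1.128.0/17"]))
```

Changing reserved to 5 shows the AWS effect from 9.3 directly: 30 hosts fit a /27 on plain IPv4 but need a /26 in a VPC, because 30 + 5 no longer fits in 32 addresses.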

9.9 Key Takeaways

CIDR is Essential

Master /24, /26, /28 calculations. They appear in every cloud and network config.

Private IPs are Reusable

10.x.x.x can be used by millions of organizations simultaneously. The flip side is that two networks which must one day be joined (peering, VPN, acquisition) need non-overlapping plans from the start.

Always Plan for Growth

Leave room in your subnetting for future expansion.

IPv6 is Here

No NAT needed; every device can have a globally routable address. That also removes the accidental shielding NAT gave private hosts, so IPv6 hosts must be protected by explicit firewall policy rather than by being unreachable.

Next Module

Module 10: NAT & PAT Deep Dive

Understand how private networks communicate with the internet through Network Address Translation.

Interview Deep-Dive

Strong Answer:
  • I would start with a large VPC CIDR like 10.0.0.0/16, providing 65,534 usable addresses with room for growth. The most common mistake is choosing a /24 “because we only have 10 servers today” and running out within a year.
  • For subnet strategy, I create at least three tiers across multiple AZs: public subnets (load balancers, bastion hosts), private application subnets (microservices), and private data subnets (databases). Each tier gets a /20 per AZ; with 3 AZs and 3 tiers that is 9 subnets of 4,096 addresses each, using 36,864 of the /16 and leaving the rest for later tiers. (A /19 per subnet does not fit across the board: nine /19s need 73,728 addresses, more than a /16 holds.)
  • I account for AWS’s 5-address reservation per subnet. A /24 in AWS gives 251 usable IPs, not 254. For microservices on EKS with VPC CNI, each node consumes multiple addresses (one per pod), so a /24 can be exhausted with just 15 nodes running 40 pods each.
  • I ensure the VPC CIDR does not overlap with any other VPCs that might need peering, on-premises networks via VPN, or third-party networks. I coordinate ranges centrally: 10.1.0.0/16 for production, 10.2.0.0/16 for staging, 10.3.0.0/16 for dev.
Follow-up: Why does the VPC CNI plugin consume so many IP addresses, and what alternatives exist? The AWS VPC CNI assigns each Kubernetes pod a real VPC IP from the subnet, making pods first-class VPC citizens with direct access to VPC resources and per-pod security groups. Pod capacity per node is bounded by ENIs x (IPs per ENI - 1) + 2; a c5.xlarge (4 ENIs with 15 IPs each) therefore supports about 58 pods, every one of them consuming a subnet address. Alternatives include overlay CNIs like Calico or Cilium, which assign pod IPs from a separate CIDR range (e.g., 100.64.x.x) encapsulated in VXLAN or IPIP tunnels. This reduces VPC IP consumption dramatically but adds overhead and loses VPC-native features. A middle ground is VPC CNI custom networking: attach a secondary CIDR from the 100.64.0.0/10 shared address space to the VPC and place pods there, so pods stay VPC-native while the primary range is spared. The choice depends on whether VPC integration or IP efficiency is the higher priority.
Strong Answer:
  • A /26 means 26 network bits and 6 host bits. Block size is 2^6 = 64 addresses per subnet. Subnets start at multiples of 64: .0, .64, .128, .192.
  • 172.16.45.130 falls in the .128 block (130 is between 128 and 191). Network address: 172.16.45.128/26.
  • Broadcast address: 172.16.45.128 + 64 - 1 = 172.16.45.191.
  • Usable range: 172.16.45.129 through 172.16.45.190, giving 62 usable hosts.
  • Subnet mask: 255.255.255.192 (last octet: 128 + 64 = 192).
  • My shortcut: divide the host octet by the block size and take the floor. 130 / 64 = 2.03, floor 2, start at 2 x 64 = 128.
Follow-up: When would you use a /26 versus a /24 or /28 in the real world? A /26 (62 hosts) is good for small, scoped subnets like a private database tier with 20-30 RDS instances. A /24 (254 hosts) is the standard default for general-purpose subnets because it is easy to reason about. A /28 (14 hosts) works for very tightly scoped uses: management subnets for bastion hosts, NAT Gateways, or point-to-point links. In AWS, /28 is the smallest allowed subnet (5 reserved addresses leave 11 usable). I default to /24 for application subnets and use smaller subnets (longer prefixes) only for security segmentation or address conservation.
Strong Answer:
  • 0.0.0.0 has two meanings. In routing, 0.0.0.0/0 is the default route matching everything. In socket binding, it means "listen on all interfaces": binding to 0.0.0.0:8080 accepts connections on every network interface. A common "works locally" bug is binding to 127.0.0.1, which is reachable from the same host but invisible from other machines. The reverse mistake matters more for security: a service that only local processes should reach, bound to 0.0.0.0 on a host with a public interface, is exposed to the internet. Choose the bind address deliberately, and put anything bound to 0.0.0.0 behind a firewall or security group.
  • 127.0.0.1 (and the entire 127.0.0.0/8 range) is the loopback address. Traffic never leaves the kernel’s network stack. Used for local IPC, testing, and same-host service communication. The full /8 is reserved — 127.0.0.2 also loops back, which some apps use to distinguish local services.
  • 169.254.0.0/16 is the link-local (APIPA) range. Devices self-assign from this range when DHCP fails. Not routable across routers. In AWS, 169.254.169.254 is the instance metadata service (IMDS) endpoint; every EC2 instance queries it for IAM role credentials, instance identity, and user data. Azure and Google Cloud serve their instance metadata from the same address.
Follow-up: Why is the AWS metadata endpoint at 169.254.169.254 a security concern? IMDS hands out the instance role's temporary IAM credentials in response to a plain HTTP GET, with no authentication beyond the request originating on the instance. If an attacker achieves SSRF (Server-Side Request Forgery) against an application running there, they can make it request http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name and read back credentials that are valid from anywhere on the internet. This was the vector in the 2019 Capital One breach: SSRF through a misconfigured WAF yielded role credentials that unlocked S3 buckets with customer data. The defense is IMDSv2, which requires a session token obtained with a PUT request (carrying a TTL header) before any metadata can be read; token requests that arrive with an X-Forwarded-For header are refused, and the token response is sent with an IP TTL of 1 by default so it does not survive a hop through a container or proxy. Most SSRF primitives can only issue a bare GET, so IMDSv2 closes the common case, but it is not a substitute for fixing the SSRF: a primitive that controls the method and headers can still complete the PUT. Enforce IMDSv2 (HttpTokens=required, which disables IMDSv1) and keep the instance role's permissions to the minimum the workload needs, so a leaked credential is worth as little as possible.
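The IMDSv1-versus-IMDSv2 exchange, as an added example that is not from the module or from AWS. FakeImdsV2 is a constructed loopback stand-in for the metadata service with HttpTokens=required; it is not the real service and models only two of its rules (a token must be obtained with a PUT, and a token request carrying X-Forwarded-For is refused; the hop-limit rule is omitted). The header names and paths are the real IMDS ones, the credentials it returns are made up. ssrf_style_get plays the GET-only SSRF primitive, imdsv2_get plays a legitimate client (optionally relayed through a proxy that adds X-Forwarded-For), and demo runs all three cases against the stand-in.

```python
from __future__ import annotations
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


class FakeImdsV2(BaseHTTPRequestHandler):
    """Constructed stand-in for IMDS with IMDSv2 enforced (not the real service)."""
    issued_tokens: set[str] = set()

    def log_message(self, *_args):        # keep the demo quiet
        pass

    def _reply(self, status: int, body: bytes) -> None:
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # Real IMDSv2 refuses token requests that a proxy has relayed (X-Forwarded-For present).
        if (self.path != "/latest/api/token" or TTL_HEADER not in self.headers
                or "X-Forwarded-For" in self.headers):
            return self._reply(400, b"bad token request")
        token = secrets.token_urlsafe(32)
        self.issued_tokens.add(token)
        self._reply(200, token.encode())

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) not in self.issued_tokens:
            return self._reply(401, b"token required")   # IMDSv1-style GET is refused
        if self.path.startswith(CREDS_PATH):
            return self._reply(200, b'{"AccessKeyId": "ASIA-CONSTRUCTED", "SecretAccessKey": "constructed"}')
        self._reply(404, b"not found")


def start_fake_imds() -> tuple[HTTPServer, str]:
    server = HTTPServer(("127.0.0.1", 0), FakeImdsV2)   # ephemeral port on loopback
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _status(request: urllib.request.Request) -> int:
    try:
        with urllib.request.urlopen(request, timeout=3) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def ssrf_style_get(base: str, path: str) -> int:
    """What a GET-only SSRF primitive can do: one plain GET, no custom headers."""
    return _status(urllib.request.Request(base + path))


def imdsv2_get(base: str, path: str, via_proxy: bool = False) -> int:
    """The legitimate two-step flow: PUT for a session token, then GET with the token."""
    headers = {TTL_HEADER: "21600"}
    if via_proxy:
        headers["X-Forwarded-For"] = "10.0.0.9"     # what a relaying proxy adds
    token_req = urllib.request.Request(base + "/latest/api/token", method="PUT", headers=headers)
    try:
        with urllib.request.urlopen(token_req, timeout=3) as resp:
            token = resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code
    return _status(urllib.request.Request(base + path, headers={TOKEN_HEADER: token}))


def demo() -> dict[str, int]:
    """Run the three cases against the stand-in and return their HTTP status codes."""
    server, base = start_fake_imds()
    try:
        return {
            "ssrf_get": ssrf_style_get(base, CREDS_PATH + "role-name"),
            "v2_flow": imdsv2_get(base, CREDS_PATH + "role-name"),
            "v2_via_proxy": imdsv2_get(base, CREDS_PATH + "role-name", via_proxy=True),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())   # {'ssrf_get': 401, 'v2_flow': 200, 'v2_via_proxy': 400}
```

The bare GET that an SSRF gadget can produce gets 401, the two-step client gets the credentials, and the same client relayed through a proxy is refused at the token step. None of this helps if the attacker's primitive can send a PUT with arbitrary headers, which is why the SSRF itself still has to be fixed.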