CIDR Notation Explained
Learn how to use CIDR (Classless Inter-Domain Routing) notation to authorize ranges of IP addresses in KnoxCall.
What is CIDR?
CIDR (pronounced “cider”) is a way to represent a range of IP addresses using a single notation.
Example: 192.168.1.0/24
Parts:
192.168.1.0 - Network address (base IP)
/24 - Prefix length (how many leading bits are fixed, which determines how many IPs are in the range)
Why Use CIDR?
The Problem Without CIDR
Imagine authorizing an office with 200 employees:
❌ Without CIDR (tedious):
192.168.1.1
192.168.1.2
192.168.1.3
...
192.168.1.200
(Need 200 separate client entries!)
The Solution With CIDR
✅ With CIDR (one entry):
192.168.1.0/24
(Covers 192.168.1.1 to 192.168.1.254 - all 254 usable IPs!)
How CIDR Works
The Prefix Number
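The number after the / is the prefix length: how many of the 32 address bits are fixed. The remaining bits are free to vary, so the prefix tells you how many IPs are in the range.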
Formula:
Number of IPs = 2^(32 - prefix)
Examples:
/32 → 2^(32-32) = 2^0 = 1 IP
/24 → 2^(32-24) = 2^8 = 256 IPs
/16 → 2^(32-16) = 2^16 = 65,536 IPs
/8 → 2^(32-8) = 2^24 = 16,777,216 IPs
Common CIDR Ranges
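| CIDR | IPs | Common Use | Example |
|------|-----|------------|---------|
| /32 | 1 | Single host | 52.123.45.67/32 |
| /30 | 4 | Point-to-point | 10.0.0.0/30 |
| /28 | 16 | Small subnet | 192.168.1.0/28 |
| /24 | 256 | Office network | 192.168.1.0/24 |
| /20 | 4,096 | Large network | 172.31.0.0/20 |
| /16 | 65,536 | Corporate VPN | 10.0.0.0/16 |
| /8 | 16M+ | Very large | 10.0.0.0/8 |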
/24 - Most Common (256 IPs)
Example: Office Network (192.168.1.0/24)
Range covered:
First IP: 192.168.1.0 (network address - reserved)
Usable: 192.168.1.1 to 192.168.1.254
Last IP: 192.168.1.255 (broadcast - reserved)
Total: 256 addresses
Usable: 254 addresses (for devices)
What changes:
Last octet (number): 0 to 255
Everything else stays the same
Authorizes:
✅ 192.168.1.1 (office computer)
✅ 192.168.1.50 (another computer)
✅ 192.168.1.100 (developer laptop)
✅ 192.168.1.254 (last usable)
❌ 192.168.2.1 (different subnet!)
❌ 192.168.0.255 (different subnet!)
/16 - Large Networks (65,536 IPs)
Example: Corporate VPN (10.8.0.0/16)
Range covered:
First IP: 10.8.0.0
Usable: 10.8.0.1 to 10.8.255.254
Last IP: 10.8.255.255
Total: 65,536 addresses
What changes:
Last TWO octets: 0.0 to 255.255
First two stay the same: 10.8
Authorizes:
✅ 10.8.0.1 (VPN user 1)
✅ 10.8.0.50 (VPN user 50)
✅ 10.8.100.200 (VPN user on different subnet)
✅ 10.8.255.254 (last usable)
❌ 10.7.0.1 (different network)
❌ 10.9.0.1 (different network)
/20 - Cloud Subnets (4,096 IPs)
Example: AWS VPC Subnet (172.31.0.0/20)
Range covered:
First IP: 172.31.0.0
Usable: 172.31.0.1 to 172.31.15.254
Last IP: 172.31.15.255
Total: 4,096 addresses
What changes:
Last octet: Full range (0-255)
Third octet: Partial range (0-15)
Authorizes:
✅ 172.31.0.1 (EC2 instance)
✅ 172.31.5.100 (another instance)
✅ 172.31.15.254 (last usable)
❌ 172.31.16.1 (outside range - /20 only goes to .15)
❌ 172.30.0.1 (different network)
/32 - Single IP (Don’t Use CIDR)
Example: Single Server (52.123.45.67/32)
Range covered:
Just: 52.123.45.67
Total: 1 address (only this specific IP)
Note: In KnoxCall, just enter 52.123.45.67 without /32. It’s implied.
Calculating CIDR Ranges
Quick Method
Step 1: Look at the prefix
/24 → Last octet varies (256 IPs)
/16 → Last 2 octets vary (65,536 IPs)
/8 → Last 3 octets vary (16M IPs)
Step 2: Calculate range
/24 example: 192.168.1.0/24
- Base: 192.168.1.0
- Range: 192.168.1.0 to 192.168.1.255
- Usable: 192.168.1.1 to 192.168.1.254
Online calculators:
Example:
Input: 192.168.1.0/24
Output: First: 192.168.1.0
Last: 192.168.1.255
Usable: 192.168.1.1 - 192.168.1.254
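The quick method above only covers prefixes that end on an octet boundary. The following added example (not KnoxCall code; the function names `ip_to_int`, `int_to_ip`, `cidr_range` and `contains` are hypothetical) does the same calculation with a bitmask, so it also handles prefixes such as /20 where one octet is only partly variable, and a bare IP treated as /32.

```python
def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(
            p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_range(cidr: str) -> dict:
    """First/last/usable addresses and size of an IPv4 CIDR block."""
    base, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else 32  # bare IP means /32
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF  # `prefix` leading 1-bits
    first = ip_to_int(base) & mask                 # host bits cleared
    last = first | (~mask & 0xFFFFFFFF)            # host bits set
    # /31 and /32 have no separate network/broadcast address to exclude.
    lo, hi = (first + 1, last - 1) if host_bits >= 2 else (first, last)
    return {"first": int_to_ip(first), "last": int_to_ip(last),
            "usable": (int_to_ip(lo), int_to_ip(hi)),
            "total": 1 << host_bits}               # 2^(32 - prefix)


def contains(cidr: str, ip: str) -> bool:
    """True if ip falls inside the block."""
    r = cidr_range(cidr)
    return ip_to_int(r["first"]) <= ip_to_int(ip) <= ip_to_int(r["last"])


if __name__ == "__main__":
    # Ranges taken from the sections above.
    for block in ("192.168.1.0/24", "10.8.0.0/16", "172.31.0.0/20"):
        print(block, cidr_range(block))
    print(contains("172.31.0.0/20", "172.31.16.1"))  # third octet past .15
```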
Common Scenarios
Scenario 1: Office Wi-Fi
Need: Authorize all 50 office computers
Solution: 192.168.1.0/24
Why /24:
Office has 50 devices now
Room to grow to 254 devices
Typical office network size
Client in KnoxCall:
Name: office-wifi-main
Type: Server
IP: 192.168.1.0/24
Description: Main office Wi-Fi network
Scenario 2: Corporate VPN
Need: Authorize 500 remote employees
Solution: 10.8.0.0/16
Why /16:
VPN has 500 users now
Room for 65,000+ connections
Standard VPN range
Client in KnoxCall:
Name: company-vpn
Type: Server
IP: 10.8.0.0/16
Description: Corporate VPN - all remote workers
Scenario 3: AWS Subnet
Need: Authorize EC2 instances in subnet
Solution: 172.31.0.0/20
Why /20:
AWS VPC subnet
~4,000 IPs
Multiple microservices
Client in KnoxCall:
Name: aws-prod-subnet
Type: Server
IP: 172.31.0.0/20
Description: AWS VPC subnet - production instances
Scenario 4: Partner Network
Need: Authorize partner company’s entire network
Solution: 203.14.0.0/24
Why /24:
Partner has small office
~100 employees
/24 covers them
Client in KnoxCall:
Name: partner-acme-network
Type: Server
IP: 203.14.0.0/24
Description: ACME Corp office network
Testing CIDR Ranges
How to Test
Step 1: Create client with CIDR
Step 2: Test from different IPs
From 192.168.1.50:
curl https://a1b2c3d4.acme.knoxcall.com/api/test \
-H "x-knoxcall-route: test-route"
✅ Success: 200 OK (IP in range!)
From 192.168.2.50:
curl https://a1b2c3d4.acme.knoxcall.com/api/test \
-H "x-knoxcall-route: test-route"
❌ Error: 403 Forbidden (IP not in range)
Private IP Ranges
Reserved Private Networks
These IP ranges are for internal networks only (not internet-routable):
Class A (Large):
10.0.0.0/8
- Range: 10.0.0.0 to 10.255.255.255
- IPs: 16,777,216
- Use: Large corporate networks, VPNs
Class B (Medium):
172.16.0.0/12
- Range: 172.16.0.0 to 172.31.255.255
- IPs: 1,048,576
- Use: Medium networks, cloud providers (AWS uses 172.31.0.0/16)
Class C (Small):
192.168.0.0/16
- Range: 192.168.0.0 to 192.168.255.255
- IPs: 65,536
- Use: Home/office networks (most common: 192.168.1.0/24)
Note: Private IPs only work for:
Office networks (devices behind router)
VPNs (tunnel private network over internet)
Cloud private subnets
Don’t use for:
Public internet servers (use public IPs)
Public vs Private IPs
Public IPs (Internet)
Examples:
52.123.45.67 (AWS Elastic IP)
104.21.45.67 (Cloudflare)
142.250.185.78 (Google)
Format: Any IP not in private ranges
CIDR: Typically /32 (single IP) or /24 (small block)
Use in KnoxCall:
Production servers
Partner webhooks
Public APIs
Private IPs (Internal Networks)
Examples:
192.168.1.0/24 (Office Wi-Fi)
10.8.0.0/16 (Corporate VPN)
172.31.0.0/20 (AWS VPC private subnet)
Format: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
CIDR: Often /16 or /24
Use in KnoxCall:
Office networks
VPN access
Internal testing
Common Mistakes
❌ Mistake 1: Using /32 for Networks
❌ Wrong:
IP: 192.168.1.1/32
Type: Server
Problem: /32 = only 1 IP (defeats purpose)
Fix:
✅ Correct:
IP: 192.168.1.0/24
Type: Server
❌ Mistake 2: Too Broad Range
❌ Dangerous:
IP: 0.0.0.0/0
Problem: Allows ENTIRE internet!
Fix:
✅ Correct:
IP: 192.168.1.0/24 (specific network only)
❌ Mistake 3: Wrong Base IP
❌ Wrong:
IP: 192.168.1.55/24
Problem: Base should be .0 not .55
Fix:
✅ Correct:
IP: 192.168.1.0/24
❌ Mistake 4: Prefix Doesn’t Match Network
❌ Wrong:
Need: 50 IPs
Used: 10.0.0.0/8 (16 million IPs!)
Problem: Massively oversized
Fix:
✅ Correct:
Need: 50 IPs
Used: 10.0.0.0/24 (256 IPs - enough headroom)
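The four mistakes above can be caught before an entry is saved. This is an added example, not KnoxCall code: `lint_entry`, its parameters and the `MIN_PREFIX` threshold are hypothetical, and the sample entries are constructed from the mistakes listed above.

```python
import ipaddress

MIN_PREFIX = 16  # assumption: /16 is the broadest block this page recommends
# The three private ranges listed under "Private IP Ranges".
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lint_entry(entry: str, needed_hosts: int = 1,
               internet_facing: bool = False) -> list:
    """Return findings for one allowlist entry; an empty list means clean."""
    try:
        # strict=False masks stray host bits instead of raising,
        # so the wrong-base case can be reported with the corrected network.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    if net.version != 4:
        return ["skipped: only IPv4 is covered here"]
    findings = []
    if entry.split("/")[0] != str(net.network_address):
        findings.append(f"wrong-base: host bits set, network is {net}")
    if net.prefixlen == 0:
        findings.append("open: matches every IPv4 address")
    elif net.prefixlen < MIN_PREFIX:
        findings.append(f"too-broad: {net.num_addresses:,} addresses")
    # Blocks of /30 and shorter lose the network and broadcast addresses.
    usable = net.num_addresses - (2 if net.prefixlen <= 30 else 0)
    if usable < needed_hosts:
        findings.append(f"too-small: {usable} usable, {needed_hosts} needed")
    if internet_facing and any(net.subnet_of(p) for p in PRIVATE):
        findings.append("private: will not match traffic from the internet")
    return findings


# Constructed sample entries mirroring the mistakes above: (entry, hosts needed).
SAMPLE = [
    ("192.168.1.1/32", 50),   # Mistake 1
    ("0.0.0.0/0", 50),        # Mistake 2
    ("192.168.1.55/24", 50),  # Mistake 3
    ("10.0.0.0/8", 50),       # Mistake 4
    ("192.168.1.0/24", 50),   # the corrected entry
]

if __name__ == "__main__":
    for entry, hosts in SAMPLE:
        print(f"{entry:18} {lint_entry(entry, hosts) or 'ok'}")
```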
CIDR Cheat Sheet
| Prefix | IPs | Typical Use |
|--------|-----|-------------|
| /32 | 1 | Single server (don’t use CIDR) |
| /30 | 4 | Point-to-point link |
| /29 | 8 | Very small subnet |
| /28 | 16 | Small office |
| /27 | 32 | Small network |
| /26 | 64 | Medium office |
| /25 | 128 | Large office |
| /24 | 256 | Standard office network |
| /23 | 512 | Large office/campus |
| /22 | 1,024 | Campus network |
| /21 | 2,048 | Large network |
| /20 | 4,096 | Cloud subnet (AWS) |
| /19 | 8,192 | Large cloud network |
| /18 | 16,384 | Very large network |
| /17 | 32,768 | Enterprise |
| /16 | 65,536 | Corporate VPN, large enterprise |
| /15 | 131,072 | ISP |
| /14 | 262,144 | Large ISP |
| /13 | 524,288 | Very large ISP |
| /12 | 1M+ | Regional network |
| /11 | 2M+ | National network |
| /10 | 4M+ | Continental network |
| /9 | 8M+ | Very large network |
| /8 | 16M+ | Class A network |
CIDR Calculators
IP Address Guide:
https://www.ipaddressguide.com/cidr
CIDR.xyz:
https://cidr.xyz/
Subnet Calculator:
https://www.subnet-calculator.com/
Test if IP is in CIDR range:
# Using Python
python3 -c "
import ipaddress
network = ipaddress.ip_network('192.168.1.0/24')
ip = ipaddress.ip_address('192.168.1.50')
print(ip in network) # True or False
"
List all IPs in range:
# Using Python
python3 -c "
import ipaddress
for ip in ipaddress.ip_network('192.168.1.0/24'):
    print(ip)  # includes the network (.0) and broadcast (.255) addresses
"
Best Practices
✅ Do
Use smallest range needed
✅ Office has 50 users → /24 (256 IPs)
❌ Office has 50 users → /16 (65,536 IPs)
Use .0 as base
✅ 192.168.1.0/24
❌ 192.168.1.1/24
Document what’s in range
Description: "Main office Wi-Fi - floors 1-3, ~100 employees"
Test before production
Test with curl from expected IP range
Verify rejection from outside range
Use private IPs for internal
✅ 192.168.1.0/24 for office
✅ 10.8.0.0/16 for VPN
❌ Don’t
Don’t use 0.0.0.0/0
❌ Allows entire internet (defeats purpose!)
Don’t over-authorize
❌ Need 10 IPs → /8 (16 million!)
✅ Need 10 IPs → /28 (16 IPs)
Don’t forget private vs public
❌ Using 192.168.1.0/24 for internet servers
✅ Using public IP for internet servers
Don’t mix ranges
❌ One client for unrelated networks
✅ Separate clients for separate networks
Quick Reference
| Your Network | Recommended CIDR | IPs |
|--------------|------------------|-----|
| Single server | 52.123.45.67 (no /32) | 1 |
| Small office (< 20) | 192.168.1.0/28 | 16 |
| Medium office (< 100) | 192.168.1.0/24 | 256 |
| Large office (< 500) | 192.168.0.0/23 | 512 |
| VPN (< 1000) | 10.8.0.0/22 | 1,024 |
| Large VPN (< 10k) | 10.0.0.0/18 | 16,384 |
| Enterprise VPN | 10.0.0.0/16 | 65,536 |
| AWS Subnet | 172.31.0.0/20 | 4,096 |
Quick Tip: For most offices, /24 (256 IPs) is perfect. For VPNs, /16 (65,536 IPs) gives plenty of headroom. When in doubt, use a CIDR calculator!