CIDR Notation Explained

Learn how to use CIDR (Classless Inter-Domain Routing) notation to authorize ranges of IP addresses in KnoxCall.

What is CIDR?

CIDR (pronounced “cider”) is a way to represent a range of IP addresses using a single notation.

Format

IP_ADDRESS/PREFIX_LENGTH
Example:
192.168.1.0/24
Parts:
  • 192.168.1.0 - Network address (base IP)
  • /24 - Prefix length (number of leading bits that stay fixed; this sets how many IPs are in the range)

Why Use CIDR?

The Problem Without CIDR

Imagine authorizing an office with 200 employees:
❌ Without CIDR (tedious):
192.168.1.1
192.168.1.2
192.168.1.3
...
192.168.1.200

(Need 200 separate client entries!)

The Solution With CIDR

✅ With CIDR (one entry):
192.168.1.0/24

(Covers 192.168.1.1 to 192.168.1.254 - all 254 usable IPs!)

How CIDR Works

The Prefix Number

The number after the / is the count of leading bits that stay fixed. The remaining bits vary, which determines how many IPs are in the range.
Formula:
Number of IPs = 2^(32 - prefix)
Examples:
/32 → 2^(32-32) = 2^0  = 1 IP
/24 → 2^(32-24) = 2^8  = 256 IPs
/16 → 2^(32-16) = 2^16 = 65,536 IPs
/8  → 2^(32-8)  = 2^24 = 16,777,216 IPs

Common CIDR Ranges

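| CIDR | IPs | Common Use | Example |
|------|-----|------------|---------|
| /32 | 1 | Single host | 52.123.45.67/32 |
| /30 | 4 | Point-to-point | 10.0.0.0/30 |
| /28 | 16 | Small subnet | 192.168.1.0/28 |
| /24 | 256 | Office network | 192.168.1.0/24 |
| /20 | 4,096 | Large network | 172.31.0.0/20 |
| /16 | 65,536 | Corporate VPN | 10.0.0.0/16 |
| /8 | 16M+ | Very large | 10.0.0.0/8 |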

/24 - Most Common (256 IPs)

Example: Office Network

CIDR: 192.168.1.0/24
Range covered:
First IP:  192.168.1.0   (network address - reserved)
Usable:    192.168.1.1   to   192.168.1.254
Last IP:   192.168.1.255 (broadcast - reserved)

Total: 256 addresses
Usable: 254 addresses (for devices)
What changes:
  • Last octet (number): 0 to 255
  • Everything else stays the same
Authorizes:
✅ 192.168.1.1    (office computer)
✅ 192.168.1.50   (another computer)
✅ 192.168.1.100  (developer laptop)
✅ 192.168.1.254  (last usable)
❌ 192.168.2.1    (different subnet!)
❌ 192.168.0.255  (different subnet!)

/16 - Large Networks (65,536 IPs)

Example: Corporate VPN

CIDR: 10.8.0.0/16
Range covered:
First IP:  10.8.0.0
Usable:    10.8.0.1   to   10.8.255.254
Last IP:   10.8.255.255

Total: 65,536 addresses
What changes:
  • Last TWO octets: 0.0 to 255.255
  • First two stay the same: 10.8
Authorizes:
✅ 10.8.0.1       (VPN user 1)
✅ 10.8.0.50      (VPN user 50)
✅ 10.8.100.200   (VPN user on different subnet)
✅ 10.8.255.254   (last usable)
❌ 10.7.0.1       (different network)
❌ 10.9.0.1       (different network)

/20 - Cloud Subnets (4,096 IPs)

Example: AWS VPC Subnet

CIDR: 172.31.0.0/20
Range covered:
First IP:  172.31.0.0
Usable:    172.31.0.1   to   172.31.15.254
Last IP:   172.31.15.255

Total: 4,096 addresses
What changes:
  • Last octet: Full range (0-255)
  • Third octet: Partial range (0-15)
Authorizes:
✅ 172.31.0.1     (EC2 instance)
✅ 172.31.5.100   (another instance)
✅ 172.31.15.254  (last usable)
❌ 172.31.16.1    (outside range - /20 only goes to .15)
❌ 172.30.0.1     (different network)

/32 - Single IP (Don’t Use CIDR)

Example: Single Server

CIDR: 52.123.45.67/32
Range covered:
Just: 52.123.45.67

Total: 1 address (only this specific IP)
Note: In KnoxCall, just enter 52.123.45.67 without /32. It’s implied.

Calculating CIDR Ranges

Quick Method

Step 1: Look at the prefix
/24 → Last octet varies (256 IPs)
/16 → Last 2 octets vary (65,536 IPs)
/8  → Last 3 octets vary (16M IPs)
Step 2: Calculate range
/24 example: 192.168.1.0/24
- Base: 192.168.1.0
- Range: 192.168.1.0 to 192.168.1.255
- Usable: 192.168.1.1 to 192.168.1.254
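
The quick method above covers prefixes that fall on an octet boundary. The code below is an added example (not KnoxCall code) that does the same calculation with a bitmask, so it also handles prefixes such as /20 where an octet is only partly covered; the function names are illustrative.

```python
# Added example: IPv4 CIDR range arithmetic with plain integers.
# Function names are illustrative, not part of any KnoxCall API.

def ip_to_int(ip):
    """Pack a dotted-quad string into one 32-bit integer."""
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def parse_cidr(cidr):
    """Return (network, mask) as integers; a bare IP is treated as /32."""
    ip, sep, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if sep else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # top `prefix` bits set
    return ip_to_int(ip) & mask, mask                  # clear any host bits

def cidr_range(cidr):
    """Return (first, last, total) for the block."""
    network, mask = parse_cidr(cidr)
    last = network | (~mask & 0xFFFFFFFF)              # set every host bit
    return int_to_ip(network), int_to_ip(last), last - network + 1

def contains(cidr, ip):
    """True when ip shares the block's fixed prefix bits."""
    network, mask = parse_cidr(cidr)
    return (ip_to_int(ip) & mask) == network

if __name__ == "__main__":
    # The three worked ranges from this page.
    for block in ("192.168.1.0/24", "10.8.0.0/16", "172.31.0.0/20"):
        print(block, cidr_range(block))
    print(contains("172.31.0.0/20", "172.31.15.254"))
    print(contains("172.31.0.0/20", "172.31.16.1"))
```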

CIDR Calculator Tools

Example output from an online calculator:
Input:  192.168.1.0/24
Output: First: 192.168.1.0
        Last:  192.168.1.255
        Usable: 192.168.1.1 - 192.168.1.254

Common Scenarios

Scenario 1: Office Wi-Fi

Need: Authorize all 50 office computers
Solution:
CIDR: 192.168.1.0/24
Why /24:
  • Office has 50 devices now
  • Room to grow to 254 devices
  • Typical office network size
Client in KnoxCall:
Name: office-wifi-main
Type: Network
IP: 192.168.1.0/24
Description: Main office Wi-Fi network

Scenario 2: Corporate VPN

Need: Authorize 500 remote employees
Solution:
CIDR: 10.8.0.0/16
Why /16:
  • VPN has 500 users now
  • Room for 65,000+ connections
  • Standard VPN range
Client in KnoxCall:
Name: company-vpn
Type: Network
IP: 10.8.0.0/16
Description: Corporate VPN - all remote workers

Scenario 3: AWS Subnet

Need: Authorize EC2 instances in subnet
Solution:
CIDR: 172.31.0.0/20
Why /20:
  • AWS VPC subnet
  • ~4,000 IPs
  • Multiple microservices
Client in KnoxCall:
Name: aws-prod-subnet
Type: Network
IP: 172.31.0.0/20
Description: AWS VPC subnet - production instances

Scenario 4: Partner Network

Need: Authorize partner company’s entire network
Solution:
CIDR: 203.14.0.0/24
Why /24:
  • Partner has small office
  • ~100 employees
  • /24 covers them
Client in KnoxCall:
Name: partner-acme-network
Type: Network
IP: 203.14.0.0/24
Description: ACME Corp office network

Testing CIDR Ranges

How to Test

Step 1: Create client with CIDR
IP: 192.168.1.0/24
Step 2: Test from different IPs
From 192.168.1.50:
curl https://a1b2c3d4.acme.knoxcall.com/api/test \
  -H "x-knoxcall-route: test-route"

 Success: 200 OK (IP in range!)
From 192.168.2.50:
curl https://a1b2c3d4.acme.knoxcall.com/api/test \
  -H "x-knoxcall-route: test-route"

 Error: 403 Forbidden (IP not in range)

Private IP Ranges

Reserved Private Networks

These IP ranges are for internal networks only (not internet-routable):
Class A (Large):
10.0.0.0/8
- Range: 10.0.0.0 to 10.255.255.255
- IPs: 16,777,216
- Use: Large corporate networks, VPNs
Class B (Medium):
172.16.0.0/12
- Range: 172.16.0.0 to 172.31.255.255
- IPs: 1,048,576
- Use: Medium networks, cloud providers (AWS uses 172.31.0.0/16)
Class C (Small):
192.168.0.0/16
- Range: 192.168.0.0 to 192.168.255.255
- IPs: 65,536
- Use: Home/office networks (most common: 192.168.1.0/24)
Note: Private IPs only work for:
  • Office networks (devices behind router)
  • VPNs (tunnel private network over internet)
  • Cloud private subnets
Don’t use for:
  • Public internet servers (use public IPs)

Public vs Private IPs

Public IPs (Internet)

Examples:
52.123.45.67        (AWS Elastic IP)
104.21.45.67        (Cloudflare)
142.250.185.78      (Google)

Format: Any IP not in private ranges
CIDR: Typically /32 (single IP) or /24 (small block)
Use in KnoxCall:
  • Production servers
  • Partner webhooks
  • Public APIs

Private IPs (Internal Networks)

Examples:
192.168.1.0/24      (Office Wi-Fi)
10.8.0.0/16         (Corporate VPN)
172.31.0.0/20       (AWS VPC private subnet)

Format: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
CIDR: Often /16 or /24
Use in KnoxCall:
  • Office networks
  • VPN access
  • Internal testing

Common Mistakes

❌ Mistake 1: Using /32 for Networks

❌ Wrong:
IP: 192.168.1.1/32
Type: Network

Problem: /32 = only 1 IP (defeats purpose)
Fix:
✅ Correct:
IP: 192.168.1.0/24
Type: Network

❌ Mistake 2: Too Broad Range

❌ Dangerous:
IP: 0.0.0.0/0

Problem: Allows ENTIRE internet!
Fix:
✅ Correct:
IP: 192.168.1.0/24 (specific network only)

❌ Mistake 3: Wrong Base IP

❌ Wrong:
IP: 192.168.1.55/24

Problem: Base should be .0 not .55
Fix:
✅ Correct:
IP: 192.168.1.0/24

❌ Mistake 4: Prefix Doesn’t Match Network

❌ Wrong:
Need: 50 IPs
Used: 10.0.0.0/8 (16 million IPs!)

Problem: Massively oversized
Fix:
✅ Correct:
Need: 50 IPs
Used: 10.0.0.0/24 (256 IPs - enough headroom)
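
The four mistakes above can be caught before an entry is saved. The following is an added example, not KnoxCall code: a small linter built on Python's standard `ipaddress` module. The finding codes, the `hosts_needed` parameter and the two-bit headroom allowance (`slack_bits`) are assumptions made for illustration, and sizing reserves the network and broadcast addresses.

```python
import ipaddress

def smallest_prefix(hosts_needed):
    """Longest prefix that fits hosts_needed plus network and broadcast addresses."""
    if hosts_needed <= 1:
        return 32
    return 32 - (hosts_needed + 1).bit_length()

def lint_entry(entry, hosts_needed=None, slack_bits=2):
    """Return {finding_code: message} for one allowlist entry; {} means clean.

    slack_bits is an assumed headroom allowance: a block up to 2**slack_bits
    times larger than the tightest fit is accepted without a finding.
    """
    try:
        iface = ipaddress.IPv4Interface(entry)   # keeps the IP exactly as typed
    except ValueError as exc:
        return {"invalid": str(exc)}
    net = iface.network                          # same entry with host bits cleared
    findings = {}
    if net.prefixlen == 0:                       # Mistake 2
        findings["entire-internet"] = "0.0.0.0/0 matches every IPv4 address"
    if iface.ip != net.network_address:          # Mistake 3
        findings["host-bits-set"] = f"base is not the network address; did you mean {net}?"
    if "/" in entry and net.prefixlen == 32:     # Mistake 1
        findings["single-host"] = f"/32 is one address; enter {iface.ip} as a plain IP"
    if hosts_needed is not None:                 # Mistake 4
        tight = smallest_prefix(hosts_needed)
        if net.prefixlen < tight - slack_bits:
            findings["oversized"] = (f"{net.num_addresses:,} addresses for "
                                     f"{hosts_needed} hosts; /{tight} would fit")
        elif net.prefixlen > tight:
            findings["undersized"] = f"too few addresses for {hosts_needed} hosts"
    return findings

if __name__ == "__main__":
    # Constructed sample entries taken from the mistakes listed on this page.
    samples = [("192.168.1.1/32", None), ("0.0.0.0/0", None),
               ("192.168.1.55/24", None), ("10.0.0.0/8", 50), ("10.0.0.0/24", 50)]
    for entry, need in samples:
        print(entry, lint_entry(entry, hosts_needed=need) or "ok")
```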

CIDR Cheat Sheet

| Prefix | IPs | Typical Use |
|--------|-----|-------------|
| /32 | 1 | Single server (don’t use CIDR) |
| /30 | 4 | Point-to-point link |
| /29 | 8 | Very small subnet |
| /28 | 16 | Small office |
| /27 | 32 | Small network |
| /26 | 64 | Medium office |
| /25 | 128 | Large office |
| /24 | 256 | Standard office network |
| /23 | 512 | Large office/campus |
| /22 | 1,024 | Campus network |
| /21 | 2,048 | Large network |
| /20 | 4,096 | Cloud subnet (AWS) |
| /19 | 8,192 | Large cloud network |
| /18 | 16,384 | Very large network |
| /17 | 32,768 | Enterprise |
| /16 | 65,536 | Corporate VPN, large enterprise |
| /15 | 131,072 | ISP |
| /14 | 262,144 | Large ISP |
| /13 | 524,288 | Very large ISP |
| /12 | 1M+ | Regional network |
| /11 | 2M+ | National network |
| /10 | 4M+ | Continental network |
| /9 | 8M+ | Very large network |
| /8 | 16M+ | Class A network |

Tools & Resources

CIDR Calculators

  • IP Address Guide: https://www.ipaddressguide.com/cidr
  • CIDR.xyz: https://cidr.xyz/
  • Subnet Calculator: https://www.subnet-calculator.com/

Command Line Tools

Test if IP is in CIDR range:
# Using Python
python3 -c "
import ipaddress
network = ipaddress.ip_network('192.168.1.0/24')
ip = ipaddress.ip_address('192.168.1.50')
print(ip in network)  # True or False
"
List all IPs in range:
# Using Python
python3 -c "
import ipaddress
for ip in ipaddress.ip_network('192.168.1.0/24'):
    print(ip)
"

Best Practices

✅ Do

  1. Use smallest range needed
    ✅ Office has 50 users → /24 (256 IPs)
    ❌ Office has 50 users → /16 (65,536 IPs)
    
  2. Use .0 as base
    ✅ 192.168.1.0/24
    ❌ 192.168.1.1/24
    
  3. Document what’s in range
    Description: "Main office Wi-Fi - floors 1-3, ~100 employees"
    
  4. Test before production
    Test with curl from expected IP range
    Verify rejection from outside range
    
  5. Use private IPs for internal
    ✅ 192.168.1.0/24 for office
    ✅ 10.8.0.0/16 for VPN
    

❌ Don’t

  1. Don’t use 0.0.0.0/0
    ❌ Allows entire internet (defeats purpose!)
    
  2. Don’t over-authorize
    ❌ Need 10 IPs → /8 (16 million!)
    ✅ Need 10 IPs → /28 (16 IPs)
    
  3. Don’t forget private vs public
    ❌ Using 192.168.1.0/24 for internet servers
    ✅ Using public IP for internet servers
    
  4. Don’t mix ranges
    ❌ One client for unrelated networks
    ✅ Separate clients for separate networks
    

Quick Reference

| Your Network | Recommended CIDR | IPs |
|--------------|------------------|-----|
| Single server | 52.123.45.67 (no /32) | 1 |
| Small office (< 20) | 192.168.1.0/28 | 16 |
| Medium office (< 100) | 192.168.1.0/24 | 256 |
| Large office (< 500) | 192.168.0.0/23 | 512 |
| VPN (< 1000) | 10.8.0.0/22 | 1,024 |
| Large VPN (< 10k) | 10.0.0.0/18 | 16,384 |
| Enterprise VPN | 10.0.0.0/16 | 65,536 |
| AWS Subnet | 172.31.0.0/20 | 4,096 |


Quick Tip: For most offices, /24 (256 IPs) is perfect. For VPNs, /16 (65,536 IPs) gives plenty of headroom. When in doubt, use a CIDR calculator!