
Update: I seem to get two kinds of answers and I need to get more clarity on how they relate (or not). What we have so far is roughly along the lines of:

you have 32 bits, the / indicates how you split it

and (or versus)

You have an address, the / indicates the range around it


Main question

I am looking for a way to explain a notation such as a.b.c.d/e to someone who is not too deep into networking.

Imagine it is a manager type, or even a data scientist who has seen some sites can be accessed by typing an IP address, but he/she does not have too much more familiarity with the field.

What have I tried?

I searched for explanations, and found many but often these things talk about 'subnet masks' which would require an explanation by itself.

Therefore I have tried to come up with a simple anecdote; though I am also open to an explanation that is simple without an anecdote, I have found this to work well in the past.

Attempt so far -- Warning, comments pointed out my example has some serious issues

An IP address consists of four numbers separated with a dot between each. You read it from left to right, and each dot adds a level of detail. This is very similar to a real address, think about:

Country.City.Street.Housenumber

When working with IP addresses, we often add something like /24 or /32 at the back. This is...

Peter Mortensen
Dennis Jaheruddin
    I think it would be helpful to say more about _why_ you need a manager (presumably not an IT manager) to understand subnet masks. Just for fun? Or to solve some problem? Normally if a (non-IT) manager is having to think about subnet masks, I would consider _that_ the problem... (And honestly I know people who work in IT who don't really understand them that well.) – Glenn Willen Aug 01 '20 at 18:44
  • @GlennWillen I showcase products across companies to any kind of audience, and though this is out of my focus area I figured I should be able to explain everything that may be shown on the screen in a simple way (including the rarely shown security config), just in case it gets asked. – Dennis Jaheruddin Aug 01 '20 at 19:14
  • 1
    You're confusing IP addresses and networks/ranges. a.b.c.d is an IP address. a.b.c.d/e is a network or a range. – jcaron Aug 01 '20 at 22:00
  • 1
    @jcaron. You’re both wrong. a.b.c.d/e is a perfectly acceptable way to display and communicate the addressing scheme a single device should use, identifying both the IP address and subnet mask. – Darren Aug 01 '20 at 23:52
  • 2
    Why does your manager need this level of understanding ? Perhaps telephone numbers and area/country codes would be a better example ? – Criggie Aug 02 '20 at 01:40
  • @Darren Thank you for the critical view, I have updated my question to ask more clarification in this area. – Dennis Jaheruddin Aug 02 '20 at 09:43
  • Wrote this a while back, trying to explain networking to managers: https://github.com/etlweather/understanding-networking – ETL Aug 02 '20 at 14:37
  • /32 is a prefix given to large enterprises, and a /24 to large ISPs. 4 billion and 1 trillion /64s respectively. Oh, you meant IPv4, not IPv6. :) – John Mahowald Aug 03 '20 at 03:14
  • 2
    @DennisJaheruddin To answer your update: Both. All IP hosts have addresses. Those addresses are part of IP networks. Every network contains a range of IP addresses. That range (and the maximum number of available addresses) is determined by the subnet mask, since it defines the number of bits in the host portion of the address. The network 192.168.0.16/28 contains 16 addresses (actually 14, because 2 are reserved), 192.168.0.16 through 192.168.0.31. Note: I’m purposely not using a /24, to show you how unintuitive it is to do this in decimal form. It’s quite simple in binary. – Ron Trunk Aug 03 '20 at 12:30

7 Answers

20

An ip address consists of four numbers separated with a dot between each. You read it from left to right, and each dot adds a level of detail. This is very similar to a real address, think about:

Country.City.Street.Housenumber

I'm sorry, but this is simply wrong. The dots do not have any significance. They are only there to make a 32-bit binary number (that's all that an IPv4 address is) easier for humans to read. You can't infer any hierarchy from them. If you're explaining IP addresses that way, you're misleading people.

I know you don't want to get into subnet masks or binary math, but there's really no way around it. I'll keep it as simple as I can.

IP addresses have a two-level hierarchy: network and host. Think of area code and number for your phone (at least in the US). Ten digit telephone numbers have a fixed format: 3 digits for the area code, and 7 digits for the phone number. Similarly, for IP addresses, part of that 32-bit binary number is the network address portion, and part is the host address portion.

Unlike phones, IP addresses do not have a fixed format for hierarchy. The number of (binary) digits that make up the network and host portions can vary. Where you divide the bits between the two is determined by the subnet mask (There. I said it).

The CIDR notation tells you how many bits of the address belong to the network portion. For example, /20 means the first 20 bits of the address are the network portion of the address -- the rest (32 - 20 = 12) are the host portion. /24 means 24 bits are the network and 8 are the host (32 - 24 = 8), and so on.

If all you're doing is typing an address into your browser, you don't need to know the binary math. But if you're creating networks and assigning addresses, you need to understand the binary math behind them. Otherwise you will make mistakes that lead to incorrect addresses.

EDIT:

I know that my answer will go over the heads of many so-called "managers", but it's important that YOU understand it so you can explain it better. If you're confused, your explanation will be confusing (and possibly wrong). Based on your scenario, the best simple explanation I can give is this:

IP addresses are divided into two parts - network and host, just like telephone numbers are divided into parts - area/city code and number. The /xx indicates how much of the IP address is the network part and how much is the host part.

I wouldn't go any deeper than that. If you get questions, then you'll have to bring in binary and subnet masks.

Ron Trunk
    If you use the phone number analogy, the CIDR is like telling how many digits of the phone number were the country code + the area code. Phone numbers don't have a fixed amount of digits for the area code, either, but country codes are 1-3 digits (or up to 5-7 depending on how you count them) followed by a local area code of various length. Like `+15551234567/4` (U.S. `+1` area code `555`) or `+358501234567/5` (Finnish `+358` mobile phone `50`). Vatican has been assigned `+379` but uses Italian `+3906698` with 7 digits. Phone numbers do work regardless of this knowledge, but IP addresses don't. – Esa Jokinen Aug 01 '20 at 15:14
  • Yes, I know, but I used the US example to make it easier to understand. Sorry for being so "provincial" :-) – Ron Trunk Aug 01 '20 at 15:15
  • 1
    I just think the opposite: that the analogy is easier to understand knowing that the area code length varies. :) – Esa Jokinen Aug 01 '20 at 15:16
  • 1
    I think this makes sense, especially in a country like the Netherlands where all phone numbers are 10 digits, and the network indicator can be anything from the first 2-4 digits. And this would even enrich the analogy: calling a different network used to be more expensive than calling within your own area. (And from an IT perspective, knowing that a certain network is owned by a company could even make a difference for the end user from a trust perspective.) – Dennis Jaheruddin Aug 01 '20 at 18:33
  • Exactly. I still remember the times when I could call my neighbors with local 3 digit numbers (comparable to the *host identifier*) and had to use special `0` to use longer numbers (comparable to the *network prefix*). The *subnet mask* sort of tells how many (`32-N`) digits you are allowed to use before you need to get outside the local network. – Esa Jokinen Aug 01 '20 at 19:57
  • While the explanation in this answer is accurate and clear, having worked with many "management types" I can't recall a single one who would actually consume and understand this. A less accurate but easier to consume analogy would probably be preferable in this scenario – Darren H Aug 01 '20 at 20:02
  • I feel like this answer is in line of 'you have an ip addres, the / indicates how it gets split into two parts'. (How) does this relate to the answer type of 'you have an ip address, the / indicates how wide the range around it is'? – Dennis Jaheruddin Aug 02 '20 at 09:37
  • I know this isn't relevant for the manager, but I just want to note that IPs can have a fixed format, called classless. CIDR is classless inter-domain routing, but before that the # of bits as part of the prefix was fixed in either class A, B, C or D. – ljrk Aug 02 '20 at 14:04
  • 1
    @larkey Classful address is **obsolete**, and has been for over 27 years. It only exists in books and stubborn professors. – Ron Trunk Aug 02 '20 at 14:09
  • @DennisJaheruddin *"(How) does this relate to the answer type of 'you have an ip address, the / indicates how wide the range around it is'?"*. Unfortunately, you really can't answer that question without getting into binary math. Read the [second answer to this question](https://networkengineering.stackexchange.com/questions/7106/how-do-you-calculate-the-prefix-network-subnet-and-host-numbers) and see if it helps your understanding. – Ron Trunk Aug 02 '20 at 14:32
  • @RonTrunk Sure, but the point is: that's nothing inherent to the IP protocol but how to structure IP addresses. – ljrk Aug 02 '20 at 18:26
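The two readings the asker keeps running into ("the / splits the 32 bits into two parts" and "the / says how wide the range is") are the same fact seen from two sides: once the first e bits are fixed as the network part, the remaining 32 - e host bits enumerate a contiguous range of 2^(32-e) addresses. The following Python is an added worked example that carries out the binary math this answer describes; it is not code from the answer or from any participant in the thread. The sample inputs are 192.168.0.16/28 (from the question comments), 192.168.120.0/24 (from another answer) and a made-up 10.20.37.9/20 to show a mask that does not fall on an octet boundary.

```python
# Added worked example (not from the original answer): the binary math behind a.b.c.d/e.
# Sample addresses used below are constructed for illustration.

def to_int(dotted: str) -> int:
    """Parse dotted-quad text into the 32-bit integer an IPv4 address really is."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def to_dotted(value: int) -> str:
    """Inverse of to_int: 32-bit integer back to a.b.c.d text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/e -> subnet mask: e one-bits followed by (32 - e) zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe(cidr: str) -> dict:
    """Both readings of a.b.c.d/e at once.

    'Split' reading: the first e bits are the network part, the rest the host part.
    'Range' reading: every address sharing those e bits; the host bits enumerate
    the range, so it holds 2**(32 - e) addresses.
    """
    addr_text, prefix_text = cidr.split("/")
    addr, prefix = to_int(addr_text), int(prefix_text)
    mask = prefix_to_mask(prefix)
    inv_mask = ~mask & 0xFFFFFFFF
    network = addr & mask           # network part: address AND mask
    host_part = addr & inv_mask     # host part: address AND inverted mask
    broadcast = network | inv_mask  # all host bits set: last address in the range
    size = 1 << (32 - prefix)
    bits = f"{addr:032b}"
    return {
        "address": to_dotted(addr),
        "netmask": to_dotted(mask),
        "network_bits": bits[:prefix],
        "host_bits": bits[prefix:],
        "host_part": host_part,
        "network": f"{to_dotted(network)}/{prefix}",
        "first": to_dotted(network),
        "last": to_dotted(broadcast),
        "size": size,
        # First (network) and last (broadcast) addresses are reserved on ordinary
        # subnets; /31 point-to-point links and /32 single hosts use every address.
        "usable_hosts": size - 2 if prefix <= 30 else size,
    }


def in_range(cidr: str, ip: str) -> bool:
    """Firewall-style check: does `ip` fall inside the range written as `cidr`?"""
    network_text, prefix_text = cidr.split("/")
    mask = prefix_to_mask(int(prefix_text))
    return (to_int(ip) & mask) == (to_int(network_text) & mask)


if __name__ == "__main__":
    for example in ("192.168.0.16/28", "10.20.37.9/20"):
        for key, value in describe(example).items():
            print(f"{key:13} {value}")
        print()
    print(in_range("192.168.120.0/24", "192.168.120.77"))   # True
    print(in_range("192.168.120.0/24", "192.168.121.1"))    # False
```

Running it on 192.168.0.16/28 prints the 28 network bits, four zero host bits, the range 192.168.0.16 to 192.168.0.31 and 14 usable hosts, which is exactly the comment's worked case; the /20 example shows why the decimal form is unintuitive: the split falls in the middle of the third octet (mask 255.255.240.0), so the range runs from 10.20.32.0 to 10.20.47.255.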
8

You don't need even that detail. Simply treat them as magic values:

Short answer: An IP address has four blocks of digits. There is a standard notation called CIDR where if you put /24 at the end it means every IP address that starts with the same three numbers. So if you put 192.168.120.0/24 that means that access is allowed from every IP address from 192.168.120.0 to 192.168.120.255, so only those within the allowed range are allowed into the system.

Any network/security engineer actually needing to set that will understand that setting right away. If you sidetrack the product showcase into a Networking 101 you will lose time that could be used to present other features, while the technical people who are also in the meeting and who know perfectly well about CIDR will be cringing about such a waste of time.† And that manager won't need such information, anyway. It's best IMHO to ask them to question you after the meeting / send you a mail if they are interested in the long, detailed answer.

Nothing wrong with being curious and wanting to know more about it, but a product showcase is not the right place, and I suspect in reality such a manager probably doesn't really mind about that detail.

† In fact, this simplified version may lead those network engineers to jump asking if you don't support IPv6, which they are using internally. A more accurate version of that answer would start by “An IPv4 address is formed by four octets...“ which would already get the manager lost in the first phrase.

Ángel
  • Thanks, this is sensible advice that I was slowly coming to myself. Upvoted but will not accept as the original question is answered more directly by some of the other answers. – Dennis Jaheruddin Aug 01 '20 at 23:03
  • I feel like this answer is in line of 'you have an ip address, the / indicates how wide the range around it is'. (How) does this relate to the answer type of 'you have an ip addres, the / indicates how it gets split into two parts'? – Dennis Jaheruddin Aug 02 '20 at 09:38
6

... how many house numbers the street has.

If you have more than 256 houses in a street, you need to use part of the street number for house numbers. This is only important to know when you want to know if someone else lives on the same street as you because you drop off letters directly instead of giving them to the post office.

Simon Richter
  • I like this gem as the distinction between network and host could matter from the perspective of a user. Upvoted but did accept the other answer. – Dennis Jaheruddin Aug 01 '20 at 18:38
3

Here are some partial building blocks for you:

"Let's say you have an IP address, for example 123.4.5.6. It is a single IP address. However, if we change it a bit, we can get something like this: 123.0.0.0/8

That latter concept is something called a CIDR notation. You can think now that it is kind of a bunch of IP addresses. 123.0.0.0/8 means the same as 123.* .* .* Also, 123.0.0.0/16 means 123.0.* .*

So, the number after the slash tells how much of the address can be wildcards. The smaller the number, the bigger the amount of wildcards.

Wildcards start from the end of the address."

  • Is 123.0.0.0/8 then A. exactly the same as 123.100.0.0/8? (e.g. both 'ignore' everything after the first 8 bits? and both equal to 123.*.*.* ) -- Or more like B. 123.100.0.0/8 is the same as the union of 123.1**.*.* + 124.something.*.* – Dennis Jaheruddin Aug 01 '20 at 17:57
  • That's a good question I don't have a solid answer to. I think it wanders a bit into philosophical territory. How deep you need to go with your manager btw? – Janne Paalijarvi Aug 01 '20 at 18:30
  • Well, not too philosophical but indeed outside the scope of my original question. My practical thought: If you open a firewall with permissions for 123.100.0.0/8, would the whole 123.*.*.* range be able to get in? And if you set it to something like /1, would nearly the whole world be able to get in? – Dennis Jaheruddin Aug 01 '20 at 18:36
  • 1
    I'd say it is implementation-specific. But if we test with iptables, for example: `root@debian10:~# iptables -A INPUT -s 123.100.0.0/8 -j DROP`, then `root@debian10:~# iptables -n -L INPUT` prints `Chain INPUT (policy ACCEPT)` / `target prot opt source destination` / `DROP all -- 123.0.0.0/8 0.0.0.0/0`. So, 123.100.0.0/8 gets normalized to 123.0.0.0/8 there. This is the sanest approach, IMHO. – Janne Paalijarvi Aug 01 '20 at 18:42
  • Thanks that makes sense. I upvoted your answer as I found it valuable, but did accept the other answer as it covered a few more aspects of my question. – Dennis Jaheruddin Aug 01 '20 at 19:18
  • 2
    @DennisJaheruddin 123.100.0.0/8 just isn't valid notation. There should not be `1` bits beyond the first 8. Most software will just apply the prefix-length and convert that to 123.0.0.0/8, but some may just break because it's not valid. – jcaron Aug 01 '20 at 21:59
  • @DennisJaheruddin "*Is 123.0.0.0/8 then exactly the same as 123.100.0.0/8? *" No. they are two different host addresses, but on the same network. More accurately 123.0.0.0/8 is not a host, but a special address that is used to describe the network as a whole. A simpler example would be 123.0.0.1/8 and 123.100.0.0/8. They are two different host addresses on the same network (123.0.0.0/8). – Ron Trunk Aug 02 '20 at 14:43
  • @DennisJaheruddin If you are talking about a specific host, then 123.100.0.0/8 is a valid address. But if you're referring to the network that the host is on, then it's 123.0.0.0/8. – Ron Trunk Aug 02 '20 at 14:46
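The comments above disagree about what 123.100.0.0/8 means, and all three positions are reproducible with Python's standard `ipaddress` module. The following is an added example, not code from the answer or from any commenter: a strict parser rejects the string because bits are set past the prefix length, a lenient one zeroes those bits and yields 123.0.0.0/8 exactly as the iptables output did, and reading it as a host plus its mask (the view Ron Trunk describes) keeps 123.100.0.0 as the host address on network 123.0.0.0/8. It also shows that the "123.*.*.*" picture from the answer only exists when the prefix length is a multiple of 8, and how wide a /1 really is. All sample strings are constructed here.

```python
# Added example (not from the original answer): the three readings of 123.100.0.0/8,
# using only the standard library. Sample strings are constructed for illustration.
import ipaddress


def network_notation_is_strictly_valid(text: str) -> bool:
    """True when every bit past the prefix length is zero, i.e. the text names a
    network (123.0.0.0/8) rather than a host inside one (123.100.0.0/8)."""
    try:
        ipaddress.ip_network(text)  # strict=True is the default
    except ValueError:
        return False
    return True


def normalize_network(text: str) -> str:
    """Lenient reading, as iptables did in the comments: keep the first e bits and
    zero the rest, so 123.100.0.0/8 becomes 123.0.0.0/8."""
    return str(ipaddress.ip_network(text, strict=False))


def host_and_network(text: str) -> tuple:
    """Host-plus-mask reading: a.b.c.d/e describes one device's own address and
    the network it sits on. Returns (host, network, netmask) as strings."""
    iface = ipaddress.ip_interface(text)
    return str(iface.ip), str(iface.network), str(iface.netmask)


def wildcard_form(text: str):
    """The '123.*.*.*' picture from the answer, or None when the prefix does not
    end on an octet boundary (e.g. /28), because then no such string exists."""
    net = ipaddress.ip_network(text, strict=False)
    if net.prefixlen % 8:
        return None
    fixed = net.prefixlen // 8
    octets = str(net.network_address).split(".")
    return ".".join(octets[:fixed] + ["*"] * (4 - fixed))


def range_size(text: str) -> int:
    """How many addresses a lenient firewall rule written as `text` lets through."""
    return ipaddress.ip_network(text, strict=False).num_addresses


if __name__ == "__main__":
    for sample in ("123.0.0.0/8", "123.100.0.0/8", "123.100.0.0/1", "192.168.0.16/28"):
        print(sample,
              "strict-valid:", network_notation_is_strictly_valid(sample),
              "normalized:", normalize_network(sample),
              "wildcard:", wildcard_form(sample),
              "addresses:", range_size(sample))
    print(host_and_network("123.100.0.0/8"))
```

The /1 case answers the asker's follow-up directly: 123.100.0.0/1 normalizes to 0.0.0.0/1, which is every address whose first bit is 0, i.e. 2^31 addresses, half of the IPv4 space.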
2

Nobody has yet addressed the "why" of subnet masks. At least in my understanding...

A subnet mask represents the scope of a broadcast domain.

Computers/devices within a subnet domain are able to discover other devices within that subnet. They can also find out how to communicate (find each others address) even though they initially know nothing about each other.

Computers/devices across different subnet domains cannot discover each other. Something must be known about the device being sought (such as a device name in the DNS system) before the devices can communicate.

A (rather poor) analogy may be multiple open-plan offices within a building. I can walk around my open-plan office and introduce myself to anyone else. However, to find someone in a different open-plan office I need to walk to reception, identify a specific person by name, and ask the receptionist in which room, and at which desk, the person may be found.

skhdajkhd
1

An IPv4 IP address is 32 bits of data, often written as four 8-bit fields (A.B.C.D), (or, in binary, aaaaaaaa.bbbbbbbb.cccccccc.dddddddd). Netmasks are 32 bits, as well, and can be written the same way.

The IP address is, for routing purposes, divided into "network" and "host" fields, by the netmask. /20 and /24 are abbreviations for 20 and 24 bit netmasks. That's 20 or 24 initial 1 bits, 255.255.240.0 or 255.255.255.0. The 1 bits represent the "network" field in the IP address. The 0 bits in the netmask represent the "host" field. The size of the "host" field limits the number of hosts in the "local" network, except that host addresses 0 and all bits are reserved. Thus, a /20 network may have up to 2,045 unique IP addresses, while a /24 network may have up to 253.

To extract the "network" field, the IP address is logically ANDed with the netmask. To extract the "host" field, the IP address is logically ANDed with the complement of the netmask. 0.0.15.255 and 0.0.0.255 for the /20 and /24 examples.

If the "network part" of a destination IP address (destination IP address ANDed with the netmask) is equal to the "network part" of MY IP address (MY IP address ANDed with the netmask), the destination IP address is "local", and the packet containing the destination IP address can be sent out without routing.

If the two "network parts" are NOT equal, one must consult the routing tables to find where to send the packet.

waltinator
  • I feel like this answer is in line of 'you have an ip addres, the / indicates how it gets split into two parts'. (How) does this relate to the answer type of 'you have an ip address, the / indicates how wide the range around it is'? – Dennis Jaheruddin Aug 02 '20 at 09:36
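The last two paragraphs of this answer describe the decision every host makes for every packet: AND the destination with the netmask, compare with the host's own network part, deliver directly if equal, otherwise look the destination up in the routing table. The following is an added example of that decision, not code from the answer or from any participant; it uses Python's standard `ipaddress` module rather than repeating the bit math by hand. The host address 10.20.37.9/20, the route table and the next-hop addresses are constructed for illustration. Where several table entries match, the one with the longest prefix wins, which is the standard rule that makes CIDR prefixes of different lengths coexist.

```python
# Added example (not from the original answer): local-vs-routed decision for a host
# configured as a.b.c.d/e, plus a tiny routing table. All addresses are constructed.
import ipaddress


def forwarding_decision(my_interface: str, destination: str, routes: dict) -> str:
    """Return 'local' when (destination AND mask) == (my address AND mask),
    otherwise the next hop from `routes` chosen by longest-prefix match.

    my_interface: this host's own a.b.c.d/e (address plus mask).
    routes: {"prefix/len": "next-hop"}; "0.0.0.0/0" is the default route.
    """
    me = ipaddress.ip_interface(my_interface)
    dst = ipaddress.ip_address(destination)
    if dst in me.network:            # same network part: send directly, no router
        return "local"
    best_net, best_hop = None, None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop   # more specific prefix wins
    if best_hop is None:
        raise LookupError(f"no route to {destination}")
    return best_hop


# Constructed routing table for the example host (hypothetical addresses).
ROUTES = {
    "10.20.0.0/16": "10.20.32.1",    # rest of the site via a local router
    "10.20.48.0/22": "10.20.32.2",   # a more specific entry that overrides the /16
    "0.0.0.0/0": "10.20.32.254",     # everything else: default gateway
}

if __name__ == "__main__":
    me = "10.20.37.9/20"             # network part 10.20.32.0/20, mask 255.255.240.0
    for dest in ("10.20.47.200", "10.20.50.1", "10.20.99.1", "8.8.8.8"):
        print(f"{dest:13} -> {forwarding_decision(me, dest, ROUTES)}")
    # Same host with a /24 mask: 10.20.47.200 is no longer local.
    print(forwarding_decision("10.20.37.9/24", "10.20.47.200", ROUTES))
```

Changing only the prefix length changes the outcome: with /20 the host treats 10.20.47.200 as a neighbour and sends to it directly; with /24 the same destination is off-network and goes to the router for 10.20.0.0/16. That is the practical consequence of the "split" the answer describes, and the reason a wrong mask produces hosts that can reach some neighbours but not others.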
0

Your phone number is 10 digits long right? Well, it's a /3 CIDR. We never talk about the CIDR in a phone number because they're all the same length (in the US). But your phone number is a /3 CIDR meaning all the numbers with the same area code are in the same network. When you call someone with a different area code, the call has to go through a 'router' which we call a long distance company.

Well....

IP addresses work the same way except that phone numbers use the digits 0-9, where IP uses just the digits 0 and 1. The CIDR number just tells you how many of those digits are part of the network and how many are part of the end user's number. We talk about the CIDR in networking because in IP networks (unlike phone networks) the CIDR can be different depending on economic and other factors.

  • Yes. I know that my explanation of telephone networks is oversimplified, outdated, and an outright lie if you want to be pedantic about it. But if your manager doesn't get CIDR/sub-netting, then chances are they will still have old notions of the phone network to compare to in their mind. Throw in a fax machine reference if you want too. – Billy left SE for Codidact Aug 02 '20 at 18:35