Cisco Netmasks, CIDR sizes, and Inverse Masks

The address/netmask syntax of 172.16.35.0/255.255.255.0 should be familiar to anyone with some experience with IP routing, and is fairly easy to figure out address ranges given a calculator and a piece of scrap paper. There are other forms of addressing which are used interchangeably which start to get confusing even to experienced routing folks - occasionally people call me experienced and I have a little slip of paper next to my monitor with all the translations on it. That same network may be addressed as 172.16.35.0/24 or even 172.16.35.0 0.0.0.255 in Cisco access-lists.

Let's take the address 172.16.35.42. This address is represented as:

10101100 00010000 00100011 00101010         (172.16.35.42)
to the computer. Now for routing to work, the computer needs to know which addresses are local to the subnet (ie: it can send packets directly to that computer) or if it needs to use a gateway ('router') to get there. The netmask is used for this. The address and netmask are:
10101100 00010000 00100011 00101010         (172.16.35.42)
11111111 11111111 11111111 00000000         (255.255.255.0)
now say the computer is trying to get to the address 172.16.35.109 we use the AND logical function to see if the networks are the same:
10101100 00010000 00100011 00101010         (172.16.35.42 - my address)
11111111 11111111 11111111 00000000         (255.255.255.0 - my netmask)

10101100 00010000 00100011 00000000         (my address AND netmask = network)

10101100 00010000 00100011 01101101         (172.16.35.109 - remote address)
11111111 11111111 11111111 00000000         (255.255.255.0 - my netmask)

10101100 00010000 00100011 00000000         (remote address AND netmask = network)
See how these are both the same. This means that the source computer can simply send packets directly to the remote computer. Let's look at a different example.

Say we wanted to go to 192.48.96.9. Let's take a look at the numbers:

10101100 00010000 00100011 00101010         (172.16.35.42 - my address)
11111111 11111111 11111111 00000000         (255.255.255.0 - my netmask)

10101100 00010000 00100011 00000000         (my address AND netmask = network)

11000000 00110000 01100000 00001001         (192.48.96.9 - remote address)
11111111 11111111 11111111 00000000         (255.255.255.0 - my netmask)

11000000 00110000 01100000 00000000         (remote address AND netmask)
A quick comparison shows that these address/netmask comparisons are not the same hence a gateway must be used to get to this address.

The CIDR syntax is simply the number of ones in the netmask and the inverse netmask is just that, the inverse of the netmask. Looking at 255.255.255.0 you see:

11111111 11111111 11111111 00000000    (255.255.255.0 netmask)
-------- -------- --------             (there are 24 ones, hence this is a /24)
00000000 00000000 00000000 11111111    (0.0.0.255 inverse netmask)
This is one of the simpler cases, things get interesting when you move away from the classical Class A/B/C boundaries.

Below is a translation table of netmask to inverse to CIDR.
NetmaskInverse/CIDRUsableSize
0.0.0.0255.255.255.255/04,294,967,294The Internet
128.0.0.0127.255.255.255/12,147,483,646128 Class 'A's
192.0.0.063.255.255.255/21,073,741,82264 Class 'A's
224.0.0.031.255.255.255/3536,870,91032 Class 'A's
240.0.0.015.255.255.255/4268,435,45416 Class 'A's
248.0.0.07.255.255.255/5134,217,7268 Class 'A's
252.0.0.03.255.255.255/667,108,8624 Class 'A's
254.0.0.01.255.255.255/733,554,4302 Class 'A's
255.0.0.00.255.255.255/816,777,2141 Class 'A'
255.128.0.00.127.255.255/98,388,606128 Class 'B's
255.192.0.00.63.255.255/104,194,30264 Class 'B's
255.224.0.00.31.255.255/112,097,15032 Class 'B's
255.240.0.00.15.255.255/121,048,57416 Class 'B's
255.248.0.00.7.255.255/13524,2868 Class 'B's
255.252.0.00.3.255.255/14262,1424 Class 'B's
255.254.0.00.1.255.255/15131,0702 Class 'B's
255.255.0.00.0.255.255/1665,5341 Class 'B'
255.255.128.00.0.127.255/1732,766128 Class 'C's
255.255.192.00.0.63.255/1816,38264 Class 'C's
255.255.224.00.0.31.255/198,19032 Class 'C's
255.255.240.00.0.15.255/204,09416 Class 'C's
255.255.248.00.0.7.255/212,0468 Class 'C's
255.255.252.00.0.3.255/221,0224 Class 'C's
255.255.254.00.0.1.255/235102 Class 'C's
255.255.255.00.0.0.255/242541 Class 'C'
255.255.255.1280.0.0.127/25126128 Hosts
255.255.255.1920.0.0.63/266264 Hosts
255.255.255.2240.0.0.31/273032 Hosts
255.255.255.2400.0.0.15/281416 Hosts
255.255.255.2480.0.0.7/2968 Hosts
255.255.255.2520.0.0.3/3024 Hosts
255.255.255.2540.0.0.1/3102 Hosts
255.255.255.2550.0.0.0/3211 Host