Networking, Firewall, Powers of Two
This page contains mathematical information about how to calculate IP address ranges for use with the campus firewall groups.
NOTE: The following information applies only to IPv4 address ranges. Network administrators who are configuring firewall ranges for IPv6 should contact Technology Services Network Design & Support at email@example.com for assistance.
This page takes a traditional, mathematical approach to explaining the binary system, powers of two, and netmasks. If you are a visual learner, you may be interested in the Network Tree approach as well.
2^x is the general form for 2 raised to the power of x. X can be any number from 0 to infinity. 2^x means 2 multiplied by itself x times. For example, 2^3 means 2*2*2 or 8.
For most computer and networking issues, we only need to work with the powers of 2 from 0 to 8.
2^0 = 1
2^1 = 2
2^2 = 4
2^3 = 8
2^4 = 16
2^5 = 32
2^6 = 64
2^7 = 128
2^8 = 256
Netmasks are most commonly seen in the form of 255.255.255.0 or 255.255.254.0 or 255.255.255.224. Netmasks are 4 groups of 8 bits each, representing a total of 32 bits.
Netmasks must have 1s in a continuous string. Once you have a 0 in a netmask, all of the positions to the right of that 0 must also be 0s. This leads to a limited number of valid netmasks.
In order to understand which netmasks are valid, we need to convert the base 10 form (255.255.etc) into the binary form (0s and 1s).
To convert 255 to binary, we need to add up powers of 2 until we reach 255.
|Base 10:||128 +||64 +||32 +||16 +||8 +||4 +||2+||1||= 255|
|Powers of 2:||2^7 +||2^6 +||2^5 +||2^4 +||2^3 +||2^2 +||2^1 +||2^0|
1 1 1 1 1 1 1 1 would represent 255 in binary. This is a valid netmask component, since it contains an unbroken string of 1s. Therefore, a netmask of 255.255.255.0 in binary is written as: 11111111.11111111.11111111.00000000.
Let's try another number: 160.
|Base 10:||128 +||32 +||= 160|
|Powers of 2:||2^7 +||2^5 +|
So in binary 160 would be 10100000. This means that 160 is NOT a valid netmask component, because there is a 1 after the first 0.
More netmask examples :
11111111.11111111.11111111.10000000 is valid.
11111111.11111111.11111111.11110000 is valid.
11111111.11111111.11111111.11110001 is not valid.
10111111.11111111.00000000.00000000 is not valid.
(Netmasks must also make sense in relation to the class of the network address, but for our purposes that shouldn't be an issue.)
From the discussion above you will note that the 1s must be in a continuous string. When using the CIDR notation (/#), the # refers to the number of bits in the netmask that are set to 1. For example, if you see /32 that means that there are 32 bits of 1s, or 11111111.11111111.11111111.11111111, or 255.255.255.255.
A /24 would mean 24 bits of 1s, or 11111111.11111111.11111111.00000000 or 255.255.255.0.
Netmasks from /24 (including 256 hosts) to /31 (including 2 hosts) will give you the best granularity levels for arranging your groups:
|Binary||Decimal||CIDR||Number of hosts included|
NOTE: This information is now considered
legacy. Moving forward with both IPv4 and IPv6 networks, it is strongly
encouraged to specify only a single firewall policy for the entire
Refer to this page for more details: Networking, Firewall, Service Participation
The hosts in the various firewall groups must be able to be represented by a network number and netmask. Each network is allowed up to six IP ranges for placing hosts on the firewalls.
Each block of hosts:
- Must be contiguous (no numbers can be skipped).
- Must start and end on a boundary that can be described with a combination of an IP address and a netmask.
- Must contain a power of 2 number of hosts.