3.4 Implementing Private IP Addresses

3.4.1 Private IP Addressing

Private addressing is one of the solutions the Internet community began to implement when it became apparent that there was a severe limitation to the number of IP addresses available on the Internet. Private addressing was originally designed for organizations that had no intention of connecting to the Internet. As Internet connectivity was not required, there was no need for a globally unique IP address from the Internet. The individual organization could address its network without any reference to the Internet, using one of the private IP address ranges. The advantage to the Internet was that none of the routers within the Internet would recognize any of the addresses designated as private addresses. Therefore, if an organization that had deployed private IP addressing connected to the Internet, all its traffic would be dropped. The ISPs' routers are configured to filter all network routing updates from networks using private addressing.

Private IP Address Ranges

Class IP Address Range Subnet Mask
Class A to 255.0. 0.0
Class B to
Class C to

The Class A private IP address range uses the default subnet mask to provide a single contiguous block of IP addresses, i.e., a single subnet. The Class B private IP address range uses a 12-bit prefix mask (/12) while the Class C private IP address range uses a 16-bit prefix mask (/16). Therefore the Class B range supports 16 subnets and the Class C range supports 256 subnets.

The use of private addressing has become widespread among companies connected to the Internet and has become the means by which an organization does not have to apply to the Internet for an address. Because these addresses have not unique addresses, a company cannot just connect to the Internet, but it must first go through a gateway that can form a translation to a valid, unique address. This is called a network address translation (NAT) gateway.

3.4.2 The Logical AND Operation

When an IP address is assigned to an interface, it is configured with the subnet mask. Although represented in a dotted decimal format, the router converts the IP address and the subnet mask into binary and performs a logical AND operation to find the network portion of the address, i.e., the network ID. To perform a logical AND, the IP address is written out in binary, with the subnet or Internet mask written beneath it in binary. Each binary digit of the address is then ANDed with the corresponding binary digit of the mask. The AND operation has two rules: 1 AND 1 is 1; and 0 AND 1 or 0 remains 0. Essentially, the logical AND operation removes the host ID from the IP address, as illustrated below.

IP address:
IP subnet mask:
IP address in binary: 10001100.00001100.00011010.10000000
IP subnet mask in binary: 11111111.11111111.11110000.00000000
The result of the logical AND in binary: 10001100.00001100.00000000.00000000
The result of the logical AND in dotted decimal format:

The Logical AND Operation

In the above example, the network to which the host belongs has the network ID of Once the network ID is determined, the router can perform a search on the routing table to see whether it can route to the remote network. Therefore, the correct mask is essential to ensure that traffic can be directed through the overall network.