Whether you’re standing up a branch LAN, troubleshooting “no Internet” at 2 a.m., or drafting a multi-tenant private cloud, a crisp mental model of IP addressing saves hours. This upgraded cheat sheet distills the essentials—private ranges, CIDR, special addresses, public DNS, and IPv6—with field-tested tips, corrected OCR slip-ups, and practical guardrails you can apply today.
1) RFC 1918 Private IPv4 Ranges — Your LAN’s Foundation
These blocks are non-routable on the public Internet and are translated (NAT) at the edge. Pick them with intent—future mergers and VPNs hate sloppy choices.
| IPv4 Range | CIDR | Typical Use Case | Max Addresses |
|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | Large enterprises, multi-site WANs | 16,777,216 |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | Mid-sized enterprise networks | 1,048,576 |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | Home/SOHO networks | 65,536 |
Field note: The world’s most common default gateway is 192.168.1.1. If your org uses 10.0.0.0/8, assume hierarchical subnetting and plan for site-unique subranges from day one (e.g., site-ID-based /22 or /23).
2) CIDR, Masks & Right-Sized Subnets — Classful Is Dead
Classless Inter-Domain Routing (CIDR) replaced legacy classes decades ago. Size for growth and broadcast domain health.
| CIDR | Subnet Mask | Usable Hosts | Typical Fit |
|---|---|---|---|
| /8 | 255.0.0.0 | 16,777,214 | Legacy, very large flat networks (avoid) |
| /16 | 255.255.0.0 | 65,534 | Big campus VLAN or core aggregation |
| /24 | 255.255.255.0 | 254 | Standard access VLAN / small office |
| /30 | 255.255.255.252 | 2 | Router point-to-point links |
| /32 | 255.255.255.255 | 1 | Host routes, loopback interfaces |
Why /30 matters: P2P L3 links need just two addresses—save space, reduce broadcast noise, simplify ACLs. For Ethernet P2P, /31 is also valid (RFC 3021) on many platforms.
3) Special IPv4 Addresses — The Protocol Side of Things
Keep these mental shortcuts handy; they explain 80% of “why is this happening?”
| Type | Address / Range | Meaning | Why You Care |
|---|---|---|---|
| Unspecified | 0.0.0.0 | “Any/none”; default route source | Edge default routes, DHCP discover |
| Limited broadcast | 255.255.255.255 | One-hop broadcast | ARP, DHCP |
| Loopback | 127.0.0.0/8 (127.0.0.1) | Localhost test path | Quick local stack check |
| APIPA | 169.254.0.0/16 | Auto IP when DHCP fails | “No DHCP response” indicator |
| CGNAT | 100.64.0.0/10 | ISP carrier-grade NAT pool | Can break inbound and some VPNs |
| Multicast | 224.0.0.0–239.255.255.255 | One-to-many delivery | mDNS, streaming, routing protocols |
| Documentation | 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 | Examples only | Never route in production |
Triage tip: If an interface shows 169.254.x.x, DHCP didn’t answer. Check switch VLANs, trunk/native config, DHCP scope, and DHCP relay (IP helper).
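The table above is easy to encode as a lookup, which is how you turn the triage tip into something that runs over an interface inventory instead of relying on memory at 2 a.m. The following is an added example, not code from the original cheat sheet; it uses only Python's standard ipaddress module, and the INVENTORY list is constructed sample data (the hostnames and addresses are made up for illustration).

```python
import ipaddress

# Special-purpose IPv4 blocks from the table above. None of these overlap,
# so the scan order does not matter.
SPECIAL_V4 = [
    ("APIPA",         "169.254.0.0/16",  "DHCP did not answer: check VLAN, trunk/native, scope, relay"),
    ("CGNAT",         "100.64.0.0/10",   "ISP carrier-grade NAT pool: inbound and some VPNs may break"),
    ("loopback",      "127.0.0.0/8",     "local stack only"),
    ("multicast",     "224.0.0.0/4",     "one-to-many: mDNS, streaming, routing protocols"),
    ("documentation", "192.0.2.0/24",    "examples only; never route in production"),
    ("documentation", "198.51.100.0/24", "examples only; never route in production"),
    ("documentation", "203.0.113.0/24",  "examples only; never route in production"),
    ("RFC1918",       "10.0.0.0/8",      "private; NAT at the edge"),
    ("RFC1918",       "172.16.0.0/12",   "private; NAT at the edge"),
    ("RFC1918",       "192.168.0.0/16",  "private; NAT at the edge"),
]
SPECIAL_V4 = [(name, ipaddress.ip_network(cidr), hint) for name, cidr, hint in SPECIAL_V4]

UNSPECIFIED = ipaddress.ip_address("0.0.0.0")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify_v4(addr: str) -> tuple:
    """Return (category, why-you-care hint) for one IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError(f"{addr} is not IPv4")
    if ip == UNSPECIFIED:
        return ("unspecified", "any/none: default-route source, DHCP DISCOVER")
    if ip == LIMITED_BROADCAST:
        return ("limited broadcast", "one-hop broadcast: DHCP")
    for name, net, hint in SPECIAL_V4:
        if ip in net:
            return (name, hint)
    return ("public", "globally routable")


# Constructed interface inventory, one "hostname address" pair per line.
INVENTORY = [
    "ws01 169.254.12.7",
    "ws02 192.168.1.42",
    "edge-wan 100.64.3.9",
    "lab-router 203.0.113.7",
    "dns-probe 1.1.1.1",
]


def triage(inventory: list) -> list:
    """Flag every host whose address is neither ordinary private nor public."""
    findings = []
    for line in inventory:
        host, addr = line.split()
        category, hint = classify_v4(addr)
        if category not in ("RFC1918", "public"):
            findings.append((host, category, hint))
    return findings


if __name__ == "__main__":
    for host, category, hint in triage(INVENTORY):
        print(f"{host:<12} {category:<16} {hint}")
```

Running it on the constructed inventory flags the APIPA workstation, the CGNAT-addressed WAN interface, and a lab router sitting on a documentation prefix; the RFC 1918 and public hosts pass silently. Point the same function at a real DHCP lease export or interface dump to get the same triage in bulk.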
4) Public DNS You Can Trust — Speed vs. Safety vs. Privacy
Pick DNS resolvers for your priority: latency, security filtering, or strict privacy. Beware “free” resolvers that monetize query logs.
| Provider | IPv4 | IPv6 | What Stands Out |
|---|---|---|---|
| Cloudflare | 1.1.1.1 / 1.0.0.1 | 2606:4700:4700::1111 / ::1001 | Fast, privacy-first, DoH/DoT support |
| Google | 8.8.8.8 / 8.8.4.4 | 2001:4860:4860::8888 / ::8844 | Huge anycast footprint, rock-solid |
| Quad9 | 9.9.9.9 / 149.112.112.112 | 2620:fe::fe / ::9 | Malware/phishing blocklists by default |
| OpenDNS (Cisco) | 208.67.222.222 / .220.220 | 2620:119:35::35 | Policy filtering & enterprise features |
| AdGuard | 94.140.14.14 / .15.15 | 2a10:50c0::ad1:ff / ::ad2:ff | Ad/tracker blocking resolvers |
Quick pick: Low-latency privacy? 1.1.1.1. Family safety with blocklists? Quad9. Enterprise policy and logging? OpenDNS.
5) IPv6 Essentials — Dual-Stack Like a Pro
IPv6 isn’t “nice to have” anymore; it’s the only way to scale addressing cleanly. Start in dual-stack and own your policy.
| Type | Range | What It’s For |
|---|---|---|
| Unspecified | :: | Equivalent of 0.0.0.0 |
| Loopback | ::1 | Equivalent of 127.0.0.1 |
| Link-local | fe80::/10 | Per-interface local comms (not routed) |
| ULA (private) | fc00::/7 (use fd00::/8) | Private IPv6 (RFC 4193) |
| Documentation | 2001:db8::/32 | Examples only (RFC 3849) |
Why link-locals matter: Every interface gets an fe80::—they underpin NDP (IPv6 neighbor discovery, the ARP equivalent). Logging them helps with L2/L3 triage.
Deployment choices:
- SLAAC (stateless autoconfig) for simplicity; add RA options for DNS.
- DHCPv6 where you need reservations and inventory.
- Use ULA internally and GUA (global unicast) from your ISP for Internet-facing subnets.
- Enforce IPv6 parity in firewalls and ACLs—don’t leave it “wide open” while locking down IPv4.
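The "use ULA internally" choice is only safe against future mergers if the prefix is actually generated the way RFC 4193 describes, with a random 40-bit Global ID, rather than hand-picked as fd00:1::/48. The block below is an added example, not code from the original cheat sheet: it builds a ULA /48 per RFC 4193 using Python's standard ipaddress and secrets modules, carves a /64 per VLAN using the VLAN ID as the 16-bit Subnet ID (a common convention, assumed here rather than mandated by the RFC), and classifies addresses against the IPv6 table above.

```python
import ipaddress
import secrets
from typing import Optional

ULA = ipaddress.ip_network("fc00::/7")          # whole ULA block (RFC 4193)
ULA_LOCAL = ipaddress.ip_network("fd00::/8")    # L bit = 1: locally assigned; the half to use
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
DOC_V6 = ipaddress.ip_network("2001:db8::/32")  # RFC 3849


def generate_ula_prefix(global_id: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """Build an fdxx:xxxx:xxxx::/48 ULA prefix per RFC 4193.

    Layout: fc00::/7 with the L bit set (0xfd), a 40-bit pseudo-random
    Global ID, a 16-bit Subnet ID (zero here), and a 64-bit Interface ID.
    The random Global ID is what keeps two merged organisations from colliding.
    """
    if global_id is None:
        global_id = secrets.token_bytes(5)
    if len(global_id) != 5:
        raise ValueError("Global ID must be exactly 40 bits (5 bytes)")
    packed = bytes([0xFD]) + global_id + bytes(10)   # 1 + 5 + 10 = 16 bytes
    return ipaddress.ip_network((ipaddress.IPv6Address(packed), 48))


def carve_vlan_subnets(prefix: ipaddress.IPv6Network, vlan_ids: list) -> dict:
    """Give each VLAN its own /64, using the VLAN ID as the 16-bit Subnet ID."""
    if prefix.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    subnets = {}
    for vid in vlan_ids:
        if not 0 <= vid <= 0xFFFF:
            raise ValueError(f"VLAN {vid} does not fit a 16-bit Subnet ID")
        base = int(prefix.network_address) + (vid << 64)   # Subnet ID sits in bits 64..79
        subnets[vid] = ipaddress.ip_network((ipaddress.IPv6Address(base), 64))
    return subnets


def classify_v6(addr: str) -> str:
    """Name the scope of an IPv6 address using the table above."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        raise ValueError(f"{addr} is not IPv6")
    if ip == ipaddress.IPv6Address("::"):
        return "unspecified"
    if ip == ipaddress.IPv6Address("::1"):
        return "loopback"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in DOC_V6:
        return "documentation"
    if ip in ULA_LOCAL:
        return "ULA"
    if ip in ULA:
        return "ULA (fc00::/8, not defined for use)"
    if ip.is_multicast:
        return "multicast"
    if ip.is_global:
        return "GUA"
    return "other"


if __name__ == "__main__":
    site = generate_ula_prefix()
    print("site ULA prefix:", site, "->", classify_v6(str(site.network_address)))
    for vid, net in carve_vlan_subnets(site, [10, 20, 30]).items():
        print(f"VLAN {vid:>4}: {net}")
```

Generate the prefix once, record it in your documentation, and keep using it; regenerating on every deployment defeats the purpose. Passing a fixed Global ID is useful for tests and for reproducing a prefix you already own.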
6) Subnet Size Quick Reference (IPv4)
| CIDR | Usable Hosts | Typical Use |
|---|---|---|
| /30 | 2 | Router P2P links |
| /29 | 6 | Small edge segments, firewall legs |
| /28 | 14 | Compact DMZ |
| /27 | 30 | Small VLANs |
| /26 | 62 | Medium access VLANs |
| /24 | 254 | Standard access VLAN |
| /23 | 510 | Aggregated access or large VoIP/Wi-Fi |
Rule of thumb: Keep access VLANs /24 or smaller for broadcast hygiene and simpler troubleshooting. Use routing at distribution/core to contain failures.
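The CIDR tables in sections 2 and 6 are both instances of one small calculation, and the two edge cases worth remembering are exactly the ones a naive "2^(32-n) - 2" gets wrong: /31 (RFC 3021, both addresses usable) and /32 (a single host route). The following is an added example, not code from the original cheat sheet; it uses Python's standard ipaddress module, and the rfc3021 flag is an assumption of this example so you can size point-to-point links as /30 on platforms without /31 support.

```python
import ipaddress


def mask_and_usable(prefix: int) -> tuple:
    """Return (dotted-decimal mask, usable host count) for an IPv4 prefix length.

    /31 follows RFC 3021 (both addresses usable on a point-to-point link) and
    /32 is a single host route, so neither gives up the network and broadcast
    addresses that every shorter prefix loses.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    total = net.num_addresses
    usable = total if prefix >= 31 else total - 2
    return str(net.netmask), usable


def smallest_prefix_for(hosts: int, rfc3021: bool = True) -> int:
    """Longest prefix whose usable host count still covers `hosts`.

    With rfc3021=False a two-address link is sized /30, matching the /30
    convention in the tables above for platforms without /31 support.
    """
    if hosts < 1:
        raise ValueError("need at least one host")
    for prefix in range(32, -1, -1):
        if prefix == 31 and not rfc3021:
            continue
        if mask_and_usable(prefix)[1] >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in IPv4")


def reference_table(prefixes=(30, 29, 28, 27, 26, 24, 23)) -> list:
    """Rebuild the CIDR / mask / usable-hosts rows for the given prefixes."""
    return [(f"/{p}", *mask_and_usable(p)) for p in prefixes]


if __name__ == "__main__":
    for cidr, mask, usable in reference_table():
        print(f"{cidr:<4} {mask:<16} {usable:>7}")
    print("VLAN with 300 hosts ->", f"/{smallest_prefix_for(300)}")
```

smallest_prefix_for is the "size for growth" helper: feed it the expected host count plus headroom and it hands back the prefix; a 300-host VLAN lands on /23, which is also where the rule of thumb says to start routing rather than growing the broadcast domain further.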
7) Day-to-Day Playbook (What Actually Saves You Time)
- Home/Small Office: Use 192.168.1.0/24. Set DHCP scope to, say, 192.168.1.20–.200. Reserve static IPs outside that pool (APs, NAS, printers).
- Multi-site/VPN: Pick a non-overlapping plan (e.g., 10.10.0.0/16 site A, 10.20.0.0/16 site B). Don’t reuse 192.168.0.0/24 everywhere; mergers will hurt.
- NAT sanity: Avoid double NAT (ISP router + your router). Ask ISP for bridge mode or CGNAT opt-out.
- DNS slowness: Switch router resolvers to 1.1.1.1/9.9.9.9 and measure with dig +trace, drill, or namebench.
- Monitoring: Alert on DHCP scope exhaustion, gateway flaps, and DNS timeouts. 90% of “Internet is down” is one of those.
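The first two playbook items (a DHCP pool with reservations kept outside it, and a non-overlapping multi-site plan) are the kind of thing worth checking mechanically before the VPN is built. The block below is an added example, not code from the original cheat sheet: it allocates site blocks hierarchically out of 10.0.0.0/8 (the /16-per-region, /22-per-site layout the FAQ suggests), reports overlapping prefixes in a plan, and sanity-checks a DHCP scope against its reservations. SITE_PLAN and RESERVATIONS are constructed sample data, and the region/site numbering is an assumption of this example.

```python
import ipaddress
from itertools import combinations


def nth_subnet(parent: ipaddress.IPv4Network, new_prefix: int, n: int) -> ipaddress.IPv4Network:
    """The n-th /new_prefix block inside `parent`, counted from zero."""
    if new_prefix < parent.prefixlen or new_prefix > 32:
        raise ValueError(f"/{new_prefix} is not inside /{parent.prefixlen}")
    count = 2 ** (new_prefix - parent.prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"only {count} /{new_prefix} blocks fit in {parent}")
    size = 2 ** (32 - new_prefix)
    return ipaddress.ip_network((parent.network_address + n * size, new_prefix))


def allocate_site(base: str, region: int, site: int,
                  region_prefix: int = 16, site_prefix: int = 22) -> ipaddress.IPv4Network:
    """Hierarchical plan: region N is the N-th region_prefix block of `base`,
    and site M is the M-th site_prefix block inside that region."""
    region_net = nth_subnet(ipaddress.ip_network(base), region_prefix, region)
    return nth_subnet(region_net, site_prefix, site)


def check_overlaps(plan: dict) -> list:
    """Return every pair of plan entries whose prefixes overlap (VPN collisions)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def check_dhcp_scope(subnet: str, pool_start: str, pool_end: str, reservations: dict) -> list:
    """Sanity-check a DHCP pool and the static/reserved addresses around it."""
    net = ipaddress.ip_network(subnet)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not inside {net}")
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    for host, addr in reservations.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{host} {ip} is outside {net}")
        elif start <= ip <= end:
            problems.append(f"{host} {ip} is inside the DHCP pool")
    return problems


# Constructed site plan: two sites done right, two legacy branches reusing the same /24.
SITE_PLAN = {
    "site-a": "10.10.0.0/16",
    "site-b": "10.20.0.0/16",
    "branch-c": "192.168.0.0/24",
    "branch-d": "192.168.0.0/24",
}

# Constructed SOHO scope: pool .20-.200 with reservations meant to sit outside it.
RESERVATIONS = {"ap-1": "192.168.1.10", "nas": "192.168.1.50", "printer": "192.168.1.250"}


if __name__ == "__main__":
    print("region 1, site 3 ->", allocate_site("10.0.0.0/8", region=1, site=3))
    print("overlaps:", check_overlaps(SITE_PLAN))
    for problem in check_dhcp_scope("192.168.1.0/24", "192.168.1.20", "192.168.1.200", RESERVATIONS):
        print("DHCP:", problem)
```

On the constructed data it reports the two branches sharing 192.168.0.0/24 and the NAS reservation that landed inside the pool; the correctly planned sites and the reservations outside the pool produce nothing. Run check_overlaps over the combined plans of both organisations before a merger and the collisions show up on paper instead of in the tunnel.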
8) Security & Governance — Easy Wins Most Shops Miss
- Segmentation by function: User, server, IoT, guest—all separate VLANs/subnets. Apply default-deny between them.
- Firewall parity: Mirror IPv4 policy in IPv6. Don’t leave IPv6 as a backdoor.
- DNS hygiene: Prefer DoT/DoH for privacy; consider DNSSEC-validating resolvers.
- Logging & audit: Centralize DHCP/DNS logs; they are your Forensics 101.
- MAC spoofing awareness: Tie DHCP reservations to MAC + 802.1X/MPSK where feasible.
- Edge hardening: Disable unused services; rate-limit ICMP/ND where sensible; protect control-plane (SSH/API) with ACLs and MFA.
9) IPv6 Rollout Checklist (Dual-Stack Without Drama)
- Obtain an IPv6 prefix from ISP (e.g., /56 or /48).
- Enable IPv6 on WAN; verify SLAAC and DHCPv6-PD (prefix delegation).
- Advertise ULA internally; enable RA with DNS options.
- Duplicate firewall policy in IPv6; test with ping -6, traceroute -6, curl -6.
- Validate apps (mail, web, VPN) for IPv6 reachability and logs.
- Update monitoring (SNMPv3 over v6, Prometheus targets).
- Document. Future-you will say thanks.
10) Common Pitfalls (and How to Avoid Them)
- Reusing 192.168.0.0/24 everywhere → Collisions across VPNs. Assign site-unique blocks.
- Letting DHCP “run wild” → Static-needing devices collide. Reserve and document.
- Ignoring IPv6 → ISP flips a switch, your firewall doesn’t. Turn it on and manage it.
- Over-subnetting for “simplicity” → Giant /16 access VLANs balloon broadcasts and blast radii. Route instead.
- Mystery latency → MTU/MSS issues over tunnels; set MSS clamping on VPN interfaces.
- NTP neglect → Out-of-sync clocks break Kerberos, logs, TLS. Always set NTP.
FAQs
What private range should I pick if I expect to add sites later?
Start with 10.0.0.0/8 and assign site-specific supernets (e.g., /16 per region, /22 per site). Never reuse the same /24 in two places destined to be tunnelled.
Why does my PC get 169.254.x.x?
That’s APIPA—your NIC auto-assigned because DHCP didn’t reply. Check L2 (VLANs/port), L3 (helpers), and DHCP scope health.
Which public DNS is “best”?
Depends: Cloudflare (1.1.1.1) for privacy/latency; Quad9 (9.9.9.9) for malware filtering; Google (8.8.8.8) for global robustness. Test all three from your edge.
Do I need IPv6 today?
Yes—at least enable it in dual-stack. Even without a public prefix, use ULA (fd00::/8) internally, understand NDP, and mirror your IPv4 policy. You’ll avoid rushed, risky changes later.
Quick Reference Tables (print & pin)
CIDR ↔ Mask ↔ Usable Hosts (IPv4)
/30 → 255.255.255.252 → 2
/29 → 255.255.255.248 → 6
/28 → 255.255.255.240 → 14
/27 → 255.255.255.224 → 30
/26 → 255.255.255.192 → 62
/24 → 255.255.255.0 → 254
/23 → 255.255.254.0 → 510
Special IPv6: :: (unspecified), ::1 (loopback), fe80::/10 (link-local), fd00::/8 (ULA), 2001:db8::/32 (docs)
Public DNS (IPv4/IPv6)
Cloudflare: 1.1.1.1 / 1.0.0.1 — 2606:4700:4700::1111 / ::1001
Google: 8.8.8.8 / 8.8.4.4 — 2001:4860:4860::8888 / ::8844
Quad9: 9.9.9.9 / 149.112.112.112 — 2620:fe::fe / ::9
Sources & Standards
- RFC 1918 (Private IPv4), RFC 5737 (IPv4 documentation ranges), RFC 3849 (IPv6 documentation), RFC 3021 (/31 on point-to-point), RFC 4193 (ULA).
- IANA special-purpose address registries.
- Public docs from Cloudflare, Google, Quad9, OpenDNS, AdGuard.
Pin it. Share it. And the next time someone says “the Internet is down”, you’ll know exactly where to look first.
