Validation

CIDR validation & security checks

Verify RFC compliance, flag CGNAT/bogons/multicast, detect risks before deploying.

Validate a single CIDR
Batch validate

Paste multiple CIDRs (one per line) to validate them all at once.

Common range reference

Private networks (RFC 1918)

10.0.0.0/8Class A privateRoutable in private nets
172.16.0.0/12Class B privateRoutable in private nets
192.168.0.0/16Class C privateRoutable in private nets

Special-use ranges

100.64.0.0/10CGNAT (RFC 6598)ISP carrier-grade NAT
169.254.0.0/16Link-local (RFC 3927)Auto-config only
127.0.0.0/8LoopbackLocal host only
224.0.0.0/4MulticastMulticast group only
240.0.0.0/4Reserved (Class E)Do not use
192.0.2.0/24TEST-NET-1 (RFC 5737)Documentation only

IPv6 special ranges

::1/128LoopbackLocal host only
fe80::/10Link-localLocal link only
fc00::/7Unique local (ULA)Private IPv6
2001:db8::/32Documentation (RFC 3849)Examples only
ff00::/8MulticastGroup addressing

What gets validated

This is the safety check that catches the boring-but-painful bugs. The validator inspects a CIDR against a battery of RFC compliance rules and well-known reserved-range checks. It flags:

When to use bulk validation

The single-CIDR validator is for spot-checking. The bulk validator takes a list of CIDRs and runs every check against each one — useful for auditing an existing network design, validating a firewall rule import, or screening an IP allowlist before deployment. Paste a list, get back a pass/warn/fail per line.

If you find conflicts between subnets (overlap, containment), the overlap tool in the main calculator handles pairwise checks, and the IPAM tool tracks an inventory and flags new conflicts as you add allocations.

Background reading

For the differences between the RFC 1918 private ranges and RFC 6598 CGNAT space (a common source of validation failures), see RFC 1918 vs RFC 6598. For the more obscure reserved ranges that show up in surprising places, bogon IP ranges covers the lot. If your validation surfaced a real overlap in production, troubleshooting overlapping CIDRs is the recovery playbook.

Related tools

CIDR Calculator
Inspect or run overlap checks on single blocks.
IPAM
Inventory and conflict tracking at scale.
Visualize
See validation problems on a topology diagram.
Learn
Lessons on RFC categories and special ranges.

Frequently asked questions

What does CIDR validation actually check?

The validator runs each CIDR through a battery of RFC compliance checks: host bits set in the input, reserved ranges (Class E, multicast, loopback, link-local), private vs public classification, CGNAT detection, TEST-NET ranges, and edge cases like /31 and /32. The bulk validator runs the same checks against an entire list at once.

Why does the validator warn about 100.64.0.0/10?

Because 100.64.0.0/10 is the CGNAT range reserved under RFC 6598 for Internet Service Providers, not for enterprise networks. Using CGNAT space in your own network can collide with your ISP's NAT and cause unpredictable routing. The validator flags it so you do not deploy a network that may conflict in production.

What is the difference between a bogon and a martian IP?

A bogon is an IP address that should not appear on the public internet — including unallocated ranges, reserved ranges, and addresses from RFC 1918 private space. A martian is a stricter category: an IP that should not appear as a packet source or destination in normal routing. All martians are bogons; not all bogons are martians. The validator flags both categories.

Can I validate an entire list of CIDRs at once?

Yes. The bulk validator on this page accepts a newline-separated list and returns pass/warn/fail results for each entry. Use it for auditing firewall rule imports, validating IP allowlists before deployment, or screening a network design.