Private vs Public IP Addresses

1. The Two Worlds of IPv4 Addressing

Every IPv4 address falls into one of two fundamental categories: private or public. Understanding the distinction is essential — it explains why your home network uses addresses like 192.168.1.x, why those addresses can never be reached directly from the internet, and why NAT exists at all.

The IPv4 address space contains approximately 4.3 billion addresses (2³²). That sounds enormous, but with billions of internet-connected devices worldwide it is nowhere near enough to give every device a unique globally routable address. The solution, formalised in RFC 1918 (1996), was to designate three ranges of addresses as private — reserved exclusively for use inside organisations, never routed on the public internet — and to use NAT to translate between private and public addresses at the network boundary.

| Characteristic | Private IP Address | Public IP Address |
|---|---|---|
| Defined by | RFC 1918 | IANA and Regional Internet Registries (RIRs) |
| Globally routable? | No — ISPs drop packets with private source/destination IPs | Yes — routable across the public internet |
| Uniqueness requirement | Unique only within your own organisation; multiple organisations can use the same private range simultaneously | Globally unique — no two devices on the internet share the same public IP at the same time |
| Cost | Free — use as many as you need internally | Allocated / leased from ISPs or RIRs; IPv4 public addresses are a scarce, expensive resource |
| Internet access | Requires NAT to reach the internet | Can communicate directly with any internet host |
| Typical use | Internal LANs, offices, homes, data centres | Web servers, ISP infrastructure, internet-facing services |

2. RFC 1918 — The Three Private Address Ranges

RFC 1918 ("Address Allocation for Private Internets") defines exactly three IPv4 address blocks as private. These are the only RFC 1918 private ranges — every other address in the IPv4 space is either public or reserved for a special purpose.

| Range | CIDR Notation | Subnet Mask | Address Count | Class Origin | Common Uses |
|---|---|---|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | 255.0.0.0 | 16,777,216 (≈ 16.7 million) | Class A | Large enterprise networks, data centres, cloud VPCs, network-of-networks (e.g., 10.x.x.x per site) |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | 255.240.0.0 | 1,048,576 (≈ 1 million) | Class B | Medium-sized enterprises, Docker default bridge network (172.17.0.0/16), some ISP internal infrastructure |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | 255.255.0.0 | 65,536 | Class C | Home routers (192.168.0.x or 192.168.1.x), small offices, the most widely recognised private range |

  The three RFC 1918 private blocks visualised within the IPv4 space:

  0.0.0.0                                               255.255.255.255
  ├─────────────────────────────────────────────────────────────────────┤
  │                     Full IPv4 Address Space                         │
  └─────────────────────────────────────────────────────────────────────┘
       │                       │                    │
       ▼                       ▼                    ▼
  ┌──────────┐          ┌────────────┐        ┌──────────────┐
  │10.0.0.0/8│          │172.16.0.0  │        │192.168.0.0   │
  │  ~16.7M  │          │   /12      │        │    /16       │
  │addresses │          │  ~1M addrs │        │  ~65K addrs  │
  └──────────┘          └────────────┘        └──────────────┘
  Class A private        Class B private        Class C private
  (1 huge block)         (16 class B blocks)    (256 class C blocks)
CCNA exam tip — memorise the three ranges:
10.0.0.0/8      — just remember "10 slash 8"
172.16.0.0/12 — 172.16 through 172.31 (12 bits of network)
192.168.0.0/16 — the "home network" range everyone recognises

A common exam trap: 172.15.x.x and 172.32.x.x are NOT private — they fall outside the /12 boundary. Only 172.16.x.x through 172.31.x.x are private.

Why Multiple Private Ranges?

The three ranges offer flexibility for different network sizes. A small home or office needs only a handful of addresses — 192.168.x.x is ideal. A large enterprise or cloud provider managing hundreds of thousands of internal devices needs the vast space of 10.0.0.0/8, which can be sub-divided into thousands of subnets. The 172.16.0.0/12 range sits between the two in scale.

3. Why Private Addresses Cannot Be Routed on the Internet

Private addresses are not globally unique. Your home router and your neighbour's home router almost certainly both use 192.168.1.0/24 internally. A company's head office and its branch office may both use 10.10.x.x. This deliberate re-use is the whole point of private addressing — it multiplies the effective address space enormously.

However, this re-use creates an insurmountable problem for internet routing: if a packet with destination 192.168.1.10 arrived at an internet router, there would be no way to know which of the millions of networks using 192.168.1.0/24 the packet was intended for. The internet routing system relies on globally unique addresses to deliver packets to the right destination — an ambiguous private address makes that impossible.

  Why private addresses cannot be internet-routed:

  Organisation A                  The Internet               Organisation B
  ─────────────                   ───────────                ─────────────
  192.168.1.10 (PC-A)                                        192.168.1.10 (PC-B)
       │                                                           │
  [Router A]─── 203.0.113.1 ─── [Internet] ─── 198.51.100.1 ─── [Router B]

  If PC-A sends a packet to 192.168.1.10:
  → Router A has no route to 192.168.1.0/24 on the internet
  → Even if it did, is the destination PC-B or one of billions
    of other hosts also at 192.168.1.10 worldwide?
  → Ambiguity is unresolvable — routing is impossible

  RFC 1918 solution:
  ISPs configure their border routers to DROP any packet whose
  source or destination is an RFC 1918 address. These routes are
  never advertised into BGP / the global routing table.

  The fix: NAT translates private → public at the network boundary,
  giving packets a globally unique source address before they
  enter the internet.
ISP filtering: Internet Service Providers implement ingress filtering (often described in BCP 38) that drops packets arriving from customer connections with RFC 1918 source addresses. Even if a private-addressed packet somehow escaped a local network, no ISP router would forward it. Private addresses are effectively invisible to the public internet.

4. Private Addresses and NAT — The Connection

Because private addresses are non-routable on the internet, any device with a private IP address that needs internet access must go through Network Address Translation (NAT). NAT runs on the border router or firewall and translates the private source address in outbound packets to a public IP address — one that the internet can route back to.

  How NAT bridges private and public addressing:

  Private network (RFC 1918)        Border Router (NAT)      Internet (public)
  ──────────────────────────        ───────────────────      ─────────────────
  PC:  192.168.1.10   ──────────►  Inside interface:         Outside interface:
  (Inside Local addr)               192.168.1.1               203.0.113.1
                                   (ip nat inside)            (ip nat outside)
                                          │
                                          │  NAT translation:
                                          │  Src 192.168.1.10 → 203.0.113.1
                                          │
                                          ▼
                                   Packet on internet:
                                   Src: 203.0.113.1   ──────────► Dst: 8.8.8.8
                                   (publicly routable)

  Return traffic:
  Src: 8.8.8.8 → Dst: 203.0.113.1
  NAT router looks up translation table → delivers to 192.168.1.10

The three NAT types each handle this private-to-public translation differently:

| NAT Type | Mapping | Best For |
|---|---|---|
| Static NAT | One private IP ↔ one fixed public IP (permanent) | Servers that must accept inbound internet connections |
| Dynamic NAT | Private IP ↔ one address from a public pool (temporary) | Outbound-only access with a pool of public IPs |
| PAT / Overload | Many private IPs → one public IP (via port numbers) | Outbound-only access; maximum address conservation |

5. IANA-Reserved Special Address Ranges

Beyond RFC 1918 private addresses, the Internet Assigned Numbers Authority (IANA) has reserved several other address blocks for specific technical purposes. None of these are routable on the public internet, and none should be assigned to normal hosts. Understanding them prevents configuration mistakes and is tested on the CCNA exam.

| CIDR | Address Range | Purpose | RFC |
|---|---|---|---|
| 0.0.0.0/8 | 0.0.0.0 – 0.255.255.255 | "This network" / unspecified address. Used as source IP in DHCP Discover (client has no address yet). Not assignable. | RFC 1122 |
| 10.0.0.0/8 | 10.0.0.0 – 10.255.255.255 | RFC 1918 private range (Class A) | RFC 1918 |
| 100.64.0.0/10 | 100.64.0.0 – 100.127.255.255 | Shared Address Space — used by ISPs for Carrier-Grade NAT (CGN/CGNAT). Not routable on the public internet and not for private network use. | RFC 6598 |
| 127.0.0.0/8 | 127.0.0.0 – 127.255.255.255 | Loopback — traffic sent here stays on the local host and never leaves the NIC. 127.0.0.1 is the standard loopback address. | RFC 1122 |
| 169.254.0.0/16 | 169.254.0.0 – 169.254.255.255 | Link-Local / APIPA — self-assigned by a host when DHCP fails. Not routable; only valid on the local link segment. | RFC 3927 |
| 172.16.0.0/12 | 172.16.0.0 – 172.31.255.255 | RFC 1918 private range (Class B) | RFC 1918 |
| 192.0.0.0/24 | 192.0.0.0 – 192.0.0.255 | IETF Protocol Assignments — reserved for protocol testing and documentation. Not for general use. | RFC 6890 |
| 192.0.2.0/24 | 192.0.2.0 – 192.0.2.255 | TEST-NET-1 — documentation and example use only (used in RFCs and textbooks). Never assigned to real hosts. | RFC 5737 |
| 192.168.0.0/16 | 192.168.0.0 – 192.168.255.255 | RFC 1918 private range (Class C) | RFC 1918 |
| 198.18.0.0/15 | 198.18.0.0 – 198.19.255.255 | Benchmarking — for network device performance testing. Not routable. | RFC 2544 |
| 198.51.100.0/24 | 198.51.100.0 – 198.51.100.255 | TEST-NET-2 — documentation and example use only. | RFC 5737 |
| 203.0.113.0/24 | 203.0.113.0 – 203.0.113.255 | TEST-NET-3 — documentation and example use only. You will see this range in RFCs, textbooks, and labs (including this site). | RFC 5737 |
| 224.0.0.0/4 | 224.0.0.0 – 239.255.255.255 | Multicast — addresses for one-to-many group communication. Not assignable as host addresses. | RFC 5771 |
| 240.0.0.0/4 | 240.0.0.0 – 255.255.255.254 | Reserved for future use (Class E). Not used in practice. | RFC 1112 |
| 255.255.255.255/32 | 255.255.255.255 | Limited broadcast — sent to all hosts on the local segment. Not routed by any router. | RFC 919 |

Documentation addresses (TEST-NET): The three ranges 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 are specifically set aside for use in examples, documentation, and labs. You will see them throughout this site and in Cisco learning materials. If you ever see these addresses in a real network, someone has made a configuration error — they should never appear in production.

6. Special Addresses You Must Know — Loopback and APIPA

6.1 Loopback — 127.0.0.1

The entire 127.0.0.0/8 block is reserved for loopback. Any packet sent to an address in this range is processed entirely within the local host's network stack — it never leaves the device, not even to the physical NIC. The address 127.0.0.1 is the universally recognised loopback address, often called localhost.

  Loopback use cases:

  1. Testing the local TCP/IP stack:
     ping 127.0.0.1
     → If this responds, the host's IP stack is functioning correctly.
     → If this fails, there is a fundamental OS networking problem.

  2. Local service communication:
     A web server and database on the same host communicate via 127.0.0.1
     without traffic ever hitting the physical network.

  3. Cisco router loopback interfaces:
     Router(config)# interface loopback 0
     Router(config-if)# ip address 10.0.0.1 255.255.255.255
     → Always up as long as the router is running (no physical link to fail)
     → Used as stable router IDs for OSPF, BGP, and management access
Cisco loopback interfaces vs the loopback address: Cisco routers use logical loopback interfaces (e.g., interface loopback 0) which are typically assigned private or public IP addresses — not necessarily 127.0.0.1. These are different from the OS-level loopback address. The Cisco loopback interface is simply a virtual interface that never goes down, used for stability in routing protocols.

6.2 APIPA — 169.254.0.0/16

APIPA (Automatic Private IP Addressing), also called link-local addressing (RFC 3927), is the mechanism by which a Windows or macOS host self-assigns an IP address when it fails to receive a response from a DHCP server. The host randomly selects an address in the 169.254.0.0/16 range and uses ARP to verify it is not already in use on the local segment.

  APIPA address characteristics:

  Range:   169.254.0.0 – 169.254.255.255  (/16)
  Mask:    255.255.0.0
  Gateway: None (no default gateway is configured with APIPA)
  DNS:     None

  What APIPA means in practice:
  ┌────────────────────────────────────────────────────────────┐
  │  Host receives 169.254.x.x                                 │
  │  → DHCP server was not reachable                           │
  │  → Host CAN communicate with other APIPA hosts on the      │
  │    same segment (same 169.254.0.0/16)                      │
  │  → Host CANNOT reach any other subnet                      │
  │  → Host CANNOT reach the internet                          │
  │  → No default gateway = no routing beyond local segment    │
  └────────────────────────────────────────────────────────────┘

  Diagnosis: an APIPA address on a workstation almost always means
  a DHCP problem — check the DHCP server, pool exhaustion,
  ip helper-address configuration, and physical connectivity.

7. Public IP Addresses — Allocation and Assignment

Public IP addresses are globally unique, IANA-managed addresses that are routable across the internet. IANA allocates large blocks to five Regional Internet Registries (RIRs), which in turn allocate smaller blocks to ISPs and large organisations. End users and businesses typically receive public IPs by leasing them from their ISP.

| RIR | Full Name | Region Served |
|---|---|---|
| ARIN | American Registry for Internet Numbers | North America, parts of the Caribbean |
| RIPE NCC | Réseaux IP Européens Network Coordination Centre | Europe, Middle East, Central Asia |
| APNIC | Asia-Pacific Network Information Centre | Asia-Pacific |
| LACNIC | Latin America and Caribbean Network Information Centre | Latin America, Caribbean |
| AFRINIC | African Network Information Centre | Africa |

How Public IPs Are Assigned to End Users

  IANA
    │  Allocates large blocks (e.g., /8 or larger)
    ▼
  Regional Internet Registry (e.g., RIPE NCC for Middle East)
    │  Allocates smaller blocks (e.g., /16 or /24) to ISPs
    ▼
  ISP (Internet Service Provider)
    │  Assigns individual IPs or small blocks to customers
    ▼
  Customer / Organisation
    │  One public IP (for home/SMB, shared via PAT)
    │  Or a block of IPs (for larger orgs with servers)
    ▼
  End devices use public IP(s) directly (servers, firewalls)
  or access internet via NAT/PAT from private addresses

Static vs Dynamic Public IP Assignment

| Type | Description | Typical User |
|---|---|---|
| Static public IP | A fixed public IP permanently assigned to a customer. Never changes unless manually updated. Required for hosting public-facing services (web, mail, VPN). | Businesses, data centres, VPN endpoints, hosted servers |
| Dynamic public IP | A public IP assigned by the ISP via DHCP when the customer's router connects. May change each time the router reconnects or on a periodic schedule set by the ISP. | Home users, small offices — cost-effective; no hosting needs |

IPv4 exhaustion: All five RIRs have exhausted their free pools of IPv4 addresses. New public IPv4 addresses are effectively unavailable for most new allocations — existing addresses are transferred on a secondary market. This scarcity is a key driver of IPv4 address prices and the push toward IPv6 adoption, where the address space is astronomically larger.

8. When Public IPs Are Assigned Directly to Hosts

While most end-user devices use private addresses behind NAT, there are scenarios where a device receives a public IP address directly, without any NAT between it and the internet.

| Scenario | Why a Public IP Is Used Directly |
|---|---|
| Internet-facing web or mail server | Must be reachable by any host on the internet via a fixed, known public IP. NAT is not practical for high-volume inbound connections from arbitrary sources. |
| ISP CPE (Customer Premises Equipment) | The WAN interface of a home router or business gateway receives a public IP from the ISP. All internal devices share it via PAT. |
| ISP backbone infrastructure | Routers and links within the ISP's own network use public IPs (or the Shared Address Space 100.64.0.0/10 for CGNAT deployments). |
| Cloud virtual machines | A cloud instance (AWS EC2, Azure VM) can be assigned a public "Elastic IP" or public IPv4 directly. It may also have a private IP for internal VPC communication. |
| VPN endpoints | IPsec or other VPN tunnel endpoints need public IPs so peers can establish tunnels from the internet. |
| DNS / NTP / CDN infrastructure | Servers that must be universally reachable (e.g., 8.8.8.8 for Google DNS) are assigned public IPs directly. |

  Comparison — private behind NAT vs public IP directly:

  Home / SMB (typical):
  [PC 192.168.1.10] → [Home Router NAT 203.0.113.1] → Internet
   Private IP            Public IP on WAN port
   (RFC 1918)            (ISP-assigned, shared by all home devices via PAT)

  Hosted web server:
  [Server 203.0.113.50] ──────────────────────────────► Internet
   Public IP directly on NIC — no NAT involved
   Internet users reach it at 203.0.113.50 directly

  Large enterprise DMZ:
  [Web Server 192.168.100.10] → [Firewall Static NAT] → [203.0.113.50] → Internet
   Private IP on server         Firewall translates      Public IP seen by internet
   (easier to manage internally) inbound/outbound

9. Carrier-Grade NAT (CGNAT) — Running Out of Public IPs

With IPv4 public addresses exhausted, many ISPs now practice Carrier-Grade NAT (CGNAT), also called Large-Scale NAT (LSN). Instead of giving each customer a unique public IP, the ISP shares a single public IP across multiple customers simultaneously — adding a second layer of NAT on top of the customer's own home NAT.

  Double NAT — CGNAT architecture:

  Your PC               Home Router              ISP CGNAT Router        Internet
  ──────                ───────────              ────────────────        ────────
  192.168.1.10  ──PAT──► 100.64.x.x  ──────PAT──► 203.0.113.1  ────────► 8.8.8.8
  (RFC 1918)             (RFC 6598)               (public IP)
                         Shared Address            Shared across
                         Space — assigned          many customers
                         by ISP to CPE

  Your PC's traffic appears to the internet as coming from 203.0.113.1,
  shared with possibly hundreds of other customers.

  Implications of CGNAT:
  → Port forwarding for home servers becomes extremely difficult or impossible
  → Some online games and P2P applications break or degrade
  → Logging and law enforcement tracing requires ISP cooperation
  → The CGNAT range 100.64.0.0/10 (RFC 6598) is NOT RFC 1918 — it is a
    separate reservation specifically for ISP internal use
The long-term solution is IPv6. With 128-bit addresses providing 340 undecillion unique addresses, every device can have a globally unique public IPv6 address — making NAT largely unnecessary. CGNAT is an expensive stopgap that adds complexity, latency, and operational cost.
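
The PAT mapping from section 4 and the double NAT from this section, as an added simulation that is not code from this site or from any router vendor. The class and function names, the customer names, the 100.64.10.x CPE addresses and the port numbers are assumptions made for illustration; the table is keyed only on the inside address and port, whereas real devices also track protocol and timeouts.

```python
from itertools import count


class PatRouter:
    """Minimal PAT (NAT overload): many inside sockets share one outside IP."""

    def __init__(self, name, outside_ip, first_port):
        self.name = name
        self.outside_ip = outside_ip
        self._ports = count(first_port)   # next free outside port
        self.out_map = {}                 # (inside_ip, inside_port) -> outside_port
        self.in_map = {}                  # outside_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port):
        """Translate an outbound source socket, creating a mapping if needed."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            port = next(self._ports)
            self.out_map[key] = port
            self.in_map[port] = key
        return self.outside_ip, self.out_map[key]

    def inbound(self, dst_port):
        """Inside socket for return traffic, or None when no mapping exists.

        None models an unsolicited inbound packet: PAT has nowhere to send it.
        """
        return self.in_map.get(dst_port)


def send_out(path, src_ip, src_port):
    """Pass a source socket through each NAT on the way to the internet."""
    for router in path:
        src_ip, src_port = router.outbound(src_ip, src_port)
    return src_ip, src_port


def trace(cgnat, cpe_by_ip, public_port):
    """Resolve a public port to (customer, inside socket) using BOTH tables."""
    hop = cgnat.inbound(public_port)
    if hop is None:
        return None
    cpe_ip, cpe_port = hop
    cpe = cpe_by_ip[cpe_ip]
    return cpe.name, cpe.inbound(cpe_port)


def demo():
    # Constructed topology: two customers behind one CGNAT public address.
    cgnat = PatRouter("ISP-CGNAT", "203.0.113.1", first_port=20000)
    home_a = PatRouter("Customer-A", "100.64.10.2", first_port=1024)
    home_b = PatRouter("Customer-B", "100.64.10.3", first_port=1024)
    cpe_by_ip = {r.outside_ip: r for r in (home_a, home_b)}

    # Both customers reuse the same RFC 1918 address and source port.
    pub_a = send_out([home_a, cgnat], "192.168.1.10", 50000)
    pub_b = send_out([home_b, cgnat], "192.168.1.10", 50000)

    return {
        "pub_a": pub_a,                           # same public IP ...
        "pub_b": pub_b,                           # ... only the port differs
        "trace_a": trace(cgnat, cpe_by_ip, pub_a[1]),
        "trace_b": trace(cgnat, cpe_by_ip, pub_b[1]),
        "unsolicited": cgnat.inbound(443),        # no mapping -> dropped
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

Both customers leave with the same public address, so the remote server sees only 203.0.113.1 and a port; mapping that back to a customer needs the CGNAT table held by the ISP, and mapping it to a device needs the customer's own table as well.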

10. Identifying Address Types — Quick Reference

Given any IPv4 address, you should be able to instantly classify it. Here is a rapid identification guide for the CCNA exam and real-world troubleshooting:

  Address identification flowchart:

  Given an IPv4 address — what type is it?

  Starts with 10.           → RFC 1918 private (Class A)
  Starts with 172.16–172.31 → RFC 1918 private (Class B)
  Starts with 192.168.      → RFC 1918 private (Class C)
  Starts with 127.          → Loopback (never leaves the host)
  Starts with 169.254.      → APIPA / Link-local (DHCP failed)
  Starts with 100.64–100.127→ CGNAT Shared Address Space (RFC 6598)
  Starts with 0.            → "This network" / unspecified (DHCP Discover src)
  Starts with 224–239.      → Multicast
  Starts with 240–255.      → Reserved (Class E, not used)
  192.0.2.x, 198.51.100.x,
  203.0.113.x               → Documentation / TEST-NET (never in production)
  255.255.255.255           → Limited broadcast
  Anything else             → Public (globally routable)

| Address | Type | Routable on Internet? | Notes |
|---|---|---|---|
| 10.5.20.1 | RFC 1918 Private | No | Needs NAT to reach internet |
| 172.16.0.1 | RFC 1918 Private | No | Needs NAT to reach internet |
| 172.32.0.1 | Public | Yes | Outside the /12 private range — this is a public address |
| 192.168.100.5 | RFC 1918 Private | No | Needs NAT to reach internet |
| 127.0.0.1 | Loopback | No | Stays on local host, never transmitted |
| 169.254.10.5 | APIPA / Link-local | No | DHCP failure; local segment only |
| 100.72.0.1 | CGNAT Shared Space | No | ISP internal / CGNAT use only (RFC 6598) |
| 203.0.113.1 | Documentation (TEST-NET-3) | No (reserved) | For examples/docs only; never assigned in production |
| 8.8.8.8 | Public | Yes | Google DNS — globally routable |
| 224.0.0.5 | Multicast | Limited | OSPF All-Routers multicast address; not a host address |
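
The flowchart above as a classifier, applied to the border filtering described in section 3: an added example, not code from this site. The function names, the labels and the sample flow records are constructed for illustration; the address blocks are the ones listed in sections 5 and 10.

```python
import ipaddress

# Blocks and labels follow the section 5 table and the section 10 flowchart.
# The /32 broadcast entry comes before 240.0.0.0/4, which also contains it.
SPECIAL_BLOCKS = [
    ("255.255.255.255/32", "Limited broadcast"),
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("127.0.0.0/8", "Loopback"),
    ("169.254.0.0/16", "APIPA / link-local"),
    ("100.64.0.0/10", "CGNAT shared space"),
    ("0.0.0.0/8", "This network"),
    ("192.0.0.0/24", "IETF protocol assignments"),
    ("192.0.2.0/24", "Documentation (TEST-NET-1)"),
    ("198.51.100.0/24", "Documentation (TEST-NET-2)"),
    ("203.0.113.0/24", "Documentation (TEST-NET-3)"),
    ("198.18.0.0/15", "Benchmarking"),
    ("224.0.0.0/4", "Multicast"),
    ("240.0.0.0/4", "Reserved (Class E)"),
]
NETWORKS = [(ipaddress.ip_network(cidr), label) for cidr, label in SPECIAL_BLOCKS]


def classify(addr):
    """Return the page's category for a dotted-quad IPv4 address."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    for net, label in NETWORKS:
        if ip in net:  # prefix match, so 172.15.x.x and 172.32.x.x fall through
            return label
    return "Public"


def non_public_sources(flows):
    """Flows seen on an internet-facing interface whose source is not public.

    Mirrors the border filtering in section 3: a packet arriving from the
    internet with one of these source addresses should be dropped.
    """
    flagged = []
    for src, _dst, _dport in flows:
        label = classify(src)
        if label != "Public":
            flagged.append((src, label))
    return flagged


# Constructed sample flows (src, dst, dst_port); not captured traffic.
SAMPLE_FLOWS = [
    ("8.8.8.8", "203.0.113.50", 443),
    ("192.168.1.10", "203.0.113.50", 443),
    ("172.15.255.255", "203.0.113.50", 25),   # just below the /12: public
    ("172.31.255.255", "203.0.113.50", 25),   # last private address in the /12
    ("172.32.0.1", "203.0.113.50", 25),       # just above the /12: public
    ("100.72.0.1", "203.0.113.50", 22),
    ("169.254.10.5", "203.0.113.50", 80),
]

if __name__ == "__main__":
    for src, label in non_public_sources(SAMPLE_FLOWS):
        print(f"drop  src={src:<16} {label}")
```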

Test Your Knowledge — Private vs Public IP Quiz

1. Which of the following correctly lists all three RFC 1918 private address ranges?

Correct answer is B. The three RFC 1918 ranges are 10.0.0.0/8 (~16.7 million addresses), 172.16.0.0/12 (172.16.0.0 through 172.31.255.255, ~1 million addresses), and 192.168.0.0/16 (~65,536 addresses). A common exam trap is listing 172.0.0.0/12 or using the wrong prefix length for the middle range — it is /12, not /16.

2. Is 172.32.0.1 a private address?

Correct answer is D. This is one of the most common CCNA exam traps. The RFC 1918 Class B range is 172.16.0.0/12 — which covers 172.16.x.x through 172.31.x.x only. 172.32.x.x and above are public addresses. The easiest way to remember the boundary: the last private second-octet value is 31 (16 + 15 = 31, because /12 gives 4 bits in the second octet, 2⁴ = 16 blocks of /16 starting at 172.16).

3. Why can't packets with RFC 1918 private source addresses be routed across the public internet?

Correct answer is C. RFC 1918 addresses are intentionally reused across millions of organisations worldwide. Because the same address (e.g., 192.168.1.10) exists in countless private networks simultaneously, the internet routing system has no way to deliver a packet to the "correct" destination. ISPs enforce BCP 38 ingress filtering to drop packets with private source addresses, preventing them from ever entering the global routing table.

4. A workstation boots and is assigned 169.254.33.7. What does this indicate, and what is the key limitation of this address?

Correct answer is A. The 169.254.0.0/16 range is reserved for APIPA (Automatic Private IP Addressing). A host self-assigns an address from this range only when DHCP fails — either the server is down, unreachable, or the pool is exhausted. APIPA addresses have no default gateway configured, so the host cannot communicate beyond the local network segment. Seeing 169.254.x.x is always a sign to investigate DHCP.

5. What is the purpose of the 127.0.0.0/8 address block?

Correct answer is B. The entire 127.0.0.0/8 block is reserved for loopback communication. Any packet addressed to 127.x.x.x is immediately delivered back to the sending host's own network stack — it never reaches the physical NIC or any network cable. The most well-known address in this range is 127.0.0.1 (localhost). This block is commonly used to test a host's own TCP/IP stack without needing any network infrastructure.

6. Which organisation is responsible for allocating public IPv4 address blocks to the Regional Internet Registries (RIRs)?

Correct answer is D. IANA sits at the top of the IP address allocation hierarchy. It allocates large blocks to five Regional Internet Registries: ARIN (North America), RIPE NCC (Europe/Middle East), APNIC (Asia-Pacific), LACNIC (Latin America/Caribbean), and AFRINIC (Africa). RIRs then sub-allocate to ISPs and large organisations. ARIN is one of the five RIRs, not the top-level authority.

7. What is the 100.64.0.0/10 address range used for?

Correct answer is C. RFC 6598 reserves 100.64.0.0/10 as Shared Address Space, specifically for use by ISPs implementing Carrier-Grade NAT (CGNAT). When an ISP cannot give every customer a unique public IP, it assigns addresses from this range to CPE devices and NATs them at the ISP level. This range is not one of the three RFC 1918 private ranges and should not be used inside private enterprise networks.

8. A company has a web server at 192.168.10.50 that must be accessible from the internet. Which approach is required?

Correct answer is A. Because 192.168.10.50 is an RFC 1918 private address, it is not routable on the internet. To make the server internet-accessible, Static NAT creates a permanent one-to-one mapping between the private address and a public IP. Internet users connect to the public IP and the border device translates inbound traffic to the server's private IP. PAT (overload) does not support unsolicited inbound connections without port forwarding, making Static NAT the correct choice here.

9. Which address ranges are used for documentation and examples in RFCs and networking textbooks, and should never appear in a production network?

Correct answer is B. RFC 5737 defines three TEST-NET ranges — 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 — as documentation-only address blocks. They appear in RFCs, textbooks, vendor documentation, and on this site in configuration examples. They are explicitly not routable on the internet and should never be assigned to real hosts or used in production configurations. If you see these addresses in a live network, it is a misconfiguration.

10. What is the key difference between a static public IP and a dynamic public IP assigned by an ISP?

Correct answer is C. A static public IP remains constant — it is the same address every time the router connects to the ISP. This is essential for hosting web servers, mail servers, or VPN endpoints because external clients need a predictable, unchanging address to connect to. A dynamic public IP is reassigned by the ISP each session and is cheaper, making it suitable for home users and businesses that only need outbound internet access.
