This chapter covers RFC 1918 private IP address ranges and Automatic Private IP Addressing (APIPA)—two fundamental concepts in IPv4 networking that conserve public address space and provide fallback connectivity. For the N10-009 exam, these topics appear in roughly 5-8% of questions, often in the context of IP addressing schemes, DHCP operation, and troubleshooting connectivity. Mastering these concepts is essential for understanding how devices obtain IP addresses and how private networks interact with the public internet.
Jump to a section
Imagine a large corporation with a single public phone number (the public IP address) and thousands of employees, each with a private extension (e.g., 1001, 1002). When an employee calls out, the receptionist (NAT) logs which extension placed the call and replaces the extension with the main company number. When the response comes back, she checks the log and routes it to the correct extension. From outside, nobody can dial an employee directly—they only see the company number. The extensions are reusable across different companies because they are not globally unique. APIPA is like a temporary extension assigned automatically when the phone system fails to get a proper extension from the central directory—it lets employees call within the office but not outside. This analogy shows how private IPs conserve public addresses and provide internal connectivity, while APIPA ensures local communication when DHCP fails.
What Are RFC 1918 Private IP Addresses?
RFC 1918 defines three ranges of IPv4 addresses reserved for use within private networks. These addresses are not routable on the public internet; routers on the internet are configured to drop packets with private source or destination addresses. The three ranges are: - 10.0.0.0/8 (10.0.0.0 – 10.255.255.255): 16,777,216 addresses - 172.16.0.0/12 (172.16.0.0 – 172.31.255.255): 1,048,576 addresses - 192.168.0.0/16 (192.168.0.0 – 192.168.255.255): 65,536 addresses
Organizations use these addresses internally, and Network Address Translation (NAT) allows multiple devices to share a single public IP when accessing the internet. The exam expects you to know these ranges and their subnet masks (e.g., /8, /12, /16) by heart.
Why Private Addresses Exist
The primary reason is IPv4 address exhaustion. Without private addresses, every device would need a globally unique public IP, which is impossible. Private addresses allow reuse across different organizations because they are not globally unique. They also provide a layer of security—internal hosts are not directly reachable from the internet unless NAT or a proxy is used.
How Private Addresses Work
When a host with a private IP sends a packet to the internet, the router (usually a home gateway or enterprise border router) performs NAT. The router replaces the private source IP with its own public IP and keeps a state table. Return packets are translated back. This process is transparent to the end host. Private addresses can also be used for internal communication without NAT, such as between servers in a data center.
APIPA: Automatic Private IP Addressing
APIPA is a feature of Windows (and other OSes) that automatically assigns an IP address in the 169.254.0.0/16 range when a DHCP server is unreachable. The range is 169.254.0.1 to 169.254.255.254 with a subnet mask of 255.255.0.0. The link-local address is used for local network communication only; it is not routable. APIPA uses a random address selection and performs ARP probing to avoid conflicts.
APIPA Mechanism
When a DHCP client fails to receive a lease (after DHCPDISCOVER timeouts), it self-assigns an address from 169.254.0.0/16. It picks a random address and sends an ARP probe to see if it's already in use. If no reply, it assigns the address. If a conflict is detected, it picks another. The client continues to retry DHCP every 5 minutes (default in Windows). APIPA is defined in RFC 3927.
Interaction with DHCP
APIPA is a fallback. If DHCP later becomes available, the client will eventually get a valid lease and switch. The client does not give up DHCP entirely; it keeps trying. On Windows, you can check if APIPA is active with ipconfig. The address will show as "Autoconfiguration IPv4 Address." APIPA is common on networks where DHCP is misconfigured or the DHCP server is down.
Key Exam Values
Private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
APIPA range: 169.254.0.0/16
APIPA subnet mask: 255.255.0.0
DHCP retry interval: 5 minutes (Windows)
APIPA is not routable; it's link-local only.
Configuration and Verification
Private IPs are configured statically or via DHCP. On Cisco IOS, you might see:
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0For APIPA, no configuration is needed—it's automatic. To verify on Windows:
ipconfig /allLook for "Autoconfiguration Enabled" and "Autoconfiguration IPv4 Address." On Linux, use ip addr show or ifconfig; APIPA addresses appear as 169.254.x.x.
Interaction with Related Technologies
NAT: Required for private IPs to access the internet. Overload NAT (PAT) maps many private IPs to one public IP.
DHCP: Normally assigns private IPs. APIPA is a fallback when DHCP fails.
Routing: Private IPs are not routable on the internet. BGP routers typically filter them.
IPv6: IPv6 has link-local addresses (FE80::/10) that are similar to APIPA but always present.
Common Exam Scenarios
A user cannot access the internet but can access local resources. Check for a 169.254.x.x address.
A network uses 10.0.0.0/8 for internal devices. The exam may ask which addresses are private.
Understanding that APIPA does not provide a default gateway—only local subnet communication is possible.
Trap Patterns
Wrong range: Candidates confuse 169.254.0.0/16 with 169.254.0.0/24 or 172.16.0.0/12 with 172.16.0.0/16.
APIPA is not DHCP: APIPA is a client-side fallback, not a DHCP server feature.
APIPA is routable: It is not; it's link-local only.
Private addresses are secure: They are not inherently secure; they just aren't directly reachable from the internet without NAT.
DHCP Discovery Fails
The client broadcasts a DHCPDISCOVER message. If no DHCP server responds within a timeout (typically 1 second, with retries up to 4 times), the client assumes no DHCP server is available. The client waits for a total of about 5-10 seconds before moving to APIPA.
Client Selects Random APIPA Address
The client randomly picks an address from 169.254.0.0/16 (excluding 169.254.0.0/24 and 169.254.255.0/24 reserved ranges). It uses a pseudo-random algorithm to generate the host portion (16 bits). The chosen address is tentative.
ARP Probe for Conflict Detection
The client sends an ARP probe (ARP request with sender IP = 0.0.0.0 and target IP = the tentative address) to check if the address is already in use. It waits for an ARP reply. If no reply within 2 seconds, it retries up to 2 more times (total 3 probes).
Address Assigned if No Conflict
If no ARP reply is received after the probes, the client assigns the address to its interface. It then sends a gratuitous ARP to announce its new IP. The address is now active, but only for local subnet communication.
DHCP Retry Every 5 Minutes
The client continues to attempt DHCP discovery every 5 minutes (default in Windows). If a DHCP server responds, the client releases the APIPA address and obtains a proper lease. This ensures eventual recovery when DHCP becomes available.
Enterprise Deployment of Private IPs
In a large enterprise, private IPs from the 10.0.0.0/8 range are commonly used for internal networks. For example, a company with 50,000 employees might use 10.0.0.0/8 with VLANs and subnetting. Each department gets a /16 subnet (e.g., 10.1.0.0/16 for HR, 10.2.0.0/16 for Engineering). NAT at the border router allows internet access. A common problem is overlapping subnets when merging two companies—both might use 10.0.0.0/8, requiring re-addressing or NAT between them.
APIPA in a Corporate Environment
APIPA typically indicates a DHCP failure. For instance, if a DHCP server crashes, all clients on that subnet will eventually get 169.254.x.x addresses. Users can still print to local printers or access file shares on the same subnet (if they also have APIPA addresses) but cannot reach the internet or other subnets. Network engineers use APIPA as a diagnostic clue: if a user has a 169.254.x.x address, the first step is to check DHCP server availability and network connectivity between client and server.
Cloud and Virtualized Environments
In cloud VPCs (e.g., AWS), private IPs from RFC 1918 are used for instances. APIPA is rarely seen because cloud providers always provide DHCP. However, in on-premises virtualized environments, misconfigured virtual switches can cause APIPA. Performance is not a concern for private IPs themselves, but NAT can become a bottleneck under heavy load. Misconfiguration of ACLs can accidentally block DHCP traffic, causing widespread APIPA.
N10-009 Exam Focus
This topic falls under Objective 1.4: "Given a scenario, configure the appropriate IP addressing components." The exam tests your ability to identify private IP ranges, understand APIPA behavior, and troubleshoot related issues.
Common Wrong Answers
Confusing APIPA range with 169.254.0.0/24: The exam often includes 169.254.0.0/24 as a distractor. The correct range is /16.
Thinking APIPA is a DHCP server feature: APIPA is client-side. Candidates might choose an answer saying "DHCP server assigns 169.254.x.x when out of addresses." That is false.
Believing private IPs are secure: Private IPs are not inherently secure; they just aren't routable on the internet. An answer claiming "private IPs provide encryption" is wrong.
Mixing up 172.16.0.0/12 with 172.16.0.0/16: The /12 is correct; a /16 would exclude 172.17-172.31.
Specific Numbers and Terms
Memorize: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16.
APIPA subnet mask: 255.255.0.0.
DHCP retry interval: 5 minutes.
APIPA is defined in RFC 3927.
Edge Cases
APIPA on non-Windows: Linux and macOS also support link-local addressing (usually via Avahi or similar), but the exam focuses on Windows.
Duplicate APIPA addresses: The ARP probe makes conflicts rare but possible if two clients probe simultaneously.
APIPA with multiple interfaces: Each interface gets its own APIPA address if DHCP fails on that interface.
Eliminating Wrong Answers
If a question mentions "169.254.x.x" and an answer says "DHCP server is out of addresses," eliminate it because APIPA is not assigned by DHCP.
If a question asks for private ranges, watch for 172.16.0.0/12—a /16 is incomplete.
If a question says "APIPA provides internet connectivity," it's false; APIPA is link-local only.
Memorize the three RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
APIPA uses the 169.254.0.0/16 range with subnet mask 255.255.0.0.
APIPA is a client-side fallback when DHCP fails, not a server feature.
APIPA addresses are link-local and not routable; they do not provide internet access.
Windows clients retry DHCP every 5 minutes while using APIPA.
Private IPs are not inherently secure; they are just not publicly routable.
Common exam trap: confusing 172.16.0.0/12 with /16, and 169.254.0.0/16 with /24.
APIPA uses ARP probing to avoid address conflicts before assignment.
These come up on the exam all the time. Here's how to tell them apart.
RFC 1918 Private IPs
Used for internal networks, routable within organization.
Assigned by DHCP or static configuration.
Three ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
Can communicate with other subnets via routers.
Requires NAT for internet access.
APIPA (Link-Local)
Used as fallback when DHCP fails, link-local only.
Self-assigned by client automatically.
Single range: 169.254.0.0/16.
Can only communicate on the same subnet (no routing).
Cannot access internet; no default gateway.
Mistake
APIPA addresses are assigned by the DHCP server when it runs out of addresses.
Correct
APIPA is a client-side fallback mechanism. The DHCP server never assigns 169.254.x.x addresses. The client self-assigns after DHCP fails.
Mistake
Private IP addresses are secure because they are hidden from the internet.
Correct
Private IPs are not routable on the internet, but they do not provide encryption or authentication. Security depends on firewalls and NAT.
Mistake
The APIPA range is 169.254.0.0/24.
Correct
The correct range is 169.254.0.0/16 (subnet mask 255.255.0.0). The first and last /24 subnets are reserved but the range is /16.
Mistake
A device with an APIPA address can access the internet.
Correct
APIPA addresses are link-local and not routable. The device can only communicate with other devices on the same subnet.
Mistake
The 172.16.0.0/12 private range is actually 172.16.0.0/16.
Correct
The private range is 172.16.0.0/12, which includes 172.16.0.0 through 172.31.255.255. A /16 would only cover 172.16.0.0/16.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The APIPA range is 169.254.0.0/16 (169.254.0.1 to 169.254.255.254) with a subnet mask of 255.255.0.0. It is defined in RFC 3927. The first and last 256 addresses (169.254.0.0/24 and 169.254.255.0/24) are reserved but the overall block is /16.
Your computer has self-assigned an APIPA address because it could not reach a DHCP server. This usually happens when the DHCP server is down, the network cable is unplugged, or there is a VLAN mismatch. You can only communicate with other devices on the same subnet. Check your DHCP server and network connectivity.
No. APIPA addresses are link-local, meaning they are not routable. Routers will not forward packets with source or destination IP in the 169.254.0.0/16 range. They are only valid on a single broadcast domain.
Private IPs (RFC 1918) are used for internal networks and can be routed within an organization. They are assigned by DHCP or statically. APIPA is a temporary self-assigned address when DHCP fails, and it is only for local subnet communication. Private IPs can access the internet via NAT; APIPA cannot.
Before assigning an APIPA address, the client sends ARP probes (ARP requests with sender IP 0.0.0.0 and target IP the tentative address). If no ARP reply is received after three probes (each 2 seconds apart), the address is considered free. If a conflict is detected, the client picks another random address.
Windows clients retry DHCP every 5 minutes by default. The client continues to attempt DHCP discovery in the background. Once a DHCP server responds, the client releases the APIPA address and obtains a proper lease.
Yes, Linux supports link-local addressing via the Avahi daemon or systemd-networkd. It uses the same 169.254.0.0/16 range. However, the exam focuses on Windows behavior. The mechanism is similar: random selection and ARP probing.
You've just covered RFC 1918 Private IP Ranges and APIPA — now see how well it sticks with free N10-009 practice questions. Full explanations included, no account needed.
Done with this chapter?