diff --git a/deployed-server/deployed-neutron-port.yaml b/deployed-server/deployed-neutron-port.yaml
index c983d39c05..f490985e34 100644
--- a/deployed-server/deployed-neutron-port.yaml
+++ b/deployed-server/deployed-neutron-port.yaml
@@ -12,7 +12,10 @@ description: "
           fixed_ips:
             - ip_address: 127.0.0.1
           subnets:
-            - cidr: 127.0.0.0/24"
+            - cidr: 127.0.0.0/24
+          network:
+            tags:
+              - 127.0.0.0/24"
 
 parameters:
   name:
@@ -39,6 +42,9 @@ outputs:
   subnets:
     value:
       {get_param: [DeployedServerPortMap, {get_param: name}, subnets]}
+  network:
+    value:
+      {get_param: [DeployedServerPortMap, {get_param: name}, network]}
   name:
     value: {get_param: name}
   status:
diff --git a/deployment/memcached/memcached-container-puppet.yaml b/deployment/memcached/memcached-container-puppet.yaml
index b8c60e1aa9..ee6578d0ae 100644
--- a/deployment/memcached/memcached-container-puppet.yaml
+++ b/deployment/memcached/memcached-container-puppet.yaml
@@ -83,6 +83,7 @@ outputs:
       monitoring_subscription: {get_param: MonitoringSubscriptionMemcached}
       config_settings:
         memcached_network:
+          # TODO(hjensas): Replace with get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, MemcachedNetwork]}
           str_replace:
             template:
               "%{hiera('$NETWORK_subnet')}"
diff --git a/deployment/snmp/snmp-baremetal-puppet.yaml b/deployment/snmp/snmp-baremetal-puppet.yaml
index 369ea5c362..2869f07feb 100644
--- a/deployment/snmp/snmp-baremetal-puppet.yaml
+++ b/deployment/snmp/snmp-baremetal-puppet.yaml
@@ -67,6 +67,7 @@ outputs:
         snmp::agentaddress: {get_param: SnmpdBindHost}
         snmp::snmpd_options: {get_param: SnmpdOptions}
         snmpd_network:
+          # TODO(hjensas): Replace with get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, SnmpdNetwork]}
           str_replace:
             template: "%{hiera('$NETWORK_subnet')}"
             params:
diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml
index 394fcef9b9..625c1348ef 100644
--- a/docker/services/ceph-ansible/ceph-base.yaml
+++ b/docker/services/ceph-ansible/ceph-base.yaml
@@ -231,9 +231,18 @@ resources:
           ceph_docker_image: {get_attr: [DockerImageUrlParts, value, image]}
           ceph_docker_image_tag: {get_attr: [DockerImageUrlParts, value, image_tag]}
           containerized_deployment: true
-          public_network: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephMonNetwork]}]}
-          monitor_address_block: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephMonNetwork]}]}
-          cluster_network: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephClusterNetwork]}]}
+          public_network:
+            list_join:
+              - ','
+              - get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephMonNetwork]}]
+          monitor_address_block:
+            list_join:
+              - ','
+              - get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephMonNetwork]}]
+          cluster_network:
+            list_join:
+              - ','
+              - get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephClusterNetwork]}]
           user_config: true
           ceph_stable: true
           ceph_origin: distro
diff --git a/docker/services/ceph-ansible/ceph-rgw.yaml b/docker/services/ceph-ansible/ceph-rgw.yaml
index 4645050a5c..5fbdba5ff1 100644
--- a/docker/services/ceph-ansible/ceph-rgw.yaml
+++ b/docker/services/ceph-ansible/ceph-rgw.yaml
@@ -58,7 +58,10 @@ resources:
         vars:
           radosgw_keystone: true
           radosgw_keystone_ssl: false
-          radosgw_address_block: {get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephRgwNetwork]}]}
+          radosgw_address_block:
+            list_join:
+              - ','
+              - get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephRgwNetwork]}]
           radosgw_civetweb_port: {get_param: [EndpointMap, CephRgwInternal, port]}
 
 outputs:
diff --git a/network/network.j2 b/network/network.j2
index b318cdfb70..92c303105f 100644
--- a/network/network.j2
+++ b/network/network.j2
@@ -195,10 +195,7 @@ outputs:
   OS::stack_id:
     description: {{network.name_lower}} network
     value: {get_resource: {{network.name}}Network}
-  subnet_cidr:
-    description: The {{network.name}} networks base subnet in CIDR notation.
-    value: {get_attr: [{{network.name}}Subnet, cidr]}
-  subnet_cidrs:
+  network_cidrs:
     description: List of {{network.name}} network's subnets in CIDR notation.
     value:
       list_concat:
diff --git a/network/networks.j2.yaml b/network/networks.j2.yaml
index 615f93baaf..e398238cac 100644
--- a/network/networks.j2.yaml
+++ b/network/networks.j2.yaml
@@ -2,6 +2,11 @@ heat_template_version: rocky
 
 description: Create networks to split out Overcloud traffic
 
+parameters:
+  CtlplaneNetworkCidrs:
+    type: json
+    description: Cidrs for the ctlplane network.
+
 resources:
   {%- for network in networks %}
   {%- set network_name = network.compat_name|default(network.name) %}
@@ -16,12 +21,14 @@ resources:
 outputs:
   net_cidr_map:
     value:
-      # NOTE(gfidente): we need to replace the null value with a
-      # string to work around https://bugs.launchpad.net/heat/+bug/1700025
+      # NOTE(hjensas): If a network does not have any network_cidrs, fall back
+      # to the ctlplane (provisioning) network.
       {%- for network in networks %}
       {%- set network_name = network.compat_name|default(network.name) %}
       {{network.name_lower}}:
         yaql:
-          data: {get_attr: [{{network_name}}Network, subnet_cidr]}
-          expression: str($.data).replace('null', 'disabled')
+          data:
+            network_cidrs: {get_attr: [{{network_name}}Network, network_cidrs]}
+            ctlplane_cidrs: {get_param: CtlplaneNetworkCidrs}
+          expression: switch(not isList($.data.network_cidrs) => $.data.ctlplane_cidrs, $.data.network_cidrs => $.data.network_cidrs)
       {%- endfor %}
diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index da18dfee42..3d422ed967 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -350,11 +350,11 @@ resources:
         map_replace:
         - map_merge:
           - {get_attr: [Networks, net_cidr_map]}
-          - ctlplane: {get_attr: [ControlVirtualIP, subnets, 0, cidr]}
+          # NOTE(hjensas): When ctlplane network and subnets are created by the
+          # undercloud installer, the subnet cidrs are added as tags.
+          - ctlplane: {get_attr: [ControlVirtualIP, network, tags]}
         - keys:
             ctlplane: {get_param: NeutronControlPlaneID}
-          values:
-            disabled: {get_attr: [ControlVirtualIP, subnets, 0, cidr]}
 
   ServiceNetMap:
     type: OS::TripleO::ServiceNetMap
@@ -811,9 +811,11 @@ resources:
   # creates the network architecture
   Networks:
     type: OS::TripleO::Network
+    properties:
+      CtlplaneNetworkCidrs: {get_attr: [ControlVirtualIP, network, tags]}
 
   ControlVirtualIP:
-    depends_on: [Networks, ServiceNetMap]
+    depends_on: ServiceNetMap
     type: OS::TripleO::Network::Ports::ControlPlaneVipPort
     properties:
       name: control_virtual_ip
diff --git a/puppet/services/apache.j2.yaml b/puppet/services/apache.j2.yaml
index cec5790b53..fbdf3d3fcf 100644
--- a/puppet/services/apache.j2.yaml
+++ b/puppet/services/apache.j2.yaml
@@ -91,6 +91,7 @@ outputs:
             apache::server_signature: 'Off'
             apache::server_tokens: 'Prod'
             apache_remote_proxy_ips_network:
+              # TODO(hjensas): Replace with get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, ApacheNetwork]}
               str_replace:
                 template:
                   "%{hiera('$NETWORK_subnet')}"
diff --git a/puppet/services/designate-worker.yaml b/puppet/services/designate-worker.yaml
index 446882d851..786936bdf0 100644
--- a/puppet/services/designate-worker.yaml
+++ b/puppet/services/designate-worker.yaml
@@ -94,6 +94,7 @@ outputs:
               params:
                 $NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
           tripleo::profile::base::designate::rndc_allowed_addresses:
+            # TODO(hjensas): Replace with get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, DesignateApiNetwork]}
             - str_replace:
                 template:
                   "%{hiera('$NETWORK_subnet')}"
diff --git a/releasenotes/notes/make-NetCidrMapValue-contain-lists-of-cidrs-19bc98dc9bc6b819.yaml b/releasenotes/notes/make-NetCidrMapValue-contain-lists-of-cidrs-19bc98dc9bc6b819.yaml
new file mode 100644
index 0000000000..b98b389690
--- /dev/null
+++ b/releasenotes/notes/make-NetCidrMapValue-contain-lists-of-cidrs-19bc98dc9bc6b819.yaml
@@ -0,0 +1,29 @@
+---
+upgrade:
+  - |
+    Tags are now used on the ``ctlplane`` network to store the list of cidrs
+    associated with the subnets on the ``ctlplane`` network. Users of
+    Deployed Server (pre-provisioned servers) need to update the port map
+    (``DeployedServerPortMap``) to include the required data. For example::
+
+      parameter_defaults:
+        DeployedServerPortMap:
+          controller0-ctlplane:
+            fixed_ips:
+              - ip_address: 192.168.24.9
+            subnets:
+              - cidr: 192.168.24.0/24
+            network:
+              tags:
+                - 192.168.24.0/24
+                - 192.168.25.0/24
+          compute0-ctlplane:
+            fixed_ips:
+              - ip_address: 192.168.25.8
+            subnets:
+              - cidr: 192.168.25.0/24
+            network:
+              tags:
+                - 192.168.24.0/24
+                - 192.168.25.0/24
+