terbolee
Member
Posts:
191
Joined:
Sun Sep 23, 2007 7:43 am

Tutorial: Wild Card Masks On the Fly!

Wed Oct 03, 2007 10:16 am

It's not surprising to see even CCNP students struggle with wild card masks, so I thought this post might help. If you have other insights on wild card masks, share them here, okay? Hopefully, together, we can help our readers understand wild card masks for good!

Why students tend to get confused with wild card masks:
1. Wild card masks are usually taught within the context of Access Control Lists (ACLs) where two other "distracting" elements are included, permit & deny.
2. Students need a strong understanding of subnetting to tackle wild card masks.

So let's start by understanding a few conditions:
1. Wild card masks are used JUST to target an IP address or a group of IP addresses.
2. Wild card masks have NOTHING to do with permit or deny, so don't be confused by what ACLs use.
3. So, remember that wild card masks simply target an IP address or a group of IP addresses.

Two rules of wild card masks are:
1. 0-bit means MATCH
2. 1-bit means IGNORE

So what do wild card masks target?
1. A single host, that is, a single IP address
2. A whole network, either Class A, B, or C
3. A whole subnet
4. A consecutive range of IP addresses

If you can understand this far, you're doing just fine! Read on.

1. You want to target a single host
This means that EVERY bit in the host's IP address must MATCH. So the wild card mask is 0.0.0.0

2. You want to target a whole network
This means that EVERY bit in the network portion of the IP address must MATCH. So for Class-A, the wild card mask is 0.255.255.255. For Class-B, the wild card mask is 0.0.255.255. For Class-C, the wild card mask is 0.0.0.255.

3. You want to target a whole subnet
This means that EVERY bit in the network & the subnet portion of the IP address must MATCH. The easiest way to get your wild card mask is to subtract the subnet's subnet mask from 255.255.255.255. Here's an example: 192.168.16.16/28 has a subnet mask that looks like this, 255.255.255.240. Your wild card mask is simply 255.255.255.255 minus 255.255.255.240 which will get you 0.0.0.15. Here's another example: 172.16.4.0/24 has a subnet mask that looks like this, 255.255.255.0. Your wild card mask is simply 255.255.255.255 minus 255.255.255.0 which will get you 0.0.0.255.

4. You want to target a consecutive range of IP addresses
In this case, split the IP addresses into their networks or subnets first. Then, get your wild card mask for each network or subnet. Here's an example: For un-subnetted networks, your range is 10.1.2.3/8 to 11.3.4.5/8. Two un-subnetted Class-A networks are involved. So split into two wild card masks, one for each network. You now have 0.255.255.255, one for Class-A and another for the Class-B network.

Well, there's yet other IP address ranges which fall WITHIN a network or a subnet. In this case, simply subtract the lower IP address from the higher IP address. To make this work, all the numbers of your resulting wild card mask must be 1 less than a multiple of two. This is beyond the scope of my post here...perhaps on another post.

Okay, I've posted this...now help me improve this content so our readers can benefit, alright? Many thanks.
Last edited by terbolee on Wed Oct 03, 2007 10:50 am, edited 1 time in total.
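The four cases listed in the post above, worked in Python as an added example (this is not code from any poster; it assumes only Python's standard ipaddress module for the address arithmetic). wildcard_from_mask and wildcard_from_prefix apply the "255.255.255.255 minus the subnet mask" rule, and matches applies the two bit rules (0 = must match, 1 = ignored) so that a base/wildcard pair can be checked against real addresses before it goes into an ACL.

```python
import ipaddress

FULL = 0xFFFFFFFF  # 255.255.255.255 as an integer


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, the rule from the post above."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(FULL - mask))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard for a /prefix_len network; /32 is a single host (0.0.0.0)."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}")
    return wildcard_from_mask(str(net.netmask))


def matches(address: str, base: str, wildcard: str) -> bool:
    """True if 'address' is caught by the ACL entry 'base wildcard'.
    Wildcard bits set to 0 must equal the base; bits set to 1 are ignored."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ FULL  # 1 where the bit must match
    return (a & care) == (b & care)


def matched_addresses(candidates, base: str, wildcard: str):
    """Audit helper: which of the candidate addresses does the entry catch?"""
    return [c for c in candidates if matches(c, base, wildcard)]


if __name__ == "__main__":
    # The post's own examples.
    print(wildcard_from_prefix(32))              # 0.0.0.0, a single host
    print(wildcard_from_mask("255.0.0.0"))       # 0.255.255.255, a Class-A network
    print(wildcard_from_prefix(28))              # 0.0.0.15 for 192.168.16.16/28
    print(wildcard_from_mask("255.255.255.0"))   # 0.0.0.255 for 172.16.4.0/24
    # Constructed sample addresses: only the three inside 192.168.16.16/28 match.
    sample = ["192.168.16.15", "192.168.16.16", "192.168.16.20",
              "192.168.16.31", "192.168.16.32"]
    print(matched_addresses(sample, "192.168.16.16", "0.0.0.15"))
```

The audit step is the part worth keeping: a wildcard that is off by one bit (0.0.0.31 instead of 0.0.0.15, say) silently doubles what the entry matches, and listing the matched addresses is the quickest way to see it.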

Steve
Site Admin
Posts:
10617
Joined:
Mon Dec 06, 2004 6:46 pm
Certs:
CCNA

Wed Oct 03, 2007 10:20 am

Another great post!

Steve
Site Admin
Posts:
10617
Joined:
Mon Dec 06, 2004 6:46 pm
Certs:
CCNA

Wed Oct 03, 2007 10:21 am

Stickied.

dpocoroba
CCIE #18559
Posts:
826
Joined:
Thu Dec 09, 2004 6:38 pm
Certs:
CCIE R&S

Wed Oct 03, 2007 11:44 am

Wildcard masks are also useful for matching things like, say, all odd or even routes. They can also be used to match some non-contiguous networks.


Odd and/or Even routes:
The key behind this is to look at this from a binary perspective. Say for example you have 6x networks.

1.0.0.0/8
2.0.0.0/8
3.0.0.0/8
4.0.0.0/8
5.0.0.0/8
6.0.0.0/8

writing them out in binary you will get the following

00000001 = 1
00000010 = 2
00000011 = 3
00000100 = 4
00000101 = 5
00000110 = 6

Knowing that, if you take all the bits and add them up you get a total of 255. When you look at the odd numbered prefixes you will see they all end with the last bit turned on. Taking the inverse of 1 you will get 254 (255-1). In this case the inverse mask would be

254.0.0.0

The full ACL to match all first octet odd routes is:
access-list 1 per 1.0.0.0 254.0.0.0

To match all first octet even routes, a 0 (lowest even number) will be used as the matching bit in the ACL:
access-list 1 per 0.0.0.0 254.0.0.0

R1(config)#do show ip route rip
R    1.0.0.0/8 [120/1] via 10.10.100.2, 00:00:00, Ethernet0/0
R    2.0.0.0/8 [120/1] via 10.10.100.2, 00:00:00, Ethernet0/0
R    3.0.0.0/8 [120/1] via 10.10.100.2, 00:00:00, Ethernet0/0
R    4.0.0.0/8 [120/1] via 10.10.100.2, 00:00:00, Ethernet0/0
R    5.0.0.0/8 [120/1] via 10.10.100.2, 00:00:00, Ethernet0/0
R    6.0.0.0/8 [120/1] via 10.10.100.2, 00:00:00, Ethernet0/0
R1(config)#access-list 1 per 0.0.0.0 254.0.0.0
R1(config)#do clear ip route *
R1(config)#do show ip route rip
R    2.0.0.0/8 [120/1] via 10.10.100.2, 00:00:02, Ethernet0/0
R    4.0.0.0/8 [120/1] via 10.10.100.2, 00:00:02, Ethernet0/0
R    6.0.0.0/8 [120/1] via 10.10.100.2, 00:00:02, Ethernet0/0
R1(config)#no access-list 1 per 0.0.0.0 254.0.0.0
R1(config)# access-list 1 per 1.0.0.0 254.0.0.0
R1(config)#do clear ip route *
R1(config)#do show ip route rip
R    1.0.0.0/8 [120/1] via 10.10.100.2, 00:00:02, Ethernet0/0
R    3.0.0.0/8 [120/1] via 10.10.100.2, 00:00:02, Ethernet0/0
R    5.0.0.0/8 [120/1] via 10.10.100.2, 00:00:02, Ethernet0/0
R1(config)#




Non contiguous networks:


Wildcard ACLs can also be used to match things that at first glance appear to have nothing in common.

Given the following subnets

192.168.5.0/24
192.168.7.0/24

When you write them out in binary you will really see they have all but 1 bit in common

00000101
00000111

From here you can see all the bits are in common except the second least significant bit. Following the same steps you can build a wildcard ACL to match these as well.

access-list 1 permit 192.168.5.0 0.0.2.255

R1(config)#access-l 1 per 192.168.5.0 0.0.2.255
R1(config)#do clear ip route *
R1(config)#do show ip route rip
R    192.168.5.0/24 [120/1] via 10.10.100.2, 00:00:02, Ethernet0/0
R    192.168.7.0/24 [120/1] via 10.10.100.2, 00:00:02, Ethernet0/0
R1(config)#


HTH
-Derek
"Knowledge is contagious, infect"

wraith
Ultimate Member
Posts:
887
Joined:
Thu Aug 30, 2007 9:48 am

Wed Oct 03, 2007 6:59 pm

I always get hung up on discontiguous networks.
Here's how I figured it to be: (the | character to separate the bits)

000001|01
000001|11

The two least significant bits are the "I don't care" bits so the sum of the first 6 bits is 252. 255-252 = 3...
So shouldn't the wildcard mask be 0.0.3.255??
What would the expected answer be on the CCNA exam?

dpocoroba
CCIE #18559
Posts:
826
Joined:
Thu Dec 09, 2004 6:38 pm
Certs:
CCIE R&S

Wed Oct 03, 2007 10:41 pm

wraith wrote:I always get hung up on discontiguous networks.
Here's how I figured it to be: (the | character to separate the bits)

000001|01
000001|11

The two least significant bits are the "I don't care" bits so the sum of the first 6 bits is 252. 255-252 = 3...
So shouldn't the wildcard mask be 0.0.3.255??
What would the expected answer be on the CCNA exam?



Not quite.. See the differences below

R1(config)#do show ip route rip
R    192.168.8.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R    192.168.9.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R    192.168.10.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R    200.1.2.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R    192.168.4.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R    192.168.5.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R    192.168.6.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R    192.168.7.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R    192.168.1.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R    192.168.2.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R    192.168.3.0/24 [120/1] via 10.10.100.2, 00:00:01, Ethernet0/0
R1(config)# access-l 1 per 192.168.5.0 0.0.3.255
R1(config)#do clear ip route *
R1(config)#do show ip route rip
R    192.168.4.0/24 [120/1] via 10.10.100.2, 00:00:03, Ethernet0/0
R    192.168.5.0/24 [120/1] via 10.10.100.2, 00:00:03, Ethernet0/0
R    192.168.6.0/24 [120/1] via 10.10.100.2, 00:00:03, Ethernet0/0
R    192.168.7.0/24 [120/1] via 10.10.100.2, 00:00:03, Ethernet0/0
R1(config)#no access-l 1 per 192.168.5.0 0.0.3.255
R1(config)#do clear ip route *
R1(config)# access-l 1 per 192.168.5.0 0.0.2.255
R1(config)#do clear ip route *
R1(config)#do show ip route rip
R    192.168.5.0/24 [120/1] via 10.10.100.2, 00:00:02, Ethernet0/0
R    192.168.7.0/24 [120/1] via 10.10.100.2, 00:00:02, Ethernet0/0
R1(config)#


This is a type of case where you are saying "I don't care if the second least significant bit is a 1 or 0"

For this example, if it's a 0 the subnet is 192.168.5.0; if it was a 1 it would end up being 192.168.7.0. Remember that bit has a value of 2.

Another example:
192.168.207.0/24
192.168.223.0/24

11001111 = 207
11011111 = 223

The bit we don't care about in this case is the 5th least significant. That has a value of 16.

In this case the inverse mask to match just these two subnets would be:
access-list 1 permit 192.168.207.0 0.0.16.255

HTH
-Derek Pocoroba
"Knowledge is contagious, infect"

wraith
Ultimate Member
Posts:
887
Joined:
Thu Aug 30, 2007 9:48 am

Thu Oct 04, 2007 7:59 am

Derek,
I understand how you got to your answer. What about this example:

192.168.12.0/24
192.168.17.0/24

Third octets are:
00001100
00001001


Your method doesn't seem to work here as there are many 'mismatched' bits. The mask I'm calculating for this one would be 0.0.7.255. Is there a rule of thumb to determine when to use the method in your examples???

terbolee
Member
Posts:
191
Joined:
Sun Sep 23, 2007 7:43 am

Thu Oct 04, 2007 9:26 am

wraith wrote:Derek,
I understand how you got to your answer. What about this example:

192.168.12.0/24
192.168.17.0/24

Third octets are:
00001100
00001001


Your method doesn't seem to work here as there are many 'mismatched' bits. The mask I'm calculating for this one would be 0.0.7.255. Is there a rule of thumb to determine when to use the method in your examples???


If you re-read my initial post, you'd see that your wildcard mask MUST target "whole" networks. 192.168.12.0/24 and 192.168.17.0/24 are two separate WHOLE Class-C networks. As such, you cannot try to create a wildcard mask for both, alright? Keep them separate and use the wildcard mask 0.0.0.255.

And yes, I admire your understanding of Route Summarization but do not let it confuse you with wildcard masks, okay?

dpocoroba
CCIE #18559
Posts:
826
Joined:
Thu Dec 09, 2004 6:38 pm
Certs:
CCIE R&S

Thu Oct 04, 2007 10:48 am

wraith wrote:Derek,
I understand how you got to your answer. What about this example:

192.168.12.0/24
192.168.17.0/24

Third octets are:
00001100
00001001


Your method doesn't seem to work here as there are many 'mismatched' bits. The mask I'm calculating for this one would be 0.0.7.255. Is there a rule of thumb to determine when to use the method in your examples???


For the examples I used, I should have been more clear and stated that only 1 of the bits could be different. If more than one are different then you will not be able to do it using this method. Sorry for the confusion on that.

HTH
-Derek
"Knowledge is contagious, infect"

ladyrain
New Member
Posts:
18
Joined:
Tue Oct 02, 2007 5:47 pm

Re: Tutorial: Wild Card Masks On the Fly!

Fri Dec 14, 2007 8:20 am

thanks a lot guys,

terbolee, i'm grateful if you can continue :)
i'm trying to understand this, but sorry still cannot figure this out. example pls?

terbolee wrote:
Well, there's yet other IP address ranges which fall WITHIN a network or a subnet. In this case, simply subtract the lower IP address from the higher IP address. To make this work, all the numbers of your resulting wild card mask must be 1 less than a multiple of two. This is beyond the scope of my post here...perhaps on another post.

terbolee
Member
Posts:
191
Joined:
Sun Sep 23, 2007 7:43 am

Re: Tutorial: Wild Card Masks On the Fly!

Fri Dec 14, 2007 10:53 am

ladyrain wrote:thanks a lot guys,

terbolee, i'm grateful if you can continue :)
i'm trying to understand this, but sorry still cannot figure this out. example pls?

terbolee wrote:
Well, there's yet other IP address ranges which fall WITHIN a network or a subnet. In this case, simply subtract the lower IP address from the higher IP address. To make this work, all the numbers of your resulting wild card mask must be 1 less than a multiple of two. This is beyond the scope of my post here...perhaps on another post.


Hi ladyrain

By all means, post your questions here, alright? Let me know what you understood from this post and which areas you might need help with. Using wildcard masks to target IP address ranges can be tricky.

ladyrain
New Member
Posts:
18
Joined:
Tue Oct 02, 2007 5:47 pm

Sat Dec 15, 2007 9:02 am

hi,

I understand points 1-3 from your first post.
But I don't get it when you write: "there's yet other IP address ranges which fall WITHIN a network or a subnet. In this case, simply subtract the lower IP address from the higher IP address. To make this work, all the numbers of your resulting wild card mask must be 1 less than a multiple of two."
Maybe if you can give example like the other points, i can understand :oops:
sorry ;)

terbolee
Member
Posts:
191
Joined:
Sun Sep 23, 2007 7:43 am

Sat Dec 15, 2007 9:10 am

ladyrain wrote:hi,

I understand points 1-3 from your first post.
But I don't get it when you write: "there's yet other IP address ranges which fall WITHIN a network or a subnet. In this case, simply subtract the lower IP address from the higher IP address. To make this work, all the numbers of your resulting wild card mask must be 1 less than a multiple of two."
Maybe if you can give example like the other points, i can understand :oops:
sorry ;)


Hi ladyrain. Sounds like you've understood most of it...great! As I posted, an IP range within a network or a subnet can be quite tricky to set up a wildcard mask for. Actually, I'd not be concerned with it...since they are not used much anyway.

If the post helped you...great!
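The in-subnet range case that terbolee leaves open (subtract the lower address from the higher; the result must be one less than a power of two), as an added Python example that is not from any poster. It assumes only the standard ipaddress module, whose summarize_address_range splits an arbitrary range into aligned blocks, each of which maps to one base/wildcard pair. single_wildcard_possible applies the difference test from the first post and adds one check that post does not state: the lower address must also sit on a block boundary, otherwise a range of the right size still needs several entries.

```python
import ipaddress


def single_wildcard_possible(first: str, last: str) -> bool:
    """Can the inclusive range first..last be targeted with ONE base/wildcard pair?
    Condition 1 (from the first post): last - first is 2**n - 1.
    Condition 2 (added here): first is aligned to that block size, i.e. its
    low n bits are all zero."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    diff = hi - lo
    if diff < 0:
        raise ValueError("first must not be above last")
    size_ok = (diff & (diff + 1)) == 0  # 2**n - 1 looks like 0...01...1 in binary
    aligned = (lo & diff) == 0          # no block bits set in the lower address
    return size_ok and aligned


def wildcard_entries(first: str, last: str):
    """Split the range into aligned blocks and return one (base, wildcard) pair
    per block. When single_wildcard_possible is True this is a single pair;
    otherwise several entries are needed to cover exactly that range."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [(str(net.network_address), str(net.hostmask))
            for net in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    # Constructed ranges inside 192.168.16.0/24.
    print(single_wildcard_possible("192.168.16.16", "192.168.16.31"))  # True
    print(wildcard_entries("192.168.16.16", "192.168.16.31"))  # one entry, 0.0.0.15
    # Same size (16 addresses) but not aligned: the difference test alone passes,
    # yet three entries are needed.
    print(single_wildcard_possible("192.168.16.20", "192.168.16.35"))  # False
    print(wildcard_entries("192.168.16.20", "192.168.16.35"))
    # Difference 10 is not 2**n - 1, so the first post's test already fails.
    print(single_wildcard_possible("192.168.16.100", "192.168.16.110"))  # False
    print(wildcard_entries("192.168.16.100", "192.168.16.110"))
```

The practical consequence is the one a reviewer of an ACL should keep in mind: rounding an awkward range "up" to a single wildcard permits addresses outside the range, while the split above permits exactly what was asked for at the cost of a few more lines.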

ladyrain
New Member
Posts:
18
Joined:
Tue Oct 02, 2007 5:47 pm

Sat Dec 15, 2007 9:42 am

oh ok then :D
yeah maybe for now those 3 points are enough for me. If later I bump into those problems I would ask again here :D Yeah your post is great. thanks! ;)
