Wildcard mask ranges
Stotic
I understand how to get the wildcard mask when asked to find it for a particular address. Subtract it from 255.255.255.255. What confuses me is when they give a list of addresses and say to provide the wildcard mask for these addresses. Can anyone give me the simple explanation that I don't see in books?
Comments
NeonNoodle
Sorry for the long lists, but hopefully this will help you. (As you are following along, think about why we can't use the subnet mask 0.0.0.15.)
Here's a group of addresses:
192.168.1.4
192.168.1.5
192.168.1.6
192.168.1.7
192.168.1.8
192.168.1.9
192.168.1.10
192.168.1.11
192.168.1.12
192.168.1.13
192.168.1.14
192.168.1.15
192.168.1.16
192.168.1.17
192.168.1.18
192.168.1.19
Convert the group of addresses to binary.
192.168.1.4 = 11000000.10101000.00000001.00000100
192.168.1.5 = 11000000.10101000.00000001.00000101
192.168.1.6 = 11000000.10101000.00000001.00000110
192.168.1.7 = 11000000.10101000.00000001.00000111
192.168.1.8 = 11000000.10101000.00000001.00001000
192.168.1.9 = 11000000.10101000.00000001.00001001
192.168.1.10 = 11000000.10101000.00000001.00001010
192.168.1.11 = 11000000.10101000.00000001.00001011
192.168.1.12 = 11000000.10101000.00000001.00001100
192.168.1.13 = 11000000.10101000.00000001.00001101
192.168.1.14 = 11000000.10101000.00000001.00001110
192.168.1.15 = 11000000.10101000.00000001.00001111
192.168.1.16 = 11000000.10101000.00000001.00010000
192.168.1.17 = 11000000.10101000.00000001.00010001
192.168.1.18 = 11000000.10101000.00000001.00010010
192.168.1.19 = 11000000.10101000.00000001.00010011
Where a bit varies in the addresses, the corresponding bit in the wildcard mask is assigned a 1. Where the bit doesn't vary in the addresses, the corresponding bit in the wildcard mask is assigned a 0.
We'll have to break up the above group into smaller groups because the number of bits that vary varies (if you want to make sure your wildcard mask only includes addresses in the original group, that is)!
Find the number of bits in the group that vary. Here there are two:
192.168.1.4 = 11000000.10101000.00000001.00000100
192.168.1.5 = 11000000.10101000.00000001.00000101
192.168.1.6 = 11000000.10101000.00000001.00000110
192.168.1.7 = 11000000.10101000.00000001.00000111
Therefore, the wildcard mask is
0.0.0.3 = 00000000.00000000.00000000.00000011
For this group three bits vary:
192.168.1.8 = 11000000.10101000.00000001.00001000
192.168.1.9 = 11000000.10101000.00000001.00001001
192.168.1.10 = 11000000.10101000.00000001.00001010
192.168.1.11 = 11000000.10101000.00000001.00001011
192.168.1.12 = 11000000.10101000.00000001.00001100
192.168.1.13 = 11000000.10101000.00000001.00001101
192.168.1.14 = 11000000.10101000.00000001.00001110
192.168.1.15 = 11000000.10101000.00000001.00001111
Therefore the wildcard mask is
0.0.0.7 = 00000000.00000000.00000000.00000111
For this group two bits vary:
192.168.1.16 = 11000000.10101000.00000001.00010000
192.168.1.17 = 11000000.10101000.00000001.00010001
192.168.1.18 = 11000000.10101000.00000001.00010010
192.168.1.19 = 11000000.10101000.00000001.00010011
Therefore, the wildcard mask is
0.0.0.3 = 00000000.00000000.00000000.00000011
That's the gist of it. Of course for the group above, we could've just used a wildcard mask of 0.0.0.31, but that's sloppy especially when working with access lists where you really need to be specific. So, try to group the addresses into the largest groups you can that only includes addresses in the list.
Another thing you need to think about when assigning IP addresses is minimizing the amount of groups you have. Had the above group been from 192.168.1.0 to 192.168.1.15, we would have had the same number of addresses, but we would have only needed one wildcard address, 0.0.0.15.
Once you understand how to group them in binary, you can do the computation in dotted decimal by using powers of two. It's a bit.
dtlokee
That's a lot of binary.
Remember your subnet ranges and you should be OK. Try to take the block of addresses and see if you can arrange them into a single subnet (or block of networks or whatever).
192.168.4.0/24
192.168.5.0/24
192.168.6.0/24
192.168.7.0/24
That will all fit neatly into a 192.168.4.0/22 so the wildcard mask (using the method of subtracting from 255.255.255.255) would be 0.0.3.255
Usually any examples will fit into a single subnet range, but you may need to make multiple entries in the access list to meet the goals.
Say we want to deny the following subnets
192.168.100.16/28
192.168.100.32/28
192.168.100.48/28
192.168.100.64/28
192.168.100.80/28
They don't fit into a single range so we need to make 3 entries in the ACL
192.168.100.16/28
192.168.100.32/27
192.168.100.64/27
Then convert them into wildcard masks
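The grouping described in the two replies above, as an added Python example that is not part of either post: it collapses a list of hosts or subnets into the fewest aligned blocks, derives one wildcard mask per ACL entry, and lists the addresses an over-broad mask such as 0.0.0.31 would match beyond the intended list. The function names are hypothetical, the sample lists are the ones from the thread, and only contiguous masks are generated.

```python
import ipaddress

def wildcard_entries(items):
    """Collapse hosts/CIDR blocks into the fewest aligned blocks and return
    one (base address, wildcard mask) pair per resulting ACL entry."""
    nets = [ipaddress.ip_network(i) for i in items]
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.collapse_addresses(nets)]

def matched_addresses(base, wildcard):
    """Every address an ACL entry 'base wildcard' matches: bits set in the
    wildcard may take any value, all other bits must equal the base.
    Enumerates 2**n addresses for n wildcard bits, so keep masks small."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    b &= ~w & 0xFFFFFFFF              # clear the "don't care" bits in the base
    found, sub = [], w
    while True:                       # walk every subset of the wildcard bits
        found.append(b | sub)
        if sub == 0:
            break
        sub = (sub - 1) & w
    return [str(ipaddress.IPv4Address(x)) for x in sorted(found)]

def over_match(base, wildcard, wanted):
    """Addresses the entry matches that are not in the intended list."""
    wanted = set(wanted)
    return [a for a in matched_addresses(base, wildcard) if a not in wanted]

# Sample data taken from the thread: hosts .4 to .19 and the five /28 subnets.
HOSTS = [f"192.168.1.{i}" for i in range(4, 20)]
SUBNETS = ["192.168.100.16/28", "192.168.100.32/28", "192.168.100.48/28",
           "192.168.100.64/28", "192.168.100.80/28"]

if __name__ == "__main__":
    for base, mask in wildcard_entries(HOSTS) + wildcard_entries(SUBNETS):
        print(base, mask)
    extra = over_match("192.168.1.0", "0.0.0.31", HOSTS)
    print(len(extra), "unintended addresses matched by 0.0.0.31:", extra)
```
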
Stotic
Wow thanks a lot! I'm very thankful.