Wildcard masking question

Gauge Member Posts: 8 ■□□□□□□□□□
I'm studying for the CCNA, and I seem to be seeing conflicting information regarding wildcard masking. My understanding of wildcard masks is that they are the exact opposite of subnet masks. The 1's are not indicating the network bits, but instead are indicating the bits that are "wildcards" to indicate a range of IPs.

However, some of the examples I'm seeing are showing wildcard masks that don't follow the description that I understand to be correct. They're showing masks in which the last bit is set to 0. Here's an example:

They're trying to set up NAT where the internal IPs are 192.168.6.65 through 192.168.6.126. Clearly, this is the subnet 192.168.6.64/26 and 192.168.6.64 and 192.168.6.127 are omitted because they are the network and broadcast addresses respectively. My understanding is that the wildcard mask for this would be 0.0.0.63, or 00000000.00000000.00000000.00111111.

The answer given for the problem shows the following access-list command:
access-list 1 permit 192.168.6.65 0.0.0.62

Now, is that correct? I realize that the network and broadcast addresses need to be omitted, but you can't have a 1 followed by a 0 in a wildcard mask, can you? The mask they're giving would be 00000000.00000000.00000000.00111110. IF that is valid, wouldn't it omit all of the even-numbered addresses anyway?

Am I right in waving the BS flag in this practice question's general direction? Also, I'm assuming that the router (or multilayer switch) would be smart enough to ignore the network and broadcast addresses when you specify a range like this?

Comments

  • tech-airman Member Posts: 953
    Gauge,
    Gauge wrote:
    I'm studying for the CCNA, and I seem to be seeing conflicting information regarding wildcard masking. My understanding of wildcard masks is that they are the exact opposite of subnet masks. The 1's are not indicating the network bits, but instead are indicating the bits that are "wildcards" to indicate a range of IPs.

    Unfortunately, your understanding is incomplete. A wildcard mask may be used as an "inverse subnet mask" but you can do more with a wildcard mask.
    Gauge wrote:
    However, some of the examples I'm seeing are showing wildcard masks that don't follow the description that I understand to be correct. They're showing masks in which the last bit is set to 0. Here's an example:

    This is part of "...you can do more with a wildcard mask."
    Gauge wrote:
    They're trying to set up NAT where the internal IPs are 192.168.6.65 through 192.168.6.126. Clearly, this is the subnet 192.168.6.64/26 and 192.168.6.64 and 192.168.6.127 are omitted because they are the network and broadcast addresses respectively. My understanding is that the wildcard mask for this would be 0.0.0.63, or 00000000.00000000.00000000.00111111.

    What is the exact question?
    Gauge wrote:

    The answer given for the problem shows the following access-list command
    access-list 1 permit 192.168.6.65 0.0.0.62
    

    Now, is that correct? I realize that the network and broadcast addresses need to be omitted, but you can't have a 1 followed by a 0 in a wildcard mask, can you? The mask they're giving would be 00000000.00000000.00000000.00111110. IF that is valid, wouldn't it omit all of the even-numbered addresses anyway?

    It depends on the actual question and not a summary of the information that you interpreted from the actual question, which is the only information about the question you provided above.
    Gauge wrote:
    Am I right in waving the BS flag in this practice question's general direction? Also, I'm assuming that the router (or multilayer switch) would be smart enough to ignore the network and broadcast addresses when you specify a range like this?

    That your initial "understanding" was based on wildcard masks being nothing more than backwards subnet masks is a weakness in your understanding. I look forward to finding out the actual question instead of an interpretation of data from the question.
  • iworms Member Posts: 53 ■■□□□□□□□□
    I, too, always thought that wildcard masks were just inverse subnet masks. But tech-airman's post prompted me to google a bit, and I found out that complex wildcard masks can be more specific. Here is a good article: http://www.internetworkpro.org/wiki/Wildcard_masks
  • Gauge Member Posts: 8 ■□□□□□□□□□
    tech-airman, thanks for pointing out that my understanding was incomplete. Here is the question:
    You are required to perform configurations to enable internet access. The ISP has given you six public IP addresses in the 198.18.32.65 198.18.32.70/29 range. You have 62 clients that needs to have simultaneous internet access. These local hosts use private IP addresses in the 192.168.6.65 - 192.168.6.126/26 range. You have already made basic router configuration. You have also configured the appropriate NAT interfaces; NAT inside and NAT outside respectively. Now you are required to finish the configuration of the router.

    And, here is the answer they provide:
    Router1#Config t
    Router1(Config)#interface fa0/0
    Router1(Config-if)#ip nat inside
    Router1(Config)#interface S0/0
    Router1(Config-if)#ip nat outside
    Router1(Config-if)#exit
    Router1(Config)#access-list 1 permit 192.168.6.65 0.0.0.62
    Router1(Config)#access-list 1 deny any
    Router1(Config)#ip nat pool nat_test 198.18.32.65 198.18.32.70 prefix-length 29
    Router1(Config)#ip nat inside source list 1 pool nat_test overload
    


    I read the article that iworms linked, and it was very informative. I see now how my understanding was lacking. However, I still don't see how this answer is correct. If you were to give a wildcard mask of 0.0.0.62, then the binary representations would be:

    11000000.10101000.00000110.01000001 <--- 192.168.6.65
    11000000.10101000.00000110.01000010 <--- 192.168.6.66
    00000000.00000000.00000000.00111110 <--- 0.0.0.62

    The last bit does not match on the IPs with an even value in the last octet. Therefore, isn't the wildcard mask incorrect? Or, is even that article missing something about wildcard masks?

    Also, if this is wrong, if you were to use the 0.0.0.63 wildcard mask that I was suggesting, would it be smart enough to omit 192.168.6.64 and 192.168.6.127?
  • iworms Member Posts: 53 ■■□□□□□□□□
    The 62 is very likely a typo. Leaving the right-most bit 0 means you are blocking all odd-numbered or all even-numbered hosts, depending on what address you put in front of the mask.

    In this question, it should have been 63 because it's a nice block of 64 (from 64 to 127). And I don't think the router will "smartly" omit 64 and 127. But here these two addresses are OK -- one is the network address and the other is broadcast. The question says 65 - 126 because these are host addresses. Your network is 192.168.6.64/26.
  • dtlokee Member Posts: 2,378 ■■■■□□□□□□
    I would agree it should be 63. A wildcard mask of 0.0.0.62 with 192.168.6.65 would only allow the hosts with an odd 4th octet between 64 and 127. The router will not automatically drop a packet that was sourced from the subnet or broadcast address; routers will forward packets based on the destination address and typically don't care about the source address (PBR being an exception). You could mitigate this with an access list on the router that has the network directly connected to it.
    The only easy day was yesterday!
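
Added example (not part of any post in this thread): a short Python model of wildcard matching that enumerates what `192.168.6.65 0.0.0.62` and `192.168.6.64 0.0.0.63` each match, and which usable hosts of 192.168.6.64/26 an entry leaves out. The function names are made up for this illustration; the matching rule (a 0 bit in the wildcard must equal the entry's address, a 1 bit is ignored) is the one discussed above.

```python
import ipaddress


def acl_matches(source, base, wildcard):
    """True if `source` matches the ACL entry `base wildcard`.

    Wildcard bit 0 = this bit must equal the entry's address.
    Wildcard bit 1 = this bit is ignored.
    """
    s = int(ipaddress.IPv4Address(source))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that are actually compared
    return (s ^ b) & care == 0      # no compared bit may differ


def matched_in(network, base, wildcard):
    """Every address in `network` (network/broadcast included) the entry matches."""
    net = ipaddress.IPv4Network(network)
    return [str(a) for a in net if acl_matches(str(a), base, wildcard)]


def missed_hosts(network, base, wildcard):
    """Usable host addresses of `network` that the entry does NOT match."""
    net = ipaddress.IPv4Network(network)
    return [str(h) for h in net.hosts() if not acl_matches(str(h), base, wildcard)]


if __name__ == "__main__":
    # Scan the whole /24 so anything matched outside the /26 would show up too.
    for base, wc in (("192.168.6.65", "0.0.0.62"), ("192.168.6.64", "0.0.0.63")):
        hits = matched_in("192.168.6.0/24", base, wc)
        missed = missed_hosts("192.168.6.64/26", base, wc)
        print(f"{base} {wc}: matches {len(hits)} addresses "
              f"({hits[0]} .. {hits[-1]}), misses {len(missed)} of 62 hosts")
```

With 0.0.0.62 the last bit is compared, so only odd last octets match, and the broadcast address 192.168.6.127 is among them; with 0.0.0.63 the whole block from .64 to .127 matches, network and broadcast addresses included.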
  • Gauge Member Posts: 8 ■□□□□□□□□□
    Thanks for the replies, guys. I'm not sure it's a typo. I think that they're just straight up wrong. I've found the exact same question with the exact same wrong answer in other places. I've also seen another question on the same practice test in which they used 0.0.0.30 for a network of 32 IPs (30 hosts, obviously). That seems to be the same mistake. I didn't bother worrying about it until I saw this second example which is clearly suffering from the same incorrect logic.