
Point of Wildcard Mask

new2net Member Posts: 81
Hey guys... I can't understand the point of the wildcard mask...

I mean, I know how to configure it on an ACL or when using EIGRP etc., however I don't understand why a wildcard mask is used instead of a subnet mask...

The wildcard mask determines what parts (bits) of the IP will be matched...

For example:

172.16.8.0 255.255.252.0 implies 172.16.8.0 - 172.16.11.255

and

172.16.8.0 0.0.3.255 implies that 172 must match, 16 must match, and the third octet looks like this: 00000100, where the 1 is fixed, leaving the last 2 bits to be either on or off. This will allow the third octet to be 8, 9, 10 or 11.

So when examining 172.16.8.0, the wildcard mask and subnet mask both imply the same range of IP addresses.... So why do we use a wildcard mask in certain places (ACL configuration and EIGRP/OSPF etc.), and a subnet mask in others? Why doesn't IOS just allow the use of one, since both essentially accomplish the same thing...

Comments

    rogue2shadow Member Posts: 1,501
    The simple answer is honestly "it is what it is"; I used to get confused with this a lot as well. Cisco happened to implement it this way. Over time you'll just naturally know which goes with what and if you're ever unsure just hit the "?" after the ip address and it will tell you which to use.
    Heero Member Posts: 486
    Don't worry about why. There really is no difference between wildcards and subnet masks other than the way they are formatted. For all intents and purposes they are the same. Just know when to use what.
    Forsaken_GA Member Posts: 4,024
    Actually, that's not true. It may work out to being the same in your practice sessions, but in the real world, wildcard masks differ greatly from subnet masks. The wildcard mask gives you great flexibility.

    Let's say I have a /24, netmask is set to 255.255.255.0

    Now, let's say I want to apply an ACL that applies to only the hosts .4 through .7. I can either configure 4 lines, one for each host, or I can use the wildcard mask 0.0.0.3

    It's all just binary ANDing.

    If you compare the values in binary, 4 through 7 have the first six bits in common, 000001, so you need those bits to match exactly; the last 2 bits can vary.

    So instead of using 4 lines in the ACL to match hosts in a subnet, I've used one.

    You could also do stuff like make ACLs apply to only odd hosts, or only even hosts, or only hosts which are a multiple of 8.

    To simplify things, subnet masks are what you use to identify networks. Wildcard masks are what you use to identify the hosts within those networks.
    wbosher Member Posts: 422
    Has anyone read the Sybex book where he does wildcard masks without using binary at all? It seems much easier.

    For example, to apply an ACL that applies only to the hosts .4 through .7, rather than using binary you would use a block size of 4. Subtract 1 from 4 and you get 3, therefore you would use 3 in the wildcard mask in the appropriate octet.

    Another example would be .16 through .31; this is a block size of 16, therefore you may have something like 192.168.1.16 0.0.0.15. This would apply to the addresses .16 through to .31.

    This seems to work a lot better for me, and faster than using binary.
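As an added, runnable example that is not part of the original thread: the Python below reproduces what the router does for Forsaken_GA's ".4 through .7" case and for wbosher's block-size trick. The functions `wildcard_match`, `matching_hosts` and `range_to_wildcard` and the 192.168.1.0/24 sample addresses are this example's own, not IOS code. The one caveat the block-size trick leaves implicit is that the range must be a power of two in size and must start on a multiple of that size; `range_to_wildcard` checks both before handing back a wildcard.

```python
import ipaddress


def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard comparison (the binary AND Forsaken_GA describes).

    A 0 bit in the wildcard means "this bit of the candidate must equal the
    same bit of the base"; a 1 bit means "don't care".  The router masks both
    addresses with the inverted wildcard and compares the results.
    """
    c = int(ipaddress.IPv4Address(candidate))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (c & care) == (b & care)


def matching_hosts(base: str, wildcard: str, network: str) -> list:
    """Every address in `network` (including network/broadcast) that the
    base/wildcard pair matches."""
    return [str(a) for a in ipaddress.IPv4Network(network)
            if wildcard_match(str(a), base, wildcard)]


def range_to_wildcard(first: str, last: str):
    """wbosher's block-size trick, plus the alignment check it relies on.

    A contiguous range collapses to one base/wildcard pair only when its size
    is a power of two and `first` sits on a multiple of that size; otherwise
    the range needs more than one ACL line.  Returns (base, wildcard) or None.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    size = hi - lo + 1
    if size <= 0 or size & (size - 1):      # empty, or not a power of two
        return None
    if lo % size:                           # block does not start on a boundary
        return None
    return first, str(ipaddress.IPv4Address(size - 1))   # block size minus one


if __name__ == "__main__":
    # .4 through .7 in a /24: one line with wildcard 0.0.0.3 instead of four host lines
    print(matching_hosts("192.168.1.4", "0.0.0.3", "192.168.1.0/24"))
    # The same pair, and wbosher's .16-.31 example, via the block-size trick
    print(range_to_wildcard("192.168.1.4", "192.168.1.7"))
    print(range_to_wildcard("192.168.1.16", "192.168.1.31"))
    # .5 through .8 is also four hosts, but it straddles a block boundary
    print(range_to_wildcard("192.168.1.5", "192.168.1.8"))
    # The OP's example: 172.16.8.0 0.0.3.255 covers 172.16.8.0 - 172.16.11.255
    print(wildcard_match("172.16.11.255", "172.16.8.0", "0.0.3.255"),
          wildcard_match("172.16.12.0", "172.16.8.0", "0.0.3.255"))
```

The `None` results are the cases where the shortcut silently breaks: a range such as .5 through .8 is four addresses, but no single base/wildcard pair matches exactly those four, so an ACL written from the block-size rule alone would either miss hosts or match extra ones.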
    Forsaken_GA Member Posts: 4,024
    Yeah, there are plenty of little tricks to apply to wildcard masking, just like subnetting, but it all boils down to the router doing a binary AND to determine match/no-match, and it's always good to understand the fundamentals.

    Like alot of folks, the OP just didn't see the point of a wildcard mask, since it's usually taught at the CCNA level as an inverse mask for purposes of simplicity.

    I just wanted to make sure folks understood that there is a point, and that the presence of wildcard masking is not just because some programmer at Cisco was feeling whimsical one day hehe
    wbosher Member Posts: 422
    Forsaken_GA wrote: »
    not just because some programmer at Cisco was feeling whimsical one day hehe

    I often wonder about the people at Cisco having a couple of drinks late at night saying "hey, let's do this ha ha". Take ACLs for example when applying to interfaces or vty lines - access-group, access-class.

    Sure there'll be plenty more of these as we get deeper into Cisco.
    mzinz Member Posts: 328
    Forsaken_GA wrote: »
    Actually, that's not true. It may work out to being the same in your practice sessions, but in the real world, wildcard masks differ greatly from subnet masks. The wildcard mask gives you great flexibility.

    Let's say I have a /24, netmask is set to 255.255.255.0

    Now, let's say I want to apply an ACL that applies to only the hosts .4 through .7 I can either configure 4 lines, one for each host, or I can use the wildcard mask 0.0.0.3

    It's all just binary ANDing.

    If you compare the values in binary, 4 through 7 have the first six bits in common, 000001, so you need those bits to match exactly, the last 2 bits can vary.

    So instead of using 4 lines in ACL to match hosts in a subnet, I've used one.

    You could also do stuff like make ACL's apply to only odd hosts, or only even hosts, or only hosts which are a multiple of 8.

    To simplify things, subnet masks are what you use to identify networks. Wildcard masks are what you use to identify the hosts within those networks.

    In your example, why couldn't I just use a subnet mask of 255.255.255.252?

    I'm trying to understand how Wildcard masks offer any more functionality or flexibility than subnet masks.
    _______LAB________
    2x 2950
    2x 3550
    2x 2650XM
    2x 3640
    1x 2801
    Forsaken_GA Member Posts: 4,024
    mzinz wrote: »
    In your example, why couldn't I just use a subnet mask of 255.255.255.252?

    Well, for starters, that's the subnet mask for a /30, which only has 2 usable hosts. Remember, subnet masks identify networks, and each network *has* to have a network identifier and a broadcast address, with only a couple of exceptions (i.e., using /31s on point-to-point interfaces, and using /32s for host routes/loopbacks).

    Let me throw you another example that may help illustrate it a bit more -

    Assuming a /24 mask, I want a rule that will apply to all even numbered hosts on the network. So the wildcard mask in this case would be 0.0.0.254. The only bit I care about is the first bit, and I need it to match 0. The rest of the host bits could be whatever, the only way they could possibly be an odd number is if the first bit is on.

    So how would you represent that with a subnet mask?

    If you take the inverse mask like most of you are used to, it'd result in 255.255.255.1, which is not a valid subnet mask.

    When your ACLs are being applied to an entire network, then yes, the inverse mask works fine, because both are essentially identifying the same thing, just through different methods.

    But the second you start to need rules that apply to a subset of hosts within that network, the use of an inverse mask is probably not going to be applicable.
    mzinz Member Posts: 328
    Forsaken_GA wrote: »
    Well, for starters, that's the subnet mask for a /30, which only has 2 usable hosts. Remember, subnet masks identify networks, and each network *has* to have a network identifier and a broadcast address, with only a couple of exceptions (i.e., using /31s on point-to-point interfaces, and using /32s for host routes/loopbacks).

    Let me throw you another example that may help illustrate it a bit more -

    Assuming a /24 mask, I want a rule that will apply to all even numbered hosts on the network. So the wildcard mask in this case would be 0.0.0.254. The only bit I care about is the first bit, and I need it to match 0. The rest of the host bits could be whatever, the only way they could possibly be an odd number is if the first bit is on.

    So how would you represent that with a subnet mask?

    If you take the inverse mask like most of you are used to, it'd result in 255.255.255.1, which is not a valid subnet mask.

    When your ACLs are being applied to an entire network, then yes, the inverse mask works fine, because both are essentially identifying the same thing, just through different methods.

    But the second you start to need rules that apply to a subset of hosts within that network, the use of an inverse mask is probably not going to be applicable.

    Thank you for the explanation, I never looked at it that way. Makes sense.
    wbosher Member Posts: 422
    Forsaken_GA wrote: »
    Assuming a /24 mask, I want a rule that will apply to all even numbered hosts on the network. So the wildcard mask in this case would be 0.0.0.254. The only bit I care about is the first bit, and I need it to match 0. The rest of the host bits could be whatever, the only way they could possibly be an odd number is if the first bit is on.

    OK, I get that but what would be the wildcard mask for odd numbered hosts and why?

    This is probably above CCNA level but it's interesting.
    Forsaken_GA Member Posts: 4,024
    wbosher wrote: »
    OK, I get that but what would be the wildcard mask for odd numbered hosts and why?

    This is probably above CCNA level but it's interesting.

    It'd be the same, but you'd match it against an IP that had the 1st bit turned on.

    ie, if I apply the rule as 192.168.40.2 0.0.0.254, it matches all even numbered hosts, because that IP and that mask says that the first three octets have to match, and on the fourth octet, the first bit has to match (which in this case it would be off) and the other 7 bits can be whatever.

    if I apply it against 192.168.40.3 0.0.0.254, it applies to all odd numbered hosts. Same thing, first three octets have to match, and the first bit has to match, which since this is an odd number, means the first bit is turned on, and the other 7 bits can be whatever.
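To make the even/odd example and the earlier "the inverse mask would be 255.255.255.1, which is not a valid subnet mask" point concrete, here is an added Python example that is not part of the original thread. The function names and the 192.168.40.0/24 sample network are this example's own. It goes slightly beyond the posts: it also covers the "multiples of 8" case Forsaken_GA mentioned, and it includes the contiguity test every subnet mask must pass, which the inverse of a sparse wildcard like 0.0.0.254 fails.

```python
import ipaddress


def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard test: 0 bits in the wildcard must match the base,
    1 bits are "don't care".  Same binary AND the router performs."""
    c = int(ipaddress.IPv4Address(candidate))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (c & care) == (b & care)


def matched_last_octets(base: str, wildcard: str,
                        network: str = "192.168.40.0/24") -> list:
    """Last octet of every address in `network` that base/wildcard matches.
    The default network is a constructed sample, not from the thread."""
    return [int(a) & 0xFF for a in ipaddress.IPv4Network(network)
            if wildcard_match(str(a), base, wildcard)]


def inverse_mask(wildcard: str) -> str:
    """The 'inverse mask' rule taught at CCNA level: flip every wildcard bit."""
    flipped = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(flipped))


def is_valid_subnet_mask(mask: str) -> bool:
    """A subnet mask must be an unbroken run of 1 bits followed by 0 bits.

    Complementing the mask turns its trailing zeros into a trailing run of
    ones; that value is of the form 2**n - 1 exactly when the mask is
    contiguous, and x & (x + 1) == 0 tests for that form.
    """
    m = int(ipaddress.IPv4Address(mask))
    tail = ~m & 0xFFFFFFFF
    return tail & (tail + 1) == 0


if __name__ == "__main__":
    # 0.0.0.254 fixes only the lowest bit of the last octet; the base address
    # decides whether that bit must be 0 (even hosts) or 1 (odd hosts).
    print(matched_last_octets("192.168.40.2", "0.0.0.254")[:5])   # even hosts
    print(matched_last_octets("192.168.40.3", "0.0.0.254")[:5])   # odd hosts
    # 0.0.0.248 fixes the low three bits: with base .0 that is "multiples of 8".
    print(matched_last_octets("192.168.40.0", "0.0.0.248")[:5])
    # Inverting a whole-network wildcard gives a real mask; inverting a sparse
    # wildcard gives something no subnet mask can express.
    for wc in ("0.0.0.255", "0.0.3.255", "0.0.0.254", "0.0.0.248"):
        inv = inverse_mask(wc)
        print(wc, "->", inv, "valid subnet mask:", is_valid_subnet_mask(inv))
```

The same `wildcard_match` is what an OSPF or EIGRP `network` statement applies to interface addresses, so the even/odd trick works (and can surprise you) there too: a `network` line with a sparse wildcard will enable routing only on interfaces whose addresses happen to have the right bit pattern.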
    wbosher Member Posts: 422
    Forsaken_GA wrote: »
    It'd be the same, but you'd match it against an IP that had the 1st bit turned on.

    ie, if I apply the rule as 192.168.40.2 0.0.0.254, it matches all even numbered hosts, because that IP and that mask says that the first three octets have to match, and on the fourth octet, the first bit has to match (which in this case it would be off) and the other 7 bits can be whatever.

    if I apply it against 192.168.40.3 0.0.0.254, it applies to all odd numbered hosts. Same thing, first three octets have to match, and the first bit has to match, which since this is an odd number, means the first bit is turned on, and the other 7 bits can be whatever.

    Great explanation, thanks. :D
    erfolg255 Banned Posts: 36
    wbosher, your trick with the wildcard mask is great, thanks :) It will be much easier for me now :)
    wbosher Member Posts: 422
    erfolg255 wrote: »
    wbosher, your trick with the wildcard mask is great, thanks :) It will be much easier for me now :)

    It is a good trick and will probably save some time on the CCNA exam, but looking at the posts by Forsaken_GA, it looks as though it really pays to understand the binary side of it as well, especially for more advanced studies.
    DevilWAH Member Posts: 2,997
    Here's a thread from the same kind of question asked a while back, with an example of a way to use wildcard masks to achieve something subnet masks could never do.

    http://www.techexams.net/forums/ccnp/55750-wildcard-subnet-mask.html#post426643
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
    earweed Member Posts: 5,192
    I'm not even "officially" studying for the CCNA yet but I still learn something new practically every day from reading stuff here in the Cisco forum.
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
    Forsaken_GA Member Posts: 4,024
    wbosher wrote: »
    It is a good trick and will probably save some time on the CCNA exam, but looking at the posts by Forsaken_GA, it looks as though it really pays to understand the binary side of it as well, especially for more advanced studies.

    Wildcard masking is one of those things that made me go 'wtf' the first time I encountered a situation where the inverse mask wouldn't work. That was another one of those 'well Cisco lied to me!' moments, just because it can be a difficult concept to grasp. The fact that the way it's displayed to us end users so closely mirrors a subnet mask only adds to the confusion.

    I'd love to see Cisco move IOS to CIDR notation in all places requiring a subnet mask, along with the CCNA instructors explaining how wildcard masking really works.

    But until then, that's what forums like these are for! I applaud the OP for standing up and saying 'this @$$! doesn't make any sense, could someone explain it?' rather than memorizing something they don't really understand in order to pass the exam.
    new2net Member Posts: 81
    Thanks for all the responses... it is making a lot more sense now...

    Still have a question though..
    Forsaken_GA wrote: »
    Actually, that's not true. It may work out to being the same in your practice sessions, but in the real world, wildcard masks differ greatly from subnet masks. The wildcard mask gives you great flexibility.

    Let's say I have a /24, netmask is set to 255.255.255.0

    Now, let's say I want to apply an ACL that applies to only the hosts .4 through .7 I can either configure 4 lines, one for each host, or I can use the wildcard mask 0.0.0.3

    It's all just binary ANDing.

    If you compare the values in binary, 4 through 7 have the first six bits in common, 000001, so you need those bits to match exactly, the last 2 bits can vary.

    So instead of using 4 lines in ACL to match hosts in a subnet, I've used one.

    You could also do stuff like make ACL's apply to only odd hosts, or only even hosts, or only hosts which are a multiple of 8.

    To simplify things, subnet masks are what you use to identify networks. Wildcard masks are what you use to identify the hosts within those networks.

    Thanks forsaken!

    I am having a little trouble understanding this example when specifying the .4 - .7 hosts. Here is how I am looking at it:

    We have an IP 172.16.10.0/24. We want to match 172.16.10.4 to 172.16.10.7, and not the entire /24 subnet.

    If we take 172.16.10.0 and apply 0.0.0.3, it will match the following:
    172.16.10.0
    172.16.10.1
    172.16.10.2
    172.16.10.3
    and the fourth octet will look like this: 00000011, where the orange bits have been frozen.

    If we wanted to match specifically hosts .4 to .7, then we would need to take the IP 172.16.10.4 and apply 0.0.0.3 to it.

    So in the first case we took 172.16.10.0 and applied 0.0.0.3 to it,
    and in the second case we took 172.16.10.4 and applied 0.0.0.3 to it.

    Correct....?
    Forsaken_GA Member Posts: 4,024
    new2net wrote: »
    so in the first case we took 172.16.10.0 and applied 0.0.0.3 to it
    and in the second case we took 172.16.10.4 and applied 0.0.0.3 to it

    correct....?

    Exactly. The IP that you're sourcing the wildcard mask against is what ultimately determines which IPs are matched, as that's the IP that the wildcard is ANDed against. The wildcard mask just says which bits must match and which bits we don't care about. It sounds like you've got it!
    veritas_libertas Member Posts: 5,746
    I know, I know, I just replied to a thread that is very dead.

    I just wanted to say thanks. This has helped clear up some of my misconceptions about wildcards.