Last Updated on November 10, 2017 by Valerio Plessi
Many engineers (at one time myself too) believe they understand wild card masks. If you ask someone they will most likely tell you that a wild card mask is just the opposite or reverse of a subnet mask. Unfortunately this isn’t quite correct. Yes, at first glance a wild card mask “looks” like the reverse and in some ways it really is. But a wild card mask can do so much more. I hope to explain in this article what a wild card is and how we can use it more effectively.
As the name states, a wild card mask matches (wildly with a zero) everything in the network portion of an IP address. As we dive into how this works it will becomes a bit more clear exactly how a wild card mask works and how we can use it.
THE RULES
So there are two basic rules of a wild card mask.
- 0-bit = match
- 1-bit = ignore
THE TARGETS
What can wild card masks target?
- A single host (or a single IP address)
- An entire network (i.e, Class A, B, or C)
- An entire subnet
- A range of IP addresses
Got it so far? …Good. But, what does this mean? How does it work?
Keep reading…
Targeting a Single Host
To target a single host with a wild card means that every bit within the IP address of the host must match. The bit that means we are matching is a zero (0-bit). So a wild card mask for a host would be — 0.0.0.0
Targeting an Entire Network
To target an entire network means that every bit within the NETWORK portion of the IP address must match. All others we can ignore. So for a Class-C network (i.e., 192.168.1.0) the wild card mask would be — 0.0.0.255
Targeting a Subnet
To target a particular subnet (not classful) we will still need to match on every bit on the NETWORK portion, however now we need to find the proper bit boundary in the last octet used by our network. So for example we need to find the wild card mask for the network 192.168.1.128/25. The easiest way to do this is to simply subtract the subnet mask (255.255.255.128) from 255.255.255.255. 255.255.255.255 minus 255.255.255.128 equals a wild card mask of — 0.0.0.127
Targeting a Range of IP Addresses
To target a range of IP address is where we begin to see how the wild card mask is different from just a reverse of a subnet mask. The same rules apply 0-match, 1-ignore. If we have a range of 192.168.0.0 through 192.168.1.255 we can match at the 23rd bit. This would allow only the two networks to be targeted. The wild card mask would be 0.0.1.255
Writing this out in binary helps. We know we want to match on the entire 1st and 2nd octets. That part is easy – both are zero’s. Its the third octet that is the trick. Lets break that third octect out in binary
192 168.0. ---- binary 00000000
192.168.1. ---- binary 00000001
If you look here the bit we want to match on is the 23rd bit. The subnet mask for a slash 23 is 255.255.254.0. We then subtract it from 255.255.255.255 to get our wild card which is 0.0.1.255
Pretty cool huh?
Target all even Networks or all odd Networks
With what we’ve learned so far, you might be able to see the possibilities. So now lets take this one last step further. Lets target just all even networks. (definitely a CCIE lab scenario)
Let say we need to route all even networks in the 192.168.0.0 block of space. Where can we match within the third octet that will allow us to do this. Once again we need to break it out in binary to see it more clearly.
192 168.0. ---- binary 00000000
192.168.1. ---- binary 00000001
192.168.2. ---- binary 00000010
192.168.3. ---- binary 00000011
192.168.4. ---- binary 00000100
192.168.5. ---- binary 00000101
192.168.6. ---- binary 00000110
192.168.7. ---- binary 00000111
If look you can see the last bit of the third octet (bit 24) is a zero for every even network. The value for this bit is 1. We can match on this last bit to target the even network by taking the inverse of 1 to get 254. (255-1).
The wild card mask for this would be 0.0.254.255.
————————————————————–
Summary
I’m sure your head is swimming about now, but I hope you can see the power of wild card masks and how they are different from subnet masks.
Do you have problems with wild card masks? Do you have a cool way to figure out wild cards mask or a cool trick you can use wild card masks for? Leave us a comment and let us know what you think? It comments that brings websites like these to life. I’d love to hear what you think.
FREAK!
41 Responses
Tim,
I don't understand this one. When I look at the bits, I see 0 0 0 1 1 0 1 in the 2nd octet, represents networks 10.26 and 10.27 a 1 would be a 254. Wouldn't this allow many more networks than you need?
Here is another example of some connections we have. They have 2 subnets, again /25, that are vastly different.
10.26.0.0 0.1.0.127
This line gives me the following subnets:
10.26.0.0/25
10.27.0.0/25
The real big key is to use subnets/networks that are on CIDR nets, such as the 10.26.0.0. If you had a single bit change, you would get the 2 subnets you are looking for.
I had to work this one out to be sure when trying to understand wildcard masks (the comment combined with the post made everything much clearer).
10.26.0.0 0.1.0.127
Last octet is straightforward: .127 means must match on 25th bit (always a 0), meaning a /25 mask.
2nd octet in binary, then wildcard in binary:
octet: 0 0 0 1 1 0 1 0
wildcard 0 0 0 0 0 0 0 1
Force match on all the 0's means it must be:
0 0 0 1 1 0 1 X, where X can be 1 or 0, so 26 or 27.
i have a question. i have to configure a serial 0/0/1 (192.168.10.10)on a router with a correct wild card mask the correct answer is: network 192.168.10.8 0.0.0.3 area 0 ….how did they come up with that 0.0.0.3?
It a serial link between two routers and subnet (prefix) of /30 so you get subnet mask of 255.255.255.252. You subtract 255.255.255.255
– 255.255.255.252
Then you get 0.0.0.3.
It helped alot..perfect explanation with good reasoning.
Thanx for the lesson,However Why subnet mask & wild card are two different concept instead of one…
Hey Joe, subnet mask can't be *.*.250.0
Doh! I feel dumb. I corrected my comment above to be 255.255.240.0. Thanks for catching that 🙂
I CAN't get!!!!!
Hey Karen,
Its okay… wild card masks can be tough. Without getting into the advanced ways to use wildcards let me explain a simple way to find the wildcard (also known as reverse)
When I'm in a jam and need to figure out a wildcard mask fast and I know what the subnet mask is, all I do is subtract the mask from 255.255.255.255
So for example… if the subnet mask is 255.255.240.0 the wildcard can be figured out
255.255.255.255
– 255.255.240.0
= 0 . 0 . 15 . 255
I hope this helps!
Joe
hey i am happy with the lesson but i think you should do more complex example for people to understand better. i really do enjoy the explanation and hope you do something about what i said. thanks
Thanks for the great explanation. That's helped clear up a lot of my confusion. I also recommend the Boson Subnet calculator, this has a great wildcard mask checker that also allows for more complicated masks. http://preview.tinyurl.com/2vbfp4a
Thanks a lot for you're explanation I was trying to learn the correct form to calculate the wildcards
its awsome .i read from books and even i consult my seniors as well but could understand but from this website i could understand easily thank you so much.
i appreciate..
Thank you very much! It's clearly understood.
I use wildcard in ACL entries all the time. We have conenctions that use four (4) /25 subnets. Fortunately for us, they are maskable with a bit of a wierd mask:
10.10.0.0 0.0.192.127
This line gives/denies access to the following subnets:
10.10.0.0/25
10.10.64.0/25
10.10.128.0/25
10.10.192.0/25
Access is now in a single line.
Here is another example of some connections we have. They have 2 subnets, again /25, that are vastly different.
10.26.0.0 0.1.0.127
This line gives me the following subnets:
10.26.0.0/25
10.27.0.0/25
The real big key is to use subnets/networks that are on CIDR nets, such as the 10.26.0.0. If you had a single bit change, you would get the 2 subnets you are looking for.
Tim
Thank you!!
Has anyone found a subnet calculator which supports this kind of wildcard calculation? All the ones I've tried error as they try and validate the subnetmask as CIDR.
Here is a good calculator for WC mask: http://www.subnet-calculator.com/wildcard.php
That’s a terrible calculator for complicated wildcard masks – that’s only good if you’re doing inverse subnet masks, which are super simple wildcard masks. This is exactly what Steve said he was *not* looking for. I, too, have yet to find one that does this.
The search continues…
i read around 10 to 15 website to read the wildcard mask,but i am not understand any thing from there,but when i come your site and read the entire portion of wildcard mask,its a "awesome"
i just make u a one request ,i just need the configuration or example of wildcard mask
thanks