Understanding Wild Card Masks

Many engineers (at one time myself too) believe they understand wild card masks. Ask someone and they will most likely tell you that a wild card mask is just the opposite, or reverse, of a subnet mask. Unfortunately, this isn’t quite correct. Yes, at first glance a wild card mask “looks” like the reverse, and in some ways it really is. But a wild card mask can do so much more. In this article I hope to explain what a wild card mask is and how we can use it more effectively.

As the name states, a wild card mask matches (wildly with a zero) everything in the network portion of an IP address. As we dive into how this works, it will become a bit clearer exactly how a wild card mask works and how we can use it.

THE RULES

So there are two basic rules of a wild card mask.

  • 0-bit = match
  • 1-bit = ignore

THE TARGETS

What can wild card masks target?

  • A single host (or a single IP address)
  • An entire network (i.e., Class A, B, or C)
  • An entire subnet
  • A range of IP addresses

Got it so far? …Good.  But, what does this mean? How does it work?

Keep reading…

Targeting a Single Host

To target a single host with a wild card means that every bit within the IP address of the host must match. The bit that means we are matching is a zero (0-bit).  So a wild card mask for a host would be —  0.0.0.0

Targeting an Entire Network

To target an entire network means that every bit within the NETWORK portion of the IP address must match.  All others we can ignore.  So for a Class-C network (i.e., 192.168.1.0) the wild card mask would be — 0.0.0.255

Targeting a Subnet

To target a particular subnet (not classful) we will still need to match on  every bit on the NETWORK portion, however now we need to find the proper bit boundary in the last octet used by our network.  So for example we need to find the wild card mask for the network 192.168.1.128/25.   The easiest way to do this is to simply subtract the subnet mask (255.255.255.128) from 255.255.255.255.  255.255.255.255 minus 255.255.255.128 equals a wild card mask of — 0.0.0.127

Targeting a Range of IP Addresses

Targeting a range of IP addresses is where we begin to see how the wild card mask is different from just a reverse of a subnet mask. The same rules apply: 0 = match, 1 = ignore. If we have a range of 192.168.0.0 through 192.168.1.255 we can match at the 23rd bit. This would allow only the two networks to be targeted. The wild card mask would be 0.0.1.255

Writing this out in binary helps. We know we want to match on the entire 1st and 2nd octets. That part is easy – both are zeros. It's the third octet that is the trick. Let's break that third octet out in binary:

192.168.0.  ---- binary  00000000
192.168.1.  ---- binary  00000001

If you look here the bit we want to match on is the 23rd bit. The subnet mask for a slash 23 is 255.255.254.0.  We then subtract it from 255.255.255.255 to get our wild card which is 0.0.1.255

Pretty cool huh?

Target all even Networks or all odd Networks

With what we’ve learned so far, you might be able to see the possibilities. So now let's take this one last step further. Let's target just the even networks. (Definitely a CCIE lab scenario.)

Let's say we need to route all even networks in the 192.168.0.0 block of space. Where can we match within the third octet that will allow us to do this? Once again we need to break it out in binary to see it more clearly.

192.168.0. ---- binary 00000000
192.168.1. ---- binary 00000001
192.168.2. ---- binary 00000010
192.168.3. ---- binary 00000011
192.168.4. ---- binary 00000100
192.168.5. ---- binary 00000101
192.168.6. ---- binary 00000110
192.168.7. ---- binary 00000111

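If you look, you can see the last bit of the third octet (bit 24) is a zero for every even network. The value of this bit is 1. We can match on this last bit to target the even networks by taking the inverse of 1 to get 254 (255 - 1). In binary, 254 is 11111110: the first seven bits of the third octet are ignored and only the last bit has to match.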

The wild card mask for this would be 0.0.254.255.
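The two rules (0-bit = match, 1-bit = ignore) applied to the masks worked out above, as an added Python example that is not part of the original article; all function names are illustrative. It checks addresses against a base address and wild card pair, and tests whether a wild card is the plain inverse of some subnet mask.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, base, wildcard):
    """0-bit = match, 1-bit = ignore: compare only the bits the wildcard leaves at 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def wildcard_from_prefix(prefix_len):
    """Contiguous case: 255.255.255.255 minus the subnet mask for /prefix_len."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)

def is_inverse_of_subnet_mask(wildcard):
    """True only when the 1-bits are one unbroken run ending at the last bit."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0

def matched_third_octets(base, wildcard):
    """Third-octet values n for which a.b.n.d (a, b, d taken from base) matches."""
    a, b, _, d = base.split(".")
    return [n for n in range(256)
            if wildcard_match(f"{a}.{b}.{n}.{d}", base, wildcard)]

if __name__ == "__main__":
    # Constructed sample pairs taken from the sections above.
    for base, wc in [("192.168.1.128", "0.0.0.127"),
                     ("192.168.0.0", "0.0.1.255"),
                     ("192.168.0.0", "0.0.254.255"),
                     ("192.168.1.0", "0.0.254.255")]:
        nets = matched_third_octets(base, wc)
        print(f"{base} {wc}: inverse of a subnet mask="
              f"{is_inverse_of_subnet_mask(wc)}, "
              f"third octets {nets[:4]}... ({len(nets)} total)")
```

Keeping the 0.0.254.255 mask and changing the base address to 192.168.1.0 selects the odd networks instead.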

————————————————————–

Summary

I’m sure your head is swimming about now, but I hope you can see the power of wild card masks and how they are different from subnet masks.

Do you have problems with wild card masks? Do you have a cool way to figure out wild card masks, or a cool trick you can use wild card masks for? Leave us a comment and let us know what you think. It's comments that bring websites like these to life. I’d love to hear what you think.

FREAK!


41 Responses

  1. Hi. We can also first summarize two networks 192.168.0.0 and 192.168.1.255, so the summarized network would be 192.168.0.0/23 or 255.255.254.0/23. Now the formula to calculate Wild card mask is= Block size – 1.

    Here we can check the Block size of the network (192.168.0.0) is 2 (3rd octet). So the Wild card mask would be 2-1= 1.

    Now the wild card address is 0.0.1.255 (255.255.255.255- 255.255.254.0)

  2. Hi Sir,

    Awesome explanation. In the Targeting a Range of IP Addresses section, how will IP address 192.168.0.0 (Class C) be under the 255.255.254.0 subnet mask? It should be like 255.255.255.*** (/>24), right? Please correct me if I am wrong.

  3. Thanks Joe, thanks to your help I might actually be able to ace the exam I have in a week 😀
    Very clear! Would be cool if you had some more advanced examples but still very very good!

  4. If this article is still alive and being monitored, please go over wildcards that target more than one subnet.

  5. In the “Target All Even Networks . . .” section, you state that “The wild card mask for this would be 0.0.254.255.”

    This is obviously wrong, since it’s not possible to have a value of 254 in a wildcard mask. The correct wildcard mask to achieve this result would be 0.0.1.255.

    1. Ignore previous post. My apologies, I get it now. However, it might be helpful to explain in more detail what’s actually happening here, and the fact that a Wildcard mask doesn’t always have to be a contiguous block of binary “1”s starting from right to left. Unfortunately, this is how Cisco explains it to most newbies, so when a “binary mask” is used to target specific addresses or networks, it can get confusing. Thanks for the great article.

  6. Hello.
    You say: To target a range of IP address is where we begin to see how the wild card mask is different from just a reverse of a subnet mask.

    But I think it is not true. Because /23 is also a subnet. If we get the reverse of /23, we find the Wildcard Mask. That’s why we will be targeting the subnet.

    So how different from just a reverse of a subnet mask it can be?

    1. Saith

      It's true that 0.0.1.255 is the same as /23. But 0.0.254.255 to match all even subnets is an example of a wildcard mask differing from a subnet mask.

  7. Good one, nice... but still it is the reverse of the subnet mask; no strong logic to support your starting statement that they are not.

    1. For most cases day to day NetEng stuff, yes the wild card is simply the reverse of the Subnet mask. However if you need to split routing, as in the example, to send traffic for even networks one direction and all odd networks another direction, you will have to use a wild card mask. Hence the name wild card which causes the router to match all entries in the routing table on the wild card bits.

      HINT – this may be on the CCIE exam.

  8. Hi sir,

    I want to know why we need a wildcard mask in an ACL. Does someone know about ASA? ASA doesn't support wildcards, still we are using ACL and EIGRP, this service, and it's working properly, so why do we need wildcards in a router?
