After reading this article, you should be able to answer the following questions:

  • * What are wildcard masks
  • * Where are they used
  • * How to calculate them

Also, a few examples will be provided in the context where the wildcard masks are used.

The topic of wildcard masks confuses and poses a lot of problems for CCNA students.

For the CCNA exam, you will come in contact with wildcard masks when you have to configure OSPF routing protocol and access control Lists.

Wildcard masks are used in OSPF to specify on which interfaces the OSPF protocol will run and in ACL to permit or deny hosts, ranges of hosts or subnets.

A wildcard mask offers an opportunity to ignore sections of the addresses when a comparison is performed. These ignored sections are treated as if they are already a match.

CCNA Training – Resources (Intense)

One would compare an IP address to a wildcard mask to see if that IP address matches what the operator is looking for.

A “0” bit in the wildcard mask means that the corresponding bit from the IP address has to match exactly. A “1” bit in the wildcard mask means that the corresponding bit from the IP address can be ignored or has already matched.

Before we go any further, keep in mind these two rules:

Decimal 0—the octet must be compared.

Decimal 255—the octet can be ignored as it can be safely treated as a match.

So let’s start with some basic examples of IP addresses that have to be matched using wildcard masks.

Example 1: match 192.168.1.1/32

Because we need to match this host IP exactly and only this one, then all bits of the wildcard mask should be “0,” therefore an ACL that should match only 192.168.1.1 will look like this:

192.168.1.1 0.0.0.0

Example 2: match 192.168.1.0/24

Because the prefix that we are trying to match is a /24, the last octet comparison is ignored. When the whole octet is ignored, then the wildcard mask will have, as the corresponding octet, the value 255.

So let’s break it down:

192.168.1.0 in binary is

1100000 10101000 00000001 00000000

And the wildcard mask will be

0000000 00000000 00000000 11111111

Therefore the ACL entry will look like

192.168.1.0 0.0.0.255

Example 3: match 192.168.1.0/26

This example is a combination of the first two examples: it’s neither a host match nor a full octet match. We have to match any host that falls in the range 192.168.1.0 through 192.168.1.63.

As you can see, we have to play only with the last octet of the subnet.

Let’s break it down.

Step 1: Convert the mask to binary.

Step 2: Reverse the result to get the wildcard bits.

Step 3: Convert the wildcard bits in decimal.

A network mask of /26 means that the mask in decimal is 192, so let’s convert it to binary.

Step 1: 11000000

Step 2: 00111111

Step 3: 63

Basically the ACL entry will look like this:

192.168.1.0 0.0.0.63

Let’s try one more example of this kind.

Match 192.168.1.64/28

A network mask of /28 means that the mask in decimal is 240, so let’s convert it in binary.

Step 1: 11110000

Step 2: 00001111

Step 3: 15

The ACL entry will look like this:

192.168.1.64 0.0.0.15

In many situations, you will need to match all hosts from a subnet. To do that, you can use the following math: subtract the subnet from 255.255.255.255.

For instance, you are required to find the wildcard mask to match the subnet 192.168.0.0/19.

The wildcard mask will be:

255.255.255.255
-255.255.224. 0
= 0. 0. 31.255

Therefore the ACL entry will be 192.168.0.0 0.0.31.255

You can remember the calculation for the wildcard mask like this:

28-X -1

Where X is the length of continuous bits set to 1 from that octet.

In the previous, example, the length of the subnet was 19, so from the third octet we used three bits set to 1; therefore, we have:

28-3-1 = 25-1 = 32 – 1 = 31

It’s better to remember how this is calculated, but you can also use the following table to get the value quickly.

0 1 2 3 4
SM Binary 00000000 10000000 11000000 11100000 11110000
SM Decimal 0 128 192 224 240
WM Binary 11111111 01111111 00111111 00011111 00001111
WM 255 127 63 31 15
5 6 7 8
SM Binary 11111000 11111100 11111111 11111111
SM Decimal 248 252 254 255
WM Binary 00000111 00000011 00000001 00000000
WM 7 3 1 0

Let’s continue with a more complex example.

We need to match all odd numbered hosts of 192.168.1.0/24.

I will list only a few of these hosts here:

192.168.1.1
192.168.1.3
192.168.1.5
192.168.1.7
192.168.1.9
192.168.1.253
192.168.1.255

Let’s break down each one of them and see what they have in common:

11000000 10101000 00000001 00000001
11000000 10101000 00000001 00000011
11000000 10101000 00000001 00000101
11000000 10101000 00000001 00000111
11000000 10101000 00000001 00001001
11000000 10101000 00000001 11111101
11000000 10101000 00000001 11111111

Because we are dealing with a /24 network, the first three octets will be the same always. Only the fourth octet will change. If you look at the binary conversion of the fourth octet, you will notice that the first seven bits are changing and the eighth is always 1. So we can translate this like “ignore the first seven bits and match the eight one.”

So, going back to our example, we will have this:

11000000 10101000 00000001 00000001
11000000 10101000 00000001 00000011
11000000 10101000 00000001 00000101
11000000 10101000 00000001 00000111
11000000 10101000 00000001 00001001
11000000 10101000 00000001 11111101
11000000 10101000 00000001 11111111
______________________________
00000000 00000000 00000000 11111110
0.                  0.                  o.         254

 

Therefore, the ACL entry will be:

192.168.1.0 0.0.0.254

Let’s try an even more complex example that will combine the wildcard mask calculation along with ACL logic.

Configure an ACL with the minimum entries that will permit the IP addresses in subnets 192.168.X.0/24, where X is an even number and is greater or equal to 1 and less than or equal to 6.

Keep in mind the wording of the requirement: “minimum.”

Basically, we should match only 192.168.2.0/24, 192.168.4.0/24, 192.168.6.0/24 subnets.

Because the fourth octet can take any value, we will ignore it and this means that the wildcard mask will have the value 255 for the fourth octet.

Because the first and the second octets have to be 192 and 168, the wildcard mask will have the value 0 in the corresponding octets.

Therefore, from what we know so far, the wildcard mask will look like this:

192.168.0.0 0.0.X.255

with the X value remaining to be calculated.

Because we have only three possible values, only the last three bits of the third octet can change.

So, let’s convert into binary the octets that we need to match:

2 = 00000010
4 = 00000100
6 = 00000110

As you can see, only bits from the second and third positions (starting from the right) are changing. To cover all possible combinations, we can put the value “1” at the positions where the bits can change.

Therefore the value of the third octet of the wildcard mask will be:

00000110 = 6

Hence, the ACL will have this configuration:

permit 192.168.0.0 0.0.6.255

However, this is not exactly what we were asked and here the ACL logic comes into play.

The wildcard mask permits the 192.168.0.0/24 subnet as well, so we have to deny it within the ACL configuration:

deny 192.168.0.0 0.0.0.255

permit 192.168.0.0 0.0.6.255

As you can see, we were able to configure an ACL with only two entries and this is the minimum that we could have.

The other possibility is to permit each specific subnet and deny everything else afterwards, but this would be an ACL with four entries.

Let’s see how the wildcard masks are involved in OSPF routing protocol configuration and operation.

We will assume the topology below with the depicted addressing.

Each router has a Loopback interface with the addressing x.x.x.x/32, where x is the router number. For instance, R1 has a Loopback interface configured with IP address 1.1.1.1/32.

We are required to configure all three routers in OSPF area 0.

Cisco routers use the wildcard masks in OSPF operation as they are used in ACL context. They are used for matching which networks will be advertised in OSPF and therefore on which interfaces OSPF will run.

R1 and R2 routers have already been configured to run OSPF on all their interfaces:

R1#show running-config | section ospf
router ospf 1
log-adjacency-changes
network 1.1.1.1 0.0.0.0 area 0
network 10.10.0.0 0.0.0.255 area 0
R1#

R3#show running-config | section ospf
router ospf 1
log-adjacency-changes
network 3.3.3.3 0.0.0.0 area 0
network 10.10.0.0 0.0.0.255 area 0
R3#

Let’s configure R2 to run OSPF only on FastEthernet1/0 interface:

R2#show running-config interface FastEthernet1/0

Building configuration…

Current configuration : 96 bytes
!
interface FastEthernet1/0
ip address 10.10.0.9 255.255.255.252
duplex auto
speed auto
end

R2#

What wildcard mask is needed to match only this subnet in order to avoid running OSPF on any other interface?

Using the information presented in the examples from the beginning of the article, you should be able to figure this out.

As you can see, the subnet configured is 10.10.0.8/30. So we have to calculate what the fourth octet of the wildcard mask would be.

We can either convert the mask in binary, reverse the result, and convert it back to decimal, or we can use the formula 28-X -1.

Either way, the wildcard mask would be 10.10.0.8 0.0.0.3.

Let’s configure this and confirm that OSPF will run only on FastEthernet1/0 interface:

R2#show running-config | section ospf
router ospf 1
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 10.10.0.8 0.0.0.3 area 0
R2#show ip ospf interface brief
Interface   PID   Area    IP Address/Mask    Cost    State   Nbrs F/C
Fa1/0         1         0          10.10.0.9/30            1           BDR     1/1
Lo0             1         0          2.2.2.2/24                1           LOOP   0/0
R2#show ip ospf neighbor

Neighbor ID    Pri      State           Dead Time     Address      Interface
3.3.3.3              1         FULL/DR    00:00:30      10.10.0.10   FastEthernet1/0
R2#

The next task will be to configure OSPF to run on both interfaces towards R1, using only one statement.

R2#show running-config interface FastEthernet0/0
Building configuration…

Current configuration : 96 bytes
!
interface FastEthernet0/0
ip address 10.10.0.2 255.255.255.252
duplex auto
speed auto
end

R2#show running-config interface FastEthernet2/0
Building configuration…

Current configuration : 96 bytes
!
interface FastEthernet2/0
ip address 10.10.0.6 255.255.255.252
duplex auto
speed auto
end

R2#

We have two /30 subnets. This means that they can be summarized in one /29 subnet.

Basically, we have to create a wildcard mask to match the 10.10.0.0/29 subnet.

As you have already figured out, the wildcard mask should be:

R2#show running-config | section ospf
router ospf 1
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 10.10.0.0 0.0.0.7 area 0
network 10.10.0.8 0.0.0.3 area 0
R2#show ip ospf interface brief
Interface    PID    Area    IP Address/Mask    Cost    State    Nbrs F/C
Fa2/0          1          0         10.10.0.6/30            1          BDR       1/1
Fa0/0          1          0         10.10.0.2/30            1          BDR       1/1
Fa1/0          1          0          10.10.0.9/30            1          BDR       1/1
Lo0             1           0          2.2.2.2/24                1         LOOP     0/0
R2#show ip ospf neighbor

Neighbor ID    Pri    State            Dead Time    Address     Interface
10.10.0.5          1        FULL/DR   00:00:32      10.10.0.5   FastEthernet2/0
10.10.0.5          1        FULL/DR   00:00:32      10.10.0.1   FastEthernet0/0
3.3.3.3              1        FULL/DR    00:00:37     10.10.0.10 FastEthernet1/0
R2#

At this point of the article, you should know what wildcard masks are, where they are used, and how to calculate them.

However, to master the wildcard masks and to be able to answer quickly to any possible questions during the CCNA exam, you need some practice. It won’t hurt you to memorize the wildcard values related to decimal representation.

Reference:
Cisco ICND1 100-101: Official Cert Guide – Wendell Odom