Network Binary Math ExplainedI recognize that a majority of the members in this forum are relatively new to the Cisco world, and one of the most common topics I see in the discussion threads relates to either some form of subnetting or wildcard masks.  I wanted to dedicate this blog post to examining the operation of binary math, in relation to subnetting concepts and ACLs, in detail.

 

Converting Between Binary and Decimal Numbers

 

Binary is a base-2 numeral system, which represents each numerical value using a sequence of 0s and 1s.  The binary system implements a positional notation, increasing in powers of 2.  The following table depicts the binary system (including powers of 2n, and the binary/decimal representation of the respective number).

 

27

26

25

24

23

22

21

20

1000000

01000000

0010000

00010000

00001000

00000100

00000010

00000001

128

64

32

16

8

4

2

1

 

 

 

There are a number of different methods to convert from decimal into binary.  I prefer the table method, and I’m going to briefly demonstrate it here.  Essentially, the table method utilizes elementary mathematics (addition/subtraction).  Simple, effective, and most importantly, easy to learn with a bit of practice. 

 

All numbers between 0 and 255 can be represented as an 8-bit string.   When converting from decimal into binary, the idea is to find to right sequence of bits by marking placeholders as “on” (1) or “off” (0).  All 8 bits are represented, and each placeholder marked with 1 adds its value to the converted number, while 0s are ignored.  For example, 255 is represented by marking all placeholders with 1, meaning that summing up each placeholder value produces said decimal number: 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1  = 255. 

 

The process of converting a decimal number into binary is simply marking the closest (lower) placeholder as “on” (1), and subtracting the corresponding value from the decimal number until there is no remainder.  Any unused, or skipped, placeholders are marked as “off” (0).  The binary representation of the decimal number is the “on” (1) and “off” (0) sequence that is produced. 

 

Example: Converting 147 into binary. 

 

1. Mark 128 as “on”. Remainder: 147 – 128 = 19

 

2. Mark 16 as “on”. Remainder: 19 – 16 = 3

 

3. Mark 2 as “on”. Remainder: 3 – 2 = 1

 

4. Mark 1 as “on”. Remainder: 1 – 1 = 0

 

5. Mark unused placeholders as “off”.

 

 

 

128

64

32

16

8

4

2

1

1

0

0

1

0

0

1

1

 

 

 

As is evident from the table, 147 is equal to 10010011 in binary.  To verify: 128 + 16 + 2 + 1 = 147.

 

Doing the conversion in the opposite direction is easier.  Simply write out the bit sequence in the table as is, and sum up the placeholder values.  Example: Converting 11011101 into decimal. 

 

128

64

32

16

8

4

2

1

1

1

0

1

1

1

0

1

 

 

All placeholders marked as “on” (1) are added together, and the summation yields the decimal product: 128 + 64 + 16 + 8 + 4 + 1 = 221.   

 

 

 

Finding the Network Address

 

An IP address is a 32-bit sequence, composed of four octets (each octet containing eight bits).  The IP address consists of network and host portions.  The network portion is dictated by the subnet mask.  More specifically, the number of consecutive 1s in the subnet mask determines the length of the network portion, i.e. the bits in the IP address that indicate the network prefix.  All devices in a common subnet share the same network bits, and the remaining available bits are reserved for host addressing.

 

The process of finding the network address is performed by a bitwise AND operation between the IP address and the subnet mask.  For reference:

 

0 AND 0 = 0


0 AND 1 = 0


1 AND 0 = 0


1 AND 1 = 1

 

The result of the AND operation yields the network address, or network prefix, and the remaining available bits are used to uniquely identify hosts.  Example: Find the network address for 192.168.5.154/26 (or 255.255.255.192). 

 

I will use color coding to indicate the different sections:  blue = network portion, red = host portion.  As with binary conversion, there are other methods to find the network address, like using the “magic number”, but I’m going to demonstrate everything in binary.

 

 

Binary Form

Decimal Notation

IP   Address   

11000000.10101000.00000101.10011010

192.168.5.154

Subnet   Mask

11111111.11111111.11111111.11000000

255.255.255.192

AND / Network Address  

11000000.10101000.00000101.10000000

192.168.5.128

 

 

 

As determined by the AND operation (comparing each bit position individually between the IP address and subnet mask), the network address is 192.168.5.128/26. 

 

Defining the Address Range for a Subnet

 

The address range is defined in the host portion.  The first address has all host bits set to 0 and the last address all 1s.  These are not usable host IP addresses but are specifically reserved for identifying the network address (0s) and broadcast address (1s) for a subnet, respectively.  The first usable host IP address is one higher than the network address, and the last usable host IP address is one lower than the broadcast address. 

 

Example: Find the address range for 192.168.5.128/26.

 

 

Binary Form

Decimal Notation

Subnet   Mask

11111111.11111111.11111111.11000000

255.255.255.192

Network   Address (0s)

11000000.10101000.00000101.10000000

192.168.5.128

Broadcast Address (1s)  

11000000.10101000.00000101.10111111

192.168.5.191

 

 

 

As demonstrated in the above table, the network address is 192.168.5.128 and the broadcast address is 192.168.5.191.  Therefore, the range of usable host IP addresses is 192.168.5.129-192.168.5.190.

 

It is crucial to understand that for the network and broadcast addresses all host bits must be set to either 0 or 1, respectively.  An IP address can strikingly resemble a network address, when in fact, it is a valid host IP address.  Example:  Can a host have the IP address 192.168.5.0?  Yes, it can, given a large enough IP address space (for example, 192.168.4.0/22).

 

 

Binary Form

Decimal Notation

Subnet   Mask

11111111.11111111.11111100.00000000

255.255.252.0

Network   Address

11000000.10101000.00000100.00000000

192.168.4.0

Valid Host IP  

11000000.10101000.00000101.00000000

192.168.5.0

 

 

 

Note that the requirement of all 0s or 1s in the host portion is not satisfied, i.e. 192.168.5.0 can be assigned to a host (or a router interface, as demonstrated below).

 

Router#show ip interface brief


Interface              IP-Address      OK? Method Status                Protocol


 


FastEthernet0/1        192.168.5.0     YES manual up                    up


 


Router#show interface fa0/1


FastEthernet0/1 is up, line protocol is up (connected)


  Internet address is 192.168.5.0/22

 

 

 

 

On the contrary, an IP address that might look like a valid host IP address can, in reality, be a broadcast address for a subnet.  Like the IP address 192.168.5.191/26 from a previous example may at first appear as a normal IP address, but as already proven, it is actually a broadcast address.  If you try to configure it on a PC, you will receive the following error:

 

 

Similarly, if you try to apply a network address on the PC, the same warning message will pop up, indicating that all host bits are set to 0.

 

 

A router will also not accept either IP address but is not as intuitive or descriptive about the matter.


Router(config)#interface fa0/1


Router(config-if)#ip address 192.168.5.128 255.255.255.192


Bad mask /26 for address 192.168.5.128


Router(config-if)#ip address 192.168.5.191 255.255.255.192


Bad mask /26 for address 192.168.5.191

 

 

 

Finding a Common Subnet

 

The trick in defining a common subnet is to find the bit boundary where the two IP addresses match.  Once the bit boundary is found, the subnet mask is derived by marking all consecutive matching bits with 1.  Finally, as demonstrated earlier, the network address (all 0s) and broadcast address (all 1s) are easily deduced in the host portion. 

 

Example: Find the common subnet between 192.168.201.245 and 192.168.209.153.

 

 

Binary Form

Decimal Notation

IP A

11000000.10101000.11001001.11110101

192.168.201.245

IP B

11000000.10101000.11010001.10011001

192.168.209.153

Subnet   Mask

11111111.11111111.11100000.00000000

255.255.224.0

Network   Address (0s)

11000000.10101000.11000000.00000000

192.168.192.0

Broadcast   Address (1s)

11000000.10101000.11011111.11111111

192.168.223.255

 

 

As shown in the table, the two IP addresses have a matching bit pattern until the 19th bit.  That is the bit boundary that dictates the network prefix.  The common network for the two IP addresses is 192.168.192.0/19. 

 

Access Lists and Wildcard Masks

 

It is a common misconception that a wildcard mask is the inverse of a subnet mask.  True, often it is.  However, there is no absolute dependence between subnet masks and wildcard masks in access lists.  Wildcard masks are typically designed to match entire subnets, which results in the common use of “inverse subnet masks”. This fundamental relation between subnet masks and wildcard masks leads to the false notion that the two are directly dependent on each other, which is not true.  Essentially, wildcard masks are simply matching against individual bits, 0 signifying that the compared bits must match, and 1 denoting indifference in the value.  That’s it.  A wildcard mask does not have to be engineered from a subnet mask.  But be warned that this fundamental logic enables the creation of evil bit patterns, and as a consequence, diabolic matching scenarios. 

 

Again, I will apply color coding to clarify the output.  This time, I will use green to mark so called “interesting bits”/”don’t care bits”, or 1s in the wildcard masks. 

 

For the sake of simplicity, let’s first consider a simple standard ACL: access-list 1 permit 192.168.1.0 0.0.0.255.  The wildcard mask 0.0.0.255 denotes that the first 24 bits must match, while the last 8 bits can have any combination of 0s and 1s.

 

 

Binary Form

Decimal Notation

IP   Address   

11000000.10101000.00000001.00000000

192.168.1.0

Wildcard   Mask

00000000.00000000.00000000.11111111

0.0.0.255

 

 

 

Will IP address 192.168.1.134 match the statement?  Many of you probably already know the answer but let’s see the bit-level proof of that.  The idea is to take the “interesting bits” (1s) in the wildcard mask, as already defined as the last 8 bits, and not care about them.  As long as the other bits (the first 24 bits) between two IP addresses are equal, there is a match.

 

 

Binary Form

Decimal Notation

Network   Address   

11000000.10101000.00000001.10000010

192.168.1.0

IP Address  

11000000.10101000.00000001.10000110

192.168.1.134

 

IP address 192.168.1.134 does indeed agree on the first 24 bits against 192.168.1.0, as required, and therefore matches the access list.

 

How about IP address 192.168.3.76?  Will it match the ACL statement? 

 

 

Binary Form

Decimal Notation

Network   Address   

11000000.10101000.00000001.10000010

192.168.1.0

IP Address  

11000000.10101000.00000101.01001100

192.168.3.76

 

 

No, it won’t.  Why?  Because the IP address does not comply with the ACL rule that the first 24 bits must match.  The 22nd bit breaks the sequence. 

 

The previous examples were easy for many of you, so let’s complicate things a little bit.  Let’s do access-list 10 permit 192.168.1.0 0.0.0.6.  Not so easy anymore, right?  Which IP addresses will that statement match?

 

 

Binary Form

Decimal Notation

IP   Address   

11000000.10101000.00000001.00000000

192.168.1.0

Wildcard   Mask

00000000.00000000.00000000.00000110

0.0.0.6

 

 

Again, the purpose of a wildcard mask is only to mark bits that must match (0) and bits that don’t matter (1).  The following table lists all the possible IP addresses that will be matched by the statement: 

 

 

Binary Form

Decimal Notation

IP   Address   

11000000.10101000.00000001.00000000

192.168.1.0

 

11000000.10101000.00000001.00000010

192.168.1.2

 

11000000.10101000.00000001.00000100

192.168.1.4

 

11000000.10101000.00000001.00000110

192.168.1.6

 

 

That’s it.  The statement matches only four options, which are every combination that a 2-bit sequence can produce.  Marking only two bits as interesting results in this limited scope. 

 

Let’s take this trickery one step further with access-list 6 permit 192.168.1.0 6.6.6.6.  Now that is starting to look scary, wouldn’t you agree?  But what does it match? 

 

 

Binary Form

Decimal Notation

IP   Address   

11000000.10101000.00000001.00000000

192.168.1.0

Wildcard   Mask

00000110.00000110.00000110.00000110

6.6.6.6

 

 

The following table includes some (not all!) possible IP addresses that fall within the boundaries of the ACL statement.  If you want, you can try to find the rest on your own.

 

 

Binary Form

Decimal Notation

IP   Address   

11000010.10101100.00000111.00000010

194.172.7.2

 

11000100.10101110.00000011.00000110

196.174.3.6

 

11000000.10101010.00000101.00000100

192.170.5.4

 

11000110.10101110.00000111.00000110

198.174.7.6

 

 

Contrary to what many of you might think, this is a valid configuration, and a router happily accepts the required commands. 

 

Router#show access-list


Standard IP access list 6


    10 permit 192.168.1.0, wildcard bits 6.6.6.6

 

 

 

Luckily, such access-list statements are seldom, if ever, used.  Regardless, it is imperative to be aware of this fundamental ACL processing logic, and understand that such wickedness can exist.

 

As proven in the previous examples, wildcard masks are truly designed to match individual bits.  Nothing more. 

 

 

Bonus: Fun with Binary

 

Without getting into any detail, here are a few tidbits about binary numbers:

 

1 binary digit = bit

 

2 bits = crumb

 

4 bits = nibble

 

8 bits = byte

 

If the last bit = 0, the equivalent decimal number is even.

 

If the last bit = 1, the equivalent decimal number is odd.

 

The first usable host IP address in a subnet is always odd.

 

The last usable host IP address in a subnet is always even.

 

 

 

Practice your binary skills with Cisco Binary Game: http://forums.cisco.com/CertCom/game/binary_game_page.htm