I recognize that a majority of the members in this forum are relatively new to the Cisco world, and one of the most common topics I see in the discussion threads relates to either some form of subnetting or wildcard masks.  I wanted to dedicate this blog post to examining the operation of binary math, in relation to subnetting concepts and ACLs, in detail.

Converting Between Binary and Decimal Numbers

Binary is a base-2 numeral system, which represents each numerical value using a sequence of 0s and 1s.  The binary system implements a positional notation, increasing in powers of 2.  The following table depicts the binary system (including powers of 2n, and the binary/decimal representation of the respective number).

 27 26 25 24 23 22 21 20 1000000 01000000 0010000 00010000 00001000 00000100 00000010 00000001 128 64 32 16 8 4 2 1

There are a number of different methods to convert from decimal into binary.  I prefer the table method, and I’m going to briefly demonstrate it here.  Essentially, the table method utilizes elementary mathematics (addition/subtraction).  Simple, effective, and most importantly, easy to learn with a bit of practice.

All numbers between 0 and 255 can be represented as an 8-bit string.   When converting from decimal into binary, the idea is to find to right sequence of bits by marking placeholders as “on” (1) or “off” (0).  All 8 bits are represented, and each placeholder marked with 1 adds its value to the converted number, while 0s are ignored.  For example, 255 is represented by marking all placeholders with 1, meaning that summing up each placeholder value produces said decimal number: 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1  = 255.

The process of converting a decimal number into binary is simply marking the closest (lower) placeholder as “on” (1), and subtracting the corresponding value from the decimal number until there is no remainder.  Any unused, or skipped, placeholders are marked as “off” (0).  The binary representation of the decimal number is the “on” (1) and “off” (0) sequence that is produced.

Example: Converting 147 into binary.

1. Mark 128 as “on”. Remainder: 147 – 128 = 19

2. Mark 16 as “on”. Remainder: 19 – 16 = 3

3. Mark 2 as “on”. Remainder: 3 – 2 = 1

4. Mark 1 as “on”. Remainder: 1 – 1 = 0

5. Mark unused placeholders as “off”.

 128 64 32 16 8 4 2 1 1 0 0 1 0 0 1 1

As is evident from the table, 147 is equal to 10010011 in binary.  To verify: 128 + 16 + 2 + 1 = 147.

Doing the conversion in the opposite direction is easier.  Simply write out the bit sequence in the table as is, and sum up the placeholder values.  Example: Converting 11011101 into decimal.

 128 64 32 16 8 4 2 1 1 1 0 1 1 1 0 1

All placeholders marked as “on” (1) are added together, and the summation yields the decimal product: 128 + 64 + 16 + 8 + 4 + 1 = 221.

An IP address is a 32-bit sequence, composed of four octets (each octet containing eight bits).  The IP address consists of network and host portions.  The network portion is dictated by the subnet mask.  More specifically, the number of consecutive 1s in the subnet mask determines the length of the network portion, i.e. the bits in the IP address that indicate the network prefix.  All devices in a common subnet share the same network bits, and the remaining available bits are reserved for host addressing.

The process of finding the network address is performed by a bitwise AND operation between the IP address and the subnet mask.  For reference:

0 AND 0 = 0

0 AND 1 = 0

1 AND 0 = 0

1 AND 1 = 1

The result of the AND operation yields the network address, or network prefix, and the remaining available bits are used to uniquely identify hosts.  Example: Find the network address for 192.168.5.154/26 (or 255.255.255.192).

I will use color coding to indicate the different sections:  blue = network portion, red = host portion.  As with binary conversion, there are other methods to find the network address, like using the “magic number”, but I’m going to demonstrate everything in binary.

 Binary Form Decimal Notation IP   Address `11000000.10101000.00000101.10``011010` `192.168.5.154` Subnet   Mask `11111111.11111111.11111111.11``000000` `255.255.255.192` AND / Network Address `11000000.10101000.00000101.10``000000` `192.168.5.128`

As determined by the AND operation (comparing each bit position individually between the IP address and subnet mask), the network address is 192.168.5.128/26.

Defining the Address Range for a Subnet

Example: Find the address range for 192.168.5.128/26.

 Binary Form Decimal Notation Subnet   Mask `11111111.11111111.11111111.11``000000` `255.255.255.192` Network   Address (0s) `11000000.10101000.00000101.10``000000` `192.168.5.128` Broadcast Address (1s) `11000000.10101000.00000101.10``111111` `192.168.5.191`

As demonstrated in the above table, the network address is 192.168.5.128 and the broadcast address is 192.168.5.191.  Therefore, the range of usable host IP addresses is 192.168.5.129-192.168.5.190.

It is crucial to understand that for the network and broadcast addresses all host bits must be set to either 0 or 1, respectively.  An IP address can strikingly resemble a network address, when in fact, it is a valid host IP address.  Example:  Can a host have the IP address 192.168.5.0?  Yes, it can, given a large enough IP address space (for example, 192.168.4.0/22).

 Binary Form Decimal Notation Subnet   Mask `11111111.11111111.111111``00.00000000` `255.255.252.0` Network   Address `11000000.10101000.000001``00.00000000` `192.168.4.0` Valid Host IP `11000000.10101000.000001``01.00000000` `192.168.5.0`

Note that the requirement of all 0s or 1s in the host portion is not satisfied, i.e. 192.168.5.0 can be assigned to a host (or a router interface, as demonstrated below).

Router#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/1        192.168.5.0     YES manual up                    up

Router#show interface fa0/1

FastEthernet0/1 is up, line protocol is up (connected)

On the contrary, an IP address that might look like a valid host IP address can, in reality, be a broadcast address for a subnet.  Like the IP address 192.168.5.191/26 from a previous example may at first appear as a normal IP address, but as already proven, it is actually a broadcast address.  If you try to configure it on a PC, you will receive the following error:

Similarly, if you try to apply a network address on the PC, the same warning message will pop up, indicating that all host bits are set to 0.

A router will also not accept either IP address but is not as intuitive or descriptive about the matter.

Router(config)#interface fa0/1

Finding a Common Subnet

The trick in defining a common subnet is to find the bit boundary where the two IP addresses match.  Once the bit boundary is found, the subnet mask is derived by marking all consecutive matching bits with 1.  Finally, as demonstrated earlier, the network address (all 0s) and broadcast address (all 1s) are easily deduced in the host portion.

Example: Find the common subnet between 192.168.201.245 and 192.168.209.153.

 Binary Form Decimal Notation IP A `11000000.10101000.110``01001.11110101` 192.168.201.245 IP B `11000000.10101000.110``10001.10011001` 192.168.209.153 Subnet   Mask 11111111.11111111.11100000.00000000 255.255.224.0 Network   Address (0s) 11000000.10101000.11000000.00000000 192.168.192.0 Broadcast   Address (1s) 11000000.10101000.11011111.11111111 192.168.223.255

As shown in the table, the two IP addresses have a matching bit pattern until the 19th bit.  That is the bit boundary that dictates the network prefix.  The common network for the two IP addresses is 192.168.192.0/19.

Again, I will apply color coding to clarify the output.  This time, I will use green to mark so called “interesting bits”/”don’t care bits”, or 1s in the wildcard masks.

For the sake of simplicity, let’s first consider a simple standard ACL: access-list 1 permit 192.168.1.0 0.0.0.255.  The wildcard mask 0.0.0.255 denotes that the first 24 bits must match, while the last 8 bits can have any combination of 0s and 1s.

 Binary Form Decimal Notation IP   Address `11000000.10101000.00000001.00000000` `192.168.1.0` Wildcard   Mask `00000000.00000000.00000000.11111111` `0.0.0.255`

Will IP address 192.168.1.134 match the statement?  Many of you probably already know the answer but let’s see the bit-level proof of that.  The idea is to take the “interesting bits” (1s) in the wildcard mask, as already defined as the last 8 bits, and not care about them.  As long as the other bits (the first 24 bits) between two IP addresses are equal, there is a match.

 Binary Form Decimal Notation Network   Address `11000000.10101000.00000001.10000010` `192.168.1.0` IP Address `11000000.10101000.00000001.10000110` `192.168.1.134`

IP address 192.168.1.134 does indeed agree on the first 24 bits against 192.168.1.0, as required, and therefore matches the access list.

 Binary Form Decimal Notation Network   Address `1100``0000.10101000.00000001.10000010` `192.168.1.0` IP Address `11000000.10101000.00000101.01001100` `192.168.3.76`

No, it won’t.  Why?  Because the IP address does not comply with the ACL rule that the first 24 bits must match.  The 22nd bit breaks the sequence.

The previous examples were easy for many of you, so let’s complicate things a little bit.  Let’s do access-list 10 permit 192.168.1.0 0.0.0.6.  Not so easy anymore, right?  Which IP addresses will that statement match?

 Binary Form Decimal Notation IP   Address `11000000.10101000.00000001.00000000` `192.168.1.0` Wildcard   Mask `00000000.00000000.00000000.00000110` `0.0.0.6`

Again, the purpose of a wildcard mask is only to mark bits that must match (0) and bits that don’t matter (1).  The following table lists all the possible IP addresses that will be matched by the statement:

 Binary Form Decimal Notation IP   Address `11000000.10101000.00000001.00000000` `192.168.1.0` `11000000.10101000.00000001.0000``0010` `192.168.1.2` `11000000.10101000.00000001.00000100` `192.168.1.4` `11000000.10101000.00000001.00000110` `192.168.1.6`

That’s it.  The statement matches only four options, which are every combination that a 2-bit sequence can produce.  Marking only two bits as interesting results in this limited scope.

Let’s take this trickery one step further with access-list 6 permit 192.168.1.0 6.6.6.6.  Now that is starting to look scary, wouldn’t you agree?  But what does it match?

 Binary Form Decimal Notation IP   Address `11000000.10101000.00000001.00000000` `192.168.1.0` Wildcard   Mask `00000110.00000110.00000110.00000110` `6.6.6.6`

The following table includes some (not all!) possible IP addresses that fall within the boundaries of the ACL statement.  If you want, you can try to find the rest on your own.

 Binary Form Decimal Notation IP   Address `11000010.10101100.00000111.00000010` `194.172.7.2` `11000100.10101110.00000011.000``00110` `196.174.3.6` `11000000.10101010.00000101.00000100` `192.170.5.4` `11000110.10101110.00000111.00000110` `198.174.7.6`

Contrary to what many of you might think, this is a valid configuration, and a router happily accepts the required commands.

Router#show access-list

Standard IP access list 6

10 permit 192.168.1.0, wildcard bits 6.6.6.6

Luckily, such access-list statements are seldom, if ever, used.  Regardless, it is imperative to be aware of this fundamental ACL processing logic, and understand that such wickedness can exist.

As proven in the previous examples, wildcard masks are truly designed to match individual bits.  Nothing more.

Bonus: Fun with Binary

Without getting into any detail, here are a few tidbits about binary numbers:

1 binary digit = bit

2 bits = crumb

4 bits = nibble

8 bits = byte

If the last bit = 0, the equivalent decimal number is even.

If the last bit = 1, the equivalent decimal number is odd.

The first usable host IP address in a subnet is always odd.

The last usable host IP address in a subnet is always even.

Practice your binary skills with Cisco Binary Game: http://forums.cisco.com/CertCom/game/binary_game_page.htm