13 Replies Latest reply: Jul 14, 2014 3:00 PM by phil morgan

Why do we use Wildcard masks, what is the actual difference between Wildcard and subnet masks ?

No Yashpal

No difference, just mirrors of each other: 0.0.0.7 and 255.255.255.(255-7=248).

They are both methods of identifying bits in a string of bits.

Regards Conwyn

As I understand it, the question is what is the reason for the two different masks, not what are the differences between the masks. The two questions overlap somewhat, but it comes down to binary math (as YLearn hits on).

```
IP:   1100 0000 . 1010 1000 . 1111 1000 . 0110 0100 = 192.168.248.100
Mask: 1111 1111 . 1111 1111 . 1111 1111 . 1111 1000 = 255.255.255.248
AND:  1100 0000 . 1010 1000 . 1111 1000 . 0110 0000 = 192.168.248.96
```

The AND operation on the IP address with the netmask results in the network `192.168.248.96/29`.

Next, a wildcard:

```
NET:  1100 0000 . 1010 1000 . 1111 1000 . 0110 0000 = 192.168.248.96
WC:   0000 0000 . 0000 0000 . 0000 0000 . 0000 0111 = 0.0.0.7
OR:   1100 0000 . 1010 1000 . 1111 1000 . 0110 0111 = 192.168.248.103
```

Performing an OR operation on the network results in the range of IPs (192.168.248.96-103) that may be permitted or blocked in an ACL or OSPF network statement (remember that OSPF only looks for interfaces that fall within the specified ranges, i.e. it doesn't match IP and netmask, just the IP). It's very easy to check whether an IP is in range with:

`IP OR WC == NET OR WC`

This is useful to the router because the netmask does not easily give you this information (without additional operations).

• When applying an IP to an interface
• BGP
• PIX security appliance ACL's
• ASA security appliance ACL's
• When creating DHCP pools on a Switch or Router

• EIGRP network statements
• OSPF network statements
• VPN concentrator network lists (when setting the local and remote allowed networks)
• Router ACL's
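The AND/OR arithmetic from the post, written out as a small Python module so the two tables and the `IP OR WC == NET OR WC` check can be reproduced on any address. This is an added example, not code from the original thread; the function names (`network_address`, `range_end`, `wildcard_from_mask`, `in_range`, `binary`) are my own, and the 192.168.248.100/29 values are the ones used in the post above.

```python
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 string."""
    return str(ipaddress.IPv4Address(value))


def binary(addr: str) -> str:
    """Render an address as nibble-grouped binary, in the same layout as the tables above."""
    cells = []
    for octet in addr.split("."):
        bits = f"{int(octet):08b}"
        cells.append(f"{bits[:4]} {bits[4:]}")
    return " . ".join(cells)


def network_address(ip: str, mask: str) -> str:
    """IP AND netmask -> the network address (don't-care bits cleared)."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def range_end(net: str, wildcard: str) -> str:
    """NET OR wildcard -> the last address of the range the wildcard covers."""
    return int_to_ip(ip_to_int(net) | ip_to_int(wildcard))


def wildcard_from_mask(mask: str) -> str:
    """255 - octet on every octet is simply the 32-bit bitwise complement."""
    return int_to_ip(~ip_to_int(mask) & 0xFFFFFFFF)


def mask_from_wildcard(wildcard: str) -> str:
    """The conversion is its own inverse."""
    return int_to_ip(~ip_to_int(wildcard) & 0xFFFFFFFF)


def prefix_length(mask: str) -> int:
    """Count of 1 bits in a (contiguous) netmask, e.g. 255.255.255.248 -> 29."""
    return bin(ip_to_int(mask)).count("1")


def in_range(ip: str, net: str, wildcard: str) -> bool:
    """The check from the post: IP OR WC == NET OR WC.

    NET must be the AND result (its don't-care bits already zero), which is
    exactly what network_address() produces.
    """
    wc = ip_to_int(wildcard)
    return (ip_to_int(ip) | wc) == (ip_to_int(net) | wc)


if __name__ == "__main__":
    ip, mask = "192.168.248.100", "255.255.255.248"   # values from the post
    net = network_address(ip, mask)
    wc = wildcard_from_mask(mask)
    print(f"IP:   {binary(ip)} = {ip}")
    print(f"Mask: {binary(mask)} = {mask}")
    print(f"AND:  {binary(net)} = {net}/{prefix_length(mask)}")
    print(f"WC:   {binary(wc)} = {wc}")
    print(f"OR:   {binary(range_end(net, wc))} = {range_end(net, wc)}")
    for candidate in ("192.168.248.96", "192.168.248.103", "192.168.248.104"):
        print(candidate, "in range:", in_range(candidate, net, wc))
```

Run it and the printed lines reproduce the two tables above; the last three lines show 96 and 103 inside the range and 104 (the next /29) outside it.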

Actually there is a difference.

With a wildcard mask you can filter packets from a range of IP addresses, so not only one IP address is examined.

Example. 192.168.10.128 0.0.0.3 would examine ip packets from 192.168.10.128 to 192.168.10.130.

Hi Yashpal,

The intention of subnet masks and wildcard masks is the same. They are used to tell the router which bits need a match and which don't. The only difference is the way of representation.

In general:

1-> Represents that there should be a match.

0->Says no need to bother about the match

It is just the reverse of the subnet mask:

0->Represents that there should be a match.

1->Says no need to bother about the match.

Eg: Let's take the network: 192.168.1.0/24.

```
Subnet: 11111111 . 11111111 . 11111111 . 00000000
Wild:   00000000 . 00000000 . 00000000 . 11111111
```

Now if you want to tell the router that a route exists for the network 192.168.1.0/24 you will use a subnet mask.

Eg: `ip route 192.168.1.0 255.255.255.0 <next hop/exit int>`

Now if you want to tell the router to block this range/network using an ACL, you would use a wildcard mask.

Eg: `access-list 10 deny 192.168.1.0 0.0.0.255`

To get the wildcard mask from a subnet mask, you just need to subtract each octet of the subnet mask from 255.

Eg;

```
Subnet mask: 255     . 255     . 128     . 0
Wildcard   : 255-255 . 255-255 . 255-128 . 255-0  = 0.0.0.255
```

Regards,

Chandu

mohit teotia,

You might want to credit the actual source. It's only fair to the OP.

I don't know why we use them, but wildcards are more flexible. Subnet masks have contiguous 1's then contiguous 0's. Wildcard masks can have any combination of 1's (don't care) and 0's (care) bits. So we can do strange things like:

192.168.0.200 0.0.255.0 - match any 192.168.x.200

192.168.0.0 0.0.0.1 - match even hosts on 192.168.0.0/24

192.168.0.1 0.0.0.1 - match odd hosts on 192.168.0.0/24

192.168.0.0 0.0.0.2 - 192.168.0.[0,1,4,5,8,9,12,13...] < very strange

0.0.0.200 255.255.255.0  - x.x.x.200

192.168.0.0 0.0.255.255 - 192.168.x.x (could be achieved with a subnet mask)

With that being said, the ASA cannot do this. My guess is that wildcards were created by a separate group of developers than those that built the code for IP Subnet masks. There could've also been some initial hardware limitations or gains by using wildcards. Obviously there are many ways this could've been done differently. However, wildcards work well and they've stuck with us.

Thanks for doing the hard work of searching for a source link for my answer, Miss Sarah.

1. I got this from an old thread a while ago, by Scott Morris, and I had summarized it over here. Your reasoning is similar to the actual reasons.

https://learningnetwork.cisco.com/docs/DOC-22500

Regards,

Navneet.


hey bro thanks: Navneet

You are welcome.

Thanks to all of you.

This is how I remember it:

Network

0=ignore

1=important

Wildcard

0=important

1=ignore

hth Phil