13 Replies Latest reply: Jul 14, 2014 3:00 PM by phil morgan

    Wildcard masks vs subnet masks ?

    Yashpal

      Why do we use Wildcard masks, what is the actual difference between Wildcard and subnet masks ?

         
        • 1. Re: Wildcard masks vs subnet masks ?
          Conwyn

          No Yashpal

          No difference just mirrors of each other.   0.0.0.7  255.255.255.(255-7=248).

          They are both methods of identifying bits in a string of bits.

          Regards Conwyn

          • 2. Re: Wildcard masks vs subnet masks ?
            mohit teotia

            As I understand it, the question is what is the reason for the two different masks, not what are the differences between the masks. The two questions overlap somewhat, but it comes down to binary math (as YLearn hits on).

            First, a netmask:

            IP:   1100 0000 . 1010 1000 . 1111 1000 . 0110 0100 = 192.168.248.100
            Mask: 1111 1111 . 1111 1111 . 1111 1111 . 1111 1000 = 255.255.255.248
            AND:  1100 0000 . 1010 1000 . 1111 1000 . 0110 0000 = 192.168.248.96

            The AND operation on the IP address with the netmask results in the network 192.168.248.96/29.

            Next, a wildcard:

            NET:  1100 0000 . 1010 1000 . 1111 1000 . 0110 0000 = 192.168.248.96
            WC:   0000 0000 . 0000 0000 . 0000 0000 . 0000 0111 = 0.0.0.7
            OR:   1100 0000 . 1010 1000 . 1111 1000 . 0110 0111 = 192.168.248.103

            Performing an OR operation on the network results in the range of IPs (192.168.248.96-103) that may be permitted or blocked in an ACL or OSPF network statement (remember that OSPF only looks for interfaces that fall within the specified ranges -- i.e. it doesn't match IP and netmask, just the IP). It's very easy to check whether an IP is in range with:

            IP OR WC == NET OR WC

            This is useful to the router because the netmask does not easily give you this information (without additional operations).

            • 3. Re: Wildcard masks vs subnet masks ?
              mohit teotia

              Subnet Mask:


              • When applying an IP to an interface
              • Routing protocol summary addresses
              • BGP
              • PIX security appliance ACL's
              • ASA security appliance ACL's
              • When creating DHCP pools on a Switch or Router

              Wildcard Mask:

              • EIGRP network statements
              • OSPF network statements
              • VPN concentrator network lists (when setting the local and remote allowed networks)
              • Router ACL's
              • 4. Re: Wildcard masks vs subnet masks ?
                Mouhammad

                Actually there is a difference.

                 

                With a wildcard mask you can filter packets with a range of IP addresses so they can be examined, so not only one IP address would be examined.

                 

                Example: 192.168.10.128 0.0.0.3 would examine IP packets from 192.168.10.128 to 192.168.10.130.

                • 5. Re: Wildcard masks vs subnet masks ?
                  Racharla Chandra Kanth

                  Hi Yashpal,

                   

                  The intention of subnet masks and wildcard masks is the same. They are used to tell the router which bits need a match and which don't. The only difference is the way of representation.

                  In general:

                  In subnet mask:

                  1-> Represents that there should be a match.

                  0->Says no need to bother about the match

                   

                  WildCard Mask:

                  It is just the reverse of the subnet mask:

                  0->Represents that there should be a match.

                  1->Says no need to bother about the match.

                   

                  Eg: Let's take the network: 192.168.1.0/24.

                  Masks In binary:

                  Subnet: 11111111 . 11111111 . 11111111 . 00000000

                  Wild:   00000000 . 00000000 . 00000000 . 11111111

                   

                  Now if you wanna tell the router that a route exists for the network 192.168.1.0/24 you will use subnet mask.

                  Eg: ip route 192.168.1.0 255.255.255.0 <next hop/exit int>

                   

                  Now if you wanna tell the router to block this range/network using acl, you would use wildcard mask.

                  Eg: access-list 10 deny 192.168.1.0 0.0.0.255

                   

                  To get the wildcard mask from a subnet mask, you just need to subtract each octet of the subnet mask from 255.

                  Eg:

                  Subnet mask: 255       .     255     .     128      .   0

                  Wildcard     : 255-255   . 255-255 . 255-128   . 255-0  = 0.0.0.255

                   

                   

                  Regards,

                  Chandu

                  • 7. Re: Wildcard masks vs subnet masks ?
                    Paul Stewart  -  CCIE Security

                    I don't know why we use them, but wildcards are more flexible. Subnet masks have contiguous 1's then contiguous 0's. Wildcard masks can have any combination of 1's (don't care) and 0's (care) bits. So we can do strange things like--

                     

                    192.168.0.200 0.0.255.0 - match any 192.168.x.200

                    192.168.0.0 0.0.0.1 - match even hosts on 192.168.0.0/24

                    192.168.0.1 0.0.0.1 - match odd hosts on 192.168.0.0/24

                    192.168.0.0 0.0.0.2 - 192.168.0.[0,1,4,5,8,9,12,13...] < very strange

                    0.0.0.200 255.255.255.0  - x.x.x.200

                    192.168.0.0 0.0.255.255 - 192.168.x.x (could be achieved with a subnet mask)

                     

                    With that being said, the ASA cannot do this. My guess is that wildcards were created by a separate group of developers than those that built the code for IP Subnet masks. There could've also been some initial hardware limitations or gains by using wildcards. Obviously there are many ways this could've been done differently. However, wildcards work well and they've stuck with us.
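
Added example (not part of any reply in this thread): the `IP OR WC == NET OR WC` check from reply 2, extended to enumerate what a base/wildcard pair covers, contiguous or not, so an ACL entry can be verified before it is applied. The function names and the sample entries are assumptions constructed for illustration.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(ip, base, wildcard):
    """The check from reply 2: IP OR WC == NET OR WC (wildcard 1 bits are ignored)."""
    wc = to_int(wildcard)
    return (to_int(ip) | wc) == (to_int(base) | wc)

def netmask_to_wildcard(netmask):
    """Invert all 32 bits, the same as subtracting each octet from 255."""
    return str(ipaddress.IPv4Address(to_int(netmask) ^ 0xFFFFFFFF))

def is_contiguous(wildcard):
    """True when the wildcard is the inverse of a subnet mask (0 bits, then 1 bits)."""
    wc = to_int(wildcard)
    return (wc & (wc + 1)) == 0

def covered_last_octets(base, wildcard):
    """Last-octet values an entry matches, with the first three octets taken from base."""
    prefix = base.rsplit(".", 1)[0]
    return [h for h in range(256) if wildcard_match(f"{prefix}.{h}", base, wildcard)]

# Constructed sample entries (base, wildcard); not taken from a real device config.
SAMPLE_ENTRIES = [
    ("192.168.248.96", "0.0.0.7"),   # contiguous: same hosts as the /29 in reply 2
    ("192.168.0.0", "0.0.0.1"),      # only bit 0 ignored: two addresses
    ("192.168.0.0", "0.0.0.254"),    # only bit 0 compared: every even last octet
    ("192.168.0.200", "0.0.255.0"),  # third octet ignored, last octet fixed
]

if __name__ == "__main__":
    for base, wc in SAMPLE_ENTRIES:
        hosts = covered_last_octets(base, wc)
        kind = "contiguous" if is_contiguous(wc) else "non-contiguous"
        print(f"{base} {wc} ({kind}): {len(hosts)} last-octet values, first {hosts[:6]}")
```

Enumerating the covered set this way shows how many addresses an entry actually permits or denies, which is the property to confirm when reviewing a router ACL that uses a non-contiguous wildcard.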

                    • 8. Re: Wildcard masks vs subnet masks ?
                      mohit teotia

                      Thanks for doing the hard work of searching for a source link for my answer: Miss Sarah.......

                      • 9. Re: Wildcard masks vs subnet masks ?
                        Navneet.Gaur

                        Hi Paul Stewart

                         

                        1. I got this from an old thread a while ago, by Scott Morris, and I had summarized it over here. Your reasoning is similar to the actual reasons.

                         

                        https://learningnetwork.cisco.com/docs/DOC-22500

                         

                        Regards,

                        Navneet.

                        • 10. Re: Wildcard masks vs subnet masks ?
                          mohit teotia

                          hey bro thanks: Navneet

                          • 11. Re: Wildcard masks vs subnet masks ?
                            Navneet.Gaur

                            You are welcome.

                            • 12. Re: Wildcard masks vs subnet masks ?
                              Yashpal

                              Thanks to all of you.

                              • 13. Re: Wildcard masks vs subnet masks ?
                                phil morgan

                                This is how I remember it:

                                Network

                                0=ignore

                                1=important

                                 

                                Wildcard

                                0=important

                                1=ignore

                                 

                                hth Phil