Wildcard Bits explained

Hi Guys - simple couple of questions…

Are there any other instances we use subnet masks (rather than wildcard) other than BGP network statements and when summarising routes in BGP or an IGP?

And why do we use subnet masks with BGP network statements but wildcard masks with OSPF/EIGRP?

Thanks,

Gareth.

** and when configuring an IP address on an interface!!! **

Hello Gareth

Both the subnet mask and the wildcard mask essentially do the same thing. They are used to define the network portion and the host portion of a particular address. This is useful when defining the IP address of an interface, the range of addresses included in a particular subnet, the range of addresses participating in a routing protocol, as well as the range of addresses that are to be filtered using an access list. For IPv4, subnet and wildcard masks are used for many operations.

When using the subnet mask, it is always ANDed with the address in question to determine the associated range. When using a wildcard mask, it is NANDed. The results are exactly the same.

So why do we sometimes use one and sometimes the other? It all has to do with convention. Way back in 1985, when access lists were first used for IPv4 addresses, they were implemented using assembler language. It turns out that it was much easier to code a NAND operation than an AND operation. So the wildcard mask was used to define access lists.

For various other operations where these functions were necessary, they were either implemented in a more “user friendly” (subnet mask) manner or in a more “code friendly” (wildcard mask) manner depending on the vendor, the coder, and the CPU resources available.

Over the years, it turns out that the wildcard mask was used more for some features, while the subnet mask was used more for others. For configuring hosts, the subnet mask prevailed, because user friendliness was paramount. For configuring network devices, the winner was not so clear cut, so we use both for different features.

Today we don’t have such coding restrictions, so technically, both can be used as an implementation method. Even so, some features, such as the network command for various routing protocols will accept both wildcard and subnet masks. Some features, such as IP address configuration on an interface will only use subnet masks. Others still will use only wildcard masks. What is used today is largely due to the choices that vendors have made, and their attempt to make the CLI environments as familiar as possible for the professionals using them.

I hope this has been helpful!

Laz


What is the wildcard mask to block this block of IP addresses,
192.168.1.4 - 192.168.1.8?
Can I assign the wildcard mask
192.168.1.4 0.0.0.4?
Thx

Hello Ravendrans

The short answer is, to include the whole range of 192.168.1.4 - 192.168.1.8 you would need a wildcard mask of 0.0.0.15.

The long answer is, that you would have to first convert the last octet of the range to binary. So you have:

  • .4 = 00000100
  • .5 = 00000101
  • .6 = 00000110
  • .7 = 00000111
  • .8 = 00001000

Out of the eight bits, only the first four are all the same. The last four are all different for all values. So you need to make the last four bits ones like so:

00001111

This number in decimal is 15.

So the wildcard mask should be 0.0.0.15. Keep in mind however that this will also include additional addresses in the range. Specifically, it includes all addresses where the last octet is between 00000000 and 00001111 which is 192.168.1.0 and 192.168.1.15.

Take a look at this lesson for more information on how to create more complex wildcard masks.

I hope this has been helpful!

Laz
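
A worked example added to the thread (this is my code, not Laz's or Ravendrans's, and nothing here is IOS itself): it computes the single "address wildcard" pair with the fewest don't-care bits that still covers a whole range, lists the extra addresses that entry lets through, and enumerates exactly which addresses the wildcard 0.0.0.4 from the question would match. The range 192.168.1.4 - 192.168.1.8 is the one from the post; the helper names are my own.

```python
from __future__ import annotations

import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 string."""
    return str(ipaddress.IPv4Address(value & MASK32))


def smallest_covering_entry(first: str, last: str) -> tuple[str, str]:
    """Single 'address wildcard' pair with the fewest don't-care bits that still
    matches every address from first to last inclusive.

    Let k be the highest bit position where first and last differ.  Walking from
    first to last crosses a 2**k boundary, and the two addresses on either side
    of that boundary differ in every bit from 0 up to k, so all of those bits
    must be don't-care bits.  The wildcard is therefore 2**(k+1) - 1 and the
    base address is first with those bits cleared.
    """
    lo, hi = to_int(first), to_int(last)
    if lo > hi:
        raise ValueError("first must not be above last")
    n_dont_care = (lo ^ hi).bit_length()
    wildcard = (1 << n_dont_care) - 1
    base = lo & ~wildcard
    return to_dotted(base), to_dotted(wildcard)


def matched_addresses(address: str, wildcard: str) -> list[str]:
    """Every address an 'address wildcard' pair matches, including the
    non-contiguous case (0.0.0.4 matches .0 and .4, not a range).  Meant for
    small wildcards: the scan covers 2**(number of set bits) candidates."""
    w = to_int(wildcard)
    if w.bit_length() > 16:
        raise ValueError("too many don't-care bits to enumerate")
    base = to_int(address) & ~w
    return [to_dotted(v) for v in range(base, base + w + 1) if (v & ~w) == base]


def overmatched(first: str, last: str) -> list[str]:
    """Addresses the covering entry permits that lie outside the requested
    range: the hosts an ACL written this way would affect unintentionally."""
    address, wildcard = smallest_covering_entry(first, last)
    wanted = range(to_int(first), to_int(last) + 1)
    return [a for a in matched_addresses(address, wildcard) if to_int(a) not in wanted]


if __name__ == "__main__":
    print(smallest_covering_entry("192.168.1.4", "192.168.1.8"))  # ('192.168.1.0', '0.0.0.15')
    print(overmatched("192.168.1.4", "192.168.1.8"))              # .0-.3 and .9-.15
    print(matched_addresses("192.168.1.4", "0.0.0.4"))             # ['192.168.1.0', '192.168.1.4']
```

The point worth keeping in mind for an ACL: a single entry can only express a block of 2^n addresses aligned on a 2^n boundary, so "block .4 to .8" with one line means either over-blocking (0.0.0.15 hits .0-.15) or splitting the range into several aligned entries.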

to calculate wildcard mask do i have to always write in binary ? is there any other way ?

Hello Sumnima

The wildcard mask is always calculated using binary because that’s what the devices understand, and that’s what the feature uses. However, you can always memorize the valid numbers in decimal. After a while, if you use it enough, you will memorize it quite quickly.

Take a look at the first nine possibilities for wildcard masks along with their binary counterparts:

00000000 00000000 00000000 00000000 0.0.0.0
00000000 00000000 00000000 00000001 0.0.0.1
00000000 00000000 00000000 00000011 0.0.0.3
00000000 00000000 00000000 00000111 0.0.0.7
00000000 00000000 00000000 00001111 0.0.0.15
00000000 00000000 00000000 00011111 0.0.0.31
00000000 00000000 00000000 00111111 0.0.0.63
00000000 00000000 00000000 01111111 0.0.0.127
00000000 00000000 00000000 11111111 0.0.0.255

Do you see a pattern? Take a look at this familiar sequence: 2 4 8 16 32 64 128 256. It’s just numbers doubled each time. Notice that the number that appears in each wildcard mask is simply the values found in this sequence minus 1.

If you can memorize this sequence, and remember to subtract one each time, you can easily determine the dot decimal format of the wildcard mask from the number of bits you want to mask.

How about a more difficult mask like this one?

00000000 00000000 00111111 11111111

You can simply look at each octet and determine the number in decimal for each. The first two octets are zero, the third is 63 and the fourth is 255 for an answer of 0.0.63.255.

I hope this has been helpful!

Laz

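
A worked example added to the thread, covering both Laz's first reply (subnet mask versus wildcard mask) and the 2^n - 1 pattern in the reply just above. It is my code, not anything from the replies, and IOS does none of this in Python; the function names and the sample addresses are my own. It converts each mask form into the other, builds the wildcard for n host bits, and checks that the subnet-mask AND and the wildcard comparison reach the same decision. The last two lines of the demo show the mistake that matters in practice: a subnet mask typed where the CLI expects a wildcard. Read as a wildcard, 255.255.255.0 ignores the first three octets and pins the last octet to 0, so the entry matches addresses ending in .0 anywhere and misses 10.0.0.5, nothing like the /24 the author meant.

```python
from __future__ import annotations

import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 string."""
    return str(ipaddress.IPv4Address(value & MASK32))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the equivalent subnet mask."""
    return to_dotted(~to_int(subnet_mask))


def subnet_mask_from_wildcard(wildcard: str) -> str:
    """And the reverse conversion (only meaningful for contiguous wildcards)."""
    return to_dotted(~to_int(wildcard))


def wildcard_for_host_bits(n: int) -> str:
    """n low-order don't-care bits -> wildcard: n ones in binary, 2**n - 1 in decimal."""
    if not 0 <= n <= 32:
        raise ValueError("n must be between 0 and 32")
    return to_dotted((1 << n) - 1)


def matches_subnet(addr: str, network: str, subnet_mask: str) -> bool:
    """Subnet-mask form: AND both addresses with the mask and compare the results."""
    m = to_int(subnet_mask)
    return (to_int(addr) & m) == (to_int(network) & m)


def matches_wildcard(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard form: a 1 bit in the wildcard means 'ignore this bit'; every bit
    where the wildcard is 0 must be identical in both addresses."""
    care = ~to_int(wildcard) & MASK32
    return ((to_int(addr) ^ to_int(network)) & care) == 0


def decisions_agree(addr: str, network: str, subnet_mask: str) -> bool:
    """Both forms give the same answer for the same address/network pair."""
    wildcard = wildcard_from_subnet_mask(subnet_mask)
    return matches_subnet(addr, network, subnet_mask) == matches_wildcard(addr, network, wildcard)


if __name__ == "__main__":
    # The 2**n - 1 pattern from the thread, for 0..8 host bits.
    for n in range(9):
        wc = wildcard_for_host_bits(n)
        print(f"{n} host bits -> {to_int(wc):032b} -> {wc}")
    # A subnet mask typed where a wildcard is expected matches the wrong hosts.
    print(matches_wildcard("192.0.2.0", "10.0.0.0", "255.255.255.0"))  # True: not a 10.0.0.0/24 host
    print(matches_wildcard("10.0.0.5", "10.0.0.0", "255.255.255.0"))   # False: a 10.0.0.0/24 host
```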

Hello Rene,
I was wondering if you could help me understand the following wildcard masks from an access list that I came across:

permit ip 10.10.0.0 0.0.3.255 10.10.4.0 0.0.3.255
permit ip 10.10.0.0 0.0.3.255 10.10.16.0 0.0.7.255

On the interfaces I’m advertising 10.10.4.1/30 and 10.10.0.2/30.

Thanks for your help

Hello Willie

You can use wildcard masks to indicate a range of addresses. Wildcard masks indicate which bits of an address can be anything, and which should remain unchanged. Let’s take your example:

10.10.0.0 0.0.3.255

Let’s see the wildcard mask in binary:

00000000.00000000.00000011.11111111

Let’s take a look at the network address in binary as well:

00001010.00001010.00000000.00000000

Now, the wildcard mask has the last 10 bits set to 1, and the rest set to zero. This means that the range that is being defined allows those 10 bits to be anything while the rest of the bits must stay the same.

Let’s look at the IP address in binary once again, and mark out those 10 bits indicated by the wildcard mask:

00001010.00001010.000000xx.xxxxxxxx

Those marked out bits can be anything. So essentially they can range from all zeros to all ones like so:

00001010.00001010.00000000.00000000

00001010.00001010.00000011.11111111

What is that in decimal?

Range from 10.10.0.0 to 10.10.3.255.

So that is the range being defined.

Similarly, looking at this range:

10.10.16.0 0.0.7.255

We can use the same logic. The wildcard mask in binary:

00000000.00000000.00000111.11111111

Note, 11 bits are set to 1 while the rest are set to 0. Taking a look at the IP address of 10.10.16.0 in binary with those 11 bits marked out, we get:

00001010.00001010.00010xxx.xxxxxxxx

So the range being defined is between:

00001010.00001010.00010000.00000000
and
00001010.00001010.00010111.11111111

which in decimal is 10.10.16.0 and 10.10.23.255.

Now I’m not sure how you are applying the access list in which the statements appear (route filtering? traffic filtering?), so I don’t know how the final configuration will behave. However, the first network you shared matches the destination range of the first permit statement, while the second network matches the source range of both permit statements. In order to understand what is actually happening in your particular configuration, we would need to know how you are applying the ACL.

I hope this has been helpful!

Laz
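
A worked example added to the thread (my code, not Laz's or Willie's, and not a real ACL engine): it expands each "address wildcard" pair from Willie's two statements into the range it covers, then runs the two statements as an ordered list with the implicit deny at the end against the interface addresses he mentioned. The toy parser only understands the exact `permit|deny ip <src> <wc> <dst> <wc>` shape seen in the post; `any`, `host` and port keywords are out of scope. The sample ACL text is copied from the post; the test addresses are the ones Willie gave plus one I made up.

```python
from __future__ import annotations

import ipaddress

MASK32 = 0xFFFFFFFF

# The two statements from the post, as sample input.
SAMPLE_ACL = """
permit ip 10.10.0.0 0.0.3.255 10.10.4.0 0.0.3.255
permit ip 10.10.0.0 0.0.3.255 10.10.16.0 0.0.7.255
"""


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def wildcard_bounds(address: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address an 'address wildcard' pair covers."""
    w = to_int(wildcard)
    base = to_int(address) & ~w
    return to_dotted(base), to_dotted(base | w)


def wildcard_match(addr: str, address: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must agree; bits where it is 1 are ignored."""
    care = ~to_int(wildcard) & MASK32
    return ((to_int(addr) ^ to_int(address)) & care) == 0


def parse_acl(text: str) -> list[dict]:
    """Parse 'permit|deny ip <src> <src-wc> <dst> <dst-wc>' lines only (toy parser)."""
    entries = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] not in ("permit", "deny") or fields[1] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, _, src, src_wc, dst, dst_wc = fields
        entries.append({"action": action, "src": (src, src_wc), "dst": (dst, dst_wc)})
    return entries


def evaluate(entries: list[dict], src_ip: str, dst_ip: str) -> tuple[int | None, str]:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for seq, entry in enumerate(entries, start=1):
        if wildcard_match(src_ip, *entry["src"]) and wildcard_match(dst_ip, *entry["dst"]):
            return seq, entry["action"]
    return None, "deny"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for entry in acl:
        print(entry["action"], wildcard_bounds(*entry["src"]), "->", wildcard_bounds(*entry["dst"]))
    print(evaluate(acl, "10.10.0.2", "10.10.4.1"))   # (1, 'permit')
    print(evaluate(acl, "10.10.4.1", "10.10.0.2"))   # (None, 'deny'): the reverse direction is not listed
```

The last line is the check a reviewer would want: the ACL permits 10.10.0.2 talking to 10.10.4.1 but, as written, nothing from 10.10.4.1 back to 10.10.0.2, so whether the reply path works depends entirely on where and in which direction the list is applied, which is the question Laz raises above.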

Lazaros,
Many thanks for the prompt reply. Your advice was very helpful. I worked out a few examples in my lab and I think I understand it now.

Many Thanks.


Hi Rene,
Regarding the above question, we do not have a CIDR or subnet mask given, so how do we know the subnet mask for this address (192.168.147.0)? I believe we find the wildcard bits by flipping the subnet mask bits…

Hello Mohsin

You are correct that the initial question does not include any subnet mask information, however, the context of the question indicates that each “network” is a /24 network. Look at the initial question from the original post again:

A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)

It would have been more correct to include the subnet masks, but the context of the question is clear enough.

So, you need two ACL statements that will include the full range of these four /24 subnets which range from 192.168.146.0 to 192.168.149.255.

Rene’s response covers how to determine the correct answers, which are indeed options A and C, again from the original post.

I hope this has been helpful!

Laz
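
A worked example added to the thread (my code, not Laz's or Rene's; the original post with answer options A and C is not reproduced here, so the block derives the statements from the range Laz states rather than from those options). It merges the four /24s into the fewest aligned blocks, prints each as the `<address> <wildcard>` pair that goes into a statement such as `permit ip <address> <wildcard> any`, and verifies that the result permits every address in the four networks and nothing else, which a single statement cannot do. The `hostmask` attribute of Python's `ipaddress.IPv4Network` is the inverted netmask, i.e. exactly the wildcard.

```python
from __future__ import annotations

import ipaddress

# The four /24s named in the question, read as the thread reads them.
NETWORKS = ["192.168.146.0/24", "192.168.147.0/24", "192.168.148.0/24", "192.168.149.0/24"]


def to_wildcard_pair(net: ipaddress.IPv4Network) -> tuple[str, str]:
    """A CIDR block as the 'address wildcard' pair an ACL statement wants."""
    return str(net.network_address), str(net.hostmask)


def entries_for_range(first: str, last: str) -> list[tuple[str, str]]:
    """Fewest wildcard pairs that match every address in [first, last] and nothing else."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
    return [to_wildcard_pair(n) for n in nets]


def entries_for_networks(networks: list[str]) -> list[tuple[str, str]]:
    """Merge adjacent, aligned networks into the fewest wildcard pairs."""
    merged = ipaddress.collapse_addresses([ipaddress.IPv4Network(n) for n in networks])
    return [to_wildcard_pair(n) for n in merged]


def addresses_permitted(entries: list[tuple[str, str]]) -> set[int]:
    """Every address (as an int) matched by a list of wildcard pairs."""
    permitted: set[int] = set()
    for address, wildcard in entries:
        w = int(ipaddress.IPv4Address(wildcard))
        base = int(ipaddress.IPv4Address(address)) & ~w
        permitted.update(v for v in range(base, base + w + 1) if (v & ~w) == base)
    return permitted


def is_exact_cover(entries: list[tuple[str, str]], networks: list[str]) -> bool:
    """True when the entries permit exactly the addresses of the given networks."""
    wanted = {int(h) for n in networks for h in ipaddress.IPv4Network(n)}
    return addresses_permitted(entries) == wanted


if __name__ == "__main__":
    two = entries_for_networks(NETWORKS)
    print(two)                                   # 192.168.146.0 0.0.1.255 and 192.168.148.0 0.0.1.255
    print(is_exact_cover(two, NETWORKS))         # True
    # The smallest single block holding all four /24s also drags in 144, 145, 150 and 151.
    one = [("192.168.144.0", "0.0.7.255")]
    print(is_exact_cover(one, NETWORKS))         # False
```

146 and 147 share the first 23 bits, as do 148 and 149, but 146 is not a multiple of 4, so the four together do not sit on a /22 boundary; that is why the answer needs two statements rather than one, and why the one-statement shortcut 0.0.7.255 quietly permits four extra networks.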