Wildcard Masks

By Mike Down on June 10th, 2009

A part of the CCIE exam that seems to be a stumbling block for many people is calculating the wildcard mask needed to match discontiguous networks in a single statement. To hopefully help alleviate this, and provide what I believe to be a clear explanation, I have written a small techtorial which can be downloaded here.

Hope this helps you guys in your pursuit of the CCIE! – Tyson

Document Definitions

Octet: An IPv4 address is 32 bits long and is written as 4 octets of 8 bits each. Where this document says octet it means one of these 4 groups.

Bit Boundary: Each octet consists of 8 bits, with the values 128, 64, 32, 16, 8, 4, 2, and 1 from left to right.

AND/OR: There are two pieces of logic used to determine the network statement and the wildcard mask. The AND logic finds the bits that are the same in every network for a given octet. The OR logic is the opposite: it finds the bits that differ between the networks. The AND logic determines the network statement; the OR logic determines the wildcard mask.

Wildcard Masks

A topic of the CCIE lab that you may not be accustomed to from previous Cisco certification attempts is ACL wildcard masks: matching multiple network or host addresses in a single access-list entry even when those addresses do not fall within one contiguous subnet.

In the lab they most often want you to match multiple entries in a single line without matching any additional networks. In this document we will go through a few examples, taking the addresses out to binary, and then show a few shortcuts at the end that can save time but must be used with the caution this document outlines.

First some examples

64.168.0.0/24

64.168.2.0/24

192.168.0.0/24

192.168.2.0/24

Taking this out to binary we have (better viewed in the PDF):

Network      128 64 32 16 8 4 2 1 . 128 64 32 16 8 4 2 1 . 128 64 32 16 8 4 2 1 . 128 64 32 16 8 4 2 1
64.168.0.0     0  1  0  0 0 0 0 0 .   1  0  1  0 1 0 0 0 .   0  0  0  0 0 0 0 0 .   0  0  0  0 0 0 0 0
64.168.2.0     0  1  0  0 0 0 0 0 .   1  0  1  0 1 0 0 0 .   0  0  0  0 0 0 1 0 .   0  0  0  0 0 0 0 0
192.168.0.0    1  1  0  0 0 0 0 0 .   1  0  1  0 1 0 0 0 .   0  0  0  0 0 0 0 0 .   0  0  0  0 0 0 0 0
192.168.2.0    1  1  0  0 0 0 0 0 .   1  0  1  0 1 0 0 0 .   0  0  0  0 0 0 1 0 .   0  0  0  0 0 0 0 0

Our goal with these networks is to combine them into a single network/inverse-mask statement. To figure out the network, use the binary above and find, octet by octet, the bits that are the SAME in every network; this document calls that the lowest common denominator. Any bit that differs between the networks is not part of it, and becomes 0 in the network statement.

So for the first example shown above, in the first octet the 64, 32, 16, 8, 4, 2, and 1 bits are the same in all four networks, and of those only the 64 bit is turned on. In the third octet the 128, 64, 32, 16, 8, 4, and 1 bits are the same in all four networks, and none of them is turned on. The second octet (168 = 128 + 32 + 8) and the fourth octet (0) are identical in all four networks, so there are no differences to account for there (in later examples only the octets with bit differences are taken out to binary). So our network statement becomes:

64.168.0.0

Next we need to complete the inverse mask. We now apply the OR logic, meaning what are the differences among the addresses listed above. In the first octet the 128 bit is different (meaning at least two of the networks do not share this bit as being off or on) and the 2 bit in the third octet is different. So this means our wildcard mask is

128.0.2.0

This is NOT a netmask of 128, and it does not mean a range from 64 up to 192. In a wildcard mask a 1 bit means "ignore this bit" and a 0 bit means "this bit must match the network statement". So 128 in the first octet tells the router to accept the 128 bit either on or off, while the 64 bit, and every other bit where the wildcard is 0, must match exactly. In the first octet only the values 64 and 192 match; 65, 66, 67 and so on up to 191 do not. So our answer is:

64.168.0.0 128.0.2.0

Or

64.168.0.0 128.0.2.255

Which answer is right depends on what you are matching. The first form matches only the network addresses themselves, which is what you want when an access-list is matching routing entries, for example in a distribute-list. The second form matches every host inside those /24 networks, which is what an ACL used for security filtering needs. As the most typical use of wildcards is security filtering, we will use the second form for all further examples.

Let’s try a little more difficult example:

183.16.76.0/24

183.80.76.0/24

191.16.72.0/24

191.80.72.0/24

191.80.76.0/24

183.16.72.0/24

183.80.72.0/24

191.16.76.0/24

First re-arrange these networks into a logical order for yourself. My ordering is shown below (better viewed in the PDF); the fourth octet is 0 in every network and is left out:

Network      128 64 32 16 8 4 2 1 . 128 64 32 16 8 4 2 1 . 128 64 32 16 8 4 2 1
183.16.72.0    1  0  1  1 0 1 1 1 .   0  0  0  1 0 0 0 0 .   0  1  0  0 1 0 0 0
183.16.76.0    1  0  1  1 0 1 1 1 .   0  0  0  1 0 0 0 0 .   0  1  0  0 1 1 0 0
183.80.72.0    1  0  1  1 0 1 1 1 .   0  1  0  1 0 0 0 0 .   0  1  0  0 1 0 0 0
183.80.76.0    1  0  1  1 0 1 1 1 .   0  1  0  1 0 0 0 0 .   0  1  0  0 1 1 0 0
191.16.72.0    1  0  1  1 1 1 1 1 .   0  0  0  1 0 0 0 0 .   0  1  0  0 1 0 0 0
191.16.76.0    1  0  1  1 1 1 1 1 .   0  0  0  1 0 0 0 0 .   0  1  0  0 1 1 0 0
191.80.72.0    1  0  1  1 1 1 1 1 .   0  1  0  1 0 0 0 0 .   0  1  0  0 1 0 0 0
191.80.76.0    1  0  1  1 1 1 1 1 .   0  1  0  1 0 0 0 0 .   0  1  0  0 1 1 0 0

So again the bits that are the same, or the lowest common denominator: in octet one every bit except 8 is the same in all eight networks, and the ones turned on, 128 + 32 + 16 + 4 + 2 + 1, add up to 183.

In octet two every bit except 64 is the same, and only the 16 bit is on, for a total of 16. In octet three every bit except 4 is the same, with 64 and 8 on, for a total of 72.

Now the reverse, or OR, logic for the wildcard mask: octet one differs only in the 8 bit, so the first octet of the mask is 8. The second octet differs only in the 64 bit and the third only in the 4 bit, giving 64 and 4. So here the answer would be:

183.16.72.0 8.64.4.255

We were able to match all of the networks in the first two examples in one line because we had exactly the right number of networks. How do you determine that? Rely on the equation 2^n = total networks, where n is the number of bit differences summed across all octets. In the first example we had 4 networks and two bit differences, the 128 bit in octet 1 and the 2 bit in octet 3: 2^2 = 4. The second example had 3 bit differences, 8, 64 and 4: 2^3 = 8. Because the first example had 4 networks and the second had 8, we knew the equation allowed a single line. Two caveats: the count is necessary but not sufficient, so the networks must also be every combination of the differing bits (four networks that differ in three bits still need more than one line), and a single line with n differing bits always matches exactly 2^n networks, so if you have fewer than that the line also matches networks you were not asked for. It follows that an odd number of networks (more than one) can never be matched in one line; it will always take at least two, since 2^n is always a power of 2, hence even.

To show a quick example: if 191.16.76.0/24 were missing from the second example, the simplest way to meet the requirement is to first apply the opposite action to the network you do not want to match, then apply the required action to the wider range. An access-list is evaluated top down and the first matching entry wins, so the exception must come first; remember as well that the implicit deny at the end still applies to everything these two lines do not match, so any permits the task needs go after them. So if we wanted to deny all IP traffic from the networks in the second example, with 191.16.76.0/24 missing from the list, we could do:

access-list 101 permit ip 191.16.76.0 0.0.0.255 any

access-list 101 deny ip 183.16.72.0 8.64.4.255 any
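The AND/OR method from the two worked examples, the 2^n check, and the permit-then-deny exception above, carried out in code. This is an added example, not part of the original article or any Cisco tool; the function names are this example's own and the test inputs are the article's network lists. It goes one step beyond the text: after building the single line it enumerates what that line actually matches and reports any network that was not requested, which is the check you want before the line goes into a filtering ACL.

```python
"""Added example (not from the original article): the article's AND/OR
method for building one network/wildcard line, plus the check a
practitioner wants before putting that line in an ACL: does it match
anything the task did not ask for?  Function names and the constructed
inputs are this example's own, not IOS syntax."""
from functools import reduce
from ipaddress import IPv4Address, IPv4Network
from itertools import product
from operator import and_, or_

MASK32 = 0xFFFFFFFF


def summarize(networks):
    """Return (network, wildcard) strings covering every network in the list.

    network  = bits set in every input (the article's AND logic); a bit that
               differs anywhere ends up 0 here
    wildcard = bits set in some inputs but not all (the OR logic), plus the
               host bits of the widest prefix so that hosts match too
    Assumes all inputs share one prefix length, as in the article's examples.
    """
    nets = [IPv4Network(n) for n in networks]
    ints = [int(n.network_address) for n in nets]
    common = reduce(and_, ints)              # AND logic: 1 only where all agree on 1
    differ = common ^ reduce(or_, ints)      # OR logic: 1 where the inputs disagree
    hostbits = max(int(n.hostmask) for n in nets)
    return str(IPv4Address(common)), str(IPv4Address(differ | hostbits))


def matches(addr, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    diff = int(IPv4Address(addr)) ^ int(IPv4Address(network))
    return (diff & ~int(IPv4Address(wildcard)) & MASK32) == 0


def expand(network, wildcard):
    """Every address (as an int) a network/wildcard pair matches; fine for small wildcards."""
    net, wc = int(IPv4Address(network)), int(IPv4Address(wildcard))
    free = [1 << b for b in range(32) if (wc >> b) & 1]   # the "don't care" bits
    base = net & ~wc & MASK32
    return {base | sum(bits) for bits in product(*[(0, f) for f in free])}


def check_single_line(networks):
    """Summarize, then list any networks the one line matches that were not requested.

    This is the article's 2^n rule made explicit: with n differing network
    bits the line matches 2^n networks, so anything beyond the requested
    set shows up in `extra`.  An empty `extra` means the line is safe.
    """
    plen = IPv4Network(networks[0]).prefixlen
    assert all(IPv4Network(n).prefixlen == plen for n in networks), "one prefix length assumed"
    network, wildcard = summarize(networks)
    hostbits = int(IPv4Network(networks[0]).hostmask)
    net_only = int(IPv4Address(wildcard)) & ~hostbits & MASK32   # drop the host bits
    matched = expand(network, str(IPv4Address(net_only)))
    wanted = {int(IPv4Network(n).network_address) for n in networks}
    extra = [f"{IPv4Address(a)}/{plen}" for a in sorted(matched - wanted)]
    return network, wildcard, extra


def acl_decision(acl, src):
    """First-match evaluation of (action, network, wildcard) entries, ending with
    the implicit deny that every IOS access-list has."""
    for action, network, wildcard in acl:
        if matches(src, network, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    example1 = ["64.168.0.0/24", "64.168.2.0/24", "192.168.0.0/24", "192.168.2.0/24"]
    example2 = ["183.16.76.0/24", "183.80.76.0/24", "191.16.72.0/24", "191.80.72.0/24",
                "191.80.76.0/24", "183.16.72.0/24", "183.80.72.0/24", "191.16.76.0/24"]
    for nets in (example1, example2, example2[:-1]):   # last run: 191.16.76.0/24 missing
        network, wildcard, extra = check_single_line(nets)
        print(f"{len(nets)} networks -> {network} {wildcard}; overmatches: {extra or 'none'}")
    # The article's fix for the 7-network case: carve out the exception first.
    acl = [("permit", "191.16.76.0", "0.0.0.255"), ("deny", "183.16.72.0", "8.64.4.255")]
    for src in ("191.16.76.10", "183.80.72.5", "10.0.0.1"):
        print(src, "->", acl_decision(acl, src))
```

Running it reports no overmatch for the article's two complete examples and exactly 191.16.76.0/24 as the overmatch for the seven-network list, which is why the permit line has to sit above the deny.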

The Shortcut

Now the shortcut method that I like to use is simple arithmetic, when it applies. Using our second example, subtraction arrives at the same answer:

191 – 183 = 8 (8 is a bit boundary so I know I have one bit difference)

80 – 16 = 64 (64 is a bit boundary so I know I have one difference)

76 – 72 = 4 (And last 4 is a bit boundary so I know I also have just one difference here)

The smaller value in each subtraction is the common part, the lowest common denominator, which gives 183.16.72.0, and the differences give the wildcard mask, 8.64.4.255.

Be very cautious with this shortcut, as it will not always work. You need to know where the bit boundaries are. For example, take 192 and 184. Subtracting them gives 8, but there is not just one bit of difference between 192 and 184:

192 = 11000000

184 = 10111000

There are 4 bit differences (64, 32, 16 and 8), so a wildcard built from them would match 2^4 = 16 values in that octet, not 2.

So with this method you need to be cautious, but it can still be very useful. It also works with several values in the same octet, as long as you watch the bit boundaries. Say we have 16, 80, 144, and 208. Four numbers means at least 2 bit differences. What is the lowest common denominator of the four numbers? It is 16. So:

208 – 16 = 192 (128 + 64 = 192)

144 – 16 = 128 (128 is a bit boundary)

80 – 16 = 64 (64 is a bit boundary)

16 – 16 = 0

So we can see we have 2 bit differences. The 16 bit is always on and then 64 and 128 is either on or off. So the network for this octet is 16 and the wildcard mask is 192.
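The subtraction shortcut checked against the bitwise logic it stands in for, as an added example that is not part of the original article. It works on a single octet and the function names and sample values are this example's own. Beyond the text, it states the exact condition under which the shortcut is safe: subtraction gives the same answer as the bit comparison only when every bit set in the smaller value is also set in the larger one, which is why 191 - 183 works and 192 - 184 does not.

```python
"""Added example (not from the original article): the article's subtraction
shortcut for one octet next to the bitwise rule it approximates, with the
condition that decides when the shortcut is trustworthy.  Names and sample
values are this example's own."""


def subtraction_shortcut(high, low):
    """The article's shortcut: the arithmetic difference of the two octet values."""
    return high - low


def bit_differences(a, b):
    """Bit values (128 ... 1) at which the two octets differ: the true OR-logic answer."""
    return [bit for bit in (128, 64, 32, 16, 8, 4, 2, 1) if (a ^ b) & bit]


def shortcut_is_safe(high, low):
    """Subtraction equals XOR (so the shortcut is valid) exactly when every bit
    set in the smaller value is also set in the larger one; then no borrow
    crosses a bit boundary.  183's bits are a subset of 191's; 184's are not
    a subset of 192's."""
    return (high & low) == low


def octet_summary(values):
    """AND/OR logic on one octet: (common value, wildcard for that octet)."""
    common = values[0]
    union = values[0]
    for v in values[1:]:
        common &= v      # AND logic: bits on in every value
        union |= v       # bits on in any value
    return common, common ^ union   # OR logic: bits that are not the same everywhere


def matched_values(network, wildcard):
    """Every octet value 0..255 the network/wildcard pair matches (wildcard 1 = ignore)."""
    return [v for v in range(256) if ((v ^ network) & ~wildcard & 0xFF) == 0]


if __name__ == "__main__":
    for high, low in ((191, 183), (192, 184)):
        print(f"{high} - {low} = {subtraction_shortcut(high, low)}, "
              f"differing bits {bit_differences(high, low)}, "
              f"shortcut safe: {shortcut_is_safe(high, low)}")
    net, wc = octet_summary([192, 184])
    print(f"192 and 184 really need {net} {wc}, which matches "
          f"{len(matched_values(net, wc))} values")
    net, wc = octet_summary([16, 80, 144, 208])
    print(f"16/80/144/208 -> {net} {wc}, matching {matched_values(net, wc)}")
```

For 192 and 184 the honest single-line answer is network 128 with wildcard 120, and it matches every multiple of 8 from 128 to 248; if the task only wanted those two networks, that line is a 14-network overmatch and two lines are needed instead.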

SAMPLES For You

Here are some examples to now work out on your own.

205.49.166.0/24

207.49.166.0/24

208.49.166.0/24

205.49.167.0/24

207.49.167.0/24

192.49.166.0/24

Hint: The answer for the above is two lines.

192.168.31.0/24

192.168.32.0/24

192.168.33.0/24

192.168.34.0/24

192.168.35.0/24

Hint: The answer above takes more than one line. 192.168.31.0 sits on the other side of the 32 bit boundary from the other four networks, so it needs a line of its own.

Answers

205.49.166.0 2.0.1.255

192.49.166.0 16.0.0.255

192.168.31.0 0.0.0.255

192.168.32.0 0.0.1.255

192.168.34.0 0.0.1.255

The last two lines can be merged: 32 through 35 are the four combinations of the 2 and 1 bits, so 192.168.32.0 0.0.3.255 covers them in a single line and the second sample is done in two lines.

To download a version of this document in PDF format, please visit this URL:

Regards,  Tyson (Blog written by Tyson Scott)


7 Responses to “Wildcard Masks”

  1. Marc says:

    Hello, could you please restore the PDF download link again.
    Thanks
    Marc S

  2. Marc says:

    Hello, could you please restore the PDF download link again.
    Thanks
    Marc S

  3. Marc says:

    Hello All

    Could you please restore the above PDF download link.
    Thanks

  4. Marc says:

    Hello All

    Could you please restore the above PDF download link.
    Thanks

  5. Francisco says:

    I can not download the file either … is it available somewhere else?

  6. Brian Russell says:

    Am I crazy?

    192.168.31.0/24
    192.168.32.0/24
    192.168.33.0/24
    192.168.34.0/24
    192.168.35.0/24

    Should complete in 2 lines – Not 3 as the example says.
    192.168.31.0 0.0.0.255
    192.168.32.0 0.0.3.255

  7. Albert says:

    Thanks Mike, now it is clearer.

