Mask comparison: subnet versus wildcard

By stretch | Thursday, September 11, 2008 at 12:21 a.m. UTC

Many newbie network admins express difficulty with the subnet-versus-wildcard masking paradigm. It is a commonly held belief that a wildcard mask is simply the inverse of a subnet mask, and this is often the case, but not necessarily. Here's a brief rundown explaining the purpose of both mask types.

Subnet Masks

Subnet masking is an unfortunate product of the conversion from classful to classless IP routing that took place decades ago. When IP addresses were assigned a class (A through E) based on their first few bits, the class determined the scope of the network: /8 for class A, /16 for class B, and so forth. Classless Interdomain Routing (CIDR) was developed to provide a much more flexible, albeit more complex, address scheme involving the variable-length subnet masks we use today.

Subnet masks serve only to express a length of bits, matching the network portion of an IPv4 address from left to right. A subnet having a mask of is the same as having a "length" of 20, or /20. In fact, there are only 33 possible IPv4 subnet masks, from to, or from /0 to /32. So why go through the pain of dotted-decimal notation for such a simple array of values? Binary-to-decimal subnet mask calculation is taught in introductory networking classes simply to serve as a crucible to weed out the weaker network admins in training.*

Wildcard Masks

Wildcard masks are much more flexible than subnet masks, as there is no requirement for contiguity. In the Cisco world, the bits are opposite from subnet masks, so that a 0 matches and a 1 does not. It is common practice for access list wildcard masks to appear as the inverse to the subnet mask of the network being formed; for example, matches any value for the last octet of an IP address in a subnet. But this isn't strictly necessary. One can achieve all sorts of strange matches with a wildcard mask; some examples are given here in IOS ACL syntax:

Match all 192.168.x.1 addresses:
Match only even 192.168.x.0/24 subnets:

Note that neither of the wildcard masks above are contiguous; rather than matching a length from one side of the address to the other, each bit is matched (0) or ignored (1) independently.

A parting tip: you can determine the wildcard to match a subnet by subtracting each subnet mask octect from 255. Examples for /25 and /18 subnets are given below:

   255   255   255   255
 - 255 . 255 . 255 . 128   (/25)
     0 .   0 .   0 . 127
   255   255   255   255
 - 255 . 255 . 192 .   0   (/18)
     0 .   0 .  63 . 255

* Actually, I have no idea. Anyone who knows the real reason please post in the comments.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Design


Seraphus (guest)
September 11, 2008 at 1:00 a.m. UTC

"Binary-to-decimal subnet mask calculation is taught in introductory networking classes simply to serve as a crucible to weed out the weaker network admins in training.* " LOL LOL

I'll have to remember that one. Nice article though.

Plugging with credit.

Arne (guest)
September 11, 2008 at 7:28 a.m. UTC

My guess is that it seemed easier to get the netmask in a format which could be directly used for calculations. Back in those days programmers tried to optimize everything, even if it might have been easy to convert from slash-notation to bitmask-notation on input, not all the time on use...

Stupid programmers, them :-)

einval (guest)
September 11, 2008 at 4:21 p.m. UTC

It doesnt explain why people started with dotted decimal notation, but one reason telling they might be "useful" comes from RFC 950 (Page 4, masked bits and the explanation at Page 6) - so there could be the option for non-contiguous subnet masks.

I have never seen this in real life, even the authors recommended doing contiguous subnetting/subnet masks back in 1985.

scott (guest)
September 11, 2008 at 6:26 p.m. UTC

I've heard it's due to memory space utilization, that the wildcard with mostly zeroes takes up less space...?

Ivan Barreda (guest)
September 11, 2008 at 11:37 p.m. UTC

The reason for the confusion is that Cisco NEVER EVER truly defines a wildcard mask.

A wildcard mask defines a host or number of hosts in a subnet or octet. THAT IS IT,

I have to thank my CCNA Prof from MCC on that one. Hope this helps and I wish you can put that definition in your post.

As for learning binary, well it is nice to know but and I agree somewhat that is a weed out thing. But again, if you really get into networking (I mean hardcore networking) like creating ACLs. If you know the binary and the fact that a wildcard defines a host or # of hosts in a subnet or octet then you can play around with wildcards to get greater flexibility in your ACLs.

Snarkout (guest)
September 15, 2008 at 11:34 p.m. UTC

I've always been thankful for the introduction to binary - I have to admit that subnets made no sense at all to me until I was clued about it being a binary xor. To this day, even though I use the length/boundary/blocksize method, if I'm having an off day, I'll drop back into binary mode (assuming I don't have ipcalc available).

Venkatesan (guest)
September 25, 2008 at 7:01 p.m. UTC

can someone specify any scenario where wildcard mask is used/prefered rather than Subnet mask. If wildcard mask may not be contiguous,then it will eventually lead as to confusion in realtime environment. Am i right?

Teck (guest)
September 28, 2008 at 5:48 p.m. UTC

Well, it is used in ACLs, which I still haven't learned yet.

Ayodele (guest)
September 28, 2008 at 11:13 p.m. UTC

In realtime enviroment, especially in large ISP.. you will find out that you might require to allow subnet of Networks.. that are not contegious.. this is where wildcard come to play..The wildcard will reduces the number of entry in your ACL to accomplish this.

Michel (guest)
October 2, 2008 at 4:28 p.m. UTC

Nice write up stretch, as always :)

For the binary to dec and dec to binary, try to summarize those networks into one statement without dec-to-binary :)

best regards


Danny Tsai (guest)
January 29, 2009 at 4:10 a.m. UTC

The difference between the two, netmask and a wildcard mask is that a wildcash mask is for matching ranges by using bit matching in the mask. 0 means it must match the value of the corresponding address bit and 1 means to ignore. It used mainly to identify or classify a range of matching bits in a group of addresses.

For example I want to match every 4th IP address on the 4th octet of network I can write that using the wildcard bit mask using the decimal value of access-list 1 permit

Danny Tsai (guest)
January 29, 2009 at 4:11 a.m. UTC

Example of my previous comment post.

Broken down in bits to show what matches, read table below of 4th octet in bits.

128 64 32 16 8 4 2 1
 0    0   0   0  0 0 0 0 = 0
 0    0   0   0  0 0 0 1 = 1
 0    0   0   0  0 0 1 0 = 2
 0    0   0   0  0 0 1 1 = 3
 0    0   0   0  0 1 0 0 = 4
 0    0   0   0  0 1 0 1 = 5
 0    0   0   0  0 1 1 0 = 6
 0    0   0   0  0 1 1 1 = 7
 0    0   0   0  1 0 0 0 = 8
 0    0   0   0  1 0 0 1 = 9
------------------------------- = 0 means match bit, 1 means vary
 1    1   1   1  1 1 0 0 = 252.

So as you can see there is a pattern here we can hit by using wildcard masks where you cannot do with a subnet mask. The example is not really practical, I do not know why the heck you would want to match every 4th IP address in the 4th octet but its an example demonstrating I can do it in one ACL line!

NotaCCIEjustbeenaroundawhile (guest)
January 21, 2013 at 2:22 a.m. UTC

There are 2 differences.

1: Subnet masks must be contiguous, Wildcard masks don't.

Subnet Masks Originate from Gateway masks, and are used to match Network Bits for the purpose of determining whether or not your destination MAC address is your Gateway or a node on your network.

Host X wants to send a packet to a destination, it performs 2 operations.

A: Does an AND operation between the Gateway IP Address and the Gateway Mask.
B: Does an AND operation between the Destination IP address and the Gateway Mask.

If A = B, then the destination is on the local subnet, and the ARP Table is consulted. If no entry is in the ARP Table, Some systems flood ARP requests, some systems send to the Gateway to consult it's ARP Table, and listen to traffic to learn.

If A != B (Is not equal), then the Destination MAC address is set to the Default Gateway and the packet is sent there.

2: Wildcard and Subnet masks both match via AND Statements, however the Wildcard mask was originally intended to match HOST Bits, whereas the Subnet mask matches NETWORK bits. You can see this in the early implementation of ACL's when all addresses were assumed to be classfull. E.g. you want to block hosts 0-128 of a class C subnet from getting to another class C Subnet. You didn't need to input the subnet mask into the ACL YEARS Ago. Now, things have changed.

The EASIEST way to convert a wildcard to a subnet mask is to reverse the bits, and for some applications this is exactly what the router does. In reality there are 3 kinds of Wildcard masks:

Wildcard masks that match 1's for Host bits.
Wildcard masks that match 0's for Network bits
Wildcard masks that match 1's for Network bits (Finess OS in the ASA's)

So you need to be very sure of the type of wildcards your using because Cisco has really f-ed up this implementation for the sake of attempting to keep some kind of continuity with legacy configurations. I'd wish they'd leave the defaults as-is and give you the option of doing it whatever way you wanted but then that'd be too easy.

July 30, 2013 at 8:52 p.m. UTC

Hey all, I thought I'd add my 2 cents about the WHY of wildcard masks.
Subnet masks are left to right, once the 0 appears all subsequent octets must also be off or 0 as well.
This has the effect of forcing an admin to define an OSPF or EIGRP route classfully, meaning use the whole class C address space as the advertised network.
As we know OSPF and EIGRP are classless AND whenever possible we need to preserve IP address space and not waste numbers.
Enter VLSM, VLSM allows us to use a network number like as a /8 as well as /16, 24, etc., so we can slice up the addresses into the size we need depending on the segment sizes.
So since we have all different size subnet numbers we also need a bit by bit way (Wildcard Mask) to articulate that to the routers and ACL's as opposed to the contiguious octet to octet limitations that subnet masks provide.

Make sense?

Comments have closed for this article due to its age.