Mask comparison: subnet versus wildcard

Posted by stretch in Networking on Thursday, 11 Sep 2008 at 12:21 a.m. GMT

Many newbie network admins express difficulty with the subnet-versus-wildcard masking paradigm. It is a commonly held belief that a wildcard mask is simply the inverse of a subnet mask, and this is often the case, but not necessarily. Here's a brief rundown explaining the purpose of both mask types.

Subnet Masks

Subnet masking is an unfortunate product of the conversion from classful to classless IP routing that took place decades ago. When IP addresses were assigned a class (A through E) based on their first few bits, the class determined the scope of the network: /8 for class A, /16 for class B, and so forth. Classless Interdomain Routing (CIDR) was developed to provide a much more flexible, albeit more complex, address scheme involving the variable-length subnet masks we use today.

Subnet masks serve only to express a length of bits, matching the network portion of an IPv4 address from left to right. A subnet having a mask of 255.255.240.0 is the same as having a "length" of 20, or /20. In fact, there are only 33 possible IPv4 subnet masks, from 0.0.0.0 to 255.255.255.255, or from /0 to /32. So why go through the pain of dotted-decimal notation for such a simple array of values? Binary-to-decimal subnet mask calculation is taught in introductory networking classes simply to serve as a crucible to weed out the weaker network admins in training.*

Wildcard Masks

Wildcard masks are much more flexible than subnet masks, as there is no requirement for contiguity. In the Cisco world, the bits are opposite from subnet masks, so that a 0 matches and a 1 does not. It is common practice for access list wildcard masks to appear as the inverse to the subnet mask of the network being formed; for example, 0.0.0.255 matches any value for the last octet of an IP address in a 255.255.255.0 subnet. But this isn't strictly necessary. One can achieve all sorts of strange matches with a wildcard mask; some examples are given here in IOS ACL syntax:

Match all 192.168.x.1 addresses:
permit 192.168.0.1 0.0.255.0
Match only even 192.168.x.0/24 subnets:
permit 192.168.0.0 0.0.254.255

Note that neither of the wildcard masks above is contiguous; rather than matching a length from one side of the address to the other, each bit is matched (0) or ignored (1) independently.

A parting tip: you can determine the wildcard to match a subnet by subtracting each subnet mask octet from 255. Examples for /25 and /18 subnets are given below:

   255   255   255   255
 - 255 . 255 . 255 . 128   (/25)
 -----------------------
     0 .   0 .   0 . 127

   255   255   255   255
 - 255 . 255 . 192 .   0   (/18)
 -----------------------
     0 .   0 .  63 . 255
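Here is an added example (not code from the original post) that implements the Cisco 0-matches/1-ignores semantics for the two ACL lines above, applies the octet-subtraction tip for /25 and /18, checks whether a wildcard is contiguous, and goes one step further by deriving a single base/wildcard pair that covers a list of addresses. The function names are my own.

```python
import ipaddress

def to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    """Cisco semantics: a 0 bit in the wildcard must match, a 1 bit is ignored.
    Works for non-contiguous wildcards, which a prefix length cannot express."""
    care = ~to_int(wildcard) & 0xFFFFFFFF   # positions we must compare
    return (to_int(candidate) & care) == (to_int(base) & care)

def wildcard_from_subnet_mask(mask: str) -> str:
    """The parting tip: each wildcard octet is 255 minus the subnet mask octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def wildcard_from_prefix(prefix_len: int) -> str:
    """Same result starting from a /N length, via the 32-bit inverse."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return to_dotted(~mask & 0xFFFFFFFF)

def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is the inverse of a valid subnet mask (ones only on the right)."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0

def summarize(addresses):
    """One base/wildcard pair covering every listed address: any bit that differs
    between two addresses becomes 1 (ignored). It may also match addresses that are
    not listed, so review the result before putting it in an ACL."""
    ints = [to_int(a) for a in addresses]
    all_ones = all_zeros = ints[0]
    for v in ints[1:]:
        all_ones |= v
        all_zeros &= v
    return to_dotted(all_zeros), to_dotted(all_ones ^ all_zeros)

if __name__ == "__main__":
    # permit 192.168.0.1 0.0.255.0 -> any 192.168.x.1
    print(wildcard_match("192.168.37.1", "192.168.0.1", "0.0.255.0"))     # True
    # permit 192.168.0.0 0.0.254.255 -> even third octet only
    print(wildcard_match("192.168.7.9", "192.168.0.0", "0.0.254.255"))    # False
    print(wildcard_from_subnet_mask("255.255.255.128"), wildcard_from_prefix(18))
    print(is_contiguous("0.0.255.0"))                                      # False
```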

* Actually, I have no idea. Anyone who knows the real reason please post in the comments.

Seraphus commented on 11 Sep 2008 at 1:00 a.m.

"Binary-to-decimal subnet mask calculation is taught in introductory networking classes simply to serve as a crucible to weed out the weaker network admins in training.* " LOL LOL

I'll have to remember that one. Nice article though.

Plugging with credit.

Arne commented on 11 Sep 2008 at 7:28 a.m.

My guess is that it seemed easier to get the netmask in a format which could be directly used for calculations. Back in those days programmers tried to optimize everything, even if it might have been easy to convert from slash-notation to bitmask-notation on input, not all the time on use...

Stupid programmers, them :-)

einval commented on 11 Sep 2008 at 4:21 p.m.

It doesn't explain why people started with dotted decimal notation, but one reason they might be "useful" comes from RFC 950 (Page 4, masked bits and the explanation at Page 6) - so there could be the option for non-contiguous subnet masks.

I have never seen this in real life, even the authors recommended doing contiguous subnetting/subnet masks back in 1985.

scott commented on 11 Sep 2008 at 6:26 p.m.

I've heard it's due to memory space utilization, that the wildcard with mostly zeroes takes up less space...?

Ivan Barreda commented on 11 Sep 2008 at 11:37 p.m.

The reason for the confusion is that Cisco NEVER EVER truly defines a wildcard mask.

A wildcard mask defines a host or number of hosts in a subnet or octet. THAT IS IT,

I have to thank my CCNA Prof from MCC on that one. Hope this helps and I wish you can put that definition in your post.

As for learning binary, well it is nice to know but and I agree somewhat that is a weed out thing. But again, if you really get into networking (I mean hardcore networking) like creating ACLs. If you know the binary and the fact that a wildcard defines a host or # of hosts in a subnet or octet then you can play around with wildcards to get greater flexibility in your ACLs.

Snarkout commented on 15 Sep 2008 at 11:34 p.m.

I've always been thankful for the introduction to binary - I have to admit that subnets made no sense at all to me until I was clued about it being a binary xor. To this day, even though I use the length/boundary/blocksize method, if I'm having an off day, I'll drop back into binary mode (assuming I don't have ipcalc available).

Venkatesan commented on 25 Sep 2008 at 7:01 p.m.

Can someone specify any scenario where a wildcard mask is used/preferred rather than a subnet mask? If a wildcard mask may not be contiguous, then it will eventually lead us to confusion in a realtime environment. Am I right?

Teck commented on 28 Sep 2008 at 5:48 p.m.

Well, it is used in ACLs, which I still haven't learned yet.

Ayodele commented on 28 Sep 2008 at 11:13 p.m.

In a realtime environment, especially in a large ISP, you will find out that you might be required to allow subnets of networks that are not contiguous. This is where wildcards come into play. The wildcard will reduce the number of entries in your ACL to accomplish this.

Michel commented on 2 Oct 2008 at 4:28 p.m.

Nice write up stretch, as always :)

For the binary to dec and dec to binary, try to summarize those networks into one statement without dec-to-binary :) 116.1.162.33 116.1.162.37 116.1.170.33 116.1.170.37 116.1.178.33 116.1.178.37 116.1.186.33 116.1.186.37

best regards

Michel
