Lesson Contents
In one of my previous lessons, I explained how to calculate wildcard bits for access lists that you can use to match network and subnet addresses. In this lesson, we will dive a bit deeper into the wildcards, and I’ll teach you how to match on some more complex patterns.
Match all even or uneven subnets
We start with something simple: the goal is to match all “even” subnets. This is my list of subnets that I have to play with:
192.168.0.0 /24
192.168.1.0 /24
192.168.2.0 /24
192.168.3.0 /24
192.168.4.0 /24
192.168.5.0 /24
192.168.6.0 /24
192.168.7.0 /24
192.168.8.0 /24
So, how are we going to approach this? What kind of wildcard mask do we need to match all the even subnets? To answer this question, we have to look at it in binary:
| 192.168.0.0 | 1100 0000 | 1010 1000 | 0000 0000 | 0000 0000 |
| 192.168.1.0 | 1100 0000 | 1010 1000 | 0000 0001 | 0000 0000 |
| 192.168.2.0 | 1100 0000 | 1010 1000 | 0000 0010 | 0000 0000 |
| 192.168.3.0 | 1100 0000 | 1010 1000 | 0000 0011 | 0000 0000 |
| 192.168.4.0 | 1100 0000 | 1010 1000 | 0000 0100 | 0000 0000 |
| 192.168.5.0 | 1100 0000 | 1010 1000 | 0000 0101 | 0000 0000 |
| 192.168.6.0 | 1100 0000 | 1010 1000 | 0000 0100 | 0000 0000 |
| 192.168.7.0 | 1100 0000 | 1010 1000 | 0000 0101 | 0000 0000 |
| 192.168.8.0 | 1100 0000 | 1010 1000 | 0000 1000 | 0000 0000 |
The first and second octet is the same for all these subnets, and we don’t care about the last octet since it’s for hosts. We need to look at the third octet to find a pattern. Let’s take a look at the even subnets:
| 0 | 0000 0000 |
| 2 | 0000 0010 |
| 4 | 0000 0100 |
| 6 | 0000 0110 |
| 8 | 0000 1000 |
</div
One thing that all these subnets have in common is that the 8th bit is always a 0. Let’s look at the uneven subnets too:
| 1 | 0000 0001 |
| 3 | 0000 0011 |
| 5 | 0000 0101 |
| 7 | 0000 0111 |
To create an uneven subnet, the 8th bit is always a 1. This is something we can match with a wildcard. Let’s start with a wildcard that matches all even subnets:
| 192.168.0.0 | 1100 0000 | 1010 1000 | 0000 0000 | 0000 0000 |
| 192.168.2.0 | 1100 0000 | 1010 1000 | 0000 0010 | 0000 0000 |
| 192.168.4.0 | 1100 0000 | 1010 1000 | 0000 0100 | 0000 0000 |
| 192.168.6.0 | 1100 0000 | 1010 1000 | 0000 0110 | 0000 0000 |
| 192.168.8.0 | 1100 0000 | 1010 1000 | 0000 1000 | 0000 0000 |
| wildcard | 0000 0000 | 0000 0000 | 1111 1110 | 1111 1111 |
The first two octets are the same for all the subnets, so we use all zeroes for the wildcard mask. In the third octet, we use a 1 (don’t care) for all bits except for the 8th bit…it has to match. We don’t care at all about the 4th octet.
The wildcard that we can use will be 0.0.254.255.
Want to see a real-life example? Let me show you an example of a router configured for EIGRP. This is what the routing table looks like. You see all the networks that I used in the example above:
R2#show ip route eigrp
D 192.168.8.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D 192.168.4.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D 192.168.5.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D 192.168.6.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D 192.168.7.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D 192.168.0.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D 192.168.1.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D 192.168.2.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D 192.168.3.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0Now, we will make an access-list using the wildcard mask we just found. I use 192.168.0.0 as the network address so it matches all subnets in the 192.168.x.x range.
R2(config)#ip access-list standard EVEN
R2(config-std-nacl)#permit 192.168.0.0 0.0.254.255I can use a distribute list and refer to the access-list to filter incoming routing updates:
R2(config)#router eigrp 10
R2(config-router)#distribute-list EVEN inAfter applying the distribute list, the routing table looks like this:
R2#show ip route eigrp
D 192.168.8.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D 192.168.4.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D 192.168.6.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D 192.168.0.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D 192.168.2.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0Voila! Only the even subnets are here.
We can also use the same wildcard but apply it the other way around so it matches all the uneven subnets:
| 192.168.1.0 | 1100 0000 | 1010 1000 | 0000 0001 | 0000 0000 |
| 192.168.3.0 | 1100 0000 | 1010 1000 | 0000 0011 | 0000 0000 |
| 192.168.5.0 | 1100 0000 | 1010 1000 | 0000 0101 | 0000 0000 |
| 192.168.7.0 | 1100 0000 | 1010 1000 | 0000 0111 | 0000 0000 |
| wildcard | 0000 0000 | 0000 0000 | 1111 1110 | 1111 1111 |
We use the exact same wildcard mask, but we will use another subnet address in the access-list (192.168.1.0):
| 192.168.1.0 | 1100 0000 | 1010 1000 | 0000 0001 | 0000 0000 |
| wildcard | 0000 0000 | 0000 0000 | 1111 1110 | 1111 1111 |
When we use this subnet as the network address then the 8th bit of the 3rd octet has to be a 1. This is what the access-list will look like:
R2(config)#ip access-list standard UNEVEN
R2(config-std-nacl)#deny 192.168.1.0 0.0.254.255
R2(config-std-nacl)#permit anyWe deny all the uneven subnets and permit everything else. Let’s apply it so you can see it in action:
R2(config)#router eigrp 10
R2(config-router)#no distribute-list EVEN in
R2(config-router)#distribute-list UNEVEN inThe results will be the same:
R2#show ip route eigrp
D 192.168.8.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D 192.168.4.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D 192.168.6.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D 192.168.0.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D 192.168.2.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0Are you following me so far? Let’s try a more complex example!
Matching “random” subnets
This is an example that you might encounter on a test. Let me show you a couple of subnets:
192.168.10.0 /24
192.168.26.0 /24
192.168.42.0 /24
192.168.58.0 /24
These subnets look random to us, but on a binary level, they have something in common. To see this, we need to dive into the binary world:
René,
great article about wildcard masks
People ask me “Daniel, what is the need for a wildcard? We have Subnetmasks, haven’t we?”
Especially when configuring EIGRP and using the network-command the first time, it is a bit confusing for others.
This is a perfect example of the powerful value of wildcards.
Thank you for that good post.
Greetings,
Daniel
Hi Daniel,
It is confusing for sure
Wildcards let us do some of these funky things…glad you liked it!
Rene
Hi Rene. your site is really useful. it is comprehensive and I really enjoy reading your articles. I have a question, I’m a bit confused about wildcard mask for even and odd networks. I calculated the WC as “0.0.14.0” but you have calculated “0.0.254.255”.
what was my mistake? could you plz explaint it more?
Hi Parastoo,
Let’s say we have the following networks:
192.168.0.0 /24
192.168.1.0 /24
192.168.2.0 /24
192.168.3.0 /24
This is what the 3rd octet looks like in binary:
0 = 0000 0000
1 = 0000 0001
2 = 0000 0010
3 = 0000 0011
What the even networks have in common is that the last bit is always a 0, the uneven networks always have a 1 as the last bit. That’s something we can match on:
Wildcard 254 = 1111 1110 and means “don’t look at the first 7 bits but the last bit HAS to match”.
Wildcard 14 = 0000 1110 and means that the first 4 bits have to match, we don’t car
... Continue reading in our forumTx alot, I got it.excellent explanation.