How to create Complex Wildcard Masks

In one of my previous tutorials I explained how to calculate wildcard bits for access-lists that you can use to match network and subnet addresses. In this tutorial we will dive a bit deeper into the wildcards and I’ll teach you how to match on some more complex patterns.

Match all even or uneven subnets

We start with something simple, the goal is to match all “even” subnets. This is my list of subnets that I have to play with:

192.168.0.0 /24
192.168.1.0 /24
192.168.2.0 /24
192.168.3.0 /24
192.168.4.0 /24
192.168.5.0 /24
192.168.6.0 /24
192.168.7.0 /24
192.168.8.0 /24

So how are we going to approach this? What kind of wildcard mask do we need to match all the even subnets. To answer this question we have to look at it in binary:

192.168.0.0 1100 0000 1010 1000 0000 0000 0000 0000
192.168.1.0 1100 0000 1010 1000 0000 0001 0000 0000
192.168.2.0 1100 0000 1010 1000 0000 0010 0000 0000
192.168.3.0 1100 0000 1010 1000 0000 0011 0000 0000
192.168.4.0 1100 0000 1010 1000 0000 0100 0000 0000
192.168.5.0 1100 0000 1010 1000 0000 0101 0000 0000
192.168.6.0 1100 0000 1010 1000 0000 0100 0000 0000
192.168.7.0 1100 0000 1010 1000 0000 0101 0000 0000
192.168.8.0 1100 0000 1010 1000 0000 1000 0000 0000

The first and second octet is the same for all these subnets and we don’t care about the last octet since it’s for hosts. We need to look at the third octet to find a pattern. Let’s take a look at the even subnets:

0 0000 0000
2 0000 0010
4 0000 0100
6 0000 0110
8 0000 1000
8th bit is always a 0. Let’s look at the uneven subnets too:

1 0000 0001
3 0000 0011
5 0000 0101
7 0000 0111

To create an uneven subnet, the 8th bit is always a 1. This is something we can match with a wildcard. Let’s start with a wildcard that matches all even subnets:

192.168.0.0 1100 0000 1010 1000 0000 0000 0000 0000
192.168.2.0 1100 0000 1010 1000 0000 0010 0000 0000
192.168.4.0 1100 0000 1010 1000 0000 0100 0000 0000
192.168.6.0 1100 0000 1010 1000 0000 0110 0000 0000
192.168.8.0 1100 0000 1010 1000 0000 1000 0000 0000
wildcard 0000 0000 0000 0000 1111 1110 1111 1111

The first two octets are the same for all the subnets so we use all zeroes for the wildcard mask. In the third octet we use a 1 (don’t care) for all bits except for the 8th bit…it has to match. We don’t care at all about the 4th octet.

The wildcard that we can use will be 0.0.254.255.

Want to see a real life example? Let me show you an example of a router that is configured for EIGRP. This is what the routing table looks like, you see all the networks that I used in the example above:

R2#show ip route eigrp 
D    192.168.8.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.4.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.5.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D    192.168.6.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.7.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D    192.168.0.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.1.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D    192.168.2.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.3.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0

Now we will make an access-list that uses the wildcard mask that we just found. I use 192.168.0.0 as the network address so it matches all subnets in the 192.168.x.x range.

R2(config)#ip access-list standard EVEN
R2(config-std-nacl)#permit 192.168.0.0 0.0.254.255

I can use a distribute-list and refer to the access-list to filter incoming routing updates:

R2(config)#router eigrp 10
R2(config-router)#distribute-list EVEN in

After applying the distribute-list the routing table looks like this:

R2#show ip route eigrp 
D    192.168.8.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.4.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.6.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.0.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.2.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0

Voila! Only the even subnets are here.

We can also use the same wildcard but apply it the other way around so it matches all the uneven subnets:

192.168.1.0 1100 0000 1010 1000 0000 0001 0000 0000
192.168.3.0 1100 0000 1010 1000 0000 0011 0000 0000
192.168.5.0 1100 0000 1010 1000 0000 0101 0000 0000
192.168.7.0 1100 0000 1010 1000 0000 0111 0000 0000
wildcard 0000 0000 0000 0000 1111 1110 1111 1111

We use the exact same wildcard mask but we will use another subnet address in the access-list (192.168.1.0):

192.168.1.0 1100 0000 1010 1000 0000 0001 0000 0000
wildcard 0000 0000 0000 0000 1111 1110 1111 1111

When we use this subnet as the network address then the 8th bit of the 3rd octet has to be a 1. This is what the access-list will look like:

R2(config)#ip access-list standard UNEVEN
R2(config-std-nacl)#deny 192.168.1.0 0.0.254.255
R2(config-std-nacl)#permit any

We deny all the uneven subnets and permit everything else. Let’s apply it so you can see it in action:

R2(config)#router eigrp 10
R2(config-router)#no distribute-list EVEN in
R2(config-router)#distribute-list UNEVEN in

The results will be the same:

R2#show ip route eigrp 
D    192.168.8.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.4.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.6.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.0.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.2.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0

Are you following me so far? Let’s try a more complex example!

Matching “random” subnets

This is an example that you might encounter on a test. Let me show you a couple of subnets:

192.168.10.0 /24
192.168.26.0 /24
192.168.42.0 /24
192.168.58.0 /24

These subnets look random to us but on a binary level they have something in common. To see this, we need to dive into the binary world:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Full Access to our 662 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

515 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. Having trouble with the following example: Not clear why A and C are the correct answers.

    A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)

    A. access-list 10 permit ip 192.168.146.0 0.0.1.255
    B. access-list 10 permit ip 192.168.147.0 0.0.255.255
    C. access-list 10 permit ip 192.168.148.0 0.0.1.255
    D. access-list 10 permit ip 192.168.149.0 0.0.255.255

    ... Continue reading in our forum

  2. Having trouble with the following example: Not clear why A and C are the correct answers.

    A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)

    A. access-list 10 permit ip 192.168.146.0 0.0.1.255
    B. access-list 10 permit ip 192.168.147.0 0.0.255.255
    C. access-list 10 permit ip 192.168.148.0 0.0.1.255
    D. access-list 10 permit ip 192.168.149.0 0.0.255.255

    ... Continue reading in our forum

  3. Hi Donald,

    You can do some funny things with wildcard masks, you can even match networks that are not contiguous. Something to keep in mind is that your first network has to be an even number. Example #1:

    148 – 10010100
    149 – 10010101

    In this case the first 7 bits are the same so you can use wildcard 00000001

    Example #2:

    149 - 10010101
    150 - 10010110

    Only the first 6 bits are the same so the wildcard would be 00000011. The problem of this wildcard is that it will match 4 networks:

    148 - 10010100
    149 - 10010101
    150 - 10010110
    151 - 10010111

    These 4 networks have

    ... Continue reading in our forum

  4. just to add to Rene’s comments above, the other reason to choose wild card mask over subnet mask is that subnet masks have contiguous number of bits for the network portion and host portions. for example as subnet mask of 255.255.255.0 is 11111111.11111111.11111111.00000000. You can never have a subnet mask of 11110111.00111111.11110111.00000000, however this is not the case with wild card masks. With wild card mask we can turn bits on and off where we want to and therefore having a great deal of flexibility over what we want to match. you can get really creat

    ... Continue reading in our forum

11 more replies! Ask a question or join the discussion by visiting our Community Forum