How to create Complex Wildcard Masks

In one of my previous lessons, I explained how to calculate wildcard bits for access lists that you can use to match network and subnet addresses. In this lesson, we will dive a bit deeper into the wildcards, and I’ll teach you how to match on some more complex patterns.

Match all even or uneven subnets

We start with something simple: the goal is to match all “even” subnets. This is my list of subnets that I have to play with:

192.168.0.0 /24
192.168.1.0 /24
192.168.2.0 /24
192.168.3.0 /24
192.168.4.0 /24
192.168.5.0 /24
192.168.6.0 /24
192.168.7.0 /24
192.168.8.0 /24

So, how are we going to approach this? What kind of wildcard mask do we need to match all the even subnets? To answer this question, we have to look at it in binary:

192.168.0.0 1100 0000 1010 1000 0000 0000 0000 0000
192.168.1.0 1100 0000 1010 1000 0000 0001 0000 0000
192.168.2.0 1100 0000 1010 1000 0000 0010 0000 0000
192.168.3.0 1100 0000 1010 1000 0000 0011 0000 0000
192.168.4.0 1100 0000 1010 1000 0000 0100 0000 0000
192.168.5.0 1100 0000 1010 1000 0000 0101 0000 0000
192.168.6.0 1100 0000 1010 1000 0000 0100 0000 0000
192.168.7.0 1100 0000 1010 1000 0000 0101 0000 0000
192.168.8.0 1100 0000 1010 1000 0000 1000 0000 0000

The first and second octet is the same for all these subnets, and we don’t care about the last octet since it’s for hosts. We need to look at the third octet to find a pattern. Let’s take a look at the even subnets:

0 0000 0000
2 0000 0010
4 0000 0100
6 0000 0110
8 0000 1000

</div
One thing that all these subnets have in common is that the 8th bit is always a 0. Let’s look at the uneven subnets too:

1 0000 0001
3 0000 0011
5 0000 0101
7 0000 0111

To create an uneven subnet, the 8th bit is always a 1. This is something we can match with a wildcard. Let’s start with a wildcard that matches all even subnets:

192.168.0.0 1100 0000 1010 1000 0000 0000 0000 0000
192.168.2.0 1100 0000 1010 1000 0000 0010 0000 0000
192.168.4.0 1100 0000 1010 1000 0000 0100 0000 0000
192.168.6.0 1100 0000 1010 1000 0000 0110 0000 0000
192.168.8.0 1100 0000 1010 1000 0000 1000 0000 0000
wildcard 0000 0000 0000 0000 1111 1110 1111 1111

The first two octets are the same for all the subnets, so we use all zeroes for the wildcard mask. In the third octet, we use a 1 (don’t care) for all bits except for the 8th bit…it has to match. We don’t care at all about the 4th octet.

The wildcard that we can use will be 0.0.254.255.

Want to see a real-life example? Let me show you an example of a router configured for EIGRP. This is what the routing table looks like. You see all the networks that I used in the example above:

R2#show ip route eigrp 
D    192.168.8.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.4.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.5.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D    192.168.6.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.7.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D    192.168.0.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.1.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0
D    192.168.2.0/24 [90/409600] via 10.10.10.1, 00:09:51, FastEthernet0/0
D    192.168.3.0/24 [90/409600] via 10.10.10.1, 00:00:03, FastEthernet0/0

Now, we will make an access-list using the wildcard mask we just found. I use 192.168.0.0 as the network address so it matches all subnets in the 192.168.x.x range.

R2(config)#ip access-list standard EVEN
R2(config-std-nacl)#permit 192.168.0.0 0.0.254.255

I can use a distribute list and refer to the access-list to filter incoming routing updates:

R2(config)#router eigrp 10
R2(config-router)#distribute-list EVEN in

After applying the distribute list, the routing table looks like this:

R2#show ip route eigrp 
D    192.168.8.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.4.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.6.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.0.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0
D    192.168.2.0/24 [90/409600] via 10.10.10.1, 00:03:57, FastEthernet0/0

Voila! Only the even subnets are here.

We can also use the same wildcard but apply it the other way around so it matches all the uneven subnets:

192.168.1.0 1100 0000 1010 1000 0000 0001 0000 0000
192.168.3.0 1100 0000 1010 1000 0000 0011 0000 0000
192.168.5.0 1100 0000 1010 1000 0000 0101 0000 0000
192.168.7.0 1100 0000 1010 1000 0000 0111 0000 0000
wildcard 0000 0000 0000 0000 1111 1110 1111 1111

We use the exact same wildcard mask, but we will use another subnet address in the access-list (192.168.1.0):

192.168.1.0 1100 0000 1010 1000 0000 0001 0000 0000
wildcard 0000 0000 0000 0000 1111 1110 1111 1111

When we use this subnet as the network address then the 8th bit of the 3rd octet has to be a 1. This is what the access-list will look like:

R2(config)#ip access-list standard UNEVEN
R2(config-std-nacl)#deny 192.168.1.0 0.0.254.255
R2(config-std-nacl)#permit any

We deny all the uneven subnets and permit everything else. Let’s apply it so you can see it in action:

R2(config)#router eigrp 10
R2(config-router)#no distribute-list EVEN in
R2(config-router)#distribute-list UNEVEN in

The results will be the same:

R2#show ip route eigrp 
D    192.168.8.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.4.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.6.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.0.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0
D    192.168.2.0/24 [90/409600] via 10.10.10.1, 00:00:02, FastEthernet0/0

Are you following me so far? Let’s try a more complex example!

Matching “random” subnets

This is an example that you might encounter on a test. Let me show you a couple of subnets:

192.168.10.0 /24
192.168.26.0 /24
192.168.42.0 /24
192.168.58.0 /24

These subnets look random to us, but on a binary level, they have something in common. To see this, we need to dive into the binary world:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 785 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

1502 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,


Forum Replies

  1. René,

    great article about wildcard masks :slight_smile: People ask me “Daniel, what is the need for a wildcard? We have Subnetmasks, haven’t we?”
    Especially when configuring EIGRP and using the network-command the first time, it is a bit confusing for others.

    This is a perfect example of the powerful value of wildcards.

    Thank you for that good post.

    Greetings,
    Daniel

  2. Hi Daniel,

    It is confusing for sure :slight_smile: Wildcards let us do some of these funky things…glad you liked it!

    Rene

  3. Hi Rene. your site is really useful. it is comprehensive and I really enjoy reading your articles. I have a question, I’m a bit confused about wildcard mask for even and odd networks. I calculated the WC as “0.0.14.0” but you have calculated “0.0.254.255”.
    what was my mistake? could you plz explaint it more?

  4. Hi Parastoo,

    Let’s say we have the following networks:

    192.168.0.0 /24
    192.168.1.0 /24
    192.168.2.0 /24
    192.168.3.0 /24

    This is what the 3rd octet looks like in binary:

    0 = 0000 0000
    1 = 0000 0001
    2 = 0000 0010
    3 = 0000 0011

    What the even networks have in common is that the last bit is always a 0, the uneven networks always have a 1 as the last bit. That’s something we can match on:

    Wildcard 254 = 1111 1110 and means “don’t look at the first 7 bits but the last bit HAS to match”.

    Wildcard 14 = 0000 1110 and means that the first 4 bits have to match, we don’t car

    ... Continue reading in our forum

  5. Tx alot, I got it.excellent explanation.

22 more replies! Ask a question or join the discussion by visiting our Community Forum