The Mask of Sorrow

The purpose of this post is to discuss the differences between a subnet mask and wildcard mask, when they are each used and what tricks you can do with them. This post does not go into any real depth on subnetting and assumes you know how to subnet already. You probably won’t be surprised from that last sentence to learn that this post covers wildcard masks in a little more detail than their subnet cousins.

I recently saw a tweet asking about wildcard masks and if anybody had a good system for working them out. I keenly replied and, whilst my answer was correct, it turns out that it was quite limited in scope. It sparked an interesting discussion and in the end I learned something that I didn’t know, as did a couple of others, so it seemed like a good topic for a post.

Subnet masks

Let’s start with subnet masks as they are the easiest to understand and are the less ‘funky’ of the two masks being discussed here. They should also be more familiar to non-networking IT types. If you know any sysadmins who don’t know what a subnet mask is, you have my permission to flick them on the forehead very hard. Repeatedly.

Matt’s definition

A subnet mask, in conjunction with an IP address, tells you which subnet that IP address belongs to. Another way to put it is that the subnet mask tells you which part of the IP address refers to the network (or subnet) and which part refers to the host specifically within that subnet.

To give an example, I will lay out my thinking on the page step by step with descriptions of what I am doing.

  1. Let’s take a random example: (using slash notation)
  2. I’ll convert this to dotted notation:
  3. Now to convert to binary: 11000000.10101000.00101010.01001111 11111111.11111111.11111111.11000000
  4. Now I’ll put the subnet mask under the IP address. This makes the next step, doing a binary AND operation, easier to visualise:
    11000000.10101000.00101010.01001111 <IP address
    11111111.11111111.11111111.11000000 <subnet mask
    11000000.10101000.00101010.01000000 <binary AND operation
  5. This is still a /26 remember so we can now convert this AND result back to a decimal number which represents the network or subnet that the original IP address ( belongs to:
  6. As you should know from your subnetting studies, the range of this subnet will be from

From the steps above, the first three all have the goal of getting the IP address and mask converted to binary. Why? Well, in the example above, it’s to show how the binary AND operation works. When the maths becomes more comprehensible, you should find that working this out in decimal and eventually in your head is second nature. The result of the binary AND gives you the network ID or subnet number that the host belongs to. That is what the subnet mask does: it masks the IP address in such a way as to reveal the subnet. The subnet mask should always be a consecutive collection of 1’s, followed by all 0’s if any are required (i.e. anything other than

So where is a subnet mask used? The table at the end of this post gives examples (not a definitive list by any means) of where both masks are to be found. One thing to note is that the subnet mask isn’t sent out in the IP header with the IP address. There is no need for the destination host to know what subnet the source host belongs to so no need to send it. The destination only needs to know whether the source is on its own subnet or another one so it knows whether to communicate directly or via its own next hop gateway. Again, it calculates this by doing a binary AND to compare the network part of the source and destination. If they match, they must be on the same subnet.
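The AND step and the same-subnet decision described above, as an added example that is not part of the original post. The two binary strings are the ones from step 3 of the list; the peer addresses and all function names are constructed for illustration.

```python
import ipaddress

def parse_dotted_binary(s):
    """'11000000.10101000.00101010.01001111' -> 32-bit integer."""
    octets = s.split(".")
    if len(octets) != 4 or any(len(o) != 8 or set(o) - {"0", "1"} for o in octets):
        raise ValueError(f"not a dotted-binary IPv4 value: {s!r}")
    return int("".join(octets), 2)

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def dotted(n):
    return str(ipaddress.IPv4Address(n))

def is_contiguous_mask(mask):
    """True if the mask is a run of 1s followed only by 0s."""
    host_bits = ~mask & 0xFFFFFFFF            # invert: 0s then 1s
    return host_bits & (host_bits + 1) == 0   # holds only for 0...01...1

def network_id(addr, mask):
    if not is_contiguous_mask(mask):
        raise ValueError("subnet mask must be contiguous 1s followed by 0s")
    return addr & mask                        # the binary AND from step 4

def subnet_range(addr, mask):
    """First and last address of the subnet that addr belongs to."""
    net = network_id(addr, mask)
    return net, net | (~mask & 0xFFFFFFFF)

def same_subnet(a, b, mask):
    """Equal network IDs: talk directly. Different: send via the gateway."""
    return network_id(a, mask) == network_id(b, mask)

# The two binary strings from step 3 of the list above.
IP = parse_dotted_binary("11000000.10101000.00101010.01001111")
MASK = parse_dotted_binary("11111111.11111111.11111111.11000000")

if __name__ == "__main__":
    first, last = subnet_range(IP, MASK)
    print(dotted(IP), "AND", dotted(MASK), "=", dotted(network_id(IP, MASK)))
    print("subnet runs from", dotted(first), "to", dotted(last))
    for peer in ("192.168.42.100", "192.168.42.130"):   # constructed peers
        on_link = same_subnet(IP, to_int(peer), MASK)
        print(peer, "direct" if on_link else "via gateway")
```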

Right, I’ve drifted closer to where I said I wouldn’t than I would have liked i.e. into a subnetting discussion. The key part of this post is the next topic.

Wildcard masks

I should perhaps make a feeble attempt to defend my ignorance on Twitter here, as stated at the start of this post, and say that I am currently working towards my CCNP and at no point during my studies to date had I seen wildcard masks used as anything other than an inverse subnet mask but in fact I’ve just heard Jeremy Cioara make a passing reference to them in one of his redistribution videos in the CBTNuggets Route series. Always new things to learn! Before I explain what I mean by inverse subnet mask, let me give my quick definition of a wildcard mask.

Matt’s definition

A wildcard mask, in conjunction with an IP address, lets you specify which bits of the IP address you are interested in and which you aren’t.

First, let’s see what a wildcard mask looks like:

What just happened there? That looks different from a subnet mask. Yes it does…because it is. Before I do some magical conversion to binary again to clarify, keep in mind that with a wildcard mask, the following rules apply:

For a binary 0, match
For a binary 1, ignore

Or put another way:

For a binary 0 in the mask, we care what the corresponding bit in the IP address is
For a binary 1 in the mask, we don’t care what the corresponding bit in the IP address is

Now read my definition again to see what the mask above might be trying to achieve. Still a bit unclear? Then let’s break it down.

  1. Let’s convert the IP address\wildcard mask pair above to binary:
    10001011.00101110.11011101.00101000 00000000.00000000.00000000.11111111
  2. Put the wildcard mask under the IP address to see how the masking is in effect
  3. Remember the basic rules above? Applied to this example, that means that we are only interested in the first three octets of the IP address and we can ignore the last octet. (0=match, 1=ignore)
  4. That means that this wildcard mask will apply to any IP addresses that have 139.46.221.x in the address, where x in the last octet could be 0-255 (because the mask doesn’t care). We are ignoring the last octet as dictated by the mask
  5. Remember before I used the term inverse subnet mask? When wildcard masks contain a contiguous series of 0’s only ( or a contiguous series of 0’s followed by a contiguous series of 1’s, this is exactly how a wildcard mask works. In this example, the wildcard mask of would match any IP addresses in the subnet defined by the following IP address\subnet mask pair:
  6. Before I get to the groovy part of wildcard masks, an easy to remember calculation for working out the equivalent wildcard mask (inverse mask) from a subnet mask is to subtract the subnet mask from, octet by octet as below: <all 255’s
    <subtract the subnet mask <the result is the wildcard mask, an inverse of the subnet mask

I used a mask for this example that not only falls on the octet boundary but also is all 0’s followed by all 1’s to keep things simple but it gets more interesting when we take things further. Yes, just like a subnet mask a wildcard mask does not need to fall on an octet boundary but whereas a subnet mask has a contiguous series of 1’s followed by a contiguous series of 0’s, a wildcard mask can be pretty much anything you want and this is where the fun begins.

Time for an example. Let’s say you have multiple physical sites and you assign a subnet to each of those for management IPs i.e. source IPs that can access your networking kit throughout your company. You assign the following /24 network to each site:


where x represents the site number. You have three sites so you create the following config on every device:

[sourcecode language="plain"]
ip access-list standard DeviceManagement
line vty 0 4
 access-class DeviceManagement in
[/sourcecode]

To clarify the config, we have an ACL that says the management range of IPs on sites 1-3 can telnet on to the devices configured as above. That’s all well and good but what if we have 20 sites, 100 sites or even more? What if the number of sites is only three now but will grow by one site a week? These scenarios highlight two key problems. Firstly, with each new site, the ACL gets bigger; an extra line for each site. Secondly, you need a process to update the ACL on every device every single time a new site comes online. Even with a configuration management tool, this isn’t ideal. With the power of a well crafted wildcard mask and just as importantly a carefully designed IP addressing scheme, we can instead use a one line ACL:

[sourcecode language="plain"]
ip access-list standard DeviceManagement
line vty 0 4
 access-class DeviceManagement in
[/sourcecode]

You should be able to see, without a conversion to binary, that the single permit statement is saying that as long as the source IP matches:


then permit access i.e. we don’t care about the 2nd or 4th octets, just that the 1st and 3rd octets must match ’10’. This answers both our previous key problems. The single-line ACL matches our three sites’ ranges and, as long as we use the same addressing scheme for each new site, the existing ACL will match any new site, at least up to 255.

OK, I hope this isn’t making your ears bleed and if you’ve made it this far, I have one more example that shows another cool use of wildcard masks. This example is actually the one that Marko Milivojevic (@icemarkom) slapped me with on Twitter when I gave my inverse mask answer and it’s a cracker for showing the power of the wildcard mask. Marko posed the question, how would you use a wildcard mask to select all of the odd-numbered /24 subnets of the following range:

  1. Let’s convert to binary: 10000100.00101001.00100000.00000000
  2. The bold and underlined 0’s represent the subnet bits, the three bits I can use from the original /21 to create my /24 subnets. With three bits, I can create 8 subnets:
  3. The only bit set in the 3rd octet is the 6th, giving a base value of 32. It should be obvious that to create a mask that targets only the odd-numbered /24 subnets, the first bit should be fixed at a value of 1.
  4. This means from the eight subnets in point 2, the ones that match this requirement are:
  5. So for the 3rd octet, the only bits we care about would be 00100xx1. We don’t care what the values of the two ‘x’ bits are, but the other values must be as listed
  6. So we now know the network address:
  7. To calculate the mask, we need to ask ourselves which bits we care about and must match, and which we don’t. For the 1st two octets, the values must match 132 and 41 and for a /24, the last octet must match 0. Point 5 above tells us which points we can ignore in the 3rd octet, so using the wildcard rules I stated at the start of the wildcard mask section (0=match, 1=ignore), I can come up with the following IP address\wildcard mask pair:
  8. Putting this in binary form, with the mask underneath the IP address should show this more clearly:
  9. The mask is effectively saying ‘I don’t care what the bits of the subnet are (bits 1-3 of octet 3) as long as the 1st bit is 1’

Sometimes, listing things in a logical order like above helps enormously, other times it just muddies the waters. Read over the post again to determine what the purpose of the wildcard mask is first, then look at the two examples above to get a feel of how they can be applied. Try looking online for further examples of powerful wildcard masks to see if they can perhaps answer a problem you have. Hopefully this post will have at least given you a clear definition of a subnet mask and wildcard mask, how to calculate and use them and where you can find them. If you have any questions, feel free to leave a comment below.
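The two wildcard examples above (the one-line management ACL and the odd-numbered /24s), as an added example that is not part of the original post. The address\wildcard pairs are reconstructed from the prose (1st and 3rd octets equal to 10; 3rd octet pattern 00100xx1 inside the /21 shown in binary), and the source addresses and function names are constructed. It also counts how many source addresses a wildcard admits, which is worth checking before using a non-contiguous mask on a management ACL.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(candidate, address, wildcard):
    """Wildcard rule from the post: 0 bit = must match, 1 bit = ignore."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(candidate) & care) == (to_int(address) & care)

def inverse_mask(subnet_mask):
    """Subtract the subnet mask from all 255s, octet by octet."""
    return ".".join(str(255 - int(o)) for o in subnet_mask.split("."))

def is_plain_inverse(wildcard):
    """True when the wildcard is 0s followed by 1s, i.e. an inverted subnet mask."""
    w = to_int(wildcard)
    return w & (w + 1) == 0

def addresses_matched(wildcard):
    """Source addresses one ACL entry admits: 2 ** (number of ignored bits)."""
    return 2 ** bin(to_int(wildcard)).count("1")

def matching_24s(address, wildcard, supernet):
    """The /24s inside supernet whose network address satisfies the pair."""
    return [str(s) for s in ipaddress.ip_network(supernet).subnets(new_prefix=24)
            if wildcard_match(str(s.network_address), address, wildcard)]

# Reconstructed from the prose, not copied from the post's config:
# 1st and 3rd octets must be 10, 2nd and 4th octets are ignored.
MGMT = ("10.0.10.0", "0.255.0.255")
# 3rd octet 00100xx1: fixed bits 00100001 = 33, ignored bits 00000110 = 6.
ODD_24S = ("132.41.33.0", "0.0.6.0")

if __name__ == "__main__":
    for src in ("10.1.10.7", "10.200.10.7", "10.1.11.7", "11.1.10.7"):  # constructed
        print(src, "permit" if wildcard_match(src, *MGMT) else "deny")
    print("addresses admitted by the one-line ACL:", addresses_matched(MGMT[1]))
    print("plain inverse mask?", is_plain_inverse(MGMT[1]))
    print(matching_24s(*ODD_24S, "132.41.32.0/21"))
```

The one-line ACL admits every 10.x.10.y source, including site numbers that have not been deployed yet, so the addressing plan has to keep those ranges reserved for management hosts.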

The table below contains a few, non-exhaustive, examples of where subnet masks (S) and wildcard masks (W) are used on networking kit (Cisco specifically)

Type Where and description
S On a NIC, physical interface, SVI. Wherever an IP address is assigned
S On an ASA, ACLs use subnet masks rather than wildcard masks
W In IOS, ACLs use wildcard masks
W In RIP, EIGRP, OSPF, as part of the network statement
S In BGP as part of the network statement
S Most summarisation type commands e.g. area range command in OSPF
S Static routes in IOS and on ASAs

Finally, I’d like to thank Marko and Bob McCouch (@bobmccouch) for bringing me up to speed on wildcard masks beyond the inverse mask, especially Bob who went further and gave this post a quick once over and also provided one of the examples for me to work with. I find the help of the networking community very motivational and it’s the primary reason why I decided to start blogging myself to hopefully give something back.

Till the next time…

One Reply to “The Mask of Sorrow”

  1. Great post that goes into an often glossed-over subject. Another use for subnet masks is to verify summarization. You should be able to apply your new subnet mask (summarized mask) to the subnets you mean to summarize and get the same answer (NetID). If you do not, you summarized incorrectly. One of the nice things about wild-card masks is that they are not bound by the same rules as subnet masks (which must be a string of 1s followed by a string of 0s). This would allow you, for instance, to load-balance outbound traffic by sending IPs with an odd first octet one direction and even first octet another direction.
    On another note, I really like the “::1 of networking”.
