Wildcard Masks
In these notes we have looked at IPv4 subnetting, VLSM and CIDR. Any normal human being will look at this as being unintuitive and needlessly complex. The underlying problem is dotted decimal notation. If you look at an IPv4 address and subnet mask in binary and draw a line down to separate the network and node part of the address, it is all straightforward. Unfortunately, the standard way to represent this information is by breaking up the 32 bits into octets, and then converting them to decimal.
This probably seemed like a great idea in the 1970s when everybody using networks was a computer scientist. Hopefully by now you understand these concepts, you can do the basic calculations required to figure out network sizes, subnet masks and the CIDR representation.
In this section, we can flip everything on its head and look at masks from the perspective of nodes, not of networks. We need this technique, it is used in a range of different network protocols, and it is used in configuring security on network devices.
It is not easy; it is probably worse than learning subnetting!
Subnet masks are generally used to define networks, as the name hints.
There are several use cases for inverse masks, and they all revolve around hosts rather than networks. We use wildcard masks in routing protocols like OSPF, and Access Control Lists (ACLs) use wildcard masks.
In a normal subnet mask, the bits are 1 for the subnet part of the address and 0 for the node part of the address.
With inverse masks we use a 1 to indicate which bits of the address are a wildcard (wildcard means “can be anything”).
For example, a class C network is identified by the wildcard mask 0.0.0.255, which means the first 24 bits of the address must match and the last 8 bits are a wildcard.
As another example, a /30 network has four IP addresses, of which 2 are usable; the first 30 bits give the network number and the last two bits give the node number.
The subnet mask for this is 255.255.255.252 or in binary 1111 1111 1111 1111 1111 1111 1111 1100
The inverse subnet mask is 0.0.0.3 or in binary 0000 0000 0000 0000 0000 0000 0000 0011
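The bit-level rule above, as an added Python example that is not part of the original notes: it derives the wildcard mask for a prefix length, prints the nibble layout used in the two binary lines, and performs the ACL-style match of an address against a network plus wildcard. It also goes slightly beyond the notes by showing that a wildcard need not be contiguous: 0.0.255.0 fixes the first, second and fourth octets and lets the third vary.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 32 set bits


def wildcard_from_prefix(prefix_len: int) -> str:
    """Return the dotted-decimal wildcard (inverse) mask for a /prefix_len network."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES  # 1 = network bit
    wildcard = subnet_mask ^ ALL_ONES                          # flip: 1 = "can be anything"
    return str(ipaddress.IPv4Address(wildcard))


def nibbles(mask: str) -> str:
    """Render a mask as 32 bits in groups of four, as in the notes."""
    bits = f"{int(ipaddress.IPv4Address(mask)):032b}"
    return " ".join(bits[i:i + 4] for i in range(0, 32, 4))


def matches(address: str, network: str, wildcard: str) -> bool:
    """ACL-style match: every bit where the wildcard is 0 must equal the network's bit.

    Bits where the wildcard is 1 are ignored, so the wildcard need not be contiguous.
    """
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES  # 1 = bit must match
    return (a & care) == (n & care)


if __name__ == "__main__":
    for prefix in (24, 30):
        w = wildcard_from_prefix(prefix)
        print(f"/{prefix} -> wildcard {w}: {nibbles(w)}")
    # Constructed sample addresses for the /30 network 192.168.1.0 0.0.0.3
    for host in ("192.168.1.2", "192.168.1.4"):
        print(host, "in 192.168.1.0 0.0.0.3 ->", matches(host, "192.168.1.0", "0.0.0.3"))
    # Non-contiguous wildcard: any third octet, but the last octet must be 5
    print("10.7.200.5 vs 10.7.0.5 0.0.255.0 ->", matches("10.7.200.5", "10.7.0.5", "0.0.255.0"))
```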
Being completely honest, I can do subnet masks in my head regardless of complexity; after many years it is easy. After all those very many years, I still cannot do wildcard masks in my head!

If I am configuring access control lists or OSPF for complex subnets, I will invariably refer to a table!