Wildcard masks are used to specify a range of network addresses. They are commonly used with routing protocols (like OSPF) and access lists.
Just like a subnet mask, a wildcard mask is 32 bits long. It acts as an inverted subnet mask: with a wildcard mask, the zero bits indicate that the corresponding bit position must match the same bit position in the IP address. The one bits indicate that the corresponding bit position doesn’t have to match the bit position in the IP address.
Here is an example of using a wildcard mask to include only the desired interfaces in the OSPF routing process:
Router R1 has three networks directly connected. To include only the 10.0.1.0 subnet in the OSPF routing process, the following network command can be used:
Let’s break down the wildcard part of the command. To do that, we need to use binary numbers instead of decimal notation.
10.0.1.0  = 00001010.00000000.00000001.00000000
0.0.0.255 = 00000000.00000000.00000000.11111111
The theory says that the zero bits of the wildcard mask have to match the same position in the IP address. So, let’s write the wildcard mask below the IP address:
As you can see from the output above, the last octet doesn’t have to match, because the wildcard mask bits there are all ones. The first 24 bits have to match, because the corresponding wildcard mask bits are all zeros. So, in this case, the wildcard mask will match all addresses that begin with 10.0.1.X. In our case, only one network will be matched, 10.0.1.0/24.
What if we want to match both 10.0.0.0/24 and 10.0.1.0/24? Then we will have to use a different wildcard mask. We need to use the wildcard mask of 0.0.1.255. Why is that? Well, we again need to write down the addresses in binary:
00001010.00000000.00000000.00000000 = 10.0.0.0
00001010.00000000.00000001.00000000 = 10.0.1.0
00000000.00000000.00000001.11111111 = 0.0.1.255
From the output above, we can see that only the first 23 bits have to match (notice that the third octet of the wildcard mask has a 1 at the end). That means that all addresses in the range of 10.0.0.0 – 10.0.1.255 will be matched. So, in our case, we have successfully matched both addresses, 10.0.0.0 and 10.0.1.0.
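The matching rule and the mask derivation above, as an added Python example (not part of the original page). It generalizes the page's two cases to any list of networks and reports how many addresses a covering mask matches beyond the ones intended, which is worth checking before a wildcard goes into an access list or a network statement; the function names and the 10.0.2.0/24 sample are constructed for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(candidate, base, wildcard):
    """True if candidate equals base in every bit where the wildcard bit is 0."""
    care = ~to_int(wildcard) & MASK32  # 1 = position that must match
    return (to_int(candidate) & care) == (to_int(base) & care)

def covering_wildcard(networks):
    """Smallest contiguous (base, wildcard) pair matching all given CIDR networks."""
    nets = [ipaddress.ip_network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Every bit from the highest differing bit downward becomes "don't care".
    wildcard = (1 << (lo ^ hi).bit_length()) - 1
    base = lo & ~wildcard & MASK32
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))

def overmatch(networks):
    """Addresses the covering wildcard matches beyond the intended networks
    (assumes the listed networks do not overlap)."""
    _, wildcard = covering_wildcard(networks)
    matched = 1 << bin(to_int(wildcard)).count("1")
    intended = sum(ipaddress.ip_network(n).num_addresses for n in networks)
    return matched - intended

if __name__ == "__main__":
    # The page's first case: 0.0.0.255 matches only 10.0.1.X.
    print(wildcard_match("10.0.1.77", "10.0.1.0", "0.0.0.255"))
    print(wildcard_match("10.0.0.1", "10.0.1.0", "0.0.0.255"))
    # The page's second case: both /24 networks need 0.0.1.255.
    page_nets = ["10.0.0.0/24", "10.0.1.0/24"]
    print(covering_wildcard(page_nets), "extra addresses:", overmatch(page_nets))
    # Constructed case: these two /24s do not share a 23-bit prefix, so the
    # covering mask widens to 0.0.3.255 and also matches 10.0.0.X and 10.0.3.X.
    wide = ["10.0.1.0/24", "10.0.2.0/24"]
    print(covering_wildcard(wide), "extra addresses:", overmatch(wide))
```
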