Discontiguous Wildcard Mask 17.44.97.33

Recently I was reading the Cisco Press CCIE R & S Certification Guide v4. On page 787 is a brief section on wildcard masks – one of which is 17.44.97.33. Well I don’t know about you, but I’d never seen a wildcard mask like that before, so after thinking it through here is my explanation of it:

Wildcard masks can be broken down into two camps: contiguous and discontiguous.

Contiguous Wildcard Masks

In the networking world contiguous wildcard masks are well known in access lists. A couple of examples are as follows:

1) 0.0.0.255. Here the wildcard mask in binary is:

00000000.00000000.00000000.11111111

The fourth octet is all 1’s, meaning the 4th octet will match anything. 1’s are referred to as don’t care bits. For example, if we take the network address 10.1.1.0 and apply the wildcard 0.0.0.255 we will match 10.1.1.0 – 10.1.1.255

2) 0.0.0.15. Here the wildcard mask in binary is:

00000000.00000000.00000000.00001111

The fourth octet doesn’t care what the 4 rightmost bits are (set to 1), but does care about the remaining bits (set to zero). For example 10.1.1.0 0.0.0.15 will match 10.1.1.0 – 10.1.1.15 and 10.1.1.16 0.0.0.15 will match 10.1.1.16 – 10.1.1.31

Discontiguous Wildcard Masks

The thing to note in the above examples is that, in binary, all the 1’s are contiguous. For discontiguous wildcard masks the 1’s are not all adjacent; they are separated by 0’s. An example of a discontiguous mask is 0.0.1.3

The wildcard mask in binary is:

00000000.00000000.00000001.00000011

We know that we don’t care about the 1’s but do care about the 0’s. So if we look at the 3rd octet we don’t care if this is 0 or 1 (in decimal), and if we look at the 4th octet we don’t care if this is 0,1,2 or 3 (in decimal)

If we take a network address such as 10.1.2.4 and match against this wildcard the easiest way to see which IP addresses match is to write down the binary.

10.1.2.4 = 00001010 00000001 00000010 00000100
0.0.1.3 =  00000000 00000000 00000001 00000011

The “don’t care bits” can be 1 or 0 (and zero always matches). To determine which IP addresses match we need to AND (http://en.wikipedia.org/wiki/Bitwise_operation#Bitwise_operators) the various wildcard combinations to the network address as follows:

10.1.2.4 = 00001010 00000001 00000010 00000100
           00000000 00000000 00000000 00000000
           10       1        2        4
10.1.2.4 = 00001010 00000001 00000010 00000100
           00000000 00000000 00000000 00000001
           10       1        2        5
10.1.2.4 = 00001010 00000001 00000010 00000100
           00000000 00000000 00000000 00000010
           10       1        2        6
10.1.2.4 = 00001010 00000001 00000010 00000100
           00000000 00000000 00000000 00000011
           10       1        2        7
10.1.2.4 = 00001010 00000001 00000010 00000100
           00000000 00000000 00000001 00000000
           10       1        3        4
10.1.2.4 = 00001010 00000001 00000010 00000100
           00000000 00000000 00000001 00000001
           10       1        3        5
10.1.2.4 = 00001010 00000001 00000010 00000100
           00000000 00000000 00000001 00000010
           10       1        3        6
10.1.2.4 = 00001010 00000001 00000010 00000100
           00000000 00000000 00000001 00000011
           10       1        3        7

So the wildcard 0.0.1.3 applied to the network address 10.1.2.4 matches 10.1.2.4/30 and 10.1.3.4/30

To get back to the original wildcard mask 17.44.97.33 – clearly there are a number of combinations available for matches. The R & S book gave the answer “A valid WC mask, it means all bits except bits 4,8,11,13,14,18,19,24,27, and 32”. This essentially means these bits are the don’t care bits, and all the other bits are 0.

17.44.97.33 = 00010001 00101100 01100001 00100001

Counting from the left going right we see the 1’s are in positions 4,8,11,13,14,18,19,24,27, and 32
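When reviewing an access list it helps to see exactly which hosts a discontiguous entry covers. The Python below is an added example, not from the book or the original post: it lists the don’t care bit positions of a wildcard, tests whether its 1’s are contiguous, checks a single address the way an ACL entry does, and enumerates every match. The function names are this example’s own.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def dont_care_positions(wildcard):
    """1-based positions, counted from the left, of the 1 (don't care) bits."""
    w = to_int(wildcard)
    return [i + 1 for i in range(32) if w & (1 << (31 - i))]

def is_contiguous(wildcard):
    """True when all the 1 bits sit in a single unbroken run."""
    w = to_int(wildcard)
    lowest = w & -w                  # lowest set bit (0 when w == 0)
    return (w + lowest) & w == 0     # adding it clears exactly one run

def acl_matches(address, wildcard, candidate):
    """Every care bit (wildcard 0) must be equal in both addresses."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) ^ to_int(candidate)) & care == 0

def matching_addresses(address, wildcard):
    """Every address the entry matches, in ascending order."""
    w = to_int(wildcard)
    base = to_int(address) & ~w & 0xFFFFFFFF   # keep only the care bits
    found, sub = [], w
    while True:
        found.append(base | sub)     # set one combination of don't care bits
        if sub == 0:
            break
        sub = (sub - 1) & w          # next smaller subset of the wildcard bits
    return [str(ipaddress.IPv4Address(a)) for a in sorted(found)]

if __name__ == "__main__":
    for wc in ("0.0.0.255", "0.0.0.15", "0.0.1.3", "17.44.97.33"):
        kind = "contiguous" if is_contiguous(wc) else "discontiguous"
        print(wc, kind, dont_care_positions(wc))
    print(matching_addresses("10.1.2.4", "0.0.1.3"))
    print(len(matching_addresses("0.0.0.0", "17.44.97.33")), "addresses match")
```

A wildcard with n don’t care bits matches 2^n addresses, so the ten 1’s in 17.44.97.33 cover 1024 scattered addresses for any given base address.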