
Working with Wildcard Masks

When working with wildcard masks, Cisco recommends sticking to the interface address with all zeros (0) in the mask. If you want to deviate from this method, breaking the mask at 8-bit boundaries is the next recommendation because it reduces the chance of making errors.

With the exception of the global wildcard mask of all zeros, which is special, wildcard masks follow the matching rule: where there is a binary 0 in the mask, the corresponding address bit must match, but where there is a binary 1 in the mask, the mask does not care about that bit of the address.

Wildcard masks work differently than subnet masks do. Subnet masks remove the host section of an address, leaving you with a network ID, whereas wildcard masks identify the portions of an address that need to match. If you reverse the bits and perform the logical AND process, you end up matching the same network.
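
The matching rule and the bit-reversal relationship described above, as an added Python example that is not part of the original article. The 172.16.x.x addresses are constructed sample values, the function names are hypothetical, and `review_wildcard` goes beyond the text by also flagging non-contiguous masks in addition to masks that break inside an octet.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(address, base, wildcard):
    """Matching rule: 0 bits in the wildcard must match, 1 bits are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)

def subnet_to_wildcard(subnet_mask):
    """Reverse every bit of a subnet mask to get the equivalent wildcard."""
    return str(ipaddress.IPv4Address(~to_int(subnet_mask) & 0xFFFFFFFF))

def same_network(address, base, subnet_mask):
    """Subnet-mask view: AND both addresses with the mask, compare network IDs."""
    mask = to_int(subnet_mask)
    return (to_int(address) & mask) == (to_int(base) & mask)

def review_wildcard(wildcard):
    """Return notes on how far a wildcard strays from the recommendations."""
    w = to_int(wildcard)
    if w == 0:
        return ["all zeros: matches the one address exactly"]
    notes = []
    if w & (w + 1):  # the 1 bits are not one solid run at the low end
        notes.append("non-contiguous: matches scattered addresses, not one range")
    if any(octet not in (0, 255) for octet in w.to_bytes(4, "big")):
        notes.append("breaks inside an octet: not on an 8-bit boundary")
    return notes or ["contiguous and on an 8-bit boundary"]

if __name__ == "__main__":
    base = "172.16.0.0"  # constructed sample network, not from the article
    for addr in ("172.16.5.9", "172.17.5.9"):
        by_wildcard = wildcard_match(addr, base, subnet_to_wildcard("255.255.0.0"))
        print(addr, by_wildcard, same_network(addr, base, "255.255.0.0"))
    # A mask that is easy to mistype: 0.0.254.255 matches only even third octets.
    for addr in ("172.16.2.7", "172.16.3.7"):
        print(addr, wildcard_match(addr, base, "0.0.254.255"))
    for mask in ("0.0.0.0", "0.0.255.255", "0.0.3.255", "0.0.254.255"):
        print(mask, review_wildcard(mask))
```

The same matching rule applies wherever IOS takes a wildcard mask, so a mistyped mask in an access list silently matches a different set of addresses than intended.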


If the figure matches the scope of your entire network, Router1 can use these two network lines:

network area 192
network area 10

Whereas Router2, which has no network segments, can use this network command:

network area 192

In this example, all networks in the range can be routed through Router1, and Router2 can route all of the networks. If you add another router to the network and use an address from the or network blocks, you may encounter routing issues implementing these wildcard masks.

Although you do less typing with the class-based address masks (one network mask, rather than four, for all of Router2), you must do more planning around the network addresses (which you should be doing anyway). So, you can be more limiting in how you assign masks for these network commands. Router1’s commands are as follows:

network area 192
network area 10

Router2’s network commands are as follows:

network area 192
network area 192
network area 192

In this set of examples, you end up with two big differences. Based on the mask now assigned to the network block of Router1, your router identifies itself as the router from all addresses from through, which is fine as long as you do not plan to use on another area of your network.

On Router2, the router now routes for through If you were not using the network segments on your network, you would identify it as the router for through with this single command:

network area 192

Although you can reduce your typing a little bit by using wildcard masks, doing so can cause a lot of confusion, so using the interface addresses will make life easier.
