Wildcard Masks
Typically, when we use a subnet mask, it tells us which part of the IP address is the network portion and which part is the host portion. Put simply, it shows which numbers in the IP address can be used as addresses for hosts on the network and which numbers are reserved for defining what network we are on.
The wildcard mask is a bit different and can be confusing at first, but it is simple enough once you understand it.
For example, if we are configuring EIGRP, to stick with something we did in a previous post, we get into EIGRP config mode and we need to enter a network command to let it know what networks we want to advertise.
So if we are trying to advertise the 10.1.1.0/24 network, and we want all the hosts using that network to be able to have their traffic routed through EIGRP, we can use the wildcard mask. As an aside, using a wildcard for EIGRP is optional. If you do not use a mask, it will default to a classful network, i.e. if I just typed
RT1(config-router)# network 10.1.1.0
The IOS will change the command (and you can view this in the running config) to be
RT1(config-router)# network 10.0.0.0
and all interfaces with IP addresses that begin with 10 on that router will be enabled on EIGRP.
But we only want the 10.1.1.0/24 network to be enabled. This is where we use the wildcard mask.
The wildcard mask tells the router which octets to care about (and, once we break it down past using just 255, which range of numbers within an octet). Take our 10.1.1.0 network: we want everything from 10.1.1.0 to 10.1.1.255 to be enabled. We would enter a wildcard mask in our network command like so
RT1(config-router)# network 10.1.1.0 0.0.0.255
So the wildcard is telling the router that the first 3 octets are significant: ensure only what is specified in the given address is advertised. It is also telling the router that in the 4th octet we don’t care what comes through, so allow everything.
Let’s look at another example. What if we wanted to enable anything from 10.1.0.0 - 10.1.255.255 to pass through? The command is like so
RT1(config-router)# network 10.1.0.0 0.0.255.255
So you can see how the wildcard is kind of like the reverse of the subnet mask: it tells the router what portion of the IP address is significant and what portion is not significant.
A last example that is a bit more tricky. Say we have the 10.1.0.0/26 to work with (we start with 10.1.0.0/16 and are breaking it down to the 10.1.0.0/26, giving us 62 useable addresses in ranges incrementing by 64 from 10.1.0.0 through to 10.1.255.192). If we wanted to, for whatever reason, limit EIGRP to only allow traffic from the interface with the network 10.1.5.64/26 to pass through, we would enter the command like so
RT1(config-router)# network 10.1.5.64 0.0.0.63
So you can see that, for our network 10.1.5.64, which has a subnet mask of 255.255.255.192, we are flipping the subnet mask. To understand this further, let’s look at the binary.
The wildcard mask is 00000000.00000000.00000000.00111111, so we are telling the router not to worry about what is in those last 6 bits; they can be on or off in any configuration. But all the 0 bits must match exactly.
We are giving the IP address 10.1.5.64, which in binary is 00001010.00000001.00000101.01000000, so all the first 26 bits must match exactly, but we can change any of the last 6 bits in that network and the wildcard will still let traffic through. If we turned on all the last 6 bits, we would end up with 10.1.5.127 or 00001010.00000001.00000101.01111111. We know from subnetting class that our 10.1.5.64/26 network has the range 10.1.5.64 through to 10.1.5.127: the .64 is our network address, the .127 is our broadcast address, and our hosts are from .65 to .126. With this setup, EIGRP is going to allow all the addresses on this network to pass from the interface which has 10.1.5.64/26 assigned as the IP address.
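The bit-level rule above, written out as an added Python example (not code from the original post): a 0 bit in the wildcard must match and a 1 bit is ignored, which also covers the classful default from the first example. The function names, the interface names and the interface addresses are constructed for illustration.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_from_prefix(prefix_len):
    """Flip the subnet mask for a prefix length, e.g. /26 -> 0.0.0.63."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return to_dotted((1 << (32 - prefix_len)) - 1)

def matches(address, network, wildcard):
    """True if address equals network on every bit where the wildcard is 0."""
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) ^ to_int(network)) & care_bits == 0

def matched_range(network, wildcard):
    """Lowest and highest matched address (wildcard bits all off, then all on)."""
    wc = to_int(wildcard)
    base = to_int(network) & ~wc & 0xFFFFFFFF
    return to_dotted(base), to_dotted(base | wc)

def classful_default(network):
    """Network and wildcard used when the wildcard is left off (classes A to C)."""
    first_octet = to_int(network) >> 24
    if first_octet >= 224:
        raise ValueError("class D/E addresses have no classful network")
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    wildcard = wildcard_from_prefix(prefix)
    return matched_range(network, wildcard)[0], wildcard

# Constructed interface addresses for a hypothetical RT1 (not from the post).
INTERFACES = {"Gi0/0": "10.1.1.1", "Gi0/1": "10.1.5.65",
              "Gi0/2": "10.2.0.1", "Gi0/3": "10.1.5.129"}

def enabled_interfaces(network, wildcard, interfaces=INTERFACES):
    """Interfaces whose address the network statement would match."""
    return sorted(n for n, ip in interfaces.items() if matches(ip, network, wildcard))

if __name__ == "__main__":
    for net, wc in [("10.1.5.64", "0.0.0.63"), ("10.1.0.0", "0.0.255.255"),
                    classful_default("10.1.1.0")]:
        print(net, wc, matched_range(net, wc), enabled_interfaces(net, wc))
```

Running it shows how the set of matched interfaces grows as the wildcard widens, from one interface with 0.0.0.63 to every interface with the classful default.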