Some interesting binary math

I recently was watching a CBTNuggets video when I heard mention that you could use a careful wildcard mask to select odd or even numbered subnets for route advertisement; however, I noticed there was something off about the comment and investigated a little deeper.

We’re continuously taught early in our networking careers about having wildcard masks which end at byte boundaries or needing to be consecutive 1’s and 0’s; however, this is merely a teaching tool and not so much the case in real life. You see, a wildcard mask in an ACL is used to select routes based on the selected wildcard masks and what positions the 1’s line up to ensure matching, just remember that where you have a 0 you must match and where you have a 1 you don’t need to match exactly, the “I don’t care bit”.

Now, let’s get down to an example you’ve probably seen: You need to only redistribute odd number routes from one protocol to another using a distribute-list that references an ACL.

Let’s say we have: 10.0.[0-20].0/24 and these networks are the ones in question. You only want to select the odd number ranges to be redistributed. Let’s look at this from a binary perspective to see what all the odd numbers have in common in the third octet: = 00000001 = 00000011 = 00000101 00010001 00010011

Notice in the odd numbers the only bit remaining the same is the last bit, all the others are changing. Now, here is an interesting concept which may blow your mind, but we’ll move back to the old way from when you were probably learning subnetting:


Now, you can add up all those numbers except the last bit (1) and you’ll always have an even number; however, utilize the last bit and you have an odd number, always. So, what is the wildcard mask you ask? Not 0000001 like some people will tell you, no, in fact that is quite the opposite because you’re saying you don’t care about the last bit, it can be whatever, even or odd in the third octet. Instead, your wildcard mask looks like this:

00000000.00000000.11111110.00000000 = – The last bit in the third octet must always be the same from the start.

How does that work you ask? Quite simple, when you setup your ACL the key point isn’t so much the wildcard mask, it is the starting subnet you reference in the ACL: = Will match all odd number subnets = Will match all even number subnets

Why? Take a peek at the binary in the third octet: = 00000001 11111110

You see the last bit is one and must remain the same. What about even? = 00000000 11111110

Now, the last bit is zero, meaning any combination of bits used before it will always equal even numbers. How is this still all possible you ask? Well, we’re using standard ACLs, so we’re only referencing the host/source as a “starting point”. Think not of ACLs as “networks” but a tool which takes the portion you set in the “network” portion as a starting point to begin processing against the wildcard mask.