Many people have this question: since there is already a subnet mask, why should wildcard masks be used, and what is the difference between them?
The short answer is the following:
There is a basic rule for the wildcard mask: a '0' bit in the wildcard mask means MUST MATCH, a '1' bit means IGNORE, and the '0' and '1' bits do not have to be contiguous.
So a wildcard mask can match addresses that do not fall on a subnet boundary, which makes it more flexible than a subnet mask.
Let's take some examples.
Generally, the wildcard/subnet mask is used in the following scenarios:
1. A single IP address:
Subnet mask: 192.168.0.1 255.255.255.255
Wildcard mask: 192.168.0.1 0.0.0.0
2. A subnet:
Subnet mask: 192.168.0.0 255.255.255.0
Wildcard mask: 192.168.0.0 0.0.0.255
In both cases they achieve the same result.
3. A range of IP addresses:
In this case we can see the difference.
Assume that the device needs to allow the IP addresses 192.168.0.1, 192.168.1.1, ... 192.168.255.1 to pass through.
Subnet mask: cannot represent this
Wildcard mask: 192.168.0.1 0.0.255.0
The wildcard mask also has a shortcoming: it cannot match the mask (prefix length) of a route.
For example, we want to allow 10.1.1.0/24 to pass through and try to use an ACL:
ACL 2000
Rule permit source 10.1.1.0 0.0.0.255
When this ACL is applied, not only 10.1.1.1/24 but also 10.1.1.1/23, 10.1.1.1/22, ... match the ACL, because the ACL compares only the address bits against the wildcard and never looks at the prefix length.
That is why, in practice, we usually use ip-prefix instead of an ACL to match routing information.
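As an added example (not part of the original article), the following Python models the three points above: the bitwise wildcard rule, the test for whether a wildcard has a subnet-mask equivalent at all, and why an ACL rule admits any prefix length while an ip-prefix entry does not. The two route-filter functions are simplified models of the device behaviour described here, not a vendor implementation.

```python
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard rule: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF  # the bits we actually compare
    return (to_int(addr) & care) == (to_int(base) & care)


def subnet_match(addr: str, network: str, netmask: str) -> bool:
    """Subnet-mask rule: a 1 bit in the mask must match."""
    m = to_int(netmask)
    return (to_int(addr) & m) == (to_int(network) & m)


def expressible_as_subnet_mask(wildcard: str) -> bool:
    """A wildcard has a subnet-mask equivalent only if its 1 bits form one
    contiguous low-order run, i.e. wildcard + 1 is a power of two.
    0.0.0.255 qualifies; 0.0.255.0 (the range case above) does not."""
    w = to_int(wildcard)
    return (w + 1) & w == 0


def acl_permits_route(route: str, base: str, wildcard: str) -> bool:
    """Simplified model of route filtering with an ACL rule: only the address
    part of the route is compared with the wildcard; the prefix length is
    ignored, so 10.1.1.1/24, 10.1.1.1/23 and 10.1.1.1/22 all match."""
    addr, _length = route.split("/")
    return wildcard_match(addr, base, wildcard)


def ip_prefix_permits_route(route: str, allowed: str) -> bool:
    """Simplified model of an ip-prefix entry: the network address and the
    prefix length must both match the permitted prefix."""
    return ipaddress.IPv4Network(route, strict=False) == ipaddress.IPv4Network(allowed)


if __name__ == "__main__":
    # Constructed sample values taken from the scenarios in the article.
    print(wildcard_match("192.168.37.1", "192.168.0.1", "0.0.255.0"))   # True
    print(expressible_as_subnet_mask("0.0.255.0"))                      # False
    print(acl_permits_route("10.1.1.1/23", "10.1.1.0", "0.0.0.255"))    # True
    print(ip_prefix_permits_route("10.1.1.1/23", "10.1.1.0/24"))        # False
```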