In order to gain the benefits of using a wildcard mask, the mask bits in the octet of distinction shold be contiguous.
Doing so allows you to address a block or range of interesting items with a single statement, saving processing cycles, time, and memory resources.
One of the more common examples is the blocking of RFC1918 addresses at the choke router:
The 10.0.0.0 address is easy (0.255.255.255). The 192.168.X.0 addresses are easy (0.0.255.255). The range of Class B addresses is where it comes in handy ...
Access-list 101 deny ip 172.16.0.0 0.15.255.255 any (applied to the inbound interface)
172.16.0.0 is the root address. "172" is matched exactly (the Zero). The "15" (which is the four low-order bits set to one) will match the next 15 networks (from 172.17.0.0 - 172.31.0.0). A simple, single access-list line will save a great deal of processor time and memory. Remember, every packet must be compared to an access-list and evalulated. The more lines it must compare, the longer it takes and the more processor cycles will be consumed.
If we had to match up to 172.32.0.0, an additional access-list line would be needed, becasue the root bit pattern would be changed (00100000 versus 00010000 - ranging up to 00011111 with the wildcard mask).
As soon as the bit pattern changes for the root, another line would be needed (possibly another block definition if the addresses allow it).
THIS is why planning an IP address schema is so important. Done properly it allows summarization ... which saves processor time and (in the case of routing protocols) bandwidth.
Hopefully this helps ....
FWIW
Scott
Facebook
Twitter