ACLs and wild cards on cisco routers (part 2)

"You want to match on this network (172.16.16.0/21) in an ACL. Enter the wildcard mask to do this."

This was a question on a CCNA practice exam. Can anyone shed any light?
thanks
dissolvedAsked:
lrmoore Commented:
Good explanation of an inverse mask, but inverse masks and wildcard masks are not necessarily the same.
With an inverse mask as well as with a subnet mask, all mask bits are contiguous.

With a wildcard mask, that is not necessarily the case.
Consider a network id 172.16.1.0, wildcard mask 0.0.254.255
Binary shows non-contiguous mask bits
 00000000.00000000.11111110.11111111

Used in an access-list, this wildcard will match all networks with an odd number in the 3rd octet and not match any even numbered subnets.
 access-list 121 permit ip 172.16.0.0 0.0.254.255 any

Routing protocols (i.e. OSPF) use inverse masks, while access-lists use wildcard masks. You can get quite creative with wildcard masking in acls.

There is an excellent discussion of the wildcard masking here:
http://64.233.187.104/search?q=cache:7cJfkzR8aWUJ:www.techsoup.org/forums/index.cfm%3Fforum%3D2030%26fuseaction%3Dread%26id%3D52344+wildcard+mask+even+numbered+networks&hl=en&lr=lang_en
Good basic reference:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

0
 
-Leo- Commented:
Wildcard masks are used to match against bits in a packet. A 0 in a bit position means match, and a 1 means ignore. If you want to match against a subnet, take the corresponding subnet mask and invert it. The trick is to subtract each octet in the mask from 255, resulting in the wildcard mask.

Your example: /21 = 255.255.248.0

Calculation:        255-255=0; 255-255=0; 255-248=7; 255-0=255
Wildcard mask:   0.0.7.255
0
 
Dr-IPCommented:
I have a simple rule for wildcard masks for the subnets of 24 bits or less, it’s allowable hosts plus 1.

10.0.0.0/24 254 hosts, 0.0.0.255

10.0.0.0/25 126 hosts, 0.0.0.127

10.0.0.0/26 62 hosts, 0.0.0.63

For larger subnets you can use this formula. 255.255.255.255 minus subnet mask equals wildcard.

 255.255.255.255
-255.255.254.0
=0.0.1.255

 255.255.255.255
-255.255.224.0
=0.0.31.255

0
dissolvedAuthor Commented:
Thanks guys. A few more questions
1. lrmoore:  What is the difference between inverse masks and wildcard masks?  Also, in the example you posted:
Used in an access-list, this wildcard will match all networks with an odd number in the 3rd octet and not match any even numbered subnets.
 access-list 121 permit ip 172.16.0.0 0.0.254.255 any

Is there an easy explanation as to why the third octet of the host must be odd to match?

2. Leo and Dr IP: I'm assuming I cannot use the 255-x formula for all of the questions? I can only use them on /24 or bigger?

Thanks
0
 
lrmooreCommented:
In an inverse mask, all mask digits are contiguous.
In a wildcard mask, that is not necessarily the case.

Consider:
IP Address 172.22.5.0 / 24
Binary 10101100.00010110.00000101.00000000

Subnet Mask:
Decimal 255.255.255.0
Binary 11111111.11111111.11111111.00000000

Inverse (Wildcard) Mask
Decimal 0.0.0.255
Binary 00000000.00000000.00000000.11111111

Wildcard Mask
Decimal 0.0.254.255
Binary 00000000.00000000.11111110.11111111
                               ^^
All bit positions occupied by a 0 in the wildcard mask are significant and must match when a packet is examined by the router for access list criteria.

Decimal 172.22.1.0
Binary 10101100.00010110.00000001.00000000
                                ^ = match
Decimal 172.22.2.1
Binary 10101100.00010110.00000010.00000001
                                ^ = no match
Decimal 172.16.3.1
Binary 10101100.00010110.00000011.00000001
                                ^ = match


0
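An added example (my own code, not from any of the posters) that puts both rules from this thread into one script: the 255-x calculation that Leo and Dr-IP describe, and the bit-level match semantics lrmoore walks through, using the network id 172.16.1.0 with wildcard 0.0.254.255 from the first answer. It assumes nothing beyond the Python standard library.

```python
import ipaddress

FULL = 0xFFFFFFFF  # 255.255.255.255 as a 32-bit integer


def subnet_mask(prefix_len: int) -> int:
    """Contiguous subnet mask for /prefix_len as a 32-bit integer."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (FULL << (32 - prefix_len)) & FULL


def wildcard_from_prefix(prefix_len: int) -> str:
    """255.255.255.255 minus the subnet mask (the 255-x rule); this is the
    inverse mask, so its 1 bits are always contiguous."""
    return str(ipaddress.IPv4Address(FULL ^ subnet_mask(prefix_len)))


def usable_hosts(prefix_len: int) -> int:
    """Usable host addresses in a /prefix_len subnet (network and broadcast excluded)."""
    return max(2 ** (32 - prefix_len) - 2, 0)


def acl_matches(network: str, wildcard: str, address: str) -> bool:
    """ACL wildcard semantics: where the wildcard bit is 0 the address bit must
    equal the network bit; where it is 1 the bit is ignored. Nothing requires
    the 1 bits to be contiguous, which is how 0.0.254.255 selects every other
    value of the third octet (the parity of the network's own third-octet
    low bit decides whether odd or even values match)."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    addr = int(ipaddress.IPv4Address(address))
    care = FULL ^ wc                     # bits that must match exactly
    return ((addr ^ net) & care) == 0


if __name__ == "__main__":
    # The exam question: 172.16.16.0/21 -> subnet mask 255.255.248.0
    print("/21 wildcard:", wildcard_from_prefix(21))          # 0.0.7.255
    # Dr-IP's shortcut for /24 and longer: last octet == usable hosts + 1
    print("/25 hosts + 1:", usable_hosts(25) + 1)              # 127
    # lrmoore's non-contiguous mask on network id 172.16.1.0
    for a in ("172.16.1.0", "172.16.2.1", "172.16.3.1"):
        print(a, acl_matches("172.16.1.0", "0.0.254.255", a))
```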
 
Dr-IP Commented:
The 255-x formula works for smaller networks too, but if you know how many hosts a smaller subnet has it's easier to just do plus one. The plus one formula can be expanded out to larger subnets, but it's easier to just use the 255-x formula instead.
0
 
dissolvedAuthor Commented:
thanks! and my final question
255.255.255.255 means match all packets
0.0.0.0 means match a specific host

0.0.0.255 means the last octet can be anything?

Great explanations guys
thanks
0
 
minmei Commented:
Yes.

Wherever you have a 1 (bit level) in the wildcard mask it will match anything.

0.0.0.255 has all 8 bits in the last octet set to 1, so anything in the last octet will match it. That's why it's called a wildcard.
0
 
dissolvedAuthor Commented:
thanks everyone.
0