Solved

ACLs and wild cards on cisco routers (part 2)

Posted on 2005-03-18
490 Views
Last Modified: 2008-02-01
"You want to match on this network (172.16.16.0/21) in an ACL. Enter the wildcard mask to do this."

This was a question on a CCNA practice exam. Can anyone shed any light?
thanks
Question by:dissolved
9 Comments
 
LVL 11

Assisted Solution

by:-Leo-
-Leo- earned 200 total points
ID: 13581284
Wildcard masks are used to match against bits in a packet. A 0 in a bit position means match, and a 1 means ignore. If you want to match against a subnet, take the corresponding subnet mask and invert it. The trick is to subtract each octet in the mask from 255, resulting in the wildcard mask.

Your example: /21 = 255.255.248.0

Calculation:        255-255=0; 255-255=0; 255-248=7; 255-0=255
Wildcard mask:   0.0.7.255
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 800 total points
ID: 13582059
Good explanation of an inverse mask, but inverse masks and wildcard masks are not necessarily the same.
With an inverse mask as well as with a subnet mask, all mask bits are contiguous.

With a wildcard mask, that is not necessarily the case.
Consider a network id 172.16.1.0, wildcard mask 0.0.254.255
Binary shows non-contiguous mask bits
 00000000.00000000.11111110.11111111

Used in an access-list, this wildcard will match all networks with an odd number in the 3rd octet and not match any even numbered subnets.
 access-list 121 permit ip 172.16.0.0 0.0.254.255 any

Routing protocols (i.e. OSPF) use inverse masks, while access-lists use wildcard masks. You can get quite creative with wildcard masking in acls.

There is an excellent discussion of the wildcard masking here:
http://64.233.187.104/search?q=cache:7cJfkzR8aWUJ:www.techsoup.org/forums/index.cfm%3Fforum%3D2030%26fuseaction%3Dread%26id%3D52344+wildcard+mask+even+numbered+networks&hl=en&lr=lang_en
Good basic reference:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

 
LVL 13

Expert Comment

by:Dr-IP
ID: 13582160
I have a simple rule for wildcard masks for the subnets of 24 bits or less, it’s allowable hosts plus 1.

10.0.0.0/24 254 hosts, 0.0.0.255

10.0.0.0/25 126 hosts, 0.0.0.127

10.0.0.0/26 62 hosts, 0.0.0.63

For larger subnets you can use this formula. 255.255.255.255 minus subnet mask equals wildcard.

 255.255.255.255
-255.255.254.0
=0.0.1.255

 255.255.255.255
-255.255.224.0
=0.0.31.255
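The three shortcuts given above (-Leo-'s "255 minus each octet", Dr-IP's "255.255.255.255 minus the subnet mask", and the "usable hosts plus 1" rule for the last octet) as runnable Python. This is an added example, not code posted in the thread; it cross-checks each rule against a direct bitwise inversion of the mask, and the function names are my own.

```python
"""Compute a Cisco wildcard (inverse) mask for a contiguous subnet mask three ways.

Added example, not from the original thread: it reproduces -Leo-'s
"255 minus each octet" rule, Dr-IP's "255.255.255.255 minus mask" rule
and the "usable hosts plus 1" shortcut for the last octet, and checks
that they all agree with a direct bitwise inversion.
"""
import ipaddress


def prefix_to_mask(prefix: int) -> str:
    """Dotted subnet mask for a prefix length, e.g. 21 -> 255.255.248.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def wildcard_bitwise(mask: str) -> str:
    """Reference answer: flip every bit of the 32-bit mask."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def wildcard_per_octet(mask: str) -> str:
    """-Leo-'s rule: subtract each octet of the mask from 255."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_subtraction(mask: str) -> str:
    """Dr-IP's rule: 255.255.255.255 minus the mask, as one 32-bit subtraction."""
    result = 0xFFFFFFFF - int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(result))


def wildcard_hosts_plus_one(prefix: int) -> str:
    """Dr-IP's shortcut for /24 through /30: usable hosts + 1 is the last octet."""
    if not 24 <= prefix <= 30:
        raise ValueError("shortcut covers /24 through /30 only")
    usable_hosts = 2 ** (32 - prefix) - 2
    return f"0.0.0.{usable_hosts + 1}"


def wildcard_for_prefix(prefix: int) -> str:
    """Cross-check all applicable rules and return the agreed wildcard mask."""
    mask = prefix_to_mask(prefix)
    answers = {wildcard_bitwise(mask), wildcard_per_octet(mask), wildcard_subtraction(mask)}
    if 24 <= prefix <= 30:
        answers.add(wildcard_hosts_plus_one(prefix))
    if len(answers) != 1:
        raise AssertionError(f"rules disagree for /{prefix}: {answers}")
    return answers.pop()


if __name__ == "__main__":
    # The exam question: 172.16.16.0/21 -> mask 255.255.248.0 -> wildcard 0.0.7.255
    for p in (21, 23, 19, 24, 25, 26):
        print(f"/{p:<2} mask {prefix_to_mask(p):<15} wildcard {wildcard_for_prefix(p)}")
```

Running it prints /21 as 0.0.7.255 (the exam answer), /23 as 0.0.1.255 and /19 as 0.0.31.255 (Dr-IP's two subtractions), and /25 and /26 as 0.0.0.127 and 0.0.0.63 (the hosts-plus-one cases). The hosts-plus-one rule is deliberately limited to /24 and longer, because beyond that the "plus 1" spills past the last octet, which is the reason Dr-IP switches to the subtraction rule for larger subnets.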

 

Author Comment

by:dissolved
ID: 13582461
Thanks guys. A few more questions
1. lrmoore:  What is the difference between inverse masks and wildcard masks?  Also, in the example you posted:
Used in an access-list, this wildcard will match all networks with an odd number in the 3rd octet and not match any even numbered subnets.
 access-list 121 permit ip 172.16.0.0 0.0.254.255 any

Is there an easy explanation as to why the third octet of the host must be odd to match?

2. Leo and Dr IP: I'm assuming I cannot use the 255-x formula for all of the questions? I can only use them on /24 or bigger?

Thanks
 
LVL 79

Expert Comment

by:lrmoore
ID: 13582514
In an inverse mask, all mask digits are contiguous.
In a wildcard mask, that is not necessarily the case.

Consider:
IP Address 172.22.5.0 / 24
Binary 10101100.00010110.00000101.00000000

Subnet Mask:
Decimal 255.255.255.0
Binary 11111111.11111111.11111111.00000000

Inverse (Wildcard) Mask
Decimal 0.0.0.255
Binary 00000000.00000000.00000000.11111111

Wildcard Mask
Decimal 0.0.254.255
Binary 00000000.00000000.11111110.11111111
                               ^^
All bit positions occupied by a 0 in the wildcard mask are significant and must match when a packet is examined by the router for access list criteria.

Decimal 172.22.1.0
Binary 10101100.00010110.00000001.00000000
                                ^ = match
Decimal 172.22.2.1
Binary 10101100.00010110.00000010.00000001
                                ^ = no match
Decimal 172.22.3.1
Binary 10101100.00010110.00000011.00000001
                                ^ = match


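The bit-by-bit rule lrmoore describes (a 0 bit in the wildcard is significant and must equal the ACL address bit, a 1 bit is ignored) as runnable Python, together with a check that tells a plain inverse mask apart from a non-contiguous wildcard. This is an added example, not code from the thread: the 172.22.x.x addresses and the 0.0.254.255 wildcard are lrmoore's, the ACL number 121 is from the accepted answer, and the remaining sample addresses are constructed here.

```python
"""Evaluate Cisco wildcard-mask matches bit by bit, including non-contiguous masks.

Added example, not code from the thread. It implements the rule lrmoore states:
a 0 bit in the wildcard mask is significant and must equal the ACL address bit,
a 1 bit is ignored. The 172.22.x.x addresses and wildcard 0.0.254.255 are the
ones in lrmoore's post; the other sample addresses are constructed here.
"""
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(acl_address: str, wildcard: str, packet_address: str) -> bool:
    """True if packet_address matches the ACL entry <acl_address> <wildcard>."""
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF  # wildcard 0 -> bit must match
    return (to_int(acl_address) & care_bits) == (to_int(packet_address) & care_bits)


def is_inverse_mask(wildcard: str) -> bool:
    """True if the wildcard is a plain inverse mask: all 1 bits contiguous at the
    low end (the complement of a subnet mask). Such values are 2**n - 1."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def matching_third_octets(acl_address: str, wildcard: str) -> list:
    """Third-octet values that match, holding the other octets at the ACL value."""
    a, b, _, d = acl_address.split(".")
    return [n for n in range(256)
            if wildcard_match(acl_address, wildcard, f"{a}.{b}.{n}.{d}")]


if __name__ == "__main__":
    # lrmoore's non-contiguous example (ACL number 121 is from the thread)
    acl_addr, wc = "172.22.5.0", "0.0.254.255"
    print(f"access-list 121 permit ip {acl_addr} {wc} any")
    print("plain inverse mask?", is_inverse_mask(wc))  # False
    for pkt in ("172.22.1.0", "172.22.2.1", "172.22.3.1"):
        print(f"  {pkt:<12} {'match' if wildcard_match(acl_addr, wc, pkt) else 'no match'}")
    odd = matching_third_octets(acl_addr, wc)
    print("third octets matched:", odd[:4], "...", odd[-2:], f"({len(odd)} values, all odd)")

    # The two extremes from the thread: 0.0.0.0 pins a single host,
    # 255.255.255.255 matches every address. Addresses here are constructed.
    print(wildcard_match("192.0.2.10", "0.0.0.0", "192.0.2.10"))        # True
    print(wildcard_match("192.0.2.10", "0.0.0.0", "192.0.2.11"))        # False
    print(wildcard_match("0.0.0.0", "255.255.255.255", "203.0.113.9"))  # True
```

The parity behaviour falls straight out of the arithmetic: with 0.0.254.255 the only significant bit in the third octet is the low-order one, so a packet matches exactly when that octet has the same parity as the ACL address (odd here, because 5 is odd). When auditing an ACL, `is_inverse_mask` is a quick way to flag entries whose wildcard is not a simple subnet complement and therefore deserve a second look at what they actually admit.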
 
LVL 13

Assisted Solution

by:Dr-IP
Dr-IP earned 800 total points
ID: 13582546
The 255-x formula works for smaller networks too, but if you know how many hosts a smaller subnet has it's easier to just do plus one. The plus one formula can be expanded out to larger subnets, but it's easier to just use the 255-x formula instead.
 

Author Comment

by:dissolved
ID: 13582585
Thanks! And my final question:
255.255.255.255 means match all packets
0.0.0.0 means match a specific host

0.0.0.255 means the last octet can be anything?

Great explanations guys
thanks
 
LVL 7

Assisted Solution

by:minmei
minmei earned 200 total points
ID: 13582679
Yes.

Wherever you have a 1 (bit level) in the wildcard mask it will match anything.

0.0.0.255 has all 8 bits in the last octet set to 1, so anything in the last octet will match it. That's why it's called a wildcard.
 

Author Comment

by:dissolved
ID: 13582836
thanks everyone.
