Wildcard Masks in ACLs
Summary
This topic explains how ACLs use wildcard masks.
Wildcard Mask Overview
In the previous topic, you learned about the purpose of ACLs. This topic explains how ACLs use wildcard masks. An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match. Wildcard masks are also used by the Open Shortest Path First (OSPF) routing protocol.
A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, they differ in the way they match binary 1s and 0s. Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask, the reverse is true.
Wildcard masks use the following rules to match binary 1s and 0s:
- Wildcard mask bit 0 – Match the corresponding bit value in the address
- Wildcard mask bit 1 – Ignore the corresponding bit value in the address
The table lists some examples of wildcard masks and what they would identify.
Wildcard Mask | Last Octet (in Binary) | Meaning (0 – match, 1 – ignore)
---|---|---
0.0.0.0 | 00000000 | Match all octets.
0.0.0.63 | 00111111 | Match the first three octets and the first two bits of the last octet; ignore the last six bits of the last octet.
0.0.0.15 | 00001111 | Match the first three octets and the first four bits of the last octet; ignore the last four bits of the last octet.
0.0.0.252 | 11111100 | Match the first three octets and the last two bits of the last octet; ignore the first six bits of the last octet.
0.0.0.255 | 11111111 | Match the first three octets; ignore the last octet.
Wildcard Mask Types
Using wildcard masks will take some practice. Refer to the examples to learn how the wildcard mask is used to filter traffic for one host, one subnet, and a range of IPv4 addresses.
Wildcard Mask Calculation
Wildcard Mask Keywords
Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, the Cisco IOS provides two keywords to identify the most common uses of wildcard masking. Keywords reduce ACL keystrokes and make it easier to read the ACE.
The two keywords are:
- host – This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address.
- any – This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.
For example, in the command output, two ACLs are configured. The ACL 10 ACE permits only the 192.168.10.10 host and the ACL 11 ACE permits all hosts.
```
R1(config)# access-list 10 permit 192.168.10.10 0.0.0.0
R1(config)# access-list 11 permit 0.0.0.0 255.255.255.255
R1(config)#
```
Alternatively, the keywords host and any could have been used in place of the explicit address and wildcard mask pairs.
The following commands accomplish the same task as the previous commands.
```
R1(config)# access-list 10 permit host 192.168.10.10
R1(config)# access-list 11 permit any
R1(config)#
```
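The following Python script is an added worked example (not part of the original page or of Cisco IOS) that ties together the wildcard mask table above and the host/any keywords in this section. It implements the bit-0-match / bit-1-ignore rule directly, derives a wildcard mask from a subnet mask by inverting its bits, and parses standard ACEs in both the explicit-mask and keyword forms so you can confirm that `host 192.168.10.10` and `192.168.10.10 0.0.0.0` mean the same thing. The function names and the sample addresses are this example's own choices; the first-match-wins evaluation with an implicit deny at the end mirrors how IOS processes an ACL.

```python
"""Wildcard mask matching and standard ACE parsing (added example)."""


def to_int(dotted: str) -> int:
    """Convert a dotted-decimal IPv4 address or mask to a 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 value: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def wildcard_match(address: str, ace_address: str, wildcard: str) -> bool:
    """Apply the ACL rule: wildcard bit 0 = must match, wildcard bit 1 = ignore.

    Inverting the wildcard gives the 'care' bits; the ACE matches when the
    address and the ACE address agree on every care bit.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(ace_address) & care)


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask
    (equivalently 255.255.255.255 minus the subnet mask)."""
    return to_dotted(0xFFFFFFFF ^ to_int(subnet_mask))


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny SOURCE' into its address and wildcard.

    SOURCE may be 'host A' (wildcard 0.0.0.0), 'any' (0.0.0.0 255.255.255.255),
    or an explicit 'A WILDCARD' pair. Only these standard-ACL forms are handled.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    source = tokens[3:]
    if source == ["any"]:
        address, wildcard = "0.0.0.0", "255.255.255.255"
    elif len(source) == 2 and source[0] == "host":
        address, wildcard = source[1], "0.0.0.0"
    elif len(source) == 2:
        address, wildcard = source
    else:
        raise ValueError(f"unsupported source specification: {source!r}")
    to_int(address)  # validate both values early
    to_int(wildcard)
    return {"number": int(tokens[1]), "action": tokens[2],
            "address": address, "wildcard": wildcard}


def evaluate(acl_lines: list, address: str) -> str:
    """Walk the ACEs top-down; the first matching ACE decides.
    If nothing matches, the implicit deny at the end of every ACL applies."""
    for line in acl_lines:
        ace = parse_ace(line)
        if wildcard_match(address, ace["address"], ace["wildcard"]):
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    # Constructed sample rows mirroring the wildcard mask table above.
    samples = [
        ("192.168.10.10", "0.0.0.0"),    # one host
        ("192.168.10.64", "0.0.0.63"),   # 192.168.10.64 - .127
        ("192.168.10.16", "0.0.0.15"),   # 192.168.10.16 - .31
        ("192.168.10.1", "0.0.0.252"),   # last two bits must be 01
        ("192.168.10.0", "0.0.0.255"),   # whole /24
    ]
    for base, wildcard in samples:
        hits = [f"192.168.10.{h}" for h in range(256)
                if wildcard_match(f"192.168.10.{h}", base, wildcard)]
        print(f"{base} {wildcard}: {len(hits)} matching hosts in 192.168.10.0/24")
    print(parse_ace("access-list 10 permit host 192.168.10.10"))
    print(parse_ace("access-list 11 permit any"))
```

The `evaluate()` helper is where the keywords pay off: feeding it either spelling of ACL 10 yields identical results, and an address that matches nothing falls through to the implicit deny, which is the behaviour an operator needs to keep in mind when an ACL seems to block more than intended.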