This is just something I came across in another thread, and as I do not wish to hijack that thread, I thought I would open a new request for clarification.
A forum member posted the following question,
=======Forum members question =========
"I have 2 routers connected via serial link, RA and RB. RA has a PC in its LAN with IP 10.1.1.30/24, RB has a PC with IP 10.2.1.30/24. Now I am deploying a very SIMPLE site-to-site VPN with this access-list on both sides,
access-list 111 per ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255,
now I think that it should work but it didn't. I want to know why is that??? When traffic originates from 10.1.1.30, doesn't it match 10.0.0.30 0.255.255.0?? Can someone clear my confusion?"
============= End of Question =========
The wildcard mask 0.255.255.0 is totally alien to me.
In my studies to date (CCNA & some CCNP) I learned that a wildcard mask is the inverse of the subnet mask. From this I thought that, apart from the any-host wildcard mask 255.255.255.255 which is comprised of contiguous "1's" and the single-host wildcard mask 0.0.0.0 which is comprised of contiguous "0's", all wildcard masks read from left to right would have to be a contiguous number of "0's" followed by a contiguous number of "1's", depending on the range of hosts being matched.
Now it appears that this is not the case.
If I can indeed use a wildcard mask of 0.255.255.0 to match 10.x.y.30 as in the OP's question, where can I learn about this, and why don't they teach the truth in the CCNA and CCNP study material?
Best Regards & TIA,
The subject is in the study materials but it is not explicit.
In wildcard masks a "0" means that the respective bit of the addresses must be COMPARED (and must match for the acl statement to be true).
A "1" means that we don't care about the respective bits, these bits do not have to be compared, this is why these are the "don't care bits".
In the above case 10.x.y.30, all bits of the 1st byte must match, and all bits of the last byte must match.
All bits of the 2nd and 3rd byte may be ignored during the evaluation of the acl statement.
So a wildcard mask can be discontiguous.
A subnet mask has to be contiguous. However, there is no requirement for a wildcard mask to be contiguous at all. So
10.0.0.30 0.255.255.0 means any host whose first octet is 10 and whose last octet is 30, with the middle two octets being anything at all.
99% of the time the wildcard mask is just the inverse of the subnet mask but it doesn't have to be.
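To make the bit-wise rule from the two answers above concrete, here is an added example (my own code, not posted by anyone in this thread) that evaluates Cisco-style wildcard masks the way IOS does: a 0 bit in the mask means "compare this bit", a 1 bit means "don't care". It checks the exact ACE from the question (copied from the thread, with the trailing comma dropped) against the two PCs, shows that 0.255.255.0 is discontiguous while the everyday /24 wildcard 0.0.0.255 is not, and derives the usual inverse-of-subnet-mask wildcard for comparison. The `evaluate_ace` parser is a simplified one written for this example (only the `ip` protocol, `host`, `any`, and address/wildcard pairs); the function names are my own.

```python
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address: str, acl_address: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is
    ignored. Nothing here requires the mask to be contiguous."""
    care = ~to_int(wildcard) & 0xFFFFFFFF            # bits that must be compared
    return (to_int(address) & care) == (to_int(acl_address) & care)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is of the form 0...01...1, i.e. the inverse of a
    subnet mask. Such a value equals 2**n - 1, so w & (w + 1) is zero."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def wildcard_from_prefix(prefix_len: int) -> str:
    """The common case: the wildcard is the bitwise inverse of the subnet mask."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def _parse_target(tokens, i):
    """Parse one source/destination spec at tokens[i]: 'any', 'host A', or 'A WC'.
    Returns (address, wildcard, index_of_next_token)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def evaluate_ace(ace: str, src: str, dst: str):
    """Evaluate a single 'access-list N permit|deny ip SRC DST' line against a
    src/dst pair. Returns 'permit', 'deny', or None when the entry does not
    match. Simplified parser for this example; IOS-style abbreviations such as
    'per' for 'permit' are accepted."""
    t = ace.replace(",", "").split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
        raise ValueError(f"unsupported ACE: {ace!r}")
    action = t[2]
    if "permit".startswith(action):
        action = "permit"
    elif "deny".startswith(action):
        action = "deny"
    else:
        raise ValueError(f"unknown action {t[2]!r} in {ace!r}")
    s_addr, s_wc, i = _parse_target(t, 4)
    d_addr, d_wc, _ = _parse_target(t, i)
    if wildcard_match(src, s_addr, s_wc) and wildcard_match(dst, d_addr, d_wc):
        return action
    return None


# The ACE from the question in this thread (trailing comma removed).
QUESTION_ACE = "access-list 111 per ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255"

# Constructed sample hosts: the two PCs from the question plus two non-matching ones.
SAMPLE_HOSTS = ["10.1.1.30", "10.2.1.30", "10.1.1.31", "11.1.1.30"]


def matching_hosts(hosts, acl_address="10.0.0.30", wildcard="0.255.255.0"):
    """Return the subset of hosts the source wildcard in the question matches."""
    return [h for h in hosts if wildcard_match(h, acl_address, wildcard)]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:12} matches 10.0.0.30 0.255.255.0: {wildcard_match(h, '10.0.0.30', '0.255.255.0')}")
    print("0.255.255.0 contiguous:", is_contiguous("0.255.255.0"))
    print("/24 wildcard:", wildcard_from_prefix(24), "contiguous:", is_contiguous(wildcard_from_prefix(24)))
    print("RA PC -> RB PC:", evaluate_ace(QUESTION_ACE, "10.1.1.30", "10.2.1.30"))
```

Running it shows both 10.1.1.30 and 10.2.1.30 matching the source wildcard, while 10.1.1.31 and 11.1.1.30 do not, and the question's ACE returns "permit" for traffic between the two PCs. The `is_contiguous` check is the kind of sanity test worth running over an ACL before assuming a wildcard was meant as a subnet.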