Wildcard masks used in Cisco ACL's

keeleym
Level 5

Hi All

This is just something I came across in another thread and, as I do not wish to hijack that thread, I thought I would open up a new request for clarification.

A forum member posted the following question,

=======Forum members question =========

"I have 2 routers connected via serial link, RA and RB. RA has a PC in its LAN with IP 10.1.1.30/24, RB has a PC with IP 10.2.1.30/24. Now I am deploying a very SIMPLE site-to-site VPN with this access-list on both sides,

access-list 111 per ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255

now I think that it should work but it didn't. I want to know why is that??? When traffic originates from 10.1.1.30, doesn't it match 10.0.0.30 0.255.255.0?? Can someone clear my confusion?"

============= End of Question =========

The wildcard mask 0.255.255.0 is totally alien to me.

In my studies to date (CCNA & some CCNP) I learned that a wildcard mask is the inverse of the subnet mask. From this I thought that, apart from the any-host wildcard mask 255.255.255.255, which is comprised of contiguous "1's", and the single-host wildcard mask 0.0.0.0, which is comprised of contiguous "0's", all wildcard masks read from left to right would have to be a contiguous number of "0's" followed by a contiguous number of "1's", depending on the range of hosts being matched.

Now it appears that this is not the case.

If I can indeed use a wildcard mask of 0.255.255.0 to match, as in the OP's question, 10.x.y.30, where can I learn about this, and why don't they teach the truth in the CCNA and CCNP study material?

Best Regards & TIA,

Michael

2 Accepted Solutions

Jon Marshall
Hall of Fame

Michael

A subnet mask has to be contiguous. However, there is no requirement for a wildcard mask to be contiguous at all. So

10.0.0.30 0.255.255.0 means any host that has the first octet as 10 and the last octet of 30 with the middle 2 octets being anything at all.

99% of the time the wildcard mask is just the inverse of the subnet mask but it doesn't have to be.

Jon


Istvan_Rabai
Level 7

Hi Michael,

The subject is in the study materials but it is not explicit.

In wildcard masks a "0" means that the respective bit of the addresses must be COMPARED (and must match for the acl statement to be true).

A "1" means that we don't care about the respective bits, these bits do not have to be compared, this is why these are the "don't care bits".

In the above case 10.x.y.30, all bits of the 1st byte must match, and all bits of the last byte must match.

All bits of the 2nd and 3rd byte may be ignored during the evaluation of the acl statement.

So a wildcard mask can be discontiguous.

Cheers:

Istvan


9 Replies

Hi Jon/Istvan

Cheers for the response and the clarification, much appreciated.

This information leads me to ask how far can I take this?

Can I, for instance, have a wildcard mask of 3.63.255.127?

Are there any documents which cover using wildcard masks discontiguously?

Best Regards,

Michael

Hi Michael,

I don't know of documents that would specifically cover the use of wildcard masks, although some may exist around access-lists or the "network" statement used in OSPF and EIGRP.

What I know is that you can use wildcard masks in a discontiguous manner freely whenever you need to, within the limits Jon and I described as to the meaning of 0s and 1s in the mask.

Cheers:

Istvan

Michael

I saw your entry in the other thread first and answered it there - wish I had seen this thread before answering there.

In general I believe that the mask you ask about here of 3.63.255.127 would be correct syntax for a mask in an access list.

I would point out that there are different requirements for wildcard masks depending on how they are to be used. I believe that access list logic will accept a wildcard mask with any combination of binary 1s and 0s. However a wildcard mask used in an OSPF network statement must conform to the contiguous rule that governs subnet masks. I remember in older versions of IOS that OSPF would accept a wildcard mask with non-contiguous 1s and 0s but then the behavior changed and now they must be contiguous. So what is acceptable is dependent on how it is to be used.

HTH

Rick
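The rule Jon and Istvan give above (a wildcard bit of 0 means "compare this address bit", a 1 means "don't care", and nothing forces the 1s to be contiguous), Michael's follow-up about 3.63.255.127, and Rick's remark that some consumers of a wildcard mask still require the contiguous form can all be checked bit-for-bit. The following Python is an added example written for this page; it is not code from any poster and not IOS source. It simulates ACE matching the way the thread describes it, evaluates the exact line from the quoted question against the two hosts named there, and adds two small checks: whether a mask is contiguous (and so convertible to a prefix length) and how many addresses a given mask lets through. The helper names, the second ACL, and the host addresses beyond those in the question are the example's own constructions; `any` and `host` are real IOS address keywords, and the `per` abbreviation is accepted because IOS takes unambiguous prefixes of keywords.

```python
"""Bit-level simulation of Cisco IOS wildcard-mask matching.

Added example for this thread; not a poster's code and not IOS source.
Wildcard bit 0 = the corresponding address bit must match; bit 1 = ignored.
The mask is applied bit-for-bit, so nothing requires the 1s to be contiguous.
Helper names are the example's own choice.
"""
from ipaddress import IPv4Address


def to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(IPv4Address(dotted))


def wildcard_match(address: str, pattern: str, wildcard: str) -> bool:
    """True if `address` matches the ACE pair `pattern wildcard`.

    Only bits where the wildcard is 0 are compared. Both sides are masked,
    so whatever the ACE's own address holds under the don't-care bits is
    irrelevant to the result.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(pattern) & care)


def _parse_spec(tokens, i):
    """Read one address spec (`any`, `host A`, or `A WILDCARD`) from tokens[i:]."""
    tok = tokens[i]
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tok, tokens[i + 1]), i + 2


def parse_ace(line: str):
    """Parse `access-list N permit|deny ip SRC-SPEC DST-SPEC` into (permit, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    permit = tokens[2].startswith("per")   # IOS accepts `per` for `permit`
    src, i = _parse_spec(tokens, 4)
    dst, _ = _parse_spec(tokens, i)
    return permit, src, dst


def evaluate_acl(acl_lines, src: str, dst: str) -> bool:
    """Walk the ACL top-down; the first matching entry decides, implicit deny at the end."""
    for line in acl_lines:
        permit, (s, s_wc), (d, d_wc) = parse_ace(line)
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return permit
    return False


def is_contiguous(wildcard: str) -> bool:
    """True if the wildcard has the shape 0...01...1, i.e. is an inverted subnet mask."""
    wc = to_int(wildcard)
    # For that shape wc + 1 is a power of two and shares no set bits with wc.
    return (wc + 1) & wc == 0


def to_prefix_length(wildcard: str):
    """Prefix length for a contiguous wildcard; None if it cannot describe a subnet."""
    if not is_contiguous(wildcard):
        return None
    return 32 - to_int(wildcard).bit_length()


def matched_address_count(wildcard: str) -> int:
    """Every don't-care bit doubles the number of addresses the pair covers."""
    return 1 << bin(to_int(wildcard)).count("1")


# Constructed inputs: the ACE from the quoted question, verbatim, and a
# two-line ACL (the example's own) that shows first-match ordering with the
# same discontiguous mask used as a deny ahead of a broad permit.
OP_ACE = "access-list 111 per ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255"
ORDERED_ACL = [
    "access-list 112 deny ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255",
    "access-list 112 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    print(evaluate_acl([OP_ACE], "10.1.1.30", "10.2.1.30"))     # True: 10.x.y.30 -> 10/8
    print(evaluate_acl([OP_ACE], "10.1.1.31", "10.2.1.30"))     # False: last octet differs
    print(evaluate_acl(ORDERED_ACL, "10.1.1.30", "10.2.1.30"))  # False: deny line hits first
    print(evaluate_acl(ORDERED_ACL, "10.1.1.31", "10.2.1.30"))  # True: falls through to permit
    for wc in ("0.0.0.255", "0.255.255.0", "3.63.255.127"):
        print(wc, is_contiguous(wc), to_prefix_length(wc), matched_address_count(wc))
```

Two things the run makes concrete. First, 10.1.1.30 really does match `10.0.0.30 0.255.255.0`, so the ACE in the question is syntactically and semantically what the poster intended; whatever went wrong with that VPN is not answered by the match rule alone, and the thread does not settle it. Second, 3.63.255.127 is a legal mask for ACL purposes and has 23 don't-care bits, so the pair covers 2^23 addresses, but `is_contiguous` reports False for it and for 0.255.255.0, which is the check to run before reusing a mask anywhere that, as Rick notes, expects the inverted-subnet-mask form.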

Hi Istvan/Rick

Thank you for the information. I think it's time to fire up my lab and experiment :)

Best Regards & Thanks again,

Michael

Hi Michael,

I like your style and wording :)

Cheers:

Istvan

Hi JCoke

Many thanks for the response and the links, they are very informative and will be very useful.

Best Regards & Thanks again,

Michael
