New Member

Wildcard Mask

Hi!

I want to know about the wildcard mask:

1) What is it and why do we use it?

2) For the wildcard mask that we use in OSPF and in ACLs, what is the difference between the two?

I mean in OSPF we say network 1.1.1.1  0.1.0.1 and in ACL we say access-control 5 1.1.1.1'  '0.1.0.1 area 1.

My question is: the same command is invalid in the case of OSPF but valid in an ACL. What is the reason behind that?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Wildcard Mask

Hi,

The use of wildcard masks in the network command is controversial and in my opinion, Cisco should not have done that in the first place. It unnecessarily confuses people because they think they can use any wildcard mask in the network command while in reality, the mask must either be a subnet mask (the command will accept it), or it must be a wildcard mask that corresponds to a valid subnet mask. It is not possible to use wildcard masks in the network command that do not directly correspond to a valid subnet mask.

In ACLs, that's a different story. In an ACL, you compare the source/destination IP address of packets to the addresses in the ACL entry. You need to have a means of saying which bits you want to compare between the packet addresses and the ACL entry addresses, and which bits you want to ignore. This is accomplished by the use of wildcard masks - in an ACL entry, a wildcard mask tells the router which bits of the packet's addresses shall be compared, and the addresses in the ACL entry tell the router what value the compared bits should be set to. Note that this has no direct relation to subnet masks at all. I may want, for whatever purpose, to compare only the 1st, 8th-15th and 23rd bits. This does not create any sensible subnet, though the need to compare just these bits may be perfectly valid. That is why subnet masks and wildcard masks are two different things - because they have different purposes.

Best regards,

Peter

4 REPLIES
New Member

Wildcard Mask

0.1.0.1 is a wrong wildcard mask.

Read about subnet masks.

New Member

Wildcard Mask

Then why is it acceptable in access-control?

access-control 1 permit 1.1.1.1 1.0.1.0

This command is valid in the router, why? Here 1.0.1.0 is the wildcard mask.

Re:Wildcard Mask

Wildcard masks are often used on routers and switches.

Two rules of the WC mask:

A 0 bit means match
A 1 bit means ignore


Jawad
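
The bit rules from the replies above (0 bit = compare, 1 bit = ignore) and the accepted answer's distinction between an arbitrary ACL wildcard and one that corresponds to a valid subnet mask, as an added Python example that is not part of the original thread. The function names are hypothetical; the sample addresses are the ones from the question.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def acl_match(packet_addr: str, entry_addr: str, wildcard: str) -> bool:
    """ACL-style comparison: only bits where the wildcard is 0 are compared."""
    care = ~to_int(wildcard) & MASK32  # invert: 1 now marks a compared bit
    return (to_int(packet_addr) & care) == (to_int(entry_addr) & care)

def corresponds_to_subnet_mask(wildcard: str) -> bool:
    """True if the wildcard is the inverse of a contiguous subnet mask,
    i.e. all its 1 bits sit together at the low end (0...01...1)."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0

def matched_addresses(entry_addr: str, wildcard: str) -> list:
    """List every address an ACL entry matches (small wildcards only)."""
    w = to_int(wildcard)
    if bin(w).count("1") > 16:
        raise ValueError("too many ignored bits to enumerate")
    base = to_int(entry_addr) & ~w & MASK32
    found = []
    sub = w
    while True:  # walk every subset of the ignored bits
        found.append(base | sub)
        if sub == 0:
            break
        sub = (sub - 1) & w
    return [str(ipaddress.IPv4Address(a)) for a in sorted(found)]

if __name__ == "__main__":
    # Values from the question: entry 1.1.1.1, wildcard 0.1.0.1
    print(matched_addresses("1.1.1.1", "0.1.0.1"))
    print(corresponds_to_subnet_mask("0.1.0.1"))    # arbitrary bit pattern
    print(corresponds_to_subnet_mask("0.0.0.255"))  # inverse of 255.255.255.0
```

When auditing ACLs, a wildcard for which `corresponds_to_subnet_mask` is false deserves a second look, because the set of addresses it permits or denies is not a single subnet and is easy to misjudge by eye.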