Wildcard masks used in Cisco ACL's

Hi All

This is just something I came across in another thread and as I do not wish to hijack the thread, I thought I would open up a new request for clarification.

A forum member posted the following question,

=======Forum members question =========

"I have 2 routers connected via serial link, RA and RB. RA has a pc in its lan with IP 10.1.1.30/24, RB has a pc with IP 10.2.1.30/24, now I am deploying a very SIMPLE site to site vpn with this access-list on both sides,

access-list 111 per ip 10.0.0.30 0.255.255.0 10.0.0.0 0.255.255.255,

now I think that it should work but it didn't, I want to know why that is ??? when traffic originates from 10.1.1.30 doesn't it match 10.0.0.30 0.255.255.0 ??, can someone clear my confusion ? "

============= End of Question =========

The wildcard mask 0.255.255.0 is totally alien to me.

In my studies to date (CCNA & some CCNP) I learned that a wildcard mask is the inverse of the subnet mask. From this I thought that, apart from the "any host" wildcard mask 255.255.255.255 which is comprised of contiguous "1's" and the single host wildcard mask 0.0.0.0 which is comprised of contiguous "0's", all wildcard masks read from left to right would have to be a contiguous number of "0's" followed by a contiguous number of "1's", depending on the range of hosts being matched.

Now it appears that this is not the case.

If I can indeed use a wildcard mask of 0.255.255.0 to match, as in the OP's question, 10.x.y.30, where can I learn about this and why don't they teach the truth in the CCNA and CCNP study material?

Best Regards & TIA,

Michael

2 ACCEPTED SOLUTIONS


Re: Wildcard masks used in Cisco ACL's

Michael

A subnet mask has to be contiguous. However there is no requirement for a wildcard to be contiguous at all. So

10.0.0.30 0.255.255.0 means any host that has the first octet as 10 and the last octet of 30 with the middle 2 octets being anything at all.

99% of the time the wildcard mask is just the inverse of the subnet mask but it doesn't have to be.

Jon

Re: Wildcard masks used in Cisco ACL's

Hi Michael,

The subject is in the study materials but it is not explicit.

In wildcard masks a "0" means that the respective bit of the addresses must be COMPARED (and must match for the acl statement to be true).

A "1" means that we don't care about the respective bits, these bits do not have to be compared, this is why these are the "don't care bits".

In the above case 10.x.y.30, all bits of the 1st byte must match, and all bits of the last byte must match.

All bits of the 2nd and 3rd byte may be ignored during the evaluation of the acl statement.

So a wildcard mask can be discontiguous.

Cheers:

Istvan

9 REPLIES

Re: Wildcard masks used in Cisco ACL's

Hi Jon/Istvan

Cheers for the response and the clarification, much appreciated.

This information leads me to ask how far can I take this?

Can I for instance have a wildcard mask of 3.63.255.127?

Are there any documents which cover using wildcard masks discontiguously?

Best Regards,

Michael

Re: Wildcard masks used in Cisco ACL's

Hi Michael,

I don't know of documents that would specifically cover the use of wildcard masks, although some may exist around the access-lists or the "network" statement used in ospf and eigrp.

What I know is that you can use the wildcard masks in a discontiguous manner freely whenever you need to, within the limits Jon and I described as to the meaning of 0s and 1s in the mask.

Cheers:

Istvan


Re: Wildcard masks used in Cisco ACL's

Michael

I saw your entry in the other thread first and answered it there - wish I had seen this thread before answering there.

In general I believe that the mask you ask about here of 3.63.255.127 would be correct syntax for a mask in an access list.

I would point out that there are different requirements for wildcard masks depending on how they are to be used. I believe that access list logic will accept a wildcard mask with any combination of binary 1s and 0s. However a wildcard mask used in an OSPF network statement must conform to the contiguous rule that governs subnet masks. I remember in older versions of IOS that OSPF would accept a wildcard mask with non-contiguous 1s and 0s but then the behavior changed and now they must be contiguous. So what is acceptable is dependent on how it is to be used.

HTH

Rick
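The bit-by-bit rule Istvan gives (a 0 bit in the wildcard means "compare", a 1 bit means "don't care") and the contiguity question Rick raises can both be checked in a few lines. The following Python is an added example, not code from the original thread or from Cisco: it evaluates the OP's access-list entry `10.0.0.30 0.255.255.0` against the two PCs, tests whether a wildcard such as Michael's `3.63.255.127` is the inverse of a valid subnet mask (the form a contiguous mask must take), and counts how many addresses each mask covers. The `normalize_ace` helper assumes the usual IOS behaviour of storing an ACE with its don't-care bits zeroed; the function names are this example's own.

```python
"""Evaluate Cisco-style wildcard masks bit by bit (added example, not Cisco code)."""
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad IPv4 string."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def ace_matches(packet_ip: str, ace_addr: str, wildcard: str) -> bool:
    """True if packet_ip matches the access-list entry 'ace_addr wildcard'.

    A 0 bit in the wildcard means the corresponding address bit is compared
    and must be equal; a 1 bit is a "don't care" bit and is ignored.
    Nothing in this rule requires the 1 bits to be contiguous.
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF          # 1 where the bit is compared
    return (_to_int(packet_ip) & care) == (_to_int(ace_addr) & care)


def normalize_ace(ace_addr: str, wildcard: str) -> str:
    """Zero the don't-care bits of the address.

    Assumption (matches observed IOS behaviour): the router stores an ACE this
    way, so 'permit 10.5.5.30 0.255.255.0' is shown as '10.0.0.30 0.255.255.0'.
    """
    return _to_dotted(_to_int(ace_addr) & ~_to_int(wildcard))


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is the bitwise inverse of a valid subnet mask,
    i.e. a run of 0 bits followed by a run of 1 bits (0.0.0.0 and
    255.255.255.255 included). Such a value is 2**k - 1, so adding 1 to it
    produces a number that shares no set bit with the original.
    """
    w = _to_int(wildcard)
    return ((w + 1) & w) == 0


def matched_host_count(wildcard: str) -> int:
    """Number of addresses an ACE with this wildcard matches: 2 ** (don't-care bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")


def describe(ace_addr: str, wildcard: str) -> str:
    """One-line summary of an ACE as the router would store and evaluate it."""
    kind = "contiguous" if is_contiguous_wildcard(wildcard) else "discontiguous"
    return (f"{normalize_ace(ace_addr, wildcard)} {wildcard}: {kind} wildcard, "
            f"matches {matched_host_count(wildcard)} addresses")


if __name__ == "__main__":
    # The ACE from the thread: source 10.0.0.30 0.255.255.0, i.e. 10.x.y.30
    ace, wc = "10.0.0.30", "0.255.255.0"
    for ip in ("10.1.1.30", "10.2.1.30", "10.1.1.31", "11.1.1.30"):
        print(f"{ip:>12} matches {ace} {wc}: {ace_matches(ip, ace, wc)}")
    # Michael's 3.63.255.127 is legal ACL syntax but is not the inverse of any subnet mask
    for wc in ("0.0.0.255", "0.255.255.0", "3.63.255.127"):
        print(describe("10.1.1.30", wc))
```

Running it shows both 10.1.1.30 and 10.2.1.30 matching the OP's entry (the first and last octets are compared, the middle two are ignored), while 10.1.1.31 and 11.1.1.30 do not. The contiguity test is the one to apply before reusing a wildcard somewhere that, as Rick notes, may insist on the inverse-subnet-mask form.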


Re: Wildcard masks used in Cisco ACL's

Hi Istvan/Rick

Thank you for the information. I think it's time to fire up my lab and experiment :)

Best Regards & Thanks again,

Michael

Re: Wildcard masks used in Cisco ACL's

Hi Michael,

I like your style and wording :)

Cheers:

Istvan


Re: Wildcard masks used in Cisco ACL's


Re: Wildcard masks used in Cisco ACL's

Hi JCoke

Many thanks for the response and the links, they are very informative and will be very useful.

Best Regards & Thanks again,

Michael
