Cisco Support Community
New Member

(netmask is ? Why is it written like this?

-- from cisco router access-list

permit ip any


Why is the netmask written by ?



Re: (netmask is ? Why is it written like this?

This is the decimal representation of a binary digit. The last eight bits of the mask are 0000 0110. The number 105 in binary is: 0110 1001.

Your access-list matches all odd numbers between 105 and 111.


New Member

Re: (netmask is ? Why is it written like this?

This is not a subnet mask. These are access list parameters to define the portion of the IP address that should be examined. This is also called a wildcard mask. If we convert this into binary we will have the following:

Decimal Binary

Ip 11010001.01101110.00100000.01101001

Mask 00000000.00000000.00000000.00000110

Result to 111 11010001.01101110.00100000.01101xx1

The last two x's mean that every address that does not have these binary positions in 1s will be blocked; thus, addresses between 105 and 111 will be allowed.

More generally, the wildcard mask means the following:

Bit positions of binary 0 mean that the access list compares the corresponding bit position in the IP address and makes sure it is equal to the same bit position in the address configured in the access-list statement. Bit positions of binary 1 are wildcards; those bit positions are immediately considered to be a match.

Re: (netmask is ? Why is it written like this?

You make one mistake in your reasoning:

As the least significant bit is not in the wildcard, the numbers will have to end with a one to pass the access-list. Thus, as I already stated, this list only matches the odd numbers between 105 and 111.

105, 107, 109, 111 will pass.

106, 108, 110 will fail while their LSB equals zero.
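
The matching rule discussed in the posts above, as an added example (not code from any poster in this thread): it takes the address and wildcard mask from the binary table earlier in the thread, enumerates every address the entry matches, and tests each last-octet value from 105 to 111. The function names are illustrative.

```python
import ipaddress

# Address and wildcard mask copied from the binary table in the thread.
ACL_ADDR_BITS = "11010001.01101110.00100000.01101001"
ACL_WILD_BITS = "00000000.00000000.00000000.00000110"

def from_dotted_binary(text):
    """Convert 'bbbbbbbb.bbbbbbbb.bbbbbbbb.bbbbbbbb' to a 32-bit integer."""
    octets = text.split(".")
    if len(octets) != 4 or any(len(o) != 8 or set(o) - {"0", "1"} for o in octets):
        raise ValueError(f"not a dotted-binary IPv4 value: {text!r}")
    return int("".join(octets), 2)

def acl_matches(candidate, base, wildcard):
    """True if candidate equals base in every bit where the wildcard bit is 0."""
    care_bits = ~wildcard & 0xFFFFFFFF
    return ((candidate ^ base) & care_bits) == 0

def matched_addresses(base, wildcard):
    """List every address the entry matches by walking all subsets of the
    wildcard bits (2**n results for n wildcard bits, so keep n small)."""
    fixed = base & ~wildcard & 0xFFFFFFFF
    found = []
    sub = wildcard
    while True:
        found.append(fixed | sub)
        if sub == 0:
            break
        sub = (sub - 1) & wildcard  # next smaller subset of the wildcard bits
    return sorted(found)

def last_octets(addresses):
    """Last octet of each address, for comparison with the thread's numbers."""
    return [a & 0xFF for a in addresses]

BASE = from_dotted_binary(ACL_ADDR_BITS)
WILD = from_dotted_binary(ACL_WILD_BITS)

if __name__ == "__main__":
    for addr in matched_addresses(BASE, WILD):
        print("matched:", ipaddress.IPv4Address(addr))
    # Test the whole 105-111 range in the last octet, as discussed in the thread.
    prefix = BASE & 0xFFFFFF00
    for host in range(105, 112):
        verdict = "match" if acl_matches(prefix | host, BASE, WILD) else "no match"
        print(host, verdict)
```
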

New Member

Re: (netmask is ? Why is it written like this?

You're right. I assumed it was understood that since the last bit ends in 1 all binary numbers to be allowed would have to end in 1 for the given range. Now I understand why there was something "odd" missing in my answer. :-)

New Member

Re: (netmask is ? Why is it written like this?

Looks like some sharp networkers beat me to it. I will add some comments to reiterate in a different way. In networking we have two types of masks: one is a subnet mask and the other is a network mask. A subnet mask is used for things like router table entries where any bit in the mask that is a one matches that bit position and any bit with a zero is known as don't care. Subnet masks are used to network networks or basically tell a router which network an address belongs to so that it knows which direction traffic should be directed. Routers care about networks, not the individual hosts. So, if we have an address: with a subnet mask I know this is a class B network with a class C mask, but I am using it to prove a point), the network would be, and the host would be In other words, the first three octets would match the mask thus identifying what the network is.

In access lists, we use a network mask or wildcard mask. In this case, it is an exact opposite of a subnet mask. If I wanted to use the same example, I would have with a wildcard mask of Hope this helps!
