Subnet mask vs. wild card mask when using an access-list

jemorton
Level 1

Please help...

In an access-list similar to the following:

access-list 198 permit tcp 172.20.15.0 255.255.255.0 172.30.0.0 255.248.0.0

Question: when does one want to use a wildcard mask instead of a subnet mask, and why?

Any replies would be greatly appreciated.

thank you very much.

4 Replies

milan.kulik
Level 10

Hi,

generally:

Wildcard masks should be used in access lists.

Subnet masks won't work the way you expect (they would be treated like wildcard masks; IOS expects a wildcard mask in an access list).

Regards,

Milan

edmonds_robert
Level 1

I usually use wildcard masks for access-lists all the time, because it offers you much greater granularity in the control you have over traffic.

With subnet masks all of the ones and zeroes must be contiguous, as you know, and so you can permit or deny traffic in groups of 2, 4, 8, 16, 32, etc. only. With wildcard masks, you can permit or deny in groups of 1, 2, 3, 4, 5, odd numbers only, even numbers only, every other Thursday... OK, so maybe not every other Thursday, but just about any other combination you can think of. The control is so much greater because the ones and zeroes do NOT have to be contiguous.

For example, the network 172.16.0.0 with a wildcard mask of 0.0.0.254 will match all of the even-numbered IP addresses from 172.16.0.0 to 172.16.0.254. Try that with a subnet mask. And if you just want to allow, say, the first four IP addresses in the same subnet, use the wildcard mask 0.0.0.3. Finally, assume you want to match the IP addresses 172.16.0.0 through 172.16.31.255 (the private class B's); use 0.15.255.255.

http://www.twpm.com/internet/ccna/wildcardmasks.htm

I'll post more links as I find them.
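The following Python script is an added example, not code from either of the posters or from Cisco. It implements the rule IOS applies when it evaluates an access-list entry (a 0 bit in the wildcard means "this bit must match the reference address", a 1 bit means "don't care", so the comparison is `candidate AND NOT wildcard == reference AND NOT wildcard`) and uses it to check the three wildcard examples in the reply above, to convert the subnet masks in the original question into the wildcard masks IOS expects, and to show what Milan's warning means in practice: the subnet mask `255.255.255.0` from the question, read as a wildcard, does not match the intended /24 at all. The function names (`wildcard_match`, `subnet_to_wildcard`, `matching_hosts`, `corrected_ace`) and the ACL number 198 reused from the question are the example's own.

```python
"""Cisco IOS wildcard-mask matching, written as an illustration (not IOS code).

A wildcard mask is, bit for bit, the inverse of a subnet mask: 0 = "must match",
1 = "don't care".  Because IOS never requires the bits to be contiguous, one
entry can select every even host, the first four hosts, and so on.
"""
import ipaddress


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value):
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_match(candidate, reference, wildcard):
    """True if `candidate` matches `reference` under `wildcard` (IOS semantics).

    Bits set in the wildcard are ignored; all other bits must be equal:
        (candidate & ~wildcard) == (reference & ~wildcard)
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(candidate) & care) == (_to_int(reference) & care)


def subnet_to_wildcard(subnet_mask):
    """Invert a contiguous subnet mask into the wildcard mask IOS expects.

    Raises ValueError for a non-contiguous mask such as 255.0.255.0, since
    that is not a subnet mask and the inversion would hide the mistake.
    """
    inverted = ~_to_int(subnet_mask) & 0xFFFFFFFF
    # A contiguous mask inverts to a value of the form 2**n - 1.
    if (inverted + 1) & inverted:
        raise ValueError("not a contiguous subnet mask: %s" % subnet_mask)
    return _to_dotted(inverted)


def matching_hosts(reference, wildcard, prefix):
    """Every address inside `prefix` (CIDR string) that the entry would match.

    Used to show what a non-contiguous wildcard actually selects.
    """
    net = ipaddress.IPv4Network(prefix)
    return [str(a) for a in net if wildcard_match(str(a), reference, wildcard)]


def corrected_ace():
    """The entry from the question with its subnet masks turned into wildcards."""
    src, src_mask = "172.20.15.0", "255.255.255.0"
    dst, dst_mask = "172.30.0.0", "255.248.0.0"
    return "access-list 198 permit tcp %s %s %s %s" % (
        src, subnet_to_wildcard(src_mask), dst, subnet_to_wildcard(dst_mask))


if __name__ == "__main__":
    # The three wildcard examples from the reply above.
    print("even hosts in 172.16.0.0/24:",
          len(matching_hosts("172.16.0.0", "0.0.0.254", "172.16.0.0/24")))
    print("first four hosts:",
          matching_hosts("172.16.0.0", "0.0.0.3", "172.16.0.0/24"))
    print("172.31.255.255 under 0.15.255.255:",
          wildcard_match("172.31.255.255", "172.16.0.0", "0.15.255.255"))

    # Milan's warning: 255.255.255.0 taken as a wildcard ignores the first
    # three octets and insists the last octet be 0.  A host in the intended
    # subnet is NOT matched, while an unrelated address ending in .0 IS.
    print("172.20.15.1 matched:",
          wildcard_match("172.20.15.1", "172.20.15.0", "255.255.255.0"))
    print("10.1.2.0 matched:",
          wildcard_match("10.1.2.0", "172.20.15.0", "255.255.255.0"))

    print(corrected_ace())
```

Two things worth noting from running it: the wildcard `0.15.255.255` applied to `172.16.0.0` keeps only the top four bits of the second octet fixed, so it matches everything up to 172.31.255.255 (the whole 172.16.0.0/12 private range), and the subnet-mask version of the question's entry permits `10.1.2.0` but not `172.20.15.1`, which is exactly the kind of silent mismatch that turns a "permit" entry into a hole or a lockout.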

Thank you both for your replies.

You've been very helpful.

thank you.

edmonds_robert
Level 1

The link I was looking for earlier, from Cisco's website.

http://www.cisco.com/warp/public/707/confaccesslists.html#sum