Wildcard Masks in ACLs

4.2.1

Wildcard Mask Overview

In the previous topic, you learned about the purpose of ACL. This topic explains how ACL uses wildcard masks. An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match. Wildcard masks are also used by the Open Shortest Path First (OSPF) routing protocol.

A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, they differ in the way they match binary 1s and 0s. Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask, the reverse is true.

Wildcard masks use the following rules to match binary 1s and 0s:

Wildcard mask bit 0 – Match the corresponding bit value in the address
Wildcard mask bit 1 – Ignore the corresponding bit value in the address

The table lists some examples of wildcard masks and what they would identify.

Wildcard MaskLast Octet (in Binary)Meaning (0 – match, 1 – ignore)0.0.0.000000000Match all octets.0.0.0.6300111111Match the first three octets.Match the two left most bits of the last octet.Ignore the last 6 bits.0.0.0.1500001111Match the first three octets.Match the four left most bits of the last octet.Ignore the last 4 bits of the last octet.0.0.0.24811111100Match the first three octets.Ignore the six left most bits of the last octet.Match the last two bits.0.0.0.25511111111Match the first three octets.Ignore the last octet.
Wildcard Mask	Last Octet (in Binary)	Meaning (0 – match, 1 – ignore)
0.0.0.0	00000000	Match all octets.
0.0.0.63	00111111	Match the first three octets Match the two left most bits of the last octet Ignore the last 6 bits
0.0.0.15	00001111	Match the first three octets Match the four left most bits of the last octet Ignore the last 4 bits of the last octet
0.0.0.252	11111100	Match the first three octets Ignore the six left most bits of the last octet Match the last two bits
0.0.0.255	11111111	Match the first three octet Ignore the last octet

4.2.2

Wildcard Mask Types

Using wildcard masks will take some practice. Refer to the examples to learn how the wildcard mask is used to filter traffic for one host, one subnet, and a range IPv4 addresses.

Wildcard to Match a Host

In this example, the wildcard mask is used to match a specific host IPv4 address. Assume ACL 10 needs an ACE that only permits the host with IPv4 address 192.168.1.1. Recall that “0” equals a match and “1” equals ignore. To match a specific host IPv4 address, a wildcard mask consisting of all zeroes (i.e., 0.0.0.0) is required.

The table lists in binary, the host IPv4 address, the wildcard mask, and the permitted IPv4 address.

The 0.0.0.0 wildcard mask stipulates that every bit must match exactly. Therefore, when the ACE is processed, the wildcard mask will permit only the 192.168.1.1 address. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1 0.0.0.0.


	Decimal	Binary
IPv4 address	192.168.1.1	11000000.10101000.00000001.00000001
Wildcard Mask	0.0.0.0	00000000.00000000.00000000.00000000
Permitted IPv4 Address	192.168.1.1	11000000.10101000.00000001.00000001

Wildcard Mask to Match an IPv4 Subnet

In this example, ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The wildcard mask 0.0.0.255 stipulates that the very first three octets must match exactly but the fourth octet does not.

The table lists in binary, the host IPv4 address, the wildcard mask, and the permitted IPv4 addresses.

When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24 network. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0 0.0.0.255.


	Decimal	Binary
IPv4 address	192.168.1.1	11000000.10101000.00000001.00000001
Wildcard Mask	0.0.0.255	00000000.00000000.00000000.11111111
Permitted Host IPv4 Addresses	192.168.1.1 to 192.168.1.254	11000000.10101000.00000001.00000000 11000000.10101000.00000001.11111111

Wildcard Mask to Match an IPv4 Address Range

In this example, ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24, …, 192.168.31.0/24 networks. The wildcard mask 0.0.15.255 would correctly filter that range of addresses.

The table lists in binary the host IPv4 address, the wildcard mask, and the permitted IPv4 addresses.

The highlighted wildcard mask bits identify which bits of the IPv4 address must match. When processed, the wildcard mask 0.0.15.255 permits all hosts in the 192.168.16.0/24 to 192.168.31.0/24 networks. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.16.0 0.0.15.255.


	Decimal	Binary
IPv4 address	192.168.16.0	11000000.10101000.00010000.00000000
Wildcard Mask	0.0.15.255	00000000.00000000.00001111.11111111
Permitted Host IPv4 Addresses	192.168.16.1 to 192.168.31.254	11000000.10101000.00010000.00000000 11000000.10101000.00011111.11111111

4.2.3

Wildcard Mask Calculation

Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255. Refer to the examples to learn how to calculate the wildcard mask using the subnet mask.

Example 1

Assume you wanted an ACE in ACL 10 to permit access to all users in the 192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask (i.e., 255.255.255.0) from 255.255.255.255, as shown in the table.

The solution produces the wildcard mask 0.0.0.255. Therefore, the ACE would be access-list 10 permit 192.168.3.0 0.0.0.255.



Starting value	255.255.255.255
Subtract the subnet mask	- 255.255.255. 0
Resulting wildcard mask	0. 0. 0.255

Example 2

In this example, assume you wanted an ACE in ACL 10 to permit network access for the 14 users in the subnet 192.168.3.32/28. Subtract the subnet (i.e., 255.255.255.240) from 255.255.255.255, as shown in the table.

This solution produces the wildcard mask 0.0.0.15. Therefore, the ACE would be access-list 10 permit 192.168.3.32 0.0.0.15.


Starting value	255.255.255.255
Subtract the subnet mask	- 255.255.255.240
Resulting wildcard mask	0. 0. 0. 15

Example 3

In this example, assume you needed an ACE in ACL 10 to permit only networks 192.168.10.0 and 192.168.11.0. These two networks could be summarized as 192.168.10.0/23 which is a subnet mask of 255.255.254.0. Again, you subtract 255.255.254.0 subnet mask from 255.255.255.255, as shown in the table.

This solution produces the wildcard mask 0.0.1.255. Therefore, the ACE would be access-list 10 permit 192.168.10.0 0.0.1.255.



Starting value	255.255.255.255
Subtract the subnet mask	- 255.255.254. 0
Resulting wildcard mask	0. 0. 1.255

Example 4

Consider an example in which you need an ACL number 10 to match networks in the range between 192.168.16.0/24 to 192.168.31.0/24. This network range could be summarized as 192.168.16.0/20 which is a subnet mask of 255.255.240.0. Therefore, subtract 255.255.240.0 subnet mask from 255.255.255.255, as shown in the table.

This solution produces the wildcard mask 0.0.15.255. Therefore, the ACE would be access-list 10 permit 192.168.16.0 0.0.15.255.



Starting value	255.255.255.255
Subtract the subnet mask	- 255.255.240. 0
Resulting wildcard mask	0. 0. 15.255

4.2.4

Wildcard Mask Keywords

Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, the Cisco IOS provides two keywords to identify the most common uses of wildcard masking. Keywords reduce ACL keystrokes and make it easier to read the ACE.

The two keywords are:

host – This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to filter just one host address.
any – This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4 address or to accept any addresses.

For example, in the command output, two ACLs are configured. The ACL 10 ACE permits only the 192.168.10.10 host and the ACL 11 ACE permits all hosts.

R1(config)# access-list 10 permit 192.168.10.10  0.0.0.0
R1(config)# access-list 11 permit  0.0.0.0 255.255.255.255
R1(config)#

Alternatively, the keywords host and any could have been used to replace the highlighted output.

The following commands accomplishes the same task as the previous commands.

R1(config)# access-list 10 permit host 192.168.10.10

R1(config)# access-list 11 permit  any
R1(config)#

4.2.5 Check Your Understanding – Wildcard Masks in ACLs

Guidelines for ACL Creation