Wildcard Masks in ACLs
Wildcard Mask Overview
In the previous topic, you learned about the purpose of ACLs. This topic explains how ACLs use wildcard masks. An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match. Wildcard masks are also used by the Open Shortest Path First (OSPF) routing protocol.
A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, they differ in the way they match binary 1s and 0s. Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a match, in a wildcard mask, the reverse is true.
Wildcard masks use the following rules to match binary 1s and 0s:
- Wildcard mask bit 0 – Match the corresponding bit value in the address
- Wildcard mask bit 1 – Ignore the corresponding bit value in the address
The table lists some examples of wildcard masks and what they would identify.
Wildcard Mask | Last Octet (in Binary) | Meaning (0 – match, 1 – ignore) |
---|---|---|
0.0.0.0 | 00000000 | Match all octets. |
0.0.0.63 | 00111111 | Match the first three octets; match the two leftmost bits of the last octet; ignore the last 6 bits. |
0.0.0.15 | 00001111 | Match the first three octets; match the four leftmost bits of the last octet; ignore the last 4 bits. |
0.0.0.252 | 11111100 | Match the first three octets; ignore the six leftmost bits of the last octet; match the last 2 bits. |
0.0.0.255 | 11111111 | Match the first three octets; ignore the last octet. |
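The bit rules above, applied in code. This is an added example (not part of the course material): it evaluates an ACE's address and wildcard mask against a packet address the way the table describes, derives a wildcard mask from a CIDR prefix, and shows the range an ACE with a contiguous wildcard covers. The addresses used are constructed sample values.

```python
# Added example: wildcard-mask matching as described in the text.
# Rule: wildcard bit 0 = the address bit must match, wildcard bit 1 = ignore it.
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF  # 32-bit mask used to invert the wildcard


def wildcard_matches(ace_address: str, wildcard: str, packet_address: str) -> bool:
    """Return True if packet_address matches the ACE (address + wildcard mask).

    Invert the wildcard so that 1 marks a "must match" bit, AND both addresses
    with it, and compare the results. Works for non-contiguous masks too
    (e.g. 0.0.0.252, which checks only the last two bits of the last octet).
    """
    ace = int(IPv4Address(ace_address))
    wc = int(IPv4Address(wildcard))
    pkt = int(IPv4Address(packet_address))
    care_bits = ~wc & ALL_ONES          # 1 wherever the wildcard bit is 0
    return (ace & care_bits) == (pkt & care_bits)


def wildcard_from_prefix(network: str) -> str:
    """Wildcard mask for a CIDR network: the bitwise inverse of its subnet mask.

    192.168.10.0/24 -> 0.0.0.255, /26 -> 0.0.0.63, /28 -> 0.0.0.15.
    """
    net = IPv4Network(network, strict=False)
    return str(net.hostmask)  # ipaddress already exposes the inverted netmask


def matching_range(ace_address: str, wildcard: str) -> tuple:
    """Lowest and highest address covered by an ACE with a contiguous wildcard."""
    ace = int(IPv4Address(ace_address))
    wc = int(IPv4Address(wildcard))
    low = ace & (~wc & ALL_ONES)        # clear the ignored bits
    high = low | wc                     # set the ignored bits
    return str(IPv4Address(low)), str(IPv4Address(high))


if __name__ == "__main__":
    # One host, one subnet, and a range of addresses (sample values).
    print(wildcard_matches("192.168.10.10", "0.0.0.0", "192.168.10.10"))     # host
    print(wildcard_matches("192.168.10.0", "0.0.0.255", "192.168.10.200"))   # subnet
    print(matching_range("192.168.10.64", "0.0.0.63"))                       # range
```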
Wildcard Mask Types
Using wildcard masks will take some practice. Refer to the examples to learn how the wildcard mask is used to filter traffic for one host, one subnet, and a range of IPv4 addresses.