Networking, Routers and Routing


    Chapter 11

    Access Control Lists and Wildcard Masks

    These notes guide you through the use of wildcard masks in Access Control Lists.

    Introduction

    Understanding Wildcard Masks

    Calculating Wildcard Masks from Subnet Masks

    Summary


    Introduction

    Wildcard masks are used with ACLs to define a range of IP addresses. This is similar to the job of a subnet mask, but be warned: wildcard masks work in the opposite fashion to subnet masks. Mastering ACLs requires a good understanding of wildcard masks. This means you must be able to work out which range of IP addresses an ACL applies to when reading an ACL written by someone else, and you must be able to calculate your own wildcard masks when writing your own ACLs.

     

    Understanding Wildcard Masks

    The point of a wildcard mask is to specify which bits in an IP address must match exactly when that address is compared with the address in an ACL entry, and which bits should be ignored. 'Don't care' bits are represented by binary 1's, whilst 'do care' bits are represented by binary 0's. Look at the following example:

    172.16.1.2 0.0.0.0

    The 0s in the mask indicate that all bit positions must match exactly. Therefore the ACL will only be applied to host 172.16.1.2. Another way of specifying a single host is with the host keyword. So these two standard ACL entries (a permit or deny action is required in the command; permit is used here) specify the same thing and will be applied to that one host:

    access-list 10 permit 172.16.1.2 0.0.0.0

    access-list 10 permit host 172.16.1.2

    Now for another example,

    172.16.1.0 0.0.0.255

    The 0's in the first three octets of the wildcard mask indicate that all bit positions must match exactly, but the last octet can be any valid number. In this case, the ACL will apply to all hosts in the 172.16.1.0 subnet (172.16.1.0 to 172.16.1.255).

    The table below shows the address and wildcard mask with the last octet in binary:

    IP Address        172   16   1   00000000
    Wildcard Mask       0    0   0   11111111
    What must match   172   16   1   don't care about any of these bits


    Now for a more difficult one:-

    172.16.1.0 0.0.0.3

    The 0's in the first three octets indicate that all bit positions must match exactly, as must the first 6 bit positions in the last octet. The least significant two bits in the last octet can take any value. So this mask would apply to hosts with addresses ranging from 172.16.1.0 to 172.16.1.3, i.e. the following addresses would match (last octet shown in binary):

    172.16.1.00000011 = 172.16.1.3
    172.16.1.00000010 = 172.16.1.2
    172.16.1.00000001 = 172.16.1.1
    172.16.1.00000000 = 172.16.1.0

    Note: this ignores the fact that, if 172.16.1.0/30 is a subnet, the first address in the list is its broadcast address and the last is its network address, so neither can be assigned to a host. The ACL still matches them: a wildcard mask describes a range of bit patterns, not a set of usable host addresses.

    The table below shows the address and wildcard mask with the last octet in binary:

    IP Address        172   16   1   00000000
    Wildcard Mask       0    0   0   00000011
    What must match   172   16   1   first 6 bits must be 0; don't care about the last 2 bits


    To summarize so far, the 0 bits in an ACL wildcard mask cause the ACL to check the corresponding bits in the IP address. The 1 bits in an ACL wildcard mask cause the ACL to ignore the corresponding bits in the IP address.
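    The following Python script is an added example and is not part of these notes; it implements the comparison described above the way a router performs it, as a bitwise check of the address against the ACL entry. The function names and the sample ACL are my own. It also goes beyond the notes in one respect: matched_addresses enumerates the addresses an entry selects even when the 1 bits of the wildcard mask are not contiguous, which is legal in an ACL but has no subnet-mask equivalent.

```python
"""Bit-level evaluation of a Cisco-style standard ACL entry.

Added example (not from the original notes). A packet's source address is
compared with an entry "base wildcard": bits under a 0 in the wildcard mask
must match, bits under a 1 are ignored.
"""
import ipaddress


def to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted-quad form."""
    return str(ipaddress.IPv4Address(value))


def acl_matches(address: str, base: str, wildcard: str) -> bool:
    """True if `address` is selected by the entry `base wildcard`.

    XOR marks the bits that differ; masking with the complement of the
    wildcard keeps only the 'do care' positions. Any survivor means no match.
    """
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) ^ to_int(base)) & care_bits == 0


def matched_addresses(base: str, wildcard: str, limit: int = 256) -> list[str]:
    """Enumerate every address an entry selects (capped at `limit` entries).

    Beyond the notes: the wildcard need not be a contiguous run of 1s, so the
    'don't care' bits are iterated wherever they sit in the mask.
    """
    base_i = to_int(base)
    wild_i = to_int(wildcard)
    # bit positions that are 1 in the wildcard, i.e. the don't-care bits
    free_bits = [1 << i for i in range(32) if wild_i & (1 << i)]
    if len(free_bits) > 16:  # 2**16 addresses is already too many to list
        raise ValueError("wildcard ignores too many bits to enumerate")
    result = []
    for combo in range(1 << len(free_bits)):
        value = base_i & ~wild_i & 0xFFFFFFFF  # the fixed bits, taken from base
        for idx, bit in enumerate(free_bits):
            if combo & (1 << idx):
                value |= bit
        result.append(to_dotted(value))
        if len(result) >= limit:
            break
    return result


def first_match(address: str, acl: list[tuple[str, str, str]]) -> str:
    """Walk an ACL top-down and return the action of the first matching
    entry, or 'deny' for the implicit deny at the end of every Cisco ACL."""
    for action, base, wildcard in acl:
        if acl_matches(address, base, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    # constructed sample ACL: block one host, allow the rest of its /24
    sample_acl = [
        ("deny", "172.16.1.2", "0.0.0.0"),
        ("permit", "172.16.1.0", "0.0.0.255"),
    ]
    for probe in ("172.16.1.2", "172.16.1.9", "172.16.2.9"):
        print(probe, "->", first_match(probe, sample_acl))
    print("172.16.1.0 0.0.0.3 selects", matched_addresses("172.16.1.0", "0.0.0.3"))
```

    Because the entries are evaluated top-down, the order matters: putting the permit line first would let 172.16.1.2 through before the deny is ever reached. The trailing implicit deny is why a standard ACL with only deny lines blocks everything.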

     

    Calculating Wildcard Masks from Subnet Masks

    As stated previously, a wildcard mask is used to specify a group of one or more IP addresses and can be considered similar to a subnet mask, except that the 1s and 0s are reversed. The wildcard masks for the standard classes of network are:

    Standard Class A network (subnet mask 255.0.0.0) - wildcard mask 0.255.255.255

    Standard Class B network (subnet mask 255.255.0.0) - wildcard mask 0.0.255.255

    Standard Class C network (subnet mask 255.255.255.0) - wildcard mask 0.0.0.255

    You should be able to see that the wildcard mask for each class is the bitwise opposite of the subnet mask for that class. The question now is, can you calculate a wildcard mask from a subnet mask? Well yes, easily!

    Example 1

    For example, suppose we have the subnet mask of 255.255.255.0. Then the inverse of this is 0.0.0.255. To see this...

    11111111.11111111.11111111.00000000 = 255.255.255.0

    The inverse is...

    00000000.00000000.00000000.11111111 = 0.0.0.255

    Example 2

    Here is another example. For a network with a subnet mask of 255.255.255.192, we have...

    11111111.11111111.11111111.11000000 = 255.255.255.192

    The inverse is...

    00000000.00000000.00000000.00111111 = 0.0.0.63

    If you are confident with calculating subnet masks, then calculating wildcard masks will be easy for you and the next trick will be all that you need.

    If you already know the subnet mask, the easiest way to calculate the wildcard mask is to:

    SUBTRACT EACH OCTET IN THE SUBNET MASK FROM 255


    As an example, let's find the wildcard mask for the subnet mask 255.255.255.240.

                      255   255   255   255
    Subnet Mask       255   255   255   240  -
    Wildcard Mask       0     0     0    15

    Here's another example:

                      255   255   255   255
    Subnet Mask       255   255   255   224  -
    Wildcard Mask       0     0     0    31

    Here's a final example:

                      255   255   255   255
    Subnet Mask       255   255   255   248  -
    Wildcard Mask       0     0     0     7
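    The following Python script is an added example and is not part of these notes. It implements both rules given above (the bitwise inverse and "subtract each octet from 255") so you can confirm they always agree, and it extends them to the /NN prefix notation used in the activity questions, which the notes do not cover directly. The function names are my own. It also includes a check that a supplied subnet mask is a contiguous run of 1s, since subtracting from 255 happily produces a wildcard from a malformed mask.

```python
"""Wildcard mask from a subnet mask or prefix length.

Added example, not part of the original notes. Implements the two rules the
notes give and extends them to /NN prefixes.
"""
import ipaddress


def wildcard_by_subtraction(subnet_mask: str) -> str:
    """The notes' shortcut: subtract each octet of the subnet mask from 255."""
    octets = [int(o) for o in subnet_mask.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {subnet_mask}")
    return ".".join(str(255 - o) for o in octets)


def wildcard_by_inversion(subnet_mask: str) -> str:
    """Bitwise inverse of the mask, which is what subtracting from 255 really does."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def is_contiguous_mask(subnet_mask: str) -> bool:
    """A subnet mask must be 1s followed by 0s. Anything else still yields a
    wildcard that an ACL will accept, but it no longer describes a subnet."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    inverted = ~mask & 0xFFFFFFFF
    # the inverse of a contiguous mask is 2**n - 1, for which x & (x + 1) == 0
    return inverted & (inverted + 1) == 0


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard for a /NN network: the low (32 - NN) bits are 'don't care'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def acl_entry_for_network(cidr: str) -> str:
    """Render the address/wildcard pair for a standard ACL line,
    e.g. 192.168.14.0/25 -> '192.168.14.0 0.0.0.127'."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address} {wildcard_for_prefix(net.prefixlen)}"


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.192", "255.255.255.240"):
        print(mask, "->", wildcard_by_subtraction(mask), wildcard_by_inversion(mask))
    for cidr in ("192.168.14.0/25", "172.16.0.0/18"):
        print(cidr, "->", acl_entry_for_network(cidr))
    print("255.255.0.255 contiguous?", is_contiguous_mask("255.255.0.255"))
```

    Using the 255 - octet shortcut on a non-contiguous mask such as 255.255.0.255 gives 0.0.255.0, which an ACL will accept and apply as written; the check exists so that a typo in a subnet mask is caught before it becomes an entry that matches far more than intended.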

    Activity A

    Now answer the following questions:

    1. Specify the wildcard mask for a network with the subnet mask of 255.255.240

    2. Specify the wildcard mask for a network with the subnet mask of 255.255.252

    3. Specify the wildcard mask for network 192.168.14.0/25

    4. Specify the wildcard mask for network 172.16.0.0/18

     

    Summary

    On completing these notes you should understand the following points:

    • Wildcard masks are the inverse of subnet masks
    • 0's in a wildcard mask cause the ACL to check the corresponding bits in the IP address.
    • 1's in a wildcard mask cause the ACL to ignore the corresponding bits in the IP address
    • To calculate a wildcard mask from a subnet mask, subtract each octet in the subnet mask from 255.