Understanding Wildcard Masks
The point of a wildcard mask is to specify which bits of an IP address must match exactly when that address is compared with another, and which bits are ignored. 'Don't care' bits are represented by binary 1s, whilst 'do care' bits are represented by binary 0s. Note that this is the opposite convention to a subnet mask, where 1s mark the bits that matter. Look at the following example:-
172.16.1.2 0.0.0.0
The 0s in the mask indicate that all 32 bit positions must match exactly, so the ACL entry applies only to the single host 172.16.1.2. Another way of specifying a particular host is the host keyword. The following two entries therefore mean the same thing and apply to the one host (a standard ACL entry also needs a permit or deny action, shown here as permit):
access-list 10 permit 172.16.1.2 0.0.0.0
access-list 10 permit host 172.16.1.2
Now for another example,
172.16.1.0 0.0.0.255
The 0s in the first three octets of the wildcard mask indicate that those bit positions must match exactly, while the 1s in the last octet mean it can take any value from 0 to 255. In this case the ACL entry applies to every address in 172.16.1.0/24 (172.16.1.0 to 172.16.1.255).
The table below shows the address and wildcard mask, with the last octet in binary:

| Octet           | 1st | 2nd | 3rd | 4th (binary)                        |
| IP Address      | 172 | 16  | 1   | 00000000                            |
| Wildcard Mask   | 0   | 0   | 0   | 11111111                            |
| What Must Match | 172 | 16  | 1   | don't care about any of these bits  |
Now for a more difficult one:-
172.16.1.0 0.0.0.3
The 0s in the first three octets indicate that all bit positions there must match exactly, as must the first six bit positions of the last octet. Only the least significant two bits of the last octet are don't-care bits, so this mask matches addresses from 172.16.1.0 to 172.16.1.3 (the same set of addresses as 172.16.1.0/30).
I.e. the following addresses would match (last octet shown in binary):
172.16.1.00000011 (172.16.1.3)
172.16.1.00000010 (172.16.1.2)
172.16.1.00000001 (172.16.1.1)
172.16.1.00000000 (172.16.1.0)
Note: if 172.16.1.0/30 is a subnet, the first address listed (172.16.1.3) is its broadcast address and the last (172.16.1.0) its network address, so neither would be assigned to a host. The wildcard comparison is purely bitwise and matches them regardless, so they are listed here anyway.
The table below shows the address and wildcard mask, with the last octet in binary:

| Octet           | 1st | 2nd | 3rd | 4th (binary)                                              |
| IP Address      | 172 | 16  | 1   | 00000000                                                  |
| Wildcard Mask   | 0   | 0   | 0   | 00000011                                                  |
| What Must Match | 172 | 16  | 1   | don't care about the last 2 bits as long as the first 6 are 0s |
To summarize so far, the 0 bits in an ACL wildcard mask cause the ACL to check the corresponding bits in the IP address. The 1 bits in an ACL wildcard mask cause the ACL to ignore the corresponding bits in the IP address.
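As an added illustration (this is not code from the original page), the Python below puts that rule into code: the comparison is purely bitwise, so an address matches an entry when every do-care bit equals the base address. It covers the three entries discussed above and goes one step beyond them to a non-contiguous wildcard such as 0.0.0.254, which IOS accepts and which matches only even last octets, a common source of surprise when a mask is mistyped. The function names and the sample addresses are the editor's own choices; only the standard library is used, so it runs offline.

```python
"""Bitwise ACL wildcard-mask matching (added example, not from the original page).

Uses only the standard library `ipaddress` module; every address used below is a
constructed sample value.
"""
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = 0xFFFFFFFF  # 32-bit mask so Python's ~ stays within IPv4 width


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """True if `address` is matched by the ACL entry `base wildcard`.

    A 0 bit in the wildcard is a 'do care' bit (must equal the base); a 1 bit
    is a 'don't care' bit (ignored).  As integers: (address XOR base) must be
    zero in every position where the wildcard is zero.
    """
    addr = int(IPv4Address(address))
    b = int(IPv4Address(base))
    wc = int(IPv4Address(wildcard))
    care = ~wc & ALL_ONES          # 1 where the bit must match exactly
    return ((addr ^ b) & care) == 0


def matching_addresses(base: str, wildcard: str, limit: int = 1 << 16) -> list:
    """Enumerate every address the entry matches: the general form of the
    four-address list in the text.  Refuses masks with more than 16 don't-care
    bits so the returned list stays small."""
    b = int(IPv4Address(base))
    wc = int(IPv4Address(wildcard))
    if wc > limit:
        raise ValueError("too many don't-care bits to enumerate")
    care = ~wc & ALL_ONES
    fixed = b & care               # the bits the base address contributes
    # Every integer i whose set bits lie inside the wildcard is one choice of
    # the don't-care bits; OR it into the fixed part to get a matching address.
    return [str(IPv4Address(fixed | i)) for i in range(wc + 1) if (i & care) == 0]


def match_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest matched address.  Valid only when the wildcard's 1 bits
    run contiguously from the low end (0.0.0.3, 0.0.0.255, ...); a
    non-contiguous wildcard does not match a single range, so raise instead of
    returning a misleading answer."""
    b = int(IPv4Address(base))
    wc = int(IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard: matches are not a single range")
    return (str(IPv4Address(b & ~wc & ALL_ONES)), str(IPv4Address(b | wc)))


def wildcard_for(network: str) -> str:
    """Wildcard mask equivalent to a CIDR prefix: the bitwise inverse of the
    subnet mask, which ipaddress exposes as `hostmask`."""
    return str(IPv4Network(network, strict=False).hostmask)


if __name__ == "__main__":
    # The three entries from the text, plus a non-contiguous mask: 0.0.0.254
    # keeps only the lowest bit as a do-care bit, so it matches every even
    # last octet (172.16.1.0, .2, .4, ... .254), not a range.
    for base, wc in [("172.16.1.2", "0.0.0.0"), ("172.16.1.0", "0.0.0.255"),
                     ("172.16.1.0", "0.0.0.3"), ("172.16.1.0", "0.0.0.254")]:
        hits = matching_addresses(base, wc)
        print(f"{base} {wc}: {len(hits)} addresses, first few {hits[:4]}")
```

`wildcard_for` is the check worth keeping to hand: when converting a prefix length to a wildcard, compute it rather than typing it, and run `match_range` on the result to confirm the entry covers exactly the addresses intended and nothing else.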