Working out ACL wildcard masks

You learn both how to create ACLs and how to subnet while you’re studying for your CCNA. You also learn about wildcard masks and how to configure them. Wildcard masks are a lot more powerful than the course leads you to believe. They are NOT simply inverted subnet masks. A wildcard mask can be used to match almost any pattern of bits you desire in an address.

As an example, take 192.168.0.0 0.0.0.20. This matches 192.168.0.4, 192.168.0.16 or 192.168.0.20. How else could you match three non-consecutive addresses in a single line?

So, how do we actually create them? Let’s say you’re given a task which states that you have the following few addresses: 217.196.48.51, 200.150.3.5 and 155.135.18.11.
Write them all out in binary like so:

217.196.48.51 - 11011001.11000100.00110000.00110011
200.150.3.5   - 11001000.10010110.00000011.00000101
155.135.18.11 - 10011011.10000111.00010010.00001011

Line up all the binary. You need to do a bit of logic, column by column. If all 3 bits are 1, put a 1 in. If all 3 are 0, put a 0 in. If the bits in the 3 numbers differ, put an X in, like so:

11011001.11000100.00110000.00110011
11001000.10010110.00000011.00000101
10011011.10000111.00010010.00001011
-----------------------------------
1X0X10XX.1XXX11X0.00XX00XX.00XXXXX1

We are now left with 1X0X10XX.1XXX11X0.00XX00XX.00XXXXX1. Now convert this back to decimal. The X’s can be anything, but to make it easier I treat them as 0 for now.

1X0X10XX.1XXX11X0.00XX00XX.00XXXXX1 = 136.140.0.1

To now work out the wildcard mask, make every X a 1 and every other bit a 0:

1X0X10XX.1XXX11X0.00XX00XX.00XXXXX1 = 01010011.01110010.00110011.00111110 = 83.114.51.62

So, to match the 3 original addresses in a single line with minimum overlap, we would use the address 136.140.0.1 with a wildcard mask of 83.114.51.62.

Basically, what we’re trying to do is tell IOS that anything marked X above could be any digit, i.e. X could be a 0 or a 1. The bits we are sure of get a 0 in the wildcard mask. This tells IOS that the packet HAS to match the address in that part of the octet.

If we take the first octet above we can break it down.
136 with a wildcard mask of 83

136 - 10001000
83  - 01010011

This tells IOS that the first bit HAS to be 1; the third bit HAS to be 0; the fifth bit HAS to be 1 and the sixth bit HAS to be 0. All the other bits can be anything at all, in any combination. So a wildcard 0 HAS to match, while a wildcard 1 can mean anything.
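The column-by-column 1/0/X procedure above and the match rule just described, as an added Python example (my own code, not from the original post); it derives the address/wildcard pair from any list of addresses, renders the X pattern the way the post writes it, and checks each address against a pair under IOS semantics. Running it on the post's three addresses gives 136.132.0.1 83.83.51.62, so it also serves as a check on the hand-worked second octet above.

```python
import ipaddress  # standard library only

# Constructed sample input: the three addresses from the post's exercise.
ADDRESSES = ["217.196.48.51", "200.150.3.5", "155.135.18.11"]


def _i(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_pair(addresses):
    """The post's rule, bitwise: bits on which every address agrees stay fixed
    (wildcard 0, base keeps the bit); bits that differ are X (wildcard 1, base 0)."""
    ints = [_i(a) for a in addresses]
    all_ones = ints[0]          # bits that are 1 in every address
    any_ones = ints[0]          # bits that are 1 in at least one address
    for v in ints[1:]:
        all_ones &= v
        any_ones |= v
    wildcard = any_ones & ~all_ones   # X: set somewhere but not everywhere
    base = all_ones                   # fixed 1s kept, X positions written as 0
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))


def matches(address, base, wildcard):
    """IOS semantics: a wildcard 0 bit must equal the base; a 1 bit is don't-care."""
    fixed = ~_i(wildcard) & 0xFFFFFFFF
    return (_i(address) & fixed) == (_i(base) & fixed)


def bit_pattern(base, wildcard):
    """Render the pair as the post does, e.g. 1X0X10XX.... (X where wildcard bit is 1)."""
    b, w = _i(base), _i(wildcard)
    bits = "".join("X" if (w >> i) & 1 else str((b >> i) & 1) for i in range(31, -1, -1))
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def covered_count(wildcard):
    """How many addresses a pair admits: 2 to the power of the number of 1 bits."""
    return 1 << bin(_i(wildcard)).count("1")


if __name__ == "__main__":
    base, wc = wildcard_pair(ADDRESSES)
    print(bit_pattern(base, wc), "->", base, wc)
    for a in ADDRESSES:
        print(a, "matches" if matches(a, base, wc) else "DOES NOT match")
    print("the pair admits", covered_count(wc), "addresses in total")
```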

Hence the term ‘wildcard’.

It takes a little bit of time and practice to get good at it, just like regular subnetting when you started out. Once you understand what it is you’re looking at, it’s not that hard :)

© 2009-2020 Darren O'Connor All Rights Reserved