You will need to become familiar with how wildcard masks work in order to properly configure many different Cisco IOS commands. You will mostly encounter wildcard masks in access control lists and when configuring the dynamic routing protocol OSPF. ACLs are also used when configuring NAT and PAT settings. Because wildcard masks come up often, they are a very important topic to understand for your ICND2 and CCNA exams.
A wildcard mask can be thought of as a reversed subnet mask. Here is a simple example to illustrate what I mean:
Subnet Mask 255.255.255.0
Wild Card Mask 0.0.0.255
A subnet mask of 255.255.255.0 applied to the IP address 192.168.1.1 means that the first 3 octets are the network portion and the last octet is the host portion. 255.255.255.0 written in binary looks like 11111111.11111111.11111111.00000000. The 1s signify the network and the 0s mean that those bits can be pretty much any number in that range. If we configure a host to be 192.168.1.3, it will still be in the same network. But if we assign a host the address 192.168.3.1, it will be in a different network because we changed one of the numbers in the third octet.
With a wildcard mask the 1s and 0s mean the exact opposite of what they do with a subnet mask. A wildcard mask bit of 0 means that the bit must match exactly, and a 1 means that it can be any value within that specific range.
As an example, let's look at the configuration of a standard access list:
Configure Standard Numbered ACL
access-list 1 deny 192.168.1.3 0.0.0.0
access-list 1 permit 192.168.2.0 0.0.0.255
interface ethernet 0/1
ip access-group 1 out
Let's look at the first line of the configuration above. The wildcard mask is the last set of numbers, following the IP address. The wildcard mask 0.0.0.0 means that every number must match the IP address 192.168.1.3 exactly or it won’t be denied.
Now let's look at the second line in the configuration above. The wildcard mask is 0.0.0.255. This means that the first 3 octets must match 192.168.2 exactly in order for the permit statement to be true. The last octet can be any number from 0 to 255.
A slightly trickier example breaks up the wildcard mask to cover a smaller IP address range. Let's create a mask that is only valid for the range 192.168.2.4-5.
First write out the bit values 128, 64, 32, 16, 8, 4, 2, 1 and then underneath write out the .4 and .5 ip addresses.
128 64 32 16 8 4 2 1
0 0 0 0 0 1 0 0
0 0 0 0 0 1 0 1
From the above table you can see that the .4 and the .5 IP addresses have every bit in common except for the last bit (1). So, when creating the wildcard mask you include every bit that they do not have in common. Keeping this in mind, the new wildcard mask looks like:
access-list 1 permit 192.168.2.4 0.0.0.1
Now let's do another example with a somewhat larger range. How about 192.168.2.16-31?
128 64 32 16 8 4 2 1
0 0 0 1 0 0 0 0
0 0 0 1 0 0 0 1
0 0 0 1 0 0 1 0
0 0 0 1 0 0 1 1
0 0 0 1 0 1 0 0
0 0 0 1 0 1 0 1
0 0 0 1 0 1 1 0
0 0 0 1 0 1 1 1
0 0 0 1 1 0 0 0
0 0 0 1 1 0 0 1
0 0 0 1 1 0 1 0
0 0 0 1 1 0 1 1
0 0 0 1 1 1 0 0
0 0 0 1 1 1 0 1
0 0 0 1 1 1 1 0
0 0 0 1 1 1 1 1
From the above table you can see that this range of IP addresses has the first 4 bits in common. This means that you will use the last 4 bits for the wildcard mask. Adding up the values of the last 4 bits gives 8 + 4 + 2 + 1 = 15. So your new wildcard mask for the ACL will look like:
access-list 1 permit 192.168.2.16 0.0.0.15
The above ACL will permit only the IP addresses from 192.168.2.16 to 192.168.2.31. All other IP addresses will be discarded.
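The bit-comparison method used in the two range examples above, as an added Python example that is not part of the original article. The function names are hypothetical; beyond the article's two ranges it also checks a constructed range (.4-.6) that a single entry cannot express exactly, which is how an ACL ends up permitting an address nobody intended.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def to_ip(n):
    return str(ipaddress.IPv4Address(n))

def acl_matches(packet_ip, acl_ip, wildcard):
    """IOS-style comparison: wildcard 0 bits must be equal, 1 bits are ignored."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(packet_ip) ^ to_int(acl_ip)) & care == 0

def wildcard_for_range(first, last):
    """Return (acl_ip, wildcard, extra) for the contiguous range first..last.

    extra lists addresses the entry matches although they lie outside the
    requested range; an empty list means the entry is exact.
    """
    lo, hi = to_int(first), to_int(last)
    if lo > hi:
        raise ValueError("first address is above last address")
    # In a contiguous range, the highest bit where first and last differ and
    # every bit below it take both values, so all of them become wildcard 1s.
    wildcard = (1 << (lo ^ hi).bit_length()) - 1
    base = lo & ~wildcard & MASK32
    extra = [to_ip(a) for a in range(base, base + wildcard + 1) if a < lo or a > hi]
    return to_ip(base), to_ip(wildcard), extra

if __name__ == "__main__":
    # Constructed ranges: the article's two examples plus one that does not fit.
    for first, last in [("192.168.2.4", "192.168.2.5"),
                        ("192.168.2.16", "192.168.2.31"),
                        ("192.168.2.4", "192.168.2.6")]:
        acl_ip, wc, extra = wildcard_for_range(first, last)
        print(f"{first}-{last}: access-list 1 permit {acl_ip} {wc}")
        if extra:
            print("  also matches:", ", ".join(extra))
```

When the extra list is not empty, the range needs more than one ACL line (for .4-.6, one entry for .4-.5 and a host entry for .6) to avoid matching the additional addresses.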