Cisco IP Access-List Wildcard Masks

So simple it will make you sick!

Copyright © 1999 Boson Software
by john@boson.com

 

We all know the rules and seen the literature on how to do wild card masks:
        The 32 bit wildcard mask consists of 1’s and 0’s
        1 =  ignore this bit
        0 = check this bit
        Yada, yada, yada………

 

BUT MOST OF THE TIME WE WANT TO DO ONE OF THESE THREE THINGS:

1.   MATCH A HOST

2.   MATCH AN ENTIRE SUBNET

3.   MATCH A RANGE
      or
4.   MATCH EVERYONE

Here are the easy ways to do that

 

1.  How to match an individual host

All wildcard mask bits are zero’s

For Standard Access-list

Access-list 1 permit 157.89.8.9  0.0.0.0

Access-list 1 permit 157.89.8.9   (standard access lists assume a 0.0.0.0 mask)

For Extended Access-lists

Access-list 101 permit ip 157.89.8.9 0.0.0.0 any

Access-list 101 permit ip host 157.89.8.9 any

   

2.  How to match an Entire Subnet

Wildcard mask = 255.255.255.255 – subnet mask

 

Example 1

Given 3.2.4.0 subnet mask 255.255.255.0

               255.255.255.255

- subnet mask  255.255.255.  0

Wildcard mask    0.  0.  0.255

Answer:

Access-list 1 permit 3.2.4.0 0.0.0.255

 

 

Example 2

Given 111.2.4.112 subnet mask 255.255.255.224

               255.255.255.255

- subnet mask  255.255.255.224

Wildcard mask    0.  0.  0. 31

Answer:

Access-list 1 permit 111.2.4.112 0.0.0.31

 

 

Example 3

Given 3.2.128.0 subnet mask 255.255.192.0

               255.255.255.255

- subnet mask  255.255.192.  0

Wildcard mask    0.  0. 63.255

Answer:

Access-list 1 permit 3.2.128.0 0.0.63.255

 

 

Example 4

Given 203.2.4.128 subnet mask 255.255.255.240

               255.255.255.255

- subnet mask  255.255.255.240

Wildcard mask    0.  0.  0. 15

Answer:

Access-list 1 permit 203.2.4.128 0.0.0.15

 

THAT IT………….. COOL!

 

3.  How to Match a range 

(Works when the range is an entire subnet)

Match the range

          157. 89. 16.0 – 157. 89. 31.255

To Find Wildcard Mask, Take the HIGHER minus the Lower:

          157. 89. 31.255

         -157. 89. 16.  0

wildcard    0.  0. 15.255

 

access-list 1 permit 157.89.16.0 0.0.15.255

Warning:  Each non-zero value must be ONE LESS than a power of 2

    (i.e. one of these:0,1,3,7,15,31,63,127,255)

 

Match the range

          157. 89. 16. 32 – 157. 89. 31. 63

To Find Wildcard Mask, Take the HIGHER minus the Lower:

          157. 89. 31. 63

         -157. 89. 16. 32

wildcard    0.  0. 15. 31

 

access-list 1 permit 157.89.16.32 0.0.15.31

Warning:  Each non-zero value must be ONE LESS than a power of 2

    (i.e. one of these:0,1,3,7,15,31,63,127,255)

 

4.   Matching everyone is easy:

 

Access-list 1 permit any

Or

Access-list 1 permit 0.0.0.0 255.255.255.255

 

Questions, comments? Email the Webmaster.
Copyright 1999 Boson Software, Inc.  All rights reserved
See our full disclaimer.