Wildcard Masking – ACL


A wildcard mask is a string of 32 binary digits that the router uses to determine which bits of an address to examine for a match. Wildcard masking is used in several places, for example to indicate the size of a network or subnet for some routing protocols, such as OSPF. IPv6 ACLs instead use a prefix length to indicate how much of an IPv6 source or destination address should be matched.

We identify the network portion, host portion and subnet of an IP address using the 0 and 1 bits of the subnet mask. In wildcard masking, however, the binary 1s and 0s select particular IP addresses or groups of IP addresses in order to permit or deny access to resources. Wildcard masks use the following rules to match binary 1s and 0s:

  • Bit 0 – Match the corresponding bit value in the address.
  • Bit 1 – Ignore the corresponding bit value in the address.

A wildcard mask is usually described as the inverse of the subnet mask: in a subnet mask a binary 1 means a match and a binary 0 does not, while in a wildcard mask it is the reverse. Figure 1 illustrates the result of applying a wildcard mask to a 32-bit IPv4 address; keep the rules mentioned above in mind.

[Figure: Wildcard Masking – ACL 13]

Wildcard Masking Calculation

The shortcut method of calculating a wildcard mask is to subtract the subnet mask of the network or IP from

Example 1

If we have a network with subnet mask We want to permit access to all users, so we can subtract the subnet mask from as shown in Figure 2. This is the easiest and shortest way of calculating the wildcard mask for any network.

[Figure: Wildcard Masking – ACL 14]

Example 2

If we have a network with subnet mask So in this network, we have 32 network users and want to permit network access for all the users. Therefore take and subtract the subnet mask The solution this time produces the wildcard mask Figure 3 illustrates the example 2 calculation.

[Figure: Wildcard Masking – ACL 15]

Example 3

In this example, the network address is with a subnet mask of and we want to calculate the wildcard mask for the network, so again take the and subtract the subnet mask of the network. This time the wildcard mask is Figure 4 illustrates the example 3 calculation.

[Figure: Wildcard Masking – ACL 16]

How Wildcard Masking Works

To understand wildcard masking, see the following examples. In the first example, the wildcard mask stipulates that every bit in the IPv4 address must match exactly. In the second example, the wildcard mask stipulates that anything will match, and in the third example, the wildcard mask stipulates that any host within the network will match.

[Figure: Wildcard Masking – ACL 17]

The fourth example is a little more complex: the first two octets and the first two bits of the third octet must match exactly, while the last six bits of the third octet and the whole last octet can be any valid value. This results in a mask that checks for the range of networks to

[Figure: Wildcard Masking – ACL 18]

Use of Wildcard Masking Keywords

The any and host Keywords

We can use the keywords any and host. For example, we can use the “any” keyword to substitute for the IPv4 address with a wildcard mask of

Router1(config)# access-list 10 permit

This means that any host with IPv4 address is permitted to the network, so we can replace the command with:

Router1(config)# access-list 10 permit any

Another keyword is “host”. For example, if we want to permit a specific IPv4 address to the network, we can write it as follows with a wildcard mask:

Router1(config)# access-list 10 permit

We can configure this access list using the host keyword instead of a wildcard mask, for example:

Router1(config)# access-list 10 permit host
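The calculation shortcut from Examples 1 to 3, the bit-0 match / bit-1 ignore rule, and the any and host keywords from this section, as an added example that is not part of the original article. All IP addresses, masks and ACL entries in it are constructed for illustration; the function names are my own and not IOS commands.

```python
# Added example (not from the original article): derive a wildcard mask from a
# subnet mask and apply the bit-0 = match / bit-1 = ignore rule to test whether
# an address falls inside an ACL entry. All addresses below are constructed.
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255


def to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted-quad form."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Shortcut from the article: 255.255.255.255 minus the subnet mask.
    For a contiguous subnet mask this equals the bitwise inverse of the mask."""
    return to_dotted(ALL_ONES - to_int(subnet_mask))


def wildcard_matches(address: str, acl_address: str, wildcard: str) -> bool:
    """A bit is checked where the wildcard bit is 0 and ignored where it is 1,
    so only the bits NOT set in the wildcard have to be equal."""
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(address) & care) == (to_int(acl_address) & care)


def expand_keyword(entry: str) -> tuple[str, str]:
    """Translate the 'any' and 'host x.x.x.x' shorthands into address + wildcard."""
    parts = entry.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"   # every bit ignored
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"            # every bit must match
    if len(parts) == 2:
        return parts[0], parts[1]             # explicit address + wildcard
    raise ValueError(f"unrecognised ACL source: {entry!r}")


def acl_permits(entry: str, address: str) -> bool:
    """True if a 'permit <source>' entry written with any of the three
    source syntaxes would match the given IPv4 address."""
    acl_address, wildcard = expand_keyword(entry)
    return wildcard_matches(address, acl_address, wildcard)
```

Running `wildcard_from_subnet_mask("255.255.192.0")` yields `0.0.63.255`, the mask the fourth matching example describes: first two octets and the top two bits of the third octet checked, everything else ignored.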
