Wildcard Masking – ACL

A wildcard mask is a string of 32 binary digits that the router uses to determine which bits of an address to examine for a match. Wildcard masking is used in several places, for example to indicate the size of a network or subnet for some routing protocols, such as OSPF. IPv6 ACLs instead use a prefix length to indicate how much of an IPv6 source or destination address should be matched.

We identify the network portion, host portion and subnet of an IP address using the 0 and 1 bits of the subnet mask. In a wildcard mask, however, the binary 1s and 0s select a particular IP address or group of IP addresses to which access to resources is permitted or denied. Wildcard masks use the following rules to match binary 1s and 0s:

  • Bit 0 – Match the corresponding bit value in the address.
  • Bit 1 – Ignore the corresponding bit value in the address.

Wildcard masking is usually referred to as the inverse of the subnet mask, because in a subnet mask binary 1 means a match and binary 0 does not, while in a wildcard mask it is the reverse. Figure 1 illustrates the result of applying a 0.0.255.255 wildcard mask to a 32-bit IPv4 address; keep the rules above in mind.

Wildcard Masking Calculation

The shortcut method of calculating a wildcard mask is to subtract the subnet mask of the network or IP from 255.255.255.255.

Example 1

Suppose we have the network 172.16.0.0 with subnet mask 255.255.255.0 and want to permit access to all of its users. We subtract the subnet mask from 255.255.255.255, as shown in figure 2. This is the easiest and shortest way of calculating the wildcard mask for any network.

Example 2

Suppose we have the network 172.16.1.0 with subnet mask 255.255.255.224. This network has 32 users, and we want to permit network access for all of them. Again take 255.255.255.255 and subtract the subnet mask 255.255.255.224. This time the result is the wildcard mask 0.0.0.31. Figure 3 illustrates the example 2 calculation.

Example 3

In this example the network address is 172.16.4.0 with a subnet mask of 255.255.252.0, and we want to calculate the wildcard mask for the network, so again take 255.255.255.255 and subtract the subnet mask. This time the wildcard mask is 0.0.3.255. Figure 4 illustrates the example 3 calculation.

How Wildcard Masking Works

To understand wildcard masking, consider the following examples. In the first example, the wildcard mask stipulates that every bit in the IPv4 address 172.16.10.10 must match exactly. In the second example, the wildcard mask stipulates that anything will match, and in the third example, the wildcard mask stipulates that any host within the 172.16.10.0/24 network will match.

The fourth example is a little more complex: the first two octets and the first two bits of the third octet must match exactly, while the last six bits of the third octet and the whole last octet can be any valid value. This results in a mask that checks for the range of networks 172.16.64.0 to 172.16.127.255.

Use of Wildcard Masking Keywords

The any and host Keywords

We can use the keywords any and host. For example, the any keyword substitutes for the IPv4 address 0.0.0.0 with a wildcard mask of 255.255.255.255:

Router1(config)# access-list 10 permit 0.0.0.0 255.255.255.255

This means that any host, whatever its IPv4 address, is permitted. So we can replace the command with:

Router1(config)# access-list 10 permit any

Another keyword is host. For example, to permit a specific IPv4 address using a wildcard mask, we would write:

Router1(config)# access-list 10 permit 172.16.10.100 0.0.0.0

We can configure this access list using the host keyword instead of the wildcard mask 0.0.0.0, for example:

Router1(config)# access-list 10 permit host 172.16.10.100
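The subtraction shortcut from examples 1 to 3, the bit-level match rule from the "How Wildcard Masking Works" section and the any/host keyword equivalents above, as an added Python example that is not part of the original article; the function names and the sample addresses are my own, and the expected values are the ones the article gives.

```python
# Added example (not from the original article): the wildcard-mask shortcut
# and the bit-level match rule, checked against the article's examples.
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Shortcut from the article: 255.255.255.255 minus the subnet mask."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(ALL_ONES - mask))


def wildcard_match(address: str, acl_address: str, wildcard: str) -> bool:
    """Wildcard bit 0 = the address bit must match; bit 1 = ignore the bit.

    So the packet address and the ACL address must agree on every bit
    position where the wildcard mask has a 0.
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(acl_address))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ALL_ONES & ~w          # 1s where the wildcard says "match"
    return (a & care) == (b & care)


def matched_range(acl_address: str, wildcard: str) -> tuple:
    """Lowest and highest address covered by a contiguous wildcard mask
    (e.g. the article's fourth example, 172.16.64.0 with 0.0.63.255)."""
    b = int(ipaddress.IPv4Address(acl_address))
    w = int(ipaddress.IPv4Address(wildcard))
    low = b & (ALL_ONES & ~w)     # fixed bits only, ignored bits cleared
    high = low | w                # ignored bits all set
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


# Keyword shorthands from the article, as (address, wildcard) pairs.
ANY = ("0.0.0.0", "255.255.255.255")   # "permit any"


def host(address: str) -> tuple:
    """"host A.B.C.D" is the same as "A.B.C.D 0.0.0.0"."""
    return (address, "0.0.0.0")


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.224", "255.255.252.0"):
        print(f"{mask:16} -> wildcard {wildcard_from_subnet_mask(mask)}")
    print("172.16.64.0 0.0.63.255 covers", matched_range("172.16.64.0", "0.0.63.255"))
```

wildcard_match applies the per-bit rule directly, so it also evaluates non-contiguous wildcard masks (which the subtraction shortcut never produces), whereas matched_range only describes a contiguous mask.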