An ACL wildcard mask is a string of 32 binary digits used by the router to determine which bits of the address to examine for a match. Wildcard masks are used in several places, for example to indicate the size of a network or subnet for some routing protocols, such as OSPF. IPv6 ACLs use the prefix length to indicate how much of an IPv6 source or destination address should be matched.
A subnet mask uses binary 1s and 0s to identify the network portion, host portion, and subnet of an IP address. A wildcard mask uses binary 1s and 0s to filter particular IP addresses or groups of IP addresses, to permit or deny access to resources. Wildcard masks use the following rules to match binary 1s and 0s:
Bit 0 – Match the corresponding bit value in the address.
Bit 1 – Ignore the corresponding bit value in the address.
A wildcard mask is usually referred to as the inverse of the subnet mask: in a subnet mask, binary 1 is a match and binary 0 is not a match, but in a wildcard mask the reverse is true. Figure 1 illustrates the results of applying a 0.0.255.255 wildcard mask to a 32-bit IPv4 address. Remember the rules mentioned above.
Wildcard Masking Calculation
The shortcut method of calculating a wildcard mask is to subtract the subnet mask of the network or IP from 255.255.255.255.
Example 1
Suppose we have the network 172.16.0.0 with subnet mask 255.255.255.0 and want to permit access for all users. We subtract the subnet mask from 255.255.255.255, as shown in Figure 2. This is the easiest and shortest way of calculating the wildcard mask for any network.
Example 2
Suppose we have the network 172.16.1.0 with subnet mask 255.255.255.224. In this network we have 32 network users and want to permit network access for all of them. Take 255.255.255.255 and subtract the subnet mask 255.255.255.224. This time the result is the wildcard mask 0.0.0.31. Figure 3 illustrates the Example 2 calculation.
Example 3
In this example, the network address is 172.16.4.0 with a subnet mask of 255.255.252.0, and we want to calculate the wildcard mask for the network. Again, take 255.255.255.255 and subtract the subnet mask of the network. This time the wildcard mask is 0.0.3.255. Figure 4 illustrates the Example 3 calculation.
How Wildcard Masking Works
To understand wildcard masking, consider the following examples. In the first example, the wildcard mask stipulates that every bit in the IPv4 address 172.16.10.10 must match exactly. In the second example, the wildcard mask stipulates that anything will match, and in the third example, the wildcard mask stipulates that any host within the 172.16.10.0/24 network will match.
The fourth example is a little more complex. The first two octets and the first two bits of the third octet must match exactly, while the last six bits of the third octet and the whole last octet can be any valid number. This results in a mask that checks for networks 172.16.64.0 to 172.16.127.255.
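The subtraction shortcut and the two matching rules can be checked in a few lines of Python. This is an added example, not code from the original page; the function names are illustrative, and the wildcard masks for the four matching examples are derived from their descriptions above.

```python
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF

def wildcard_from_subnet(subnet_mask):
    """Shortcut method: 255.255.255.255 minus the subnet mask."""
    inverted = int(IPv4Address(subnet_mask)) ^ ALL_ONES
    # A real subnet mask is 1s followed by 0s, so its inverse is 0s then 1s.
    if inverted & (inverted + 1):
        raise ValueError(f"{subnet_mask} is not a contiguous subnet mask")
    return str(IPv4Address(inverted))

def matches(address, base, wildcard):
    """Wildcard bit 0: compare this bit. Wildcard bit 1: ignore it."""
    care = int(IPv4Address(wildcard)) ^ ALL_ONES
    diff = int(IPv4Address(address)) ^ int(IPv4Address(base))
    return (diff & care) == 0

def matched_range(base, wildcard):
    """Lowest match, highest match, and number of matching addresses."""
    wild = int(IPv4Address(wildcard))
    low = int(IPv4Address(base)) & (wild ^ ALL_ONES)
    # Each ignored bit doubles the number of addresses the entry matches.
    count = 2 ** bin(wild).count("1")
    return str(IPv4Address(low)), str(IPv4Address(low | wild)), count

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.224", "255.255.252.0"):
        print(mask, "->", wildcard_from_subnet(mask))
    # (base, wildcard) pairs for the four matching examples described above.
    entries = [("172.16.10.10", "0.0.0.0"), ("0.0.0.0", "255.255.255.255"),
               ("172.16.10.0", "0.0.0.255"), ("172.16.64.0", "0.0.63.255")]
    for base, wildcard in entries:
        print(base, wildcard, "matches", matched_range(base, wildcard))
    # An address whose third octet starts with different bits is rejected.
    print(matches("172.16.128.1", "172.16.64.0", "0.0.63.255"))
```

Printing the match count next to each ACL entry is a quick way to spot an entry that permits far more addresses than intended.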
Use of Wildcard Masking Keywords
The any and host Keywords
We can use the keywords any and host. For example, the “any” keyword substitutes for the IPv4 address 0.0.0.0 with a wildcard mask of 255.255.255.255.
OSPFv2 is a link-state routing protocol introduced in 1991 for IPv4 as an alternative to the Routing Information Protocol (RIP). Figure 1 is a reference topology for configuring OSPFv2.
The routers in the topology have a starting configuration, including interface address and password configurations. None of the routers has static or dynamic routing configured. All routers are in a single area.
Router OSPF Configuration Mode and Process ID
To enable OSPFv2 on the routers in the topology, use the command “router ospf process-id” in global configuration mode. The value of the process-id is a number between 1 and 65,535. Many students are confused by the process ID.
It is only important locally, meaning it does not have to be the same value on the other OSPF routers to set up adjacencies with those neighbors. The process ID has no bearing on the structure of any OSPF packet or LSA update, so you can have a separate process-id on every single router in your network if you so wish!
OSPF Router ID
Every router in the OSPF network requires a router ID to identify it in the domain. The router ID can be defined manually or assigned automatically by the router. The router ID is essential to the OSPF router in the following ways:
The router ID uniquely identifies each router within the OSPF domain, and all packets that originate from it.
The router ID is also essential in a multi-access LAN environment for the election of the DR and BDR during the initial establishment of the OSPF network. When OSPF links turn into an active state, the router with the highest priority is elected as DR. If priority is not configured on the routers or the same priority has been configured for the routers, then the router with the highest router ID is elected as a DR, and the routing device with the second-highest router ID is elected as a BDR.
Determining Router ID
Cisco routers determine the router ID in one of three ways, as described:
The router ID is configured using the OSPF “router-id rid” command in router configuration mode. The value rid is any 32-bit value expressed as an IPv4 address. This is the recommended method for assigning a router ID.
If the router ID is not configured, the router chooses the highest IPv4 address of any configured loopback interfaces. This is the second-best method of assigning a router ID.
If loopback interfaces are not configured on the router, it chooses the highest active IPv4 address of any of its physical interfaces. This method is not recommended by many network administrators because it makes it very difficult for administrators to differentiate between specific routers when assigning an ID.
If the highest IPv4 address is used as the router ID, the interface is not required to be OSPF-enabled. It is not necessary to configure that interface for the OSPF protocol.
The only requirement is that the interface is active and in the up state. The router ID is an IP address, but it is not routable, so it is not included in the routing table unless the OSPF routing process chooses an interface that is properly defined by a network command.
Configuring an OSPF Router ID
As stated earlier, we can configure the router ID using the “router-id rid” command in router configuration mode. An OSPF router identifies itself to other routers using the router ID. The rid is any 32-bit number in the form of an IPv4 address.
As shown in Figure 1, Router1 has been configured with a router ID of 10.10.10.1, Router2 with 10.10.20.1, Router2 with 10.10.30.1, and R4 with 10.10.40.1. We can verify the router ID using the “show ip protocols” command.
Figure 2 illustrates the rid assignment to Router2 and Figure 3 illustrates the verification of the router ID on Router2. You can see that when we enter the router ID, the router must reload or clear the IP OSPF process. If the router ID is the same on two neighboring routers, the router displays an error message for a duplicate router ID. To resolve this problem, configure all routers with unique OSPF router IDs.
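The selection order from “Determining Router ID” and the duplicate router ID problem described above can be checked offline against an interface inventory. This is an added example, not code from the original page; the router names, addresses, and dictionary layout are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import IPv4Address

def select_router_id(router):
    """Apply the three-step order: router-id command, loopback, physical."""
    if router.get("router_id"):
        return IPv4Address(router["router_id"]), "router-id command"
    loopbacks = [IPv4Address(i["ip"]) for i in router["interfaces"]
                 if i["name"].lower().startswith("loopback")]
    if loopbacks:
        # IPv4Address compares numerically, so 10.x sorts above 9.x.
        return max(loopbacks), "highest loopback address"
    active = [IPv4Address(i["ip"]) for i in router["interfaces"] if i["up"]]
    if active:
        return max(active), "highest active physical address"
    return None, "no router ID available"

def duplicate_router_ids(routers):
    """Map each router ID used by more than one router to those routers."""
    seen = defaultdict(list)
    for name, router in routers.items():
        rid, _source = select_router_id(router)
        if rid is not None:
            seen[str(rid)].append(name)
    return {rid: names for rid, names in seen.items() if len(names) > 1}

# Constructed inventory (hypothetical routers, not the page's topology).
ROUTERS = {
    "edge-a": {"router_id": "10.10.10.1", "interfaces": [
        {"name": "GigabitEthernet0/0", "ip": "192.168.1.1", "up": True}]},
    "edge-b": {"router_id": None, "interfaces": [
        {"name": "Loopback0", "ip": "10.10.10.1", "up": True},
        {"name": "GigabitEthernet0/0", "ip": "192.168.1.2", "up": True}]},
    "edge-c": {"router_id": None, "interfaces": [
        {"name": "GigabitEthernet0/0", "ip": "192.168.1.3", "up": True},
        {"name": "GigabitEthernet0/1", "ip": "192.168.9.1", "up": False}]},
}

if __name__ == "__main__":
    for name, router in ROUTERS.items():
        print(name, *select_router_id(router))
    print("duplicates:", duplicate_router_ids(ROUTERS))
```

Here edge-b inherits its ID from a loopback that collides with the ID configured on edge-a, which is the kind of clash that is easy to miss when some router IDs are set explicitly and others are derived from interfaces.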
Modifying Router ID
Sometimes we need to modify the router ID because of a wrong configuration or a network change. For example, we may want to assign a new ID to Router2 in the above topology because of a new router ID scheme. An active OSPF router does not allow the router ID to be changed until the router is reloaded or the OSPF process is cleared.
The way to assign a new router ID to a router is the same; it only requires reloading the router to kill the active OSPF process, because of the active adjacencies. The adjacencies must be renegotiated and established with the new router ID.
The preferred method for changing the router ID is clearing the OSPF process. The command for killing the OSPF process is “clear ip ospf process” in privileged EXEC mode.
This command takes OSPF down to the Init state, and the router displays the adjacency change messages from full to down and then from loading to full. You can then verify the ID change again using “show ip protocols”. Figure 4 illustrates clearing the OSPF process.
Using a Loopback Interface as the Router ID
We can also use a loopback interface as the router ID. The IPv4 address of the loopback interface should be configured using the subnet mask 255.255.255.255. This is a 32-bit subnet mask that is not advertised as a route to other OSPF routers.
Configure Single-Area OSPFv2
The network command in router mode adds the interfaces in the OSPF area. Interfaces that match the network address in the network command are enabled to send and receive OSPF packets. As a result, the network (or subnet) address for the interface has been included in OSPF routing updates. The command syntax is <network network-address wildcard-mask area area-id>.
The area area-id is the OSPF area planned by the network administrator. When configuring single-area OSPF, the network command must be configured with the same area-id on all routers. Though we can use any area ID, it is good practice to use an area ID of 0 with single-area OSPF. This convention makes it easier to change the network later from single-area to multi-area OSPF.
Wild Card Mask
The wildcard-mask, together with the network address of the interface, enables OSPF. OSPF is a classless protocol by design, so the wildcard mask is always required to find the interfaces that participate in the routing process. It is the inverse of the subnet mask configured on that interface. It is a string of 32 binary digits.
The wildcard mask decides which bits of the address to check for a match. In a subnet mask, binary 1 is equal to a match and binary 0 is not a match, but in a wildcard mask the reverse is true. To calculate a wildcard mask, subtract the network subnet mask from 255.255.255.255.
For example, if we have a /24 and a /25 network as shown in Figure 5 below, the wildcard mask for the /24 subnet mask is 0.0.0.255 and the wildcard mask for the /25 network is 0.0.0.127. We simply subtract the subnet mask from the 32-bit string.
The example in Figure 2 calculates the wildcard mask from the network address of 192.168.10.64/26. Again, the subnet mask 255.255.255.192 was subtracted from 255.255.255.255, resulting in 0.0.0.63. Therefore, 192.168.10.0/26 is 192.168.10.0 with a wildcard mask of 0.0.0.63.
The Network Command
Router1 participates in the OSPFv2 routing process for an area. The wildcard masks identify the respective interfaces based on their network addresses. Because this is a single-area OSPF network, all area IDs have been set to 0. We enable the interface into OSPFv2 using the <network intf-ip-address 0.0.0.0 area area-id> router configuration mode command.
The benefit of specifying the interface is that the wildcard mask calculation is not important. OSPFv2 uses the interface address and subnet mask to resolve the network to advertise.
Some IOS versions also allow the subnet mask instead of the wildcard mask. The IOS then converts the subnet mask automatically to the wildcard mask format. The figure-6 illustrates the configuration of networks on Router2.
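Because every interface whose address matches a network statement starts sending and receiving OSPF packets, it is worth checking which interfaces a given set of statements actually enables. This is an added example, not code from the original page; the interface inventory, addresses, and the intended list are constructed, and only the wildcard-mask form of the command is handled.

```python
from ipaddress import IPv4Address

def parse_network(line):
    """Parse 'network <network-address> <wildcard-mask> area <area-id>'."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "network" or parts[3] != "area":
        raise ValueError(f"not a network statement: {line!r}")
    return int(IPv4Address(parts[1])), int(IPv4Address(parts[2])), parts[4]

def enabled_interfaces(statements, interfaces):
    """Return {interface name: [network statements that match its address]}."""
    result = {}
    for name, ip in interfaces.items():
        addr = int(IPv4Address(ip))
        hits = []
        for line in statements:
            net, wild, _area = parse_network(line)
            # Wildcard bit 0 = compare this bit, wildcard bit 1 = ignore it.
            if ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0:
                hits.append(line)
        if hits:
            result[name] = hits
    return result

def unintended(statements, interfaces, intended):
    """Interfaces that would run OSPF although they are not on the intended list."""
    return sorted(set(enabled_interfaces(statements, interfaces)) - set(intended))

# Constructed sample data (hypothetical router, not the page's topology).
INTERFACES = {
    "GigabitEthernet0/0": "172.16.1.1",    # link to another router
    "Serial0/0/0": "172.16.3.1",           # link to another router
    "GigabitEthernet0/1": "172.16.200.1",  # user-facing LAN
}
INTENDED = ["GigabitEthernet0/0", "Serial0/0/0"]
BROAD = ["network 172.16.0.0 0.0.255.255 area 0"]
EXACT = ["network 172.16.1.1 0.0.0.0 area 0",
         "network 172.16.3.1 0.0.0.0 area 0"]

if __name__ == "__main__":
    print("broad statement enables:", sorted(enabled_interfaces(BROAD, INTERFACES)))
    print("unintended with broad:", unintended(BROAD, INTERFACES, INTENDED))
    print("unintended with exact:", unintended(EXACT, INTERFACES, INTENDED))
```

The broad 0.0.255.255 statement also enables OSPF on the user-facing LAN, while the interface-address form with 0.0.0.0 enables exactly the two intended links.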