
IPv4 Wildcard Mask Calculation for Dummies

Is there really any simple and quick way to obtain a wildcard mask in a minute or so?

To find the answer, let's first understand what a wildcard mask is.
A wildcard mask is a mask of bits that indicates which parts of an IP address should be used for evaluating the matching criteria.
In Cisco IOS, they are used in various places, for example:
  •  To indicate the size of a network or subnet for some routing protocols, such as OSPF, when defining the OSPF network.
  •  To indicate which IP addresses should be permitted or denied in access control lists (ACLs).
At a simplistic level a wildcard mask can be thought of as an inverted subnet mask.

For example, a subnet mask of 255.255.255.0 (binary equivalent = 11111111.11111111.11111111.00000000) inverts to a wildcard mask of 0.0.0.255.


A wildcard mask defines the matching rule bit by bit: a 0 in a bit position means that the corresponding bit in the address of the Access Control List (ACL) statement must match the same bit position in the IP address of the examined packet.


    • "1" bit means that the corresponding part in IP address can be ignored.
    • "0" bit in the wildcard mask means that corresponding part in the IP address should exactly match.

How to specify a single host using wildcard mask


To specify a single host using ACL Wildcard mask, the IP address and wildcard mask should be as below.

172.16.0.12 0.0.0.0

The four zeros in the wildcard mask represent each octet of the address. As discussed above, wherever a zero is present in the wildcard mask, the corresponding part of the IP address must match exactly.
The keyword "host" can also be used to accomplish the same result as shown below.
host 172.16.0.12

How to specify an entire network using wildcard mask


To specify an entire network using an ACL wildcard mask, use a wildcard value of 255 (all bits "1") in the octets that may vary. The following example can be used to specify all IP addresses in the 172.16.0.0/16 network.

172.16.0.0 0.0.255.255

The above example states that only the first two octets must match exactly and the last two octets can have any value. This statement matches all the IP addresses of the 172.16.0.0/16 network.

How to specify a range of IP addresses in a network using wildcard mask

To specify a range of IP addresses in a network using an Access Control List (ACL) wildcard mask, set the "1" bits only in the host (non-subnet) bit positions.

Example 1: The following example can be used to specify all IP addresses of a class B network, 172.16.0.0, which is subnetted using a class C subnet mask (172.16.0.0/24).
The binary representation of the above network address, subnet mask and wildcard mask is shown below.

IP address    - 10101100.00010000.00000000.00000000
Subnet Mask   - 11111111.11111111.11111111.00000000
Wildcard Mask - 00000000.00000000.00000000.11111111

The decimal representation of the above IP Address and wildcard mask is given below.
172.16.0.0 0.0.0.255

The above example states that the first three octets must match exactly and the last octet can have any value. This statement matches all the IP addresses of the 172.16.0.0/24 network.

Example 2: The following example can be used to specify all IP addresses of a class B network, 172.16.240.0/20 (subnet mask 255.255.240.0).

The binary representation of the above network address, subnet mask and wildcard mask is shown below (the "|" marks the /20 boundary).

IP address    - 10101100.00010000.0000 | 0000.00000000
Subnet Mask   - 11111111.11111111.1111 | 0000.00000000
Wildcard Mask - 00000000.00000000.0000 | 1111.11111111

The decimal representation of the above IP address, subnet mask and wildcard mask is given below.

IP address    - 172.16.240.0
Subnet Mask   - 255.255.240.0
Wildcard Mask - 0.0.15.255

The above example states that the first 20 bits must match exactly and the last 12 bits can have any value. This statement matches all the IP addresses of the 172.16.240.0/20 network shown below.

Network address - 172.16.240.0/20
First usable IP address - 172.16.240.1/20
Last usable IP Address - 172.16.255.254/20
Broadcast address - 172.16.255.255/20


Wildcard masks are also used in situations where subnet masks do not apply. For example, when two affected hosts fall in different subnets, a wildcard mask (which need not be contiguous) can group them together in a single statement.


Calculating the wildcard mask for your ACL has always been seen as a complex task involving conversions between binary and decimal, or simply using some software tool, which still requires a few steps to be performed before we get an answer.


Simply subtract your subnet mask from 255.255.255.255, octet by octet, to get your wildcard mask.

Example:
The wildcard mask of /26 is: 255.255.255.255 - 255.255.255.192 = 0.0.0.63
The wildcard mask of /19 is: 255.255.255.255 - 255.255.224.0 = 0.0.31.255
The wildcard mask of /12 is: 255.255.255.255 - 255.240.0.0 = 0.15.255.255

There is an alternative way of calculating your wildcard mask which is as follows.

For example, if you had a /28, your next octet boundary is /32, so 32 - 28 = 4 and 2^4 = 16 is the block size. If we subtract 1 from the block size it gives us 15, which is what we put into our wildcard mask in the octet that we are subnetting in. All octets before the one we are subnetting in are 0 and all octets after it are 255.
Let's follow that again:
1. /28 gives us 15 in the last octet (i.e. 32 - 28 = 4 and 2^4 - 1 = 15)
2. All octets before that octet have to be 0 (i.e. 1st, 2nd, and 3rd octets)
3. All octets after that octet have to be 255 (not applicable here as /28 is in the last octet)

4. We therefore have 0.0.0.15 as our wildcard mask.

Let's do it with a /21:
1. /21 gives us 7 in the third octet (i.e. 24 - 21 = 3 and 2^3 - 1 = 7)
2. All octets before that octet have to be 0 (i.e. 1st and 2nd octets)
3. All octets after that octet have to be 255 (i.e. the 4th octet)
4. We therefore have 0.0.7.255 as our wildcard mask.


Let's do it with a /9:
1. /9 gives us 127 in the second octet (i.e. 16 - 9 = 7 and 2^7 - 1 = 127)
2. All octets before that octet have to be 0 (i.e. the 1st octet)
3. All octets after that octet have to be 255 (i.e. the 3rd and 4th octet)
4. We therefore have 0.127.255.255 as our wildcard mask
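As an added example (not part of the original post), the following Python script implements both calculation methods described above, the subtraction from 255.255.255.255 and the octet-boundary block-size method, and also the bit-matching rule from the beginning of the post, so you can check an ACL entry against a packet address; the function names and sample addresses are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255 as an integer


def wildcard_by_subtraction(prefix_len: int) -> str:
    """Method 1: wildcard = 255.255.255.255 - subnet mask (no borrow ever occurs)."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(ALL_ONES - mask))


def wildcard_by_boundary(prefix_len: int) -> str:
    """Method 2: in the octet being subnetted put 2^(boundary - prefix) - 1,
    0 in every octet before it and 255 in every octet after it."""
    if prefix_len == 32:
        return "0.0.0.0"  # host entry: every octet must match
    octet_index = prefix_len // 8                 # 0-based octet being subnetted
    boundary = (octet_index + 1) * 8              # next /8, /16, /24 or /32
    block_size = 2 ** (boundary - prefix_len)     # e.g. /28 -> 2^4 = 16
    octets = [0] * octet_index + [block_size - 1] + [255] * (3 - octet_index)
    return ".".join(str(o) for o in octets)


def acl_matches(entry_ip: str, wildcard: str, packet_ip: str) -> bool:
    """A '0' wildcard bit must match exactly, a '1' bit is ignored: compare the
    two addresses only on the bits where the wildcard is 0."""
    care_bits = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    entry = int(ipaddress.IPv4Address(entry_ip)) & care_bits
    packet = int(ipaddress.IPv4Address(packet_ip)) & care_bits
    return entry == packet


if __name__ == "__main__":
    for p in (28, 21, 9, 26, 19, 12):
        print(f"/{p:<2} -> {wildcard_by_subtraction(p):>15} (boundary method: {wildcard_by_boundary(p)})")
    # Constructed check against the /20 example from the post.
    print(acl_matches("172.16.240.0", "0.0.15.255", "172.16.255.254"))  # True
    print(acl_matches("172.16.240.0", "0.0.15.255", "172.17.0.1"))      # False
    # Constructed non-contiguous wildcard: the .10 host in every /24 of 172.16.0.0/16.
    print(acl_matches("172.16.0.10", "0.0.255.0", "172.16.200.10"))     # True
```

The last call shows the case mentioned in the post where hosts in different subnets are grouped by a wildcard that is not a subnet mask, something a plain prefix length cannot express.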

Now you would agree that the answer is yes: there is a simple and quick way to calculate the wildcard mask for your ACL.
