Access Control Lists - Wildcard Masks
The rules are known and you have seen examples of how to generate wildcard masks:
The 32-bit wildcard mask consists of 1s and 0s, whereby:
a 1 equates to "ignore this bit" and
a 0 equates to "check this bit".
Most of the time, though, we just want to:
1. MATCH A HOST
2. MATCH AN ENTIRE SUBNET
3. MATCH A RANGE
4. MATCH EVERYONE
Here is how to accomplish each of the above, without too much pain...
1. MATCH A HOST
Set all the wildcard mask bits to zero.
For a Standard Access-list:
Access-list 1 permit 186.145.65.12 0.0.0.0
or
Access-list 1 permit 186.145.65.12 (standard access lists assume a 0.0.0.0 mask)
For Extended Access-lists:
Access-list 101 permit ip 186.145.65.12 0.0.0.0 any
or
Access-list 101 permit ip host 186.145.65.12 any
2. MATCH AN ENTIRE SUBNET
Wildcard mask = 255.255.255.255 minus the subnet mask
Example 1
Given 42.64.86.0 subnet mask 255.255.255.0
255.255.255.255 - subnet mask 255.255.255.0 = Wildcard mask 0.0.0.255
Access-list 1 permit 42.64.86.0 0.0.0.255
Example 2
Given 202.22.66.99 subnet mask 255.255.255.240
255.255.255.255 - subnet mask 255.255.255.240 = Wildcard mask 0.0.0.15
Access-list 1 permit 202.22.66.99 0.0.0.15
Example 3
Given 55.66.77.0 subnet mask 255.255.224.0
255.255.255.255 - subnet mask 255.255.224.0 = Wildcard mask 0.0.31.255
Access-list 1 permit 55.66.77.0 0.0.31.255
Example 4
Given 211.95.32.128 subnet mask 255.255.255.248
255.255.255.255 - subnet mask 255.255.255.248 = Wildcard mask 0.0.0.7
Access-list 1 permit 211.95.32.128 0.0.0.7
3. MATCH A RANGE (WITHIN A SINGLE (SUB)NETWORK)
To find the wildcard mask, take the HIGHER end of the range minus the LOWER end of the range:
Example 1
Match the range from 132.43.48.0 to 132.43.63.255
132.43.63.255 - 132.43.48.0 = Wildcard mask 0.0.15.255
Access-list 1 permit 132.43.48.0 0.0.15.255
Example 2
Match the range from 132.43.16.32 to 132.43.31.63
132.43.31.63 - 132.43.16.32 = Wildcard mask 0.0.15.31
Access-list 1 permit 132.43.16.32 0.0.15.31
Pay Attention! Now hear this:
Each wildcard mask octet value must be ONE LESS than a power of 2 when using this approach
(i.e. one of these: 0, 1, 3, 7, 15, 31, 63, 127, 255).
You will have to create a couple of ranges if this condition is not met.
4. MATCH EVERYONE
Access-list 1 permit any
or
Access-list 1 permit 0.0.0.0 255.255.255.255
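The four cases above worked in Python, as an added example that is not part of the original page: it assumes dotted-quad strings, treats a range the way the examples above do (octet by octet, so the entry matches every address whose octets each fall in the given interval), and splits a range whose octets are not aligned power-of-two blocks into the several entries the note above calls for. The function names (_blocks, range_entries, matches, standard_ace) are my own, not IOS or any library API.

```python
# Added example (not from the original page); assumes dotted-quad strings throughout.
import itertools

def _octets(addr: str) -> list[int]:
    parts = [int(p) for p in addr.split(".")]
    assert len(parts) == 4 and all(0 <= p <= 255 for p in parts), addr
    return parts

def wildcard_from_subnet_mask(mask: str) -> str:
    """255.255.255.255 minus the subnet mask (the bitwise inverse of the mask)."""
    return ".".join(str(255 - o) for o in _octets(mask))

def _blocks(lo: int, hi: int) -> list[tuple[int, int]]:
    """Split one octet interval lo..hi into aligned power-of-two blocks: (start, size - 1)."""
    out, start = [], lo
    while start <= hi:
        size = 1
        while start % (size * 2) == 0 and start + size * 2 - 1 <= hi:
            size *= 2
        out.append((start, size - 1))
        start += size
    return out

def wildcard_from_range(low: str, high: str) -> str:
    """HIGHER minus LOWER, octet by octet. Valid only when each octet's difference is
    one less than a power of two and LOWER sits on a boundary of that block size."""
    blocks = [_blocks(l, h) for l, h in zip(_octets(low), _octets(high))]
    if any(len(b) != 1 for b in blocks):
        raise ValueError("range needs more than one entry; use range_entries()")
    return ".".join(str(b[0][1]) for b in blocks)

def standard_ace(address: str, wildcard: str, number: int = 1) -> str:
    """Render a standard ACL line; 0.0.0.0 becomes 'host X' and all ones becomes 'any'."""
    if wildcard == "0.0.0.0":
        return f"access-list {number} permit host {address}"
    target = "any" if wildcard == "255.255.255.255" else f"{address} {wildcard}"
    return f"access-list {number} permit {target}"

def range_entries(low: str, high: str, number: int = 1) -> list[str]:
    """Entries covering every address whose octets each fall within LOWER..HIGHER: one
    entry when every octet is an aligned power-of-two block, several otherwise."""
    per_octet = [_blocks(l, h) for l, h in zip(_octets(low), _octets(high))]
    return [standard_ace(".".join(str(s) for s, _ in combo),
                         ".".join(str(w) for _, w in combo), number)
            for combo in itertools.product(*per_octet)]

def matches(packet_ip: str, address: str, wildcard: str) -> bool:
    """Wildcard bit 1 = ignore this bit, 0 = check this bit."""
    return all(((p ^ a) & ~w & 0xFF) == 0 for p, a, w in
               zip(_octets(packet_ip), _octets(address), _octets(wildcard)))
```

Note the alignment check in _blocks: besides each octet difference being one less than a power of 2, the LOWER end must sit on a multiple of that block size (48..63 qualifies, 40..55 does not and becomes two entries).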