When you are studying Cisco and access-lists you will encounter the so-called Wildcard Bits. Most CCNA
students find these very confusing so I’m here to help you and explain to you how they work. Let’s take a
look at an example access-list:
Router#show access-lists
Standard IP access list 1
10 permit 192.168.1.0, wildcard bits 0.0.0.255
20 permit 192.168.2.0, wildcard bits 0.0.0.255
30 permit 172.16.0.0, wildcard bits 0.0.255.255
Access-lists don’t use subnet masks but wildcard bits. This means that in binary a “0” will be replaced by
Let me show you some examples:
Subnet mask 255.255.255.0 would be 0.0.0.255 as the wildcard mask. To explain this I need to show you
some binary:
Bits 128 64 32 16 8 4 2 1
255 1 1 1 1 1 1 1 1
This is the first octet of the subnet mask (255.255.255.0) in binary, as you can see all values have a 1
making the decimal number 255.
Bits 128 64 32 16 8 4 2 1
0 0 0 0 0 0 0 0 0
This is also the first octet but now with wildcard bits. If you want the wildcard-equivalent you need to flip
the bits, if there’s a 1 you need to change it into a 0. That’s why we now have the decimal number 0.
Let me show you another subnet mask…let’s take 255.255.255.128. What would be the wildcard-equivalent
of this? We know the 255.255.255.X part so I’m only showing you the .128 part.
Bits 128 64 32 16 8 4 2 1
128 1 0 0 0 0 0 0 0
That’s the last octet of our subnet mask, let’s flip the bits:
Bits 128 64 32 16 8 4 2 1
127 0 1 1 1 1 1 1 1
Just flip the bits over and this is the wildcard-equivalent. This gives us the decimal number 127.
Bits 128 64 32 16 8 4 2 1
224 1 1 1 0 0 0 0 0
Bits 128 64 32 16 8 4 2 1
31 0 0 0 1 1 1 1 1
Are you following me? It will take some practice by configuring access-lists to become familiar with these
wildcards.
Forum Replies
dsimpson
Having trouble with the following example: Not clear why A and C are the correct answers.
A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two
ACL statements, when combined, would you use to accomplish this task? (Choose two)
dsimpson
I think I have the idea. The point was re-enforced after reading the link below where he mentions “You want to target a consecutive range of IP addresses” in usage example number 4.
http://www.networking-forum.com/viewtopic.php?t=3596
Thanks
ReneMolenaar
Hi Donald,
You can do some funny things with wildcard masks, you can even match networks that are not contiguous. Something to keep in mind is that your first network has to be an even
number.
Example #1:
148 – 10010100
149 – 10010101
In this case the first 7 bits are the same so you can use wildcard 00000001
Example #2:
149 - 10010101
150 - 10010110
Only the first 6 bits are the same so the wildcard would be 00000011. The problem of this wildcard is that it will match 4 networks:
148 - 10010100
149 - 10010101
150 - 10010110
151 - 10010111
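An added Python example (not part of the lesson or of any forum post) that performs the bit flip from the lesson and checks which networks an ACL entry really matches, as in the reply above. The 192.168.x.0 prefix and the full wildcards 0.0.1.255, 0.0.3.255 and 0.0.2.255 are assumptions built around the third-octet values discussed; the function names are hypothetical.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_mask(mask):
    """Flip every bit of a subnet mask to get the wildcard mask."""
    return str(ipaddress.IPv4Address(to_int(mask) ^ 0xFFFFFFFF))

def acl_match(address, base, wildcard):
    """Wildcard bit 0 = must equal the entry's bit, 1 = ignored."""
    care = to_int(wildcard) ^ 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)

def matched_third_octets(base, wildcard):
    """Every x for which a.b.x.0 matches the entry (a.b taken from base)."""
    a, b = base.split(".")[:2]
    return [x for x in range(256) if acl_match(f"{a}.{b}.{x}.0", base, wildcard)]

def over_permitted(base, wildcard, intended):
    """Third-octet networks the entry matches that were not intended."""
    return sorted(set(matched_third_octets(base, wildcard)) - set(intended))

if __name__ == "__main__":
    # Subnet masks taken from the lesson text.
    for mask in ("255.255.255.0", "255.255.255.128", "255.255.255.224"):
        print(mask, "->", wildcard_from_mask(mask))
    # Constructed entries: (entry address, wildcard, networks the admin meant).
    entries = [
        ("192.168.148.0", "0.0.1.255", [148, 149]),  # first 7 bits equal
        ("192.168.149.0", "0.0.3.255", [149, 150]),  # only 6 bits equal
        ("192.168.148.0", "0.0.2.255", [148, 150]),  # non-contiguous wildcard
    ]
    for base, wc, want in entries:
        print(base, wc, "matches", matched_third_octets(base, wc),
              "extra:", over_permitted(base, wc, want))
```

Running the audit before applying an entry shows any networks it permits beyond the ones intended.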
aujla3
Just to add to Rene’s comments above, the other reason to choose wild card mask over subnet mask is that subnet masks have contiguous number of bits for the network portion and
host portions. For example a subnet mask of 255.255.255.0 is 11111111.11111111.11111111.00000000. You can never have a subnet mask of 11110111.00111111.11110111.00000000,
however this is not the case with wild card masks. With wild card mask we can turn bits on and off where we want to and therefore having a great deal of flexibility over what we want to
match. you can get really creat