Wildcard Bits explained 

When you are studying Cisco and access-lists you will encounter the so-called Wildcard Bits. Most CCNA students find these very confusing so I’m here to help you and explain to you how they work. Let’s take a look at an example access-list:

Router#show access-lists
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 permit 192.168.2.0, wildcard bits 0.0.0.255
    30 permit 172.16.0.0, wildcard bits 0.0.255.255

Access-lists don’t use subnet masks but wildcard bits. A wildcard mask is the inverse of a subnet mask: in binary, every “0” is replaced by a “1” and vice versa.

Let me show you some examples:

Subnet mask 255.255.255.0 would be 0.0.0.255 as the wildcard mask. To explain this I need to show you
some binary:

Bits   128   64   32   16    8    4    2    1
255      1    1    1    1    1    1    1    1

This is the first octet of the subnet mask (255.255.255.0) in binary. As you can see, all bits have a 1, making the decimal number 255.

Bits   128   64   32   16    8    4    2    1
0        0    0    0    0    0    0    0    0

This is also the first octet but now with wildcard bits. If you want the wildcard-equivalent you need to flip the bits: if there’s a 1 you need to change it into a 0. That’s why we now have the decimal number 0.

Let me show you another subnet mask…let’s take 255.255.255.128. What would be the wildcard-equivalent
of this? We know the 255.255.255.X part so I’m only showing you the .128 part.

Bits   128   64   32   16    8    4    2    1
128      1    0    0    0    0    0    0    0

That’s the last octet of our subnet mask, let’s flip the bits:

Bits   128   64   32   16    8    4    2    1
127      0    1    1    1    1    1    1    1

Just flip the bits over and this is the wildcard-equivalent. This gives us the decimal number 127.

The subnet mask 255.255.255.128 will be 0.0.0.127 as a wildcard.

Just one more!

Subnet mask 255.255.255.224…what is the wildcard?

Bits   128   64   32   16    8    4    2    1
224      1    1    1    0    0    0    0    0

Flip those bits!

Bits   128   64   32   16    8    4    2    1
31       0    0    0    1    1    1    1    1

Our wildcard will be 0.0.0.31

Are you following me? It will take some practice configuring access-lists to become familiar with these wildcards.


Forum Replies

dsimpson

Having trouble with the following example: Not clear why A and C are the correct answers.

A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)

A. access-list 10 permit ip 192.168.146.0 0.0.1.255
B. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255

... Continue reading in our forum

dsimpson

I think I have the idea. The point was reinforced after reading the link below where he mentions “You want to target a consecutive range of IP addresses” in usage example number 4.

http://www.networking-forum.com/viewtopic.php?t=3596

Thanks

ReneMolenaar

Hi Donald,

You can do some funny things with wildcard masks, you can even match networks that are not contiguous. Something to keep in mind is that your first network has to be an even number.

Example #1:

148 - 10010100
149 - 10010101

In this case the first 7 bits are the same so you can use wildcard 00000001

Example #2:

149 - 10010101
150 - 10010110

Only the first 6 bits are the same so the wildcard would be 00000011. The problem of this wildcard is that it will match 4 networks:

148 - 10010100
149 - 10010101
150 - 10010110
151 - 10010111

These 4 networks have

... Continue reading in our forum
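
A way to check what a wildcard entry really permits, applied to the four quiz options and to the wildcards discussed in the reply above. This is an added example, not code from the forum thread; the function names are hypothetical and the search is limited to the 192.168.x.0/24 networks.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def matches(base, wildcard, addr):
    """Compare only the bit positions where the wildcard has a 0."""
    care = to_int(wildcard) ^ 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def covered_third_octets(base, wildcard, prefix="192.168"):
    """Values x for which every host of prefix.x.0/24 matches the entry.

    .0 and .255 differ in all eight host bits, so if both match, every
    address in between matches too.
    """
    return [x for x in range(256)
            if matches(base, wildcard, f"{prefix}.{x}.0")
            and matches(base, wildcard, f"{prefix}.{x}.255")]

# Networks the quiz wants to allow, and the four answer options.
INTENDED = {146, 147, 148, 149}
OPTIONS = {
    "A": ("192.168.146.0", "0.0.1.255"),
    "B": ("192.168.147.0", "0.0.255.255"),
    "C": ("192.168.148.0", "0.0.1.255"),
    "D": ("192.168.149.0", "0.0.255.255"),
}

def audit(entries, intended):
    """Return (missing, extra) third octets for a list of permit entries."""
    covered = set()
    for base, wildcard in entries:
        covered |= set(covered_third_octets(base, wildcard))
    return sorted(intended - covered), sorted(covered - intended)

if __name__ == "__main__":
    for name, (base, wc) in OPTIONS.items():
        missing, extra = audit([(base, wc)], INTENDED)
        print(name, "missing:", missing, "extra networks:", len(extra))
    print("A+C:", audit([OPTIONS["A"], OPTIONS["C"]], INTENDED))
    # Wildcard 00000011 in the third octet, starting from 149.
    print(covered_third_octets("192.168.149.0", "0.0.3.255"))
    # A non-contiguous match: only bit value 2 of the third octet is ignored.
    print(covered_third_octets("192.168.148.0", "0.0.2.255"))
```

Options B and D each report 252 extra networks because 0.0.255.255 ignores the whole third octet, which is the kind of over-permissive entry this check is meant to catch before an ACL is applied.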

aujla3

Just to add to Rene’s comments above, the other reason to choose a wildcard mask over a subnet mask is that subnet masks have a contiguous number of bits for the network portion and host portions. For example, a subnet mask of 255.255.255.0 is 11111111.11111111.11111111.00000000. You can never have a subnet mask of 11110111.00111111.11110111.00000000, however this is not the case with wildcard masks. With a wildcard mask we can turn bits on and off where we want to and therefore have a great deal of flexibility over what we want to match. You can get really creat

... Continue reading in our forum

© 2013 - 2021 NetworkLessons.com