ACL Concepts

Chapter Description

In this sample chapter from Enterprise Networking, Security, and Automation Companion Guide (CCNAv7) for Cisco Networking Academy students, you will explore differences between standard and extended IPv4 ACLs.

Wildcard Masks in ACLs (4.2)

A wildcard mask is similar to a subnet mask, but the meaning of its bits is reversed. In this section, you will learn how to calculate a wildcard mask from a subnet mask.

Wildcard Mask Overview (4.2.1)

In the previous section, you learned about the purpose of ACLs. This section explains how ACLs use wildcard masks. An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a match. Wildcard masks are also used by the Open Shortest Path First (OSPF) routing protocol.

A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, a wildcard mask and a subnet mask differ in the way they interpret binary 1s and 0s. With a subnet mask, a binary 1 means the corresponding address bit must match and a binary 0 means it is not compared; with a wildcard mask, the reverse is true.

Wildcard masks use the following rules to match binary 1s and 0s:

  • Wildcard mask bit 0: Match the corresponding bit value in the address.

  • Wildcard mask bit 1: Ignore the corresponding bit value in the address.

Table 4-2 lists some examples of wildcard masks and what they would match and ignore.

Table 4-2 Examples of Wildcard Masks

Wildcard Mask   Last Octet (in Binary)   Meaning (0—match, 1—ignore)
0.0.0.0         00000000                 Match all octets.
0.0.0.63        00111111                 Match the first three octets.
                                         Match the 2 leftmost bits of the last octet.
                                         Ignore the last 6 bits.
0.0.0.15        00001111                 Match the first three octets.
                                         Match the 4 leftmost bits of the last octet.
                                         Ignore the last 4 bits of the last octet.
0.0.0.248       11111100                 Match the first three octets.
                                         Ignore the 6 leftmost bits of the last octet.
                                         Match the last 2 bits.
0.0.0.255       11111111                 Match the first three octets.
                                         Ignore the last octet.
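The matching rule in Table 4-2 can be checked in code. The following Python is an added example, not part of the chapter: it applies the wildcard rule bit by bit, reports how many addresses a single ACE covers, and flags wildcard masks whose 1 bits are not all at the right-hand end. Such a non-contiguous mask selects addresses scattered through the octet rather than one block, which is easy to misread when reviewing an ACL. The example also prints each mask's real bit pattern: 0.0.0.248 is 11111000 in binary, so it ignores the 5 leftmost bits of the last octet; the 11111100 pattern described in the table corresponds to 0.0.0.252. The reference address 192.168.1.0 is a constructed sample.

```python
import ipaddress


def to_int(addr):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def to_str(value):
    """32-bit integer -> dotted-quad IPv4 string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_match(candidate, reference, wildcard):
    """Apply the Table 4-2 rule: an address bit must equal the reference bit
    wherever the wildcard bit is 0, and is ignored wherever it is 1.

    XOR marks every bit where candidate and reference differ; AND with the
    inverted wildcard keeps only the differing bits the ACE cares about.
    """
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(candidate) ^ to_int(reference)) & care_bits == 0


def matched_count(wildcard):
    """How many addresses one ACE with this wildcard covers: 2 ** (number of 1 bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


def is_contiguous(wildcard):
    """True when every 1 bit sits to the right of every 0 bit, i.e. the wildcard
    is the inverse of a valid subnet mask and describes exactly one CIDR block."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def last_octet_binary(wildcard):
    """Last octet of the wildcard as an 8-character bit string, as in Table 4-2."""
    return format(to_int(wildcard) & 0xFF, "08b")


def matched_last_octets(reference, wildcard):
    """Last-octet values (0-255) matched when the first three octets equal the
    reference's; shows what a non-contiguous mask really selects."""
    high = to_int(reference) & 0xFFFFFF00
    return [o for o in range(256)
            if wildcard_match(to_str(high | o), reference, wildcard)]


if __name__ == "__main__":
    # Constructed sample: reference network 192.168.1.0 with the Table 4-2 masks (plus 0.0.0.252).
    for wc in ("0.0.0.0", "0.0.0.63", "0.0.0.15", "0.0.0.248", "0.0.0.252", "0.0.0.255"):
        shape = "contiguous" if is_contiguous(wc) else "NON-contiguous"
        hosts = len(matched_last_octets("192.168.1.0", wc))
        print("%-10s %s %-15s matches %3d hosts in 192.168.1.x" % (wc, last_octet_binary(wc), shape, hosts))
```

The contiguity check is the one worth keeping in an ACL review script: a wildcard that fails it cannot be expressed as a subnet mask, so the intended scope of the ACE should be confirmed with the author rather than assumed.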

Wildcard Mask Types (4.2.2)

Using wildcard masks takes some practice. The following sections provide examples to help you learn how wildcard masks are used to filter traffic for one host, one subnet, and a range of IPv4 addresses.

Wildcard to Match a Host

In this example, the wildcard mask is used to match a specific host IPv4 address. Say that ACL 10 needs an ACE that only permits the host with IPv4 address 192.168.1.1. Recall that 0 equals a match, and 1 equals ignore. To match a specific host IPv4 address, a wildcard mask consisting of all zeros (that is, 0.0.0.0) is required.

Table 4-3 lists, in decimal and binary, the host IPv4 address, the wildcard mask, and the permitted IPv4 address.

Table 4-3 Wildcard to Match a Host Example

                        Decimal        Binary
IPv4 address            192.168.1.1    11000000.10101000.00000001.00000001
Wildcard mask           0.0.0.0        00000000.00000000.00000000.00000000
Permitted IPv4 address  192.168.1.1    11000000.10101000.00000001.00000001

The 0.0.0.0 wildcard mask stipulates that every bit must match exactly. Therefore, when the ACE is processed, the wildcard mask will permit only the 192.168.1.1 address. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1 0.0.0.0.

Wildcard Mask to Match an IPv4 Subnet

In this example, ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The wildcard mask 0.0.0.255 stipulates that the first three octets must match exactly, but the fourth octet does not need to match.

Table 4-4 lists, in decimal and binary, the host IPv4 address, the wildcard mask, and the permitted IPv4 addresses.

Table 4-4 Wildcard Mask to Match an IPv4 Subnet Example

                        Decimal         Binary
IPv4 address            192.168.1.1     11000000.10101000.00000001.00000001
Wildcard mask           0.0.0.255       00000000.00000000.00000000.11111111
Permitted IPv4 address  192.168.1.0/24  11000000.10101000.00000001.00000000

When the ACE is processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24 network. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.0 0.0.0.255.

Wildcard Mask to Match an IPv4 Address Range

In this example, ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24, …, 192.168.31.0/24 networks. The wildcard mask 0.0.15.255 would correctly filter that range of addresses.

Table 4-5 lists, in decimal and binary, the host IPv4 address, the wildcard mask, and the permitted IPv4 addresses.

Table 4-5 Wildcard Mask to Match an IPv4 Address Range Example

                        Decimal                             Binary
IPv4 address            192.168.16.0                        11000000.10101000.00010000.00000000
Wildcard mask           0.0.15.255                          00000000.00000000.00001111.11111111
Permitted IPv4 address  192.168.16.0/24 to 192.168.31.0/24  11000000.10101000.00010000.00000000 to
                                                            11000000.10101000.00011111.00000000

The wildcard mask bits set to 0 (the first 20 bits) identify which bits of the IPv4 address must match. When the ACE is processed, the wildcard mask 0.0.15.255 permits all hosts in the 192.168.16.0/24 to 192.168.31.0/24 networks. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.16.0 0.0.15.255.

Wildcard Mask Calculation (4.2.3)

Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255. The following sections provide examples to help you learn how to calculate the wildcard mask using the subnet mask.

Example 1

Say that you wanted an ACE in ACL 10 to permit access to all users in the 192.168.3.0/24 network. To calculate the wildcard mask, subtract the subnet mask (that is, 255.255.255.0) from 255.255.255.255, as shown in Table 4-6.

The solution produces the wildcard mask 0.0.0.255. Therefore, the ACE would be access-list 10 permit 192.168.3.0 0.0.0.255.

Table 4-6 Wildcard Mask Calculation—Example 1

Starting value             255.255.255.255
Subtract the subnet mask  –255.255.255.  0
Resulting wildcard mask      0.  0.  0.255

Example 2

In this example, say that you wanted an ACE in ACL 10 to permit network access for the 14 users in the subnet 192.168.3.32/28. Subtract the subnet mask (that is, 255.255.255.240) from 255.255.255.255, as shown in Table 4-7.

This solution produces the wildcard mask 0.0.0.15. Therefore, the ACE would be access-list 10 permit 192.168.3.32 0.0.0.15.

Table 4-7 Wildcard Mask Calculation—Example 2

Starting value             255.255.255.255
Subtract the subnet mask  –255.255.255.240
Resulting wildcard mask      0.  0.  0. 15

Example 3

In this example, say that you needed an ACE in ACL 10 to permit only the networks 192.168.10.0 and 192.168.11.0. These two networks can be summarized as 192.168.10.0/23, which has a subnet mask of 255.255.254.0. Again, you subtract the 255.255.254.0 subnet mask from 255.255.255.255, as shown in Table 4-8.

This solution produces the wildcard mask 0.0.1.255. Therefore, the ACE would be access-list 10 permit 192.168.10.0 0.0.1.255.

Table 4-8 Wildcard Mask Calculation—Example 3

Starting value             255.255.255.255
Subtract the subnet mask  –255.255.254.  0
Resulting wildcard mask      0.  0.  1.255

Example 4

Consider an example in which you need ACL 10 to match networks in the range 192.168.16.0/24 to 192.168.31.0/24. This network range can be summarized as 192.168.16.0/20, which has a subnet mask of 255.255.240.0. Therefore, subtract the 255.255.240.0 subnet mask from 255.255.255.255, as shown in Table 4-9.

This solution produces the wildcard mask 0.0.15.255. Therefore, the ACE would be access-list 10 permit 192.168.16.0 0.0.15.255.

Table 4-9 Wildcard Mask Calculation—Example 4

Starting value             255.255.255.255
Subtract the subnet mask  –255.255.240.  0
Resulting wildcard mask      0.  0. 15.255
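The subtraction in Examples 1 through 4, and the summarization step that precedes it in Examples 3 and 4, can be automated. The following Python is an added example and not the chapter's own material; it uses only the standard library ipaddress module, and ACL number 10 and the networks are taken from the examples above. It also covers a case the text does not show: two /24s that do not form one aligned block, which must become two ACEs rather than one ACE with a wider wildcard.

```python
import ipaddress


def wildcard_from_subnet_mask(subnet_mask):
    """The chapter's shortcut: subtract the subnet mask from 255.255.255.255, octet by octet."""
    octets = [int(o) for o in subnet_mask.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad mask: %r" % subnet_mask)
    return ".".join(str(255 - o) for o in octets)


def wildcard_from_prefix(prefix_len):
    """Same result from a /n prefix length: the wildcard is (32 - n) trailing 1 bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def ace_for_network(acl_number, network_cidr, action="permit"):
    """Build a numbered standard ACE for one CIDR block.

    strict=False lets a host address such as 192.168.3.33/28 be reduced to its
    network address 192.168.3.32: bits under wildcard 1s are ignored when the
    ACE is matched, so the ACE is written with the network address for readability.
    """
    net = ipaddress.IPv4Network(network_cidr, strict=False)
    wildcard = wildcard_from_subnet_mask(str(net.netmask))
    # Cross-check against the standard library, which calls the inverse mask "hostmask".
    assert wildcard == str(net.hostmask)
    return "access-list %d %s %s %s" % (acl_number, action, net.network_address, wildcard)


def aces_for_networks(acl_number, networks, action="permit"):
    """Summarize a list of networks (Examples 3 and 4) into as few ACEs as possible.

    collapse_addresses only merges blocks that form a single aligned supernet:
    192.168.10.0/24 + 192.168.11.0/24 become 192.168.10.0/23, while
    192.168.11.0/24 + 192.168.12.0/24 stay separate. Forcing the second pair into
    one ACE with a wider wildcard would permit networks that were never requested.
    """
    nets = [ipaddress.IPv4Network(n) for n in networks]
    return [ace_for_network(acl_number, str(n), action)
            for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # Constructed inputs: the four examples from the chapter plus the non-summarizable pair.
    print(ace_for_network(10, "192.168.3.0/24"))
    print(ace_for_network(10, "192.168.3.32/28"))
    print(*aces_for_networks(10, ["192.168.10.0/24", "192.168.11.0/24"]), sep="\n")
    print(*aces_for_networks(10, ["192.168.%d.0/24" % i for i in range(16, 32)]), sep="\n")
    print(*aces_for_networks(10, ["192.168.11.0/24", "192.168.12.0/24"]), sep="\n")
```

Generating the ACE from the CIDR block, rather than typing the wildcard by hand, removes the most common source of over-permissive standard ACEs: a wildcard one bit wider than the subnet it was meant to cover.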

Wildcard Mask Keywords (4.2.4)

Working with decimal representations of binary wildcard mask bits can be tedious. To simplify this task, Cisco IOS provides two keywords to identify the most common uses of wildcard masking. Keywords reduce ACL keystrokes and make it easier to read an ACE.

The two keywords are as follows:

  • host: This keyword substitutes for the 0.0.0.0 mask and indicates that all IPv4 address bits must match to filter just one host address.

  • any: This keyword substitutes for the 255.255.255.255 mask and indicates that the entire IPv4 address is ignored, so any address is accepted.

In the command output in Example 4-1, two ACLs are configured. The ACL 10 ACE permits only the 192.168.10.10 host, and the ACL 11 ACE permits all hosts.

Example 4-1 ACLs Configured Without Keywords

R1(config)# access-list 10 permit 192.168.10.10 0.0.0.0
R1(config)# access-list 11 permit 0.0.0.0 255.255.255.255
R1(config)#

Alternatively, the keywords host and any could be used to replace the explicit masks in Example 4-1 (0.0.0.0 after the host address, and 0.0.0.0 255.255.255.255 for any address). The commands in Example 4-2 accomplish the same task as the commands in Example 4-1.

Example 4-2 ACLs Configured Using Keywords

R1(config)# access-list 10 permit host 192.168.10.10
R1(config)# access-list 11 permit any
R1(config)#
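As an added example that is not part of the chapter, the following Python parses a numbered standard ACE in any of the three source forms shown in Examples 4-1 and 4-2 (explicit wildcard, host, any), re-renders it in keyword form, and can tell whether two ACEs select the same addresses. The R1(config)# prompt is accepted and ignored so that the lines from the examples can be fed in exactly as printed. Clearing the address bits that sit under wildcard 1s is a normalization choice made in this example: it makes 192.168.17.5 0.0.15.255 and 192.168.16.0 0.0.15.255 compare equal, which reflects how they match, since those bits are never examined.

```python
import ipaddress
import re

# Optional IOS config prompt, then: access-list <number> permit|deny <source>
ACE_RE = re.compile(
    r"^(?:\S+\(config\)#\s*)?access-list\s+(?P<num>\d+)\s+"
    r"(?P<action>permit|deny)\s+(?P<src>.+?)\s*$"
)
ALL_ONES = 0xFFFFFFFF


def parse_standard_ace(line):
    """Parse a numbered standard ACE into (acl_number, action, address, wildcard),
    with address and wildcard as 32-bit integers. Accepts 'A.B.C.D W.X.Y.Z',
    'host A.B.C.D' and 'any' as the source."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("not a numbered standard ACE: %r" % line)
    src = m.group("src").split()
    if src == ["any"]:
        addr, wildcard = 0, ALL_ONES
    elif len(src) == 2 and src[0] == "host":
        addr, wildcard = int(ipaddress.IPv4Address(src[1])), 0
    elif len(src) == 2:
        addr = int(ipaddress.IPv4Address(src[0]))
        wildcard = int(ipaddress.IPv4Address(src[1]))
    else:
        raise ValueError("unsupported source syntax: %r" % m.group("src"))
    # Normalization (this example's choice): bits under a wildcard 1 are never
    # compared, so clear them to get one canonical address per matched set.
    addr &= ~wildcard & ALL_ONES
    return int(m.group("num")), m.group("action"), addr, wildcard


def canonical_ace(line):
    """Re-render an ACE in keyword form: 0.0.0.0 -> 'host', 255.255.255.255 -> 'any'."""
    num, action, addr, wildcard = parse_standard_ace(line)
    if wildcard == 0:
        src = "host %s" % ipaddress.IPv4Address(addr)
    elif wildcard == ALL_ONES:
        src = "any"
    else:
        src = "%s %s" % (ipaddress.IPv4Address(addr), ipaddress.IPv4Address(wildcard))
    return "access-list %d %s %s" % (num, action, src)


def equivalent(ace_a, ace_b):
    """True when two ACEs apply the same action to exactly the same set of addresses."""
    return parse_standard_ace(ace_a) == parse_standard_ace(ace_b)


if __name__ == "__main__":
    # The lines of Example 4-1, exactly as printed, mapped to the keyword form of Example 4-2.
    for line in ("R1(config)# access-list 10 permit 192.168.10.10 0.0.0.0",
                 "R1(config)# access-list 11 permit 0.0.0.0 255.255.255.255"):
        print(canonical_ace(line))
```

Comparing ACEs through a parser like this, instead of as raw strings, is what lets a configuration audit treat Example 4-1 and Example 4-2 as the same policy.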