Is this correct regarding Wildcard Masks?

Is this correct regarding Wildcard Masks?

Mainly the last section "Example #2 (Medium)"

Wildcard masks - Internetworkpro

Much Appreciated

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

peanutnoggin

IMO... the easiest way to determine your wildcard mask is to subtract your subnet mask from all 255s. As an example... if your network is 192.168.1.0 /28 and you want to write an acl for this network... you would subtract 255.255.255.240 from all 255.255.255.255:

255.255.255.255
-255.255.255.240

0 . 0 . 0 . 15 --> this would be your wildcard mask. I couldn't pull up the link... so I hope this helps some!

V/r

~Peanut

losso

I think what hes trying to determine is the more advanced option.

is

Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80

so 65.16.0.3 is it a valid wildcard mask?

I know subnet masks have to be 128,192,224 etc. and follow in order of the bits e.g you cant have 1111111.00001111 as on octets in a subnet mask, is this the inverse case for wilcards? i.e you cannot have 00001111.00011111.00011111.00001111 but you can have 00000000.0000000.00000111.11111111 ??

fly351

Given the information we have so far we can come up with the following wildcard mask: 64.16.0.3. When we compare 128.15.12.8 with wildcard mask 64.16.0.3 we see that we can only come up with the 16 networks defined above thus the final ACL would be: Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80

Unless that is some off the wall CCIE level craziness... than yes it's wrong.

Forsaken_GA

fly351 wrote: »

Given the information we have so far we can come up with the following wildcard mask: 64.16.0.3. When we compare 128.15.12.8 with wildcard mask 64.16.0.3 we see that we can only come up with the 16 networks defined above thus the final ACL would be: Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80

Unless that is some off the wall CCIE level craziness... than yes it's wrong.

It's not wrong. Look at the actual example as to what they're trying to accomplish. He wants to ensure that one network can access a very particular number of IP's, and to do it in as few ACL statements as possible. It's a good exercise in binary bit masking

fly351

Forsaken_GA wrote: »

It's not wrong. Look at the actual example as to what they're trying to accomplish. He wants to ensure that one network can access a very particular number of IP's, and to do it in as few ACL statements as possible. It's a good exercise in binary bit masking

I was wrong... I never seen this at the CCNA level... however, I am still studying so maybe I haven't gotten to that part yet

fly351

So my instructor had taught me the "subtract 255.255.255.255" method, which is why I never seen/read this before.

I am a little confused though on how the Wildcard Mask on the example 2 works.

To permit access, the 0 bit's must be on, and the 1 bit's do not matter.
Access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80

I think it's wrong.. here is what I broke into binary:

10000000.00001111.00001100.00001000- 128.15.12.8
10000000.00001111.00001100.00001001 - 128.15.12.9
10000000.00001111.00001100.00001010 - 128.15.12.10
10000000.00001111.00001100.00001011 - 128.15.12.11
11000000.00001111.00001100.00001000- 192.15.12.8
11000000.00001111.00001100.00001001 - 192.15.12.9
11000000.00001111.00001100.00001010 - 192.15.12.10
11000000.00001111.00001100.00001011 - 192.15.12.11
10000000.00011111.00001100.00001000- 128.31.12.8
10000000.00011111.00001100.00001001 - 128.31.12.9
10000000.00011111.00001100.00001010 - 128.31.12.10
10000000.00011111.00001100.00001011 - 128.31.12.11
11000000.00011111.00001100.00001000 - 192.31.12.8
11000000.00011111.00001100.00001001 - 192.31.12.9
11000000.00011111.00001100.00001010 - 192.31.12.10
11000000.00011111.00001100.00001011 - 192.31.12.11
01111111.11110000.11110011.11110111 - 127.240.243.247 (my Wildcard mask)
01000000.00010000.00000000.00000011 - 64.16.0.3 (The examples Wildcard mask)

Am I wrong??

Forsaken_GA

Yes, you're wrong.

When wildcard masking, a 0 means the bit must match, and a 1 means it doesnt matter whether it's on or not.

With your wildcard mask, the only requirement is that the first bit must be on. So the first octet of your wildcard mask will match on values from 128 to 255

In the examples wildcard mask, only the bit value for 64 is optional, everything else must match exactly. Since it's being wildcarded against 128, that means that the last bit must be on, and the second to last bit can be on or off, and all the rest of the values must be off. This means the only possible values on that octet are 128 and 192, which is inline with the example.

The flaw in you understanding is that you think the 0 bits must be 'on', that's not the case, they simply have to match the on/off status on the IP that it's being wildcarded against. A 1 means the state of the bit in the original IP is of no consequence.

fly351

Thanks Forsaken, I get it now.

Cheesewaffle

Yea the main query I had is that I was taught the "Wildcard Mask" is an inverted "Subnet Mask".

I always thought... why? What is the point....

So when I came across this website I was quite excited, but then I thought it may be lies/wrong.

Now I think its right but,
1. Is this practical?
2. Is there any other difference between Wildcards and Subnets?

Cheers

mikej412

fly351 wrote: »

I never seen this at the CCNA level

At the CCNA level they start out simple with "allow only odd numbered host IP Addresses" -- but it depends on what you used to study.

Forsaken_GA

Cheesewaffle wrote: »

So when I came across this website I was quite excited, but then I thought it may be lies/wrong.

Now I think its right but,
1. Is this practical?
2. Is there any other difference between Wildcards and Subnets?

Well, yes it's practical. The alternative solution is to create multiple ACL statements. Doing it on the one line makes the configuration leaner, and lessens processing time, as it doesn't have to go down the line and check until it finds a statement that matches, or gets hit with the implicity deny. The oneline results in one check, either the IP matches the wildcard mask, or it doesn't.

Subnet masks identify ranges of IP's. The reverse subnet mask method is the quick and dirty method, and applicable to alot of situations, but the wildcard masking allows for a bit more flexibility