WildCard Masks

KMAN24 Member Posts: 44
Could someone break down wildcard masks for me? For instance, what does the 0.0.0.7 wildcard mask in the following access-list actually tell me? access-list 105 deny tcp 192.168.1.4 0.0.0.7 eq 20 ?

Thanks

Comments

  • nethead Member Posts: 43
    OK, with the wildcard masks you just add up the bits in the other direction, i.e. from right to left instead of left to right.

    In order for an address to match the access list entry, the bits are compared: if the bit in the wildcard is 0 then it must be matched in the address being compared; if the bit in the wildcard is 1 then this bit of the address does not have to match (it is ignored).

    So with 192.168.1.4 0.0.0.7
    7 = 1 + 2 + 4

    So when comparing an address every bit except the last 3 bits must match.

    Therefore 192.168.1.0-7 will match this access list.

    Looking at these addresses in bit format for the last eight bits:

    192.168.1.0 00000000
    192.168.1.1 00000001
    .....
    192.168.1.4 00000100
    ...
    192.168.1.6 00000110
    192.168.1.7 00000111
    192.168.1.8 00001000

    The first 5 bits above all match for .0 - .7 so these addresses will match against the access list. The first 5 bits for .8 do not match so this address will be rejected against this access list.

    HTH
    "The time for talking is over. Now call it extreme if you like, but I propose we hit it hard, and we hit it fast, with a major, and I mean major, leaflet campaign. "
    - Rimmer, Polymorph
  • KMAN24 Member Posts: 44
    That clears it up some, I need some more practice though !!
  • rossonieri#1 Member Posts: 799
    In addition to the basic wildcard mask,
    specify the subnet you want to filter: 128-192-224-240-248-252-254-255
    The wildcard is:
    255-128=127
    255-192=63
    255-224=31
    255-240=15
    255-252=7
    255-254=1
    255-255=0
    the More I know, that is more and More I don't know.
  • tunerX Member Posts: 447
    Even easier. Broadcast mask minus the netmask.

    255.255.255.255
    - 255.255.255.248
    0. 0. 0. 7

    Then add the inverse mask to the network number to get the range.

    192.168.1.0
    0. 0.0.0
    192.168.1.7

    The range for your first net is 0-7.
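
The bit-matching rule from nethead's post and the netmask subtraction from tunerX's post, as an added Python example that is not part of any post in this thread. The function names are made up for illustration, and the enumeration also handles non-contiguous wildcards, which goes beyond the cases discussed above.

```python
import ipaddress

FULL = 0xFFFFFFFF  # 255.255.255.255 as a 32-bit integer


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def acl_matches(address, base, wildcard):
    """Wildcard bit 0 = must equal the base address, bit 1 = ignored."""
    care = ~to_int(wildcard) & FULL
    return ((to_int(address) ^ to_int(base)) & care) == 0


def wildcard_from_netmask(netmask):
    """Broadcast mask minus the netmask, e.g. 255.255.255.248 -> 0.0.0.7."""
    return str(ipaddress.IPv4Address(FULL - to_int(netmask)))


def matched_addresses(base, wildcard, limit=16):
    """List every address an entry matches, in ascending order.

    Works for non-contiguous wildcards too; refuses masks with more than
    `limit` ignored bits so the list stays small.
    """
    wc = to_int(wildcard)
    free_bits = [b for b in range(32) if (wc >> b) & 1]
    if len(free_bits) > limit:
        raise ValueError("wildcard ignores too many bits to enumerate")
    fixed = to_int(base) & ~wc & FULL
    result = []
    for n in range(1 << len(free_bits)):
        addr = fixed
        for i, bit in enumerate(free_bits):
            if (n >> i) & 1:
                addr |= 1 << bit
        result.append(str(ipaddress.IPv4Address(addr)))
    return result


if __name__ == "__main__":
    # Constructed checks using the entry from the question: 192.168.1.4 0.0.0.7
    for host in ("192.168.1.0", "192.168.1.7", "192.168.1.8"):
        print(host, acl_matches(host, "192.168.1.4", "0.0.0.7"))
    print(wildcard_from_netmask("255.255.255.248"))
    print(matched_addresses("192.168.1.4", "0.0.0.7"))
```
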
  • fusebox Member Posts: 87
    KMAN24 wrote:
    That clears it up some, I need some more practice though !!

    I agree.... You asked an excellent question.
    I'm a newbie.... please be easy on me.