Cisco IP Access-List Wildcard Masks

Copyright © 1999 Boson Software

by john@boson.com

We all know the rules and seen the literature on how to do wild card masks:
The 32 bit wildcard mask consists of l's and O's
1 = ignore this bit
o = check this bit
Yada, yada, yada .

BUT MOST OF THE TIME WE WANT TO DO ONE OF

THESE THREE THINGS:
1. MATCH A HOST
2. MATCH AN ENTIRE SUBNET
3. lVIATCHA RANGE
or
14. MATCH EVERYONE
I Here are the easy ways to do that

A22 wi2dcard mask bits are zero's

For Standard Access-2ist
Access-2ist 1 permit 157.89.8.9 0.0.0.0
Access-2ist 1 permit 157.89.8.9 (standard access 2ists assume
a O. O. O. 0 mask)
For Extended Access-2ists
Access-2ist 101 permit ip 157.89.8.9 0.0.0.0 any
Access-2ist 101 permit ip host 157.89.8.9 any

........ - - -.-----.-.- ---------- --------_ _---_._-.- ----------_ __ .. __ .__ ._---------.-- -------- ---- -.----_ _--.- --------- -.-.--.--_ -.--- -_ ..------.--.--

i2. How to match an Entire Subnet

(Wildcard mask = 255.255.255.255 - subnet mask
 ! Example 2

:Given 111.2.4.112 subnet mask 255.255.255.224

255.255.255.255

!, Wildcard mask

(Answer:

Example 3

,Given 3.2.128.0 subnet mask 255.255.192.0

255.255.255.255
 ! Given 203.2.4.128 subnet mask 255.255.255.240

255.255.255.255

~- subnet mask 255.255.255.240

(Wildcard mask O. O. O. 15

:Answer:

!ACcess-list 1 permit 203.2.4.128 0.0.0.15

3D How to Match a range

(Works when the range lS an entire subnet)

157. 89. 31.255

-157. 89. 16. a

Warning: Each non-zero value must be ONE LESS than a power of 2

(i.e. one of these:0,1,3,7,15,31,63,127,255)

157. 89. 16. 32 - 157. 89. 31. 63

http://www.boson.com/promo!guides!Cisco!acrclip-access-list.htm
IITo Find Wildcard Mask, Take the HIGHER minus the Lower:

14. Matching everyone is eSlsy: I

t~==~==·=====~~~~~=~~~===~==~·~=~=~~=~·~.·==
,Access-list
lor
1 permit any
I
I Access-list 1 permit 0.0.0.0 255.255.255.255

Questions, comments? Email the Webmaster.

Copyright 1999 Boson Software, Inc. All rights reserved
See our full disclaimer.
Using and Configuring QSPF Multi-Area
Components

Area 0 ABR
EO 10.64.0.2
10.2.1.1
10.64.0.1 EO
51

<Output Omitted>
interface EthernetO
ip address 10.64.0.2 255.255.255.0
1·
interface SerialO
ip address 10.2.1.2 255.255.255.0
<Output Omitted>

~Flf#~§~;~'
netwoik 10.2.1.2 0.0.0.0 :it~~;~fl!
network 10.64.0.2 0.0.0. O.;8.1:~~,'.9i

There are no special commands to make a router an ABR or ASBR. The router
takes on this role by virtue of the areas to which it is connected. As a reminder,
the basic OSPF configuration steps are as foHows:
Step 1 Enable OSPF on the router.

Step 2 Identify which IP ne~orks on the router are part of the OSPF network. For each
network, you must identify what area the network belongs to. When configuring
multiple OSPF areas, make sure to associate the correct network addresses with
the desired area ID, as shown in the graphic.

Step 3 (Optional) If the router has at least one interface connected into a non-OSPF
network, perform the proper configuration steps. At this point, the router will be
acting as an ASBR. How the router exchanges (redistributes) non-OSPF route
information with the other OSPF routers is discussed in Chapter 9, "Optimizing
Routing Update Operation."

Note Refer to Chapter 4, "Configuring OSPF for a Single Area," for details about basic
OSPF configuration commands.
 Controlling Inbound Access
access-list 12 permit 192.168.1.0 0.0.0.255
(implicit deny any)

line vty ° 4
access-class 12 in

• Permits only hosts in network 192.168.1.00.0.0.255 to

connect to the router vty

Example: vty Access

In this example, you are permitting any device on network 192.168.1.00.0.0.255 to establish a
virtual terminal (Telnet) session with the router. Of course, the user must know the appropriate
passwords to enter user mode and privileged mode.

Notice that identical restrictions have been set on every vty (0 to 4) because you cannot control
on which vty a user will connect.

The implicit deny any statement still applies to the ACL when it is used as an access-class
entry.