
TCP/IP Access Control List Wildcard Masks

The rules are known and you have seen examples of how to generate wildcard masks:
The 32-bit wildcard mask consists of 1s and 0s, whereby a 1 means "ignore this bit" and a 0 means
"check this bit".

Most of the time though, we just want to:

1. MATCH A HOST
2. MATCH AN ENTIRE SUBNET
3. MATCH A RANGE
4. MATCH EVERYONE

Here is how to accomplish the above, without too much pain….

1. TO MATCH A HOST

Set all the wildcard mask bits to zero

For a Standard Access-list

Access-list 1 permit 186.145.65.12 0.0.0.0

or

Access-list 1 permit 186.145.65.12 (standard access lists assume a 0.0.0.0 mask)

For Extended Access-lists

Access-list 101 permit ip 186.145.65.12 0.0.0.0 any

or

Access-list 101 permit ip host 186.145.65.12 any

2. MATCH AN ENTIRE SUBNET

Wildcard mask = 255.255.255.255 – (minus) the subnet mask

Example 1

Given 42.64.86.0 subnet mask 255.255.255.0

255.255.255.255 - subnet mask 255.255.255.0 = Wildcard mask 0.0.0.255

Access-list 1 permit 42.64.86.0 0.0.0.255

Example 2

Given 202.22.66.99 subnet mask 255.255.255.240

255.255.255.255 - subnet mask 255.255.255.240 = Wildcard mask 0.0.0.15

Access-list 1 permit 202.22.66.99 0.0.0.15

Example 3

Given 55.66.77.0 subnet mask 255.255.224.0

255.255.255.255 - subnet mask 255.255.224.0 = Wildcard mask 0.0.31.255

Access-list 1 permit 55.66.77.0 0.0.31.255

Example 4

Given 211.95.32.128 subnet mask 255.255.255.248

255.255.255.255 - subnet mask 255.255.255.248 = Wildcard mask 0.0.0.7

Access-list 1 permit 211.95.32.128 0.0.0.7

3. MATCH A RANGE (WITHIN A SINGLE (SUB)NETWORK)

To find the wildcard mask, take the HIGHER end of the range minus the LOWER end of the range:

Example 1

Match the range from 132.43.48.0 to 132.43.63.255

132.43.63.255 - 132.43.48.0 = Wildcard mask 0.0.15.255

Access-list 1 permit 132.43.48.0 0.0.15.255

Pay Attention! Now hear this: with this approach each octet of the wildcard mask must be ONE LESS
than a power of 2 (i.e. one of these: 0, 1, 3, 7, 15, 31, 63, 127, 255), and every octet to the
right of a non-zero octet must be 255. You will have to create more ranges if this condition is
not met. (See below for an example.)
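As an added example (not part of the handout), the following Python implements the three rules above the way a router evaluates them: the subtraction from section 2, the high-minus-low rule from section 3 together with the one-less-than-a-power-of-2 check, and the bit-by-bit "0 = check, 1 = ignore" test from the opening paragraph. It adds one check the handout does not spell out, that the low end of a range must start on a boundary of the block size, and an `effective_block` helper that shows which addresses an entry such as `202.22.66.99 0.0.0.15` really covers. All function names are my own; the addresses are the handout's examples.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_mask(subnet_mask):
    """Section 2 rule: 255.255.255.255 minus the subnet mask, which is
    simply the bitwise inverse of the mask."""
    return _to_dotted(0xFFFFFFFF ^ _to_int(subnet_mask))


def wildcard_from_range(low, high):
    """Section 3 rule: high end minus low end. Raises ValueError when the
    range cannot be expressed as ONE address/wildcard pair, so the caller
    knows it has to split the range into several entries."""
    lo, hi = _to_int(low), _to_int(high)
    if hi < lo:
        raise ValueError("high end of the range is below the low end")
    span = hi - lo  # the candidate wildcard, as a 32-bit integer
    # span + 1 must be a power of two: then every octet of the wildcard is
    # one of 0,1,3,7,15,31,63,127,255 and every octet to the right of a
    # non-zero octet is 255 (the handout's "Pay Attention" condition).
    if (span + 1) & span:
        raise ValueError(f"{low}-{high}: wildcard {_to_dotted(span)} "
                         "is not one less than a power of 2")
    # Extra check not stated on the page: the low end has to sit on a
    # boundary of the block size, or the pair matches a different block.
    if lo & span:
        raise ValueError(f"{low} does not start on a boundary of a "
                         f"{span + 1}-address block")
    return _to_dotted(span)


def is_single_entry_range(low, high):
    """True when the range low..high fits a single ACL entry."""
    try:
        wildcard_from_range(low, high)
        return True
    except ValueError:
        return False


def matches(acl_address, wildcard, candidate):
    """Apply the mask the way the router does: a 0 bit in the wildcard is
    compared, a 1 bit is ignored. XOR finds the differing bits; masking
    with the inverted wildcard keeps only the bits that must agree."""
    differing = _to_int(acl_address) ^ _to_int(candidate)
    checked = 0xFFFFFFFF ^ _to_int(wildcard)
    return (differing & checked) == 0


def effective_block(acl_address, wildcard):
    """First and last address an entry really covers. Address bits under a
    1 in the wildcard are ignored, so 'permit 202.22.66.99 0.0.0.15'
    behaves as 202.22.66.96 - 202.22.66.111."""
    a, w = _to_int(acl_address), _to_int(wildcard)
    first = a & (0xFFFFFFFF ^ w)
    return _to_dotted(first), _to_dotted(first | w)


def addresses_covered(wildcard):
    """Size of the block a wildcard matches (the counts in the table below)."""
    return _to_int(wildcard) + 1


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.240"))          # 0.0.0.15
    print(wildcard_from_range("132.43.48.0", "132.43.63.255"))  # 0.0.15.255
    print(effective_block("202.22.66.99", "0.0.0.15"))
    print(is_single_entry_range("132.43.48.0", "132.43.56.255"))  # False
```

`effective_block` is the check worth running before committing an entry: a range that is not aligned, such as 10.0.0.8 to 10.0.0.23, yields a valid-looking wildcard of 0.0.0.15, but the entry would silently cover 10.0.0.0 to 10.0.0.15 instead; `wildcard_from_range` rejects it for that reason.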

4. MATCH EVERYONE

Access-list 1 permit any

or

Access-list 1 permit 0.0.0.0 255.255.255.255

These are the only masks that you should try to use at this point, keeping it simple.

0.0.0.0 (will allow/deny 1 IP address)
0.0.0.1 (will allow/deny 2 IP addresses)
0.0.0.3 (will allow/deny 4 IP addresses)
0.0.0.7 (will allow/deny 8 IP addresses)
0.0.0.15 (will allow/deny 16 IP addresses)
0.0.0.31 (will allow/deny 32 IP addresses)
0.0.0.63 (will allow/deny 64 IP addresses)
0.0.0.127 (will allow/deny 128 IP addresses)
0.0.0.255 (will allow/deny 256 IP addresses)
0.0.0.255 (will allow/deny 1 value in the third octet, or 256 IP addresses)
0.0.1.255 (will allow/deny 2 values in the third octet, or 512 IP addresses)
0.0.3.255 (will allow/deny 4 values in the third octet, or 1024 IP addresses)
0.0.7.255 (will allow/deny 8 values in the third octet, or 2048 IP addresses)
0.0.15.255 (will allow/deny 16 values in the third octet, or 4096 IP addresses)
0.0.31.255 (will allow/deny 32 values in the third octet, or 8192 IP addresses)
0.0.63.255 (will allow/deny 64 values in the third octet, or 16384 IP addresses)
0.0.127.255 (will allow/deny 128 values in the third octet, or 32768 IP addresses)
0.0.255.255 (will allow/deny 256 values in the third octet, or 65536 IP addresses)

This is what you have to do when the range does not fit inside a single (sub)network. Note: The
CCNA test won't have you doing this. You'll have to wait until CCNP or CCIE.

Match the range from 132.43.16.32 to 132.43.31.63

This is a class "B" address. With subnet mask 255.255.255.224 (/27) we get the smallest block of
contiguous addresses that starts at 132.43.16.32; using successively shorter subnet masks (fewer
mask bits) we get larger blocks. The goal is for each wildcard mask to match a contiguous block of
addresses that lies entirely inside the range.

132.43.16.63 - 132.43.16.32 = 0.0.0.31
132.43.16.127 - 132.43.16.64 = 0.0.0.63
132.43.16.255 - 132.43.16.128 = 0.0.0.127
132.43.17.255 - 132.43.17.0 = 0.0.0.255
132.43.19.255 - 132.43.18.0 = 0.0.1.255
132.43.23.255 - 132.43.20.0 = 0.0.3.255
(Notice that we cannot take the next size block, as it exceeds our range: 132.43.31.255 -
132.43.24.0 = 0.0.7.255. So we stay at this size.)
132.43.27.255 - 132.43.24.0 = 0.0.3.255
(Now we take smaller blocks again, or we exceed the range of the exercise.)
132.43.29.255 - 132.43.28.0 = 0.0.1.255
132.43.30.255 - 132.43.30.0 = 0.0.0.255
(The next one down, 132.43.31.255 - 132.43.31.128 = 0.0.0.127, exceeds the end of our exercise,
so we take a smaller block again.)
132.43.31.63 - 132.43.31.0 = 0.0.0.63, bringing us to the end of the range.

Taking the starting addresses and wildcard masks from above, we get

Access-list 1 permit 132.43.16.32 0.0.0.31
Access-list 1 permit 132.43.16.64 0.0.0.63
Access-list 1 permit 132.43.16.128 0.0.0.127
Access-list 1 permit 132.43.17.0 0.0.0.255
Access-list 1 permit 132.43.18.0 0.0.1.255
Access-list 1 permit 132.43.20.0 0.0.3.255
Access-list 1 permit 132.43.24.0 0.0.3.255
Access-list 1 permit 132.43.28.0 0.0.1.255
Access-list 1 permit 132.43.30.0 0.0.0.255
Access-list 1 permit 132.43.31.0 0.0.0.63
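The ten-entry decomposition above is one instance of a general greedy procedure: from the current start address take the largest power-of-two block that begins on its own boundary and does not run past the end of the range, emit it, and move the start past it. The following Python is an added example, not the handout's own material, that automates that procedure and reproduces the ten entries above; it also cross-checks the result against the standard library's `ipaddress.summarize_address_range`, which performs the same split (a network's hostmask is its wildcard mask). Function names are my own.

```python
import ipaddress


def largest_aligned_block(start, high):
    """Largest power-of-two block that begins at `start` on its own boundary
    and does not run past `high`. The handout's 'the next size exceeds our
    range, so we take a smaller range again' steps are exactly this loop."""
    # A block starting at `start` can be at most as large as the lowest set
    # bit of `start` (start & -start isolates it); 0 is aligned to anything.
    size = start & -start if start else 1 << 32
    while start + size - 1 > high:
        size //= 2
    return size


def split_range(low, high):
    """Greedy decomposition of low..high into (address, wildcard) pairs."""
    lo = int(ipaddress.IPv4Address(low))
    hi = int(ipaddress.IPv4Address(high))
    if hi < lo:
        raise ValueError("high end of the range is below the low end")
    entries = []
    start = lo
    while start <= hi:
        size = largest_aligned_block(start, hi)
        # wildcard = high end of block minus its start = size - 1
        entries.append((str(ipaddress.IPv4Address(start)),
                        str(ipaddress.IPv4Address(size - 1))))
        start += size
    return entries


def acl_lines(number, low, high, action="permit"):
    """Render the pairs as standard access-list statements (IOS keywords are
    conventionally lowercase; the handout capitalises them, IOS accepts both)."""
    return [f"access-list {number} {action} {addr} {wildcard}"
            for addr, wildcard in split_range(low, high)]


def cross_check(low, high):
    """Same decomposition via the standard library's range summariser."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(low),
                                             ipaddress.IPv4Address(high))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


if __name__ == "__main__":
    for line in acl_lines(1, "132.43.16.32", "132.43.31.63"):
        print(line)
    assert split_range("132.43.16.32", "132.43.31.63") == \
        cross_check("132.43.16.32", "132.43.31.63")
```

Run it and the ten printed lines are the handout's list; fed the section 3 range 132.43.48.0 to 132.43.63.255 it returns the single pair 132.43.48.0 / 0.0.15.255, which is the quick way to tell whether a range needs one entry or several.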

For a rather unorthodox discussion of ACLs, see http://www.routergod.com/donking/

Michael McKeever, Network Instructor, Santa Rosa Junior College
