
Access Control List (ACL) - Wildcard Masks

Wildcard masks are used in Access Control Lists (ACL) to identify (or filter) an individual host, a network, or a range of IP addresses in a network in order to permit or deny access.

When using a wildcard mask, a "0" in a bit position means that the corresponding bit of the address in the Access Control List (ACL) statement must match the bit in the same position of the IP address in the examined packet, and a "1" bit means that the corresponding bit of the IP address is ignored. In other words, the "0" bits of the wildcard mask select the part of the IP address that must match exactly, and the "1" bits select the part that can have any value. Some examples of Access Control List (ACL) wildcard masks are given below.

How to specify a single host using Access Control List (ACL) Wildcard mask

To specify a single host using Access Control List (ACL) Wildcard mask, the IP address and wildcard mask should be as below.

172.16.0.12 0.0.0.0

The four zeros in the wildcard mask represent the four octets of the address. As discussed above, wherever a zero is present in the wildcard mask, the corresponding part of the IP address must match exactly, so this statement matches only the host 172.16.0.12.

The keyword "host" can also be used to accomplish the same result as shown below.

host 172.16.0.12

How to specify an entire network using Access Control List (ACL) Wildcard mask

To specify an entire network using an Access Control List (ACL) Wildcard mask, use a wildcard mask value of 255 (all bits "1") in every octet that belongs to the host portion. The following example can be used to specify all IP addresses in the 172.16.0.0/16 network.

172.16.0.0 0.0.255.255

The above example states that only the values of the first two octets must match exactly, and the values of the last two octets can be anything. This statement matches all the IP addresses of the 172.16.0.0/16 network.

How to specify a range of IP addresses in a network using Access Control List (ACL) Wildcard mask


To specify a range of IP addresses in a network using an Access Control List (ACL) Wildcard mask, set the "1" bits of the wildcard mask only in the host bits of the subnet, that is, the bits that are "0" in the subnet mask.

Example 1: The following example can be used to specify all IP addresses of a class B network, 172.16.0.0, which is subnetted using a class C subnet mask (172.16.0.0/24).

The binary representation of the above network address, subnet mask and wildcard mask is shown below.

IP address    - 10101100.00010000.00000000.00000000
Subnet Mask   - 11111111.11111111.11111111.00000000
Wildcard Mask - 00000000.00000000.00000000.11111111

The decimal representation of the above IP Address and wildcard mask is given below.

172.16.0.0 0.0.0.255

The above example states that the values of the first three octets must match exactly, and the value of the last octet can be anything. This statement matches all the IP addresses of the 172.16.0.0/24 network.

Example 2: The following example can be used to specify all IP addresses of a class B network subnet, 172.16.240.0/20 (Subnet Mask 255.255.240.0).

The binary representation of the above network address, subnet mask and wildcard mask is shown below. The "|" marks the boundary between the 20 network bits and the 12 host bits.

IP address    - 10101100.00010000.1111 | 0000.00000000
Subnet Mask   - 11111111.11111111.1111 | 0000.00000000
Wildcard Mask - 00000000.00000000.0000 | 1111.11111111

The decimal representation of the above IP Address, Subnet Mask and Wildcard mask is given below.

IP address    - 172.16.240.0
Subnet Mask   - 255.255.240.0
Wildcard Mask - 0.0.15.255

The above example states that the values of the first 20 bits must match exactly, and the last 12 bits can be anything. This statement matches all the IP addresses of the 172.16.240.0/20 network, shown below.

Network address - 172.16.240.0/20
First usable IP address - 172.16.240.1/20
Last usable IP Address - 172.16.255.254/20
Broadcast address - 172.16.255.255/20
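The matching rule and the three statement types described above (single host, whole network, subnet range) can be checked mechanically. The following Python script is an added example and is not part of the original tutorial or of any router vendor's code. It derives the wildcard mask from a prefix length (the bitwise inverse of the subnet mask), tests whether a packet's source address would match an ACL statement by comparing only the bits where the wildcard has a "0", and computes the address range a statement covers. It also flags non-contiguous wildcard masks (for example 0.0.255.0), which are legal in an ACL but match scattered addresses rather than one block and are a common source of over-permissive rules. The sample packet addresses are constructed for the demonstration; the ACL statements are the ones used in the tutorial.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer back to dotted-decimal (extra high bits are discarded)."""
    return str(ipaddress.IPv4Address(value & MASK32))


def to_binary(dotted: str) -> str:
    """Dotted-binary form, as used in the tutorial's worked examples."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(dotted).packed)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /N prefix: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (MASK32 << (32 - prefix_len)) & MASK32
    return to_dotted(~subnet_mask)


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is a run of 0s followed by a run of 1s, i.e. it
    describes one CIDR block. A wildcard like 0.0.255.0 is legal but matches
    scattered addresses and is easy to misread during review."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def matches(packet_ip: str, acl_address: str, wildcard: str) -> bool:
    """ACL match test: every bit where the wildcard has a 0 must be equal
    between the packet address and the ACL statement address; bits where the
    wildcard has a 1 are ignored."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(packet_ip) & care) == (to_int(acl_address) & care)


def matched_range(acl_address: str, wildcard: str) -> tuple:
    """Lowest and highest address covered by a contiguous wildcard statement."""
    if not is_contiguous(wildcard):
        raise ValueError("range is only well defined for a contiguous wildcard")
    a, w = to_int(acl_address), to_int(wildcard)
    return to_dotted(a & ~w), to_dotted(a | w)


if __name__ == "__main__":
    # The three statements from the tutorial, tried against constructed packets.
    statements = [("172.16.0.12", "0.0.0.0"),
                  ("172.16.0.0", "0.0.255.255"),
                  ("172.16.240.0", "0.0.15.255")]
    packets = ["172.16.0.12", "172.16.0.13", "172.16.255.254", "172.17.0.1"]
    for acl_addr, wc in statements:
        print(f"{acl_addr} {wc}   (wildcard in binary: {to_binary(wc)})")
        print("  covers %s to %s" % matched_range(acl_addr, wc))
        for pkt in packets:
            verdict = "match" if matches(pkt, acl_addr, wc) else "no match"
            print(f"  {pkt:15} -> {verdict}")
```

When auditing an ACL, run each statement through `matched_range` and `is_contiguous`: a statement whose range is wider than the subnet it was meant to cover, or whose wildcard is non-contiguous, deserves a second look, because the router applies the bitwise rule exactly as written regardless of what the author intended.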
