Wildcard mask

WILDCARD               NETWORK MASK
0 - means match        0 - host part of a network address
1 - means ignore       1 - match; identifies the network bits that must match for all hosts in the same subnet

Calculate wildcard mask

                   255.255.255.255
  subnet mask    - 255.255.192.  0
                   ---------------
  wildcard mask      0.  0. 63.255

Examples

                         pattern         wildcard
access-list 33 permit    198.51.100.58   0.0.0.63
IP packet evaluated      198.51.100.3

In binary:

ACL IP pattern       198.51.100.58   11000110.00110011.01100100.00111010
Wildcard mask        0.0.0.63        00000000.00000000.00000000.00111111
Logic applied                        \___ these bits must match _/\____/
                                                                  ignore (can be 0 or 1)
Range of addresses matching the rule:
  from               198.51.100.0    11000110.00110011.01100100.00000000
  to                 198.51.100.63   11000110.00110011.01100100.00111111
IP packet evaluated  198.51.100.3    11000110.00110011.01100100.00000011   MATCH!

ACL abbreviations

any  = 0.0.0.0 255.255.255.255      # wildcard ignores all address bits
host = e.g. 10.0.0.2 0.0.0.0        # wildcard requires that all bits match
Standard numbered ACL
Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ][ log ]
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
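
Added example (not part of the original notes, and not Cisco code): the wildcard calculation, the access-list 33 match and the any/host abbreviations from this page, written as a small Python check of the source and source-wildcard fields. The function names are made up for this sketch, and 198.51.100.64 is a constructed non-matching address.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_from_subnet(subnet_mask):
    """255.255.255.255 minus the subnet mask (the bitwise inverse)."""
    return to_dotted(ALL_ONES ^ to_int(subnet_mask))

def expand(source):
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' into (pattern, wildcard)."""
    parts = source.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"unsupported source: {source!r}")

def matches(source, packet_ip):
    """True when the packet equals the pattern on every bit whose wildcard bit is 0."""
    pattern, wildcard = expand(source)
    care = ALL_ONES ^ to_int(wildcard)   # 1 = bit must match
    return (to_int(packet_ip) & care) == (to_int(pattern) & care)

def matched_range(source):
    """Lowest and highest matching address (the full set when the wildcard's 1 bits are all low-order)."""
    pattern, wildcard = expand(source)
    ignore = to_int(wildcard)
    low = to_int(pattern) & (ALL_ONES ^ ignore)   # ignored bits of the pattern are cleared
    return to_dotted(low), to_dotted(low | ignore)

if __name__ == "__main__":
    rule = "198.51.100.58 0.0.0.63"   # source fields of access-list 33 on this page
    print("wildcard for 255.255.192.0:", wildcard_from_subnet("255.255.192.0"))
    print("range:", matched_range(rule))
    for ip in ("198.51.100.3", "198.51.100.64"):   # second address is a constructed non-match
        print(ip, "MATCH" if matches(rule, ip) else "no match")
    print("any:", matches("any", "10.0.0.2"), " host:", matches("host 10.0.0.2", "10.0.0.3"))
```

Note that the pattern 198.51.100.58 has bits set in positions the wildcard ignores, so the rule covers 198.51.100.0 through 198.51.100.63 rather than a range starting at .58.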