Standard access-list example on Cisco Router

Hi Jon,

You didn’t specify the network address that you used with the wildcard. Let’s assume it’s 20.10.0.0 0.0.254.254. Let’s look at some examples…

20.10.1.0 = 00010100 00001010 00000001 00000000
20.10.1.1 = 00010100 00001010 00000001 00000001
20.10.1.2 = 00010100 00001010 00000001 00000010
20.10.1.3 = 00010100 00001010 00000001 00000011
20.10.1.4 = 00010100 00001010 00000001 00000100

20.10.2.0 = 00010100 00001010 00000010 00000000
20.10.3.0 = 00010100 00001010 00000011 00000000
20.10.4.0 = 00010100 00001010 00000100 00000000
20.10.4.1 = 00010100 00001010 00000100 00000001
20.10.4.2 = 00010100 00001010 00000100 00000010

And our network and wildcard:

20.10.0.0 = 00010100 00001010 00000000 00000000

0.0.254.254 = 00000000 00000000 11111110 11111110

The first two octets have to match so we are only looking at the 20.10.x.x range. Let’s forget about those two octets.

1.0 = 00000001 00000000
1.1 = 00000001 00000001
1.2 = 00000001 00000010
1.3 = 00000001 00000011
1.4 = 00000001 00000100

2.0 = 00000010 00000000
3.0 = 00000011 00000000
4.0 = 00000100 00000000
4.1 = 00000100 00000001
4.2 = 00000100 00000010

NW = 00000000 00000000
WC = 11111110 11111110

With this network/wildcard combination, the 24th and 32nd bits have to be 0. We don’t care about the other bits. Only 20.10.2.0, 20.10.4.0 and 20.10.4.2 will match this. It matches only the EVEN networks with EVEN host addresses. If you want the odd networks, use a “deny” in your access-list instead of a “permit”.

If you want to get funky you could use another network address in combination with this wildcard. Let’s say we pick 20.10.0.1:

20.10.0.1 = 00010100 00001010 00000000 00000001

0.0.254.254 = 00000000 00000000 11111110 11111110

Let’s look at the last two octets:

1.0 = 00000001 00000000
1.1 = 00000001 00000001
1.2 = 00000001 00000010
1.3 = 00000001 00000011
1.4 = 00000001 00000100

2.0 = 00000010 00000000
3.0 = 00000011 00000000
4.0 = 00000100 00000000
4.1 = 00000100 00000001
4.2 = 00000100 00000010

NW = 00000000 00000001
WC = 11111110 11111110

Now we are saying that the 24th bit has to be 0 and the 32nd bit has to be 1. In my example that would only be 20.10.4.1. Another match would be 20.10.2.1 or 20.10.4.1. Now you have EVEN networks with ODD host addresses.

Hope this helps, it can be mind-boggling. If you are unsure, write down everything in binary and then check for the matching bits. You can verify your work with two routers, some loopback interfaces and a distribute-list for RIP/EIGRP. If you want some more explanations, take a look here:

https://networklessons.com/security/create-complex-wildcard-masks/

Rene
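The bit-by-bit check Rene describes above, as an added Python example (not part of the original thread): a 0 bit in the wildcard means the address bit must equal the network bit, a 1 bit means "don't care". It reproduces both of his cases (20.10.0.0 and 20.10.0.1 with 0.0.254.254) against the same candidate addresses, and is a quick way to confirm what an ACL line actually permits before it is applied to an interface. The candidate list is constructed from the addresses in the post.

```python
import ipaddress

# Candidate addresses taken from the examples in the post above.
CANDIDATES = [
    "20.10.1.0", "20.10.1.1", "20.10.1.2", "20.10.1.3", "20.10.1.4",
    "20.10.2.0", "20.10.3.0", "20.10.4.0", "20.10.4.1", "20.10.4.2",
]


def _as_int(address: str) -> int:
    return int(ipaddress.IPv4Address(address))


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: where the wildcard bit is 0 the address bit
    must equal the network bit; where it is 1 the bit is ignored."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF        # 1 = bit must match
    return (_as_int(address) & care) == (_as_int(network) & care)


def matching_addresses(candidates, network: str, wildcard: str):
    """Return the candidates an ACL entry 'network wildcard' would match."""
    return [c for c in candidates if wildcard_match(c, network, wildcard)]


def fixed_bits(network: str, wildcard: str) -> dict:
    """Map bit position (1 = most significant, 32 = least) to the value that
    position must have; positions covered by a 1 in the wildcard are absent."""
    n, w = _as_int(network), _as_int(wildcard)
    fixed = {}
    for pos in range(1, 33):
        shift = 32 - pos
        if not (w >> shift) & 1:
            fixed[pos] = (n >> shift) & 1
    return fixed


def to_binary(address: str) -> str:
    """Dotted binary with one 8-bit group per octet, like the tables above."""
    return " ".join(f"{int(octet):08b}" for octet in address.split("."))


if __name__ == "__main__":
    for net in ("20.10.0.0", "20.10.0.1"):
        print(net, "0.0.254.254 ->", matching_addresses(CANDIDATES, net, "0.0.254.254"))
```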