Wildcard Bits explained

This topic is to discuss the following lesson:

From your first example, you gave a subnet mask of 255.255.255.0 and you gave the wildcard mask as 0.255.255.255. And from the other explanation in your next example, 255.255.255.128’s wildcard mask would be 0.0.0.127, which I understood by your explanation of turning the 1s to 0s. Applying that to the first example of subnet mask 255.255.255.0 with wildcard mask 0.255.255.255 which you gave, I was thinking the wildcard mask of that should be 0.0.0.255 since the 1s are to be turned to 0s and 0s are to be 1s… please review it and let me know which is right. Thank you

Hi Ali,

You are 100% right, just fixed this typo. Thanks for sharing!

Rene

Having trouble with the following example: Not clear why A and C are the correct answers.

A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)

A. access-list 10 permit ip 192.168.146.0 0.0.1.255
B. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255
E. access-list 10 permit ip 192.168.146.0 0.0.0.255
F. access-list 10 permit ip 192.168.146.0 255.255.255.0

Hi Donald,

Let’s do this one in binary so you can see how it works.

146 - 10010010
147 - 10010011

As you can see, the first 7 bits are the same; only the 7th bit is different. When a bit is the same we use a 0; when it’s different we use a 1. Our wildcard will be:

00000001 which in decimal is .1 which matches with answer A. We can use the same logic for answer C:

148 - 10010100
149 - 10010101

The first 7 bits are the same, only the 8th bit is different.

I hope this helps!

Rene

2 Likes

I understand how you got the result. In the example above, this seems to only work on contiguous networks.

I think I have the idea. The point was reinforced after reading the link below, where he mentions “You want to target a consecutive range of IP addresses” in usage example number 4.

http://www.networking-forum.com/viewtopic.php?t=3596

Thanks

Hi Donald,

You can do some funny things with wildcard masks; you can even match networks that are not contiguous. Something to keep in mind is that your first network has to be an even number. Example #1:

148 - 10010100
149 - 10010101

In this case the first 7 bits are the same so you can use wildcard 00000001

Example #2:

149 - 10010101
150 - 10010110

Only the first 6 bits are the same, so the wildcard would be 00000011. The problem with this wildcard is that it will match 4 networks:

148 - 10010100
149 - 10010101
150 - 10010110
151 - 10010111

These 4 networks have the same first 6 bits.

Here you can read some more funky wildcard examples:

https://networklessons.com/security/create-complex-wildcard-masks/

And if you want any more examples, just let me know, ok?

Rene
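To make the binary reasoning in the two replies above reproducible, here is an added Python example (not part of the lesson or of Rene’s posts) that derives a base/wildcard pair from a list of networks using the rule “0 where all bits are the same, 1 where they differ”, and then enumerates every /24 the resulting statement actually matches. It uses only the standard `ipaddress` module; the CIDR inputs are the networks from the exam question above, and the function names are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_networks(networks):
    """Derive one (base, wildcard) pair covering every network in the list,
    following the method in the post: a wildcard bit is 0 where all networks
    share that bit and 1 where any two networks differ. Host bits of each
    network are always wildcarded. Input: CIDR strings such as "192.168.146.0/24".
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    first = int(nets[0].network_address)
    wildcard = 0
    for net in nets:
        wildcard |= int(net.hostmask)                   # host bits: don't care
        wildcard |= int(net.network_address) ^ first    # bits that differ: don't care
    base = first & ~wildcard & ALL_ONES                 # differing bits cleared to 0
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))


def covered_networks(base, wildcard, prefix=24):
    """Enumerate every /prefix network matched by base+wildcard by trying all
    combinations of the wildcarded (1) bits. This is how you see over-matching,
    e.g. 149+150 turning into a statement that also covers 148 and 151."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    free_bits = [1 << i for i in range(32) if w & (1 << i)]
    found = set()
    for combo in range(1 << len(free_bits)):
        addr = b & ~w & ALL_ONES
        for i, bit in enumerate(free_bits):
            if combo >> i & 1:
                addr |= bit
        net = ipaddress.ip_network((addr, prefix), strict=False)
        found.add(int(net.network_address))
    return [str(ipaddress.ip_network((n, prefix))) for n in sorted(found)]


if __name__ == "__main__":
    # Constructed sample input: the networks from the exam question in the thread.
    for group in (["192.168.146.0/24", "192.168.147.0/24"],
                  ["192.168.148.0/24", "192.168.149.0/24"],
                  ["192.168.149.0/24", "192.168.150.0/24"]):
        base, wc = wildcard_from_networks(group)
        print(f"{group} -> permit {base} {wc}")
        print("   matches:", covered_networks(group and base, wc))
```

Running it shows 146+147 and 148+149 each collapse to a single statement with wildcard 0.0.1.255 (answers A and C), while 149+150 yields 192.168.148.0 0.0.3.255, which covers four networks, exactly the over-match described in example #2.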

Hi Rene,

What is the benefit of using wildcards in access-lists? And why don’t we use subnet masks?
And in which cases or topics do we use wildcard masks?
I need to know the general interest of using wildcard masks.

Hi Hussein,

Back in the day, wildcard bits were faster to process than subnet masks. Here’s a long discussion about this:

https://learningnetwork.cisco.com/thread/3194

On Cisco IOS we use wildcards for access-lists and also for OSPF network commands. On other devices like the Cisco ASA we use subnet masks for access-lists.

Rene

Just to add to Rene’s comments above, the other reason to choose a wildcard mask over a subnet mask is that subnet masks have a contiguous number of bits for the network portion and host portion. For example, a subnet mask of 255.255.255.0 is 11111111.11111111.11111111.00000000. You can never have a subnet mask of 11110111.00111111.11110111.00000000; however, this is not the case with wildcard masks. With a wildcard mask we can turn bits on and off where we want to, and therefore have a great deal of flexibility over what we want to match. You can get really creative with wildcard masks; for example you can, if you want to, permit only even or odd numbered hosts from a given network. So if you have a statement like access-list 101 permit ip 192.168.1.0 0.0.0.254 any, this will only allow hosts with even numbered IP addresses.

1 Like

Here are some examples of what you can do with wildcards btw:

https://networklessons.com/security/create-complex-wildcard-masks/

In one of Todd Lammle’s books I learned two easy methods to calculate the wildcard.

  1. 255 - subnet mask = wildcard.
    For example, netmask 255.255.255.128. The wildcard will be (255-255=)0.(255-255=)0.(255-255=)0.(255-128=)127.

  2. IP addresses in subnet - 1.
    For example, netmask 255.255.255.192. This netmask has 64 IP addresses per subnet, so the wildcard will be 0.0.0.(64-1=)63.

With the recommended cheat sheet from the introduction of this course, calculating wildcard masks becomes really easy :).

Hi Wilfried,

Those are two good tricks yes. Make sure you practice enough with different access-list statements and you’ll be an expert in no time :slight_smile:

Rene

Just to make sure I am understanding the access-list wildcard, is my statement below correct:
for the statement permit tcp 10.195.187.0 0.0.0.63, does it mean permit the range from 10.195.187.1 to 10.195.187.62? Is that correct?
My question is, is the wildcard used in an access-list to make the process faster for the router, or to get the inverse and permit it in my example?

Thanks in advance.
Wisam

Hello Wisam,

Wildcard 0.0.0.63 is the same as subnet mask 255.255.255.192.

It matches the range from 10.195.187.0 to 10.195.187.63 (that’s 64 addresses).

One thing you can do with wildcard bits that you can’t do with subnet masks is matching on any bit you want. For example:

Historically, it might have something to do with how the router/pc processes access-lists and the speed of operation but I’m not sure about that :slight_smile:

Rene
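Wilfried’s two tricks and Rene’s 0.0.0.63 range answer above are easy to check in code. The following is an added Python example (my own, not from the lesson or the thread) implementing both tricks, the reverse conversion, a contiguity check, and the first/last address a wildcard statement covers. The function names are assumptions; the values in the demo are the ones from the thread.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(mask):
    """Trick 1: subtract every octet of the subnet mask from 255."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def mask_from_wildcard(wildcard):
    """Trick 1 run backwards (255 - wildcard octet). Only meaningful when the
    wildcard is contiguous, i.e. it corresponds to a real subnet mask."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


def wildcard_from_subnet_size(addresses):
    """Trick 2: addresses in the subnet minus 1. Treating the result as a
    32-bit value makes it work past the last octet too (512 -> 0.0.1.255)."""
    return str(ipaddress.IPv4Address(addresses - 1))


def is_contiguous(wildcard):
    """A wildcard that maps to a subnet mask is a run of 1s on the right only;
    for such values w & (w + 1) == 0 (0.0.0.63 yes, 0.0.0.254 no)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return w & (w + 1) == 0


def address_range(base, wildcard):
    """(first, last, count) for a contiguous wildcard. Bits of base that fall
    under wildcard 1s are ignored, so they are cleared before computing."""
    if not is_contiguous(wildcard):
        raise ValueError(f"{wildcard} is not contiguous: it matches a scattered set, not a range")
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    first = b & ~w & ALL_ONES
    last = first | w
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last)), w + 1


if __name__ == "__main__":
    print("255.255.255.128 ->", wildcard_from_mask("255.255.255.128"))   # 0.0.0.127
    print("64 addresses    ->", wildcard_from_subnet_size(64))           # 0.0.0.63
    print("0.0.0.63        ->", mask_from_wildcard("0.0.0.63"))          # 255.255.255.192
    print("10.195.187.0 0.0.0.63 covers", address_range("10.195.187.0", "0.0.0.63"))
```

The `address_range` check is the detail to remember from Rene’s reply: the range starts at .0 and ends at .63, so the network and broadcast-style edge addresses are inside the match, not outside it, and a statement meant to cover only .1 to .62 needs a different approach.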

Just some minor, constructive criticism: it would help if you explain wildcard bits as a concept, what they do. This lesson mainly explains how to get the bits.

For my own understanding, by providing a wildcard, the router knows what bits to use when it is checking whether the statements in an ACL apply, am I right? So with a wildcard of 0.0.0.255, the router will only examine that part of the IP address where there are 0s in the wildcard?

Hi Marit,

Sounds like a good idea. I’ll add it to my list.

We use a wildcard in ACL statements to tell the router what to match, and what to ignore:

  • Binary 0 means it has to match.
  • Binary 1 means we ignore it.

For example, let’s say you specify 192.168.1.0 with wildcard 0.0.0.255. This means “192.168.1” has to match, and we don’t care about the last octet. This means everything between 192.168.1.0 - 192.168.1.255 is a match.

Does this help?

Rene

1 Like
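The bit rule Rene gives here (0 must match, 1 is ignored) is the whole matching engine, and it also explains the even-hosts trick with wildcard 0.0.0.254 earlier in the thread. Below is an added Python example of my own (not from the lesson) that applies that rule bit by bit, lists which hosts a statement matches, and walks a small ACL top-down with the implicit deny at the end. The helper names and the sample addresses are constructed for the demo.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(address):
    return int(ipaddress.IPv4Address(address))


def wildcard_match(address, base, wildcard):
    """The rule from the post, bit by bit: where the wildcard bit is 0 the
    address bit must equal the base bit; where it is 1 the bit is ignored."""
    must_match = ~to_int(wildcard) & ALL_ONES
    return (to_int(address) ^ to_int(base)) & must_match == 0


def matched_last_octets(base, wildcard, first_three="192.168.1"):
    """Hypothetical helper: which hosts in first_three.0/24 a statement matches.
    With wildcard 0.0.0.254 the lowest bit must stay 0, so only even hosts hit."""
    return [h for h in range(256) if wildcard_match(f"{first_three}.{h}", base, wildcard)]


def evaluate_acl(entries, address):
    """Walk a standard ACL top-down: the first matching entry decides, and an
    address that matches nothing is denied (Cisco's implicit deny)."""
    for action, base, wildcard in entries:
        if wildcard_match(address, base, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed ACL: permit only even-numbered hosts in 192.168.1.0/24.
    acl_101 = [("permit", "192.168.1.0", "0.0.0.254")]
    for host in ("192.168.1.10", "192.168.1.11", "192.168.2.10"):
        print(f"{host} -> {evaluate_acl(acl_101, host)}")
    print("192.168.1.0 0.0.0.255 matches", len(matched_last_octets("192.168.1.0", "0.0.0.255")), "hosts")
```

Because `wildcard_match` never assumes the wildcard is contiguous, the same function handles both the plain 0.0.0.255 case from this post and the scattered 0.0.0.254 case; that is the flexibility the thread contrasts with subnet masks.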

Yes, thank you Rene! :slight_smile:

1 Like