When you are studying Cisco and access-lists you will encounter the so-called Wildcard Bits. Most networking students find these very confusing, so I’m here to help you and explain how they work. Let’s take a look at an example access-list:
Router#show access-lists
Standard IP access list 1
10 permit 192.168.1.0, wildcard bits 0.0.0.255
20 permit 192.168.2.0, wildcard bits 0.0.0.255
30 permit 172.16.0.0, wildcard bits 0.0.255.255Access-lists don’t use subnet masks but wildcard bits. A wildcard mask is used to specify what part of a prefix has to match and what should be ignored.
A wildcard mask is similar to a subnet mask. They both use an AND process to identify which bits have to match. The way they do this is different though:
- Subnet mask: a binary 1 means it has to match, and a binary 0 means it does not match.
- Wildcard mask: a binary 0 means it has to match, and a binary 1 means we don’t care about it.
Let me show you some examples:
Subnet mask 255.255.255.0 would be 0.0.0.255 as the wildcard mask. To explain this, I need to show you some binary:
| Bits | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| 255 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
This is the first octet of the subnet mask (255.255.255.0) in binary. As you can see all values have a 1 making the decimal number 255.
| Bits | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
This is also the first octet, but now with wildcard bits. If you want the wildcard equivalent, you need to flip the bits. If there’s a 1 you need to change it into a 0. That’s why we now have the decimal number 0.
Let me show you another subnet mask…let’s take 255.255.255.128. What would be the wildcard equivalent of this? We know the 255.255.255.X part, so I’m only showing you the .128 part.
| Bits | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| 128 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
That’s the last octet of our subnet mask. Let’s flip the bits:
From your first example,you gave a subnetmask of 255.255.255.0 and you gave the wildcard mask as 0.255.255.255. And from the other explanation in your next example,you 255.255.255.128’s wildcard mask would be 0.0.0.127 of which I understood by your explanation of turning the 1s to 0s. Applying that to the first example of subnetmask 255.255.255.0 with wildcardmask of 0.255.255.255 which you gave, I was thinking the wildcard mask of that should be 0.0.0.255 since the 1s are to be turned to 0s and 0s are to be 1s…pls review it and let me know which is it that is right. Thank you
Hi Ali,
You are 100% right, just fixed this typo. Thanks for sharing!
Rene
Having trouble with the following example: Not clear why A and C are the correct answers.
A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)
A. access-list 10 permit ip 192.168.146.0 0.0.1.255
... Continue reading in our forumB. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255
Having trouble with the following example: Not clear why A and C are the correct answers.
A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)
A. access-list 10 permit ip 192.168.146.0 0.0.1.255
... Continue reading in our forumB. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255
Hi Donald,
Let’s do this one in binary so you can see how it works.
146 - 10010010
147 - 10010011
As you can see the first 7 bits are the same, only the 7th bit is different. When a bit is the same we use a 0, when it’s different we use a 1. Our wildcard will be:
00000001 which in decimal is .1 which matches with answer A. We can use the same logic for answer C:
148 - 10010100
149 - 10010101
The first 7 bits are the same, only the 8th bit is different.
I hope this helps!
Rene