When you are studying Cisco and access-lists you will encounter the so-called Wildcard Bits. Most CCNA students find these very confusing so I’m here to help you and explain to you how they work. Let’s take a look at an example access-list:
Router#show access-lists
Standard IP access list 1
10 permit 192.168.1.0, wildcard bits 0.0.0.255
20 permit 192.168.2.0, wildcard bits 0.0.0.255
30 permit 172.16.0.0, wildcard bits 0.0.255.255Access-lists don’t use subnet masks but wildcard bits. This means that in binary a “0” will be replaced by a “1” and vice versa.
Let me show you some examples:
Subnet mask 255.255.255.0 would be 0.0.0.255 as the wildcard mask. To explain this I need to show you some binary:
| Bits | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| 255 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
This is the the first octet of the subnet mask (255.255.255.0) in binary, as you can see all values have a 1 making the decimal number 255.
| Bits | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
This is also the first octet but now with wildcard bits. If you want the wildcard-equivalent you need to flip the bits, if there’s a 1 you need to change it into a 0. That’s why we now have the decimal number 0.
Let me show you another subnet mask…let’s take 255.255.255.128. What would be the wildcard-equivalent of this? We know the 255.255.255.X part so I’m only showing you the .128 part.
| Bits | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1 |
| 128 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
That’s the last octet of our subnet mask, let’s flip the bits:
Having trouble with the following example: Not clear why A and C are the correct answers.
A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)
A. access-list 10 permit ip 192.168.146.0 0.0.1.255
... Continue reading in our forumB. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255
Having trouble with the following example: Not clear why A and C are the correct answers.
A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)
A. access-list 10 permit ip 192.168.146.0 0.0.1.255
... Continue reading in our forumB. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255
Hi Donald,
You can do some funny things with wildcard masks, you can even match networks that are not contiguous. Something to keep in mind is that your first network has to be an even number. Example #1:
148 – 10010100
149 – 10010101
In this case the first 7 bits are the same so you can use wildcard 00000001
Example #2:
149 - 10010101
150 - 10010110
Only the first 6 bits are the same so the wildcard would be 00000011. The problem of this wildcard is that it will match 4 networks:
148 - 10010100
149 - 10010101
150 - 10010110
151 - 10010111
These 4 networks have
... Continue reading in our forumHi Hussein,
Back in the days, wildcard bits were faster to process than subnet masks. Here’s a long discussion about this:
https://learningnetwork.cisco.com/thread/3194
On Cisco IOS we use wildcards for access-lists and also for OSPF network commands. On other devices like the Cisco ASA we use subnet masks for access-lists.
Rene
just to add to Rene’s comments above, the other reason to choose wild card mask over subnet mask is that subnet masks have contiguous number of bits for the network portion and host portions. for example as subnet mask of 255.255.255.0 is 11111111.11111111.11111111.00000000. You can never have a subnet mask of 11110111.00111111.11110111.00000000, however this is not the case with wild card masks. With wild card mask we can turn bits on and off where we want to and therefore having a great deal of flexibility over what we want to match. you can get really creat
... Continue reading in our forum