
Cisco IP Access-List Wildcard Mask

Date post: 09-Apr-2018
Upload: wallacenelson

  • 8/7/2019 Cisco IP Access-List Wildcard Mask

    Cisco IP Access-List Wildcard Masks

    Copyright 1999 Boson Software

    by [email protected]

    We all know the rules and have seen the literature on how to do wildcard masks:

    The 32-bit wildcard mask consists of 1's and 0's

    1 = ignore this bit

    0 = check this bit

    Yada, yada, yada.

    BUT MOST OF THE TIME WE WANT TO DO ONE OF THESE THREE THINGS:

    1. MATCH A HOST

    2. MATCH AN ENTIRE SUBNET

    3. MATCH A RANGE

    or

    4. MATCH EVERYONE

    Here are the easy ways to do that

    All wildcard mask bits are zeros

    For Standard Access-list

    Access-list 1 permit 157.89.8.9 0.0.0.0

    Access-list 1 permit 157.89.8.9 (standard access lists assume a 0.0.0.0 mask)

    For Extended Access-lists

    Access-list 101 permit ip 157.89.8.9 0.0.0.0 any

    Access-list 101 permit ip host 157.89.8.9 any


    2. How to match an Entire Subnet

    Wildcard mask = 255.255.255.255 - subnet mask

    Example 2

    Given 111.2.4.112 subnet mask 255.255.255.224

    255.255.255.255

    Wildcard mask

    Answer:

    Example 3

    Given 3.2.128.0 subnet mask 255.255.192.0

    255.255.255.255

    Given 203.2.4.128 subnet mask 255.255.255.240

    255.255.255.255

    - subnet mask 255.255.255.240

    Wildcard mask 0.0.0.15

    Answer:

    Access-list 1 permit 203.2.4.128 0.0.0.15

    3. How to Match a range

    (Works when the range is an entire subnet)

    157.89.31.255

    - 157.89.16.0

    Warning: Each non-zero value must be ONE LESS than a power of 2 (i.e. one of these: 0, 1, 3, 7, 15, 31, 63, 127, 255)

    157 89 16 32 157 89 31 63

    To Find Wildcard Mask, Take the HIGHER minus the Lower:

    4. Matching everyone is easy:

    Access-list 1 permit any

    or

    Access-list 1 permit 0.0.0.0 255.255.255.255
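
The subnet-mask subtraction, the "higher minus lower" range rule and the bit-level match can be checked in a few lines of Python. This is an added example, not part of the original Boson document; the function names are hypothetical, and the alignment check after the octet test is an added assumption that goes beyond the page's warning.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def wildcard_from_subnet_mask(mask):
    """Wildcard mask = 255.255.255.255 - subnet mask."""
    return to_dotted(0xFFFFFFFF - to_int(mask))

def wildcard_from_range(low, high):
    """HIGHER minus lower, rejecting ranges one ACL entry cannot express."""
    lo, hi = to_int(low), to_int(high)
    if hi < lo:
        raise ValueError("higher address is below lower address")
    wc = hi - lo
    # The page's warning: each octet must be one less than a power of 2.
    for octet in wc.to_bytes(4, "big"):
        if octet & (octet + 1):
            raise ValueError(f"octet {octet} is not one less than a power of 2")
    # Stricter check (added assumption): the 1 bits must be contiguous from the
    # right and the lower address must sit on the block boundary.
    if wc & (wc + 1) or lo & wc:
        raise ValueError("range is not one aligned block")
    return to_dotted(wc)

def acl_matches(entry_addr, wildcard, candidate):
    """Wildcard bit 0 = check this bit, 1 = ignore this bit."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(entry_addr) ^ to_int(candidate)) & care == 0

if __name__ == "__main__":
    for mask in ("255.255.255.224", "255.255.192.0", "255.255.255.240"):
        print(mask, "->", wildcard_from_subnet_mask(mask))
    print(wildcard_from_range("157.89.16.0", "157.89.31.255"))
    print(acl_matches("203.2.4.128", "0.0.0.15", "203.2.4.143"))
```

A wildcard such as 0.0.15.31 passes the per-octet test but does not describe a contiguous range, which is why the function rejects it.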

    Using and Configuring OSPF Multi-Area

    Components

    [Figure: Area 0 and ABR topology; interface labels E0 10.64.0.2, 10.64.0.1, E0 10.2.1.1]

    interface Ethernet0
     ip address 10.64.0.2 255.255.255.0
    !
    interface Serial0
     ip address 10.2.1.2 255.255.255.0
    !
    network 10.2.1.2 0.0.0.0
    network 10.64.0.2 0.0.0.0

    There are no special commands to make a router an ABR or ASBR. The router takes on this role by virtue of the areas to which it is connected. As a reminder, the basic OSPF configuration steps are as follows:

    Step 1 Enable OSPF on the router.

    Step 2 Identify which IP networks on the router are part of the OSPF network. For each network, you must identify what area the network belongs to. When configuring multiple OSPF areas, make sure to associate the correct network addresses with the desired area ID, as shown in the graphic.

    Step 3 (Optional) If the router has at least one interface connected into a non-OSPF network, perform the proper configuration steps. At this point, the router will be acting as an ASBR. How the router exchanges (redistributes) non-OSPF route information with the other OSPF routers is discussed in Chapter 9, "Optimizing Routing Update Operation."

    Note Refer to Chapter 4, "Configuring OSPF for a Single Area," for details about basic OSPF configuration commands.

    Controlling Inbound Access

    access-list 12 permit 192.168.1.0 0.0.0.255

    (implicit deny any)

    line vty 0 4
     access-class 12 in

    Permits only hosts in network 192.168.1.0 0.0.0.255 to connect to the router vty

    Example: vty Access

    In this example, you are permitting any device on network 192.168.1.0 0.0.0.255 to establish a virtual terminal (Telnet) session with the router. Of course, the user must know the appropriate passwords to enter user mode and privileged mode.

    Notice that identical restrictions have been set on every vty (0 to 4) because you cannot control

    on which vty a user will connect.

    The implicit deny any statement still applies to the ACL when it is used as an access-class

    entry.
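
Because a user can land on any vty, a configuration review should confirm that every vty line carries an inbound access-class. The following audit is an added example, not part of the original material; the sample configuration is constructed, and the function names and the default of five vty lines (0 to 4) are assumptions.

```python
import re

# Constructed sample: vty 4 was left without an access-class.
SAMPLE_CONFIG = """\
access-list 12 permit 192.168.1.0 0.0.0.255
!
line vty 0 3
 access-class 12 in
 login
line vty 4
 login
"""

def audit_vty(config, vty_count=5):
    """Return {vty_number: ACL name or None} for inbound access-class."""
    coverage = {n: None for n in range(vty_count)}
    current = []  # vty numbers covered by the stanza being read
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = list(range(first, last + 1))
            continue
        if raw and not raw[0].isspace():
            current = []  # any other top-level command ends the line stanza
            continue
        m = re.match(r"access-class (\S+) in\b", line)
        if m:
            for n in current:
                coverage[n] = m.group(1)
    return coverage

def unprotected_vtys(config, vty_count=5):
    """List the vty numbers that accept connections with no ACL applied."""
    cov = audit_vty(config, vty_count)
    return sorted(n for n, acl in cov.items() if acl is None)

if __name__ == "__main__":
    print("vty lines without access-class:", unprotected_vtys(SAMPLE_CONFIG))
```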

