Access List Wildcard Masks

In the standard IP access list that we looked at in the previous example, you learned how to define a rule that would permit or deny access to a single host. In reality, you will probably wish to permit or deny access to a range of hosts rather than just one. Perhaps you’ll want to control access for all of the hosts on a subnet, or maybe just a subset of hosts. Either way, the ability to control access for a group of hosts is accomplished using what is known as a wildcard mask.

A wildcard mask is different from a subnet mask. Defining a wildcard mask is really no more difficult, but the approach is somewhat different. The purpose of the wildcard mask is to specify which group of addresses an access list entry should apply to. For example, imagine that we wanted to create a standard IP access list that would deny inbound access on interface E0 to all hosts on network 192.168.20.0/24. The access list entry would be:
RouterA(config)#access-list 40 deny 192.168.20.0 0.0.0.255

I know that the wildcard mask looks a little confusing. In this case, the wildcard mask is 0.0.0.255. The binary 0s in the mask tell the router that the associated bits in the source address must match exactly. Since the first 3 octets in the wildcard mask are set to binary 0, the router knows that the first three octets must match 192.168.20. The binary 1s in the mask tell the router to match any possible value. Since the last octet in the wildcard mask is all binary 1s, the router knows that any value in the last octet is a match. So, any source address beginning with 192.168.20 would match the access list, and in this case, be denied.

In the same way, consider the example below. It tells the router to permit traffic from hosts with any address that starts with 10.10. Since the last two octets are masked, any source address starting with 10.10 will be a match. In this case, all hosts from 10.10.0.1 to 10.10.255.254 would be permitted access.

RouterA(config)#access-list 40 permit 10.10.0.0 0.0.255.255

Recall that a single host can be specified in an access list using either the host command, or a wildcard mask of all 0s. The wildcard mask of all 0s means “match all octets exactly”. In the example below, only host 192.168.1.100 would be denied access.

RouterA(config)#access-list 40 deny 192.168.1.100 0.0.0.0

Things get a bit trickier when you want to block only a certain range of hosts, but not necessarily an entire network or subnet. Before looking at the masking, there is an important rule to remember. When you wish to block only a certain group of hosts, both the size of the group and the value it starts at must be powers of 2. For example, you can block 2, 4, 8, 16, 32, 64, or 128 hosts, but not, for example, 26. If you think back, this is similar to the rules associated with subnetting.

Defining a custom wildcard mask is different from subnetting, in that the binary 1s move in the opposite direction. Remember that the 1s in a wildcard mask mark the bits in the source address that the router should ignore, while the 0s mark the bits that must match. For example, imagine if we wanted to deny access to a group of 4 addresses starting with 192.168.1.4. In effect, that means that we want to deny access for addresses between 192.168.1.4 and 192.168.1.7, or 4 addresses total. In this case, the wildcard mask would be 0.0.0.3. At this point, I agree that number looks confusing. A quick look at things in binary will help to make things clearer.

Remember that we want to start at 192.168.1.4 and include 4 addresses. The wildcard mask specifies the bits that the router should consider when attempting to determine which hosts to permit or deny. In this case, the mask is 0.0.0.3, which is the equivalent to the following in binary:

00000000 00000000 00000000 00000011

Notice that only the last two bits are set to 1. What this means is “start at 192.168.1.4, and include any values for those last two bits”. The figure below outlines what all of the possible values would be for those last two bits.

Figure: Matching address values for when a source address of 192.168.1.4 is specified with a wildcard mask of 0.0.0.3

The only possible addresses that apply are 192.168.1.4, 192.168.1.5, 192.168.1.6, and 192.168.1.7. In other words, our wildcard mask tells the router that starting with address 192.168.1.4, allow the last two address bits to be set to any value, and use this as the range to permit or deny traffic.

If you’re looking for an easier way to remember wildcard mask values, you’re in luck. Recall what I said earlier. When grouping ranges of addresses, the group size must be a valid power of 2. The associated wildcard mask number will always be one less than the size of the group. So, if you want to group 128 addresses together, the associated wildcard mask value would be 127. To group 64 addresses, the wildcard mask value would be 63, and so forth. These values are outlined in the table below:

Address Grouping    128    64    32    16     8     4     2     1
Wildcard Mask       127    63    31    15     7     3     1     0

Let’s take a closer look at the table. Notice that for a single address, the wildcard mask value is 0. This is consistent with our example of creating a wildcard mask for a single host of 0.0.0.0.

Let’s say that we want to group together 8 addresses starting at 192.168.20.17. Unfortunately we can’t. Why? Because you cannot start with the number 17 – the range must begin at a power of 2. So, let’s start at 192.168.20.16 instead, and widen the group to 16 addresses. If we want to deny access to a group of 16 addresses, then the wildcard mask value will be one less – 15. In this case, the mask would be 0.0.0.15. This would deny access to all hosts between 192.168.20.16 and 192.168.20.31. If we wanted to add this entry to a standard IP access list, the command would be:

RouterA(config)#access-list 40 deny 192.168.20.16 0.0.0.15

The table above can also be used to block bigger ranges. For example, imagine if we wanted to permit access for 32 subnets, those from 192.168.32.0 up to 192.168.63.0. In this case, the wildcard mask must begin in the third octet. Because of this, the wildcard mask becomes 0.0.31.255. Notice that the third octet value is one less than the grouping, and that the last octet is 255. This tells the router that this access list entry applies to hosts with any value between 32 and 63 in the third octet, and any value in the fourth octet. The access list entry would be:

RouterA(config)#access-list 40 permit 192.168.32.0 0.0.31.255
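The following Python helpers are an added example, not part of the original article or of Cisco IOS, that work through the matching rule and the wildcard arithmetic described above: a 0 bit in the mask must match the source address exactly, a 1 bit is ignored, and a group of 2^n addresses gets a mask value of 2^n - 1. The group check is written as “the starting address must be a multiple of the group size”, which is what the power-of-2 starting rule amounts to and also accepts aligned starts such as 192.168.20.48 for a group of 16; the entry names and the small ACL 40 used in the demo are constructed for illustration.

```python
import ipaddress

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def acl_matches(entry_addr: str, wildcard: str, source: str) -> bool:
    """True if `source` matches the entry. A 0 bit in the wildcard means the
    source bit must equal the entry bit; a 1 bit means the router ignores it."""
    care = ~to_int(wildcard) & 0xFFFFFFFF          # 1 = bit the router compares
    return (to_int(entry_addr) & care) == (to_int(source) & care)

def wildcard_for_group(start: str, size: int) -> str:
    """Wildcard mask covering `size` consecutive addresses beginning at `start`.
    The group must be a power of 2 and `start` a multiple of that size
    (192.168.20.17 with 8 addresses is rejected, 192.168.20.16 accepted)."""
    if size < 1 or size & (size - 1):
        raise ValueError(f"group size {size} is not a power of 2")
    first = to_int(start)
    if first % size:
        aligned = to_dotted(first - first % size)
        raise ValueError(f"{start} is not a multiple of {size}; start at {aligned}")
    return to_dotted(size - 1)                     # mask value is one less than the group

def acl_range(entry_addr: str, wildcard: str) -> tuple[str, str]:
    """First and last address an address/wildcard pair covers."""
    mask = to_int(wildcard)
    base = to_int(entry_addr) & ~mask & 0xFFFFFFFF
    return to_dotted(base), to_dotted(base | mask)

def evaluate_acl(entries, source: str) -> str:
    """Walk a standard ACL top-down: the first matching entry wins, and a source
    that matches nothing hits the implicit deny at the end of every list."""
    for action, entry_addr, wildcard in entries:
        if acl_matches(entry_addr, wildcard, source):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed demo list modelled on the entries discussed in the text.
    acl_40 = [("deny", "192.168.20.16", "0.0.0.15"),      # hosts .16 to .31
              ("permit", "192.168.32.0", "0.0.31.255")]   # 192.168.32.0 to .63.255
    print(acl_range("192.168.1.4", "0.0.0.3"))           # ('192.168.1.4', '192.168.1.7')
    print(wildcard_for_group("192.168.32.0", 32 * 256))  # 0.0.31.255
    for src in ("192.168.20.20", "192.168.40.1", "10.10.1.1"):
        print(src, evaluate_acl(acl_40, src))
```

The `acl_range` helper is a quick way to confirm that an entry covers exactly the hosts you intended before it goes on a router.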

As you’ll see shortly, wildcard masks can be used in both standard and extended IP access lists.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.