Q & A
Wildcard Masks
by Scott Morris
Question:
October 29, 2002
Hello, Scott,
I have a question about originating a network in OSPF. I'm hung up
with the wildcard mask. For example:
Network 184.10.13.1 /30
Router ospf 7
Network 184.10.13.1 (wild card mask?) area 1
Can you help?
Thank you,
-- Joe T.
Answer:
Joe,
You have hit on a topic that eludes many people throughout
their networking career! (Kind of like the nuances of
subnetting.) But in reality, it's not difficult at all!
Remember that routers are just dumb binary devices. Life
revolves around zeroes and ones!
Wildcard masks are also referred to as "reverse" netmasks. And quite
simply that means wherever there's a 1 in a regular netmask, you'll
use a 0 in a wildcard mask (used for ACLs too).
So, if my netmask normally is 255.255.255.0, in binary that
is:
11111111 11111111 11111111 00000000
Swapping the bits that yields:
00000000 00000000 00000000 11111111
Or 0.0.0.255
Now, you can do this with ANY netmask you have. So in your
example, you gave a /30, which normally is 255.255.255.252 or
30 1-bits:
11111111 11111111 11111111 11111100
Swapping:
00000000 00000000 00000000 00000011
Or 0.0.0.3
Now, do you want the REALLY easy way? I thought you
would...
Take your normal netmask and subtract each octet from 255. Yup, it's
that simple, still dealing in "normal" numbers!
So:
  255 255 255 255
 -255 255 255   0
 ===============
    0   0   0 255
(my "reverse" netmask)
Or;
  255 255 255 255
 -255 255 255 252
 ===============
    0   0   0   3
See how simple that is? So, for OSPF networks, access-lists, or anything
that calls for a wildcard mask... Now you know the magic behind it!
It's something that scares many people, but not really for any good
reason. Broken down to simple binary, we can see the mathematical
relationship and understand how to use it.
Hope that helps!
--Scott
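As an added example (not part of Scott's column), here are the two methods above in Python: bit inversion and octet subtraction, checked against each other, plus the OSPF network statement for Joe's /30. The function names are my own.

```python
# Added example (not from Scott's column): derive a wildcard mask from a
# netmask or prefix length two ways, as the answer above describes.
import ipaddress


def netmask_from_prefix(prefix: int) -> str:
    """255.255.255.252 for /30: the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


def wildcard_by_inversion(netmask: str) -> str:
    """Flip every bit: where the netmask has a 1, the wildcard has a 0."""
    inverted = int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def wildcard_by_subtraction(netmask: str) -> str:
    """The 'really easy way': subtract each octet from 255."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))


def ospf_network_statement(address: str, prefix: int, area: int) -> str:
    """Build the IOS 'network <addr> <wildcard> area <n>' line for a subnet.
    The host bits of `address` are cleared, so 184.10.13.1/30 -> 184.10.13.0."""
    net = ipaddress.IPv4Network(f"{address}/{prefix}", strict=False)
    wildcard = wildcard_by_inversion(str(net.netmask))
    return f"network {net.network_address} {wildcard} area {area}"


if __name__ == "__main__":
    for prefix in (24, 30, 26, 16):
        mask = netmask_from_prefix(prefix)
        # both methods must agree for every contiguous netmask
        assert wildcard_by_inversion(mask) == wildcard_by_subtraction(mask)
        print(f"/{prefix}  netmask {mask}  wildcard {wildcard_by_inversion(mask)}")
    print(ospf_network_statement("184.10.13.1", 30, 1))
```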
Scott Morris, quadruple CCIE, JNCIE and all-around uber-geek, can often be seen
traveling around the world consulting and delivering CCIE training. He recently
accepted a new Senior CCIE Instructor position with Internetwork Expert! For more
information on him check out http://www.uber-geek.net
or for CCIE training check out http://www.internetworkexpert.com.
You can contact Scott about "Wildcard Masks" at editor@tcpmag.com.
Current TCPmag.com user comments for "Wildcard Masks"

12/23/02 - Catherine Fyffe from London says:
Hello Scott,
I need some help with wildcard masks for IP subnets when applying ACLs. I know that a class B address 172.16.16.0 has a wildcard mask of 0.0.15.255 for the subnet range from the 16 to the 31 subnet, that is with 8 bits for subnetting. Please could you tell me what the wildcard mask would be if I borrow bits also from the fourth octet in the same class B address?
I am studying for a CCNA at present and I would be grateful for your help.
Yours Sincerely
Catherine Fyffe

5/30/03 - andrea from italy says:
hi!
Sorry for my English.
I have understood your explanation, but I don't understand how to find the wildcard mask for an IP address range.
I have a wildcard calculator but I have seen that with some IP ranges it doesn't work!
How can I know where I can use some IP range?
How can I find the right wildcard mask for an IP address range?
Thanks for all.
bye

6/28/03 - odog from east coast says:
Perfect explanation.
I went from being more intimidated by wildcard masks than by standard subnetting. Subnetting turned out to be easy once I got the binary down. I had not heard wildcarding done this simply.
Before reading this I couldn't do wildcarding reliably. After, I have both a standard math and a binary math formula. In reality my standard binary is put to use, then I just reverse in binary or simply subtract from 255 :)
thanks google and big thanks to scott!
thanks!

1/30/04 - Nisha from London says:
Hello Scott, I'm a bit confused as to how to write wildcard masks. I know how to permit/deny any, but how do I write an ACL so only odd or even addresses are denied from telnetting to the router? The subnet address range is from 192.168.1.64 to 192.168.1.127. Please help. Yours Sincerely, Nisha

4/8/04 - KhoaTran says:
Hello Scott,
I have a question about the network in RIP; I was very confused with the wildcard mask.
I have a scope range: 172.25.163.1 to 172.25.163.254, subnet mask 255.255.255.0, and three exclude ranges as below:
first: 172.25.163.1 to 172.25.163.40
second: 172.25.163.41 to 172.25.163.47
third: 172.25.163.239 to 172.25.163.254
They all have the same subnet mask, 255.255.255.0.
Please help me establish 3 wildcard masks to apply to the three exclude ranges above so that all IP numbers within the three exclude ranges above can access the internet.
Thank you
Regards

6/16/04 - Nafaz from india says:
How does the wildcard mask work? Is there any way to study the wildcard mask?
I want to study wildcard masks, please help me.

7/27/04 - N3M3515 from Mpls MN says:
Nisha, when you work with the ACL wildcard mask to get the odd or even addresses denied to telnet you have to break it down to the binary level. In your case we are focusing on the 4th octet. So 192.168.1.01000000 to 01111111. One thing to keep in mind is all ones in the host area means a broadcast address, ie 127. Another thing to keep in mind is that wildcard masks are NOT like subnet masks; making comparisons will only confuse you. So with that said, you need to logically AND the wildcard mask and the IP address that you are specifying in your ACL statement. Your IP address and wildcard mask would be 192.168.1.64 0.0.0.00111110 because look at the zero in the 1's place: you are comparing that now to every address. So if you have an odd address, ex 65, which would be 01000001, the router will compare it to the ACL... which will be the IP address and the wildcard mask logically ANDed: 01111110. But keep in mind that the digits in the fields 128 and 64 and 1 have to match but all the rest don't have to match. So let's look at the two. 1st the host address of 65, and then the ACL IP ANDed with the wildcard mask. I split the addresses so it's clearer to see what the router is actually looking at; it's looking at the far left and far right to be matched and it doesn't care about the middle digits.
01 | 00000 | 1
01 | 11111 | 0
You can easily see now that the 1's place now has to be even for it to match and it will only match for even integers in the range of 64-127. So your ACL might look something like...
router(config)# access-list 101 permit tcp 192.168.1.64 0.0.0.62 any eq 23
router(config)# access-list 101 deny tcp any any eq 23
router(config)# access-list 101 permit ip any any
If you have any Questions and Comments please feel free to email me. N3M3515@gbronline.com I hope I helped.
N3M3515

8/5/04 - rommel from philippines says:
Hi Joe,
Currently, I'm studying configuring OSPF but I need some items to be enlightened about. I hope you can help me.
router ospf 1
network 192.168.1.128 0.0.0.63 area 0
network 192.168.15.0 0.0.0.3 area 0
router ospf 1
log adjacency-changes
what do these commands mean?
thanks a lot

8/12/04 - end-user from East Coast says:
Ok, is it me? I thought that this wildcard addressing seemed pretty simple - it's an XOR, right? I'm trying to block a range x.144.0.0 - x.168.255.255. I need to say x.144.0.0 0.56.255.255, right? I've noticed that when I add it to my list of blocks, the router instead lists it as x.128.0.0 0.56.255.255! I feel like I'm going nuts. TIA

11/3/04 - Ashura M from Dar-es-salaam says:
Hi dear, sorry, I'm a student of Cisco, so I'm on the Access Control Lists chapter and there is some calculating about Wildcard Masks; it's so confusing to me. Please help me with examples.
Thanks

1/26/05 - Anonymous says:
What was described above in October of 2002 is a great way to quickly calculate the IP addresses that can be grouped for a particular ACL; however, it can only be done this way if the wildcard mask bits are consecutive. Note that if you have, for instance, a wildcard mask of 0.0.0.22 then you would need to break it out into binary, as the bits are not consecutive, then calculate the IP groupings. A good rule of thumb here is that for every 1 bit used, n, 2^n will give you how many possible combinations you will achieve from that wildcard mask.
Ex. IP: 200.145.64.44, wildcard mask of 0.0.0.22 - 22 in binary is: 00010110
This equates to 3 bits used, or 2 to the 3rd, and that is 8 possible combinations.
After writing .44 out in binary, and placing the .22 of the wildcard mask in binary directly underneath, set all of the binary bits of the IP address (.44) that have a one under them from the wildcard mask to zero. If there is a 0, leave the current value. This will give you your starting point. Write that decimal equivalent down. From there you turn on and off your IP bits until you reach all possible combinations. This will give you your grouping for each bit value. The grouping for this range is: 40,42,44,46,48,56,60,62, and 8 possible combinations. This extra check allows you to know that you have solved for all the possible combinations.
Hope this helps, wish I would have seen this sooner.
Glenn

1/27/05 - Glenn says:
I did not add in how this should be configured into the router. The commands should be, for example:
router#configure terminal
router(config)#access-list 121 deny tcp 200.145.64.40 0.0.0.22 any eq 23
router(config)#interface fastethernet 0/0
router(config-if)#ip access-group 121 out
This will not allow users with the address range of: 40,42,44,46,56,60,62 from telnetting.
In the previous entry I listed .48 and this was a mistake. I turned on the 4th bit (8 value) by mistake. Which shows that when doing binary, please take your time.
Glenn

1/28/05 - Glenn says:
The correct range is: 40, 42, 44, 46, 56, 58, 60, & 62.
The correct syntax for the Cisco CLI did not appear the way it was entered.
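As an added example not written by any of the commenters, this Python code performs the bitwise check N3M3515 describes, lists every host a base/wildcard pair matches (including Glenn's non-contiguous 0.0.0.22), and shows why end-user's x.144.0.0 0.56.255.255 is listed back as x.128.0.0. The 10.x first octet standing in for "x" and the function names are constructed for the example.

```python
# Added example (not from any commenter): how an IOS ACL entry's address and
# wildcard are evaluated bit by bit, and which hosts a given pair matches.
import ipaddress
from itertools import product


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def acl_matches(address: str, base: str, wildcard: str) -> bool:
    """A packet matches when every bit that is 0 in the wildcard agrees with
    the base address; bits that are 1 in the wildcard are 'don't care'."""
    care = _to_int(wildcard) ^ 0xFFFFFFFF          # the reverse of the wildcard
    return (_to_int(address) & care) == (_to_int(base) & care)


def normalize_base(base: str, wildcard: str) -> str:
    """What the router stores: base bits under wildcard 1-bits are cleared.
    This is why x.144.0.0 0.56.255.255 is listed back as x.128.0.0."""
    care = _to_int(wildcard) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(_to_int(base) & care))


def matched_addresses(base: str, wildcard: str, limit: int = 1024) -> list:
    """Every address the pair matches: 2**n of them for n wildcard 1-bits,
    whether or not those bits are consecutive (e.g. 0.0.0.22 = 00010110)."""
    w = _to_int(wildcard)
    free_bits = [1 << i for i in range(32) if w & (1 << i)]
    if 2 ** len(free_bits) > limit:
        raise ValueError("too many combinations to list")
    start = _to_int(normalize_base(base, wildcard))
    out = []
    for choice in product((0, 1), repeat=len(free_bits)):
        value = start
        for on, bit in zip(choice, free_bits):
            if on:
                value |= bit                      # turn this 'don't care' bit on
        out.append(str(ipaddress.IPv4Address(value)))
    return sorted(out, key=_to_int)


def last_octets(base: str, wildcard: str) -> list:
    """Just the final octet of each match, e.g. 40, 42, 44, ... for Glenn's case."""
    return [int(a.rsplit(".", 1)[1]) for a in matched_addresses(base, wildcard)]


if __name__ == "__main__":
    print(last_octets("192.168.1.64", "0.0.0.62"))     # even hosts 64..126
    print(last_octets("200.145.64.40", "0.0.0.22"))    # 40,42,44,46,56,58,60,62
    print(normalize_base("10.144.0.0", "0.56.255.255"))  # 10.128.0.0 (10.x constructed)
    print(acl_matches("192.168.1.65", "192.168.1.64", "0.0.0.62"))  # False: odd host
```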

1/28/05 - Phi Hung from Viet Nam says:
Hi, my name is Hung, living in Viet Nam. I am studying the CCNA course, everything ok, but I do not know how to use the wildcard mask. I am still confused about the wildcard mask. Can you all show me more detail on the wildcard mask? Thank you very much. Sorry, my English is not very good.

2/3/05 - Anonymous says:
Hi, I was wondering what wildcard I would use to allow the following:
Range is 10.0.3.1-10.0.4.254 (512 IPs), subnet is 255.255.254.0.
If I were writing an ACL, how would I do the following:
acl101 permit tcp 10.0.3.0 0.0.1.255 host 10.1.0.0 eq www
I am looking for the wildcard characters that allow the 3.0 to 4.254 addresses to access this system.
Thanks. I believe this 0.0.1.255 is incorrect?

3/10/05 - ramachandran from cochin says:
I am doing CCNA. How do I connect two routers, each in a different location, through a leased line?

7/5/05 - surfer says:
Yes, this ACL is correct.

10/14/05 - kam from Canada says:
Dear Scott,
How do we get even numbers from 192.168.Z.0, where Z can be any number from 1 to 255?
Thanks for your help
Kam