11.1.4 The function of a wildcard mask

A wildcard mask is paired with an IP address. The binary ones and zeros in the mask identify how the corresponding IP address bits should be handled: a zero bit means the address bit must match, and a one bit means the address bit is ignored. Wildcard masks are used for different purposes and follow different rules than subnet masks. Wildcard masks are designed to filter individual or multiple IP addresses in order to permit or deny access to resources based on those addresses. Another difference is that the ones and zeros mean the opposite in a wildcard mask from what they mean in a subnet mask.

In the wildcard mask process, the wildcard mask is applied to the IP address in the access-list statement. This creates the match value, which is used to determine whether a packet should be processed by a specific ACL statement or passed to the next statement to be checked. Two special keywords are used in ACLs, the any and host options. The any option substitutes for an IP address of 0.0.0.0 with the 255.255.255.255 wildcard mask. This mask says to ignore the entire IP address, that is, to accept any address. The host option substitutes for the 0.0.0.0 wildcard mask. This mask states that all IP address bits must match, so only one host is matched.

The wildcard mask of a complete subnet mask can be found by subtracting the subnet mask from 255.255.255.255.

For example, if the subnet mask is 255.255.240.0, the following equation would be used:

      255.255.255.255
    - 255.255.240.0
    -----------------
        0.0.15.255

0.0.15.255 is the wildcard mask.
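The subtraction above and the match process described in the preceding paragraphs, worked through in Python as an added example (this is not code from the Cisco guide). It derives a wildcard mask from a subnet mask octet by octet, parses the three statement forms (address plus wildcard, any, host), and evaluates a packet's source address against the statements in order, with the first match deciding; the trailing implicit deny and the sample ACL statements are assumptions for the illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, octet by octet (the page's method)."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_statement(text: str):
    """Parse 'permit|deny <address> <wildcard>', 'permit|deny any' or
    'permit|deny host <address>' into (action, address_int, wildcard_int)."""
    parts = text.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in statement: {text!r}")
    if parts[1] == "any":
        # 'any' stands for address 0.0.0.0 with wildcard 255.255.255.255
        return action, 0, ALL_ONES
    if parts[1] == "host":
        # 'host' stands for wildcard 0.0.0.0: every address bit must match
        return action, to_int(parts[2]), 0
    return action, to_int(parts[1]), to_int(parts[2])


def matches(packet_ip: str, address: int, wildcard: int) -> bool:
    """A 0 bit in the wildcard means the packet bit must equal the statement's
    address bit; a 1 bit is 'do not care'."""
    care = ~wildcard & ALL_ONES
    return (to_int(packet_ip) & care) == (address & care)


def evaluate(acl: list, packet_ip: str) -> str:
    """Walk the statements in order; the first match decides. A packet that
    matches nothing is dropped by the implicit deny at the end of every IOS ACL
    (standard IOS behaviour, assumed here rather than taken from this page)."""
    for statement in acl:
        action, address, wildcard = parse_statement(statement)
        if matches(packet_ip, address, wildcard):
            return action
    return "deny"


# Constructed sample ACL: block one host, allow its /20, drop everything else.
SAMPLE_ACL = [
    "deny host 172.16.20.7",
    "permit 172.16.16.0 0.0.15.255",
]

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.255.240.0"))   # 0.0.15.255
    for src in ("172.16.20.7", "172.16.25.1", "172.16.40.3"):
        print(src, evaluate(SAMPLE_ACL, src))
```

The 0.0.15.255 wildcard leaves the top four bits of the third octet as "must match", so 172.16.16.0 through 172.16.31.255 hit the permit statement while 172.16.32.0 and above fall through to the implicit deny.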

Emphasize the importance of assigning IP addresses within the subnetwork. If addresses are logically assigned based on system use or location, then an ACL can be created to permit or deny these hosts with a single statement. These logical host IP address assignments should be based on the binary bit patterns of each address. If these bit patterns have groupings of common bits in their addresses, then an address and wildcard mask can refer to this group of hosts. If addresses are made at random, then the creation of ACLs to refer to particular groups becomes difficult or impossible without a statement for each host. The IP address assignments should be consistent across the internetwork. For example, when a common group of bits is used to identify the network devices, these same bits should be used to identify all network devices in the internetwork.
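The point about bit patterns, worked through in Python as an added example that is not part of the Cisco guide. Given a group of host addresses, it keeps only the bits all of them share as "must match" and turns every bit on which they differ into a wildcard one bit, then reports how many addresses the resulting pair actually covers. A logically assigned block collapses to one exact statement; randomly assigned hosts produce a pair that also admits many addresses outside the group, which is exactly the situation that forces one statement per host. The host addresses are constructed sample values.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def group_to_acl_pair(hosts: list):
    """Return (address, wildcard, covered, exact) for the smallest single
    address/wildcard pair that matches every host in the group.

    Bits where any two hosts differ become 1 in the wildcard (ignored); bits
    common to all hosts stay 0 (must match). 'covered' is the number of
    addresses the pair admits, 'exact' says whether that equals the group size."""
    ints = [to_int(h) for h in hosts]
    base = ints[0]
    wildcard = 0
    for h in ints[1:]:
        wildcard |= base ^ h            # mark every bit that varies
    address = base & ~wildcard & ALL_ONES   # zero the don't-care bits (IOS convention)
    covered = 1 << bin(wildcard).count("1")  # 2^(number of wildcard bits)
    exact = covered == len(set(ints))
    return to_dotted(address), to_dotted(wildcard), covered, exact


# Constructed examples: four hosts placed on a 4-address boundary versus
# four hosts picked at random within the same /24.
LOGICAL_GROUP = ["192.168.1.32", "192.168.1.33", "192.168.1.34", "192.168.1.35"]
RANDOM_GROUP = ["192.168.1.5", "192.168.1.77", "192.168.1.130", "192.168.1.201"]

if __name__ == "__main__":
    for name, group in (("logical", LOGICAL_GROUP), ("random", RANDOM_GROUP)):
        address, wildcard, covered, exact = group_to_acl_pair(group)
        print(f"{name}: {address} {wildcard} covers {covered} addresses, exact={exact}")
```

For the logically assigned group the output pair is 192.168.1.32 0.0.0.3, which covers precisely the four hosts. For the random group the only single pair that admits all four is 192.168.1.0 0.0.0.207, which also admits 60 other addresses, so a precise policy for that group needs a host statement for each member.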

11.1.5 Verifying ACLs

The show ip interface command displays IP interface information and indicates whether any ACLs are set. The show access-lists command displays the contents of all ACLs on the router. To see a specific list, add the ACL name or number as an option to this command. The show running-config command will also reveal the access lists on a router along with the interface assignment information. There are three common errors that students make when they create ACLs:

Use incorrect wildcard masks

Do not apply the ACL to an interface

Filter in the wrong direction on an interface

123 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11

Copyright 2004, Cisco Systems, Inc.
