123 - 238 CCNA 2: Routers and Routing Basics v3.1 Instructor Guide – Module 11 Copyright © 2004, Cisco Systems, Inc.
11.1.4 The function of a wildcard mask
A wildcard mask is paired with an IP address. The binary ones and zeros in the mask identify
how the corresponding bits of the IP address should be handled. Wildcard masks serve different
purposes and follow different rules than subnet masks. They are designed to filter individual or
multiple IP addresses in order to permit or deny access to resources based on those addresses.
Note also that ones and zeros mean different things in a wildcard mask than they do in a subnet
mask.
In the wildcard mask process, the wildcard mask is applied to the IP address in the access-list
statement. This creates the match value, which is used to determine whether a packet should be
processed by a specific ACL statement or passed on to the next statement to be checked. Two
special keywords are used in ACLs: the any and host options. The any option substitutes for
the IP address and the 255.255.255.255 mask. This mask says to ignore the entire IP address,
that is, to accept any address. The host option substitutes for the 0.0.0.0 mask. This mask
states that all IP address bits must match, so only one host is matched.
The wildcard mask of a complete subnet mask can be found by subtracting the subnet mask
from 255.255.255.255.
For example, if the subnet mask is 255.255.240.0, the following subtraction would be used:

    255.255.255.255
  - 255.255.240.  0
  -----------------
      0.  0. 15.255

0.0.15.255 is the wildcard mask.
Emphasize the importance of assigning IP addresses logically within the subnetwork. If
addresses are assigned based on system use or location, then an ACL can be created to permit
or deny these hosts with a single statement. These logical host IP address assignments should
be based on the binary bit patterns of each address. If these bit patterns share a group of
common bits, then one address and wildcard mask pair can refer to the whole group of hosts. If
addresses are assigned at random, then creating ACLs that refer to particular groups becomes
difficult or impossible without a separate statement for each host. The IP address assignments
should be consistent across the internetwork. For example, when a common group of bits is
used to identify the network devices, those same bits should be used to identify all network
devices in the internetwork.
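The match-value process, the any and host shortcuts, the subtraction that derives a wildcard mask from a subnet mask, and the point that a well-chosen address plan lets one statement cover a whole group of hosts can all be worked through in a few lines. The following Python is an added example written for this guide; it is not Cisco code and it does not run on a router. It models standard (source-address-only) ACL statements, and the sample ACL, host addresses and the first-match-then-implicit-deny evaluation are constructed here to illustrate the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL = 0xFFFFFFFF  # 255.255.255.255 as an integer


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, exactly as the guide describes."""
    return to_dotted(FULL - to_int(subnet_mask))


def match_value(address: str, wildcard: str) -> int:
    """Apply the wildcard mask: keep the bits marked 0 (must match), clear the bits marked 1 (ignored)."""
    return to_int(address) & (FULL ^ to_int(wildcard))


def matches(packet_ip: str, address: str, wildcard: str) -> bool:
    """A packet matches a statement when its masked bits equal the statement's match value."""
    return match_value(packet_ip, wildcard) == match_value(address, wildcard)


def covered_range(address: str, wildcard: str) -> Optional[Tuple[str, str]]:
    """First and last host a statement covers when the wildcard's one-bits are contiguous low bits;
    None for a non-contiguous wildcard, which is legal but rarely what the author intended."""
    w = to_int(wildcard)
    if (w + 1) & w:  # not of the form 000...0111...1
        return None
    base = match_value(address, wildcard)
    return to_dotted(base), to_dotted(base | w)


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    address: str
    wildcard: str


def parse_entry(line: str) -> AclEntry:
    """Parse a standard ACL statement: 'permit A.B.C.D W.X.Y.Z', 'permit host A.B.C.D', 'deny any'.
    'any' expands to 0.0.0.0 255.255.255.255, 'host' to a 0.0.0.0 wildcard; an omitted wildcard
    defaults to 0.0.0.0, as IOS does for standard lists."""
    parts = line.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    if parts[1] == "any":
        return AclEntry(action, "0.0.0.0", "255.255.255.255")
    if parts[1] == "host":
        return AclEntry(action, parts[2], "0.0.0.0")
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"
    return AclEntry(action, parts[1], wildcard)


def evaluate(acl: List[AclEntry], packet_ip: str) -> Tuple[str, Optional[int]]:
    """Statements are checked top-down; the first match decides. If nothing matches,
    the implicit 'deny any' at the end of every IOS ACL applies (reported as index None)."""
    for index, entry in enumerate(acl):
        if matches(packet_ip, entry.address, entry.wildcard):
            return entry.action, index
    return "deny", None


# Constructed sample list. The first statement shows the guide's point about address planning:
# hosts 192.168.10.32 through .47 share their upper 28 bits, so one statement covers all sixteen.
SAMPLE_ACL = [
    "permit 192.168.10.32 0.0.0.15",
    "deny host 192.168.10.50",
    "permit 192.168.10.0 0.0.0.255",
]


def run_sample() -> dict:
    acl = [parse_entry(line) for line in SAMPLE_ACL]
    return {ip: evaluate(acl, ip) for ip in ("192.168.10.40", "192.168.10.50", "192.168.10.60", "192.168.11.1")}


if __name__ == "__main__":
    print("wildcard for 255.255.240.0 :", wildcard_from_subnet_mask("255.255.240.0"))
    print("hosts covered by statement 1:", covered_range("192.168.10.32", "0.0.0.15"))
    for ip, (action, index) in run_sample().items():
        where = "implicit deny" if index is None else f"statement {index + 1}"
        print(f"{ip:15} -> {action} ({where})")
```

The covered_range check is worth keeping at hand when reviewing an ACL: a wildcard whose one-bits are not contiguous still evaluates, but the set of hosts it matches is scattered across the subnet and is easy to misjudge, which is how the "incorrect wildcard mask" error in 11.1.5 usually looks in practice.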
11.1.5 Verifying ACLs
The show ip interface command displays IP interface information and indicates whether any
ACLs are set. The show access-lists command displays the contents of all ACLs on the
router; to see a specific list, add the ACL name or number as an option to this command. The
show running-config command will also reveal the access lists on a router and the
interface assignment information. There are three common errors that students make when
they create ACLs:

- Using an incorrect wildcard mask
- Not applying the ACL to an interface
- Filtering in the wrong direction on an interface