IMPORTANCE OF WILDCARD MASK IN ACCESS CONTROL LIST

In Access Control Lists (ACL), wildcard masks are used to identify (or filter) an individual host, a network, or a range of IP addresses in a network, in order to permit or deny access to the network.

When we use a wildcard mask, a 0 in a bit position means that the corresponding bit in the address of the Access Control List (ACL) statement must be equal to the bit in the same position of the IP address in the examined packet.

A “0” bit in the wildcard mask means that the corresponding bit in the IP address must match exactly, and a “1” bit means that the corresponding bit in the IP address is ignored. I will walk you through some examples of Access Control List (ACL) wildcard masks below.

How to identify a single host using Access Control List (ACL) Wildcard mask

In order to properly identify a single host using an Access Control List (ACL) wildcard mask, the IP address and wildcard mask should be as shown below.

172.16.0.12 0.0.0.0

The four zeros in the wildcard mask correspond to the four octets of the address. As discussed above, wherever a zero is present in the wildcard mask, the corresponding part of the IP address must match exactly.

The keyword “host” can also be used to accomplish the same result as shown below.

host 172.16.0.12

How to identify an entire network using Access Control List (ACL) Wildcard mask

To identify an entire network using an Access Control List (ACL) wildcard mask, use a wildcard mask value of 255 (all bits “1” in that octet) for every octet that belongs to the host portion of the address.

Here is an example that identifies all IP addresses in the 172.16.0.0/16 network.

172.16.0.0 0.0.255.255

The above statement requires the values of only the first two octets to match exactly, while the values of the last two octets can be anything.

This statement therefore matches all the IP addresses of the 172.16.0.0/16 network.

How to identify a range of IP addresses in a network using Access Control List (ACL) Wildcard mask

To specify a range of IP addresses in a network using an Access Control List (ACL) wildcard mask, set the “1” bits only in the positions that are “0” in the subnet mask (the host bits).

Example 1: The following example specifies all IP addresses of a class B network, 172.16.0.0, which is subnetted using a class C subnet mask (172.16.0.0/24).

The binary representation of the above network address, subnet mask and wildcard mask is shown below.

IP address    – 10101100.00010000.00000000.00000000

Subnet Mask   – 11111111.11111111.11111111.00000000

Wildcard Mask – 00000000.00000000.00000000.11111111

The decimal representation of the above IP Address and wildcard mask is given below.

172.16.0.0 0.0.0.255

The above statement requires the values of the first three octets to match exactly, while the value of the last octet can be anything. This statement matches all the IP addresses of the 172.16.0.0/24 network.

Example 2: The following example specifies all IP addresses of a class B network, 172.16.240.0/20 (subnet mask 255.255.240.0).

The binary representation of the above network address, subnet mask and wildcard mask is shown below. The “|” marks the boundary between the 20 network bits and the 12 host bits.

IP address    – 10101100.00010000.0000 | 0000.00000000

Subnet Mask   – 11111111.11111111.1111 | 0000.00000000

Wildcard Mask – 00000000.00000000.0000 | 1111.11111111

The decimal representation of the above IP address, subnet mask and wildcard mask is given below.

IP address – 172.16.240.0

Subnet Mask – 255.255.240.0

Wildcard Mask – 0.0.15.255

The above statement requires the first 20 bits to match exactly, while the last 12 bits can be anything. This statement matches all the IP addresses of the 172.16.240.0/20 network, shown below.

Network address – 172.16.240.0/20

First usable IP address – 172.16.240.1/20

Last usable IP Address – 172.16.255.254/20

Broadcast address – 172.16.255.255/20
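The matching rule described above (a “0” wildcard bit must match, a “1” bit is ignored) and the relationship between a subnet mask and its wildcard mask can both be checked in code. The following is an added example written for this article, not part of the original text: it derives the wildcard mask for a prefix length, tests whether a packet address is selected by an ACL entry, and also handles non-contiguous wildcard masks (e.g. 0.0.254.255), which the article's examples do not show.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: the bitwise inverse of the subnet mask.

    /24 -> 0.0.0.255, /20 -> 0.0.15.255, /16 -> 0.0.255.255, /32 -> 0.0.0.0
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def acl_matches(acl_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True if packet_addr is selected by the ACL entry 'acl_addr wildcard'.

    Bits that are 0 in the wildcard must be equal in both addresses; bits that
    are 1 are ignored. XOR exposes the differing bits, and masking them with
    the inverted wildcard keeps only the differences the entry cares about.
    """
    care_bits = to_int(wildcard) ^ ALL_ONES
    return (to_int(acl_addr) ^ to_int(packet_addr)) & care_bits == 0


def matching_count(wildcard: str) -> int:
    """How many addresses an entry with this wildcard can match: 2 ** (number of 1 bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    # Example 2 from the article: 172.16.240.0 0.0.15.255 covers 172.16.240.0/20
    print(wildcard_from_prefix(20))                                  # 0.0.15.255
    print(acl_matches("172.16.240.0", "0.0.15.255", "172.16.255.254"))  # True
    print(acl_matches("172.16.240.0", "0.0.15.255", "172.16.239.255"))  # False
    print(matching_count("0.0.15.255"))                              # 4096
    # Non-contiguous wildcard (constructed): third octet must be odd
    print(acl_matches("10.0.1.0", "0.0.254.255", "10.0.7.9"))        # True
    print(acl_matches("10.0.1.0", "0.0.254.255", "10.0.8.9"))        # False
```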
