ACLs on Cisco devices – Part two | Understanding Wildcard Masks

Home > Blogs > Cisco > ACLs on Cisco devices – Part two | Understanding Wildcard Masks

ACLs on Cisco devices – Part two | Understanding Wildcard Masks

Like This Blog 1 Mark Jacob
Added by May 16, 2014

This is part 2 of understanding ACLs on Cisco Devices. In part 1, ACLs on Cisco devices-introduction, I covered the NAT ACL sequence.

If you have read the initial blog in this ACL sequence, then you are no doubt primed to start seeing the ‘meat’ of the matter – that is, what to type.  As a reminder, the introductory blog indicated that the main function of an ACL is to identify traffic.  Once you have identified the interesting traffic, you decide what to do with it.  So let’s take a look at that piece….

One very common use of a standard ACL is to identify which traffic on an internal LAN is permitted to be NATed to the outside world.  Let’s look at a sample environment:

001-LAN-NAT-ACLs-on-Cisco-devices

  • In the figure above, the addresses that need to be permitted by a standard ACL are the 172.20.1.0 /24 addresses

To fully understand the syntax of ACLs, we must first review another topic – that of wildcard masks.  This is because a portion of the command consists of just such a mask.  Let’s cover that part first.  Many networking people refer to a wildcard mask as an inverse subnet mask.  While this may be an oversimplification, it does help figure out what wildcard mask to use.  Let’s look at one and analyze it.

A wildcard mask is composed of 32 bits, like an IPv4 address or subnet mask.  The bits are either 0s or 1s, with 0 meaning ‘look at this’ and 1 meaning ‘ignore this’ or ‘don’t care.’  My memory aid on this concept is to imagine the 0s as eyeballs, like this:

002-LAN-NAT-ACLs-on-Cisco-devices

I imagine a wildcard mask as sitting above a hallway watching what passes through.  Once again, the eyeballs (the 0s) mean ‘watch this bit,’ while 1s means ‘ignore this bit.’  Let’s see that with actual numbers.

Let’s say I have a network with this address:  192.168.10.0.  If I wanted a wildcard that would watch the third octet, the 10, that 3rd octet would look like this

003-LAN-NAT-ACLs-on-Cisco-devices

A wildcard mask of all 0s (in the above example, the given all 0s wildcard mask is in octet 3) means watch these bits – they aren’t allowed to change.  This means an IP network tried to go through our hallway with the address 192.168.10.0, (looking ONLY at octet 3) it would match.  The network address of 192.168.11.0 would not match, because the eyeballs (the 0s) are looking at EACH bit in octet 3.  Let see a wildcard mask with a bit more complexity.

004-LAN-NAT-ACLs-on-Cisco-devices

This wildcard mask is neither 0 nor 255.  So what now?  Well, the 0s still mean ‘look at’ and the 1s still mean ‘ignore.’  Interpretation?  The 0s are watching the first four bits of the address below.  Those numbers equal 144 in decimal.  The rest of the wildcard mask is composed of 1s.  That means ‘I don’t care.’

Watch what happens to the green numbers in Figure 2 as the red numbers aren’t allowed to change:

005-LAN-NAT-ACLs-on-Cisco-devices

The green numbers roll through all possible combinations that binary numbers will allow.  Let’s say the numbers we are examining here were in the third octet, for example, of some given network information.  In that case, note what this wildcard mask allows us to do.  Let’s pick an arbitrary network ID:  172.30.144.0 /24.  The wildcard mask shown above would allow me to match all the networks from 172.30.144.0 through 172.30.159.0, because those network IDs are matched by that mask.

Earlier I mentioned that some people refer to a wildcard mask as an inverse subnet mask.  Let’s see why that is the case.  Think about what subnet mask would be needed to match the above scenario where the network bits progress 4 bits into the third octet.  This would be a mask of 255.255.240.0.  A quick way to determine the matching wildcard mask is to subtract the subnet mask from all 255s, like so:

006-LAN-NAT-ACLs-on-Cisco-devices

This wildcard mask, 0.0.15.255, will match all the addresses (in the 3rd octet) shown in Figure 2 above. 

Now let’s turn our attention back to our original objective.  We wanted to create an access list that permits certain addresses to be NATed.  The pre-translation addresses are 172.16.1.0 /24.  Let’s create a standard list that permits those addresses:

(config) access-list 1 permit 172.20.1.0 0.0.0.255

This wildcard mask says look at the 172, the 20, and the 1.  The last octet, which has a wildcard mask of 255 (all 1s in binary) says I don’t care what is in the last octet of the IP address.  If you imagine this access list as a bouncer in the router, this scene might occur:  Along comes Host1 from Figure 1.  Let’s say its IP address is 172.20.1.1 /24.  The NAT bouncer will look at his list and say to Host1, “Does your IP address start with 172.20.1?”  Of course, Host1 will respond in the affirmative.  The bouncer (access list) will then allow the host to pass through the NAT process.

We have just created a simple standard numbered access list which, when associated with the ip nat command, will allow selected IP addresses to be NATed.

Just in case you want to see the entire NAT (PAT, in this case) configuration, here it is:

For more complete coverage of NAT, see my previous blog.

The next blog entry in this series will progress to extended access lists which have far more granularity of control than do standard access lists.  See you next time…

Mark Jacob
Cisco Instructor – Interface Technical Training
Phoenix, AZ

Videos You May Like

A Simple Introduction to Cisco CML2

0 3877 0

Mark Jacob, Cisco Instructor, presents an introduction to Cisco Modeling Labs 2.0 or CML2.0, an upgrade to Cisco’s VIRL Personal Edition. Mark demonstrates Terminal Emulator access to console, as well as console access from within the CML2.0 product. Hello, I’m Mark Jacob, a Cisco Instructor and Network Instructor at Interface Technical Training. I’ve been using … Continue reading A Simple Introduction to Cisco CML2

Creating Dynamic DNS in Network Environments

0 641 1

This content is from our CompTIA Network + Video Certification Training Course. Start training today! In this video, CompTIA Network + instructor Rick Trader teaches how to create Dynamic DNS zones in Network Environments. Video Transcription: Now that we’ve installed DNS, we’ve created our DNS zones, the next step is now, how do we produce those … Continue reading Creating Dynamic DNS in Network Environments

Cable Testers and How to Use them in Network Environments

0 724 1

This content is from our CompTIA Network + Video Certification Training Course. Start training today! In this video, CompTIA Network + instructor Rick Trader demonstrates how to use cable testers in network environments. Let’s look at some tools that we can use to test our different cables in our environment. Cable Testers Properly Wired Connectivity … Continue reading Cable Testers and How to Use them in Network Environments

Write a Comment

See what people are saying...

  1. Pingback: Understanding Access Control Lists (ACLs) on Cisco Devices - Intro

Share your thoughts...

Please fill out the comment form below to post a reply.