Like This Blog 0

Added by Mark Jacob July 29, 2021

How often have you been creating an ACL and you needed to match not ONE subnet, but a whole range of subnets? The same logic holds for creating a “network” statement in an IGP such as EIGRP or OSPF. You want a single statement to match all your desired subnets, but you don’t want your router’s mouth writing checks its body can’t cash (great “Top Gun” line), which means you want your statement to most closely match what is really there. While experimenting, I made myself an Excel spreadsheet into which can be entered the low subnet and the high subnet, and it outputs the closest match, using a single statement. Best practice says that if a single statement encompasses more than is desired, use two (or even more) statements to more closely match your actual subnets. This spreadsheet only matches using a single statement, but it was an interesting experiment so I thought I would share the fruits of this labor.

Let’s look at a simple example first. Let’s say a router, we’ll call it RouterA, wanted to announce the following subnets to another router, RouterB: 10.0.0.0/24, 10.1.0.0/24, 10.2.0.0/24, and 10.3.0.0/24. A lazy way to accomplish this would be for the RouterA to announce, “All my networks have a 10 in the first octet.” Such a network statement would look like this:
network 10.0.0.0 0.255.255.255

It turns out this is not a lie – it is, in fact, true that RouterA’s subnets all have a 10 in the first octet. The issue that would arise is there could easily be another router, RouterC, that announces that it has this network: 10.100.0.0/24. This would “step on” the information announced by RouterA. How can RouterA make a routing announcement that more closely matches its actual subnets?

In my CCNA classes I have a morning review question that asks a similar question. Here it is:

What is the most efficient wildcard mask configuration that would match all the subnets from 10.1.60.0 to 10.1.127.0? (I also add the stipulation that the answer must be ONE statement.)

If you want to try this one for yourself, pause your eyeballs (I can’t say “Pause the video”) and give it a shot. When you are ready, resume reading. For more information on Wildcard Masks, I have created a couple of other resources.

Check out:

Fun Tricks with Network Wildcard Masks and ACL’s

and

ACLs on Cisco devices – Part two | Understanding Wildcard Masks

I provide the answer to this question in my classes, so if you ever take my CCNA class, promise me you will feign ignorance! The key is that with the Wildcard Mask, you “look at” bits that don’t move with a “0,” and “ignore” bits that move with a “1.” Figure 1 shows the information on my answer slide:

Notice that reference IP information goes all the way back to 10.1.0.0, even though the lowest subnet actually possessed is 10.1.60.0. You can check this yourself: Grab an IOS device and type: access-list 1 permit 10.1.60.0 0.0.127.255
Then show your running-config and see what appears for access-list 1. The IOS device will change what you typed to 10.1.0.0 0.0.127.255.

I did this on a 2960 switch. Here it is:

Switch(config)#access-list 1 permit 10.1.60.0 0.0.127.255
Switch(config)#do sh access-list 1
Standard IP access list 1
10 permit 10.1.0.0, wildcard bits 0.0.127.255
Switch(config)#

Why does it change? Notice the Wildcard Mask in the third octet and the reference IP address under it. Remember that when I type a “1” I am telling the IOS to “ignore” that bit. So even if I type a “60” in the third octet, I told the IOS that I was only watching the first bit (most significant bit at the far left) and ignoring the rest.

So the IOS attitude is, “If you don’t care about those other bits, then neither do I, so it sets them all to 0, meaning your octet that said

0 0 1 1 1 1 0 0  is changed to 0 0 0 0 0 0 0 0 and your running-config shows 10.1.0.0 instead of 10.1.60.0.

I also show how to create a more specific match by using more than one statement, shown in Figure 2:

As you can see, if the group of subnets is separated at a binary block (64 is a power of 2, thus a “binary block”) the two resulting Wildcard Masks very precisely match the subnets in question.

The spreadsheet I created on does the “one statement” option, but it’s nice to check your work if you are practicing creating Wildcard Masks in preparation for a certification exam, or if you are creating them in production. Figure 3 shows a screenshot from the spreadsheet solving the above scenario (I broke it into 2 screenshots so they would be large enough to see):

Just type the low subnet info in the upper section and the highest subnet to match in the lower section. Only type in the yellow-ish colored boxes. It does the rest. Feel free to explore and hit me with any suggestions.

Click here to download the spreadsheet

Until next time….

Mark Jacob