Wildcard Masks in ACLs Explained

Both wildcard masks and subnet masks work with IP addresses. They look similar, but they are different and serve entirely different purposes. A subnet mask separates the network address from the host address in an IP address, while a wildcard mask defines the part of the IP address that you want to match for a specific reason or purpose. This tutorial explains the differences and similarities between wildcard masks and subnet masks.

Wildcard mask

Wildcard masks allow you to define a single IP address or a range of IP addresses in ACL statements. Without wildcard masks, you have to create an entry for each IP address. With wildcard masks, you can create a range of IP addresses that need the same actions.

[Image: wildcard example]

Let's take an example. A subnet includes 75 IP addresses. From these IP addresses, you want to block 50 IP addresses. Without wildcard masks, you have to create 50 entries to block these IP addresses. With wildcard masks, you can make a range that includes these IP addresses. Later, you can use this range to define criteria in the entry. This way, you can block or allow a range of IP addresses with a single entry.

Similarities and differences

Both the wildcard mask and the subnet mask have a length of 32 bits. A bit has two states: ON and OFF. In binary, the ON state is represented by 1, and the OFF state by 0.

In the subnet mask, an ON bit represents the network bit while an OFF bit represents the host bit.

[Image: subnet mask to wildcard mask]

In the wildcard mask, an OFF bit (0) represents a bit that you want to match, while an ON bit (1) represents a bit that you want to ignore.

[Image: wildcard to subnet mask]

Let's take an example. The following address represents a subnet.

              Decimal value   Binary value
IP address    10.0.0.0        00001010.00000000.00000000.00000000
Subnet mask   255.0.0.0       11111111.00000000.00000000.00000000

This subnet includes the IP addresses from 10.0.0.0 to 10.255.255.255.

Network address   First host address   Last host address   Broadcast address
10.0.0.0          10.0.0.1             10.255.255.254       10.255.255.255

Creating the wildcard mask for the subnet mask

Let's assume you want to create an ACL statement that matches this subnet. To create criteria for this subnet, you have to use a wildcard mask that matches all network bits but ignores all host bits of the address. As mentioned earlier, in a subnet mask, an ON bit represents a network bit and an OFF bit represents a host bit, while in a wildcard mask, an OFF bit represents a bit to match and an ON bit represents a bit to ignore.

Bit value   Subnet mask   Wildcard mask
0           Host bit      Match
1           Network bit   Ignore

To match all network bits in the wildcard mask, use the value zero in place of each network bit. To ignore all host bits, use the value one in place of each host bit.

                Decimal value   Binary value
IP address      10.0.0.0        00001010.00000000.00000000.00000000
Subnet mask     255.0.0.0       11111111.00000000.00000000.00000000
Wildcard mask   0.255.255.255   00000000.11111111.11111111.11111111

To create a wildcard mask for a subnet, invert every bit of the subnet mask. If the subnet mask contains the value 1, use the value 0 in the wildcard mask. If the subnet mask contains the value 0, use the value 1 in the wildcard mask.

The following table shows some subnet masks and their corresponding wildcard masks.

Subnet mask Wildcard mask
11111111.00000000.00000000.00000000 00000000.11111111.11111111.11111111
11111111.11111111.00000000.00000000 00000000.00000000.11111111.11111111
11111111.11111111.11111111.00000000 00000000.00000000.00000000.11111111

If you are using subnet masks in decimal and want to create wildcard masks, there is no need to convert them to binary. Creating wildcard masks in decimal is also easy. In decimal, to create a wildcard mask for a given subnet mask, subtract the value of each byte from 255.

Let's take an example.

Calculate the wildcard mask that matches the subnet mask 255.0.0.0.

    Subtract value     255.255.255.255
  - Subnet mask        255.0.0.0
  = Wildcard mask      0.255.255.255

The following image shows another example.

[Image: wildcard decimal convert]

The following table lists some more examples.

Subtract value Subnet mask Wildcard mask
255.255.255.255 255.240.0.0 0.15.255.255
255.255.255.255 255.255.16.0 0.0.239.255
255.255.255.255 255.255.255.128 0.0.0.127

Creating the subnet mask from the wildcard mask

ACL statements use wildcard masks to define criteria. To identify which statement filters which address or address range, you have to calculate the subnet mask from the wildcard mask used in the statement. By reversing the above process, you can easily calculate the subnet mask from the wildcard mask. For example, if you have 1 in the wildcard mask, use 0 in the subnet mask; if you have 0 in the wildcard mask, use 1 in the subnet mask.

[Image: subnet mask from wildcard mask]

The following table lists some more examples.

Wildcard mask Subnet mask
00000000.11111111.11111111.11111111 11111111.00000000.00000000.00000000
00000000.00000000.11111111.11111111 11111111.11111111.00000000.00000000
00000000.00000000.00000000.11111111 11111111.11111111.11111111.00000000

To calculate the subnet mask in decimal, subtract each byte of the wildcard mask from 255. For example, if you have 239 in a byte of the wildcard mask, use 255 - 239 = 16 in the corresponding byte of the subnet mask.

Converting wildcard to subnet mask

The following table lists some examples.

Subtract value Wildcard mask Subnet mask
255.255.255.255 0.15.255.255 255.240.0.0
255.255.255.255 0.0.239.255 255.255.16.0
255.255.255.255 0.0.0.127 255.255.255.128
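An added example (my code, not from the tutorial or the site) that carries the conversion in both directions and adds the check a practitioner wants: whether a wildcard mask is contiguous, i.e. whether it corresponds to a single subnet. Note that 255.255.16.0 from the table above is arithmetically fine but is not a contiguous subnet mask, so its wildcard 0.0.239.255 describes no single /n.

```python
# Added example, not code from the original tutorial: converting between subnet
# masks and wildcard masks, and checking whether a wildcard mask is contiguous.

def invert_mask(mask: str) -> str:
    """Subtract every octet from 255, i.e. flip all 32 bits.

    Subnet mask -> wildcard mask and wildcard mask -> subnet mask are the
    same operation, so one function covers both directions.
    """
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal mask: {mask!r}")
    return ".".join(str(255 - o) for o in octets)

def subnet_to_wildcard(subnet_mask: str) -> str:
    return invert_mask(subnet_mask)

def wildcard_to_subnet(wildcard_mask: str) -> str:
    return invert_mask(wildcard_mask)

def to_binary(mask: str) -> str:
    """Dotted-binary form as used in the tables above, e.g. 11111111.11110000...."""
    return ".".join(format(int(o), "08b") for o in mask.split("."))

def prefix_from_wildcard(wildcard_mask: str) -> int:
    """Prefix length (/n) of the subnet described by a wildcard mask.

    This only exists when the wildcard is a contiguous run of 1s on the right
    (its complement is a real subnet mask). Anything else, such as 0.0.239.255
    from the table above, is a legal ACL wildcard but describes no single /n,
    so a ValueError is raised rather than a misleading number.
    """
    subnet_mask = wildcard_to_subnet(wildcard_mask)
    bits = "".join(format(int(o), "08b") for o in subnet_mask.split("."))
    leading = bits.rstrip("0")          # drop the host-bit zeros on the right
    if "0" in leading:                  # a 0 left among the 1s: not contiguous
        raise ValueError(f"wildcard {wildcard_mask} is not contiguous")
    return len(leading)

if __name__ == "__main__":
    for sm in ("255.0.0.0", "255.240.0.0", "255.255.16.0", "255.255.255.128"):
        wm = subnet_to_wildcard(sm)
        print(f"{sm:>15} -> {wm:<15} {to_binary(wm)}")
```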

Special wildcard masks

There are two special wildcard masks: 0.0.0.0 and 255.255.255.255. A wildcard mask of 0.0.0.0 instructs the router to match all 32 bits of the address. This wildcard mask, called a host mask, matches a single host. For example, if you want to allow or deny a specific host on a segment, you can use this wildcard mask to match the IP address of that host. For example, use the following statement to block host 10.0.0.1.

deny 10.0.0.1 0.0.0.0

A wildcard mask of 255.255.255.255 instructs the router to ignore all 32 bits of the address, so it matches all packets. Because every bit is ignored, the IP address you enter with it does not matter: technically, you can use this wildcard mask with any IP address. However, administrators mainly use it with the IP address 0.0.0.0. They use the following IP address and wildcard mask to match all incoming or outgoing packets.

0.0.0.0 255.255.255.255
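The matching rule behind both special masks, and behind every other address/wildcard pair on this page, is one bitwise comparison. This added example (my code, not the tutorial's, with a constructed ACL) implements that rule, derives the address range an entry covers, and walks an ACL top-down the way a router does; it also goes beyond the page by including a non-contiguous wildcard, which is legal in an ACL but does not correspond to any subnet mask.

```python
# Added example, not code from the original tutorial: how an ACL entry's
# address/wildcard pair is applied to a packet's address, covering the two
# special masks and a non-contiguous wildcard the tutorial does not discuss.
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def acl_matches(entry_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True if packet_addr matches the entry's address under its wildcard mask.

    Every bit where the wildcard is 0 must be identical in entry_addr and
    packet_addr; bits where the wildcard is 1 are ignored. As 32-bit math:
    (entry ^ packet) & ~wildcard == 0.
    """
    care_bits = ~_to_int(wildcard) & ALL_ONES
    return ((_to_int(entry_addr) ^ _to_int(packet_addr)) & care_bits) == 0

def acl_range(entry_addr: str, wildcard: str) -> tuple:
    """Lowest and highest address the entry can match.

    Exact for a contiguous wildcard (one derived from a subnet mask); for a
    non-contiguous wildcard the real match set is only a subset of this range.
    """
    addr, wc = _to_int(entry_addr), _to_int(wildcard)
    low, high = addr & ~wc & ALL_ONES, addr | wc
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

def first_match_action(acl, packet_addr: str) -> str:
    """Evaluate entries top-down like a router: the first match decides.

    Returns 'deny' when no entry matches (the implicit deny at the end of an ACL).
    """
    for action, entry_addr, wildcard in acl:
        if acl_matches(entry_addr, wildcard, packet_addr):
            return action
    return "deny"

# Constructed ACL for illustration (not from the tutorial). Order matters:
# the second entry would deny 10.0.0.1 if it were evaluated first.
SAMPLE_ACL = [
    ("permit", "10.0.0.1", "0.0.0.0"),         # host mask: only 10.0.0.1
    ("deny", "10.0.0.0", "0.0.254.255"),       # non-contiguous: 10.0.<even>.x
    ("permit", "10.0.0.0", "0.255.255.255"),   # everything else in 10.0.0.0/8
]
```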

Conclusion

Wildcard masks and subnet masks share a similar structure. However, they serve distinct functions within networking. A subnet mask separates the network portion of an IP address from the host portion. Conversely, a wildcard mask specifies which bits of an IP address should be matched or ignored, particularly in Access Control Lists (ACLs) used to define traffic rules. Understanding the relationship between these two types of masks is crucial for network configuration and management. By using wildcard masks, you can create ACL entries that apply to ranges of IP addresses without requiring multiple entries, enhancing efficiency and clarity in network security and management tasks.
