09-08-2013 04:52 AM - edited 03-07-2019 03:20 PM
Hi!
I want to know about wildcard masks:
1) What are they and why do we use them?
2) What is the difference between the wildcard mask we use in OSPF and the one we use in an ACL?
I mean, in OSPF we say network 1.1.1.1 0.1.0.1 and in an ACL we say access-control 5 1.1.1.1 0.1.0.1 area 1.
My question is: the same command is invalid in the case of OSPF but valid in an ACL. What is the reason behind that?
09-08-2013 01:29 PM
Hi,
The use of wildcard masks in the network command is controversial and in my opinion, Cisco should not have done that in the first place. It unnecessarily confuses people because they think they can use any wildcard mask in the network command, while in reality the mask must either be a subnet mask (the command will accept it), or it must be a wildcard mask that corresponds to a valid subnet mask. It is not possible to use wildcard masks in the network command that do not directly correspond to a valid subnet mask.
In ACLs, that's a different story. In an ACL, you compare the source/destination IP address of packets to the addresses in the ACL entry. You need to have a means of saying which bits you want to compare between the packet addresses and the ACL entry addresses, and which bits you want to ignore. This is accomplished by the use of wildcard masks - in an ACL entry, a wildcard mask tells the router which bits of the packet's addresses shall be compared, and the addresses in the ACL entry tell the router what value the compared bits should be set to. Note that this has no direct relation to subnet masks at all. I may want, for whatever purposes, to compare only the 1st, 8th-15th and 23rd bit. This does not create any sensible subnet, though the need to compare just these bits may be perfectly valid. That is why subnet masks and wildcard masks are two different things - because they have different purposes.
Best regards,
Peter
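To make the two rules above concrete, here is an added worked example (not from the thread or from Cisco): an ACL-style bitwise match, a check for whether a wildcard corresponds to a valid subnet mask (the condition Peter describes for the OSPF network command), and the wildcard for his "1st, 8th-15th and 23rd bit" case. The model of what the network command accepts is an assumption based on this post, not on IOS source.

```python
import ipaddress

def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def acl_matches(entry_addr: str, wildcard: str, packet_addr: str) -> bool:
    """ACL semantics: a 0 bit in the wildcard means 'compare', a 1 bit means 'ignore'."""
    care = (~ip_to_int(wildcard)) & 0xFFFFFFFF          # bits we actually compare
    return (ip_to_int(entry_addr) & care) == (ip_to_int(packet_addr) & care)

def is_contiguous_wildcard(wildcard: str) -> bool:
    """True if the wildcard is the inverse of a valid subnet mask (all 0s then all 1s).
    For such a value w, w + 1 is a power of two, so w & (w + 1) == 0."""
    w = ip_to_int(wildcard)
    return (w & (w + 1)) == 0

def is_subnet_mask(mask: str) -> bool:
    """A valid subnet mask is all 1s then all 0s, i.e. its inverse is a contiguous wildcard."""
    return is_contiguous_wildcard(int_to_ip(~ip_to_int(mask)))

def ospf_network_accepts(mask: str) -> bool:
    """Assumed model of the network command from the post: a subnet mask, or a wildcard that
    corresponds to a valid subnet mask, is accepted; anything else is rejected."""
    return is_subnet_mask(mask) or is_contiguous_wildcard(mask)

def wildcard_for_compared_bits(positions) -> str:
    """Build the wildcard that compares only the given bit positions (1 = most significant)."""
    care = 0
    for p in positions:
        care |= 1 << (32 - p)
    return int_to_ip(~care)

if __name__ == "__main__":
    # 0.1.0.1 is a perfectly usable ACL wildcard: it ignores bit 16 and bit 32.
    print(acl_matches("1.1.1.1", "0.1.0.1", "1.0.1.0"))      # True
    print(acl_matches("1.1.1.1", "0.1.0.1", "1.1.2.1"))      # False
    # ...but it does not correspond to any subnet mask, so the network command rejects it.
    print(ospf_network_accepts("0.1.0.1"), ospf_network_accepts("0.0.0.255"))  # False True
    print(wildcard_for_compared_bits([1, *range(8, 16), 23]))  # 126.1.253.255
```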
09-08-2013 06:48 AM
0.1.0.1 is a wrong wildcard mask.
Read about subnet masks.
09-08-2013 07:15 AM
Then why is it acceptable in access-control??
access-control 1 permit 1.1.1.1 1.0.1.0
This command is valid in the router, why?? Here 1.0.1.0 is the wildcard mask.
09-08-2013 02:58 PM
Wildcard masks are often used in routers and switches.
Two rules of a WC mask:
0 bit means match
1 bit means ignore
Sent from Cisco Technical Support Android App