
Wildcard Mask

Sulaiman Ejaz
Level 1

Hi!

I want to know about the wildcard mask:

1) What is it and why do we use it?

2) The wildcard mask that we use in OSPF and in an ACL, what is the difference between the two of them?

I mean in OSPF we say network 1.1.1.1 0.1.0.1 and in an ACL we say access-control 5 1.1.1.1 0.1.0.1 area 1.

My question is: the same command is invalid in the case of OSPF but valid in an ACL; what is the reason behind that?

Accepted Solution

Hi,

The use of wildcard masks in the network command is controversial and in my opinion, Cisco should not have done that in the first place. It unnecessarily confuses people because they think they can use any wildcard mask in the network command while in reality, the mask must either be a subnet mask (the command will accept it), or it must be a wildcard mask that corresponds to a valid subnet mask. It is not possible to use wildcard masks in the network command that do not directly correspond to a valid subnet mask.

In ACLs, that's a different story. In an ACL, you compare the source/destination IP address of packets to the addresses in the ACL entry. You need to have a means of saying which bits you want to compare between the packet addresses and the ACL entry addresses, and which bits you want to ignore. This is accomplished by the use of wildcard masks - in an ACL entry, a wildcard mask tells the router which bits of the packet's addresses shall be compared, and the addresses in the ACL entry tell the router what value the compared bits should be set to. Note that this has no direct relation to subnet masks at all. I may want, for whatever purposes, to compare only the 1st, 8th-15th and 23rd bit. This does not create any sensible subnet, though the need to compare just these bits may be perfectly valid. That is why subnet masks and wildcard masks are two different things - because they have different purposes.

Best regards,

Peter
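The two behaviours Peter describes above, the bit-by-bit compare of an ACL entry and the stricter requirement of the OSPF network statement, can be checked directly with a little arithmetic. The following Python is an added example written for this thread, not Cisco IOS code or anything from the original posts: it uses the thread's own values (1.1.1.1 with wildcard 1.0.1.0 and 0.1.0.1) as constructed sample input, and the function names are mine. It applies the ACL rule (0 bit = compare, 1 bit = ignore), tests whether a wildcard mask is the inverse of a contiguous subnet mask as the network statement requires, and, because it matters when reviewing ACLs, reports which bit positions a wildcard ignores and how many distinct addresses an entry therefore matches.

```python
import ipaddress  # standard library; used only for dotted-quad <-> integer conversion

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to a dotted-quad string."""
    return str(ipaddress.IPv4Address(value & MASK32))


def acl_matches(packet_ip: str, entry_ip: str, wildcard: str) -> bool:
    """ACL semantics: a 0 bit in the wildcard means 'must match', a 1 bit means 'ignore'.

    Only the bits where the wildcard is 0 are compared; everything else is masked off
    on both sides before the comparison.
    """
    care = ~to_int(wildcard) & MASK32
    return (to_int(packet_ip) & care) == (to_int(entry_ip) & care)


def is_contiguous_subnet_mask(mask: int) -> bool:
    """True if the mask is a run of 1s followed by a run of 0s (e.g. 255.255.255.0).

    Trick: invert the mask; a contiguous mask inverts to a value of the form 2^n - 1,
    and such a value ANDed with itself + 1 is always zero.
    """
    inverted = ~mask & MASK32
    return (inverted & (inverted + 1)) == 0


def valid_for_network_statement(wildcard: str) -> bool:
    """The OSPF network statement only accepts a wildcard that is the bitwise inverse
    of a valid (contiguous) subnet mask, which is exactly the rule Peter describes."""
    subnet_mask = ~to_int(wildcard) & MASK32
    return is_contiguous_subnet_mask(subnet_mask)


def subnet_mask_to_wildcard(subnet_mask: str) -> str:
    """Inverse every bit: 255.255.255.0 -> 0.0.0.255."""
    return to_dotted(~to_int(subnet_mask))


def ignored_bit_positions(wildcard: str) -> list:
    """Bit positions (1 = most significant, 32 = least significant) that the ACL
    ignores, i.e. where the wildcard has a 1 bit."""
    w = to_int(wildcard)
    return [pos for pos in range(1, 33) if (w >> (32 - pos)) & 1]


def matched_address_count(wildcard: str) -> int:
    """Number of distinct addresses an ACL entry with this wildcard matches:
    every ignored bit doubles the matched set. A non-contiguous wildcard can
    quietly permit addresses scattered across unrelated subnets, so this is
    worth computing when reviewing an ACL."""
    return 1 << len(ignored_bit_positions(wildcard))


if __name__ == "__main__":
    # Constructed sample values from the thread: entry 1.1.1.1 with wildcard 1.0.1.0.
    entry, wc = "1.1.1.1", "1.0.1.0"
    for pkt in ("1.1.1.1", "0.1.0.1", "1.1.1.2"):
        print(f"packet {pkt} vs {entry} {wc}: match={acl_matches(pkt, entry, wc)}")
    print("ignored bits:", ignored_bit_positions(wc), "addresses matched:", matched_address_count(wc))
    for candidate in ("0.0.0.255", "0.1.0.1", "1.0.1.0"):
        print(f"wildcard {candidate} usable in network statement: {valid_for_network_statement(candidate)}")
```

Running it shows why the two commands behave differently: 1.0.1.0 happily matches four scattered addresses in the ACL (1.1.1.1, 0.1.1.1, 1.1.0.1 and 0.1.0.1) because only the two ignored bits differ, but its inverse 254.255.254.255 is not a contiguous subnet mask, so the OSPF network statement rejects it, whereas 0.0.0.255 passes both checks.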


4 Replies

0.1.0.1 is a wrong wildcard mask.

Read about subnet masks.

Then why is it acceptable in access-control?

access-control 1 permit 1.1.1.1 1.0.1.0

This command is valid on the router, why? Here 1.0.1.0 is the wildcard mask.


jawad-mukhtar
Level 4

Wildcard masks are often used in routers and switches.

Two rules of the WC mask:

0 bit means match
1 bit means ignore




Jawad