Hi
ACL wildcard masks are usually used in their simplest, contiguous form (a 0 bit means "must match", a 1 bit means "don't care"), e.g.
192.168.0.1 0.0.0.0 means only this address
192.168.0.0 0.0.0.3 means any address from .0 to .3
192.168.0.0 0.0.0.15 means any address from .0 to .15
192.168.200.64 0.0.0.31 means any address from .64 to .95
But how should we read a wildcard such as 0.0.1.0, or 10.12.16.20?
Let's say we have the following ACL entry:
deny ip 172.20.0.1 0.6.0.0 any
This means that all bits in the second octet need to match with the exception of bits 6 and 7 (counting from the most significant bit, so bit 1 is worth 128 and bit 8 is worth 1). Why? 6 in binary is 00000110: bit 6 stands for the value 4, bit 7 stands for the value 2.
20 in binary is 00010100. Lined up against the mask, the bits that don't need to match are bits 6 and 7:
address 00010100 (20)
mask    00000110 (6)
The two "don't care" bits can take any value, so we have four possible combinations:
00010000 = 16
00010010 = 18
00010100 = 20
00010110 = 22
So now we know that 172.20.0.1 0.6.0.0 matches 172.16.0.1, 172.18.0.1, 172.20.0.1 and 172.22.0.1, and nothing else, because the other three octets have a wildcard of 0 and must match exactly. Note that the base address only matters in the bits the mask says must match; 172.20.0.1 0.6.0.0 and 172.16.0.1 0.6.0.0 describe exactly the same four addresses.
This could be used e.g. to match only odd addresses. An odd number has a 1 in the eighth (least significant) bit, so:
xxxxxxx1 = the last bit needs to match, the previous ones don't, which gives a wildcard of 254 (11111110) for that octet
So while normally we define wildcards like 0.0.0.1 or 0.0.0.3, in this example it is the opposite, because it is the last bit that needs to match!
If our task is to define the range 172.16.0.0 - 172.31.255.255 but only odd addresses, we would have:
172.16.0.1 with the wildcard 0.15.255.254
(second octet: 16-31 is a 0.15 block; third octet: anything, so 255; fourth octet: 254 so that only the final 1 bit has to match)
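To check a discontiguous mask without doing the binary by hand, the matching rule can be written down directly: a packet address matches when (address XOR base) AND NOT wildcard is zero. The script below is an added example, not code from the original post; the function names are my own. It tests single addresses, lists every address a small mask covers (the 0.6.0.0 case above), and counts how many addresses a larger mask such as 0.15.255.254 covers.

```python
"""Cisco-style wildcard mask matching (added example, not from the post)."""
from ipaddress import IPv4Address
from itertools import product


def to_int(addr: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(IPv4Address(addr))


def wildcard_matches(address: str, base: str, wildcard: str) -> bool:
    """True if address is covered by base/wildcard.

    Wildcard bit 0 = must match, 1 = don't care, so the check is
    (address XOR base) AND NOT wildcard == 0 over all 32 bits.
    """
    care = 0xFFFFFFFF & ~to_int(wildcard)
    return (to_int(address) ^ to_int(base)) & care == 0


def matched_count(wildcard: str) -> int:
    """Number of addresses a wildcard covers: 2 ** (number of 1 bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


def expand(base: str, wildcard: str, limit: int = 4096) -> list[str]:
    """Enumerate every address matched by base/wildcard, lowest first.

    Refuses masks with more than `limit` addresses so a typo such as
    255.255.255.255 does not try to build 4 billion strings.
    """
    b, w = to_int(base), to_int(wildcard)
    if matched_count(wildcard) > limit:
        raise ValueError(f"{matched_count(wildcard)} addresses exceed limit {limit}")
    free_bits = [i for i in range(32) if (w >> i) & 1]   # the "don't care" positions
    fixed = b & ~w & 0xFFFFFFFF                           # base with don't-care bits cleared
    out = []
    for combo in product((0, 1), repeat=len(free_bits)):
        v = fixed
        for bit, on in zip(free_bits, combo):
            if on:
                v |= 1 << bit
        out.append(str(IPv4Address(v)))
    return sorted(out, key=to_int)


def show_octets(base: str, wildcard: str) -> str:
    """Binary view of a base/wildcard pair, one octet per column."""
    rows = []
    for label, addr in (("base", base), ("mask", wildcard)):
        rows.append(f"{label}: " + " ".join(f"{int(o):08b}" for o in addr.split(".")))
    return "\n".join(rows)


if __name__ == "__main__":
    # The example from the post: deny ip 172.20.0.1 0.6.0.0 any
    print(show_octets("172.20.0.1", "0.6.0.0"))
    print(expand("172.20.0.1", "0.6.0.0"))
    # Odd addresses only in 172.16.0.0 - 172.31.255.255
    for probe in ("172.16.0.1", "172.31.255.255", "172.31.255.254", "172.32.0.1"):
        print(probe, wildcard_matches(probe, "172.16.0.1", "0.15.255.254"))
    print(matched_count("0.15.255.254"), "addresses covered")
```

The contiguous cases from the top of the post fall out of the same functions, e.g. expand("192.168.200.64", "0.0.0.31") returns .64 through .95.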
I’ve even found a useful app for this!
http://leighfinch.net/cisco_wiki/index.php/Discontiguous_Wildcard_mask_Calculator