Networkers Academy

Never Calculate a Wildcard Mask Again

When identifying IP addresses within access lists or Open Shortest Path First (OSPF) network statements, we want the flexibility to specify a range of IP addresses, not just individual addresses. Wildcard masks provide that flexibility. They allow us to tell Cisco IOS® Software that we "don't care" about particular bits in the IP address, and at the same time to indicate that we "care very much" about the other bits.

For example, let's say that in an access list, we want to permit all packets destined for hosts that live in network 172.16.0.0/16 (where 16 signifies 16 bits used in the subnet mask 255.255.0.0). Because we want our access list to match any address from the 172.16.0.0/16 network, we're not concerned with specific numbers in the last two octets (the last 16 bits). We're interested in permitting every address from 172.16.0.0 to 172.16.255.255.

We tell our Cisco router not to pay attention to those last 16 bits by placing "don't care" bits in the last two octets of the wildcard mask. As a result, our final access list statement looks like this:

RouterA(config)#access-list 101 permit ip any 172.16.0.0 0.0.255.255

The downside to wildcard masks is that they can be confusing to calculate, especially when dealing with subnet masks that don't end on convenient 8-bit boundaries. Fortunately, a little-known feature of Cisco IOS Software can help.

FIGURE 1: OSPF network using VLSMs.

Let IOS Do the Work
Performing binary conversions can be a tedious chore when calculating multiple wildcard masks. The good news is that Cisco IOS Software can do the calculation for us.

A hidden feature of IOS converts any mistakenly entered subnet mask used in an OSPF network statement into the appropriate wildcard mask. For example, say we're configuring RouterA for OSPF (Figure 1).

We enter router configuration mode:

RouterA(config)#router ospf 1

We add network 10.1.1.0/28 to the OSPF process using an appropriate wildcard mask:

RouterA(config-router)#network 10.1.1.0 0.0.0.15 area 0

While adding network 10.1.2.0/28 to the OSPF process, we accidentally enter the subnet mask instead of the wildcard mask:

RouterA(config-router)#network 10.1.2.0 255.255.255.240 area 0

Fortunately, IOS automatically converts the subnet mask into the appropriate wildcard mask, and the running configuration shows both statements with wildcard masks:

router ospf 1
 network 10.1.1.0 0.0.0.15 area 0
 network 10.1.2.0 0.0.0.15 area 0

We can leverage this undocumented feature to do all of our wildcard calculations with three simple steps:

1. Create an OSPF process to be used solely for wildcard calculations.
2. Configure the OSPF process to be passive for all interfaces.
3. Enter network statements using the subnet masks that you want to be converted.

As an example, let's say that we're creating several access lists, and therefore, we need to calculate wildcard masks for the following networks:

Network       Subnet mask
172.16.1.0    255.255.255.224
10.1.2.0      255.255.248.0
172.20.3.0    255.255.255.192
10.20.40.0    255.255.128.0

Instead of doing manual binary conversions, we plug these addresses into our non-production OSPF process:

RouterA(config)#router ospf 99
RouterA(config-router)#passive-interface default
RouterA(config-router)#network 172.16.1.0 255.255.255.224 area 99
RouterA(config-router)#network 10.1.2.0 255.255.248.0 area 99
RouterA(config-router)#network 172.20.3.0 255.255.255.192 area 99
RouterA(config-router)#network 10.20.40.0 255.255.128.0 area 99

The show running-config command then displays the newly calculated wildcard masks:

router ospf 99
 passive-interface default
 network 10.1.0.0 0.0.7.255 area 99
 network 10.20.0.0 0.0.127.255 area 99
 network 172.16.1.0 0.0.0.31 area 99
 network 172.20.3.0 0.0.0.63 area 99

As you can see, Cisco IOS Software performed the subnet-mask-to-wildcard-mask conversion for you. Note that IOS also clears the host bits of the address you typed: 10.1.2.0 and 10.20.40.0 are stored as 10.1.0.0 and 10.20.0.0, the network addresses that those masks define. Simply copy and paste these values as you create your access lists, and you will save time and eliminate potential configuration errors. When you are finished, remove the scratch process with no router ospf 99 so that it does not linger in the production configuration.
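The following Python script is an added example, not part of the original article, that reproduces the conversion IOS performed above (bit inversion of the mask plus clearing of the host bits) and shows how an access-list entry applies the resulting wildcard mask. The four networks are the ones from the table above, re-entered here as constructed input; the sort order is chosen to match the running-config listing shown.

```python
import ipaddress

# Constructed input: the four networks the article plugs into OSPF process 99,
# paired with the subnet masks given there.
NETWORKS = [
    ("172.16.1.0", "255.255.255.224"),
    ("10.1.2.0", "255.255.248.0"),
    ("172.20.3.0", "255.255.255.192"),
    ("10.20.40.0", "255.255.128.0"),
]

def wildcard_from_mask(mask: str) -> str:
    """Invert every bit of a dotted-decimal subnet mask: 1 ("care") -> 0, 0 -> 1."""
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(mask_int ^ 0xFFFFFFFF))

def ospf_network_line(address: str, mask: str, area: int) -> str:
    """Build the 'network' line as it appears in running-config after conversion.

    IOS not only inverts the mask; it also clears the host bits of the address,
    which is why 10.1.2.0 255.255.248.0 is stored as 'network 10.1.0.0 0.0.7.255'.
    ipaddress rejects a non-contiguous subnet mask, so a typo such as
    255.255.0.255 raises ValueError instead of producing a bogus wildcard.
    """
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return f" network {net.network_address} {wildcard_from_mask(mask)} area {area}"

def ospf_process_config(networks, process_id: int, area: int) -> str:
    """Render the scratch OSPF process in the order the article's output shows.

    The running-config listing in the article is in ascending address order,
    so the lines are sorted numerically by network address here.
    """
    lines = [ospf_network_line(a, m, area) for a, m in networks]
    lines.sort(key=lambda line: int(ipaddress.IPv4Address(line.split()[1])))
    return "\n".join([f"router ospf {process_id}", " passive-interface default", *lines])

def acl_matches(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """Apply a wildcard mask the way an access-list entry does.

    Bits set to 1 in the wildcard are "don't care"; every other bit of the
    packet address must equal the corresponding bit of the ACL address.
    """
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    diff = int(ipaddress.IPv4Address(packet_ip)) ^ int(ipaddress.IPv4Address(acl_ip))
    return diff & care == 0

if __name__ == "__main__":
    print(ospf_process_config(NETWORKS, 99, 99))
```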

This website and the materials offered herein are neither affiliated with nor endorsed by Cisco Systems, Inc. "Cisco", "CCNA", "CCNP", "CCDA", and "CCIE" are all trademarks owned by Cisco Systems, Inc.
For problems or questions regarding this web contact [ProjectEmail].
Last updated: 01/02/06.