Using Discontiguous Wildcard Masks in ACLs

Using Discontiguous Wildcard Masks in ACLs

Unlike subnet masks, wildcard masks allow you to use discontiguous bits which enable you to match on a range of values. Using these within routing protocols is typically frowned upon, if not outright prohibited. Unfortunately, there are those individuals who strive to trim every line they can from their ACLs. Can you say job security through routing obscurity? The downside to using these masks is that the more complex they get, the more unintentional traffic they allow in. In all sense of reality, they should never be used in production networks.

I’ll reiterate that statement. Do not use in productions networks unless you know, and completely understand the consequences!

An Illogical Example

For our first example, lets take 3 random /24s and match them with one single statement. The first thing we have to do is come up with your network address. After we convert our networks to binary, we need to perform AND logic on them. The result will be our network address. -  01001010 . 00010010 . 00010111 . 00000000 -  01000100 . 00100010 . 00001110 . 00000000 -  01010100 . 00110011 . 00010100 . 00000000
AND Result ----  01000000 . 00000010 . 00000100 . 00000000 =

Now that we have our network address we a wildcard mask to go with it. This time, we’re going to use XOR logic to calculate it. -  01001010 . 00010010 . 00010111 . 00000000 -  01000100 . 00100010 . 00001110 . 00000000 -  01010100 . 00110011 . 00010100 . 00000000
XOR Result ----  00011110 . 00110001 . 00011011 . 00000000 =

Now, something should strike you as odd, since we’re matching subnets, and not specific IP addresses, we need to change the last octet in our wildcard mask to 255. Remember, a bit set to 0 means ‘must match’, and a 1 equals ‘don’t care’. So, when complete, our ACL should look something like this.

access-list 1 permit

This brings up the point of avoiding their use in production networks again… since our mask has 18 bits set to 1, aka ‘don’t care’, this ACL will permit a total of 2^10, or 262,144 IP addresses. This means 1 in 16,384 (2^14) randomly chosen IP addresses would be allowed in through this ACL.

A Better Example

A slightly more realistic example would be a more simple match of two /32s, or single IP addresses. First, lets build our wildcard mask. -  00001100 . 00010010 . 00010111 . 00000101 -  00001100 . 00010010 . 00010110 . 00000110
AND Result -  00001100 . 00010010 . 00010110 . 00000100 =

Using the same methods as before, we can calculate the network address. -  00001100 . 00010010 . 00010111 . 00000101 -  00001100 . 00010010 . 00010110 . 00000110
XOR Result -  00000000 . 00000000 . 00000001 . 00000011 =

As a result, our ACL should look just like this.

access-list 2 permit

Now, before we get too far with this, since we may be allowing more addresses than intended, we should learn how to examine what will be allowed through and what will be denied. For example, let’s say that we need to ensure that this access-list did NOT permit a specific IP address. For this example, we’ll use

To check an address against the ACL we need to build a filter that we can compare against. Basically, any bits that are 0 in the wildcard mask must match. Any bits that are set to 1, we don’t care about. I’ll mark those with an ‘x’.

Network Ad.    -  00001100 . 00010010 . 00010110 . 00000100
Wildcard Mask  -  00000000 . 00000000 . 00000001 . 00000011
Filter         -  00001100 . 00010010 . 0001011x . 000001xx

Using this filter, we can compare it to our test IP and see if it will pass through the ACL. -  00001100 . 00010010 . 00010110 . 00001000
Filter     -  00001100 . 00010010 . 0001011x . 000001xx

As you can see, in the last octet we have a discrepancy. will NOT pass through our ACL.

Some Random Matches

So, now that we’ve explored the concepts, lets build some totally off the wall ACLs. For our first trick, lets say you wanted an ACL that matches on all IP address with a last octet of .1 — You would end up with something like this.

access-list 20 permit
! or, only match inside
access-list 21 permit

How about a couple ACLs that only matches IPs with all odd, or even octets?

! Even
access-list 30
! Odd
access-list 31

Another trick, that will probably never come in handy is matching every n-th network, or IP address. For example, lets match every 4th, or 8th network address inside

! Match any ip in every 4th /24 network
access-list 40
! Match any ip in every 8th /24 network
access-list 40

The way this works is quite simple. We just mark everything left of (and including) our starting point to ignore. Since we know everything to the left of 2^4 is a factor of 4 we want to only match addresses in those bits. So, we ignore them, and insure that everything to the right is matched, and equals 0. This means, that address that is matched, must be a factor of 4.

128  64  32  16  8   4   2   1
 1   1   1   1   1   1   0   0   = 252
 1   1   1   1   1   0   0   0   = 248


Obviously, this can get ridiculous if left to your imagination. Wildcard masks can seem archaic at first, but once you learn how useful they can truly be you will never look back. Remember that if choose to use these in a production network, be careful. Do NOT build masks with 10+ bits set to ignore, you will not be happy with the results, nor will your boss.

As usual, if you have any questions or concerns please leave a comment below. Thanks!

comments powered by Disqus

Related Posts

Brocade and VCS… quite impressive

Brocade and VCS… quite impressive

Our second visit on day 2 of Network Field day was Brocade, who incidentally supplied us with a great lunch! We spent a little time going through the expected marketing …

Read More
RouterJockey is launching a clothing line?!?!???

RouterJockey is launching a clothing line?!?!???

Ok maybe that title is a bit grandiose… But due to the great response I received Friday morning from the launch of the original PCAP shirt, and the IPv6 follow-up, I decided to …

Read More
Using Regular Expressions on Cisco IOS

Using Regular Expressions on Cisco IOS

As a followup to my previous post on Regular Expression Basics , I wanted to give a few examples on using them on Cisco …

Read More