Excellent post, Adam! I used to be stuck in that "wildcard mask equals inverted mask" paradigm myself!

Once you start getting the hang of it, it's like riding a bike! I like to break everything out into binary in order to calculate the wildcard masks; it makes it much easier.

Expanding on what Adam posted, you can do some very interesting things with wildcard masks. For example, we may be asked to match only even or odd numbers in the second octet of an access list for certain networks (102.X). Basically, a 0 in the IP will be even and a 1 in the IP will be odd.

    128|64|32|16|8|4|2|1

    102.00000001 = 102.1 - odd
    102.00000011 = 102.3 - odd
    102.00000101 = 102.5 - odd
    102.00000010 = 102.2 - even
    102.00000100 = 102.4 - even
    102.00000110 = 102.6 - even

For evens in the 2nd octet:

    access-list 22 permit 102.0.0.0 0.254.0.0

For odds in the 2nd octet:

    access-list 22 permit 102.1.0.0 0.254.0.0

We could take this a step further if we were asked to create an ACL matching two different IP addresses in a single line (5.10.15.20 and 20.15.10.5). To do this we write them out in binary and perform AND/OR logic against them. With the AND logic we find the similarities and with the OR logic we find the differences. So AND for network and OR for wildcard.

    5.10.15.20 = 00000101.00001010.00001111.00010100
    20.15.10.5 = 00010100.00001111.00001010.00000101

    AND
    00000101.00001010.00001111.00010100
    00010100.00001111.00001010.00000101
    --------------------------------------
    00000100.00001010.00001010.00000100 = 4.10.10.4

    XOR
    00000101.00001010.00001111.00010100
    00010100.00001111.00001010.00000101
    --------------------------------------
    00010001.00000101.00000101.00010001 = 17.5.5.17

So the end result could be something like:

    access-list 10 deny 4.10.10.4 17.5.5.17

Of course we will be matching on more than just these two hosts; however, it was just demonstrated to show the power of this stuff. I also sent you some other links in a unicast.
HTH

Thank you,
Steve Di Bias
Network Engineer - Information Systems
Valley Health System - Las Vegas

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Adam Booth
Sent: Wednesday, June 01, 2011 3:47 PM
To: Alef
Cc: [email protected] IE
Subject: Re: [OSL | CCIE_RS] wildcard masks

Hi Alef,

Which part is getting you confused?

One of the most important things to be aware of is that a wildcard mask is not just an inverted network mask. A rule regarding netmasks is that, when looking at it as a binary sequence, it has to be a bunch of consecutive 1s and 0s: as soon as the first 0 appears, the following digits must continue to be 0.

For a wildcard mask, the above concept does not apply; 1s and 0s can be in any order. The binary sequence of the wildcard mask has a meaning: a 0 means the value of this bit must match, whereas a 1 means I don't care what the source value is, and it is therefore an implied match.

To give a simple example, say you are in OSPF and have an interface 192.168.1.1/24 that you wish to enable. You could be most specific and do

    router ospf 1
     network 192.168.1.1 0.0.0.0 area 0

or more general and do

    router ospf 1
     network 192.168.1.0 0.0.0.255 area 0

I guess you could just go directly to the interface and do "ip ospf 1 area 0", but that kind of sidelines the use case here, so let's ignore that for the time being :)

In both cases OSPF would be enabled for the interface; however, if you wanted to have the most direct control, specifying the complete address and using an exact wildcard mask ensures that only that interface gets activated. For example, if I renumbered the interface on 192.168.1.1/24 to 192.168.1.111/24, in the first case OSPF would be disabled for the interface and in the latter it would not, since the IP still matches the wildcard mask.

There are also interesting things you can do with ACLs to match multiple non-consecutive IP addresses by use of an interesting wildcard mask; these rely on a base IP address and a wildcard string that relies on must-match/don't-care values for the binary string.

Is that of any help?

Cheers,
Adam

On Thu, Jun 2, 2011 at 7:22 AM, Alef <[email protected]> wrote:
> Does anyone have any recommendations for a good tutorial on wildcard masks?
> I know the one on the ipexpert site; I'm afraid I need some more material to
> digest if possible ;-)
> I'm somewhere in between getting it and not getting it, I think.
> thanks,
> alef
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
> _______________________________________________
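Steve's AND/XOR construction and Adam's must-match/don't-care reading of the wildcard bits, as an added Python example that is not from anyone in this thread. It uses only the standard-library ipaddress module and the addresses quoted above, and also answers the "more than just these two hosts" remark by counting how many addresses the 4.10.10.4 17.5.5.17 entry actually admits; the function names are my own.

```python
# Added example (not from the thread): wildcard-mask arithmetic as described above.
import ipaddress
from functools import reduce

ALL32 = 0xFFFFFFFF


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def to_str(n):
    return str(ipaddress.IPv4Address(n))


def summarize(addrs):
    """One base/wildcard pair covering every address in addrs.
    Base = AND of all addresses (the bits they share); wildcard = bits that
    differ anywhere in the set (for two addresses this is simply their XOR)."""
    ints = [to_int(a) for a in addrs]
    base = reduce(lambda x, y: x & y, ints)
    wildcard = reduce(lambda x, y: x | y, (i ^ ints[0] for i in ints))
    return to_str(base), to_str(wildcard)


def matches(addr, base, wildcard):
    """Cisco ACL semantics: a 0 bit in the wildcard must match the base,
    a 1 bit is 'don't care'."""
    care = ~to_int(wildcard) & ALL32
    return (to_int(addr) ^ to_int(base)) & care == 0


def covered_count(wildcard):
    """Number of addresses a base/wildcard entry admits: 2 ** (don't-care bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


def is_contiguous_netmask(mask):
    """Subnet masks must be consecutive 1s then 0s; wildcards have no such rule."""
    inv = ~to_int(mask) & ALL32
    return inv & (inv + 1) == 0


if __name__ == "__main__":
    base, wc = summarize(["5.10.15.20", "20.15.10.5"])
    print(f"access-list 10 deny {base} {wc}")        # 4.10.10.4 17.5.5.17
    print("hosts covered:", covered_count(wc))        # 256, not 2
    print("6.10.15.20 matches?", matches("6.10.15.20", base, wc))
    for octet in (4, 5):
        print(f"102.{octet}.0.0 even rule:", matches(f"102.{octet}.0.0", "102.0.0.0", "0.254.0.0"))
```

The 256 figure is why a summarised entry like this deserves a comment in the ACL: anyone reading it later cannot tell from the line itself which two hosts it was written for.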
