Question on ACLs and wildcard masking

techtips

Hello everyone, I am reading through my WAN book and started the ACL(ughh) chapter.

I am at the ACL Wildcard Masking section and I am completely lost on the following.
I realize with ACLs, bit 0 = Match and bit 1 = Ignore.

Looking at the image below:
1681ef06.png


It shows the IP address of 192.168.10.0, this is a class C address so I presume /24 subnet mask.
The wildcard mask it has is 0.0.255.255

The resulting IP address is 192.168.0.0.

What I don't understand, is how/why is the wildcard mask a /16 with the last 2 octets 255.255?
Why is the resulting IP address 192.168.0.0 and not 192.168.10.0.


I've been searching the internet and can't find a way to understand this. Anybody mind sharing?
 
Your presumption of /24 is wrong, but a common mistake if you are not familiar with CIDR. It is indeed a /16. Remember, wildcard mask is the exact opposite of subnet mask.

Something else confusing in that diagram is the term "resulting IP address". It should read "resulting network address(/name)".
 
192.168.10.0 is a classless address, not class C. It means your host range includes some values in the third octet. You need the third octet to be wild to accommodate this. Someone can probably explain this better.
 
So let me get this straight, because 192.168.10.0 is a classless address, its subnet mask would be a /16? With that being a /16, the inverse mask would be 0.0.255.255

I thought of it being a Class C address since it starts with 192 and Class C goes from 192-223. I understand it's not 192.0.0.0 as it is listed as 192.168.10.0.

So the classful address would be 192.0.0.0 but since the address is 192.168.10.0 it is considered as classless addressing because it's a 32-bit stream and the boundary between network and host can be between bit 0 and 32.

ah ha lol
 
You should probably learn CIDR first...

But yes, class C can only have host bits in the last octet whereas a classless can actually have many masks. For example that could be valid as a /20 and a 0.0.15.255 wildcard.
 
To hit on 2 things before I explain the access list

SpaceHonkey is right. A Class C IP address can have a prefix of less than /24 using supernetting (address aggregation). It's not really a hard process but also not in the scope of the question...lol.

@timberdoodle - 192.168.10.0 is still a Class C address (first 3 bits are 110). The best and easiest way to describe classful and classless as it relates to routing protocols is that the addresses in a classful protocol are limited to the IP classes (/8, /16, /24) and the routes will be summarized as such in the routing table, whereas classless protocols remove that limitation and allow the use of VLSM.

techtips - I think you are getting confused because you are looking at the wildcard as the netmask. I'm a Cisco guy so I can explain it the Cisco way..lol and I don't know if this goes across the board but it should. When wanting to allow or deny a range of IP addresses, summarization is used and this sometimes involves supernetting. If you just wanted to allow 192.168.10.0/24 then the ACL command would be

access-list 1 permit 192.168.10.0 0.0.0.255

The example in your first post just supernetted the IP range 192.168.0.0 - 192.168.255.255 into 192.168.0.0 so the access list that would be created using that would allow traffic from 192.168.0.1 - 192.168.255.255.
 
Okay so after reviewing CIDR...now I realize they don't really follow the class addresses of A/B/C much.
I've done a bunch of examples, one being 192.168.0.200/26 and figured out the netmask and IP ranges...and haven't had issues with that.

I went back to the content I am reading on the CCNA chapter and I am still lost on how they came up with the 0.0.255.255 inverse mask.
I know the subnet mask would be 255.255.0.0 so = /16
but where does it come from? How do I know that 192.168.10.0 = /16 subnet?

I know I may sound like a broken record, but I guess my stubborn brain won't allow me to understand why it's being a /16 instead of /24?

what does that .10.0 show that I am not seeing?

If cisco in their document wrote that it's 192.168.10.0 /16 or /24 then I would understand how they came up with the subnet/inverse mask, but without them stating the subnet how did they decide in a 255.255.0.0 / 0.0.255.255 inverse mask?
 
I'm just learning this stuff myself.

They gave you 192.168.10.0 and the wildmask 0.0.255.255 which means your subnet is 255.255.0.0 so it's /16. If they gave you just 192.168.10.0, yeah, then who the hell knows what the hell subnet it is.
 
That I completely understand. I realize they gave me the 0.0.255.255 inverse mask, which is a 255.255.0.0 subnet, thus being a /16 but they don't specify that.

As you see in the image above, that is ALL that cisco states, I've re-read the page and it doesn't mention why they went with the 0.0.255.255 inverse mask. Why not 0.0.0.255 ?

They did provide the subnet, but they didn't provide the reason for them using the 255.255.0.0 / 0.0.255.255 subnet, which is why I am lost.
 
Again, you are confusing wildcard with a subnet mask. They are 2 different things. The subnet mask shows what bits will be subnetted. A wildcard mask is not used for subnetting but is used more for matching. In my example earlier, the access list that allows 192.168.0.0 0.0.255.255; the 0's indicate what needs to be the same. It's called an inverse mask because when subnetting, the 1 bits indicate similar bits.
 
Forget Subnet Masks. This is a Wildcard Mask. The Class of the IP address is irrelevant. The Wildcard Mask does not have anything to do with the Subnet.

192.168.10.0 with a Wildcard Mask of 0.0.255.255 means any IP from 192.168.0.0 - 192.168.255.255.

0 (00000000) with a Wildcard Mask of 00001111 means 0 (00000000) - 15 (00001111)
128 (10000000) with a Wildcard Mask of 00001111 means 128 (10000000) - 143 (10001111)
127 (01111111) with a Wildcard Mask of 00001111 means 112 (01110000) - 127 (01111111)

If you must put it in terms of a Subnet Mask, a Wildcard Mask is the inverse of a Subnet Mask but it does not define the actual Subnet, only a range of IPs to match.

0 with a Wildcard Mask of 00001111 or Subnet Mask of 11110000 means 0 - 15
128 with a Wildcard Mask of 00001111 or Subnet Mask of 11110000 means 128 - 143
127 with a Wildcard Mask of 00001111 or Subnet Mask of 11110000 means 112 - 127
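The matching rule the thread describes (wildcard 0 = bit must equal the base address, 1 = ignore) written out as code, covering the 192.168.10.0 0.0.255.255 example from the question, the "resulting network address" the diagram shows, and the 0/128/127 single-octet examples above. This is an added illustration, not code from the thread or from Cisco; it also shows a non-contiguous wildcard (0.0.254.255), which has no subnet-mask equivalent and is exactly the kind of ACL line worth double-checking in a review.

```python
"""Wildcard-mask matching as an IOS-style ACL evaluates it (added example)."""
import ipaddress


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def acl_matches(candidate: str, base: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard is identical in candidate and base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF  # wildcard 0 bits -> bits that must match
    return (to_int(candidate) ^ to_int(base)) & care == 0


def resulting_address(base: str, wildcard: str) -> str:
    """The 'resulting address' the diagram shows: wild bits of the base are cleared."""
    return to_dotted(to_int(base) & ~to_int(wildcard) & 0xFFFFFFFF)


def match_range(base: str, wildcard: str):
    """Lowest and highest matching address for a contiguous wildcard (low-order 1s).
    A non-contiguous wildcard matches a scattered set, not one range, so return None."""
    w = to_int(wildcard)
    if w & (w + 1):  # a run of low-order 1s satisfies w & (w + 1) == 0
        return None
    low = to_int(base) & ~w & 0xFFFFFFFF
    return to_dotted(low), to_dotted(low | w)


def match_count(wildcard: str) -> int:
    """Number of addresses an entry matches: 2 ** (number of wild bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    print(resulting_address("192.168.10.0", "0.0.255.255"))  # 192.168.0.0
    print(match_range("192.168.10.0", "0.0.255.255"))        # 192.168.0.0 - 192.168.255.255
    print(match_range("0.0.0.127", "0.0.0.15"))               # 0.0.0.112 - 0.0.0.127
    # non-contiguous: matches every even third octet under 192.168 (constructed example)
    print(acl_matches("192.168.12.5", "192.168.0.0", "0.0.254.255"))  # True
    print(acl_matches("192.168.13.5", "192.168.0.0", "0.0.254.255"))  # False
```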
 