One topic that continues to confuse and stress CCNA and even quite a lot of CCNP level network engineers is wildcard masks. I think it is in most people’s nature to correlate wildcard masks with subnet masks, which is a major pitfall. You cannot think of a wildcard mask as a subnet mask even if you were taught to just take the inverse of a subnet mask to get your wildcard bits. The instructors who teach the ‘subtract your subnet mask from 255.255.255.255 to get your wildcard bits’ shortcut are cheating the students out of learning what a wildcard mask actually is. I believe they use this approach because they truly do not know the proper way to form a wildcard mask themselves. It is a sad state of affairs when a lot of technical instructors should still be students.

The way wildcard masks actually work is fairly simple. You compare an IP address to a wildcard mask, bit by bit, to figure out whether the IP in question matches. A ‘0’ in a bit position means that bit must match exactly, and a ‘1’ in a bit position means we do not care whether that particular bit is on or off.

Example #1 (Simplistic):

If we want a wildcard mask to match only the host 192.168.15.10, the wildcard mask would be 0.0.0.0. Why, you might ask? To get the answer we will break things down into their binary form:

11000000.10101000.00001111.00001010 = 192.168.15.10
00000000.00000000.00000000.00000000 = 0.0.0.0

If a 0 = match exactly and a 1 = we don’t care whether this bit is on or off, then the above can result in ONLY a match for 192.168.15.10.

Let’s say we now want to match all hosts in the 192.168.15.0 network (0-255). The wildcard mask would then be 0.0.0.255:

11000000.10101000.00001111.00001010 = 192.168.15.10
00000000.00000000.00000000.11111111 = 0.0.0.255

If a 0 = match exactly and a 1 = we don’t care, then the above will match 192.168.15.0 – 192.168.15.255. Please note that in this example we are still matching against 192.168.15.10; if we entered this in the form of an ACL on a Cisco router, the router would automatically rewrite the address matched against the wildcard to 192.168.15.0, since the last octet is entirely ‘don’t care’ bits.

Now, let us get just a tad more complicated with things. What if we want to match only 192.168.15.10 and 192.168.15.11? If we break both IP addresses down into binary form we see the following:

11000000.10101000.00001111.00001010 = 192.168.15.10
11000000.10101000.00001111.00001011 = 192.168.15.11

We can tell that there is only 1 bit of difference between these IP addresses, the very last bit in the last octet. Given this information we can deduce that if we match a wildcard against the IP 192.168.15.10, we should care about every single bit but the last one:

11000000.10101000.00001111.00001010 = 192.168.15.10
00000000.00000000.00000000.00000001 = 0.0.0.1

The above wildcard (0.0.0.1) results in a match for ONLY the IP addresses 192.168.15.10 and 192.168.15.11, since the only bit we do not care about is the last bit, which is the ‘1’ position bit.

Example #2 (Semi-Simplistic):

I am going to use an example that you see quite a lot in different Cisco training books. Let’s say you want to block all odd numbered hosts on the 192.168.15.0 network. We will start by getting the binary form of some of the hosts on the network:

11000000.10101000.00001111.00000000 = 192.168.15.0
11000000.10101000.00001111.00000001 = 192.168.15.1
11000000.10101000.00001111.00000010 = 192.168.15.2
11000000.10101000.00001111.00000011 = 192.168.15.3
11000000.10101000.00001111.00000100 = 192.168.15.4
11000000.10101000.00001111.00000101 = 192.168.15.5

You can start to see a repeating pattern: all odd hosts have the last bit set to ‘on’. Thus if we compare 192.168.15.1 to wildcard mask 0.0.0.254, the result would be a match for every single odd host on the network, but none of the even hosts:

11000000.10101000.00001111.00000001 = 192.168.15.1
00000000.00000000.00000000.11111110 = 0.0.0.254

Example #3 (Medium):

Now that you should have the hang of the basics, I am going to present a rather complex problem, break it down into binary, and show you exactly how to solve it.

Problem: A customer has various web servers on his/her network that he/she wants to control access to. The customer wants to ensure that only the 10.0.0.0/8 private address range can access the following web servers:

128.15.12.8, 128.15.12.9, 128.15.12.10, 128.15.12.11
128.31.12.8, 128.31.12.9, 128.31.12.10, 128.31.12.11
192.15.12.8, 192.15.12.9, 192.15.12.10, 192.15.12.11
192.31.12.8, 192.31.12.9, 192.31.12.10, 192.31.12.11

The customer has stated that he hates messy long access lists and requests that this be done in the smallest number of ACL lines possible.

The way I usually approach something like this is to take things octet by octet instead of trying to break down every single address all at once.

The first thing we notice is that the first octet is either 128 or 192, which is 10000000 or 11000000 in binary form. This means there is only 1 bit of difference between the two, so they can be easily matched with a single ‘don’t care’ bit. We can then move on to the 2nd octet, which is either 15 or 31, or 00001111 and 00011111 in binary form. There is also only 1 bit of difference between these two values, which means this octet too can be matched with a single ‘don’t care’ bit without letting in any other value. The 3rd octet is very simple in that they are all .12, which means we can do an exact match on this octet. The final octet has 4 values and is a bit tricky, so let’s break it down into binary real quick:

00001000 = 8
00001001 = 9
00001010 = 10
00001011 = 11

Taking a look at this we can tell that the first 6 bits all match exactly; however, the final 2 bits are different in each address. We are in luck though, as we actually use all 4 combinations of this bit range (00, 01, 10, 11), which means we can ignore these final two bits since, combined with the rest of the octet, they can only equal 8, 9, 10 or 11. Had the list contained only three of those four values, two ‘don’t care’ bits would over-match and we would need additional ACL lines.

Given the information we have so far we can come up with the following wildcard mask: 64.16.0.3 (01000000.00010000.00000000.00000011). When we compare 128.15.12.8 with wildcard mask 64.16.0.3 we see that the only addresses that can come out are the 16 hosts defined above, thus the final ACL would be:

access-list 101 permit tcp 10.0.0.0 0.255.255.255 128.15.12.8 64.16.0.3 eq 80

I hope this quick lesson proved useful to you. If you have any questions or comments simply post them in here.
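The bit-by-bit comparison described above, and the ‘all combinations used’ check from Example #3, as an added Python example (not part of the original post). The 16 web server addresses are constructed from the octet values the post gives (first octet 128 or 192, second 15 or 31, third 12, fourth 8 through 11); the function names are my own.

```python
import ipaddress
from itertools import product

def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def wildcard_match(candidate: str, base: str, wildcard: str) -> bool:
    """True if candidate matches base under the wildcard mask.
    A 0 bit in the wildcard means the bit must equal base exactly;
    a 1 bit means 'don't care'.  The XOR finds differing bits, and
    masking with the inverted wildcard keeps only the bits we care about."""
    differing = to_int(candidate) ^ to_int(base)
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return (differing & care_bits) == 0

def derive_wildcard(hosts: list[str]) -> tuple[str, str]:
    """Smallest wildcard that covers every host: a bit becomes
    'don't care' wherever any host differs from the first one."""
    base = to_int(hosts[0])
    mask = 0
    for h in hosts[1:]:
        mask |= base ^ to_int(h)
    return hosts[0], to_str(mask)

def matched_hosts(base: str, wildcard: str) -> list[str]:
    """Enumerate every address the router would treat as a match
    (2**n results for n 'don't care' bits, so keep n small)."""
    b, w = to_int(base), to_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    fixed = b & ~w & 0xFFFFFFFF          # the router zeroes don't-care bits
    out = []
    for combo in product((0, 1), repeat=len(free_bits)):
        v = fixed
        for bit, on in zip(free_bits, combo):
            v |= on << bit
        out.append(to_str(v))
    return sorted(out, key=to_int)

def exact_cover(hosts: list[str]) -> tuple[str, str, list[str]]:
    """Derive the wildcard and report any addresses it lets in that
    were not in the list (the over-match the post warns about)."""
    base, wc = derive_wildcard(hosts)
    extra = set(matched_hosts(base, wc)) - set(hosts)
    return base, wc, sorted(extra, key=to_int)

# Constructed from the post's Example #3 octet values.
WEB_SERVERS = [f"{a}.{b}.12.{d}" for a in (128, 192) for b in (15, 31) for d in range(8, 12)]
```

Running exact_cover on WEB_SERVERS yields base 128.15.12.8, wildcard 64.16.0.3 and no extra addresses, whereas dropping 128.15.12.11 from the list still produces a two-bit ‘don’t care’ range that lets that host through.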