One part that I struggled to understand was the implementation of wild cards in subnet masks. Or to be more precise, how you could calculate them. But before I explain how they work, I will explain what they are used for.

Lets say you have big network with a massive amount of Access Lists (ACL) specifying who can access what, both from the inside and from the outside. Now, with a lot of nodes connected (PCs, servers and so on) you might end up with ACL`s that have a enormous amount of entries since each one of those potentially need access specified (due to the deny-all in all ACL`s at the end). Wildcards can vastly reduce this amount, especially if you plan your network inside the values of the binary system (1-2-4-8-16-32-64-128 -1). A wildcard works the way that you can specify if an entire binary value -1 (1-3-7-15-31-63-127) should be included in the permit/deny command that you are adding. So instead of adding all those entries – just do one and add the amount you need.

But the key here is to think binary. When trying to figure this out, I first thought that the binary value could be added to any “starting point”. But it can not! If you have an address of 192.168.1.25 as the first node and want to add the next 15 nodes in the network, the immediate decimal way of thinking should be that the permit could be like this:

access-list ext 188 10 permit ip 192.168.1.25 0.0.0.15 any

But this does not “compute” that way. The result in the ACL would actually be this:

10 permit ip 192.168.1.16 0.0.0.15 any

The range will effectively be 192.168.1.16 – 192.168.1.31 giving a completely wrong result for the desired accessibility. This shows how important it is to think about this before you choose your topology. To solve this you would need to do one of two things:

  1. Either change the IP address of all the nodes to inside the binary values permitted, or
  2. Create ACL entries for each of the nodes.

Just a tip for future network planning 😉