Wildcards are used with access lists to specify a host, network, or part of a network. To understand wildcards, you need to understand block sizes.
Block sizes are used to specify a range of addresses. The following list shows some of the different block sizes available. When you need to specify a range of addresses, you choose the smallest block size that is large enough for your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you only need to specify two networks, then a block size of 4 would work.
Wildcards are used with the host or network address to tell the router a range of available addresses to filter.
Whenever a zero is present, it means that octet in the address must match exactly.
Block sizes can be 4, 8, 16, 32, or 64.
What if you want to specify only a small range of subnets? This is where the block sizes come in. You can specify the range of values in a
For example, the range could either be 16 or 32, but not 20. Let’s say that you want to block access to the part of a network that falls in the range 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255.
The 7.255 is what the router uses to determine the block size. The network and wildcard tell the router to start at 172.16.8.0 and go up a block of eight networks to network 172.16.15.0.
All you have to do is remember that the wildcard is always one number less than the block size. So, in our example, the wildcard would be 7 since our block size is 8. If you used a block size of 16, the wildcard would be 15.
We’ll go through some examples to help you really understand it. The following example tells the router to match the first three octets exactly but that the fourth octet can be anything.
RouterA(config)#access-list 10 deny 172.16.10.0 0.0.0.255
The next example tells the router to match the first two octets and that the last two octets can be any value.
RouterA(config)#access-list 10 deny 172.16.0.0 0.0.255.255
Try to figure out this next line:
RouterA(config)#access-list 10 deny 172.16.16.0 0.0.3.255
The above configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.0.
The example below shows an access list starting at 172.16.16.0 and going up a block size of 8 to 172.16.23.0.
RouterA(config)#access-list 10 deny 172.16.16.0 0.0.7.255
The next example starts at network 172.16.32.0 and goes up a block size of 32 to 172.16.63.0.
RouterA(config)#access-list 10 deny 172.16.32.0 0.0.31.255
The last example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0.
RouterA(config)#access-list 10 deny 172.16.64.0 0.0.63.255
Here are two more things to keep in mind when working with block sizes and wildcards:
Each block size must start at 0. For example, you can’t say that you want a block size of 8 and start at 12. You must use 0–7, 8–15, 16–23, etc. For a block size of 32, the ranges are 0–31, 32–63,
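The following is an added worked example, not part of the original text or of any Cisco software: it implements the wildcard arithmetic described above in Python so the ranges from the six access-list statements can be checked. The function names (`acl_range`, `networks_covered`, `block_aligned`, `wildcard_matches`, `wildcard_from_block_size`) are my own; the addresses and wildcards are the ones used on this page. `block_aligned` encodes the rule that a block must start at a multiple of its size, and because the comparison in `wildcard_matches` masks both the candidate and the configured network, a misaligned entry such as 172.16.12.0 0.0.7.255 would silently cover 172.16.8.0 through 172.16.15.255 rather than the range the writer had in mind.

```python
import ipaddress

# Added example (not from the page): the wildcard/block-size arithmetic
# behind statements such as "access-list 10 deny 172.16.8.0 0.0.7.255".


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_block_size(block_size: int) -> str:
    """Wildcard for a block of `block_size` /24 networks (third-octet blocks,
    as in every example on the page): wildcard octet = block size - 1."""
    if block_size < 1 or block_size > 256 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two between 1 and 256")
    return f"0.0.{block_size - 1}.255"


def acl_range(network: str, wildcard: str) -> tuple:
    """First and last address covered by network/wildcard. Wildcard bits set
    to 1 are 'don't care': the range runs from the network with those bits
    cleared to the network with those bits set."""
    net, wc = _to_int(network), _to_int(wildcard)
    first = net & (0xFFFFFFFF ^ wc)
    last = net | wc
    return _to_dotted(first), _to_dotted(last)


def networks_covered(wildcard: str) -> int:
    """How many /24 networks a third-octet wildcard spans (the block size)."""
    return (_to_int(wildcard) + 1) // 256


def block_aligned(network: str, wildcard: str) -> bool:
    """The page's rule: a block must start at a multiple of its size
    (0-7, 8-15, ...). True when no 'don't care' bit is set in the network."""
    return _to_int(network) & _to_int(wildcard) == 0


def wildcard_matches(candidate: str, network: str, wildcard: str) -> bool:
    """Standard-ACL comparison: every bit where the wildcard is 0 must match."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(candidate) & care) == (_to_int(network) & care)


if __name__ == "__main__":
    # The four block-size statements from the page, plus one misaligned entry.
    for net, wc in [("172.16.16.0", "0.0.3.255"), ("172.16.16.0", "0.0.7.255"),
                    ("172.16.32.0", "0.0.31.255"), ("172.16.64.0", "0.0.63.255"),
                    ("172.16.12.0", "0.0.7.255")]:
        print(net, wc, "->", acl_range(net, wc), f"{networks_covered(wc)} networks,",
              "aligned" if block_aligned(net, wc) else "MISALIGNED")
    print("block size 8 ->", wildcard_from_block_size(8))
```

Running the script lists the start and end of each range; the last line shows the misaligned entry resolving to the 172.16.8.0 block, which is the practical reason to check alignment before trusting an access list to cover the networks its author named.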
Controlling VTY (Telnet) Access
You will have a difficult time trying to stop users from telnetting into a router because any active port on a router is fair game for VTY access. However, you can use a standard IP access list to control access by placing the access list on the VTY lines themselves.
To perform this function:
1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
2. Apply the access list to the VTY line with the access-class command.
Here is an example of allowing only host 172.16.10.3 to telnet into a router:
RouterA(config)#access-list 50 permit 172.16.10.3
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 50 in
Because of the implied deny any at the end of the list, the access list stops any host from telnetting into the router except the host 172.16.10.3.
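As an added example (written for this page, not taken from it or from IOS), the following Python model shows how a standard access list applied to the VTY lines is evaluated: entries are tried top-down, the first match decides, and anything that matches nothing falls through to the implicit deny. The parser (`parse_standard_acl`) understands only the `access-list <n> permit|deny <address> [<wildcard>]` form used on this page; `vty_decision` and the sample ACL 60 are my own constructions, added to show that entry order changes the outcome.

```python
import ipaddress

# Added example (not from the page): a model of how a standard ACL applied
# with "access-class <n> in" is evaluated, including the implicit deny.


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(config_lines):
    """Read 'access-list <n> permit|deny <address> [<wildcard>]' lines.
    A missing wildcard is treated as 0.0.0.0, i.e. the entry matches one host."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # skip anything that is not a standard ACL statement
        action, address = parts[2], parts[3]
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line}")
        entries.append((action, _to_int(address), _to_int(wildcard)))
    return entries


def vty_decision(entries, source_ip: str) -> str:
    """Walk the list top-down; the first matching entry decides. No match
    falls through to the implicit 'deny any' at the end of the list."""
    src = _to_int(source_ip)
    for action, network, wildcard in entries:
        care = 0xFFFFFFFF ^ wildcard  # bits where the wildcard is 0 must match
        if (src & care) == (network & care):
            return action
    return "deny"


# Constructed sample input: the page's ACL 50, plus a two-entry list (ACL 60,
# my own) whose order matters: the deny for 172.16.10.0/24 sits above a
# permit for all of 172.16.0.0/16.
ACL_50 = parse_standard_acl(["access-list 50 permit 172.16.10.3"])
ACL_60 = parse_standard_acl([
    "access-list 60 deny 172.16.10.0 0.0.0.255",
    "access-list 60 permit 172.16.0.0 0.0.255.255",
])

if __name__ == "__main__":
    for ip in ("172.16.10.3", "172.16.10.4", "10.0.0.9"):
        print("ACL 50:", ip, "->", vty_decision(ACL_50, ip))
    for ip in ("172.16.10.3", "172.16.20.1", "192.168.1.1"):
        print("ACL 60:", ip, "->", vty_decision(ACL_60, ip))
```

With ACL 50 only 172.16.10.3 gets `permit`; every other source, including others on the same subnet, hits the implicit deny. With ACL 60 the same host is denied even though the second entry would have permitted it, because evaluation stops at the first match, so when you build a VTY access list put the most specific entries first and verify the result against a few sample addresses before applying it with `access-class`.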