Wildcard Masks in Cisco ACLs Explained

Note: machine translation, not proofread.


Wildcard Masks in ACLs Explained

This tutorial explains what the ACL wildcard masks are and how they are used. Learn the differences and similarities between wildcard masks and subnet masks.

Wildcard masks are used to define the match criteria in ACL statements. A wildcard mask lets an administrator match either a single IP address or a range of IP addresses. Without wildcard masks, you would have to create an entry for each IP address. With wildcard masks, you can describe a whole range of IP addresses that need the same action in one entry.
Let’s take an example.

A subnet includes 75 IP addresses. From these IP addresses, you want to block 50 IP addresses. Without wildcard masks, you have to create 50 entries to block these IP addresses. With wildcard masks, you can create a range that includes these IP addresses. Later, you can use this range to define criteria in the entry. This way, you can block or allow a range of IP addresses with a single entry.


Wildcard masks vs. subnet masks

Both wildcard masks and subnet masks are used with IP addresses. They look similar but they are different and are used for completely different purposes. A subnet mask is used to separate the network address from the host address in an IP address. A wildcard mask is used to define the part of the IP address that you want to match in the ACL statement.

Both the wildcard mask and the subnet mask have a length of 32 bits. A bit has two states: ON and OFF. In binary, the ON state is written as 1, and the OFF state is written as 0.

In the subnet mask, an ON bit represents the network bit while the OFF bit represents the host bit.

In the wildcard mask, an OFF bit (0) marks a bit that must match, while an ON bit (1) marks a bit that is ignored.

Let’s take an example. The following address represents a subnet.

              Decimal value   Binary value
IP address    10.0.0.0        00001010.00000000.00000000.00000000
Subnet mask   255.0.0.0       11111111.00000000.00000000.00000000

This subnet includes the IP addresses from 10.0.0.0 to 10.255.255.255.

Network address   First host address   Last host address   Broadcast address
10.0.0.0          10.0.0.1             10.255.255.254      10.255.255.255

Creating the wildcard mask for the subnet mask

Now, suppose you want to create an ACL statement that matches this subnet. To build the criteria for it, you need a wildcard mask that matches all network bits of the address but ignores all host bits.

As mentioned earlier, in a subnet mask an ON bit represents the network bit, and an OFF bit represents the host bit while in a wildcard mask an ON bit represents the bit to ignore, and an OFF bit represents the bit to match.

Bit value   Subnet mask   Wildcard mask
0           Host bit      Match
1           Network bit   Ignore

To match all network bits, put the value 0 in the wildcard mask at the place of each network bit; to ignore all host bits, put the value 1 at the place of each host bit.

                Decimal value   Binary value
IP address      10.0.0.0        00001010.00000000.00000000.00000000
Subnet mask     255.0.0.0       11111111.00000000.00000000.00000000
Wildcard mask   0.255.255.255   00000000.11111111.11111111.11111111

This process is much easier than it looks. To create a wildcard mask for a subnet, all you need to do is reverse the value of the subnet mask. If the subnet mask contains the value 1, then use the value 0 in the wildcard mask. If the subnet mask contains the value 0, use the value 1 in the wildcard mask.

The following table shows some subnet masks and their corresponding wildcard masks.

Subnet mask                           Wildcard mask
11111111.00000000.00000000.00000000   00000000.11111111.11111111.11111111
11111111.11111111.00000000.00000000   00000000.00000000.11111111.11111111
11111111.11111111.11111111.00000000   00000000.00000000.00000000.11111111

If you are working with subnet masks in decimal and want to derive their wildcard masks, there is no need to convert them to binary. Creating wildcard masks in decimal is just as easy: subtract the value of each byte of the subnet mask from 255.

Let’s take an example.

Calculate the wildcard mask that matches the subnet mask 255.0.0.0.

To calculate the wildcard mask for this subnet, subtract each byte value from 255.

  Subtract value   255.255.255.255
- Subnet mask      255.0.0.0
= Wildcard mask    0.255.255.255

The following image shows another example.

The following table lists some more examples.

Subtract value    Subnet mask       Wildcard mask
255.255.255.255   255.240.0.0       0.15.255.255
255.255.255.255   255.255.16.0      0.0.239.255
255.255.255.255   255.255.255.128   0.0.0.127
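The two derivations above (flip every bit of the subnet mask, or subtract each byte from 255) and the match/ignore rule for wildcard bits, worked through in Python as an added example that is not part of the original tutorial. The function names are my own; the match rule assumed is the usual one: a packet address matches an entry when every bit where the wildcard is 0 equals the entry address, and bits where the wildcard is 1 are ignored.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def wildcard_from_subnet_mask(mask: str) -> str:
    """Decimal method from the tutorial: 255 minus each byte of the subnet mask."""
    return ".".join(str(255 - int(b)) for b in mask.split("."))


def wildcard_from_subnet_mask_binary(mask: str) -> str:
    """Binary method: invert every bit of the 32-bit subnet mask."""
    return to_dotted(to_int(mask) ^ MASK32)


def is_contiguous_subnet_mask(mask: str) -> bool:
    """A subnet mask must be a run of 1s followed by 0s (its inverse is 2^k - 1)."""
    inv = to_int(mask) ^ MASK32
    return inv & (inv + 1) == 0


def acl_matches(entry_addr: str, wildcard: str, packet_addr: str) -> bool:
    """Wildcard bit 0 = this bit must match, bit 1 = this bit is ignored."""
    care = (~to_int(wildcard)) & MASK32          # bits the ACL compares
    return (to_int(entry_addr) ^ to_int(packet_addr)) & care == 0


def matched_range(entry_addr: str, wildcard: str) -> tuple[str, str]:
    """Lowest and highest address covered by an entry with a contiguous wildcard."""
    a, w = to_int(entry_addr), to_int(wildcard)
    return to_dotted(a & ~w), to_dotted(a | w)


if __name__ == "__main__":
    # Constructed sample masks, including the rows from the table above.
    for mask in ("255.0.0.0", "255.240.0.0", "255.255.16.0", "255.255.255.128"):
        print(mask, "->", wildcard_from_subnet_mask(mask),
              "(valid subnet mask)" if is_contiguous_subnet_mask(mask) else "(not contiguous)")
    print(matched_range("10.0.0.0", "0.255.255.255"))
```

The contiguity check flags 255.255.16.0 from the table: the subtraction still yields 0.0.239.255, but 16 is 00010000 in binary, so it is not a valid subnet mask even though a wildcard mask itself may legitimately be non-contiguous.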
