ACL wildcard mask

When configuring an access list on a Cisco IOS device, a wildcard mask is used to specify which bits of a prefix must be matched and which should be ignored.

A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, a wildcard mask and a subnet mask differ in the way they treat binary 1s and 0s. With a subnet mask, a binary 1 marks a bit that is part of the network (must match) and a binary 0 a bit that is part of the host portion. With a wildcard mask the reverse is true: a binary 0 means the bit has to match, and a binary 1 means we don't care about that bit.

The following standard access list will match all IP addresses that begin with 10.10.10. (Standard access lists match on source address only, so there is no protocol keyword in the entry.)

access-list 1 permit 10.10.10.0 0.0.0.255

The wildcard mask in binary format is 00000000.00000000.00000000.11111111. Notice that all the positions holding a 1 are in the last octet. Thus, the last octet of the 10.10.10.0 prefix can be any value, because we don't care about those bits.

Note that the syntax doesn't require a contiguous run of zeros followed by a contiguous run of ones. The 1s and 0s can be mixed and matched, so any value between 0.0.0.0 and 255.255.255.255 is accepted as a wildcard mask.

However, almost all uses of wildcard masks are in the form of contiguous zeros followed by contiguous ones (the inverse of a subnet mask), so it is rare to see a wildcard mask in any other format. It is still good to know that Cisco IOS will not "catch" a mistake in the way the wildcard mask is formed: a mask such as 0.0.0.254 or 0.0.255.0 is accepted as typed. IOS also does not reject an address whose bits fall under a wildcard 1; it simply ignores those bits when matching (and typically stores the entry with those address bits zeroed), so an entry like 10.10.10.5 0.0.0.255 behaves exactly like 10.10.10.0 0.0.0.255. Always re-read the entry in the running configuration to confirm it matches what you intended.

This allows us to create complex wildcard masks that match various combinations of prefixes, for example every even-numbered /24 within a /16, or the .1 host in every /24 of a larger range.
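The following Python script is an added example, not part of the original page or of Cisco IOS, that reproduces the bit-level matching described above. It implements the "0 = must match, 1 = don't care" rule for both the ordinary contiguous wildcard mask of the access-list shown earlier and for non-contiguous masks, shows the normalization of address bits that sit under a wildcard 1, and flags masks that are not the simple inverse of a subnet mask. All addresses and ACL entries in it are constructed for illustration.

```python
"""Wildcard-mask matching, as a Cisco IOS ACL evaluates it.

Added worked example (not from the original page): an ACL entry is an
(address, wildcard) pair.  A wildcard bit of 0 means "this bit must match
the address", a wildcard bit of 1 means "don't care about this bit".
"""
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))


def care_bits(wildcard: str) -> int:
    """Bits that must match = the inverse of the wildcard mask (32-bit)."""
    return ~ip_to_int(wildcard) & 0xFFFFFFFF


def ace_matches(address: str, wildcard: str, candidate: str) -> bool:
    """True if `candidate` matches the ACL entry (address, wildcard).

    XOR leaves a 1 wherever candidate and address differ; ANDing with the
    care bits drops the differences we were told to ignore.  If nothing is
    left, every bit we care about matched.
    """
    diff = ip_to_int(candidate) ^ ip_to_int(address)
    return diff & care_bits(wildcard) == 0


def normalize_ace(address: str, wildcard: str) -> str:
    """Zero the address bits under a wildcard 1.

    IOS ignores those bits when matching, so 10.10.10.5 0.0.0.255 behaves
    exactly like 10.10.10.0 0.0.0.255.
    """
    return int_to_ip(ip_to_int(address) & care_bits(wildcard))


def wildcard_to_binary(wildcard: str) -> str:
    """Render a wildcard mask as four 8-bit groups, as in the text."""
    return ".".join(f"{int(octet):08b}" for octet in wildcard.split("."))


def is_contiguous(wildcard: str) -> bool:
    """True if the mask is 0...01...1, i.e. the inverse of a subnet mask.

    w + 1 is a power of two exactly when w is a run of trailing ones.
    """
    w = ip_to_int(wildcard)
    return (w & (w + 1)) == 0


if __name__ == "__main__":
    # Constructed ACL entries: the page's example plus two non-contiguous masks.
    entries = [
        ("10.10.10.0", "0.0.0.255"),    # 10.10.10.x
        ("10.10.0.0", "0.0.254.255"),   # 10.10.<even>.x  (bit 0 of octet 3 must be 0)
        ("10.0.0.1", "0.255.255.0"),    # host .1 in every 10.x.y.0/24
    ]
    # Constructed candidate addresses.
    candidates = ["10.10.10.77", "10.10.11.77", "10.10.4.1", "10.10.5.1",
                  "10.20.30.1", "10.20.30.2"]
    for address, wildcard in entries:
        print(f"\n{address} {wildcard}  (binary mask {wildcard_to_binary(wildcard)}, "
              f"{'contiguous' if is_contiguous(wildcard) else 'NON-contiguous'})")
        for cand in candidates:
            verdict = "permit" if ace_matches(address, wildcard, cand) else "-"
            print(f"  {cand:<12} {verdict}")
    # Bits under a wildcard 1 are ignored; IOS stores the entry normalized.
    print("\n10.10.10.5 0.0.0.255 is stored as", normalize_ace("10.10.10.5", "0.0.0.255"))
```

Run it directly to see which constructed candidates each entry permits. The `is_contiguous` check is the one a reviewer would want when auditing ACLs: a non-contiguous mask is legal and sometimes intended, but it is also exactly the shape a typo produces, and IOS will not warn about it.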

https://networklessons.com/cisco/ccie-enterprise-infrastructure/create-complex-wildcard-masks

https://forum.networklessons.com/t/bgp-extended-access-list-filtering/1294/41?u=lagapides