ACLs and wildcard mask syntax 0=exact match 1=don’t care

Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side (for example, IP address 209.165.202.129 with a 255.255.255.224 mask). Masks for IP ACLs are the reverse (for example, mask 0.0.0.255). This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the result determines which address bits the router compares when it processes traffic. A 0 in the mask means the corresponding address bit must match exactly; a 1 in the mask means "don't care". Unlike a subnet mask, a wildcard mask does not have to be contiguous: the router simply compares the bits where the mask is 0 and ignores the bits where it is 1, so a mask such as 0.0.254.255 is accepted even though it has no subnet-mask equivalent. The following table further explains this concept.

Mask example

                   network address (traffic to be processed)   mask
decimal            10.1.1.0                                    0.0.0.255
binary             00001010.00000001.00000001.00000000         00000000.00000000.00000000.11111111

Based on the binary mask, you can see that the first three octets must match the given binary network address exactly (00001010.00000001.00000001). The last octet is all "don't care" bits (.11111111). Therefore, all traffic with a source beginning with 10.1.1. matches, whatever the last octet holds. With this mask, addresses 10.1.1.0 through 10.1.1.255 (10.1.1.x, 256 addresses in all) are processed; note that .0 and .255 are included, because the mask compares bits and knows nothing about network or broadcast addresses.

The ACL inverse mask can also be determined by subtracting the normal (subnet) mask from 255.255.255.255, octet by octet. This works for any genuine subnet mask because the wildcard is simply the bitwise complement of the mask; it does not apply to non-contiguous wildcards, which have no subnet-mask counterpart. In the following example, the inverse mask is determined for network address 172.16.1.0 with a normal mask of 255.255.255.0.

255.255.255.255 – 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask) 
Note the following ACL equivalents.

The source/source-wildcard of 0.0.0.0/255.255.255.255 means “any”. 

The source/wildcard of 10.1.1.2/0.0.0.0 is the same as “host 10.1.1.2”. 
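The following Python is an added example, not part of the original article, showing the bit test a router performs for one access-list entry and the mask conversions described above. It uses only the standard library's ipaddress module; the addresses it is run against (10.1.1.x, 203.0.113.9, the non-contiguous wildcard 0.0.254.255) are constructed for the illustration.

```python
import ipaddress


def wildcard_from_mask(mask: str) -> str:
    """Inverse (wildcard) mask: every bit of the subnet mask flipped, which is
    exactly what subtracting the mask from 255.255.255.255 octet by octet gives."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ m))


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is the inverse of a real subnet mask, i.e. all of
    its 1 bits sit at the low-order end. Such a value has the form 2**k - 1,
    and only then is w & (w + 1) zero."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def prefix_length(wildcard: str):
    """Equivalent /prefix for a contiguous wildcard, or None for a non-contiguous
    one. IOS accepts non-contiguous wildcards (0.0.254.255 matches every other
    third octet), but they cannot be written in CIDR or subnet-mask form."""
    if not is_contiguous(wildcard):
        return None
    w = int(ipaddress.IPv4Address(wildcard))
    return 32 - bin(w).count("1")


def addresses_matched(wildcard: str) -> int:
    """Each don't-care bit doubles the number of addresses one entry covers."""
    w = int(ipaddress.IPv4Address(wildcard))
    return 1 << bin(w).count("1")


def ace_matches(address: str, network: str, wildcard: str) -> bool:
    """The comparison the router makes for one access-list entry (ACE): bits
    where the wildcard is 0 must be equal, bits where it is 1 are ignored.
    ~w on a Python int clears exactly the don't-care bits of a non-negative a."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))   # 0.0.0.255
    print(wildcard_from_mask("255.255.248.0"))   # 0.0.7.255
    # 10.1.1.0 0.0.0.255 covers 10.1.1.0 through 10.1.1.255: 256 addresses
    print(addresses_matched("0.0.0.255"))        # 256
    print(ace_matches("10.1.1.0", "10.1.1.0", "0.0.0.255"))     # True
    print(ace_matches("10.1.1.255", "10.1.1.0", "0.0.0.255"))   # True
    print(ace_matches("10.1.2.1", "10.1.1.0", "0.0.0.255"))     # False
    # the "any" and "host" equivalents
    print(ace_matches("203.0.113.9", "0.0.0.0", "255.255.255.255"))  # True
    print(ace_matches("10.1.1.3", "10.1.1.2", "0.0.0.0"))            # False
    # a non-contiguous wildcard: 10.1.x.y matches only when x is even
    print(prefix_length("0.0.254.255"))                              # None
    print(ace_matches("10.1.2.5", "10.1.0.0", "0.0.254.255"))        # True
    print(ace_matches("10.1.3.5", "10.1.0.0", "0.0.254.255"))        # False
```

When reviewing an ACL, prefix_length and addresses_matched are the quick sanity checks: an entry whose wildcard has more 1 bits than intended silently widens the permit, and an entry whose wildcard is non-contiguous cannot be reasoned about as a subnet at all.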

Summarizing ACLs
Note: Subnet masks can also be written in prefix-length (CIDR) notation, where the number after the slash is the count of leading 1 bits in the mask. For example, 192.168.10.0/24 represents 192.168.10.0 255.255.255.0.

The following describes how to summarize a range of networks into a single network for ACL optimization. A summary is only correct when it covers exactly the same addresses as the networks it replaces; a summary that is too coarse permits (or denies) addresses that were never in the original list. Consider the following networks.

192.168.32.0/24
192.168.33.0/24
192.168.34.0/24
192.168.35.0/24
192.168.36.0/24
192.168.37.0/24
192.168.38.0/24
192.168.39.0/24

The first two octets and the last octet are the same for each network. The following is an explanation of how to summarize these into a single network. 

The third octet of each network can be written in binary by bit position as follows (the decimal value of each bit is shown in the header). M means "Match" (the bit is identical in every network) and D means "Don't care" (the bit differs between networks).

Decimal   128   64   32   16    8    4    2    1
 32         0    0    1    0    0    0    0    0
 33         0    0    1    0    0    0    0    1
 34         0    0    1    0    0    0    1    0
 35         0    0    1    0    0    0    1    1
 36         0    0    1    0    0    1    0    0
 37         0    0    1    0    0    1    0    1
 38         0    0    1    0    0    1    1    0
 39         0    0    1    0    0    1    1    1
            M    M    M    M    M    D    D    D
As you can see, the first five bits are identical in all eight networks, and the three low-order bits run through every one of the eight possible combinations, in sequence from 0 (000 binary) to 7 (111 binary). The eight networks can therefore be summarized into a single network: 192.168.32.0/21, or 192.168.32.0 255.255.248.0.

The following defines a standard ACL that permits this summarized network as a source. Subtracting 255.255.248.0 (normal mask) from 255.255.255.255 yields the wildcard 0.0.7.255. (A standard ACL matches on source address only and takes no protocol keyword; in an extended ACL the same network and wildcard pair is written after permit ip and must be followed by a destination.)

ip access-list standard acl_permit
 permit 192.168.32.0 0.0.7.255

For further explanation, consider the following set of networks. 

192.168.146.0/24
192.168.147.0/24
192.168.148.0/24
192.168.149.0/24

The first two octets and the last octet are the same for each network. The following is an explanation of how to summarize these. 

The third octet of each network can be written in binary by bit position as follows (the decimal value of each bit is shown in the header).

Decimal   128   64   32   16    8    4    2    1
146         1    0    0    1    0    0    1    0
147         1    0    0    1    0    0    1    1
148         1    0    0    1    0    1    0    0
149         1    0    0    1    0    1    0    1
            M    M    M    M    M    ?    ?    ?

As in the previous example, the first five bits match. The three low-order bits, however, do not form one complete binary sequence. They form two separate partial sequences instead: the first pair runs from 2 (010 binary) to 3 (011 binary), and the second pair runs from 4 (100 binary) to 5 (101 binary).

To summarize these networks into a single network with three don't-care bits, the third octets would have to form the complete sequence from 0 (000 binary) to 7 (111 binary). The only /21 that contains them is 192.168.144.0/21, which also covers 192.168.144.x, 192.168.145.x, 192.168.150.x and 192.168.151.x, none of which are in the list. Unlike the previous example, therefore, these networks cannot be summarized into a single network without permitting addresses that were never intended.

The above networks however can be summarized into two networks, as shown below.

For networks 192.168.146.x and 192.168.147.x, all bits match except for the last one, which is a “don’t care”. This can be written as 192.168.146.0/23 (or 192.168.146.0 255.255.254.0). 

For networks 192.168.148.x and 192.168.149.x, all bits match except for the last one, which is a “don’t care”. This can be written as 192.168.148.0/23 (or 192.168.148.0 255.255.254.0). 
The following standard ACL permits exactly these four networks in two entries (a standard ACL takes no protocol keyword; in an extended ACL each network and wildcard pair would follow permit ip and be followed by a destination).

access-list 10 permit 192.168.146.0 0.0.1.255
access-list 10 permit 192.168.148.0 0.0.1.255
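The following Python is an added example, not part of the original article, that applies the bit-pattern method above to both sets of networks and then performs the general summarization of which the article shows two instances. It uses only the standard library's ipaddress module (collapse_addresses does the exact minimal merge, and a network's hostmask is its wildcard); the ACL number 10 and the candidate summary 192.168.144.0/21 are chosen for the illustration.

```python
import ipaddress


def match_pattern(octets) -> str:
    """For one octet position across several networks, return an 8-character
    string, high bit first: M where the bit is identical in every value,
    D where it differs (the M/D row of the tables above)."""
    out = ""
    for bit in range(7, -1, -1):
        out += "M" if len({(v >> bit) & 1 for v in octets}) == 1 else "D"
    return out


def is_single_block(octets) -> bool:
    """True when the values form one complete, aligned binary block: the D bits
    are the low-order bits and every combination of them is present, so the
    number of distinct values is exactly 2**d."""
    pattern = match_pattern(octets)
    d = pattern.count("D")
    if pattern != "M" * (8 - d) + "D" * d:   # don't-care bits must be the low-order ones
        return False
    return len(set(octets)) == 1 << d


def summarize(cidrs):
    """Smallest set of supernets that covers exactly the listed networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def standard_acl(number: int, cidrs):
    """Render the summary as standard-ACL lines; hostmask is the wildcard."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [f"access-list {number} permit {n.network_address} {n.hostmask}"
            for n in ipaddress.collapse_addresses(nets)]


def overreach(summary: str, cidrs):
    """Subnets (at the originals' prefix length) that a candidate summary would
    permit but that are not in the list. Non-empty means the summary widens
    the permit. The summary must be no longer than the originals' prefix."""
    s = ipaddress.ip_network(summary)
    originals = [ipaddress.ip_network(c) for c in cidrs]
    plen = max(n.prefixlen for n in originals)
    return [str(sub) for sub in s.subnets(new_prefix=plen)
            if not any(sub.subnet_of(o) for o in originals)]


if __name__ == "__main__":
    first = [f"192.168.{i}.0/24" for i in range(32, 40)]     # 32 .. 39
    second = [f"192.168.{i}.0/24" for i in range(146, 150)]  # 146 .. 149
    print(match_pattern(list(range(32, 40))), is_single_block(list(range(32, 40))))
    # MMMMMDDD True
    print(match_pattern(list(range(146, 150))), is_single_block(list(range(146, 150))))
    # MMMMMDDD False
    print(summarize(first))    # ['192.168.32.0/21']
    print(summarize(second))   # ['192.168.146.0/23', '192.168.148.0/23']
    for line in standard_acl(10, second):
        print(line)
    # what a single /21 would wrongly add for the second set
    print(overreach("192.168.144.0/21", second))
```

overreach is the check worth keeping in a pre-change review: run it against any hand-written summary before it goes into a permit entry, and treat a non-empty result as a widening of the rule rather than an optimization.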