ACL Wildcard Masking
Address filtering occurs when you use ACL address wildcard masking to identify how to check or
ignore corresponding IP address bits. Wildcard masking for IP address bits uses the numbers 1 and
0 to identify how to treat the corresponding IP address bits, as follows:
- Wildcard mask bit 0: Match the corresponding bit value in the address.
- Wildcard mask bit 1: Do not check (ignore) the corresponding bit value in the address.
By carefully setting wildcard masks, you can select a single IP address or a whole range of IP
addresses for permit or deny tests with one ACL statement. Figure 6-9 illustrates how the
wildcard mask bits select which address bits are checked.
Figure 6-9 Wildcard Mask
NOTE A wildcard mask is sometimes referred to as an inverse mask.
Octet bit position and address value for bit:   128  64  32  16   8   4   2   1

Wildcard mask octet   Decimal   Example
0 0 0 0 0 0 0 0       0         Match all address bits (match all)
0 0 1 1 1 1 1 1       63        Ignore last 6 address bits
0 0 0 0 1 1 1 1       15        Ignore last 4 address bits
1 1 1 1 1 1 0 0       252       Match last 2 address bits
1 1 1 1 1 1 1 1       255       Do not check address (ignore bits in octet)
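The bit test the figure describes can be written down directly: XOR the packet address with the address in the ACL entry, then check whether any differing bit lies under a 0 in the wildcard mask. The following Python is an added example, not code from the book or from Cisco IOS; it assumes only the standard library, and the address values it tests against the five Figure 6-9 masks are constructed for illustration. It also goes one step beyond the figure by showing a non-contiguous wildcard (0.0.254.255), which the same test handles without any special case.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer back to dotted-decimal text."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len: the bitwise inverse of the subnet mask,
    which is why a wildcard mask is also called an inverse mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return to_dotted(subnet_mask ^ 0xFFFFFFFF)


def acl_matches(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """One ACL address test.
    Wildcard bit 0 = the packet bit must equal the ACL address bit.
    Wildcard bit 1 = ignore that bit.
    The entry matches when every differing bit sits under a wildcard 1."""
    differing = to_int(packet_addr) ^ to_int(acl_addr)
    checked = to_int(wildcard) ^ 0xFFFFFFFF  # 1 wherever the wildcard says "check"
    return differing & checked == 0


def normalize_acl_address(acl_addr: str, wildcard: str) -> str:
    """Zero the address bits the wildcard ignores. Two entries whose addresses
    differ only in ignored bits are the same test."""
    return to_dotted(to_int(acl_addr) & (to_int(wildcard) ^ 0xFFFFFFFF))


def matched_count(wildcard: str) -> int:
    """Number of addresses an entry covers: every ignored bit doubles the set,
    whether or not the 1 bits are contiguous."""
    return 1 << bin(to_int(wildcard)).count("1")


# The five last-octet masks from Figure 6-9, written as full wildcard masks.
FIGURE_6_9_MASKS = {
    "match all":          "0.0.0.0",    # 00000000
    "ignore last 6 bits": "0.0.0.63",   # 00111111
    "ignore last 4 bits": "0.0.0.15",   # 00001111
    "match last 2 bits":  "0.0.0.252",  # 11111100
    "do not check octet": "0.0.0.255",  # 11111111
}

if __name__ == "__main__":
    # Constructed sample: test packet address 172.16.1.40 against each mask on base 172.16.1.0.
    for label, wc in FIGURE_6_9_MASKS.items():
        print(f"{label:20s} {wc:12s} -> {acl_matches('172.16.1.40', '172.16.1.0', wc)}")
    # Non-contiguous wildcard (beyond the figure): 0.0.254.255 keeps only even third octets.
    print(acl_matches("172.16.2.5", "172.16.0.0", "0.0.254.255"))  # True
    print(acl_matches("172.16.3.5", "172.16.0.0", "0.0.254.255"))  # False
    # Ignored bits in the entry's own address do not matter.
    print(normalize_acl_address("172.16.1.77", "0.0.0.63"))  # 172.16.1.64
```

Two practical consequences follow from the test as written: a wildcard of 0.0.0.0 (what IOS abbreviates with the `host` keyword) checks every bit and therefore matches exactly one address, while 255.255.255.255 (the `any` keyword) checks none and matches everything; and because ignored bits in the ACL's own address play no part in the comparison, an entry written as 172.16.1.77 0.0.0.63 tests exactly the same 64 addresses as 172.16.1.64 0.0.0.63.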
220 Chapter 6: Managing Traffic with Access Control Lists
In Figure 6-10, an administrator wants to test a range of IP subnets that is to be permitted or
denied.