
Yusuf Bhaiji

"Network Security Technologies and Solutions"

(Table 2-4 shows an example.)
Table 2-4. Mask Example

Network address (traffic that is to be processed)   10.1.1.0
Network address (binary)                            00001010.00000001.00000001.00000000
Subnet mask (decimal)                               255.0.0.0
Subnet mask (binary)                                11111111.00000000.00000000.00000000
Wildcard/inverse mask (decimal)                     0.0.0.255
Wildcard/inverse mask (binary)                      00000000.00000000.00000000.11111111

Inverse Mask
Masks for IOS IP ACLs are the reverse (for example, mask 0.0.0.255) and are referred to as the inverse mask,
also commonly known as a wildcard mask. (The terms wildcard and inverse are used interchangeably.) When
the value of the mask is broken down into binary numbers (0s and 1s), the results determine which address bits
are to be considered in processing the traffic. A 0 indicates that the address bits must be considered (exact
match); a 1 in the mask is a "don't care." Table 2-4 explains the concept further.
Based on the inverse mask shown in binary, the first three sets (octets) must match the given binary network
address exactly (00001010.00000001.00000001). The last set of numbers represents "don't care" (.11111111).
Therefore, all traffic that begins with 10.1.1. matches because the last octet is not considered.
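
The matching rule described above, written out as an added example (not code from the book). It goes beyond the table's single case by also handling non-contiguous wildcard masks such as 0.0.0.254, which are easy to misread when auditing an ACL. The function names, sample entries, and candidate addresses are constructed for illustration.

```python
import ipaddress

def to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(candidate: str, address: str, wildcard: str) -> bool:
    """True if candidate matches address under an IOS-style wildcard mask.

    A 0 bit in the wildcard means that address bit must match exactly;
    a 1 bit is a "don't care".
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF          # bits that must match
    return ((to_int(candidate) ^ to_int(address)) & care) == 0

def matched_count(wildcard: str) -> int:
    """Addresses covered by one entry: 2 ** (number of don't-care bits)."""
    return 2 ** bin(to_int(wildcard)).count("1")

def is_contiguous(wildcard: str) -> bool:
    """True if the don't-care bits are one block at the low end (a plain subnet)."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0

# Constructed sample (address, wildcard) pairs and candidate source addresses.
ENTRIES = [
    ("10.1.1.0", "0.0.0.255"),   # the case from Table 2-4: any host in 10.1.1.x
    ("10.1.1.0", "0.0.0.254"),   # non-contiguous: only even last octets
    ("10.1.1.0", "0.0.255.0"),   # non-contiguous: third octet is "don't care"
]
CANDIDATES = ["10.1.1.7", "10.1.1.8", "10.1.2.7", "10.1.200.0"]

def audit(entries, candidates):
    """Return one row per entry: (address, wildcard, contiguous, covered, hits)."""
    rows = []
    for address, wildcard in entries:
        hits = [c for c in candidates if wildcard_match(c, address, wildcard)]
        rows.append((address, wildcard, is_contiguous(wildcard),
                     matched_count(wildcard), hits))
    return rows

if __name__ == "__main__":
    for row in audit(ENTRIES, CANDIDATES):
        print("%s %s contiguous=%s covers=%d hits=%s" % row)
```

Flagging entries where is_contiguous() is false is a quick review step, because such masks match address sets that do not correspond to a single subnet.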

