You learn to both create ACLs as well as how to subnet while you’re learning for your CCNA. You also may learn about wildcard masks and how to configure them. Wildcard masks are a lot more powerful than they lead you to believe. They are NOT simply inverted subnet masks. A wildcard mask can be used to pretty much match any value you so desire in a subnet address.
As an example take 192.168.0.0 0.0.0.20 – This matches either 192.168.0.4; 192.168.0.16 or 192.168.0.20 – How else could you match 3 non-consecutive addresses in a single line?
So, how do we actually create them? Let’s say you’re given a task which states that you have the following few address: 184.108.40.206; 220.127.116.11 and 18.104.22.168
Write them all out in binary like so:
22.214.171.124 - 11011001.11000100.00110000.00110011 126.96.36.199 - 11001000.10010110.00000011.00000101 188.8.131.52 - 10011011.10000111.00010010.00001011
Line up all the binary. You need to do a bit of logic. If all 3 values are 1, put a 1 in. If all 3 are 0, put a 0 in. If any of the digits in the 3 numbers are different, put an X in like so:
11011001.11000100.00110000.00110011 11001000.10010110.00000011.00000101 10011011.10000111.00010010.00001011 ----------------------------------- 1X0X10XX.1XXX11X0.00XX00XX.00XXXXX1
We are now left with 1X0X10XX.1XXX11X0.00XX00XX.00XXXXX1 – Now convert back to binary. X’s can be anything, but to make it easier I consider them to be 0 for now.
1X0X10XX.1XXX11X0.00XX00XX.00XXXXX1 = 184.108.40.206
To now work out the wildcard mask, ensure every X is a 1, while all others are 0:
1X0X10XX.1XXX11X0.00XX00XX.00XXXXX1 = 01010011.01110010.00110011.00111110 = 220.127.116.11
So therefore, to match the 3 original addresses in a single line with minimum overlap we would use the subnet address of 18.104.22.168 with a wildcard mask of 22.214.171.124
Basically what we’re trying to do is tell the IOS that anything in the X above could be any digit. i.e. X could be a 0 or 1. The numbers we are sure of will get a 0. This tells IOS that it HAS to match the subnet address in this part of the byte.
If we take the first octet above we can break it down.
136 with a wildcard mask of 83
136 - 10001000 83 - 01010011
This tells IOS that the first bit HAS to be 1; the third bit HAS to be 0; the fifth bit HAS to be 1 and the sixth bit HAS to be 0. All the other bits can be anything at all, in any combination. So a wildcard 0 HAS to match, a wilcard 1 can mean anything.
Hence the term ‘wildcard’
It takes a little bit of time and practice to get good at it, just like regular subnetting when you started out. Once you understand what it is you’re looking at, it’s not that hard :)