Subnet Mask Versus Inverse Mask Overview

The IP address has two basic components: the network address and the host address. A mask is used to partition the network address from the host address within the IP address. The following section describes two types of masks—the subnet mask and the inverse mask.
Subnet Mask As mentioned earlier, an IP address consists of two parts: a network address and a host address. The subnet mask is used to establish where the network number in an IP address ends and the host number begins. It is a method used for splitting IP networks into a series of subgroups or subnets as documented in RFC 950. The mask is a 32-bit binary pattern that is matched up with the IP address to turn part of the host ID address field into a field for subnets. (Table 2-4 shows an example.)
Table 2-4. Mask Example
Network address (traffic that is to be processed)
Network address (binary) 00001010.00000001.00000001.00000000
Subnet mask (decimal)
Subnet mask (binary) 11111111.00000000.00000000.00000000
Wildcard/inverse mask (decimal)
Wildcard/inverse mask (binary) 00000000.00000000.00000000.11111111
Inverse Mask Masks for IOS IP ACLs are the reverse (for example, mask and are referred to as the inverse mask, also commonly known as a wildcard mask. (The terms wildcard and inverse are used interchangeably.) When he value of the mask is broken down into binary numbers (0s and 1s), the results determine which address bits re to be considered in processing the traffic. A 0 indicates that the address bits must be considered (exact atch); a 1 in the mask is a "don't care." Table 2-4 explains the concept further.
Based on the inverse mask shown in binary, the first three sets (octets) must match the given binary network
address exactly (00001010.00000001.00000001). The last set of numbers represents "don't care" (.11111111).
Therefore, all traffic that begins with 10.1.1. matches because the last octet is not considered. With this mask,
network addresses through (10.1.1.x) are processed.
The ACL inverse mask can also be determined by subtracting the normal mask from See
Example 2-1.
Example 2-1. ACL Inverse Mask
Code View:
The inverse mask for network address with a subnet mask of
is; - (subnet mask) = (inverse mask)
When configuring an ACL, you can substitute long dotted numbers with special keywords that represent
the same equivalents, as shown in the following examples:
Source/source-wildcard of can also be represented with the keyword
"any" within the ACL.
Source/wildcard of can also be represented as "host"