Wildcard mask is like any other computer IP address basically a group od zeroes and ones (o and 1). To be short, in wildcard mask all number one (1) mean “I don’t care about that position”, and all zeroes (0) mean “I care about that position in binary address”. Let’s take an example where Access list with wildcardmask will be able to deny fourth subnet and alow next four and so on for all /24 subnets of 192.168.0.0/16 supernetwork.

In the access-list we put an  0.0.0.0 255.255.251.255 network;

We know that 255 means 1111 1111 in binary.
We know that 251 means 1111 1011 in binary.

In the 0.0.0.0 255.255.251.255 line we could change 0.0.0.0 to any other kind of 1.1.0.1 23.23.0.33 because in this situation our ACL will not care about the bits in the first, second and last octet. We could write 192.168.0.0 it will fit in our example.

One more thing to make myself more clear. If we use deny 192.168.0.0 255.255.251.255 in ACL, this ACL will not filter only 192.168.0.0/16 network, but every network in the whole 32bit range from 0.0.0.0 to 255.255.255.255 in which third octet has an zero (0) in 6th position. To filter only those subnets that are part of 192.168.0.0/16 supernet we would need to use deny 192.168.0.0 0.0.251.255 because in that way we will say that we care about first and second octet of the address.

### Example:

• We will now convert the thirt octet to binary: As third octet is zero (0) in binary is also  0 = 0000 0000
• With the 251 in the wildcard mask, we only care about the 6th bit in of the third octet because 251 is “1111 1011
• That means, if the third octet is in the form of xxxx xOxx then it will match my access-list only where 6th bit is equal to zero (0).
• Now let’s write the third octet of some first 20 subnets in binary form:

01 = 0000.0001
02 = 0000.0010
03 = 0000.0011
04 = 0000.0100
05 = 0000.0101
06 = 0000.0110
07 = 0000.0111
08 = 0000.1000
09 = 0000.1001
10 = 0000.1010
11 = 0000.1011
12 = 0000.1100
13 = 0000.1101
14 = 0000.1110
15 = 0000.1111
16 = 0001.0000
17 = 0001.0001
18 = 0001.0010
19 = 0001.0011
20 = 0001.0100

We will put this Access list to some interface:

```access-list 10 deny 0.0.0.0 255.255.251.255
access-list 10 permit any```

In this example you see that my access list will alow the traffic from 192.168.4.0, 192.168.5.0, 192.168.6.0 and 192.168.7.0 network and it will deny the traffic sourced from 192.168.8.0, 192.168.9.0, 192.168.10.0 and 192.168.11.0 network because the ACL it will match it by 6th bit of third octet. Of course it will alow all /24 subnets from examble that are in green color from  01 to 255.