What is Wildcard Masking?
Wildcard mask is like any other computer IP address basically a group od zeroes and ones (o and 1). To be short, in wildcard mask all number one (1) mean “I don’t care about that position”, and all zeroes (0) mean “I care about that position in binary address”. Let’s take an example where Access list with wildcardmask will be able to deny fourth subnet and alow next four and so on for all /24 subnets of 192.168.0.0/16 supernetwork.
In the access-list we put an 0.0.0.0 255.255.251.255 network;
We know that 255 means 1111 1111 in binary.
We know that 251 means 1111 1011 in binary.
In the 0.0.0.0 255.255.251.255 line we could change 0.0.0.0 to any other kind of 22.214.171.124 126.96.36.199 because in this situation our ACL will not care about the bits in the first, second and last octet. We could write 192.168.0.0 it will fit in our example.
One more thing to make myself more clear. If we use deny 192.168.0.0 255.255.251.255 in ACL, this ACL will not filter only 192.168.0.0/16 network, but every network in the whole 32bit range from 0.0.0.0 to 255.255.255.255 in which third octet has an zero (0) in 6th position. To filter only those subnets that are part of 192.168.0.0/16 supernet we would need to use deny 192.168.0.0 0.0.251.255 because in that way we will say that we care about first and second octet of the address.