Explain the concept of wildcard masks in extended ACLs, and how they can be used effectively when controlling access.

Wildcard masks in extended ACLs are binary patterns used to specify IP addresses or ranges for filtering purposes. Unlike subnet masks, wildcard masks use 0s to represent “must match” bits and 1s for “don’t care” bits.

Effectively controlling access with wildcard masks means choosing masks that cover exactly the range of addresses a rule should apply to, and applying the resulting ACL at the right point in the network topology. By combining narrow masks (for individual hosts or small subnets) with broad ones (for whole networks), administrators can create granular rules that allow or deny traffic based on source/destination IPs and ports.

For example, to permit only HTTP traffic from a specific subnet (192.168.1.0/24) to a web server (10.0.0.2), an administrator could configure an extended ACL with a wildcard mask as follows:
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.2 eq 80

This rule uses the wildcard mask 0.0.0.255 to match any address within the 192.168.1.0/24 subnet while specifying the destination IP and port number explicitly.
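As an added example (not part of the original answer), the following Python script shows the wildcard-mask logic behind that rule: it derives a wildcard mask from a prefix length, tests whether an address matches a base/wildcard pair bit by bit, and evaluates constructed packets against a small parsed ACL, including the implicit deny at the end of every Cisco ACL. The `host` keyword is treated as shorthand for a 0.0.0.0 wildcard, and `any` as 0.0.0.0 255.255.255.255. The parser handles only the `access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]` form; the packet tuples are constructed test values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefixlen: int) -> str:
    """Wildcard mask equivalent of an IPv4 prefix length (/24 -> 0.0.0.255).
    A wildcard mask is the bitwise inverse of the subnet mask."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ ALL_ONES))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the wildcard mask.
    Every 0 bit in the mask must be equal; 1 bits are 'don't care'.
    This also handles non-contiguous masks such as 0.0.254.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    must_match = ~w & ALL_ONES          # bits that have to agree
    return (a & must_match) == (b & must_match)


@dataclass
class Ace:
    """One access control entry (one line of an extended ACL)."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "ip", ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":                 # host X == X 0.0.0.0
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse: access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line")
    action, proto = t[2], t[3]
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = int(t[i + 1])
    return Ace(action, proto, src, src_wc, dst, dst_wc, port)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dst_port: int) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if ace.proto not in (proto, "ip"):
            continue
        if not wildcard_match(src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(dst, ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every Cisco ACL


# The rule from the answer above, parsed into an ACL with a single entry.
ACL_101 = [parse_ace("access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.2 eq 80")]

if __name__ == "__main__":
    # Constructed packets: (proto, src, dst, dst_port)
    for pkt in [("tcp", "192.168.1.10", "10.0.0.2", 80),
                ("tcp", "192.168.1.10", "10.0.0.2", 443),
                ("tcp", "192.168.2.10", "10.0.0.2", 80),
                ("udp", "192.168.1.10", "10.0.0.2", 80)]:
        print(pkt, "->", evaluate(ACL_101, *pkt))
```

The `wildcard_match` function makes the key point concrete: only the bits where the mask is 0 are compared, so a mask that is not a contiguous run of 1s (for example 0.0.254.255) matches a pattern of subnets rather than a single block, which is useful but also easy to get wrong when reviewing an ACL.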