Cisco Standard vs. Extended ACLs
- **Standard ACLs (1-99):** Filter traffic based on **source IP address** only.
- **Extended ACLs (100-199):** Filter traffic based on **source/destination IP**, **protocol**, and **source/destination port**.
The Logic of Wildcard Masks
Unlike subnet masks (where 1s indicate network bits), Cisco wildcard masks use **0s to match** and **1s to ignore**. A wildcard mask is computed by subtracting the subnet mask from `255.255.255.255`.
Wildcard Mask Calculation Proof:
```
  255.255.255.255   (all binary 1s)
- 255.255.255.192   (subnet mask for /26)
-----------------
    0.0.0.63        (wildcard mask)
```
Hence, to match all IPs in the range `192.168.1.0/26`, the Cisco statement is:
access-list 101 permit ip 192.168.1.0 0.0.0.63 any
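
The subtraction and the 0s-match / 1s-ignore rule described above, as an added Python example that is not part of the original page. It goes slightly beyond the /26 case by handling any prefix length and by rejecting a CIDR whose host bits are set; the function names are hypothetical and the sample addresses are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255 as a 32-bit integer


def wildcard_from_prefix(prefix_len):
    """Wildcard mask = 255.255.255.255 - subnet mask, for a /prefix_len network."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(ALL_ONES - netmask))


def wildcard_matches(address, base, wildcard):
    """Apply the wildcard rule: 0 bits must equal the base, 1 bits are ignored."""
    addr = int(ipaddress.IPv4Address(address))
    ref = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES  # bits that must match
    return (addr & care) == (ref & care)


def acl_entry(number, action, cidr):
    """Build an extended ACL line of the form shown above for a CIDR source.

    strict=True raises ValueError when host bits are set (e.g. 192.168.1.10/26),
    so a mistyped network address is caught before it reaches a device.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    wildcard = wildcard_from_prefix(net.prefixlen)
    return f"access-list {number} {action} ip {net.network_address} {wildcard} any"


if __name__ == "__main__":
    print(acl_entry(101, "permit", "192.168.1.0/26"))
    # Constructed sample addresses around the edge of 192.168.1.0/26
    for ip in ("192.168.1.0", "192.168.1.63", "192.168.1.64", "192.168.2.5"):
        verdict = "match" if wildcard_matches(ip, "192.168.1.0", "0.0.0.63") else "no match"
        print(f"{ip:15} {verdict}")
```

Checking the first address just outside the block (`192.168.1.64` here) is a quick way to confirm that a wildcard mask is not wider than intended before the entry is deployed.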