access list string as an example:
access-list 2 permit 193.5.5.10 0.0.0.255 log
Tip: An octet is the 8-bit value between the dots of a dotted-decimal IP address. For the IP address 193.5.5.10,
the first octet is 193 and the fourth octet is 10. It is always important to remember which octet you want to
mask.
The 0.0.0 of the wildcard address means that the first three octets of the source interface’s IP address must
exactly match the first three octets of the network portion of the Class C IP address: 193.5.5. Because the last
octet is 255, the last octet of the source interface of received data can be any value. This statement means that
any host address with the network ID 193.5.5 will be permitted. Based on this IP scheme, you may be using
variable-length subnet masks (VLSM).
To identify IP addresses that can be used within your chosen subnet mask, you must use the correct inverse
address to identify those addresses. Table 13.1 shows the possible wildcard inverse addresses matched to the
subnet mask.
Table 13.1: Possible wildcard inverse addresses.
Mask    Wildcard Inverse Address
255     0
254     1
252     3
248     7
240     15
224     31
192     63
128     127
0       255
There is an easy way to figure out the wildcard inverse mask for your access list, or the first network available
with any subnet mask. Always remember the magic number of 256: subtract the network mask octet from it, then
subtract 1. For example, with 255.255.255.192, take the 192 and subtract it from the magic number of 256 to get
64, which is your first network. Subtract one more and you will get the inverse wildcard mask for your access
list identifying the network.
Here’s another example. Say you have a Class C subnet mask of 255.255.255.224. Subtract 224 from the
magic number of 256 and you will get the first valid network of 32. Subtract 1 and you will get the network
inverse mask of 31.
You can use the same magic number to subnet. Let’s say you want to know the first and second networks of a
30-bit mask, which is commonly used on point-to-point WAN links in order to conserve IP addresses. This
would be a mask of 255.255.255.252. Taking the magic number of 256 and subtracting 252, we get the
number 4, which is our first valid network number. This time, instead of subtracting one, multiply by 2 and
you get your second valid network, which is 8. This means that your valid hosts are 5 and 6 and your
broadcast address is 7. We have just created a network with two hosts and wasted no IP addresses.
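The wildcard and magic-number arithmetic above, as an added Python example that is not from the original text: it derives the inverse mask from a subnet mask, tests a source address against an access-list entry bit by bit, and lists last-octet subnets the way the text counts them (the first network is 256 minus the mask). The function names are assumptions made for this example, and the subnet listing goes beyond the 30-bit case to any last-octet mask from 128 to 252.

```python
import ipaddress

def wildcard_from_mask(mask):
    """Inverse (wildcard) mask: per octet, 256 - octet - 1."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-decimal mask: %r" % mask)
    return ".".join(str(256 - o - 1) for o in octets)

def acl_matches(acl_addr, wildcard, source):
    """True when every bit the wildcard marks 0 is equal in both addresses."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(acl_addr))
    s = int(ipaddress.IPv4Address(source))
    return (a & care) == (s & care)

def last_octet_subnets(mask_octet, count):
    """First `count` subnets in the last octet, counted as the text does:
    the first network is the block size 256 - mask_octet."""
    if mask_octet not in (128, 192, 224, 240, 248, 252):
        raise ValueError("mask octet must leave room for hosts")
    block = 256 - mask_octet
    rows = []
    for n in range(1, count + 1):
        net = n * block
        if net + block > 256:      # ran out of the octet
            break
        rows.append({"network": net,
                     "hosts": (net + 1, net + block - 2),
                     "broadcast": net + block - 1})
    return rows

if __name__ == "__main__":
    # Constructed sample: the access-list entry from the text plus two sources.
    wc = wildcard_from_mask("255.255.255.0")
    for src in ("193.5.5.200", "193.5.6.10"):
        print(src, "permit" if acl_matches("193.5.5.10", wc, src) else "no match")
    for row in last_octet_subnets(252, 2):
        print(row)
```

Because the wildcard marks the whole last octet as "don't care", the .10 in the entry plays no part in the match; only 193.5.5 is compared.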
Let’s look at another example using 255.255.255.240, which is a 28-bit mask. Table 13.2 shows the first three
valid networks, the network numbers, the valid hosts for each network, and the broadcast address for each
subnetted network.
Table 13.2: Example of subnetting 255.255.255.240.