IOS IP ACLs match packets by looking at the IP, TCP, and UDP headers in the packet. Standard IP access
lists can examine only the source IP address. You can configure the router to match the entire IP
address or just a part of the IP address. When defining the ACL statements, you can define a wildcard mask
along with the IP address. The wildcard mask tells the router which part of the IP address in the
configuration statement must be compared with the packet header. The wildcard masks look similar to
subnet masks, in that they represent a 32-bit number. However, the wildcard mask's 0 bits tell the router that
those corresponding bits in the address must be compared when performing the matching logic. The binary
1s in the wildcard mask tell the router that those bits do not need to be compared. Thus, wildcard mask
0.0.0.0, which in binary form is 00000000.00000000.00000000.00000000, indicates that the entire IP
address must be matched, while wildcard mask 0.0.0.255, which in binary form is
00000000.00000000.00000000.11111111, indicates that the first 24 bits of the IP address must be matched,
and wildcard mask 0.0.31.255, which in binary form is 00000000.00000000.00011111.11111111,
indicates that the first 19 bits of the IP address must be matched.
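
The matching rule described above, written out as an added Python example (not Cisco code and not from the original text). The function names and the sample addresses are assumptions constructed for illustration. It goes one step beyond the text by also handling a non-contiguous wildcard mask such as 0.0.0.254, which IOS accepts and which has no subnet-mask equivalent.

```python
import ipaddress

def to_int(dotted: str) -> int:
    """Convert dotted-decimal text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def compared_bits(wildcard: str) -> int:
    """Count the 0 bits in the wildcard mask, i.e. the bits the router compares."""
    return 32 - bin(to_int(wildcard)).count("1")

def matches(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """True if packet_ip equals acl_ip in every bit position where the wildcard is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF   # 1 = compare this bit, 0 = ignore it
    return (to_int(packet_ip) & care) == (to_int(acl_ip) & care)

def is_contiguous(wildcard: str) -> bool:
    """True if the 1 bits form a single run at the low end (an inverted subnet mask)."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0

# Constructed sample data: (ACL address, wildcard mask, packet source address)
SAMPLES = [
    ("10.1.1.1", "0.0.0.0",    "10.1.1.1"),    # whole address compared
    ("10.1.1.1", "0.0.0.0",    "10.1.1.2"),
    ("10.1.1.0", "0.0.0.255",  "10.1.1.200"),  # last octet ignored
    ("10.1.1.0", "0.0.0.255",  "10.1.2.200"),
    ("10.1.0.0", "0.0.31.255", "10.1.31.7"),   # low 13 bits ignored
    ("10.1.0.0", "0.0.31.255", "10.1.32.7"),
    ("10.1.1.0", "0.0.0.254",  "10.1.1.4"),    # non-contiguous: only the last bit
    ("10.1.1.0", "0.0.0.254",  "10.1.1.5"),    # of the final octet is compared
]

if __name__ == "__main__":
    for acl_ip, wc, src in SAMPLES:
        print(f"{acl_ip:<9} {wc:<11} src={src:<11} "
              f"compared={compared_bits(wc):<2} "
              f"contiguous={is_contiguous(wc)!s:<5} "
              f"match={matches(src, acl_ip, wc)}")
```

When reviewing an ACL, a low `compared_bits` value or a non-contiguous mask on a permit statement is worth a second look, since either can match far more sources than the address alone suggests.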