More on matching

Proper use of matching and masks can reduce the number of access list entries that a network administrator must write. As we discussed before, matching sets of IP addresses, whether for networks or hosts in standard access lists or for the source and destination definitions in an extended access list, always involves defining an IP address and a mask. Masks are bit masks that apply to the corresponding bit of the IP address. Remember that a 1 in an access list wildcard mask is a wildcard, meaning that the corresponding bit in the IP address is a match no matter what the value is in the IP address being compared. A 0 indicates that the corresponding bit must match the IP address exactly.

So far we have used only 1’s in the last portion of a mask to match all the hosts in that network, like this:

192.168.30.0 0.0.0.255

In this and all previous examples, the 1’s in a mask were on the right while the 0’s were on the left, but we can mask on other portions of an IP address to consolidate access list entries, as we’ll see here. Let’s include four networks in a policy set: 192.168.32.0/24, 192.168.33.0/24, 192.168.34.0/24, and 192.168.35.0/24. The following access list entries accomplish this:

access-list 1 permit 192.168.32.0 0.0.0.255
access-list 1 permit 192.168.33.0 0.0.0.255
access-list 1 permit 192.168.34.0 0.0.0.255
access-list 1 permit 192.168.35.0 0.0.0.255

We can reduce the number of entries by looking at the network numbers and asking what these networks have in common. Clearly, the first two octets ...
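The following Python is an added example, not code from the book: it implements the wildcard-mask comparison described above (1 bits are "don't care", 0 bits must match) and derives the single address/wildcard entry that covers a list of networks, reporting whether that entry is exact or also matches addresses outside the list. The function names and the five-network input are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network


def _int(a):
    return int(ip_address(a))


def _dotted(n):
    return str(ip_address(n))


def wildcard_match(addr, entry_addr, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask is ignored, a 0 bit must match."""
    care = ~_int(wildcard) & 0xFFFFFFFF          # positions that must match exactly
    return (_int(addr) & care) == (_int(entry_addr) & care)


def consolidate(networks):
    """Smallest single 'address wildcard' entry matching every host in the given
    (non-overlapping) networks. Returns (entry_address, wildcard, exact); exact is
    False when the entry also matches addresses that are not in the list."""
    nets = [ip_network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    wildcard = 0
    for n in nets:
        # any bit where a network number differs from the lowest one, plus every
        # host bit of that network, must become a 1 (wildcard) in the mask
        wildcard |= (int(n.network_address) ^ lo) | int(n.hostmask)
    entry = lo & ~wildcard & 0xFFFFFFFF          # clear wildcard bits in the address
    matched = 1 << bin(wildcard).count("1")       # addresses the entry lets through
    wanted = sum(n.num_addresses for n in nets)   # addresses we intended to match
    return _dotted(entry), _dotted(wildcard), matched == wanted


if __name__ == "__main__":
    four = ["192.168.32.0/24", "192.168.33.0/24",
            "192.168.34.0/24", "192.168.35.0/24"]
    addr, wc, exact = consolidate(four)
    print(f"access-list 1 permit {addr} {wc}    exact={exact}")
    # constructed input: adding a fifth /24 forces a wider mask that over-matches
    print(consolidate(four + ["192.168.36.0/24"]))
```

An entry whose `exact` flag is False permits more than the administrator intended, so the check is worth running before replacing several specific lines with one consolidated line.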
