HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual page 230

Applying Access Control to Router Interfaces
Using ACLs Alone to Configure Access Control
5-10
Use Wildcard Bits. You can use wildcard bits to permit or deny a range of
IP addresses. Wildcard bits define which address bits the Secure Router OS
should match and which address bits it should ignore. Essentially, you use the
wildcard bits to specify the subnet to which you want the Secure Router OS
to match packets.
When you enter wildcard bits, you use a 0 to indicate that the Secure Router
OS should match the corresponding bit in the IP address. You use a 1 to
indicate that the Secure Router OS can ignore the corresponding bit in the IP
address. In other words, the Secure Router OS does not have to match that bit.
For example, you might enter:
ProCurve(config-std-nacl)# deny 192.168.1.0 0.0.0.255
If you enter 192.168.1.90 with the wildcard bits 0.0.0.255, the Secure Router
OS will not match any address bits in the fourth octet of the IP address. Because
those bits are ignored, the Secure Router OS will match incoming packets to the
IP subnet address 192.168.1.0/24. (See Figure 5-3.)
As a general rule, you should specify the network address for the subnet you
are using the wildcard bits to select. Adding the wildcard bits to the network
address gives you the last address in the range. For example, enter permit
192.168.1.0 0.0.0.255 to permit traffic with any source address between
192.168.1.0 and 192.168.1.255.
[Figure 5-3. Understanding Wildcard Bits: a bit-level view (bit weights 128 64 32 16 8 4 2 1) of the fourth octet for three entries, 192.168.1.0 0.0.0.3 (figure label: "Match last two address bits in fourth octet"), 192.168.1.0 0.0.0.31 ("Ignore last five address bits in the fourth octet") and 192.168.1.0 0.0.0.255 ("Do not match address bits in the fourth octet").]
Implicit "deny any" Entry. Each ACL includes an implicit "deny any" entry
at the end of the list. If a packet does not match any entry in the ACL you
create, it matches the implicit "deny any" entry.
When you configure a standard ACL and apply it to an interface, you should
permit at least one host. Otherwise, you will, in effect, shut down the interface,
preventing any traffic from entering it.
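The matching rule described above (a 0 wildcard bit must match, a 1 wildcard bit is ignored), the "network address plus wildcard bits gives the last address in the range" rule, and the implicit "deny any" at the end of a standard ACL can all be checked with a small model. The following is an added example written for this page; it is not Secure Router OS code, and the entry tuples and function names are assumptions made for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(address: str, network: str, wildcard: str) -> bool:
    """True if `address` matches `network` under the wildcard bits.

    Wildcard bit 0 = the corresponding address bit must match the entry,
    wildcard bit 1 = the corresponding address bit is ignored.
    """
    a, n, w = _to_int(address), _to_int(network), _to_int(wildcard)
    care = ~w & MASK32  # bits the router must compare
    return (a & care) == (n & care)


def wildcard_range(network: str, wildcard: str) -> tuple[str, str]:
    """First and last address an entry covers: network address with the
    wildcard bits cleared, and network address OR-ed with the wildcard bits."""
    n, w = _to_int(network), _to_int(wildcard)
    first = n & ~w & MASK32
    last = n | w
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def is_network_address(network: str, wildcard: str) -> bool:
    """The manual's general rule: the address you enter should be the network
    address of the subnet, i.e. zero in every bit position the wildcard ignores."""
    n, w = _to_int(network), _to_int(wildcard)
    return (n & w) == 0


def ignored_bits_in_octet(wildcard: str, octet: int = 4) -> int:
    """How many bits of the given octet (1..4) the wildcard tells the router to
    ignore; mirrors the per-octet view in Figure 5-3."""
    value = int(wildcard.split(".")[octet - 1])
    return bin(value).count("1")


def evaluate_standard_acl(entries, source: str) -> str:
    """Evaluate a standard ACL against a packet's source address.

    `entries` is a list of (action, network, wildcard) tuples in configured
    order. The first matching entry decides; if nothing matches, the implicit
    "deny any" entry at the end of every ACL applies. Entries are assumed to be
    (action, network, wildcard) tuples for this example.
    """
    for action, network, wildcard in entries:
        if wildcard_matches(source, network, wildcard):
            return action
    return "deny"  # implicit "deny any"


if __name__ == "__main__":
    # Constructed sample ACL: block 192.168.1.0/24, permit everything else.
    acl = [
        ("deny", "192.168.1.0", "0.0.0.255"),
        ("permit", "0.0.0.0", "255.255.255.255"),
    ]
    for src in ("192.168.1.90", "10.0.0.5"):
        print(src, "->", evaluate_standard_acl(acl, src))
    # An ACL with only a deny entry rejects every source via the implicit deny.
    print("10.0.0.5 against deny-only ACL ->",
          evaluate_standard_acl(acl[:1], "10.0.0.5"))
    print("range of 192.168.1.0 0.0.0.31 ->", wildcard_range("192.168.1.0", "0.0.0.31"))
    print("192.168.1.90 is a network address for 0.0.0.255?",
          is_network_address("192.168.1.90", "0.0.0.255"))
```

The deny-only case in the usage section is the caveat from the paragraph above: applying such an ACL to an interface leaves only the implicit "deny any" to match, so no traffic enters. `is_network_address` flags an entry such as `192.168.1.90 0.0.0.255`, which still matches the whole 192.168.1.0/24 range but is not written as the manual recommends.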