While I was going through the concept of Access Control, I came upon the fact that ACLs use inverse masks. But while going through the explanation given on the Cisco site about Control lists, I noticed that in all their explanations, they convert the inverse mask to the original mask and then do the needful.
If that is the case, why do we need inverse masks at all? From my understanding, inverse masks would prove to be useful only when they are bit ORed with the IP address. But I doubt this is the case. So what is the real reason for using an inverse mask?
Inverse bit masks allow you more flexibility than merely using a netmask. The vast majority of applications simply invert a netmask into an inverse mask, like this:
Essentially, acl 101 blocks packets based on /32 netmasks. A more compact way of expressing the same is
ACL 102 is simply a more compact way of expressing the first ACL.
In the days when Cisco IOS switched all traffic based on CPU power alone and had no internal ACL pattern optimizations built-in, ACL 101 would have been much slower than ACL 102 due to the number of entries in ACL 101. Now, Cisco IOS includes some significant optimizations in the pattern matching engine and higher-end platforms even use ASICs for filtering... so expressing an ACL as 102 does is more for convenience.
Keep in mind that your IOS configurations are only as good as your staff is at 3am in the morning when something is broken; so if you write ACLs as cleverly as possible, it's possible you will need a lot more time to debug things during an early-morning crisis.
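The wildcard test the answer describes, and the collapsing of per-host entries into one compact entry, as an added example that is not from the original post or from Cisco IOS; all addresses and ACL entries below are constructed, and `summarize_hosts` is a hypothetical helper, not an IOS feature:

```python
from __future__ import annotations
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & MASK32))


def inverse_mask(netmask: str) -> str:
    """Netmask -> the wildcard (inverse) mask that IOS ACL syntax expects."""
    return to_dotted(to_int(netmask) ^ MASK32)


def acl_matches(ip: str, address: str, wildcard: str) -> bool:
    """IOS wildcard test: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the packet's bit must equal the ACL address bit."""
    return (to_int(ip) ^ to_int(address)) & (to_int(wildcard) ^ MASK32) == 0


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is just an inverted netmask (0...01...1),
    i.e. the entry could equally be written with a prefix length."""
    w = to_int(wildcard)
    return w & (w + 1) == 0


def summarize_hosts(hosts: list[str]) -> tuple[str, str, bool]:
    """Collapse a list of /32 host entries into one address/wildcard pair.
    Returns (address, wildcard, exact); exact is False when the single
    entry would also admit addresses that were not in the input list."""
    base = to_int(hosts[0])
    wild = 0
    for h in hosts:
        wild |= to_int(h) ^ base          # bits that differ become 'don't care'
    # a wildcard with k one-bits admits exactly 2**k addresses
    exact = 2 ** bin(wild).count("1") == len(set(hosts))
    return to_dotted(base & (wild ^ MASK32)), to_dotted(wild), exact


if __name__ == "__main__":
    # constructed: odd hosts .1 .3 .5 .7 collapse to one non-contiguous entry
    print(summarize_hosts(["192.0.2.1", "192.0.2.3", "192.0.2.5", "192.0.2.7"]))
```

A wildcard such as 0.0.0.6 has no netmask equivalent, which is the flexibility the answer refers to; checking `exact` before collapsing entries guards against a compact entry that silently admits more than the original list did.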