Wildcard Masks for ACLs

Discover how wildcard masks are used to filter traffic.

A wildcard mask is a 32-bit number used primarily in Access Control Lists (ACLs) and some routing protocols (like OSPF and EIGRP) to specify a range of IP addresses. At first glance, it looks like a subnet mask, but it works in the opposite way. It's essentially an inverted subnet mask.

The Logic: "Match" vs. "Don't Care"

The easiest way to understand wildcard masks is to think of them in binary. The bits in the wildcard mask tell the router how to treat the corresponding bits in the IP address:

  • A binary 0 in the wildcard mask means: "The corresponding bit in the IP address must match."
  • A binary 1 in the wildcard mask means: "I don't care about the corresponding bit in the IP address."

Our Wildcard Mask Calculator can quickly do the conversion from a standard subnet mask for you.
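The two bullet rules above and the subnet-mask conversion are easy to get backwards in your head, so here is a small Python helper (added here as a worked example; it is not code from the page or its calculator) that does them bit for bit. Function names (`subnet_to_wildcard`, `wildcard_matches`, `describe_bits`, `is_contiguous`, `wildcard_to_prefix_len`) are my own. `describe_bits` shows, per octet and most-significant bit first, which bit positions must match and which are ignored, so you can check the binary reading of any mask against the range it is supposed to cover; `is_contiguous` flags wildcards that IOS accepts but that have no single subnet-mask equivalent.

```python
import ipaddress
from typing import List

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer (raises on malformed input)."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask bit for bit: same result as 255.255.255.255 - mask."""
    return _to_dotted(_to_int(subnet_mask) ^ ALL_ONES)


def wildcard_to_subnet(wildcard: str) -> str:
    """Inversion is its own inverse, so the same operation goes back the other way."""
    return subnet_to_wildcard(wildcard)


def wildcard_matches(ip: str, base: str, wildcard: str) -> bool:
    """The router's test: every bit where the wildcard is 0 must be equal in ip
    and base; every bit where the wildcard is 1 is ignored."""
    care = _to_int(wildcard) ^ ALL_ONES          # 1 = must match, 0 = don't care
    return (_to_int(ip) & care) == (_to_int(base) & care)


def describe_bits(wildcard: str) -> List[str]:
    """Per octet, MSB first: 'm' where the bit must match, 'x' where it is ignored."""
    return [
        "".join("x" if b == "1" else "m" for b in format(int(octet), "08b"))
        for octet in wildcard.split(".")
    ]


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is 0...01...1 in binary, i.e. it has a subnet-mask
    equivalent. IOS also accepts wildcards such as 0.0.254.255, but those
    describe a scattered set of addresses, not one block."""
    w = _to_int(wildcard)
    return w & (w + 1) == 0


def wildcard_to_prefix_len(wildcard: str) -> int:
    """/N equivalent of a contiguous wildcard (0.0.0.255 -> 24, 0.0.15.255 -> 20)."""
    if not is_contiguous(wildcard):
        raise ValueError(f"{wildcard} has no single prefix-length equivalent")
    return 32 - _to_int(wildcard).bit_length()


if __name__ == "__main__":
    for mask in ("255.255.255.255", "255.255.255.0", "255.255.240.0"):
        wc = subnet_to_wildcard(mask)
        print(f"{mask:>15} -> {wc:<12} /{wildcard_to_prefix_len(wc)} {describe_bits(wc)}")
    print(wildcard_matches("192.168.10.77", "192.168.10.0", "0.0.0.255"))   # True
    print(wildcard_matches("192.168.11.1", "192.168.10.0", "0.0.0.255"))    # False
    print(is_contiguous("0.0.254.255"))                                     # False
```

Run it as a script to see the three masks from the examples that follow converted and annotated. The `is_contiguous` check is the one worth keeping in a change-review script: a non-contiguous wildcard is rarely what the author meant, and it cannot be expressed as a /N prefix when the rule is later migrated to a platform that only takes prefixes.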

Practical Examples in ACLs

Let's see how this works in a common Cisco IOS ACL.

Example 1: Matching a Single Host

You want to write an ACL to permit traffic from only the server at 192.168.1.100.

To match every single bit in the address, your wildcard mask must be all zeros.

access-list 101 permit ip host 192.168.1.100 any

This is a shortcut. The full command would be:

access-list 101 permit ip 192.168.1.100 0.0.0.0 any

The 0.0.0.0 mask tells the router "every bit of 192.168.1.100 must match exactly."

Example 2: Matching a Whole Subnet

You want to deny traffic from the entire 192.168.10.0/24 subnet.

The subnet mask is 255.255.255.0. To get the wildcard mask, you subtract the subnet mask from 255.255.255.255.

  255 . 255 . 255 . 255
- 255 . 255 . 255 .   0
-----------------------
    0 .   0 .   0 . 255

Your ACL would be:

access-list 102 deny ip 192.168.10.0 0.0.0.255 any

The 0.0.0.255 mask tells the router: "The first three octets must match 192.168.10, but I don't care what the last octet is." This effectively matches all addresses from 192.168.10.0 to 192.168.10.255.

Example 3: Matching a Range of Subnets

This is where wildcard masks show their power. Suppose you want to match all subnets from 172.16.0.0 to 172.16.15.255.

This requires more complex binary matching, but the wildcard mask would be 0.0.15.255.

access-list 103 permit ip 172.16.0.0 0.0.15.255 any

This mask says: "The first two octets must be 172.16. For the third octet, I don't care about the first four bits, but the last four bits must be 0. For the last octet, I don't care at all." This is how complex ranges can be specified efficiently.
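To see the three example entries behave the way a router evaluates them, here is a small ACL evaluator in Python (an added example, not code from the page). It parses entries of the exact shape used above (`host`, `any`, or address plus wildcard), applies them top down with first match wins, and falls through to the implicit deny that ends every Cisco ACL. `wildcard_range` derives the lowest and highest address a base/wildcard pair can match, which is the check for Example 3. Function names and the constructed sample sources and destination (10.0.0.1) are my own, as is the `ACL_102_WITH_PERMIT` variant, which the page does not show.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
Addr = Tuple[str, str]            # (base address, wildcard mask)


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _matches(ip: str, base: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must be equal; bits where it is 1 are ignored."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(ip) & care) == (_to_int(base) & care)


def _parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """'any' -> match everything, 'host A' -> wildcard 0.0.0.0, otherwise 'A W'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Dict:
    """Parse one entry of the shape used on the page:
    access-list N (permit|deny) ip <src> <dst>, each address being
    'any', 'host A' or 'A W'. Anything else is rejected rather than guessed."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, i = _parse_addr(tokens, 4)
    dst, _ = _parse_addr(tokens, i)
    return {"number": int(tokens[1]), "action": tokens[2], "src": src, "dst": dst, "text": line}


def evaluate(acl: List[Dict], src_ip: str, dst_ip: str) -> Tuple[str, Optional[Dict]]:
    """Top down, first match wins. No match falls through to the implicit deny,
    so a list that contains only deny entries blocks all traffic."""
    for ace in acl:
        if _matches(src_ip, *ace["src"]) and _matches(dst_ip, *ace["dst"]):
            return ace["action"], ace
    return "deny", None


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a (base, wildcard) pair can match. The pair
    covers every address in between only when the wildcard is 0...01...1 in binary."""
    care = _to_int(wildcard) ^ ALL_ONES
    low = _to_int(base) & care                 # don't-care bits cleared
    high = low | _to_int(wildcard)             # don't-care bits set
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


# The three entries from the page, each its own ACL.
ACL_101 = [parse_ace("access-list 101 permit ip host 192.168.1.100 any")]
ACL_102 = [parse_ace("access-list 102 deny ip 192.168.10.0 0.0.0.255 any")]
ACL_103 = [parse_ace("access-list 103 permit ip 172.16.0.0 0.0.15.255 any")]
# Constructed variant: the explicit permit that usually follows a deny.
# Without it the implicit deny drops every other source as well.
ACL_102_WITH_PERMIT = ACL_102 + [parse_ace("access-list 102 permit ip any any")]


if __name__ == "__main__":
    print(wildcard_range("172.16.0.0", "0.0.15.255"))            # ('172.16.0.0', '172.16.15.255')
    for acl, src in ((ACL_103, "172.16.15.255"), (ACL_103, "172.16.16.0"),
                     (ACL_102, "192.168.11.1"), (ACL_102_WITH_PERMIT, "192.168.11.1")):
        action, ace = evaluate(acl, src, "10.0.0.1")             # 10.0.0.1 is a constructed destination
        print(f"{src:>15} -> {action:<6} via {'implicit deny' if ace is None else ace['text']}")
```

The two sources 172.16.15.255 and 172.16.16.0 sit on either side of the boundary that 0.0.15.255 draws: the first is permitted by ACL 103, the second never matches and is dropped by the implicit deny. The ACL 102 comparison shows why a deny entry on its own is rarely the whole list: applied as written, it blocks 192.168.11.1 too, and only the trailing `permit ip any any` lets other sources through.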