What is a Wildcard Mask?
A wildcard mask is a 32-bit binary number used to specify which bits of an IP address must match (0-bits = must match) and which can be anything (1-bits = ignore). It is the bitwise inverse (NOT) of the subnet mask:
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
Wildcard mask: 0.0.0.255 = 00000000.00000000.00000000.11111111
Where the subnet mask has a 1, the wildcard has a 0 (must match). Where the subnet mask has a 0, the wildcard has a 1 (can be anything).
Calculating Wildcard Masks
The quickest method: subtract the subnet mask from 255.255.255.255:
255.255.255.255
- 255.255.255.0 (/24 subnet mask)
= 0.0.0.255 wildcard mask
255.255.255.255
- 255.255.255.240 (/28 subnet mask)
= 0.0.0.15 wildcard mask
Our subnet calculator shows the wildcard mask for every calculation automatically.
Wildcard Masks in Cisco ACLs
Wildcard masks are used in Cisco IOS Access Control Lists to match a range of hosts or networks:
! Match only 192.168.1.0/24 network
access-list 10 permit 192.168.1.0 0.0.0.255
! Match only host 10.0.0.5
access-list 20 permit 10.0.0.5 0.0.0.0
! Match all IPs (any)
access-list 30 permit 0.0.0.0 255.255.255.255
! Match odd-numbered hosts in 192.168.0.0/24
access-list 40 permit 192.168.0.1 0.0.0.254
The last example works because the last octet of the wildcard, 254, is 11111110 in binary: it ignores bits 1–7 of that octet but requires bit 8 to match the base address, where it is 1 (odd addresses only).
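The matching rule behind the ACL entries above, as an added Python example (not from the original page or from Cisco): an address matches when it equals the base address on every bit where the wildcard bit is 0. The helper names and sample addresses are constructed for illustration; the last two cases show what an entry matches when a subnet mask is typed where a wildcard mask belongs.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_netmask(netmask):
    """Invert a subnet mask (same result as 255.255.255.255 minus the mask)."""
    return str(ipaddress.IPv4Address(to_int(netmask) ^ ALL_ONES))

def acl_matches(base, wildcard, candidate):
    """True if candidate equals base on every bit where the wildcard bit is 0."""
    care_bits = to_int(wildcard) ^ ALL_ONES
    return ((to_int(base) ^ to_int(candidate)) & care_bits) == 0

def looks_like_netmask(mask):
    """Heuristic: 1-bits contiguous from the left suggest a subnet mask was
    typed where a wildcard mask was expected."""
    m = to_int(mask)
    inverted = m ^ ALL_ONES
    return m not in (0, ALL_ONES) and (inverted & (inverted + 1)) == 0

# Constructed test cases: (base, wildcard, candidate address)
CASES = [
    ("192.168.1.0", "0.0.0.255", "192.168.1.77"),      # inside the /24
    ("192.168.1.0", "0.0.0.255", "192.168.2.77"),      # outside the /24
    ("192.168.0.1", "0.0.0.254", "192.168.0.7"),       # odd host, odd base
    ("192.168.0.1", "0.0.0.254", "192.168.0.8"),       # even host, odd base
    ("192.168.0.0", "0.0.0.254", "192.168.0.8"),       # even host, even base
    ("192.168.1.0", "255.255.255.0", "203.0.113.0"),   # netmask used by mistake
    ("192.168.1.0", "255.255.255.0", "192.168.1.77"),  # intended host, not matched
]

def evaluate(cases=CASES):
    """Return (base, wildcard, candidate, matched, suspicious_mask) per case."""
    return [(b, w, c, acl_matches(b, w, c), looks_like_netmask(w))
            for b, w, c in cases]

if __name__ == "__main__":
    print(wildcard_from_netmask("255.255.255.240"))  # /28 from the page
    for b, w, c, hit, odd_mask in evaluate():
        note = "  <- looks like a subnet mask" if odd_mask else ""
        print(f"{b} {w} vs {c}: {'match' if hit else 'no match'}{note}")
```

With the mask reversed, the entry matches any address whose last octet is 0 and none of the intended hosts, which is why a review pass that flags left-contiguous masks in ACL lines is worth running.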
OSPF Wildcard Masks
In OSPF, wildcard masks are used in the network statement to specify which interfaces join an OSPF area:
router ospf 1
network 10.0.0.0 0.255.255.255 area 0 ! All 10.x.x.x interfaces
network 192.168.1.0 0.0.0.255 area 1 ! 192.168.1.x interfaces
Special Wildcard Masks
| Wildcard mask | Meaning | Equivalent |
|---|---|---|
| 0.0.0.0 | Match this exact host | host keyword |
| 255.255.255.255 | Match any address | any keyword |
| 0.0.0.255 | Match any host in /24 | Standard /24 subnet |
| 0.0.255.255 | Match any host in /16 | Standard /16 subnet |
| 0.0.0.254 | Match even-numbered IPs when the base address is even (odd-numbered when it is odd, as in access-list 40) | Non-standard (bit-specific) |