Reference5 min read

Wildcard Masks: What They Are and How to Use Them

A wildcard mask is the bitwise inverse of a subnet mask. It is used in Cisco ACLs, OSPF, and BGP configurations to match ranges of IP addresses.

What is a Wildcard Mask?

A wildcard mask is a 32-bit binary number used to specify which bits of an IP address must match (0-bits = must match) and which can be anything (1-bits = ignore). It is the bitwise inverse (NOT) of the subnet mask:

Subnet mask:   255.255.255.0   = 11111111.11111111.11111111.00000000
Wildcard mask:   0.0.0.255   = 00000000.00000000.00000000.11111111

Where the subnet mask has a 1, the wildcard has a 0 (must match). Where the subnet mask has a 0, the wildcard has a 1 (can be anything).

Calculating Wildcard Masks

The quickest method: subtract the subnet mask from 255.255.255.255:

255.255.255.255
-  255.255.255.0   (/24 subnet mask)
= 0.0.0.255       wildcard mask

255.255.255.255
-  255.255.255.240  (/28 subnet mask)
= 0.0.0.15        wildcard mask

Our subnet calculator shows the wildcard mask for every calculation automatically.

Wildcard Masks in Cisco ACLs

Wildcard masks are used in Cisco IOS Access Control Lists to match a range of hosts or networks:

! Match only 192.168.1.0/24 network
access-list 10 permit 192.168.1.0 0.0.0.255

! Match only host 10.0.0.5
access-list 20 permit 10.0.0.5 0.0.0.0

! Match all IPs (any)
access-list 30 permit 0.0.0.0 255.255.255.255

! Match odd-numbered hosts in 192.168.0.0/24
access-list 40 permit 192.168.0.1 0.0.0.254

The last example works because 0.0.0.254 in binary is 11111110 — it ignores bits 1–7 but requires bit 8 to be 1 (odd addresses only).

OSPF Wildcard Masks

In OSPF, wildcard masks are used in the network statement to specify which interfaces join an OSPF area:

router ospf 1
 network 10.0.0.0 0.255.255.255 area 0    ! All 10.x.x.x interfaces
 network 192.168.1.0 0.0.0.255 area 1     ! 192.168.1.x interfaces

Special Wildcard Masks

Wildcard maskMeaningEquivalent
0.0.0.0Match this exact hosthost keyword
255.255.255.255Match any addressany keyword
0.0.0.255Match any host in /24Standard /24 subnet
0.0.255.255Match any host in /16Standard /16 subnet
0.0.0.254Match even-numbered IPsNon-standard (bit-specific)