Wildcard Masks in ACLs Explained

This tutorial explains what the ACL wildcard masks are and how they are used. Learn the differences and similarities between wildcard masks and subnet masks.

Wildcard masks are used to define criteria in ACL statements. A wildcard mask lets an administrator define either a single IP address or a range of IP addresses. Without wildcard masks, you have to create an entry for each IP address. With wildcard masks, you can describe a range of IP addresses that need the same action in a single entry.

[Image: wildcard example]

Let's take an example.

A subnet includes 75 IP addresses. From these IP addresses, you want to block 50 IP addresses. Without wildcard masks, you have to create 50 entries to block these IP addresses. With wildcard masks, you can create a range that includes these IP addresses. Later, you can use this range to define criteria in the entry. This way, you can block or allow a range of IP addresses with a single entry.

Wildcard masks vs. subnet masks

Both wildcard masks and subnet masks are used with IP addresses. They look similar but they are different and are used for completely different purposes. A subnet mask is used to separate the network address from the host address in an IP address. A wildcard mask is used to define the part of the IP address that you want to match in the ACL statement.

Both the wildcard mask and the subnet mask have a length of 32 bits. A bit has two states: ON and OFF. In binary, the ON state is written as 1, and the OFF state is written as 0.

In the subnet mask, an ON bit represents the network bit while the OFF bit represents the host bit.

[Image: subnet mask to wildcard mask]

In the wildcard mask, an ON bit (1) represents a bit that you want to ignore, while an OFF bit (0) represents a bit that you want to match. Note that this is the opposite of the subnet mask, where the ON bits mark the part of the address that matters.

[Image: wildcard to subnet mask]

Let's take an example. The following address represents a subnet.

                Decimal value    Binary value
IP address      10.0.0.0         00001010.00000000.00000000.00000000
Subnet mask     255.0.0.0        11111111.00000000.00000000.00000000

This subnet includes the IP addresses from 10.0.0.0 to 10.255.255.255.

Network address   First available host address   Last available host address   Broadcast address
10.0.0.0          10.0.0.1                       10.255.255.254                10.255.255.255

Creating the wildcard mask for the subnet mask

Now, let's suppose you want to create an ACL statement that matches this subnet. To build the criteria for this subnet, you have to use a wildcard mask that matches all network bits of the address but ignores all host bits, so that every address in the subnet, whatever its host part, is matched by the same entry.

As mentioned earlier, in a subnet mask an ON bit represents a network bit and an OFF bit represents a host bit, while in a wildcard mask an ON bit represents a bit to ignore and an OFF bit represents a bit to match.

Bit value   Subnet mask    Wildcard mask
0           Host bit       Match
1           Network bit    Ignore

To match all network bits, the wildcard mask has to contain the value 0 at the place of each network bit; to ignore all host bits, it has to contain the value 1 at the place of each host bit.

                Decimal value    Binary value
IP address      10.0.0.0         00001010.00000000.00000000.00000000
Subnet mask     255.0.0.0        11111111.00000000.00000000.00000000
Wildcard mask   0.255.255.255    00000000.11111111.11111111.11111111

This process is much easier than it looks. To create the wildcard mask for a subnet, all you need to do is invert every bit of the subnet mask: where the subnet mask contains a 1, use a 0 in the wildcard mask, and where the subnet mask contains a 0, use a 1 in the wildcard mask.

The following table shows some subnet masks and their corresponding wildcard masks.

Subnet mask                           Wildcard mask
11111111.00000000.00000000.00000000   00000000.11111111.11111111.11111111
11111111.11111111.00000000.00000000   00000000.00000000.11111111.11111111
11111111.11111111.11111111.00000000   00000000.00000000.00000000.11111111

If you are working with subnet masks in decimal and want to create wildcard masks for them, there is no need to convert them into binary. Creating wildcard masks in decimal is just as easy: subtract the value of each byte of the subnet mask from 255. The result is identical to inverting every bit.

Let's take an example.

Calculate the wildcard mask that matches the subnet mask 255.0.0.0.

To calculate the wildcard mask for this subnet, subtract each byte value from 255.

    Subtract value     255.255.255.255
  - Subnet mask        255.0.0.0
  = Wildcard mask      0.255.255.255

The following image shows another example.

[Image: wildcard decimal convert]

The following table lists some more examples.

Subtract value    Subnet mask       Wildcard mask
255.255.255.255   255.240.0.0       0.15.255.255
255.255.255.255   255.255.16.0      0.0.239.255
255.255.255.255   255.255.255.128   0.0.0.127

Creating the subnet mask from the wildcard mask

ACL statements use wildcard masks to define criteria. To identify which statement filters which address or address range, you have to calculate the subnet mask from the wildcard mask used in the statement.

By reversing the above process, you can easily calculate the subnet mask from the wildcard mask. To calculate the subnet mask in binary, use the opposite bit at each position: where the wildcard mask has a 1, use a 0 in the subnet mask, and where the wildcard mask has a 0, use a 1 in the subnet mask.

The following image shows some examples.

[Image: subnet mask from wildcard mask]

The following table lists some more examples.

Wildcard mask                         Subnet mask
00000000.11111111.11111111.11111111   11111111.00000000.00000000.00000000
00000000.00000000.11111111.11111111   11111111.11111111.00000000.00000000
00000000.00000000.00000000.11111111   11111111.11111111.11111111.00000000

To calculate the subnet mask in decimal, subtract each byte of the wildcard mask from 255. For example, if a byte of the wildcard mask is 239, the corresponding byte of the subnet mask is 255 - 239 = 16.

[Image: convert wildcard to subnet mask]

The following table lists some examples.

Subtract value    Wildcard mask   Subnet mask
255.255.255.255   0.15.255.255    255.240.0.0
255.255.255.255   0.0.239.255     255.255.16.0
255.255.255.255   0.0.0.127       255.255.255.128

Special wildcard masks

There are two special wildcard masks: 0.0.0.0 and 255.255.255.255. A wildcard mask of 0.0.0.0 instructs the router to match all 32 bits of the address, so it matches exactly one host; for this reason it is called a host mask. For example, if you want to allow or deny one specific host on a segment, use this wildcard mask with the IP address of that host.

The following statement shows how this wildcard mask is used.

deny 10.0.0.1 0.0.0.0

The above statement denies only the packets that originate from the host 10.0.0.1.

A wildcard mask of 255.255.255.255 instructs the router to ignore all 32 bits of the address, so every packet matches. Since no bit of the address is compared, the IP address that you enter with this mask does not matter.

Technically, you can enter this wildcard mask with any IP address, but by convention it is used with the IP address 0.0.0.0. Administrators use the following IP address and wildcard mask pair to match all incoming or outgoing packets.

0.0.0.0 255.255.255.255
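The following Python script is an added example and not part of the original tutorial. It implements the decimal conversions from the two "Creating ..." sections and the bit-wise matching rule that the host mask and the all-ones mask are special cases of; the function names are my own, and the packet addresses such as 10.200.3.4 are constructed for the demonstration.

```python
# Added example, not part of the original tutorial: the subnet/wildcard
# conversions and the bit-wise matching rule that an ACL entry applies.
import ipaddress


def octets(dotted: str) -> list:
    """Split a dotted-decimal string such as '255.240.0.0' into four integers."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal value: {dotted}")
    return parts


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Subtract each octet from 255, which is the same as flipping every bit."""
    return ".".join(str(255 - o) for o in octets(subnet_mask))


def wildcard_to_subnet(wildcard: str) -> str:
    """The reverse process: 255 minus each octet of the wildcard mask."""
    return ".".join(str(255 - o) for o in octets(wildcard))


def acl_matches(entry_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True when every bit the wildcard marks 0 (match) is equal in the entry
    address and the packet address; bits marked 1 (ignore) are not compared."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    entry = int(ipaddress.IPv4Address(entry_addr)) & care
    packet = int(ipaddress.IPv4Address(packet_addr)) & care
    return entry == packet


def addresses_covered(wildcard: str) -> int:
    """Number of addresses one entry reaches: 2 to the power of the 1 bits."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


if __name__ == "__main__":
    # The tutorial's 10.0.0.0/8 example: network bits matched, host bits ignored.
    print(subnet_to_wildcard("255.0.0.0"))                          # 0.255.255.255
    print(acl_matches("10.0.0.0", "0.255.255.255", "10.200.3.4"))   # True (constructed address)
    print(acl_matches("10.0.0.0", "0.255.255.255", "11.0.0.1"))     # False
    # Host mask and the all-ones mask from the special-masks section.
    print(acl_matches("10.0.0.1", "0.0.0.0", "10.0.0.2"))           # False
    print(acl_matches("0.0.0.0", "255.255.255.255", "192.0.2.77"))  # True
    # 0.0.239.255 is not a contiguous block: only the 16 bit of the third
    # octet is compared, so the entry reaches 2**15 scattered addresses.
    print(addresses_covered("0.0.239.255"))                         # 32768
```

The last call is the check worth running before trusting an ACL you inherited: a wildcard mask whose subnet-mask counterpart is not contiguous (255.255.16.0 here) covers addresses in scattered pieces rather than one block.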

That's all for this tutorial. In the next tutorial, we will discuss the general rules and guidelines for ACL configuration.
