This tutorial explains what the ACL wildcard masks are and how they are used. Learn the differences and similarities between wildcard masks and subnet masks.
Wildcard masks are used to define the criteria in ACL statements. A wildcard mask lets an administrator match a single IP address or a block of IP addresses with one statement. Without wildcard masks, you would have to create a separate entry for every IP address. With wildcard masks, you can describe a block of addresses that need the same action and cover it with a single entry.
Let's take an example.
A subnet includes 75 IP addresses. From these, you want to block 50. Without wildcard masks, you would have to create 50 entries. With wildcard masks, you describe the addresses as a block (or a few blocks, because a wildcard mask matches a bit pattern, not an arbitrary decimal range) and use that block as the criterion in the entry. This way, you can block or allow many IP addresses with a single entry instead of one entry per address.
This tutorial is the fifth part of the article 'Cisco Access Lists Explained with Examples'. The other parts of this article are the following.
Definition, purposes, benefits, and functions of ACL
Basic concepts and fundamentals of ACLs
How Access Lists work on Cisco routers
Types of access control lists explained
Rules and configuration guidelines for Cisco ACLs
Access Control List Explained with Examples
The ip access-list command options and arguments
Standard ACL Configuration Commands Explained
Configure Standard Access Control List Step by Step Guide
How to secure VTY access to the Router
Extended ACL Configuration Commands Explained
Configure Extended Access Control List Step by Step Guide
How to block ICMP Ping on Cisco Routers
Wildcard masks vs. subnet masks
Both wildcard masks and subnet masks are used with IP addresses. They look similar, but they are different and serve completely different purposes. A subnet mask separates the network portion of an IP address from the host portion. A wildcard mask tells the router which bits of the address in an ACL statement must match the packet and which bits it may ignore.
Both the wildcard mask and the subnet mask have a length of 32 bits. A bit has two states: ON and OFF. In binary, the ON state is written as 1, and the OFF state is written as 0.
In the subnet mask, an ON bit represents the network bit while the OFF bit represents the host bit.
In the wildcard mask, the meaning is reversed: an OFF bit (0) marks a bit that must match, while an ON bit (1) marks a bit that is ignored.
Let's take an example. The following address represents a subnet.
Decimal value | Binary value | |
IP address | 10.0.0.0 | 00001010.00000000.00000000.00000000 |
Subnet mask | 255.0.0.0 | 11111111.00000000.00000000.00000000 |
This subnet includes the IP addresses from 10.0.0.0 to 10.255.255.255.
Network address | First available address for the host | Last available address for the host | Broadcast address |
10.0.0.0 | 10.0.0.1 | 10.255.255.254 | 10.255.255.255 |
Creating the wildcard mask for the subnet mask
Now, let's suppose you want to create an ACL statement that matches this subnet. To do so, you need a wildcard mask that matches all network bits of the address and ignores all host bits, so that any host in the subnet matches the statement.
As mentioned earlier, in a subnet mask an ON bit represents a network bit and an OFF bit represents a host bit, while in a wildcard mask an OFF bit (0) represents a bit to match and an ON bit (1) represents a bit to ignore.
Bit value | Subnet mask | wildcard mask |
0 | Host bit | Match |
1 | Network bit | Ignore |
To match all network bits, put the value 0 in the wildcard mask at the position of each network bit; to ignore all host bits, put the value 1 at the position of each host bit.
Decimal value | Binary value | |
IP address | 10.0.0.0 | 00001010.00000000.00000000.00000000 |
Subnet mask | 255.0.0.0 | 11111111.00000000.00000000.00000000 |
Wildcard mask | 0.255.255.255 | 00000000.11111111.11111111.11111111 |
This process is much easier than it looks. To create a wildcard mask for a subnet, all you need to do is reverse the value of the subnet mask. If the subnet mask contains the value 1, then use the value 0 in the wildcard mask. If the subnet mask contains the value 0, use the value 1 in the wildcard mask.
The following table shows some subnet masks and their relative wildcard masks.
Subnet mask | Wildcard mask |
11111111.00000000.00000000.00000000 | 00000000.11111111.11111111.11111111 |
11111111.11111111.00000000.00000000 | 00000000.00000000.11111111.11111111 |
11111111.11111111.11111111.00000000 | 00000000.00000000.00000000.11111111 |
If you are using subnet masks in decimal and want to create wildcard masks for them, there is no need to convert them into binary. Creating wildcard masks in decimal is also easy. In decimal, to create a wildcard mask for a given subnet mask, subtract the value of each byte from 255.
Let's take an example.
Calculate the wildcard mask that matches the subnet mask 255.0.0.0.
To calculate the wildcard mask for this subnet, subtract each byte value from 255.
Subtract value 255.255.255.255 - Subnet mask 255.0.0.0 = Wildcard mask 0.255.255.255
The following image shows another example.
The following table lists some more examples. Note that the middle row, 255.255.16.0, is not a valid subnet mask (its 1 bits are not contiguous), but the subtraction still works; unlike subnet masks, wildcard masks on Cisco routers are not required to be contiguous, which is occasionally used to match, for example, every other subnet.
Subtract value | Subnet mask | Wildcard mask |
255.255.255.255 | 255.240.0.0 | 0.15.255.255 |
255.255.255.255 | 255.255.16.0 | 0.0.239.255 |
255.255.255.255 | 255.255.255.128 | 0.0.0.127 |
Creating the subnet mask from the wildcard mask
ACL statements use wildcard masks to define their criteria. To work out which statement filters which address or address range, you have to calculate the subnet mask from the wildcard mask used in the statement.
By reversing the above process, you can easily calculate the subnet mask from the wildcard mask. To calculate the subnet mask in binary, use the opposite bit at each place. For example, if you have 1 in the wildcard mask, use the 0 in the subnet mask or if you have 0 in the wildcard mask, use the 1 in the subnet mask.
The following image shows some examples.
The following table lists some more examples.
Wildcard mask | Subnet mask |
00000000.11111111.11111111.11111111 | 11111111.00000000.00000000.00000000 |
00000000.00000000.11111111.11111111 | 11111111.11111111.00000000.00000000 |
00000000.00000000.00000000.11111111 | 11111111.11111111.11111111.00000000 |
To calculate the subnet mask in decimal, subtract each byte of the wildcard mask from 255. For example, if you have 239 in a byte of the wildcard mask, use 255 -239 = 16 in the byte of the subnet mask.
The following table lists some examples.
Subtract value | Wildcard mask | Subnet mask |
255.255.255.255 | 0.15.255.255 | 255.240.0.0 |
255.255.255.255 | 0.0.239.255 | 255.255.16.0 |
255.255.255.255 | 0.0.0.127 | 255.255.255.128 |
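The two conversions above (subnet mask to wildcard mask, and wildcard mask back to subnet mask) are the same operation: invert every bit, which in decimal is subtracting each byte from 255. The following Python is an added example, not code from this tutorial; it implements both directions, converts a prefix length directly, checks whether a wildcard mask is contiguous (and therefore corresponds to a real subnet mask), decodes an address/wildcard pair into the range it matches, and, for the 50-of-75 scenario in the introduction, computes how many aligned blocks, and so how many ACL entries, an arbitrary address range actually needs. All addresses in it are constructed for the example.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 255.255.255.255 as an integer


def ip_to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(value):
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def subnet_to_wildcard(subnet_mask):
    # Invert every bit: the same as 255.255.255.255 minus the mask, byte by byte.
    return int_to_ip(ip_to_int(subnet_mask) ^ ALL_ONES)


def wildcard_to_subnet(wildcard):
    # The inverse is the same inversion.
    return int_to_ip(ip_to_int(wildcard) ^ ALL_ONES)


def prefix_to_wildcard(prefix_len):
    # /n means n leading 1 bits in the subnet mask; invert to get the wildcard.
    subnet = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return int_to_ip(subnet ^ ALL_ONES)


def is_contiguous_wildcard(wildcard):
    # A wildcard that mirrors a subnet mask is zeros followed by ones (0...01...1),
    # which is exactly the integers w for which w & (w + 1) == 0.
    w = ip_to_int(wildcard)
    return (w & (w + 1)) == 0


def entry_range(address, wildcard):
    """Return (first, last) address covered by an address/wildcard pair.

    Only meaningful for a contiguous wildcard; a non-contiguous one matches a
    scattered bit pattern rather than one range, so it is rejected.
    """
    if not is_contiguous_wildcard(wildcard):
        raise ValueError("non-contiguous wildcard does not describe a single range")
    a, w = ip_to_int(address), ip_to_int(wildcard)
    base = a & ~w & ALL_ONES          # clear the ignored bits
    return int_to_ip(base), int_to_ip(base | w)  # set them all for the last address


def range_to_entries(first, last):
    """Fewest address/wildcard pairs that exactly cover first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
    return [(str(n.network_address), subnet_to_wildcard(str(n.netmask))) for n in nets]


if __name__ == "__main__":
    print(subnet_to_wildcard("255.0.0.0"), wildcard_to_subnet("0.0.239.255"))
    print(entry_range("192.168.1.77", "0.0.0.127"))
    # Constructed range of 50 addresses: it needs several entries, not one.
    for addr, wc in range_to_entries("10.0.0.10", "10.0.0.59"):
        print("permit", addr, wc)
```

The last function is the honest version of the introduction's claim: a run of 50 consecutive addresses that does not start on a power-of-two boundary cannot be matched by a single wildcard mask, but the router needs only a handful of aligned blocks rather than 50 host entries.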
Special wildcard masks
There are two special wildcard masks: 0.0.0.0 and 255.255.255.255. A wildcard mask of 0.0.0.0 instructs the router to match all 32 bits of the address. This mask is called a host mask and is used to match a single host. For example, if you want to allow or deny one specific host on a segment, you use this mask with that host's IP address. Cisco IOS also accepts the keyword host as shorthand for it, so host 10.0.0.1 means the same as 10.0.0.1 0.0.0.0.
The following statement shows how this wildcard mask is used.
deny 10.0.0.1 0.0.0.0
The above statement denies only packets whose source address is 10.0.0.1; a standard ACL filters on the source address alone.
A wildcard mask of 255.255.255.255 instructs the router to ignore all 32 bits of the address, so the statement matches every packet. Because no bit is compared, the IP address you enter with this mask does not matter.
Technically, you can pair this wildcard mask with any IP address, but by convention it is written with 0.0.0.0. Administrators use the following address and wildcard mask to match all incoming or outgoing packets, and Cisco IOS accepts the keyword any as shorthand for the pair.
0.0.0.0 255.255.255.255
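To see how the router actually applies a wildcard mask when it evaluates a standard ACL, the following Python is an added example (not code from this tutorial). It implements the comparison rule from this page: a bit of the packet's source address must equal the statement's address wherever the wildcard bit is 0 and is ignored wherever it is 1; statements are tried in order, the first match decides, and an implicit deny catches anything that matched nothing. It also shows why the two special masks behave as described, what the host and any shorthands expand to, and how a non-contiguous wildcard matches a bit pattern rather than a range. The ACL and packet addresses are constructed for the example.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def matches(packet_src, acl_addr, wildcard):
    """Cisco-style comparison: bits that are 0 in the wildcard must be equal."""
    care = ~to_int(wildcard) & ALL_ONES            # 1 where the wildcard says "match"
    return (to_int(packet_src) ^ to_int(acl_addr)) & care == 0


def normalize(acl_addr, wildcard):
    """Clear the ignored bits of the statement address (IOS stores entries this way)."""
    return to_dotted(to_int(acl_addr) & ~to_int(wildcard))


def parse_entry(line):
    """Parse '<permit|deny> <addr> <wildcard>', '... host <addr>' or '... any'."""
    parts = line.split()
    action = parts[0]
    if parts[1] == "any":                 # shorthand for 0.0.0.0 255.255.255.255
        addr, wc = "0.0.0.0", "255.255.255.255"
    elif parts[1] == "host":              # shorthand for <addr> 0.0.0.0
        addr, wc = parts[2], "0.0.0.0"
    elif len(parts) == 2:                 # a bare address in a standard ACL is a host entry
        addr, wc = parts[1], "0.0.0.0"
    else:
        addr, wc = parts[1], parts[2]
    return action, addr, wc


def evaluate(acl_lines, packet_src):
    """Walk the ACL top down; first match wins; implicit deny at the end."""
    for line in acl_lines:
        action, addr, wc = parse_entry(line)
        if matches(packet_src, addr, wc):
            return action, line
    return "deny", "(implicit deny)"


# Constructed standard ACL for the example.
ACL = [
    "deny 10.0.0.1 0.0.0.0",          # the host entry from this page
    "permit 10.0.1.0 0.0.254.255",    # non-contiguous: every /24 with an odd third octet
    "permit 10.0.0.0 0.255.255.255",  # the whole 10.0.0.0/8 subnet
    "deny any",                       # explicit catch-all, same as 0.0.0.0 255.255.255.255
]

if __name__ == "__main__":
    for src in ("10.0.0.1", "10.0.3.9", "10.0.2.9", "192.0.2.7"):
        print(src, "->", evaluate(ACL, src))
    print(normalize("10.0.0.5", "0.0.0.255"))   # the ignored host byte is cleared
```

The second ACL line is the kind of entry the subnet-mask analogy cannot express: 0.0.254.255 compares only the lowest bit of the third octet, so 10.0.3.9 hits it while 10.0.2.9 falls through to the /8 entry. When reading an unfamiliar ACL, check each wildcard for contiguity before translating it into a subnet, or you will misjudge what it matches.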
That's all for this tutorial. In the next tutorial, we will discuss the general rules and guidelines for ACL configuration.