Wildcard Masks – Complete Guide for ACLs & Routing Protocols

1. What Is a Wildcard Mask?

A wildcard mask is a 32-bit number used in Cisco IOS to tell the router which bits of an IP address it must check and which bits it can ignore. The rules are the opposite of a subnet mask:

• 0 bit — the corresponding IP address bit must match exactly
• 1 bit — the corresponding IP address bit is ignored (wildcard — any value is acceptable)

Wildcard masks are used in two main places on Cisco devices:

• Access Control Lists (ACLs) — to define which source or destination addresses a permit or deny rule applies to
• Routing protocol network statements — in OSPF and EIGRP to tell the router which interfaces to include in the routing process

Related pages: ACL Overview | Applying ACLs | Standard & Extended ACLs | Named ACLs | OSPF Overview | OSPF Single-Area Config | EIGRP Overview | EIGRP Config | Subnetting | Subnet Calculation | IP Addressing | show running-config

2. Wildcard Mask vs. Subnet Mask

Both are 32-bit numbers written in dotted-decimal, but they have opposite bit semantics. This is the single most common source of confusion on the CCNA exam:

Memory tip: In a subnet mask, 1s mark what you keep (the network). In a wildcard mask, 1s mark what you skip (the “don’t care” bits). They are perfect inverses of each other.

3. How Wildcard Masks Work – Bit-Level Example

The router applies the wildcard mask against each incoming IP address bit by bit. For every bit position where the mask is 0, the IP address bit must equal the reference IP bit. For every bit position where the mask is 1, the IP address bit is not checked.

  Reference IP:   192.168.10. 0
  Wildcard mask:    0.  0. 0.255
  Binary mask:  00000000.00000000.00000000.11111111
                |<——— must match ———>|<— any value —>|

  Result: Matches any IP where the first three octets are 192.168.10
          i.e., 192.168.10.0 through 192.168.10.255 (the entire /24 subnet)
            

  Reference IP:   10.1.1.10
  Wildcard mask:   0.0.0. 0
  Binary mask:  00000000.00000000.00000000.00000000
                |<——————— all bits must match ———————>|

  Result: Matches only 10.1.1.10 (single host match)
            

4. Calculating Wildcard Masks from Subnet Masks

Formula: Wildcard Mask = 255.255.255.255 − Subnet Mask
Subtract each octet of the subnet mask from 255. See Subnet Calculation.

5. Common Wildcard Mask Reference

Two important IOS shortcuts: host <IP> is equivalent to <IP> 0.0.0.0; any is equivalent to 0.0.0.0 255.255.255.255. Both are accepted interchangeably in ACL and OSPF statements.

6. Non-Contiguous Wildcard Masks

Unlike subnet masks (which must have all 1s on the left and all 0s on the right), wildcard masks can have 1s and 0s in any order. This enables matching patterns that are impossible with a simple subnet:

Non-contiguous wildcards are rarely needed in simple network designs but appear on the CCNA exam and in advanced ACL scenarios where you need to match multiple non-adjacent ranges with a single rule.

7. Wildcard Masks in Access Control Lists

ACLs use wildcard masks to define the range of IP addresses a rule matches. The mask follows the source IP in a standard ACL and both source and destination IPs in an extended ACL.

Standard ACL Examples — See Standard & Extended ACLs

! Permit all hosts in 192.168.1.0/24
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255

! Permit only the single host 192.168.5.10
Router(config)# access-list 10 permit 192.168.5.10 0.0.0.0
! Equivalent using the 'host' keyword:
Router(config)# access-list 10 permit host 192.168.5.10

! Deny all traffic from 172.16.0.0/16
Router(config)# access-list 10 deny 172.16.0.0 0.0.255.255

! Permit all remaining traffic (equivalent to 'permit any')
Router(config)# access-list 10 permit 0.0.0.0 255.255.255.255
Router(config)# access-list 10 permit any    ! same result
            

Extended ACL Example — See Extended ACL guide

! Permit TCP from 192.168.1.0/24 to 10.0.0.0/8 on port 443 (HTTPS)
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 443

! Deny ICMP from any source to a specific host 10.1.1.1
Router(config)# access-list 100 deny icmp any host 10.1.1.1
            

Named ACL Example — See Named ACLs

Router(config)# ip access-list standard PERMIT-MGMT
Router(config-std-nacl)# permit 10.10.10.0 0.0.0.255
Router(config-std-nacl)# deny any
            

8. Wildcard Masks in Routing Protocols

OSPF and EIGRP both use wildcard masks in their network statements to select which locally configured interfaces the routing process will activate on and advertise.

OSPF

! Include all interfaces in the 10.10.10.0/24 range in OSPF area 0
Router(config)# router ospf 1
Router(config-router)# network 10.10.10.0 0.0.0.255 area 0

! Include only the single interface 192.168.1.1 in OSPF area 1
Router(config-router)# network 192.168.1.1 0.0.0.0 area 1

! Include ALL interfaces (use with care in production)
Router(config-router)# network 0.0.0.0 255.255.255.255 area 0
            

See Applying ACLs for interface application (ip access-group). When OSPF evaluates a network statement, it compares each of the router’s interface IP addresses against the reference IP using the wildcard mask. If the bits required to match (mask bits = 0) all agree, that interface is included in OSPF.

EIGRP

! Include all interfaces in 192.168.0.0 – 192.168.255.255 (/16 range)
Router(config)# router eigrp 100
Router(config-router)# network 192.168.0.0 0.0.255.255

! Include only the exact interface 10.1.1.1
Router(config-router)# network 10.1.1.1 0.0.0.0
            

9. Verification Commands

! View all configured ACLs and their match counters
Router# show access-lists

! View a specific ACL
Router# show access-lists 10

! Check which OSPF network statements are configured
Router# show running-config | section router ospf

! Check all network statements across routing protocols
Router# show running-config | include network

! Check which interfaces OSPF is active on (confirms wildcard matching worked)
Router# show ip ospf interface brief

! Verify EIGRP interfaces
Router# show ip eigrp interfaces

! Confirm ACL is applied to the correct interface and direction
Router# show ip interface GigabitEthernet0/0 | include access list
            

10. Common Mistakes and Troubleshooting

11. Best Practices

• Always calculate the wildcard by subtracting the subnet mask from 255.255.255.255 — never guess
• Use the host keyword instead of 0.0.0.0 for single-host matches; use any instead of 0.0.0.0 255.255.255.255 for readability
• Add remarks to ACLs to document what each wildcard range is intended to match: ip access-list extended FILTER — remark Permit branch VLAN 10 hosts
• After any subnetting change, review and recalculate all wildcard masks used in ACLs and routing protocol statements
• Use show access-lists to verify match counters: a counter stuck at zero means the rule is never being matched — likely a wildcard error
• Avoid overlapping rules in ACLs; overlapping wildcards can cause rules to shadow each other unintentionally
• Prefer named ACLs over numbered ones; they are easier to document and can be edited in-place without deleting and re-creating the entire list

12. Summary Reference Table

13. Key Points & CCNA Exam Tips

• Wildcard mask: 0 = must match, 1 = ignore — this is the opposite of a subnet mask (where 1 = network, 0 = host)
• Wildcard mask = 255.255.255.255 − subnet mask (subtract each octet individually)
• Single-host wildcard = 0.0.0.0 (all bits must match); keyword shortcut: host <IP>
• Any-host wildcard = 255.255.255.255 (no bits are checked); keyword shortcut: any
• Common /24 wildcard = 0.0.0.255; /16 wildcard = 0.0.255.255; /8 wildcard = 0.255.255.255
• Wildcard masks are used in ACL source/destination matching and in OSPF/EIGRP network statements to select which interfaces join the routing process
• Unlike subnet masks, wildcard masks can be non-contiguous — bits can alternate in any order, enabling matching of patterns like "all even hosts"
• The most common CCNA exam error is confusing wildcard and subnet masks — always double-check which one the question is asking about
• Use show access-lists to verify ACL match counters; zero matches usually indicates a wildcard error
• Use show ip ospf interface brief to confirm OSPF network statements with wildcard masks are activating on the correct interfaces

Wildcard Masks Quiz

Related Topics & Step-by-Step Tutorials

Continue your studies with these closely related pages:

• ACL Overview — how ACLs use wildcard masks to permit or deny traffic
• Standard & Extended ACLs — full ACL configuration with wildcard examples
• Named ACLs — preferred format; easier to read and edit
• Applying ACLs — ip access-group on interfaces and VTY lines
• Standard ACL Configuration (Step-by-Step)
• Extended ACL Configuration (Step-by-Step)
• OSPF Overview — wildcard masks in network statements select OSPF interfaces
• OSPF Single-Area Configuration
• OSPF Single-Area (Step-by-Step)
• EIGRP Overview — wildcard masks in EIGRP network statements
• EIGRP Configuration
• EIGRP Configuration (Step-by-Step)
• Subnetting Basics — subnet masks are the basis for wildcard calculation
• Subnet Calculation — practise the 255.255.255.255 minus subnet mask formula
• IP Addressing — understanding address structure underpins wildcard usage
• DHCP Configuration — subnet masks (not wildcards) used in DHCP pool configuration
• show ip route — routing table uses subnet masks, not wildcards
• show ip interface brief — verify which interfaces are active before configuring network statements
• show running-config — view all configured ACL and routing protocol wildcard entries