Wildcard Mask Facts

The wildcard mask is used with access list statements to identify a range of IP addresses (such as all addresses on a specific network). When used to identify network addresses in access list statements, wildcard masks are the exact opposite of a subnet mask. To calculate the wildcard mask:

  1. Identify the decimal value of the subnet mask.
  2. Subtract each octet in the subnet mask from 255.

For example, suppose you wanted to allow all traffic on network 10.12.16.0/21. To find the wildcard mask:

  1. A mask that covers 21 bits converts to 255.255.248.0
  2. The wildcard mask would be:
    • First octet: 255 - 255 = 0
    • Second octet: 255 - 255 = 0
    • Third octet: 255 - 248 = 7
    • Fourth octet: 255 - 0 = 255

This gives you the mask of: 0.0.7.255

Like subnet masks, wildcard masks operate at the bit level. Any bit in the wildcard mask with a 0 value means that the bit must match to match the access list statement. A bit with a 1 value means that the bit does not have to match. For example, let's examine the subnet address, subnet mask, and wildcard mask in binary form for the preceding example.

Address Type

Decimal Values

Binary Values

 

Subnet address

10.12.16.0

00001010.00001100.00010000.00000000

  
 

Subnet mask

255.255.248.0

11111111.11111111.11111000.00000000

 

Wildcard mask

0.0.7.255

00000000.00000000.00000111.11111111

 

Notice how the bits in the wildcard mask are exactly opposite of the bits in the subnet mask. Suppose an access list were created with a statement as follows:

access-list 12 deny 10.12.16.0 0.0.7.255

Suppose that a packet addressed to 10.12.16.15 was received. The router uses the wildcard mask to compare the bits in the address to the bits in the subnet address.

Address Type

Decimal Values

Binary Values

 

Subnet address

10.12.16.0

00001010.00001100.00010000.00000000

  
 

Wildcard mask

0.0.7.255

00000000.00000000.00000111.11111111

 

Target address #1

10.12.16.15

00001010.00001100.00010000.00001111

 

How the router applies the mask to the address
m=match
i=ignored
x=doesn't match

 

mmmmmmmm.mmmmmmmm.mmmmmiii.iiiiiiii

 

In this example, all bits identified with a 0 in the wildcard mask must match between the address and the network address. Any bit identified with a 1 is ignored. In this example, 10.12.16.15 matches the access list statement and the traffic is denied.

Now suppose that a packet addressed to 10.13.17.15 was received. The router uses the wildcard mask to compare the bits in the address to the bits in the subnet address.

Address Type

Decimal Values

Binary Values

 

Subnet address

10.12.16.0

00001010.00001100.00010000.00000000

  
 

Wildcard mask

0.0.7.255

00000000.00000000.00000111.11111111

 

Target address #1

10.13.17.15

00001010.00001101.00010001.00001111

 

How the router applies the mask to the address

  • m=match
  • i=ignored
  • x=doesn't match 
mmmmmmmm.mmmmmmmx.mmmmmiii.iiiiiiii

 

Notice that this address does not match the access list statement as identified with the wildcard mask. In this case, traffic would be permitted.

Tip: If you use a table to help you identify subnet masks, be aware that the wildcard mask value is one less than the magic number, as shown in the following table:

Bits in the mask

/25

/26

/27

/28

/29

/30

/31

/32

Magic number

128

64

32

16

8

4

2

1

Decimal mask value

128

192

224

240

248

252

254

255

Wildcard mask value

127

63

31

15

7

3

1

0

 

 

Credit: Testout 640-802 CCNA Notes