Wildcard Masks in Networking Explained

Wildcard Masks Explained

A wildcard mask is the bitwise inverse of a subnet mask. While subnet masks use 1s for the network portion, wildcard masks use 0s for bits that must match and 1s for bits that can be anything ("don't care" bits).

Subnet Mask vs. Wildcard Mask

Subnet Mask	Wildcard Mask	CIDR
255.0.0.0	0.255.255.255	/8
255.255.0.0	0.0.255.255	/16
255.255.255.0	0.0.0.255	/24
255.255.255.128	0.0.0.127	/25
255.255.255.192	0.0.0.63	/26
255.255.255.252	0.0.0.3	/30

Quick Conversion

To convert a subnet mask to a wildcard mask, subtract each octet from 255:

Subnet Mask:  255.255.255.192
Wildcard:     0  .0  .0  .63    (255-255=0, 255-255=0, 255-255=0, 255-192=63)

Where Wildcard Masks Are Used

1. Cisco ACLs (Access Control Lists):

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

This matches any source address from 192.168.1.0 to 192.168.1.255.

2. OSPF Network Statements:

router ospf 1
  network 10.0.0.0 0.255.255.255 area 0

This tells OSPF to enable on all interfaces in the 10.0.0.0/8 range.

3. Advanced Matching:

Wildcard masks can match non-contiguous patterns, something subnet masks cannot do. For example, 0.0.0.254 matches all even-numbered addresses (checking only the last bit).

Common Wildcard Masks

• 0.0.0.0 — match a single host (equivalent to /32)
• 0.0.0.255 — match a /24 network
• 0.0.255.255 — match a /16 network
• 255.255.255.255 — match any address (equivalent to /0)

Why Not Just Use CIDR?

Some network operating systems (particularly older Cisco IOS) require wildcard masks in certain contexts. Understanding them is essential for configuring ACLs, OSPF, and EIGRP on Cisco equipment and similar platforms.