Wildcard Mask

A wildcard mask is used to identify which parts of an IP address to check when applying ACL rules. The wildcard mask works with the IP address of packets that are being evaluated by the ACL, NOT with the IP address in the ACL statement.

The wildcard mask uses the following logic:

  • 0 bit = the corresponding address bit must match exactly
  • 1 bit = don't care (any value in that bit position is acceptable)

Here are some examples:

Example 1: Specific Host

access-list 10 permit 192.168.1.5 0.0.0.0

This ACL entry will match packets from exactly 192.168.1.5. The wildcard mask 0.0.0.0 means all bits must match exactly.

Example 2: Network Range

access-list 10 permit 192.168.1.0 0.0.0.255

This ACL entry will match any packet from the 192.168.1.0/24 network. The wildcard mask 0.0.0.255 means:

  • First three octets must match exactly (192.168.1)
  • Last octet can be anything (0-255)

Example 3: Any Host

access-list 10 permit 0.0.0.0 255.255.255.255

This ACL entry will match packets from any source IP address. The wildcard mask 255.255.255.255 means no bits need to match - any value is acceptable.

Note that this can also be written as:

access-list 10 permit any

Wildcard Mask vs Subnet Mask

Wildcard masks are the inverse of subnet masks:

  • Subnet mask 255.255.255.0 = Wildcard mask 0.0.0.255
  • Subnet mask 255.255.0.0 = Wildcard mask 0.0.255.255
  • Subnet mask 255.0.0.0 = Wildcard mask 0.255.255.255

To convert from subnet mask to wildcard mask, subtract the subnet mask from 255.255.255.255.
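The bit-level matching rule and the subnet-to-wildcard conversion above, as an added Python example (not part of the original page). It applies the rule to all three ACL entries shown, walks them top to bottom with first-match-wins and the implicit deny that ends a standard Cisco ACL (behaviour assumed here, not stated on the page), and goes one step beyond the page by showing that a non-contiguous wildcard such as 0.0.0.254 is also valid and selects only odd host addresses.

```python
import ipaddress


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """True if packet_ip matches acl_ip under the wildcard mask.

    A 0 bit in the wildcard means that bit must match exactly; a 1 bit
    means 'don't care'.  Inverting the wildcard gives the 'care' bits, and
    masking both addresses with it leaves only the bits that have to agree.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(packet_ip) & care) == (to_int(acl_ip) & care)


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def evaluate_acl(acl, packet_ip: str) -> str:
    """Return the action of the first entry that matches packet_ip.

    Entries are (action, address, wildcard) tuples checked top to bottom.
    Assumed standard ACL behaviour: no match means the packet is denied.
    """
    for action, acl_ip, wildcard in acl:
        if wildcard_match(packet_ip, acl_ip, wildcard):
            return action
    return "deny"  # implicit deny at the end of the list


# Constructed sample ACL: the page's three entries, with the network entry
# changed to deny so the ordering effect is visible.
ACL_10 = [
    ("permit", "192.168.1.5", "0.0.0.0"),          # Example 1: one host
    ("deny",   "192.168.1.0", "0.0.0.255"),        # Example 2: whole /24
    ("permit", "0.0.0.0",     "255.255.255.255"),  # Example 3: any host
]

if __name__ == "__main__":
    for ip in ("192.168.1.5", "192.168.1.9", "10.0.0.1"):
        print(ip, "->", evaluate_acl(ACL_10, ip))
    print("255.255.255.0 ->", subnet_to_wildcard("255.255.255.0"))
    # Non-contiguous wildcard: only the lowest bit must match, so 0.0.0.254
    # with address ...1 selects odd hosts.
    print("odd-host check:", wildcard_match("192.168.1.7", "192.168.1.1", "0.0.0.254"))
```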