Wildcard Mask Explained: How Routers Really Match Addresses
Published April 17, 2026
Learn what wildcard masks are, how they relate to subnet masks, and why Cisco routers use them in ACLs and OSPF. Binary inversion explained step by step.
If you have ever typed an access list on a Cisco router, you have seen a wildcard mask. It looks like a subnet mask, but the logic is flipped. Where a subnet mask uses 1 bits to mark the network portion, a wildcard mask uses 0 bits to say “this bit must match exactly” and 1 bits to say “I don’t care about this bit.”
That naming is not arbitrary. Think of it like a wildcard character in a search: * means “anything goes here.” A 1 bit in a wildcard mask means the same thing for that bit position. A 0 bit means “this has to be an exact match.”
The relationship to subnet masks
A wildcard mask is the bitwise inverse of a subnet mask. If you know one, you can derive the other by flipping every bit.
Take a /24 subnet mask: 255.255.255.0. In binary that is 24 ones followed by 8 zeros. Flip every bit and you get 24 zeros followed by 8 ones: 0.0.0.255. That is the wildcard mask.
Here is the quick math shortcut: for each octet, subtract the subnet mask value from 255.
255.255.255.0 → subnet mask
─────────────────────────────────
octet 1: 255 − 255 = 0
octet 2: 255 − 255 = 0
octet 3: 255 − 255 = 0
octet 4: 255 − 0 = 255
─────────────────────────────────
0.0.0.255 → wildcard mask
See it in binary
Binary is where this actually clicks. Let’s take 255.255.255.224 (a /27 mask) and invert it:
Subnet mask in binary: 11111111.11111111.11111111.11100000
Wildcard mask in binary: 00000000.00000000.00000000.00011111
Every position where the subnet mask has a 1, the wildcard mask has a 0. The wildcard mask 0 bits are the positions the router checks for an exact match. The 1 bits are the positions the router ignores.
So when a router evaluates the wildcard mask 0.0.0.31, it is checking the first 27 bits of the address exactly and ignoring the last 5 bits. That matches any address within that /27 block.
A few common conversions worth memorizing:
| Prefix | Subnet Mask | Wildcard Mask |
|---|---|---|
| /24 | 255.255.255.0 | 0.0.0.255 |
| /25 | 255.255.255.128 | 0.0.0.127 |
| /26 | 255.255.255.192 | 0.0.0.63 |
| /27 | 255.255.255.224 | 0.0.0.31 |
| /28 | 255.255.255.240 | 0.0.0.15 |
| /29 | 255.255.255.248 | 0.0.0.7 |
| /30 | 255.255.255.252 | 0.0.0.3 |
| /32 | 255.255.255.255 | 0.0.0.0 |
Notice the pattern: the wildcard mask value in the last octet is always one less than the block size. A /26 has 64 addresses per block, so the wildcard value is 63. A /28 has 16 addresses per block, so the wildcard value is 15.
Where wildcard masks show up
Access control lists (ACLs)
This is the most common context. Cisco IOS extended ACLs use wildcard masks to define which source and destination addresses a rule applies to.
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
This permits traffic from any host in 192.168.10.0/24. The wildcard 0.0.0.255 tells the router: match the first three octets exactly (192.168.10), ignore the last octet entirely.
A tighter match:
access-list 101 permit ip 10.0.1.0 0.0.0.31 host 172.16.5.10
This permits traffic from 10.0.1.0/27 (addresses .0 through .31) to a single host. The wildcard 0.0.0.31 covers 32 addresses.
OSPF network statements
OSPF uses wildcard masks in the network command to decide which interfaces participate in the routing process:
router ospf 1
network 10.0.0.0 0.0.255.255 area 0
This tells OSPF to activate on any interface whose IP falls within 10.0.0.0/16. The wildcard 0.0.255.255 means: match the first two octets, ignore the rest.
EIGRP network statements
Same idea as OSPF. EIGRP also uses wildcard masks:
router eigrp 100
network 172.16.0.0 0.0.3.255
This matches 172.16.0.0/22, covering 172.16.0.0 through 172.16.3.255.
Special wildcard values
Two wildcard masks come up constantly in ACL work:
- 0.0.0.0 — match this exact address, no bits ignored. The keyword host is shorthand for this. host 10.1.1.1 is the same as 10.1.1.1 0.0.0.0.
- 255.255.255.255 — ignore all bits, match any address. The keyword any is shorthand for this. any is the same as 0.0.0.0 255.255.255.255.
These two are worth committing to memory because you will see them in nearly every ACL.
The most common mistake
People confuse subnet masks and wildcard masks because they look similar. If you accidentally type a subnet mask where a wildcard mask belongs, you will get behavior that makes no sense. For example:
! WRONG — this is a subnet mask, not a wildcard
access-list 101 permit ip 192.168.1.0 255.255.255.0 any
A wildcard of 255.255.255.0 tells the router to ignore the first three octets and match only the last one. That is the opposite of what you intended. You would match addresses like 10.20.30.0, 172.16.99.0, basically any address ending in .0 regardless of the first three octets.
The correct version:
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
If the wildcard has large values in its leading octets (like 255.255.255.0), double-check that you did not accidentally write a subnet mask.
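A small audit for this mistake, as an added example that is not part of the original article: it flags any mask in an ACL line whose 1 bits are packed on the left, and shows what the mistyped rule really matches. The function names are hypothetical, the sample config is constructed from the lines above, and it assumes numbered ACL entries with protocol ip.

```python
import ipaddress
MASK32 = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def looks_like_subnet_mask(mask):
    """True when the 1 bits are packed on the left, e.g. 255.255.255.0."""
    m = to_int(mask)
    inv = ~m & MASK32  # a real netmask inverts to 0...01...1
    return m not in (0, MASK32) and (inv & (inv + 1)) == 0

def wildcard_match(addr, base, wildcard):
    """Compare only the bit positions where the wildcard holds a 0."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(addr) & care) == (to_int(base) & care)

def address_specs(tokens):
    """Yield (address, mask) for the source, then the destination."""
    i = 0
    for _ in range(2):
        if tokens[i:i + 1] == ["any"]:
            i += 1
        elif tokens[i:i + 1] == ["host"]:
            i += 2
        elif i + 1 < len(tokens):
            yield tokens[i], tokens[i + 1]
            i += 2

def audit(config):
    """Return (line number, address, mask) for each suspicious mask."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        t = line.split()
        if len(t) >= 5 and t[0] == "access-list" and t[3] == "ip":
            for addr, mask in address_specs(t[4:]):
                if looks_like_subnet_mask(mask):
                    findings.append((lineno, addr, mask))
    return findings

# Constructed sample built from the article's own ACL lines.
SAMPLE = """\
! WRONG: subnet mask typed where the wildcard belongs
access-list 101 permit ip 192.168.1.0 255.255.255.0 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.0.1.0 0.0.0.31 host 172.16.5.10
"""

if __name__ == "__main__": print(audit(SAMPLE))
```

Only the second line of the sample is reported; the any and host keywords are skipped because they carry no mask.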
Non-contiguous wildcard masks
Here is something subnet masks cannot do. Wildcard masks can technically be non-contiguous, meaning the 0 and 1 bits don’t have to be in a clean block. For example:
0.0.0.254
In binary: 00000000.00000000.00000000.11111110
This matches the first three octets exactly and, in the final octet, checks only the last bit (odd vs. even) while ignoring the other seven bits. You could use this to match only even addresses or only odd addresses in a block.
In practice, non-contiguous wildcard masks are rare and hard to troubleshoot. Most network engineers stick to contiguous masks that mirror standard subnets. But it is worth knowing the capability exists, because it sometimes appears in exam questions and in edge-case filtering scenarios.
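To see exactly what a non-contiguous mask covers before it goes into a filter, the following added example (not from the original article) lists every address a base/wildcard pair matches and reports whether the mask has a CIDR equivalent. The function names and the max_bits limit are hypothetical choices made for this illustration.

```python
import ipaddress

def wildcard_to_prefix(wildcard):
    """Return the CIDR prefix length, or None for a non-contiguous mask."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # contiguous wildcards have the form 0...01...1
        return None
    return 32 - w.bit_length()

def matched_addresses(base, wildcard, max_bits=16):
    """List every address that base + wildcard matches, in order.

    Walks all subsets of the don't-care bits, so non-contiguous masks
    work too. max_bits caps the output at 2**max_bits addresses.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if bin(w).count("1") > max_bits:
        raise ValueError("wildcard matches too many addresses to list")
    fixed = int(ipaddress.IPv4Address(base)) & ~w & 0xFFFFFFFF
    found, sub = [], w
    while True:
        found.append(fixed | sub)
        if sub == 0:
            break
        sub = (sub - 1) & w  # next smaller subset of the wildcard bits
    return [str(ipaddress.IPv4Address(a)) for a in sorted(found)]

if __name__ == "__main__":
    even = matched_addresses("192.168.1.0", "0.0.0.254")
    odd = matched_addresses("192.168.1.1", "0.0.0.254")
    print(len(even), even[:3], odd[:3])
    print(wildcard_to_prefix("0.0.0.31"), wildcard_to_prefix("0.0.0.254"))
```

The base address decides which half is selected: with 0.0.0.254, a base ending in .0 yields the 128 even addresses and a base ending in .1 yields the 128 odd ones.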
Quick mental conversion
When you see a wildcard mask and need to think in CIDR:
- Subtract each octet from 255 to get the subnet mask
- Count the leading 1 bits in the subnet mask to get the prefix
When you have a CIDR prefix and need the wildcard:
- Write the subnet mask
- Subtract each octet from 255
With practice, common ones become instant: /24 → 0.0.0.255, /30 → 0.0.0.3, /16 → 0.0.255.255. For the rest, the 255-minus trick takes a few seconds.
Final takeaway
A wildcard mask is just an inverted subnet mask. The 0 bits mean “check this,” the 1 bits mean “skip this.” Once that flipped logic clicks, ACL syntax and OSPF network statements stop being confusing. The hardest part is not the math. The hardest part is remembering which one to use where — and catching yourself when you accidentally type the wrong one.