
Wildcard Mask

Before we can start to explain how routing protocols work, we need an understanding of wildcard masks.


The concept of the wildcard mask is one that many people struggle with at first, but with a little time and practice it becomes second nature.

Converting a full class subnet mask into a wildcard mask is quite straightforward, but converting a subnetted address is a little more complicated.


So firstly let’s look at what the wildcard mask is, and then we can look at what uses this value.

A wildcard mask is a subnet mask inverted. In other words, wherever there is a ‘1’ in the subnet mask, it will become a ‘0’ in the wildcard. Similarly, where there is a ‘0’ in the subnet mask, it will become a ‘1’ in the wildcard.


Example: if I converted the subnet mask (11111111.11111111.11111111.00000000), the wildcard would be (00000000.00000000.00000000.11111111).


The wildcard mask informs the router which bits of the IP address or Subnet it cares about and which bits it doesn’t.  ‘0’ = Care, and ‘1’ = Don’t Care.


To get a better understanding, we need to know what uses wildcard masks.

1 – Routing protocols such as OSPF and EIGRP

2 – Access Control Lists (ACLs)


The router uses the wildcard mask for matching interfaces or traffic.

In routing protocols we are telling the router which interfaces are going to participate in the routing, and with ACLs we are telling the router how to match the traffic we wish to allow or deny.


So if I had “” I am specifying that I care about the first 3 octets, but not the last one. This means any value from – would be included. Similarly, if I had – I care about all 4 octets and this would result in an exact match of the address On the other side of the scale, if I had – I only care about the first octet which would be any address from –


Subnetted addresses are a little trickier, as we care about certain bits in the octet and don’t care about other bits. Let’s look at a value of Firstly let’s do the obvious – I care about the first 2 octets, and I don’t care about the 4th octet. However, I need to dissect the 3rd octet a little to see what I do or don’t care about.


In the below table we can see what ’15’ looks like in binary (our wildcard value in the 3rd octet) and we can see ’32’ in binary (our network value in the 3rd octet).



Based on our rule that 0 = care and 1 = don’t care, I care about the first 4 bits in the 3rd octet and I don’t care about the last 4 bits.

Therefore as long as the value in the 3rd octet has the first 4 bits of ‘0010’ we don’t care what the last 4 bits are to have a match.

As a range of addresses, this means we are looking for a match of an address of anything between –


In the below diagram we can see each value from 32 – 47. You will notice the first 4 bits do not change, so they still match. The last 4 bits do change, but since we “don’t care” about them, they are allowed to change and will still constitute a match.
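
The care / don’t care rule described above, as an added Python example that is not part of the original post. The octet values 32 and 15 are the ones from the text; the 10.1.x.x addresses and the 0.0.0.254 wildcard are constructed for illustration, and that last case goes beyond the text to show a non-contiguous wildcard, which matches a set of addresses rather than one range.

```python
import ipaddress

def to_int(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return str(ipaddress.IPv4Address(value))

def wildcard_from_subnet_mask(mask: str) -> str:
    """Invert every bit of the subnet mask: 1 -> 0 (care), 0 -> 1 (don't care)."""
    return to_dotted(to_int(mask) ^ 0xFFFFFFFF)

def matches(address: str, base: str, wildcard: str) -> bool:
    """True when address equals base on every bit where the wildcard is 0."""
    care = to_int(wildcard) ^ 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)

def matching_octet_values(base: int, wildcard: int) -> list[int]:
    """Every value 0-255 of a single octet that matches base under wildcard."""
    care = ~wildcard & 0xFF
    return [v for v in range(256) if (v & care) == (base & care)]

def contiguous_range(base: str, wildcard: str) -> tuple[str, str]:
    """First and last matching address, for a wildcard whose 1 bits are all
    at the right-hand end. Any other wildcard does not describe one range."""
    w = to_int(wildcard)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard: matches are not one range")
    low = to_int(base) & (w ^ 0xFFFFFFFF)
    return to_dotted(low), to_dotted(low | w)

if __name__ == "__main__":
    # Full-octet case from the text: invert the subnet mask bit by bit.
    print(wildcard_from_subnet_mask("255.255.255.0"))
    # 3rd-octet case from the text: network value 32, wildcard value 15.
    print(matching_octet_values(32, 15))
    # Constructed ACL-style entry using those 3rd-octet values.
    print(contiguous_range("10.1.32.0", "0.0.15.255"))
    print(matches("10.1.47.200", "10.1.32.0", "0.0.15.255"))
    print(matches("10.1.48.1", "10.1.32.0", "0.0.15.255"))
    # Constructed non-contiguous wildcard: only the lowest bit is checked,
    # so every odd host address in 10.1.1.0 - 10.1.1.255 matches.
    print(matches("10.1.1.3", "10.1.1.1", "0.0.0.254"))
    print(matches("10.1.1.2", "10.1.1.1", "0.0.0.254"))
```

Running an ACL entry through `matches` before deploying it shows exactly which addresses a permit or deny line covers.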


2 thoughts on “Wildcard Mask”

    1. Invalid syntax.
      IP and wild card all need to be 4 oct in length.

      I’ll assume you meant

      If that’s the case, it means you don’t care if the 1st and 3rd bits (read from right to left) are the same or different as the bit values used to represent 4 (00000100).

      5 which is (00000101) indicates that bit value “4” and bit value “1” we don’t care about so they could be anything, but the other bits must all match the same values used in the value for 4 above.

      So the values that match would be
