Wildcard Bits explained

I understand how you got the result. In the example above this seems to only work on contiguous networks.

I think I have the idea. The point was reinforced after reading the link below where he mentions “You want to target a consecutive range of IP addresses” in usage example number 4.



Hi Donald,

You can do some funny things with wildcard masks, you can even match networks that are not contiguous. Something to keep in mind is that your first network has to be an even number. Example #1:

148 – 10010100
149 – 10010101

In this case the first 7 bits are the same so you can use wildcard 00000001

Example #2:

149 - 10010101
150 - 10010110

Only the first 6 bits are the same so the wildcard would be 00000011. The problem of this wildcard is that it will match 4 networks:

148 - 10010100
149 - 10010101
150 - 10010110
151 - 10010111

These 4 networks have the same first 6 bits.

Here you can read some more funky wildcard examples:


And if you want any more examples just let me know ok?


Hi Rene,

What is the benefit of using wildcard in access-lists? And why don’t we use subnet mask?
And in which cases or topics are we using wildcard mask?
I need to know the general interest of using wildcard mask.

Hi Hussein,

Back in the days, wildcard bits were faster to process than subnet masks. Here’s a long discussion about this:


On Cisco IOS we use wildcards for access-lists and also for OSPF network commands. On other devices like the Cisco ASA we use subnet masks for access-lists.


Just to add to Rene’s comments above, the other reason to choose wildcard mask over subnet mask is that subnet masks have a contiguous number of bits for the network portion and host portions. For example a subnet mask of is 11111111.11111111.11111111.00000000. You can never have a subnet mask of 11110111.00111111.11110111.00000000, however this is not the case with wildcard masks. With a wildcard mask we can turn bits on and off where we want to, and therefore have a great deal of flexibility over what we want to match. You can get really creative with wildcard masks, for example you can, if you want to, permit only even or odd numbered hosts from a given network. So if you have a statement like access-list 101 permit ip any , this will only allow hosts with even numbered IP addresses.

Here are some examples of what you can do with wildcards btw:


In one of Todd Lammle’s books I learned two easy methods to calculate the wildcard.

  1. 255 - subnetmask = wildcard.
    For example, netmask The wildcard will be (255-255=)0.(255-255=)0.(255-255=)0.(255-128=)127.

  2. ip-addresses-in-subnet - 1
    For example, the This netmask has 64 IP addresses per subnet, the wildcard will be 0.0.0.(64-1=)63

With the recommended cheat sheet from the introduction of this course, calculating wildcard masks becomes really easy :).

Hi Wilfried,

Those are two good tricks yes. Make sure you practice enough with different access-list statements and you’ll be an expert in no time :)


Just to make sure I am understanding the access list wildcard, is my statement below correct:
for the statement permit tcp it means permit the range from to is that correct?
My question is, is the wildcard used in access list to make the process faster for the router or to get the inverse and permitted in my example?

Thanks in advance.

Hello Wisam,

Wildcard is the same as subnet mask

It matches the range from to (that’s 64 addresses).

One thing you can do with wildcard bits that you can’t do with subnet masks is matching on any bit you want. For example:

Historically, it might have something to do with how the router/pc processes access-lists and the speed of operation but I’m not sure about that :)


Just some minor, constructive criticism: it would help if you explain wildcard bits as a concept, what they do. This lesson mainly explains how to get the bits.

For my own understanding, by providing a wildcard, the router knows what bits to use when it is checking whether the statements in an ACL apply, am I right? So with a wildcard of, the router will only examine that part of the IP address where there are 0s in the wildcard?

Hi Marit,

Sounds like a good idea. I’ll add it to my list.

We use a wildcard in ACL statements to tell the router what to match, and what to ignore:

  • Binary 0 means it has to match.
  • Binary 1 means we ignore it.

For example, let’s say you specify with wildcard This means “192.168.1” has to match, and we don’t care about the last octet. This means everything between - is a match.

Does this help?



Yes, thank you Rene! :)


Hi Guys - simple couple of questions…

Are there any other instances we use subnet masks (rather than wildcard) other than BGP network statements and when summarising routes in BGP or an IGP?

And why do we use subnet masks with BGP network statements but wildcard masks with OSPF/EIGRP?



** and when configuring an IP address on an interface!!! **

Hello Gareth

Both the subnet mask and the wildcard mask essentially do the same thing. They are used to define the network portion and the host portion of a particular address. This is useful when defining the IP address of an interface, the range of addresses included in a particular subnet, the range of addresses participating in a routing protocol, as well as the range of addresses that are to be filtered using an access list. For IPv4, subnet and wildcard masks are used for many operations.

When using the subnet mask, it is always ANDed with the address in question to determine the associated range. When using a wildcard mask, it is NANDed. The results are exactly the same.

So why do we sometimes use one and sometimes the other? It all has to do with convention. Way back in 1985, when access lists were first used for IPv4 addresses, they were implemented using assembler language. It turns out that it was much easier to code a NAND operation than an AND operation. So the wildcard mask was used to define access lists.

For various other operations where these functions were necessary, they were either implemented in a more “user friendly” (subnet mask) manner or in a more “code friendly” (wildcard mask) manner depending on the vendor, the coder, and the CPU resources available.

Over the years, it turns out that the wildcard mask was used more for some features, while the subnet mask was used more for others. For configuring hosts, the subnet mask prevailed, because user friendliness was paramount. For configuring network devices, the winner was not so clear cut, so we use both for different features.

Today we don’t have such coding restrictions, so technically, both can be used as an implementation method. Even so, some features, such as the network command for various routing protocols will accept both wildcard and subnet masks. Some features, such as IP address configuration on an interface will only use subnet masks. Others still will use only wildcard masks. What is used today is largely due to the choices that vendors have made, and their attempt to make the CLI environments as familiar as possible for the professionals using them.

I hope this has been helpful!


What is wildcard mask to block this block IP add -
Can I assign the wildcard mask

Hello Ravendrans

The short answer is, to include the whole range of - you would need a wildcard mask of

The long answer is, that you would have to first convert the last octet of the range to binary. So you have:

  • .4 = 00000100
  • .5 = 00000101
  • .6 = 00000110
  • .7 = 00000111
  • .8 = 00001000

Out of the eight bits, only the first four are all the same. The last four are all different for all values. So you need to make the last four bits ones like so:


This number in decimal is 15.

So the wildcard mask should be Keep in mind however that this will also include additional addresses in the range. Specifically, it includes all addresses where the last octet is between 00000000 and 00001111 which is and

Take a look at this lesson for more information on how to create more complex wildcard masks.

I hope this has been helpful!
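
The over-matching described in Example #2 earlier in the thread (149 and 150 also pulling in 148 and 151) and in the .4 to .8 answer above can be checked before an ACL entry is deployed. The following is an added example, not code from any poster in this thread; the 192.168.1.x addresses are constructed sample values and the function names are hypothetical.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _to_str(value):
    return str(ipaddress.IPv4Address(value))

def acl_match(addr, base, wildcard):
    """True if addr matches base: wildcard 0 bits must match, 1 bits are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) ^ _to_int(base)) & care == 0

def covering_wildcard(addrs):
    """Tightest single base/wildcard pair that matches every address in addrs."""
    values = [_to_int(a) for a in addrs]
    wildcard = 0
    for v in values:
        wildcard |= v ^ values[0]          # any bit that differs must be ignored
    base = values[0] & ~wildcard & 0xFFFFFFFF
    return _to_str(base), _to_str(wildcard)

def matched_addresses(base, wildcard, limit=4096):
    """Every address one entry matches, including non-contiguous wildcards."""
    w = _to_int(wildcard)
    b = _to_int(base) & ~w & 0xFFFFFFFF
    if 2 ** bin(w).count("1") > limit:
        raise ValueError("wildcard matches too many addresses to list")
    out, sub = [], w
    while True:                            # walk every subset of the wildcard bits
        out.append(b | sub)
        if sub == 0:
            break
        sub = (sub - 1) & w
    return [_to_str(v) for v in sorted(out)]

def over_match(addrs):
    """Return (base, wildcard, extra): extra = addresses matched but not asked for."""
    base, wildcard = covering_wildcard(addrs)
    wanted = {_to_str(_to_int(a)) for a in addrs}
    extra = [a for a in matched_addresses(base, wildcard) if a not in wanted]
    return base, wildcard, extra

if __name__ == "__main__":
    # Constructed sample inputs (the 192.168.1.x prefix is an assumption).
    print(over_match(["192.168.1.149", "192.168.1.150"]))
    print(over_match([f"192.168.1.{n}" for n in range(4, 9)]))
    print(acl_match("192.168.1.10", "192.168.1.0", "0.0.0.254"))  # even host
```

A non-empty `extra` list means the single entry permits or denies more hosts than intended, so the range should be split across several entries instead.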


To calculate wildcard mask do I have to always write in binary? Is there any other way?