Wildcard mask – What’s the difference from subnet mask?

What is Wildcard Masking?

Wildcard mask is like any other computer IP address basically a group od zeroes and ones (o and 1). To be short, in wildcard mask all number one (1) mean “I don’t care about that position”, and all zeroes (0) mean “I care about that position in binary address”. Let’s take an example where Access list with wildcardmask will be able to deny fourth subnet and alow next four and so on for all /24 subnets of supernetwork.

In the access-list we put an network;

We know that 255 means 1111 1111 in binary.
We know that 251 means 1111 1011 in binary.

In the line we could change to any other kind of because in this situation our ACL will not care about the bits in the first, second and last octet. We could write it will fit in our example.

One more thing to make myself more clear. If we use deny in ACL, this ACL will not filter only network, but every network in the whole 32bit range from to in which third octet has an zero (0) in 6th position. To filter only those subnets that are part of supernet we would need to use deny because in that way we will say that we care about first and second octet of the address.


  • We will now convert the thirt octet to binary: As third octet is zero (0) in binary is also  0 = 0000 0000
  • With the 251 in the wildcard mask, we only care about the 6th bit in of the third octet because 251 is “1111 1011
  • That means, if the third octet is in the form of xxxx xOxx then it will match my access-list only where 6th bit is equal to zero (0).
  • Now let’s write the third octet of some first 20 subnets in binary form:

01 = 0000.0001
02 = 0000.0010
03 = 0000.0011
04 = 0000.0100
05 = 0000.0101
06 = 0000.0110
07 = 0000.0111
08 = 0000.1000
09 = 0000.1001
10 = 0000.1010
11 = 0000.1011
12 = 0000.1100
13 = 0000.1101
14 = 0000.1110
15 = 0000.1111
16 = 0001.0000
17 = 0001.0001
18 = 0001.0010
19 = 0001.0011
20 = 0001.0100

We will put this Access list to some interface:

access-list 10 deny 
access-list 10 permit any

In this example you see that my access list will alow the traffic from,, and network and it will deny the traffic sourced from,, and network because the ACL it will match it by 6th bit of third octet. Of course it will alow all /24 subnets from examble that are in green color from  01 to 255.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: