What is a wildcard mask?
A wildcard mask is the bitwise inverse of a subnet mask. Where a subnet mask uses 1-bits to identify the network portion, a wildcard mask uses 0-bits to identify bits that must match, and 1-bits for bits that are ignored (don't-care).
The formula: wildcard = 255.255.255.255 − subnet mask.
| CIDR | Subnet mask | Wildcard mask |
|---|---|---|
| /24 | 255.255.255.0 | 0.0.0.255 |
| /25 | 255.255.255.128 | 0.0.0.127 |
| /26 | 255.255.255.192 | 0.0.0.63 |
| /27 | 255.255.255.224 | 0.0.0.31 |
| /28 | 255.255.255.240 | 0.0.0.15 |
| /30 | 255.255.255.252 | 0.0.0.3 |
Wildcard masks in Cisco ACLs
In access control lists, the wildcard mask follows the IP address to define the range of addresses matched by the entry:
    access-list 10 permit 10.10.10.0 0.0.0.255

This permits any address in 10.10.10.0/24. The wildcard 0.0.0.255 means: first three octets must match exactly (0 = must match), fourth octet is ignored (255 = any value).
Two shorthand keywords replace common wildcard patterns:
- host 192.168.1.5 is equivalent to 192.168.1.5 0.0.0.0 — match one specific address.
- any is equivalent to 0.0.0.0 255.255.255.255 — match all addresses.
Wildcard masks in OSPF
OSPF uses wildcard masks in the network command to determine which
interfaces participate in OSPF and which area they belong to:
    router ospf 1
     network 10.0.0.0 0.255.255.255 area 0

This enables OSPF on all interfaces with addresses in the 10.0.0.0/8 range and assigns them to area 0. A more specific statement using a /24 wildcard activates OSPF only on interfaces in a single /24 subnet.
Common mistake — using subnet mask instead of wildcard
Cisco IOS will accept a subnet mask as a wildcard argument without error, but the
result is the opposite of what you intend. The mask 255.255.255.0 as a
wildcard means: ignore the first three octets, match only addresses where the fourth
octet is exactly zero. This matches one address per /24, not the whole subnet.
Always double-check: wildcard masks tend to start with zeros (for the fixed portion) and end with values like 255, 127, 63, 31, 15, 7, 3, 1 (for the variable portion). Subnet masks do the opposite.
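The matching rule and the double-check above can be automated when reviewing configurations. The following Python sketch is an added example, not Cisco tooling: it applies the wildcard bit rule to an address, and flags entries whose mask has the shape of a subnet mask. The function names, the sample configuration, and the choice to inspect only access-list and network lines are assumptions made for the illustration.

```python
import ipaddress
import re

ALL_ONES = 0xFFFFFFFF
PAIR = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_prefix(prefix_len):
    """wildcard = 255.255.255.255 - subnet mask (the formula on this page)."""
    netmask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(ALL_ONES ^ netmask))

def acl_matches(candidate, address, wildcard):
    """Compare only the bits where the wildcard is 0 (must match)."""
    care = ALL_ONES ^ to_int(wildcard)
    return (to_int(candidate) & care) == (to_int(address) & care)

def looks_like_subnet_mask(mask):
    """True when the 1-bits are contiguous from the left, as in a subnet mask."""
    m = to_int(mask)
    if m in (0, ALL_ONES):  # 0.0.0.0 (host) and 255.255.255.255 (any) are valid wildcards
        return False
    inverted = ALL_ONES ^ m
    return (inverted & (inverted + 1)) == 0

def lint(config):
    """Return (line number, address, mask) for entries whose mask looks like a subnet mask."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        # Assumption: only access-list and network statements are checked.
        if line.split()[:1] not in (["access-list"], ["network"]):
            continue
        for address, mask in PAIR.findall(line):
            if looks_like_subnet_mask(mask):
                findings.append((lineno, address, mask))
    return findings

# Constructed sample configuration; line 2 repeats the common mistake.
SAMPLE_CONFIG = """\
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 11 permit 10.10.10.0 255.255.255.0
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
"""

if __name__ == "__main__":
    for lineno, address, mask in lint(SAMPLE_CONFIG):
        print(f"line {lineno}: {address} {mask} looks like a subnet mask, not a wildcard")
```

With the mistaken entry, acl_matches shows the inversion directly: 10.10.10.77 is no longer matched, while an unrelated address such as 172.16.5.0 is.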