ACL Wildcard Masks
Understanding wildcard masks for ACLs - how they differ from subnet masks and quick conversion methods.
What are Wildcard Masks?
Wildcard masks are used in Access Control Lists (ACLs) to specify which parts of an IP address to match. Unlike subnet masks, wildcard masks use inverted logic: - 0 means "must match exactly" - 1 means "don't care" or "can be anything" This is the opposite of subnet masks, where 1 means network and 0 means host.
Wildcard vs Subnet Masks
The key difference is the bit meaning: **Subnet Mask:** 1 = network portion, 0 = host portion **Wildcard Mask:** 0 = must match, 1 = don't care Wildcard masks are essentially the inverse (bitwise NOT) of subnet masks.
Key Difference
Wildcard masks are the bitwise inverse of subnet masks. If you know one, you can calculate the other by
subtracting from 255.255.255.255.
Conversion Examples
/24 network - match first 24 bits exactly, any host
Subnet Mask:
255.255.255.0Subnet Binary:
11111111.11111111.11111111.00000000Wildcard Mask:
0.0.0.255Wildcard Binary:
00000000.00000000.00000000.11111111/21 network - match first 21 bits, any of last 11 bits
Subnet Mask:
255.255.248.0Subnet Binary:
11111111.11111111.11111000.00000000Wildcard Mask:
0.0.7.255Wildcard Binary:
00000000.00000000.00000111.11111111/30 network - match first 30 bits, last 2 can vary
Subnet Mask:
255.255.255.252Subnet Binary:
11111111.11111111.11111111.11111100Wildcard Mask:
0.0.0.3Wildcard Binary:
00000000.00000000.00000000.00000011/8 network - match first 8 bits, rest don't care
Subnet Mask:
255.0.0.0Subnet Binary:
11111111.00000000.00000000.00000000Wildcard Mask:
0.255.255.255Wildcard Binary:
00000000.11111111.11111111.11111111Quick Conversion Method
Formula: Wildcard = 255.255.255.255 - Subnet Mask
Steps:
- Take the subnet mask
- Subtract each octet from 255
- The result is your wildcard mask
Examples:
| Subnet Mask | Calculation | Wildcard Mask |
|---|---|---|
255.255.255.0 | 255-255, 255-255, 255-255, 255-0 | 0.0.0.255 |
255.255.240.0 | 255-255, 255-255, 255-240, 255-0 | 0.0.15.255 |
255.255.255.252 | 255-255, 255-255, 255-255, 255-252 | 0.0.0.3 |
ACL Examples by Platform
Cisco Router ACL Examples
Allow entire 192.168.1.0/24 network
ACL Entry:
access-list 10 permit 192.168.1.0 0.0.0.255Explanation: First 24 bits must match, last 8 bits don't care
Block entire 10.0.0.0/8 network
ACL Entry:
access-list 10 deny 10.0.0.0 0.255.255.255Explanation: First 8 bits must match, last 24 bits don't care
Allow 172.16.0.0/16 network
ACL Entry:
access-list 10 permit 172.16.0.0 0.0.255.255Explanation: First 16 bits must match, last 16 bits don't care
Allow only host 192.168.1.100
ACL Entry:
access-list 10 permit 192.168.1.100 0.0.0.0Explanation: All 32 bits must match exactly
Juniper Firewall Examples
Match 10.0.0.0/8 network
ACL Entry:
from source-address 10.0.0.0/8Explanation: Juniper uses CIDR notation, equivalent to wildcard 0.255.255.255
Match 192.168.1.0/24 network
ACL Entry:
from source-address 192.168.1.0/24Explanation: Equivalent to wildcard mask 0.0.0.255
Special Cases
Any Host (0.0.0.0 255.255.255.255)
Wildcard: 255.255.255.255
Meaning: Match any IP address
Usage: Often written as 'any' in ACLs
Usage: Often written as 'any' in ACLs
Specific Host (X.X.X.X 0.0.0.0)
Wildcard: 0.0.0.0
Meaning: Match exactly one IP address
Usage: Can be written as just the IP without mask
Usage: Can be written as just the IP without mask
Odd/Even Addresses
Wildcard: 0.0.0.1
Meaning: Last bit can vary (odd/even addresses)
Usage: Match pairs of consecutive addresses
Usage: Match pairs of consecutive addresses
Every 4th Address
Wildcard: 0.0.0.3
Meaning: Last 2 bits can vary
Usage: Match groups of 4 consecutive addresses
Usage: Match groups of 4 consecutive addresses
Platform Differences
| Platform | Format | Example | Notes |
|---|---|---|---|
| Cisco IOS | access-list [number] [permit|deny] [source] [wildcard] | access-list 10 permit 192.168.1.0 0.0.0.255 | Explicit wildcard mask required |
| Cisco ASA | access-list [name] [permit|deny] [protocol] [source/mask] [dest/mask] | access-list INSIDE permit ip 192.168.1.0/24 any | Can use CIDR notation or wildcard masks |
| Juniper | from source-address [network/prefix] | from source-address 192.168.1.0/24 | Uses CIDR notation, not wildcard masks |
| Palo Alto | [network/prefix] or [start-ip]-[end-ip] | 192.168.1.0/24 or 192.168.1.1-192.168.1.254 | CIDR or range format, no wildcard masks |
Quick Reference Table
| CIDR | Subnet Mask | Wildcard Mask | Addresses |
|---|---|---|---|
/32 | 255.255.255.255 | 0.0.0.0 | Single host |
/30 | 255.255.255.252 | 0.0.0.3 | 4 addresses |
/29 | 255.255.255.248 | 0.0.0.7 | 8 addresses |
/28 | 255.255.255.240 | 0.0.0.15 | 16 addresses |
/27 | 255.255.255.224 | 0.0.0.31 | 32 addresses |
/26 | 255.255.255.192 | 0.0.0.63 | 64 addresses |
/25 | 255.255.255.128 | 0.0.0.127 | 128 addresses |
/24 | 255.255.255.0 | 0.0.0.255 | 256 addresses |
/16 | 255.255.0.0 | 0.0.255.255 | 65k addresses |
/8 | 255.0.0.0 | 0.255.255.255 | 16M addresses |
Common Mistakes
Using subnet mask instead of wildcard mask
Problem: ACL won't match intended addresses
Solution: Remember to invert the mask (subtract from 255.255.255.255)
Forgetting wildcard mask entirely
Problem: Many devices assume 0.0.0.0 (host-only match)
Solution: Always specify the wildcard mask explicitly
Using non-contiguous wildcard bits
Problem: Can create unexpected matches
Solution: Stick to contiguous bit patterns for predictable results
Tips for Success
Remember These
Remember: wildcard 0 = must match, 1 = don't care
Quick conversion: subtract subnet mask from 255.255.255.255
Test your ACLs in a lab before production deployment
Use 'any' keyword instead of 0.0.0.0 255.255.255.255 for readability
Document the purpose of each ACL entry
Wildcard masks don't have to match subnet boundaries
Quick Memory Aid
Wildcard 0 = "must match exactly", Wildcard 1 = "don't care". Think of it as a mask where 0 blocks changes and
1 allows anything.