In this blog, we are going to go in depth to understand the real logic behind how wildcard masks work and how you can use them more effectively in your configuration. Wildcard masks are used in several places in the Cisco IOS CLI and are a very important concept to understand from a CCNA and CCNP certification point of view.

For beginners, the easiest method to figure out wildcard mask is still to subtract the subnet mask from For instance, if the subnet mask is the wildcard mask can be calculated as shown below:      <——- Subnet Mask                  <——-Wildcard Mask

This method is more than sufficient for most CCNA-level configuration tasks. Basically, a wildcard mask is made up of 1’s and 0’s, where:

1 represents a bit that we don’t care about
0 represents a bit that we care about and that must not change in an IP address matched by the statement


Let’s take an example,

We are given a range of – and from this range, I have to match only the IPs in the range of – For that, we have to write down a combination of an IP address and wildcard mask such that it matches only the first 4 IP addresses from the complete range. This can be done as:

00000001.00000010.00000011.00000000 First IP Address in Binary
00000001.00000010.00000011.00000001 Second IP Address in Binary
00000001.00000010.00000011.00000010 Third IP Address in Binary
00000001.00000010.00000011.00000011 Fourth IP Address in Binary
Wildcard Mask 00000000.00000000.00000000.00000011 – Wildcard Mask in Decimal
Network ID 00000001.00000010.00000011.000000XX – IP Address in Decimal


As you can see, the first 30 bits of all these IP addresses are exactly the same, and they must stay the same if we want to match all of these IPs. So when writing down the IP that we are going to use along with the wildcard mask, we don’t change the first 30 bits; we write them down as they are. Also, remember that we don’t care about the last two bits, so in their place we can write any value. Matching will be done on the basis of the first 30 bits only, and that’s what we have done there. In place of XX, you can write down whatever you want to use.

The first 30 bits must match, so while writing down the wildcard mask we write 30 zeros, and the remaining 2 bits are don’t-care bits. If you think about it, by not caring about the last two bits we can make only 4 numbers: 00, 01, 10, and 11. That means 0, 1, 2, and 3 in decimal, and that’s exactly what we wanted to match.

In order to understand the calculation for wildcard mask for advanced use, we first need to understand two logic gates – AND Gate and XOR Gate.

AND- The output is 1 when both inputs are 1. In all other cases output is 0.


A B Output
0 0 0
0 1 0
1 0 0
1 1 1

XOR- In an Exclusive-OR gate, the output is 1 when either input A or B is 1, but not if both A and B are 1. Also, the output will be 0 if both are 0. In other words, the output will be 1 only when the inputs are not the same.


A B Output
0 0 0
0 1 1
1 0 1
1 1 0

Example case-2 – Permit or deny two different IP Address using one statement in ACL.

In order to find the most specific address and wildcard combination that will match two addresses, we use AND and XOR gates.

For instance, if we have two IP addresses and and we want to create an ACL that is the most specific match for these two addresses, then we use the AND operation to figure out the address and the XOR operation to find the wildcard mask. For ease of understanding, you can write the addresses in binary. The table below illustrates the same:

11000000.00000000.00000000.00000001
11000000.00000000.00000000.00000011
11000000.00000000.00000000.00000101
11000000.00000000.00000000.00000111

If you write the same two things in binary then address becomes and wildcard mask will be So the access-list statement would be something like:

Access-list 10 permit

This can be used to figure out the most specific wildcard for matching two different IP addresses in one ACL statement.

This example also illustrates the main difference between a wildcard mask and a subnet mask. When you write a subnet mask, you write continuous 1’s followed by continuous 0’s, whereas in a wildcard mask the 1’s and 0’s can appear in discontinuous order.

Example case-2 – Permit odd or even IP address of a subnet in one statement.

Now, this example might seem unrealistic and you may never use it, but it gives you further insight into how powerful a wildcard mask can be compared to a subnet mask. Here it goes: let’s say you have a full subnet in which you just want to permit the IP addresses whose fourth octet is an odd number. What I mean is that if the subnet is then I want only IP Address of,, and so on to be allowed for a certain thing. Now, one easy way is to have lots of statements in the ACL with individual entries for these IP addresses. The same task can be accomplished in just one statement. For ease of understanding, let’s write some odd IP addresses in binary:

11000000.00000000.00000000.00000001
11000000.00000000.00000000.00000011
11000000.00000000.00000000.00000101
11000000.00000000.00000000.00000111
AND Operation for IP Address 11000000.00000000.00000000.00000001
XOR Operation for Wildcard Mask 00000000.00000000.00000000.11111110

If you notice, all the IP addresses with an odd number in their fourth octet have the last bit set to 1. An IP address has an odd number in its fourth octet only if this bit is 1. Relating this to the previous statement, here we only care about the last bit of the fourth octet. So if we want to permit all IP addresses whose fourth octet is an odd number, this last bit must remain as it is. We can use a wildcard mask that cares about only the last bit and doesn’t care about any other bit in the fourth octet. The statement can be written as:

Access-list 10 permit

Again, to figure this out we have used an AND operation for the IP address and an XOR operation for the wildcard mask.

11000000.00000000.00000000.00000001
11000000.00000000.00000000.00000011
11000000.00000000.00000000.00000101
11000000.00000000.00000000.00000111
AND Operation for IP Address 11000000.00000000.00000000.00000001
XOR Operation for Wildcard Mask 00000000.00000000.00000000.11111110
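
The AND/XOR method from the two examples above, as an added Python example (not code from the original post). It extends the two-address case to any number of addresses by treating every bit that differs as a don’t-care bit, and it lists everything the resulting entry matches, because an entry built this way can cover more addresses than the ones you started from. The 192.0.2.x addresses and the helper names are constructed for illustration.

```python
import ipaddress
from functools import reduce

def to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def to_ip(n):
    return str(ipaddress.IPv4Address(n))

def acl_pair(addresses):
    """Most specific (address, wildcard) pair that covers every input address."""
    ints = [to_int(a) for a in addresses]
    base = reduce(lambda x, y: x & y, ints)    # AND: bits set in every address
    union = reduce(lambda x, y: x | y, ints)   # OR: bits set in at least one
    return to_ip(base), to_ip(base ^ union)    # XOR: differing bits = don't care

def matches(ip, address, wildcard):
    """Cisco-style test: compare only the bits where the wildcard is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(ip) & care) == (to_int(address) & care)

def expand(address, wildcard):
    """List every address the entry matches (use with few don't-care bits)."""
    wc = to_int(wildcard)
    base = to_int(address) & ~wc & 0xFFFFFFFF
    bits = [1 << i for i in range(32) if (wc >> i) & 1]
    result = []
    for combo in range(1 << len(bits)):
        n = base
        for j, bit in enumerate(bits):
            if (combo >> j) & 1:
                n |= bit
        result.append(to_ip(n))
    return result

if __name__ == "__main__":
    # Constructed sample: two hosts that differ in two bit positions.
    addr, wc = acl_pair(["192.0.2.1", "192.0.2.4"])
    print("access-list 10 permit", addr, wc)
    # The single entry also matches .0 and .5, which were never asked for.
    print(expand(addr, wc))
    # Odd-host entry: only the last bit of the fourth octet is checked.
    print(matches("192.0.2.201", "192.0.2.1", "0.0.0.254"))
    print(matches("192.0.2.200", "192.0.2.1", "0.0.0.254"))
```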
