The wildcard mask is used with access list statements to identify a range of IP addresses (such as all addresses on a specific network). When used to identify network addresses in access list statements, wildcard masks are the exact opposite of a subnet mask. To calculate the wildcard mask:
- Identify the decimal value of the subnet mask.
- Subtract each octet in the subnet mask from 255.
For example, suppose you wanted to allow all traffic on network 10.12.16.0/21. To find the wildcard mask:
- A mask that covers 21 bits converts to 255.255.248.0
- The wildcard mask would be:
  - First octet: 255 – 255 = 0
  - Second octet: 255 – 255 = 0
  - Third octet: 255 – 248 = 7
  - Fourth octet: 255 – 0 = 255
This gives you the wildcard mask 0.0.7.255.
Like subnet masks, wildcard masks operate at the bit level. Any bit in the wildcard mask with a 0 value means that the corresponding bit in the packet address must match the network address for the access list statement to apply. A bit with a 1 value means that the corresponding bit is ignored. For example, here are the subnet address, subnet mask, and wildcard mask in binary form for the preceding example:
- Subnet address: 10.12.16.0 = 00001010.00001100.00010000.00000000
- Subnet mask: 255.255.248.0 = 11111111.11111111.11111000.00000000
- Wildcard mask: 0.0.7.255 = 00000000.00000000.00000111.11111111
Notice how the bits in the wildcard mask are exactly opposite of the bits in the subnet mask. Suppose an access list were created with a statement as follows:
access-list 12 deny 10.12.16.0 0.0.7.255
Suppose that a packet addressed to 10.12.16.15 was received. The router uses the wildcard mask to compare the bits in the address to the bits in the subnet address.
In this example, all bits identified with a 0 in the wildcard mask must match between the address and the network address. Any bit identified with a 1 is ignored. In this example, 10.12.16.15 matches the access list statement and the traffic is denied.
Now suppose that a packet addressed to 10.13.17.15 was received. The router uses the wildcard mask to compare the bits in the address to the bits in the subnet address.
Notice that this address does not match the access list statement as identified with the wildcard mask, so the deny statement does not apply and the router moves on to the next statement in the list. In this case, traffic would be permitted, provided a later statement permits it; an access list that has no matching permit statement drops the packet under the implicit deny at the end of every access list.
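The following script is an added example, not part of the original text, that carries out both procedures above in code: it derives the wildcard mask from a prefix length or a dotted subnet mask, prints the three values in binary so the bit-for-bit inversion is visible, and then evaluates sample addresses against an access list entry using the same rule the router applies (bits under a wildcard 0 must match, bits under a wildcard 1 are ignored). It generalizes the page's single case to an ordered list of entries with the implicit deny at the end; the function names and the constructed sample addresses are my own and use only the Python standard library.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF  # 32-bit mask used to complement IPv4 values


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len IPv4 network (bitwise NOT of the subnet mask)."""
    subnet_mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return str(ipaddress.IPv4Address(int(subnet_mask) ^ ALL_ONES))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The octet-by-octet method from the text: subtract each octet from 255."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def to_binary(dotted: str) -> str:
    """Dotted-decimal to dotted-binary, eight bits per octet, for side-by-side comparison."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


def ace_matches(network: str, wildcard: str, address: str) -> bool:
    """Apply one access control entry: every bit where the wildcard is 0 must be equal."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    addr = int(ipaddress.IPv4Address(address))
    care_bits = wc ^ ALL_ONES  # 1 where the wildcard is 0, i.e. the bits that must match
    return (net & care_bits) == (addr & care_bits)


def evaluate_acl(acl, address: str) -> str:
    """Walk an ordered list of (action, network, wildcard) entries; first match wins.

    Returns the action of the first matching entry, or "deny" when nothing
    matches, which mirrors the implicit deny at the end of every access list.
    """
    for action, network, wildcard in acl:
        if ace_matches(network, wildcard, address):
            return action
    return "deny"


if __name__ == "__main__":
    # Values from the text: network 10.12.16.0/21.
    prefix = 21
    subnet_mask = str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
    wildcard = wildcard_from_prefix(prefix)
    print(f"Subnet address : 10.12.16.0     = {to_binary('10.12.16.0')}")
    print(f"Subnet mask    : {subnet_mask:<14} = {to_binary(subnet_mask)}")
    print(f"Wildcard mask  : {wildcard:<14} = {to_binary(wildcard)}")

    # "access-list 12 deny 10.12.16.0 0.0.7.255", with and without a trailing permit.
    deny_only = [("deny", "10.12.16.0", "0.0.7.255")]
    deny_then_permit = deny_only + [("permit", "0.0.0.0", "255.255.255.255")]

    # Constructed sample addresses: the two from the text plus the range edges.
    for sample in ("10.12.16.15", "10.13.17.15", "10.12.23.255", "10.12.24.0"):
        print(f"{sample:<13} matches entry: {ace_matches('10.12.16.0', '0.0.7.255', sample)!s:<5} "
              f"deny-only list -> {evaluate_acl(deny_only, sample):<6} "
              f"with permit any -> {evaluate_acl(deny_then_permit, sample)}")
```

Running the script shows that 10.12.16.15 and 10.12.23.255 fall inside the 0.0.7.255 range and are denied by the entry, while 10.13.17.15 and 10.12.24.0 miss it; whether those two are then permitted depends entirely on whether a later permit statement exists.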