
Wildcard Masks vs CIDR Notation: Understanding the Difference

Cisco ACLs use wildcard masks instead of subnet masks. A wildcard mask is the bitwise inverse of a subnet mask — 0 bits match, 1 bits are ignored. Here's how to convert between the two.


If you have spent time configuring Cisco routers or studying for CCNA, you have encountered wildcard masks. They look like subnet masks but behave differently — a common source of confusion. Understanding the relationship between wildcard masks, subnet masks, and CIDR notation removes the confusion permanently.

What a Wildcard Mask Is

A wildcard mask is the bitwise complement of a subnet mask. Where a subnet mask has a 1 bit, the wildcard has a 0 bit, and vice versa. In a wildcard mask: a 0 bit means "this bit must match" and a 1 bit means "this bit can be anything". This is the opposite of a subnet mask's convention.

Converting Between Subnet Mask and Wildcard Mask

The conversion is simple: subtract the subnet mask from 255.255.255.255.

Subnet mask:    255.255.255.0     (/24)
Wildcard mask:    0.  0.  0.255

Subnet mask:    255.255.255.240   (/28)
Wildcard mask:    0.  0.  0. 15

You can verify this with the subnet mask vs CIDR guide or by using the CIDR calculator to look up the wildcard mask for any prefix length.

Using Wildcard Masks in Cisco ACLs

In a Cisco access control list, you specify a source or destination as an IP address plus a wildcard mask:

access-list 10 permit 192.168.1.0 0.0.0.255

This permits any address in 192.168.1.0/24. The wildcard 0.0.0.255 means "the first three octets must match 192.168.1, the last octet can be anything." This is equivalent to the CIDR block 192.168.1.0/24.

Non-Contiguous Wildcard Masks

Wildcard masks can be non-contiguous — a capability CIDR notation does not have. For example, the wildcard 0.0.255.0 matches addresses where the first, second and fourth octets are fixed and the third octet can be anything. This lets you match even-numbered subnets or specific bit patterns that CIDR cannot express. It is a niche feature, but occasionally useful for matching specific host patterns across multiple subnets.

Host and Any Shortcuts

Cisco IOS provides two shortcuts in ACLs:

  • host 192.168.1.1 is equivalent to 192.168.1.1 0.0.0.0 — matches exactly one IP
  • any is equivalent to 0.0.0.0 255.255.255.255 — matches all IPs

The host shortcut corresponds to a CIDR /32 and any corresponds to 0.0.0.0/0. Modern network automation tools and cloud providers use CIDR notation exclusively, so most engineers work with CIDR for new infrastructure even if they maintain Cisco ACLs using wildcard notation.
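To tie the conversion rule, the ACL matching semantics, the non-contiguous case and the host/any shortcuts together, here is an added Python example (not from the original article or from Cisco). It converts a prefix length to subnet and wildcard masks, reports whether a wildcard is contiguous, expands the IOS shortcuts, and checks an address against an "address wildcard" pair the way an ACL entry does; the even-subnet wildcard 0.0.254.255 used below is a constructed sample.

```python
import ipaddress
from typing import Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def prefix_to_masks(prefix_len: int) -> Tuple[str, str]:
    """Return (subnet_mask, wildcard_mask) for a CIDR prefix length."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    wildcard = mask ^ ALL_ONES  # bitwise inverse == 255.255.255.255 - mask
    return str(ipaddress.IPv4Address(mask)), str(ipaddress.IPv4Address(wildcard))


def wildcard_to_prefix(wildcard: str) -> Optional[int]:
    """Prefix length for a contiguous wildcard, or None if it is non-contiguous
    (no CIDR equivalent exists)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    ones = bin(mask).count("1")
    contiguous = mask == ((ALL_ONES << (32 - ones)) & ALL_ONES)
    return ones if contiguous else None


def parse_acl_source(token: str) -> Tuple[str, str]:
    """Expand the IOS shortcuts: 'any' -> 0.0.0.0/255.255.255.255,
    'host A' -> A/0.0.0.0; otherwise expect 'ADDRESS WILDCARD'."""
    parts = token.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"unrecognised ACL source: {token!r}")


def acl_matches(ip: str, address: str, wildcard: str) -> bool:
    """True if ip matches 'address wildcard' under ACL semantics: every bit
    that is 0 in the wildcard must equal the corresponding bit of address."""
    ip_i = int(ipaddress.IPv4Address(ip))
    addr_i = int(ipaddress.IPv4Address(address))
    care_bits = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES  # 1 = must match
    return ((ip_i ^ addr_i) & care_bits) == 0


if __name__ == "__main__":
    print(prefix_to_masks(28))                                   # ('255.255.255.240', '0.0.0.15')
    print(wildcard_to_prefix("0.0.255.0"))                       # None: non-contiguous
    print(acl_matches("10.1.4.9", "10.1.0.0", "0.0.254.255"))    # True: even third octet
    print(acl_matches("10.1.5.9", "10.1.0.0", "0.0.254.255"))    # False: odd third octet
```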