Wildcard Masks Explained: The Inverse Mask
A wildcard mask is the bit-inverse of a subnet mask, used in ACLs and OSPF network statements: 0 bits mean "must match", 1 bits mean "don't care". Where a /24 subnet mask is 255.255.255.0, its wildcard is 0.0.0.255 — match the first three octets, ignore the last.
The conversion trick
Subtract each mask octet from 255: mask 255.255.255.192 → wildcard 0.0.0.63. That's it. Common pairs to memorise: /24 → 0.0.0.255, /26 → 0.0.0.63, /30 → 0.0.0.3, and a single host → 0.0.0.0 (all bits must match — equivalent to the keyword host).
Where you'll use them
Two big places: ACLs (access-list 10 permit 192.168.1.0 0.0.0.255 matches that whole /24) and OSPF network statements (network 10.0.12.0 0.0.0.3 area 0 enables OSPF on that /30 link). The keywords host (0.0.0.0) and any (255.255.255.255) are shorthands for the two extremes.
Common mistakes
Typing the subnet mask where the wildcard belongs is the number-one error: permit 192.168.1.0 255.255.255.0 in an ACL matches almost nothing you intended, because read as a wildcard 255.255.255.0 ignores the first three octets and requires only the last octet to match. Practise conversions with the wildcard calculator until inverting masks is automatic.
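The matching rule and the mistake above, as an added Python example (not code from the original page): it inverts a mask, applies the 0-means-match rule, and flags ACL entries whose wildcard field looks like a subnet mask. The function names and the sample entries are constructed for illustration, and the flagging is a heuristic that assumes the access-list N permit BASE WILDCARD shape shown on this page.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def mask_to_wildcard(mask):
    """Invert a subnet mask (same result as subtracting each octet from 255)."""
    return str(ipaddress.IPv4Address(to_int(mask) ^ ALL_ONES))

def acl_matches(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    care = to_int(wildcard) ^ ALL_ONES
    return (to_int(addr) & care) == (to_int(base) & care)

def looks_like_subnet_mask(wildcard):
    """True when the value is a subnet mask (1 bits packed at the left).
    0.0.0.0 (host) and 255.255.255.255 (any) are valid wildcards, so skip them."""
    w = to_int(wildcard)
    if w in (0, ALL_ONES):
        return False
    low = w ^ ALL_ONES              # for a real mask this is 2**k - 1
    return (low & (low + 1)) == 0

def audit(acl_lines):
    """Return the lines whose last field is probably a mask typed as a wildcard."""
    return [line for line in acl_lines
            if looks_like_subnet_mask(line.split()[-1])]

# Constructed sample entries; the second repeats the mistake described above.
SAMPLE_ACL = [
    "access-list 10 permit 192.168.1.0 0.0.0.255",
    "access-list 10 permit 192.168.1.0 255.255.255.0",
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ACL):
        print("suspicious wildcard:", line)
    # The mistaken entry misses the intended host and matches an unrelated one.
    print(acl_matches("192.168.1.77", "192.168.1.0", "255.255.255.0"))
    print(acl_matches("10.9.8.0", "192.168.1.0", "255.255.255.0"))
```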
Frequently asked questions
What is a wildcard mask?
The bit-inverse of a subnet mask used in ACLs and OSPF: 0 bits must match exactly, 1 bits are ignored — 0.0.0.255 matches any host in a /24.
How do you convert a subnet mask to a wildcard mask?
Subtract each octet from 255 — mask 255.255.255.192 becomes wildcard 0.0.0.63.
What do host and any mean in ACLs?
host equals wildcard 0.0.0.0 (exact single address); any equals 255.255.255.255 (match everything).
Why does OSPF use wildcard masks in network statements?
To select which interface addresses join OSPF — the wildcard defines the matching range, like 0.0.0.3 matching a /30 link's addresses.