Wildcard masks

Wildcard masks are used to specify a range of network addresses. They are commonly used with routing protocols (like OSPF) and access lists.

Just like a subnet mask, a wildcard mask is 32 bits long. It acts as an inverted subnet masks, but with wildcard mask, the zero bits indicate that the corresponding bit position must match the same bit position in the IP address. The one bits indicate that the corresponding bit position doesn’t have to match the bit position in the IP address.

Here is an example of using a wildcard mask to include only the desired interfaces in the OSPF routing process:

wildcard mask topology

Router R1 has three networks directly connected. To include only the subnet in the OSPF routing process, the following network command can be used:

R1(config)#router ospf 1
R1(config-router)#network area 0

Let’s break down the wildcard part of the command. To do that, we need to use binary numbers instead of decimal notation. = 00001010.00000000.00000001.00000000 = 00000000.0000000.00000000.11111111

The theory says that the zero bits of the wildcard mask have to match the same position in the IP address. So, let’s write the wildacard mask below the IP address:


As you can see from the output above, the last octet doesen’t have to match, because the wildcard mask bits are all ones. The first 24 bits have to match, because of the wildcard mask bits of all zeros. So, in this case, wildcard mask will match all addresses that begins with 10.0.1.X. In our case, only one network will be matched,

What is we want to match both and Than we will have to use different wildcard mask. We need to use the wildcard mask of Why is that? Well, we again need to write down the addresses in binary:

00001010.00000000.00000000.00000000 =
00001010.00000000.00000001.00000000 =
00000000.00000000.00000001.11111111 =

From the output above, we can see that only the first 23 bits have to match (notice that the third octet of the wildcard mask has a 1 at the end). That means that all addresses in the range of – will be matched. So, in our case, we have successfully matched both addresses, and

Wildcard mask of all zeros ( means that the entire IP address have to match in order for a statement to execute. For example, if we want to match only the IP address of, the command used would be
A wildcard mask of all ones ( means that no bits have to match. This basically means that all addresses will be matched.

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: