Wildcard Masks Explained

Wildcard masks are used to specify a range of network addresses. They are commonly used with routing protocols (like OSPF) and access lists.

Just like a subnet mask, a wildcard mask is 32 bits long. It acts as an inverted subnet mask, but with a wildcard mask, the zero bits indicate that the corresponding bit position must match the same bit position in the IP address. The one bits indicate that the corresponding bit position doesn’t have to match the bit position in the IP address.

Here is an example of using a wildcard mask to include only the desired interfaces in the OSPF routing process:

wildcard mask topology

Router R1 has three networks directly connected. To include only the 10.0.1.0 subnet in the OSPF routing process, the following network command can be used:

R1(config)#router ospf 1
R1(config-router)#network 10.0.1.0 0.0.0.255 area 0

Let’s break down the wildcard part of the command. To do that, we need to use binary numbers instead of decimal notation.

10.0.1.0 = 00001010.00000000.00000001.00000000
0.0.0.255 = 00000000.0000000.00000000.11111111

The theory says that the zero bits of the wildcard mask have to match the same position in the IP address. So, let’s write the wildcard mask below the IP address:

00001010.00000000.00000001.00000000
00000000.00000000.00000000.11111111

As you can see from the output above, the last octet doesn’t have to match, because the wildcard mask bits are all ones. The first 24 bits have to match, because of the wildcard mask bits of all zeros. So, in this case, the wildcard mask will match all addresses that begin with 10.0.1.X. In our case, only one network will be matched, 10.0.1.0/24.

What if we want to match both 10.0.0.0/24 and 10.0.1.0/24? Then we will have to use different wildcard masks. We need to use the wildcard mask of 0.0.1.255. Why is that? Well, we again need to write down the addresses in binary:

00001010.00000000.00000000.00000000 = 10.0.0.0
00001010.00000000.00000001.00000000 = 10.0.1.0
00000000.00000000.00000001.11111111 = 0.0.1.255

From the output above, we can see that only the first 23 bits have to match (notice that the third octet of the wildcard mask has a 1 at the end). That means that all addresses in the range of 10.0.0.0 – 10.0.1.255 will be matched. So, in our case, we have successfully matched both addresses, 10.0.0.0 and 10.0.1.0.

NOTE
A wildcard mask of all zeros (0.0.0.0) means that the entire IP address has to match in order for a statement to execute. For example, if we want to match only the IP address of 192.168.0.1, the command used would be 192.168.0.1 0.0.0.0.
A wildcard mask of all ones (255.255.255.255) means that no bits have to match. This basically means that all addresses will be matched.

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: