[ CCNA · DOMAIN 5 · ACLS · PLAIN-ENGLISH ANSWER ]
WHAT IS A WILDCARD MASK?
It looks like a subnet mask turned inside out — and that's basically what it is. Here's how to read one and the shortcut to build it fast.
[ ▶ SHORT ANSWER ]
A wildcard mask is a 32-bit value used in Cisco ACLs and OSPF network statements that tells the device which bits of an IP address must match and which to ignore. Unlike a subnet mask, a 0 bit means 'this bit must match exactly' and a 1 bit means 'don't care.' It is the inverse of a subnet mask: subtract each subnet-mask octet from 255 to get the wildcard. For example, the subnet mask 255.255.255.0 becomes the wildcard 0.0.0.255, which matches any host in a /24. The shortcut 'host x.x.x.x' equals wildcard 0.0.0.0 (one exact host), and 'any' equals 0.0.0.0 with wildcard 255.255.255.255 (match everything).
Wildcard masks trip up almost everyone at first because they feel backwards compared to subnet masks. Once you see the rule, it's easy.
The one rule
In a wildcard mask, each bit means:
- 0 = must match (check this bit)
- 1 = don't care (ignore this bit)
That's the exact opposite of a subnet mask, where 1s are the network and 0s are the host. So a wildcard mask is just the inverse of a subnet mask.
The shortcut: 255 minus the subnet mask
To turn a subnet mask into a wildcard, subtract each octet from 255:
Subnet mask: 255.255.255.0
255 - each:  0.0.0.255
Wildcard:    0.0.0.255 (matches any host in a /24)

Subnet mask: 255.255.255.192 (/26)
Wildcard:    0.0.0.63
The two you must memorize
0.0.0.0 = match one exact host. Cisco lets you write host 10.1.1.1 instead.
255.255.255.255 = match anything. Cisco lets you write any.
Where you'll use it
Two big places on the CCNA: ACLs (which traffic a rule matches) and OSPF network statements (which interfaces join the process). Example ACL line:
access-list 10 permit 192.168.1.0 0.0.0.255
That permits every host in 192.168.1.0/24. Get the wildcard wrong and you'll match too much or too little — the most common ACL mistake there is.
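An added example (not from the original page): a Python check of the must-match/don't-care rule that tests whether an address matches an ACL entry and counts how many addresses a wildcard covers, so a too-wide mask is visible before the line is deployed. The function names and the 192.168.1.0/26 audit case are constructed for illustration; the example also goes slightly beyond the text by flagging wildcards that are not a clean inverse of a subnet mask.

```python
import ipaddress

def to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_from_subnet(mask):
    """The 255-minus shortcut: invert each octet of a subnet mask."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def acl_matches(entry_addr, wildcard, candidate):
    """True if candidate equals entry_addr on every 0 (must-match) bit."""
    care = ~to_int(wildcard) & 0xFFFFFFFF  # 1 = bit is checked
    return (to_int(entry_addr) & care) == (to_int(candidate) & care)

def match_count(wildcard):
    """Addresses matched = 2 ** (number of don't-care bits)."""
    return 2 ** bin(to_int(wildcard)).count("1")

def is_contiguous(wildcard):
    """True if the wildcard is a clean inverse of a subnet mask."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0  # low-order run of 1s only

if __name__ == "__main__":
    # Constructed audit case: the intent is to permit only 192.168.1.0/26.
    intended = wildcard_from_subnet("255.255.255.192")   # 0.0.0.63
    too_wide = "0.0.0.255"                               # /24 wildcard by mistake
    for wc in (intended, too_wide):
        print(wc, "matches", match_count(wc), "addresses;",
              "192.168.1.100 permitted:", acl_matches("192.168.1.0", wc, "192.168.1.100"))
    print("0.0.255.0 contiguous:", is_contiguous("0.0.255.0"))
```

With the intended /26 wildcard, 192.168.1.100 falls outside the entry; with the /24 wildcard written by mistake, the same ACL line permits it.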
★ RELATED QUESTIONS
[ Is a wildcard mask the same as a subnet mask? ]
No — they're inverses. A subnet mask uses 1s for the network portion; a wildcard mask uses 0s for the bits that must match and 1s for the bits to ignore. Convert by subtracting each subnet-mask octet from 255.
[ What wildcard mask matches a single host? ]
0.0.0.0 — every bit must match, so it matches exactly one address. Cisco's 'host' keyword (e.g. 'host 10.1.1.1') is shorthand for it.
[ Do wildcard masks have to be contiguous? ]
For the CCNA, treat them as contiguous (a clean inverse of a subnet mask). Cisco hardware can technically process non-contiguous wildcard bits, but that's outside the exam scope and rarely used.