If you have configured a Cisco ACL or OSPF network statement, you've seen syntax like 192.168.10.0 0.0.0.255 instead of 192.168.10.0/24. That second number is a wildcard mask — the inverse of a subnet mask, where 0 bits mean "must match" and 1 bits mean "don't care."
Wildcard masks exist because Cisco's earlier syntax used them, and they have stuck around in IOS and IOS XE. Modern configs increasingly use prefix-length notation, but you still encounter wildcards in ACLs and OSPF network statements. This article explains how to convert between the two, why wildcard masks exist, and the edge cases where non-contiguous wildcards matter.
The basic conversion
For each octet: wildcard = 255 − subnet_mask.
| Prefix | Subnet mask | Wildcard mask |
|---|---|---|
| /8 | 255.0.0.0 | 0.255.255.255 |
| /16 | 255.255.0.0 | 0.0.255.255 |
| /20 | 255.255.240.0 | 0.0.15.255 |
| /22 | 255.255.252.0 | 0.0.3.255 |
| /24 | 255.255.255.0 | 0.0.0.255 |
| /25 | 255.255.255.128 | 0.0.0.127 |
| /26 | 255.255.255.192 | 0.0.0.63 |
| /27 | 255.255.255.224 | 0.0.0.31 |
| /28 | 255.255.255.240 | 0.0.0.15 |
| /30 | 255.255.255.252 | 0.0.0.3 |
| /32 | 255.255.255.255 | 0.0.0.0 (or host keyword) |
The wildcard for a /N is just the size of the subnet minus 1, expressed as a 32-bit number. /24 has 256 addresses, wildcard is 255 (= 256-1) in the last octet.
How wildcard matching works
A wildcard mask is a bitmask:
- 0 bit = this bit must match exactly
- 1 bit = this bit is "don't care" (matches either 0 or 1)
For 192.168.10.0 0.0.0.255: the first 24 bits must match exactly (192.168.10), and the last 8 bits are wildcarded (any value 0-255). This matches the entire /24 range from 192.168.10.0 to 192.168.10.255.
Where you actually see wildcard masks
Cisco IOS ACLs
```
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any
```
The first line matches 192.168.10.0/24, the second matches 10.0.0.0/24 (note: not 10/8!), the third denies everything else.
OSPF network statements
```
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 10.0.1.0 0.0.0.255 area 1
 network 192.168.10.0 0.0.0.255 area 0
```
These statements specify which interfaces participate in OSPF and which area they belong to.
BGP neighbor / route-map matches
```
ip prefix-list MY_PREFIXES seq 10 permit 10.0.0.0/8 le 24
```
BGP usually uses prefix lists (CIDR-native), not wildcards. But older configs sometimes still use wildcard-masked ACLs.
The /32 host shortcut
For a single host, instead of writing 192.168.10.42 0.0.0.0, Cisco accepts:
```
access-list 10 permit host 192.168.10.42
```
And for any source, instead of 0.0.0.0 255.255.255.255:
```
access-list 10 permit any
```
These keywords are common in production ACLs and you should recognize them.
Non-contiguous wildcards
Here is where wildcards reveal their power. Unlike subnet masks (which are always contiguous 1s followed by contiguous 0s), wildcard masks can have non-contiguous bits. This lets you match patterns that subnet masks cannot express.
Example: match all hosts on even-numbered /24s in 10.0.0.0/16 (10.0.0.0/24, 10.0.2.0/24, 10.0.4.0/24, ...):
```
access-list 10 permit 10.0.0.0 0.0.254.255
```
The wildcard 0.0.254.255 in binary: 00000000.00000000.11111110.11111111. The third octet's lowest bit is 0 (must match), making only addresses with that bit = 0 (even values) match.
This is mostly an esoteric pattern in modern networks. It is useful for matching odd/even VLANs or for compactly expressing certain firewall patterns, but most engineers will never need it. It is worth mentioning because it explains why wildcards exist instead of just using subnet masks: they are strictly more expressive.
Conversion shortcut
For typical subnet masks (contiguous 1s), the conversion is mechanical:
- Find the wildcard's value in the interesting octet: 256 − mask_value − 1.
- The wildcard has 0s in all "255" octets of the mask and 255s in all "0" octets.
For /22 (mask 255.255.252.0): wildcard third octet = 256 - 252 - 1 = 3. Wildcard fourth octet = 255 (subnet mask 0). Wildcard first two octets = 0 (subnet mask 255). Result: 0.0.3.255.
Common wildcard mask mistakes
- Writing the wildcard as a subnet mask. `access-list 10 permit 10.0.0.0 255.0.0.0` is wrong: IOS will use the value as a wildcard, so the first octet is "don't care" and the last three octets must match 0.0.0, which means the entry matches only addresses of the form x.0.0.0. Almost certainly not what you wanted.
- Misreading non-contiguous wildcards. If you see `0.0.255.7`, it is unusual and probably intentional. Don't "simplify" it without understanding what was intended.
- Forgetting OSPF wildcards match interfaces, not networks. OSPF wildcards select which interfaces participate, based on their IP. If you have an interface at 10.0.0.1 and you write `network 10.0.0.0 0.0.0.255 area 0`, that interface joins area 0.
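As an added example (not from this article or from Cisco), the conversion rules from "The basic conversion" and "Conversion shortcut", the bit-level matching from "How wildcard matching works", the even-/24 non-contiguous case, and the subnet-mask-typed-as-wildcard mistake above, implemented in Python with only the standard library:

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def prefix_to_wildcard(prefix_len: int) -> str:
    """/N -> dotted wildcard: the block size minus one, i.e. the inverted mask."""
    mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def wildcard_to_prefix(wildcard: str):
    """Dotted wildcard -> /N, or None when the wildcard is non-contiguous
    (a contiguous wildcard is exactly one where wildcard + 1 is a power of two)."""
    w = _to_int(wildcard)
    if (w + 1) & w:
        return None
    return 32 - ((w + 1).bit_length() - 1)


def matches(address: str, base: str, wildcard: str) -> bool:
    """Cisco semantics: wildcard 0 bits must equal the base, 1 bits are ignored."""
    keep = _to_int(wildcard) ^ ALL_ONES  # bits that must match exactly
    return _to_int(address) & keep == _to_int(base) & keep


def looks_like_subnet_mask(wildcard: str) -> bool:
    """Flag a 'wildcard' whose 1 bits run from the top (255.0.0.0, 255.255.255.128):
    almost certainly a subnet mask typed where IOS expects a wildcard.
    0.0.0.0 and 255.255.255.255 are valid in both readings and are not flagged."""
    w = _to_int(wildcard)
    if w in (0, ALL_ONES):
        return False
    inv = w ^ ALL_ONES
    return (inv + 1) & inv == 0  # inverse is 0...01...1, so w was 1...10...0


if __name__ == "__main__":
    print(prefix_to_wildcard(22))                          # 0.0.3.255
    print(wildcard_to_prefix("0.0.254.255"))               # None: non-contiguous
    print(matches("10.0.2.7", "10.0.0.0", "0.0.254.255"))  # True: even /24
    print(matches("10.0.3.7", "10.0.0.0", "0.0.254.255"))  # False: odd /24
    print(matches("10.5.6.7", "10.0.0.0", "255.0.0.0"))    # False: mask-as-wildcard mistake
    print(looks_like_subnet_mask("255.0.0.0"))             # True
```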
Migrating from wildcards to prefix-list
Modern IOS supports prefix-list and CIDR-native syntax in most places. The transition:
```
! Old: ACL with wildcard
access-list 10 permit 10.0.0.0 0.255.255.255
! New: prefix-list with CIDR
ip prefix-list ALLOW_RFC1918 seq 10 permit 10.0.0.0/8
```
For new configs, prefer prefix-list and CIDR notation. They are easier to read, less error-prone, and more expressive (you can specify le and ge bounds for prefix length).
Key takeaways
- Wildcard = inverse of subnet mask. 0 means match, 1 means don't care.
- Conversion: each octet's wildcard = 255 − that octet's subnet mask value.
- Used in Cisco IOS ACLs, OSPF network statements, and route-maps.
- Wildcards can be non-contiguous (unlike subnet masks), enabling patterns like "match all odd VLANs."
- Use the `host` and `any` keywords for /32 and 0.0.0.0/0 shortcuts.
- For new configs, prefer prefix-lists and CIDR notation over ACLs with wildcard masks.