ACL wildcard mask

When configuring an access list on a Cisco IOS device, a wildcard mask specifies which bits of a prefix must match and which are ignored.

A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an IPv4 address to match. However, a wildcard mask and a subnet mask differ in how they treat binary 1s and 0s. With a subnet mask, a binary 1 means the bit must match and a binary 0 means it is not compared; with a wildcard mask, the reverse is true: a 0 bit must match and a 1 bit is ignored.

The following standard access list matches all IP addresses that begin with 10.10.10.

access-list 1 permit 10.10.10.0 0.0.0.255

The wildcard mask in binary is 00000000.00000000.00000000.11111111. Notice that all of the 1 bits fall in the last octet. Thus the first three octets must match 10.10.10 exactly, and the last octet of the 10.10.10.0 prefix can be any value.

Note that the syntax does not require a contiguous run of zeros followed by ones; 1s and 0s can be mixed in any pattern. Thus any value between 0.0.0.0 and 255.255.255.255 is accepted as a wildcard mask.

However, almost all wildcard masks in practice are written as contiguous zeros followed by contiguous ones, so it is rare to see a wildcard mask in any other form. It is still good to know that Cisco IOS will not "catch" any error you make in the way a wildcard mask is formed: a mistyped mask is accepted as-is and matches whatever set of addresses its bit pattern describes.

This same freedom lets us build complex wildcard masks that match various combinations of prefixes.
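As an added illustration (not part of the original note), the following Python applies Cisco wildcard semantics to an address and shows the difference between a contiguous mask such as 0.0.0.255 and a complex one such as 0.0.254.255, which matches only the odd-numbered /24s; the sample addresses are constructed for the example.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def ace_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the base,
    a 1 bit is ignored. Only the 'care' bits are compared."""
    care = ALL_ONES & ~_to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)


def is_contiguous(wildcard: str) -> bool:
    """True when the mask is zeros followed by ones (the inverse of a subnet
    mask); False for complex masks such as 0.0.254.255."""
    w = _to_int(wildcard)
    return (w + 1) & w == 0  # w + 1 is a power of two only for such masks


def to_prefix(base: str, wildcard: str):
    """Equivalent CIDR prefix for a contiguous mask, else None."""
    if not is_contiguous(wildcard):
        return None
    w = _to_int(wildcard)
    care_base = _to_int(base) & (ALL_ONES & ~w)
    return f"{ipaddress.IPv4Address(care_base)}/{32 - w.bit_length()}"


def normalize_base(base: str, wildcard: str) -> str:
    """Zero the base's bits in ignored positions; such bits never affect
    matching, which is easy to miss when reading an ACE."""
    care = ALL_ONES & ~_to_int(wildcard)
    return str(ipaddress.IPv4Address(_to_int(base) & care))


if __name__ == "__main__":
    # The note's example: everything in 10.10.10.0/24 is matched.
    print(ace_matches("10.10.10.77", "10.10.10.0", "0.0.0.255"))   # True
    print(to_prefix("10.10.10.0", "0.0.0.255"))                    # 10.10.10.0/24
    # Complex mask: third octet must be odd, last octet is free.
    print(ace_matches("10.10.3.25", "10.10.1.0", "0.0.254.255"))   # True
    print(ace_matches("10.10.2.25", "10.10.1.0", "0.0.254.255"))   # False
    print(is_contiguous("0.0.254.255"))                            # False
```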

Links:

https://networklessons.com/cisco/ccie-routing-switching/create-complex-wildcard-masks

https://www.ciscopress.com/articles/article.asp?p=3089353&seqNum=5

https://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v511/command/reference/cmdref/ext_acl.html#wp1043596

https://forum.networklessons.com/t/bgp-extended-access-list-filtering/1294/41?u=lagapides