Where do we use Cisco Wildcard Masks?

People might still be interested in about Cisco Wildcard Masks. I try to summarize interesting information about Wildcard Masks in this post.

Use Case 1: IPv4 Access Control Lists on Cisco IOS, IOS XE, and IOS XR

Wildcard masks are for us to select only subsets of IPv4 addresses.



When we define selected source or destination IPv4 addresses for an Access Control List (ACL), we use Wildcard Mask. Here is an example for Cisco IOS and IOS XE.


ip access-list extended ACL-NAME
 deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22
 permit ip any any


Here is an equivalent ACL example for Cisco IOS XR.


ipv4 access-list ACL-NAME
 deny tcp 172.16.9.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 22
 permit ip any any


All Cisco IOS XR Access Control Lists are “extended, and named” in Cisco IOS’s sense. And we don’t need “extended” keyword in IOS XR commands.

Use Case 2: Selecting interfaces to start Routing Protocols on Cisco IOS, and IOS XE

The “network” commands for OSPFv2 and EIGRP are to select interfaces to start OSPF or EIGRP by interfaces’ IPv4 addresses. For example:


router eigrp 99
 network 192.168.199.0 0.0.0.255

router ospf 1
 network 192.168.201.0 0.0.0.255 area 0


Here, all interfaces with IPv4 addresses covered by “192.168.199.0 0.0.0.255” would be enabled with EIGRP AS 99, and all interfaces with IPv4 addresses covered by “192.168.201.0 0.0.0.255“ would be enabled with OSPF and assigned to area 0.


Just in case you need some help about visualizing Wildcard Masks, you can download an Excel Spreadsheet Wildcard Mask Calculator in this post:

Revised post: Covering Subnet Calculator to understand more about Wildcard Mask

That's all for use cases. We simply don't use Wildcard Masks, in any other scenarios.

NX-OS, ASA, and IPv6 we do not have Wildcard Masks

If you are lucky enough to work on Cisco NX-OS, Cisco ASA alone, you don’t need Wildcard Masks because they are not supported at all on these operating systems.

Or, if you work in IPv6-only world without IPv4, you don’t need Wildcard Masks at all because all IPv6 commands of any Cisco’s operating systems do not use Wildcard Masks at all.

Tamsui River (淡水河) Estuary after sunset.
Tamsui District, New Taipei City, Taiwan.

One more thing…

I always say that we can simply assume Cisco IOS Wildcard Mask are derived by mapping 1s to 0s and 0s to 1s of equivalent subnet mask in binary notation. This brings up a question: why do we need Wildcard Mask at the first place? Why not just reuse IP subnet masks instead of creating new objects like Wildcard Masks?

I don’t have any official information source. In my opinion, “flexibility” might be the cause.

I try to imagine two possible cases. We only want to select IP subnets with “even-number 3rd digits”, or, we want to select any hosts end with number “77”. Here are single line Wildcard Masks to select them out.

Single line Wildcard Mask “192.168.0.0 0.0.254.255” selects IP subnets 192.168.0.0/24, 192.168.2.0/24. 192.168.4.0/24 … 192.168.254.0/24.

Single line Wildcard Mask “192.168.0.77 0.0.255.0” selects 192.168.0.77, 192.168.1.77, 192.168.2.77 … 192.168.255.77.

Subnet masks are not flexible. All subnet masks must begin with contiguous “1”s, and rest of the digits must be “0”s, it is complex to combine many more subnet masks to define the identical selections for above two imaginary examples.

Please don’t get me wrong! I don’t like Wildcard Masks, either. I always avoid Wildcard Masks when managing a network. I do Wildcard Masks only when taking exams. These two imaginary examples are rare in practical networks. Most administrators I know of always group endpoints with IP subnets, instead of confusing even-odd way.


Maybe I will create another post to tell you how I avoid Wildcard Masks!


I am Li-Ji Hong. And this is my blog “Show IP Protocols”. See you next time!