Wildcard Bits explained

When you are studying Cisco and access-lists you will encounter the so-called Wildcard Bits. Most CCNA students find these very confusing so I’m here to help you and explain to you how they work. Let’s take a look at an example access-list:

Router#show access-lists 
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 permit 192.168.2.0, wildcard bits 0.0.0.255
    30 permit 172.16.0.0, wildcard bits 0.0.255.255

Access-lists don’t use subnet masks but wildcard bits. A wildcard mask is the inverse of a subnet mask: in binary, every “0” is replaced by a “1” and vice versa.

Let me show you some examples:



Subnet mask 255.255.255.0 would be 0.0.0.255 as the wildcard mask. To explain this I need to show you some binary:

Bits    128  64  32  16  8  4  2  1
255       1   1   1   1  1  1  1  1

This is the first octet of the subnet mask (255.255.255.0) in binary. As you can see, all bits are set to 1, which makes the decimal number 255.

Bits    128  64  32  16  8  4  2  1
0         0   0   0   0  0  0  0  0

This is also the first octet, but now as wildcard bits. If you want the wildcard equivalent you need to flip the bits: wherever there’s a 1 you change it into a 0, and vice versa. That’s why we now have the decimal number 0.

Let me show you another subnet mask…let’s take 255.255.255.128. What would be the wildcard-equivalent of this? We know the 255.255.255.X part so I’m only showing you the .128 part.

Bits    128  64  32  16  8  4  2  1
128       1   0   0   0  0  0  0  0

That’s the last octet of our subnet mask, let’s flip the bits:

  • Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Having trouble with the following example: Not clear why A and C are the correct answers.

    A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)

    A. access-list 10 permit ip 192.168.146.0 0.0.1.255
    B. access-list 10 permit ip 192.168.147.0 0.0.255.255
    C. access-list 10 permit ip 192.168.148.0 0.0.1.255
    D. access-list 10 permit ip 192.168.149.0 0.0.255.255


  3. Hi Donald,

    You can do some funny things with wildcard masks, you can even match networks that are not contiguous. Something to keep in mind is that your first network has to be an even number. Example #1:

    148 – 10010100
    149 – 10010101

    In this case the first 7 bits are the same, so you can use wildcard 00000001.

    Example #2:

    149 - 10010101
    150 - 10010110

    Only the first 6 bits are the same, so the wildcard would be 00000011. The problem with this wildcard is that it will match 4 networks:

    148 - 10010100
    149 - 10010101
    150 - 10010110
    151 - 10010111

    These 4 networks have

    ... Continue reading in our forum

  4. Just to add to Rene’s comments above, the other reason to choose a wildcard mask over a subnet mask is that subnet masks have a contiguous number of bits for the network and host portions. For example, a subnet mask of 255.255.255.0 is 11111111.11111111.11111111.00000000. You can never have a subnet mask of 11110111.00111111.11110111.00000000; however, this is not the case with wildcard masks. With a wildcard mask we can turn bits on and off where we want to and therefore have a great deal of flexibility over what we want to match. You can get really creat

    ... Continue reading in our forum
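The wildcard matching described in the lesson and in the replies above, as an added example that is not part of the original page or of any forum post: a wildcard bit of 0 means the address bit must equal the ACL entry's bit, and a 1 means the bit is ignored. The function names and the candidate list are assumptions made for illustration; entries A, B and C are the quiz options quoted above, and the last two entries are constructed.

```python
import ipaddress

def to_int(dotted):
    """Dotted-decimal string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def mask_to_wildcard(mask):
    """Flip every bit of a subnet mask to get its wildcard equivalent."""
    return str(ipaddress.IPv4Address(to_int(mask) ^ 0xFFFFFFFF))

def acl_match(address, base, wildcard):
    """True if address equals base on every bit where the wildcard is 0."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(base) & care)

def permitted_networks(entries, candidates):
    """Candidates permitted by at least one (base, wildcard) entry."""
    return [n for n in candidates
            if any(acl_match(n, base, wc) for base, wc in entries)]

# Constructed candidate list: every 192.168.X.0 network, X = 0..255.
CANDIDATES = [f"192.168.{x}.0" for x in range(256)]

# Quiz options from the forum question (base address, wildcard).
A = ("192.168.146.0", "0.0.1.255")
B = ("192.168.147.0", "0.0.255.255")
C = ("192.168.148.0", "0.0.1.255")

# Constructed entries: the 149/150 case from the reply above, and a
# non-contiguous wildcard that ignores only one bit of the third octet.
SIX_BITS = ("192.168.149.0", "0.0.3.255")
NON_CONTIGUOUS = ("192.168.144.0", "0.0.2.255")

if __name__ == "__main__":
    print("255.255.255.0 ->", mask_to_wildcard("255.255.255.0"))
    print("A + C permit:", permitted_networks([A, C], CANDIDATES))
    print("B alone permits", len(permitted_networks([B], CANDIDATES)),
          "of the 256 candidate networks")
    print("149.0 0.0.3.255 permits:",
          permitted_networks([SIX_BITS], CANDIDATES))
    print("144.0 0.0.2.255 permits:",
          permitted_networks([NON_CONTIGUOUS], CANDIDATES))
```

Listing what an entry permits before applying it makes an over-broad wildcard visible: option B alone admits every 192.168.X.0 network, not only the four in the question.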
