Wildcard Mask Converter

Networking

Input Type

Subnet Mask

What Is a Wildcard Mask?

A wildcard mask is a 32-bit number used in network configurations to specify which bits of an IP address must match exactly and which bits can be any value. It is the bitwise complement of a subnet mask: where the subnet mask has a 1-bit, the wildcard mask has a 0-bit, and vice versa. A 0-bit in a wildcard mask means the corresponding bit in the IP address must match; a 1-bit means it is ignored.

For example, the wildcard mask 0.0.0.255 means the first three octets must match exactly while the last octet can be any value from 0 to 255. This is equivalent to matching an entire /24 subnet. The corresponding subnet mask is 255.255.255.0.

How Wildcard Masks Are Calculated

The simplest formula is: Wildcard Mask = 255.255.255.255 minus the Subnet Mask. You subtract each octet of the subnet mask from 255 to get the corresponding wildcard mask octet. For a subnet mask of 255.255.240.0:

255 - 255 = 0 255 - 255 = 0 255 - 240 = 15 255 - 0 = 255 Result: 0.0.15.255

This is also equivalent to a bitwise NOT of the subnet mask. Converting from CIDR is equally direct: a /24 has 24 network bits and 8 host bits. The wildcard mask for a /24 is 0.0.0.255, where the 8 host bits are represented as ones (all 1s in 8 bits = 255).

Wildcard Masks in Access Control Lists

Wildcard masks are a foundational concept in Cisco IOS access control lists (ACLs). When you write an ACL entry on a Cisco router, you specify an IP address and a wildcard mask to define which addresses the rule applies to. The ACL entry permits or denies traffic where the packet source or destination IP matches the address pattern described by the wildcard mask.

A common use case is permitting an entire subnet. To allow traffic from 10.1.1.0/24, you would write: permit 10.1.1.0 0.0.0.255. The 0.0.0.255 wildcard mask instructs the router to match any address where the first three octets are 10.1.1, regardless of the last octet.

Wildcard masks also allow matching non-contiguous patterns, which subnet masks cannot do. For example, 0.0.0.254 (binary 11111110 in the last octet) matches only even-numbered addresses in a range. This flexibility makes wildcard masks more powerful than subnet masks for access control purposes.

Wildcard Masks in Routing Protocols

OSPF (Open Shortest Path First) uses wildcard masks in its network statements to specify which interfaces should participate in the OSPF process. The syntax is: network [address] [wildcard-mask] area [area-id]. For example, network 192.168.1.0 0.0.0.255 area 0 tells OSPF to enable itself on any interface whose IP address matches the 192.168.1.0 network with a /24 mask.

Similarly, EIGRP uses wildcard masks in its network statements. Understanding how to construct the correct wildcard mask is therefore essential for configuring dynamic routing protocols on Cisco equipment.

Relationship Between Subnet Masks and Wildcard Masks

Subnet masks and wildcard masks are inverses of each other and represent the same information from different perspectives. A subnet mask defines the network boundary: 1-bits identify the network portion and 0-bits identify the host portion. A wildcard mask defines a matching pattern: 0-bits require an exact match and 1-bits allow any value.

When you know one, you can always derive the other. This tool supports conversion from subnet mask to wildcard mask, from CIDR prefix to both, and from wildcard mask back to subnet mask and CIDR (as long as the wildcard mask represents a valid contiguous bit pattern).

Common Wildcard Mask Reference

Some frequently used wildcard masks and their subnet mask equivalents:

/8 = subnet 255.0.0.0 = wildcard 0.255.255.255

/16 = subnet 255.255.0.0 = wildcard 0.0.255.255

/24 = subnet 255.255.255.0 = wildcard 0.0.0.255

/25 = subnet 255.255.255.128 = wildcard 0.0.0.127

/26 = subnet 255.255.255.192 = wildcard 0.0.0.63

/27 = subnet 255.255.255.224 = wildcard 0.0.0.31

/28 = subnet 255.255.255.240 = wildcard 0.0.0.15

/30 = subnet 255.255.255.252 = wildcard 0.0.0.3

/32 = subnet 255.255.255.255 = wildcard 0.0.0.0 (single host)

Host and Any Wildcard Masks

Two special wildcard masks have shorthand keywords in Cisco IOS. The host keyword represents the wildcard mask 0.0.0.0, which requires all 32 bits to match exactly, effectively specifying a single IP address. Writing permit host 10.1.1.1 is equivalent to permit 10.1.1.1 0.0.0.0.

The any keyword represents the wildcard mask 255.255.255.255, which means all bits are ignored and every address matches. Writing permit any is equivalent to permit 0.0.0.0 255.255.255.255. These shorthands improve readability and reduce configuration errors in complex ACLs.

Binary Representation

The binary view shows the 32-bit structure of both the subnet mask and wildcard mask. In the subnet mask, network bits appear as 1s on the left and host bits as 0s on the right. In the wildcard mask, this pattern is exactly inverted: fixed bits appear as 0s and variable bits as 1s.

Understanding the binary representation clarifies why wildcard masks with non-contiguous 1-bits can match non-standard patterns. For instance, 0.0.0.254 in binary is 00000000.00000000.00000000.11111110, which matches addresses where only the last bit is fixed at 0, enabling matching of even-numbered addresses in a range.

Is the Wildcard Mask Converter free?

Yes, Wildcard Mask Converter is totally free :)

Can I use the Wildcard Mask Converter offline?

Yes, you can install the webapp as PWA.

Is it safe to use Wildcard Mask Converter?

Yes, any data related to Wildcard Mask Converter only stored in your browser (if storage required). You can simply clear browser cache to clear all the stored data. We do not store any data on server.

What is a wildcard mask?

A wildcard mask is the bitwise complement (inverse) of a subnet mask. Where the subnet mask has a 1-bit, the wildcard mask has a 0-bit, and vice versa. For example, the subnet mask 255.255.255.0 has a corresponding wildcard mask of 0.0.0.255. A 0-bit in the wildcard mask means that bit must match exactly; a 1-bit means it can be any value.

How is a wildcard mask calculated?

The formula is: Wildcard Mask = 255.255.255.255 minus the Subnet Mask. For each octet, subtract the subnet mask octet from 255. For example, with subnet mask 255.255.240.0: 255-255=0, 255-255=0, 255-240=15, 255-0=255, giving wildcard mask 0.0.15.255. This is equivalent to a bitwise NOT of the subnet mask.

Where are wildcard masks used?

Wildcard masks are commonly used in Cisco router and firewall configurations for access control lists (ACLs), OSPF network statements, and BGP prefix filters. They allow specifying which bits of an IP address must match and which can vary, making them more flexible than subnet masks for defining address ranges in security policies.

What is the difference between a wildcard mask and a subnet mask?

A subnet mask uses 1-bits to indicate the network portion and 0-bits for the host portion. A wildcard mask inverts this: 0-bits indicate bits that must match (the fixed portion) and 1-bits indicate bits that are ignored (the variable portion). They serve different purposes: subnet masks define network boundaries while wildcard masks define matching patterns.

Can I enter a CIDR prefix instead of a subnet mask?

Yes. You can enter a CIDR prefix length such as /24 and the tool will automatically calculate the corresponding subnet mask (255.255.255.0) and wildcard mask (0.0.0.255). The conversion is straightforward: a /24 prefix has 24 network bits and 8 host bits.

Does IPv6 use wildcard masks?

No, IPv6 does not use wildcard masks in the same way as IPv4. IPv6 uses prefix notation exclusively (e.g., /64). Some vendors implement prefix-based matching for IPv6 ACLs, but the concept of a dotted decimal wildcard mask does not apply to IPv6 addressing.