Wildcard Masks
Lab Objectives
- Learn how to calculate a wildcard mask (the inverse of a subnet mask) and why it matters for access lists.
- Build simple standard access control lists (ACLs) using wildcard masks to permit specific networks and hosts from the base topology.
- Verify ACL entries and confirm the wildcard mask is correctly applied.
Tip: A wildcard mask tells the router which bits to ignore when matching an IP address. Think of it as a "don't-care" mask — bits set to 1 mean "ignore this bit", bits set to 0 mean "match this bit exactly".
ASCII Topology (BASE LAB TOPOLOGY — exact IPs on every interface)
[Internet]
203.0.113.1
|
R1 (Gateway)
Gi0/0: 10.10.10.1 Gi0/1: 10.10.20.1 Gi0/2: 10.10.30.1
/ | \
R2 R3 R4
Gi0/0: 10.10.10.2 | Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1 |
/ \ |
S1 S2 S3
/ \ | /
PC1 PC2 PC3 PC4 PC5
IP SCHEME (exact networks to be used in this lesson)
- 10.10.10.0/24 — R1-R2 link
- 10.10.20.0/24 — R1-R3 link
- 10.10.30.0/24 — R1-R4 link
- 10.10.40.0/24 — R2-S1 link
- 192.168.1.0/24 — VLAN 10 (Sales)
- 192.168.2.0/24 — VLAN 20 (Engineering)
- 192.168.3.0/24 — VLAN 30 (Management)
- 203.0.113.0/24 — Public/Internet simulation
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use `?` and `show` commands to figure it out.
Task 1: Create an ACL permitting the Sales network
On R1, create a standard ACL that permits the Sales VLAN (192.168.1.0/24). Calculate the correct wildcard mask (do not apply the ACL to an interface yet).
Task 2: Create an ACL permitting a single host
On R1, create a standard ACL that permits only the R1 Gi0/0 address (10.10.10.1). Use the wildcard mask that matches exactly that host.
Task 3: Create an ACL permitting two networks
On R1, create a single standard ACL with two permit statements: permit 10.10.20.0/24 and permit 10.10.30.0/24. Use the correct wildcard masks.
Think About It: Why does a wildcard mask of 0.0.0.255 match an entire /24 network, and how would you change the mask if you wanted to match only half of that /24 (a /25)?
Lab Solution
Task 1 Solution: Create an ACL permitting the Sales network
What we are doing: We will create a standard ACL entry that permits the network 192.168.1.0/24. For ACLs the router expects a network address plus a wildcard mask — the inverse of the subnet mask. For /24 the subnet mask is 255.255.255.0, so the wildcard mask is 0.0.0.255.
```
! On R1 - creating standard ACL 10 to permit 192.168.1.0/24
access-list 10 permit 192.168.1.0 0.0.0.255
```
What just happened:
`access-list 10 permit 192.168.1.0 0.0.0.255` — creates a standard numbered ACL (10) and adds a permit entry for any IP address whose first three octets match 192.168.1 and whose last octet can be any value (wildcard 255 means "ignore these bits"). This is equivalent to permitting 192.168.1.0/24.
Verify:
```
show access-lists
```
Expected output (complete, not abbreviated):
```
Standard IP access list 10
    10 permit 192.168.1.0 0.0.0.255 (hitcnt=0)
```
Why this matters: In production you would use such ACLs to permit or deny traffic from an entire subnet (for example, permitting Sales to access a resource). The wildcard mask must match the network you intend — get it wrong and you may permit or deny the wrong hosts.
Task 2 Solution: Create an ACL permitting a single host
What we are doing: Permit exactly R1's Gi0/0 IP (10.10.10.1). To match a single host, the wildcard mask is 0.0.0.0 (means every bit must match exactly).
```
! On R1 - permit only host 10.10.10.1
access-list 11 permit 10.10.10.1 0.0.0.0
```
What just happened:
`access-list 11 permit 10.10.10.1 0.0.0.0` — creates ACL 11 and a permit entry that matches only the single IPv4 address 10.10.10.1. A wildcard of 0.0.0.0 means "match all bits exactly".
Verify:
```
show access-lists
```
Expected output appended to previous:
```
Standard IP access list 11
    10 permit 10.10.10.1 0.0.0.0 (hitcnt=0)
```
Real-world context: Use a host-specific wildcard when you need to allow management access from a single device (for example, only a particular NMS server).
Task 3 Solution: Create an ACL permitting two networks
What we are doing: Create an ACL that permits both 10.10.20.0/24 and 10.10.30.0/24. Each /24 uses wildcard 0.0.0.255.
```
! On R1 - ACL 12 permits 10.10.20.0/24 and 10.10.30.0/24
access-list 12 permit 10.10.20.0 0.0.0.255
access-list 12 permit 10.10.30.0 0.0.0.255
```
What just happened:
- Two statements were added to ACL 12. Each permit line allows traffic where the first three octets match the given network and the final octet is ignored (can be any value).
Verify:
```
show access-lists
```
Expected output appended:
```
Standard IP access list 12
    10 permit 10.10.20.0 0.0.0.255 (hitcnt=0)
    20 permit 10.10.30.0 0.0.0.255 (hitcnt=0)
```
Why this matters: Grouping related permit statements into one ACL is commonly done to simplify management. The router evaluates ACL entries top-down — the first matching entry applies.
Troubleshooting Scenario
Scenario: Wildcard mask reversed
Symptom: You created an ACL to permit 192.168.1.0/24 but many unrelated hosts are being permitted.
Your task: Find and fix the issue.
Hint: Look at how you entered the wildcard mask — remember wildcard = inverse(subnet mask).
Solution:
- Show the ACL and check the wildcard mask:
```
show access-lists 10
```
- If the entry was entered as `access-list 10 permit 192.168.1.0 255.255.255.0`, the subnet mask was used in place of the wildcard. With a wildcard of 255.255.255.0 the router ignores the first three octets and only requires the last octet to match 0, so an address ending in .0 from any network is permitted while the actual Sales hosts (192.168.1.1 through 192.168.1.254) are not matched at all. Whenever the wildcard is entered backwards, the bits you meant to fix become "don't care" and the bits you meant to ignore become mandatory, so the entry matches addresses you never intended.
- Fix by removing and re-adding with the correct wildcard:
```
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
```
- Verify:
```
show access-lists 10
```
Warning: A wrong wildcard mask can either be too permissive or too restrictive. Always calculate wildcard as bitwise NOT of subnet mask.
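The following script is an added example, not part of the lab: it computes wildcard masks from a prefix length (the formula from Task 1 and the final note, generalized to any /n), evaluates a standard ACL top-down with first match wins and an implicit deny (Task 3), and shows why the reversed mask from the troubleshooting scenario permits the wrong addresses. The ACL lists and test addresses are constructed from the lab's own networks.

```python
# Added example (not the lab's own code): wildcard math and standard-ACL
# matching done the way a router does it, using only the standard library.
import ipaddress

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask = bitwise NOT of the subnet mask for a /prefix_len."""
    subnet_mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))

def matches(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches 'network wildcard': every bit where the wildcard
    is 0 must equal the same bit of network; wildcard-1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def normalize(network: str, wildcard: str) -> str:
    """Address as the router effectively stores it: every bit under a
    wildcard 1 is zeroed, which is why a reversed mask shows up as 0.0.0.0."""
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(n & ~w & 0xFFFFFFFF))

def evaluate(acl, addr: str) -> str:
    """acl is a list of (action, network, wildcard) in configured order.
    Entries are checked top-down; the first hit decides; no hit = implicit deny."""
    for action, network, wildcard in acl:
        if matches(addr, network, wildcard):
            return action
    return "deny"

# Constructed from the lab: Task 1 entry, the reversed-mask mistake, and ACL 12.
ACL_10_OK = [("permit", "192.168.1.0", "0.0.0.255")]
ACL_10_BAD = [("permit", "192.168.1.0", "255.255.255.0")]
ACL_12 = [("permit", "10.10.20.0", "0.0.0.255"),
          ("permit", "10.10.30.0", "0.0.0.255")]

if __name__ == "__main__":
    print("/24 ->", wildcard_from_prefix(24), " /32 ->", wildcard_from_prefix(32))
    for label, acl in (("correct", ACL_10_OK), ("reversed", ACL_10_BAD)):
        print(label, "stored as", normalize(*acl[0][1:]),
              "| 192.168.1.77:", evaluate(acl, "192.168.1.77"),
              "| 10.10.40.0:", evaluate(acl, "10.10.40.0"))
    print("ACL 12, 10.10.30.9:", evaluate(ACL_12, "10.10.30.9"),
          "| 10.10.40.1:", evaluate(ACL_12, "10.10.40.1"))
```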
Verification Checklist
- ACL 10 exists and permits 192.168.1.0 with wildcard 0.0.0.255
- ACL 11 exists and permits host 10.10.10.1 with wildcard 0.0.0.0
- ACL 12 exists and has two permit statements for 10.10.20.0 and 10.10.30.0 with wildcards 0.0.0.255
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| ACL permits the wrong hosts | Used subnet mask instead of wildcard (e.g., 255.255.255.0 instead of 0.0.0.255) | Replace with correct wildcard (wildcard = inverse of subnet mask) |
| ACL matches nothing | Used an incorrect network address (not the network base) | Ensure you use the network base (e.g., 192.168.1.0 for /24) with correct wildcard |
| Unexpected traffic allowed | ACL not applied where expected (or applied in wrong direction) | Confirm application (if applied) with show run and verify interface direction |
Challenge Task
Create a single standard ACL on R1 that permits:
- All hosts in Sales (192.168.1.0/24)
- A single management host 10.10.30.2
- Deny all other traffic from 192.168.0.0/16 but still allow the two permitted entries above
Do this without step-by-step guidance — calculate the required wildcard masks and the correct ACL order to achieve the policy. Verify with show access-lists.
Important final note: Always remember the basic formula — Wildcard mask = 255.255.255.255 - Subnet mask (bitwise inversion). For a /24 (255.255.255.0) the wildcard is 0.0.0.255; for a host (/32) the wildcard is 0.0.0.0.