Access List Wildcard Masks

In the standard IP access list that we looked at in the previous example, you learned how to define a rule that would permit or deny access to a single host. In reality, you will probably wish to permit or deny access to a range of hosts rather than just one. Perhaps you’ll want to control access for all of the hosts on a subnet, or maybe just a subset of hosts. Either way, the ability to control access for a group of hosts is accomplished using what is known as a wildcard mask.

A wildcard mask is different from a subnet mask. Defining a wildcard mask is really no more difficult, but the approach is somewhat different. The purpose of the wildcard mask is to specify which group of addresses an access list entry should apply to. For example, imagine that we wanted to create a standard IP access list that would deny inbound access on interface E0 to all hosts on network The access list entry would be:
RouterA(config)#access-list 40 deny

I know that the wildcard mask looks a little confusing. In this case, the wildcard mask is The binary 0s in the mask tell the router that the associated bits in the source address must match exactly. Since the first 3 octets in the wildcard mask are set to binary 0, the router knows that the first three octets must match 192.168.20. The binary 1s in the mask tell the router to match any possible value. Since the last octet in the wildcard mask is all binary 1s, the router knows that any value in the last octet is a match. So, any source address beginning with 192.168.20 would match the access list, and in this case, be denied.

In the same way, consider the example below. It tells the router to permit traffic from hosts with any address that starts with 10.10. Since the last two octets are masked, any source address starting with 10.10 will be a match. In this case, all hosts from to would be permitted access.

RouterA(config)#access-list 40 permit

Recall that a single host can be specified in an access list using either the host command, or a wildcard mask of all 0s. The wildcard mask of all 0s means “match all octets exactly”. In the example below, only host would be denied access.

RouterA(config)#access-list 40 deny
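To make the matching rule concrete, here is an added Python example (not code from the original article) that applies a wildcard mask the way the text describes: every bit that is 0 in the mask must match the base address exactly, every bit that is 1 is ignored. It also walks a small standard access list top-down, first match wins, with the implicit deny that ends every Cisco access list. The access list, addresses and list number are constructed for the example; the 192.168.20.x network and the 10.10.x.x range follow the text, the remaining addresses are assumptions.

```python
import ipaddress


def wildcard_matches(source: str, base: str, wildcard: str) -> bool:
    """Return True if SOURCE matches the access-list entry BASE WILDCARD.

    A 0 bit in the wildcard mask means the corresponding bit of the source
    address must equal the base address exactly; a 1 bit means "any value".
    """
    src = int(ipaddress.IPv4Address(source))
    ref = int(ipaddress.IPv4Address(base))
    mask = int(ipaddress.IPv4Address(wildcard))
    # XOR shows the differing bits; keep only those the mask says must match.
    differing = (src ^ ref) & (~mask & 0xFFFFFFFF)
    return differing == 0


# Constructed standard access list: (action, base address, wildcard mask).
# Order matters: the host entry must come before the broader permit,
# otherwise it would be shadowed and never evaluated.
ACL_40 = [
    ("deny", "192.168.20.0", "0.0.0.255"),    # any address starting with 192.168.20
    ("deny", "10.10.5.7", "0.0.0.0"),         # one host: all octets must match exactly
    ("permit", "10.10.0.0", "0.0.255.255"),   # any address starting with 10.10
]


def evaluate_acl(entries, source: str) -> str:
    """Evaluate a standard access list: first matching entry decides."""
    for action, base, wildcard in entries:
        if wildcard_matches(source, base, wildcard):
            return action
    # Every Cisco access list ends with an implicit "deny any".
    return "deny"


if __name__ == "__main__":
    for addr in ("192.168.20.77", "10.10.5.7", "10.10.5.8", "172.16.0.1"):
        print(f"{addr:<15} -> {evaluate_acl(ACL_40, addr)}")
```

Run it and 192.168.20.77 is denied by the first entry, 10.10.5.7 by the host entry, 10.10.5.8 is permitted by the 10.10 range, and 172.16.0.1 falls through to the implicit deny.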

Things get a bit trickier when you want to block only a certain range of hosts, but not necessarily an entire network or subnet. Before looking at the masking, there is an important rule to remember. When you wish to block only a certain group of hosts, the multiple and starting values must be powers of 2. For example, you can block 2, 4, 8, 16, 32, 64, or 128 hosts, but not, for example, 26. If you think back, this is similar to the rules associated with subnetting.

Defining a custom wildcard mask is different from subnetting, in that the binary 1s move in the opposite direction. Remember that the 1s in a wildcard mask mark the bits of the source address that are allowed to take any value. For example, imagine if we wanted to deny access to a group of 4 addresses starting with In effect, that means that we want to deny access for addresses between and, or 4 addresses total. In this case, the wildcard mask would be At this point, I agree that number looks confusing. A quick look at things in binary will help to make things clearer.

Remember that we want to start at and include 4 addresses. The wildcard mask specifies the bits that the router should consider when attempting to determine which hosts to permit or deny. In this case, the mask is, which is equivalent to the following in binary:

00000000 00000000 00000000 00000011

Notice that only the last two bits are set to 1. What this means is “start at, and include any values for those last two bits”. The figure below outlines what all of the possible values would be for those last two octets.

Figure: Matching address values for when a source address of is specified with a wildcard mask of

The only possible addresses that apply are,,, and In other words, our wildcard mask tells the router that starting with address, allow the last two address bits to be set to any value, and use this as the range to permit or deny traffic.

If you’re looking for an easier way to remember wildcard mask values, you’re in luck. Recall what I said earlier. When grouping ranges of addresses, they must be a valid power of 2. The associated wildcard mask number will always be one less than the value of the range. So, if you want to group 128 addresses together, the associated wildcard mask value would be 127. To group 64 addresses, the wildcard mask value would be 63, and so forth. These values are outlined in the table below:

Address Grouping    Wildcard Mask
1                   0
2                   1
4                   3
8                   7
16                  15
32                  31
64                  63
128                 127
256                 255

Let’s take a closer look at the table. Notice that for a single address, the wildcard mask value is 0. This is consistent with our example of creating a wildcard mask for a single host of

Let’s say that we want to group together 8 addresses starting at Unfortunately we can’t. Why? Because you cannot start with the number 17 – the range must begin at a power of 2. So, let’s start at instead. If we want to deny access to a group of 16 addresses, then the wildcard mask will be one less – 15. In this case, the mask would be This would deny access to all hosts between and If we wanted to add this entry to a standard IP access list, the command would be:

RouterA(config)#access-list 40 deny

The table above can also be used to block bigger ranges. For example, imagine if we wanted to permit access for 32 subnets, those from up to In this case, the wildcard mask must begin in the third octet. Because of this, the wildcard mask becomes Notice that the third octet value is one less than the grouping, and that the last octet is 255. This tells the router that this access list entry applies to hosts with any value between 32 and 63 in the third octet, and any value in the fourth octet. The access list entry would be:

RouterA(config)#access-list 40 permit
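The "one less than the group size" rule above, the power-of-2 requirement, and the 32-subnet case can all be turned into a small helper. The following is an added Python example, not code from the original article: it builds the wildcard mask for a block of addresses, refuses group sizes that are not powers of 2, and refuses a start address that is not aligned to the block (this generalizes the text's 16-versus-17 example: the start must be a multiple of the group size, which is what lets a single contiguous wildcard express the range). The addresses 10.0.0.16 and 172.16.32.0 and the list number 40 are assumptions chosen for the example.

```python
import ipaddress


def is_power_of_two(n: int) -> bool:
    """True for 1, 2, 4, 8, ... (the only valid group sizes)."""
    return n > 0 and (n & (n - 1)) == 0


def wildcard_for_block(start: str, count: int):
    """Return (base, wildcard) covering COUNT consecutive addresses from START.

    Raises ValueError when COUNT is not a power of 2 or START is not aligned
    to a block of COUNT addresses (e.g. 8 addresses from x.x.x.17).
    """
    if not is_power_of_two(count):
        raise ValueError(f"group size {count} is not a power of 2")
    base = int(ipaddress.IPv4Address(start))
    if base % count != 0:
        raise ValueError(f"{start} is not aligned to a block of {count} addresses")
    # The wildcard mask is one less than the block size; in binary that is
    # exactly the run of low-order 1s the router is told to ignore.
    mask = count - 1
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(mask))


def is_expressible(start: str, count: int) -> bool:
    """True if one wildcard entry can describe COUNT addresses from START."""
    try:
        wildcard_for_block(start, count)
        return True
    except ValueError:
        return False


def acl_entry(number: int, action: str, start: str, count: int) -> str:
    """Render a standard access-list line for the block."""
    base, mask = wildcard_for_block(start, count)
    return f"access-list {number} {action} {base} {mask}"


def covered_range(base: str, wildcard: str):
    """First and last address matched by a (contiguous) base/wildcard pair."""
    b = int(ipaddress.IPv4Address(base))
    m = int(ipaddress.IPv4Address(wildcard))
    first = b & (~m & 0xFFFFFFFF)
    last = b | m
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


if __name__ == "__main__":
    # 16 hosts starting at .16 -> mask 0.0.0.15
    print(acl_entry(40, "deny", "10.0.0.16", 16))
    # 32 subnets of 256 addresses each, starting in the third octet -> 0.0.31.255
    print(acl_entry(40, "permit", "172.16.32.0", 32 * 256))
    print(covered_range("172.16.32.0", "0.0.31.255"))
    print(is_expressible("10.0.0.17", 8), is_expressible("10.0.0.0", 26))
```

The 32-subnet case falls out of the same rule once the group is counted in addresses: 32 subnets of 256 addresses is 8192 addresses, and 8191 written as a dotted quad is 0.0.31.255, with the 31 landing in the third octet just as the text describes.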

As you’ll see shortly, wildcard masks can be used in both standard and extended IP access lists.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.