Saturday, February 22, 2020

Wildcard Bits explained

When you are studying Cisco and access-lists you will encounter the so-called Wildcard Bits. Most CCNA students find these very confusing so I’m here to help you and explain to you how they work. Let’s take a look at an example access-list:
Router#show access-lists 
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255
    20 permit 192.168.2.0, wildcard bits 0.0.0.255
    30 permit 172.16.0.0, wildcard bits 0.0.255.255
Access-lists don’t use subnet masks but wildcard bits. Compared with a subnet mask the bits are inverted: in binary a “0” will be replaced by a “1” and vice versa.
Let me show you some examples:
Subnet mask 255.255.255.0 would be 0.0.0.255 as the wildcard mask. To explain this I need to show you some binary:
Bits  128  64  32  16   8   4   2   1
255     1   1   1   1   1   1   1   1
This is the first octet of the subnet mask (255.255.255.0) in binary. As you can see, all values have a 1, making the decimal number 255.
Bits  128  64  32  16   8   4   2   1
0       0   0   0   0   0   0   0   0
This is also the first octet but now with wildcard bits. If you want the wildcard-equivalent you need to flip the bits: if there’s a 1 you need to change it into a 0. That’s why we now have the decimal number 0.
Let me show you another subnet mask…let’s take 255.255.255.128. What would be the wildcard-equivalent of this? We know the 255.255.255.X part so I’m only showing you the .128 part.
Bits  128  64  32  16   8   4   2   1
128     1   0   0   0   0   0   0   0
That’s the last octet of our subnet mask, let’s flip the bits:
Bits  128  64  32  16   8   4   2   1
127     0   1   1   1   1   1   1   1
Just flip the bits over and this is the wildcard-equivalent. This gives us the decimal number 127.
The subnet mask 255.255.255.128 will be 0.0.0.127 as a wildcard.
Just one more!
Subnet mask 255.255.255.224…what is the wildcard?
Bits  128  64  32  16   8   4   2   1
224     1   1   1   0   0   0   0   0
Flip those bits!
Bits  128  64  32  16   8   4   2   1
31      0   0   0   1   1   1   1   1
Our wildcard will be 0.0.0.31.
Are you following me? It will take some practice by configuring access-lists to become familiar with these wildcards.

