Wildcard Mask Calculator
Convert a subnet mask or CIDR prefix to its inverse wildcard mask (used in ACLs and OSPF) โ and convert a wildcard mask back to a subnet mask and prefix. All in your browser.
Subnet mask vs. wildcard mask
A wildcard mask is the bitwise inverse of a subnet mask. Both are 32-bit values written in dotted-decimal, but they read in opposite directions. In a subnet mask a 1 bit means “this bit is part of the network,” while in a wildcard mask a 0 bit means “this bit must match” and a 1 bit means “don’t care.” That is why a /24 โ subnet mask 255.255.255.0 โ has the wildcard mask 0.0.0.255: the first three octets must match exactly and the last octet is free to be anything.
The arithmetic is easy to do by hand: subtract each octet of the subnet mask from 255. So 255.255.240.0 becomes 0.0.15.255, and 255.255.255.252 (a /30) becomes 0.0.0.3. This calculator accepts any of the three representations โ prefix, subnet mask, or wildcard โ and fills in the rest, validating that a mask you type is actually contiguous.
OSPF and ACLs on Cisco IOS take wildcard masks, not subnet masks. access-list 10 permit 10.1.1.0 0.0.0.255 matches every host in 10.1.1.0/24, and network 10.1.1.0 0.0.0.255 area 0 advertises that same range into OSPF area 0. A wildcard of 0.0.0.0 matches a single host; 255.255.255.255 (often written any) matches everything.
If the underlying concept of “network bits” versus “host bits” is still fuzzy, our explainer on what a subnet mask is walks through it with worked examples, and the broader what is an IP address guide gives the foundation. Once you have your wildcard, you may want to test which hosts a rule actually covers with the IP in Subnet Checker, or roll several rules into fewer blocks using the CIDR Aggregator.
Everything here is computed locally in JavaScript โ no data is transmitted โ so it is safe to paste production ACL masks and iterate quickly.
Frequently asked questions
What is a wildcard mask?
A wildcard mask is the bitwise inverse of a subnet mask. Where a subnet mask uses 1 bits to mark the network portion, a wildcard mask uses 0 bits to mean “must match” and 1 bits to mean “don’t care.” A /24 subnet mask of 255.255.255.0 has a wildcard mask of 0.0.0.255.
How do I calculate a wildcard mask from a subnet mask?
Subtract each octet of the subnet mask from 255. For 255.255.255.0 that gives 0.0.0.255, and for 255.255.240.0 it gives 0.0.15.255. This tool does the subtraction for you and also accepts a CIDR prefix such as /26.
Where are wildcard masks used?
Wildcard masks appear in Cisco IOS access-control lists and in OSPF network statements. For example, network 10.1.1.0 0.0.0.255 area 0 tells OSPF to match any address whose first three octets are 10.1.1. They are also used in route maps and other match conditions.
Do wildcard bits have to be contiguous?
For a mask that corresponds to a normal subnet the wildcard bits are contiguous, but Cisco ACLs allow non-contiguous wildcard bits so you can match patterns such as odd or even addresses. This calculator focuses on the contiguous case that maps cleanly to a CIDR prefix.
Want the theory? Read the guides โ ยท Visit the zoo โ