ACL Wildcard Mask Calculator
Calculate IPv4 ACL wildcard masks from CIDR, subnet, host, or any entries, then review ACE lines, match size, overlaps, and broad matches.
A short access control list entry can match one host, a department subnet, a regional aggregate, or the whole IPv4 address space. In Cisco IOS-style ACLs, the wildcard mask is the address-test field that decides which packet-address bits must match the configured address and which bits may vary.
The wildcard rule reverses the subnet-mask habit many network engineers learn first. A zero bit in a wildcard means the packet address must match the configured bit. A one bit means that bit is ignored. That inverted reading is why the familiar subnet mask 255.255.255.0 turns into the ACL wildcard 0.0.0.255.
- Subnet mask: uses one bits for the fixed network portion and zero bits for the host portion.
- Wildcard mask: uses zero bits for the part that must match and one bits for the part that can vary.
- Match size: counts how many IPv4 addresses can satisfy the bit test, from one host to 4,294,967,296 addresses.
Wildcard masks matter most during change review. Notes copied from diagrams, tickets, and old device configs may use CIDR notation, a normal dotted subnet mask, a dotted wildcard mask, the host keyword, or any. Those forms can describe the same address test, but they are not equally easy to audit. A line that looks narrow in dotted decimal can still match a large aggregate or a non-contiguous bit pattern.
Contiguous wildcards map neatly to CIDR-style ranges because the ignored bits sit at the low end of the address. Non-contiguous wildcards do not. A mask such as 0.0.254.255 is a bit test, not one ordinary subnet. Cisco-style ACLs can use that kind of pattern, but it deserves closer review because dotted decimal hides which addresses will match.
The wildcard is only the address test. Final traffic behavior also depends on permit or deny action, rule order, protocol and port fields, source versus destination position, interface direction, platform syntax, and neighboring entries that match before or after the line.
How to Use This Tool:
Use the first pass to turn mixed address notes into consistent ACL targets, then use the audit outputs to decide whether each entry is narrow enough and ordered carefully enough for the change you are reviewing.
- Choose ACL action and ACL line prefix to shape the generated IOS ACE text. Permit and deny change the line text, not the wildcard calculation.
- Keep Mask interpretation on Auto detect dotted masks for mixed notes. Force subnet-mask mode or wildcard-mask mode when every dotted value in the list should be read the same way.
- Paste one IPv4 entry per line in Networks and ACL patterns. The input accepts CIDR, address plus subnet mask, address plus wildcard mask, host, and any forms in one list.
- Fix any Network input needs attention message before using the generated lines. Invalid IPv4 octets, non-contiguous forced subnet masks, malformed rows, and lists over the processing limit are reported with enough detail to find the bad entry.
- Review ACE Lines for generated targets, Wildcard Math for binary and match-size checks, and Match Audit for broad, duplicate, covered, or overlapping entries.
- Open ACL Address Coverage when entries differ widely in match size. The chart makes a single host, a /24, a /8, and any visibly different before you copy a rule.
If you need Cisco shorthand, switch ACE target style to use host and any. The shorthand appears only when the wildcard exactly matches a single host or the all-address pattern.
Interpreting Results:
Start with Wildcard, Match size, and Severity. A wildcard of 0.0.0.0 fixes all 32 bits and matches one host. A wildcard of 255.255.255.255 ignores all 32 bits and matches every IPv4 address. Broad contiguous prefixes such as /8 or /16 can be valid, but they should not appear by accident in a source ACL.
Match Audit is a review aid, not proof that a deployed ACL is safe. A clean audit means the entered patterns did not trigger the broadness, overlap, duplicate, non-contiguous, or normalization checks shown by the page. It does not verify sequence numbers, interface direction, protocol fields, object groups, platform defaults, or entries that are already on the device.
Take normalization seriously. If the generated target differs from the raw input, host bits were removed from a CIDR or contiguous subnet-style entry before the ACL target was generated. Copy the normalized ACL target and keep the Wildcard Math row with the change record so the reviewed address, wildcard, ignored-bit count, and match form stay explicit.
Treat overlap findings as rule-order prompts. A broader earlier match can make a narrower later match unreachable when the actions differ, while a narrower earlier match may be an intentional exception before a broader catch-all.
Technical Details:
IPv4 addresses are 32-bit values written as four decimal octets. CIDR notation makes the number of fixed leading bits explicit with a slash prefix from /0 through /32. A subnet mask writes that same continuous boundary with one bits for the fixed portion and zero bits for the host portion.
An ACL wildcard mask reverses the reading. The care mask is the bitwise inverse of the wildcard. A candidate packet address matches when every cared-about bit equals the configured ACL address after both values are masked. The ignored bits determine how many addresses can match the pattern, so one extra wildcard bit doubles the possible match size.
Contiguous wildcards behave like ordinary CIDR ranges because all ignored bits sit at the low end of the 32-bit address. Non-contiguous wildcards are different. They can match a set of addresses that share selected bits without forming one continuous range, which is why they need a bit-level review instead of a subnet-only review.
Formula Core:
For 10.10.20.0/24, the subnet mask is 255.255.255.0. Inverting it gives 0.0.0.255. The wildcard has eight ignored bits, so the match size is 2^8, or 256 IPv4 addresses.
| Input form | Interpretation | Important boundary |
|---|---|---|
| 10.10.20.0/24 | CIDR prefix defines a contiguous subnet mask, which is inverted to a wildcard. | Host bits are normalized to the network base. |
| 10.10.30.0 255.255.255.0 | Dotted subnet mask defines the same continuous prefix boundary. | Forced subnet-mask mode rejects non-contiguous dotted subnet masks. |
| 172.16.8.0 0.0.7.255 | Dotted wildcard mask is used directly as the ACL match mask. | Contiguous wildcards can still be summarized as a CIDR-style match form. |
| host 198.51.100.42 | Single-host match with wildcard 0.0.0.0. | All 32 bits are fixed, so the match size is 1. |
| any | All-address match with wildcard 255.255.255.255. | No bits are fixed, so the match size is 4,294,967,296. |
Automatic dotted-mask detection uses a conservative heuristic. A contiguous dotted value whose first octet is at least 128 is treated as a subnet mask, except for all-zero and all-one edge values. Other dotted values are treated as wildcard masks. Forcing the parse mode removes that guess from the review when the pasted list is known to use one format.
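As an added example (not the calculator's own code), the following Python implements the parsing and wildcard math described in the Formula Core table and the dotted-mask auto-detect rule above; the function names, the mode values and the returned field names are my own choices.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def ip_to_int(s):
    return int(ipaddress.IPv4Address(s))

def is_contiguous_wildcard(w):
    # Ignored bits form one run at the low end: 0.0.7.255 passes, 0.0.254.255 fails.
    return (w & (w + 1)) == 0

def classify_dotted_mask(mask, mode="auto"):
    """'subnet' or 'wildcard' for a dotted mask, using the page's auto-detect rule."""
    if mode != "auto":
        return mode
    m = ip_to_int(mask)
    if is_contiguous_wildcard(~m & MASK32) and (m >> 24) >= 128 and m not in (0, MASK32):
        return "subnet"
    return "wildcard"

def parse_entry(line, mode="auto"):
    """One input line -> normalized ACL target plus the Wildcard Math fields."""
    parts = line.split()
    if parts == ["any"]:
        addr, wc = 0, MASK32
    elif len(parts) == 2 and parts[0] == "host":
        addr, wc = ip_to_int(parts[1]), 0
    elif len(parts) == 1 and "/" in parts[0]:
        net = ipaddress.IPv4Network(parts[0], strict=False)  # drops host bits
        addr, wc = int(net.network_address), ~int(net.netmask) & MASK32
    elif len(parts) == 2 and classify_dotted_mask(parts[1], mode) == "subnet":
        addr, wc = ip_to_int(parts[0]), ~ip_to_int(parts[1]) & MASK32
        if not is_contiguous_wildcard(wc):
            raise ValueError(f"non-contiguous subnet mask: {parts[1]}")
        addr &= ~wc & MASK32  # normalize to the network base
    elif len(parts) == 2:
        addr, wc = ip_to_int(parts[0]), ip_to_int(parts[1])  # wildcard used as typed
    else:
        raise ValueError(f"malformed entry: {line!r}")
    ignored = bin(wc).count("1")  # each ignored bit doubles the match size
    target = f"{ipaddress.IPv4Address(addr)} {ipaddress.IPv4Address(wc)}"
    form = f"/{32 - ignored}" if is_contiguous_wildcard(wc) else "bit pattern"
    return {"target": target, "wildcard": target.split()[1], "ignored_bits": ignored,
            "match_size": 1 << ignored, "match_form": form}

def matches(entry_addr, wildcard, candidate):
    """The ACL bit test: every non-ignored bit of the candidate must equal the entry."""
    care = ~ip_to_int(wildcard) & MASK32
    return (ip_to_int(entry_addr) ^ ip_to_int(candidate)) & care == 0
```

With `10.1.2.0 0.0.254.255`, `matches` shows why the bit pattern is not one subnet: 10.1.200.7 matches (third octet even) while 10.1.3.5 does not.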
| Audit condition | Severity | Reason to review |
|---|---|---|
| any or wildcard 255.255.255.255 | Critical | The entry matches the whole IPv4 address space. |
| Contiguous prefix /0 through /8 | High | The source match is extremely broad for most ACL changes. |
| Contiguous prefix /9 through /16 | Review | The aggregate may be valid, but the action should apply to the full range. |
| Non-contiguous wildcard | Review | The match is a bit pattern rather than one CIDR block. |
| Duplicate, covered, covering, or overlapping earlier line | Review or Info | ACL order can make later entries redundant or hide narrower exceptions. |
Limitations and Safety Notes:
The output checks address-match scope only. It does not inspect a live device, confirm platform-specific syntax, test packet counters, or simulate the full ACL after it is applied to an interface or line. Use it as a pre-change review aid, then verify the final configuration on the target platform.
Only IPv4 address patterns are handled. IPv6 ACLs, object groups, named service groups, time ranges, logging behavior, route-map logic, and protocol or port fields need separate review.
The calculator processes the entered patterns in the browser after the page is loaded. Avoid putting confidential production ACLs into shared links, screenshots, tickets, or exported files unless your own change process allows that disclosure.
Large pasted lists are capped at 128 non-blank entries. When that warning appears, split the review into smaller sets so every rule is audited intentionally.
Worked Examples:
A normal /24 source range
Entering 10.10.20.0/24 produces an ACL target of 10.10.20.0 0.0.0.255. Wildcard Math shows eight ignored bits and a Match size of 256, so the line covers the addresses from 10.10.20.0 through 10.10.20.255.
A host entered with shorthand
Entering host 198.51.100.42 produces wildcard 0.0.0.0 and Match size 1. The audit may add an info row that this is a single-host match. If ACE target style is set to Cisco shorthand, the generated target stays in host form.
A non-contiguous wildcard
Entering 10.1.2.0 0.0.254.255 keeps the wildcard as an explicit bit pattern instead of turning it into one CIDR block. Match Audit marks the line for review because the matched addresses are not one ordinary continuous subnet.
A broad line that hides a later exception
If any appears before host 198.51.100.42, Match Audit flags the all-address line as Critical and can also report that the host line is covered by the broader earlier line. That does not prove the ACL is wrong, but it is the cue to verify sequence order and action before applying the change.
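An added Python example (not the calculator's code) of the Match Audit rules from the audit table and of the covered-host case just described. It takes ACL targets already in "address wildcard" form; the function names are mine, and assigning Review to duplicate or covered lines and Info to covering or overlapping lines is my choice between the two values the table allows.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def to_bits(target):
    """'10.10.20.0 0.0.0.255' or 'any' -> (address, wildcard) as 32-bit ints."""
    if target.strip() == "any":
        return 0, MASK32
    addr, wc = target.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wc))

def broadness(wc):
    """Severity for one entry's match size, following the page's audit table."""
    if wc == MASK32:
        return "Critical", "matches the whole IPv4 address space"
    if wc & (wc + 1):  # ignored bits are not one low-end run
        return "Review", "non-contiguous wildcard is a bit pattern, not one CIDR block"
    prefix = 32 - bin(wc).count("1")
    if prefix <= 8:
        return "High", f"/{prefix} source match is extremely broad"
    if prefix <= 16:
        return "Review", f"/{prefix} aggregate; the action must suit the full range"

def relation(earlier, later):
    """How a later (address, wildcard) relates to an earlier one, or None if disjoint."""
    (a1, w1), (a2, w2) = earlier, later
    c1, c2 = ~w1 & MASK32, ~w2 & MASK32  # care masks: the bits each entry fixes
    if (a1 ^ a2) & c1 & c2:
        return None  # a bit both entries fix has different values
    if w1 == w2:
        return "duplicate"
    if w2 & c1 == 0:  # later fixes every bit the earlier fixes: later sits inside earlier
        return "covered"
    if w1 & c2 == 0:
        return "covering"
    return "overlapping"

def audit(targets):
    """Return (line, severity, finding) tuples for a list of ACL targets in order."""
    parsed = [to_bits(t) for t in targets]
    findings = []
    for i, entry in enumerate(parsed, 1):
        if (b := broadness(entry[1])):
            findings.append((i, b[0], b[1]))
        for j in range(i - 1):
            rel = relation(parsed[j], entry)
            if rel:  # covered/duplicate lines may be unreachable; covering may be an exception
                sev = "Review" if rel in ("duplicate", "covered") else "Info"
                findings.append((i, sev, f"{rel} relative to earlier line {j + 1}"))
    return findings
```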
A malformed dotted value
If a line has an invalid IPv4 octet or a forced subnet mask with non-contiguous one bits, the error list names the line that needs attention. Fix the input before using the IOS ACE output, because partially parsed lists can hide the rule that actually needs review.
FAQ:
Is a wildcard mask the same as a subnet mask?
No. A subnet mask uses one bits for the fixed network portion. An ACL wildcard uses zero bits for the bits that must match, so the wildcard is the inverse of the subnet mask for contiguous prefixes.
When should I force subnet-mask or wildcard-mask mode?
Use forced mode when the pasted list comes from one known format. Auto mode is useful for mixed notes, but a forced mode is clearer when every dotted value should be read as a normal subnet mask or every dotted value should be read as an ACL wildcard.
Why does the calculator allow non-contiguous wildcards?
Cisco-style wildcard masks can represent non-contiguous bit tests. The result is valid as a bit pattern, but the Match Audit marks it for review because it cannot be read as one ordinary CIDR range.
Why did my address change in the generated target?
For CIDR and contiguous subnet-style matches, host bits are normalized to the network base. Use the generated ACL target when you want the canonical network form instead of the raw typed address.
What does Network input needs attention mean?
One or more lines could not be parsed cleanly. Check the line number in the message for invalid IPv4 octets, missing masks, malformed host entries, non-contiguous forced subnet masks, or a pasted list longer than the entry limit.
What should I check after copying an ACE line?
Check rule order, action, protocol, interface direction, and existing ACL entries on the device. The wildcard result verifies the address match pattern, not the full behavior of a deployed access list.