ACL Wildcard Mask Calculator
Calculate ACL wildcard masks online from IPv4 CIDR prefixes, dotted subnet masks, host lines, or any entries, then audit the match size before writing Cisco ACEs.
ACL wildcard masks describe which IPv4 address bits must match and which bits can be ignored when an access control entry is evaluated. They look similar to subnet masks, but the meaning is inverted: a zero bit is checked, and a one bit is ignored. That inversion is easy to misread when a ticket, router configuration, and subnet plan use different notation for the same source range.
Wildcard conversion matters because an access list can permit or deny far more addresses than the line appears to cover at first glance. A common /24 subnet becomes 0.0.0.255, which means the first 24 bits must match and the final 8 bits can vary. A single host becomes 0.0.0.0, and an all-address match becomes 255.255.255.255.
Wildcard masks also allow non-contiguous bit patterns. That is useful for some Cisco IOS access-list designs, but it changes the mental model from a neat CIDR range to a bit match. A line such as 10.1.2.0 0.0.254.255 is not the same kind of object as 10.1.2.0/24; it matches addresses by selected bit positions rather than by one continuous prefix boundary.
The safest habit is to read a wildcard line as a match test, not as proof that an ACL is correct. Action, order, interface direction, protocol, and surrounding entries still decide what traffic is actually allowed or denied.
Technical Details:
IPv4 uses 32 address bits. CIDR notation marks a continuous run of leading network bits with a slash prefix from /0 through /32. A subnet mask writes the same boundary in dotted decimal, with one bits for the fixed network portion and zero bits for the remaining host portion.
An ACL wildcard mask inverts that subnet-mask meaning. The care mask is the bitwise inverse of the wildcard. A packet source matches when every cared-about bit equals the configured address bit. Ignored bits may be zero or one in the candidate address without changing the match.
Rule Core
The core transformations are small, but they are worth keeping explicit because one broad wildcard can affect millions of addresses.
For 10.10.20.0/24, the subnet mask is 255.255.255.0. Inverting that mask gives 0.0.0.255. The final octet has eight one bits in the wildcard, so the match size is 2^8, or 256 IPv4 addresses.
| Input form | Interpretation | Important boundary |
|---|---|---|
| 10.10.20.0/24 | CIDR prefix defines the subnet mask, which is inverted to a wildcard. | Host bits are normalized to the network base before the ACL target is generated. |
| 10.10.30.0 255.255.255.0 | Dotted subnet mask defines the same continuous prefix boundary. | A forced subnet-mask parse rejects non-contiguous dotted subnet masks. |
| 172.16.8.0 0.0.7.255 | Dotted wildcard mask is used directly as the ACL match mask. | Contiguous wildcards can still be summarized as a CIDR-style match form. |
| host 198.51.100.42 | Single-host match with wildcard 0.0.0.0. | All 32 bits are fixed, so the match size is 1. |
| any | All-address match with wildcard 255.255.255.255. | No bits are fixed, so the match size is 4,294,967,296. |
| 10.1.2.0 0.0.254.255 | Non-contiguous wildcard match. | The result is a bit pattern, not a single CIDR range. |
Automatic dotted-mask detection follows a practical heuristic. A contiguous dotted value whose first octet is at least 128 is treated as a subnet mask, except for all-zero and all-one edge values. Other dotted values are treated as wildcard masks. For ambiguous reviews, forcing the dotted value to subnet-mask mode or wildcard-mask mode makes the interpretation explicit.
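The following JavaScript is an added example, not the calculator's own source code. It implements the conversions and the auto-detect heuristic described above for all five input forms (CIDR, dotted subnet mask, dotted wildcard mask, host, any), including the rejection of a non-contiguous dotted value forced into subnet-mask mode and the host-bit normalization for contiguous prefixes. The function names (parseAclEntry, formatAce, describe) and the result field names are this example's own choices, not names from the page.

```javascript
// Added example, not the calculator's own code: wildcard math for IPv4 ACL
// entries in CIDR, subnet-mask, wildcard-mask, host and "any" form.

// Dotted decimal -> unsigned 32-bit number, or null when malformed.
function dottedToInt(text) {
  const parts = text.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

function intToDotted(n) {
  return [24, 16, 8, 0].map((s) => (n >>> s) & 255).join(".");
}

function popcount(n) {
  let count = 0;
  for (let v = n >>> 0; v !== 0; v >>>= 1) count += v & 1;
  return count;
}

// A wildcard is contiguous when its one bits form a single trailing run
// (0...01...1): then w + 1 is a power of two and clears every bit of w.
function isContiguousWildcard(w) {
  return ((w + 1) & w) === 0;
}

// Auto-detect heuristic from the page: a contiguous dotted value whose first
// octet is at least 128 is a subnet mask; 0.0.0.0 and 255.255.255.255 are
// always read as wildcards (single host / any).
function detectDottedMask(mask) {
  if (mask === 0 || mask === 0xffffffff) return "wildcard";
  const contiguousSubnet = isContiguousWildcard((~mask) >>> 0);
  return (mask >>> 24) >= 128 && contiguousSubnet ? "subnet" : "wildcard";
}

// Row fields for one entry. Host bits are normalized to the network base only
// for CIDR and subnet-mask input, as the page describes.
function describe(addr, wildcard, parseMode, normalize) {
  const base = (addr & ~wildcard) >>> 0;
  const target = normalize ? base : addr;
  const ignoredBits = popcount(wildcard);
  const contiguous = isContiguousWildcard(wildcard);
  const t = intToDotted(target), w = intToDotted(wildcard);
  return {
    parseMode, target: t, wildcard: w,
    subnetMask: intToDotted((~wildcard) >>> 0),
    binary: wildcard.toString(2).padStart(32, "0"),
    ignoredBits, fixedBits: 32 - ignoredBits,
    matchSize: 2 ** ignoredBits,           // each ignored bit doubles the match
    contiguous,
    matchForm: contiguous ? `${t}/${32 - ignoredBits}` : `${t} ${w}`,
    hostBitsNormalized: normalize && base !== addr,
  };
}

// mode selects how a bare dotted second value is read: "auto", "subnet" or "wildcard".
function parseAclEntry(line, mode = "auto") {
  const text = line.trim().replace(/\s+/g, " ");
  let m;
  if (/^any$/i.test(text)) return describe(0, 0xffffffff, "any", false);
  if ((m = text.match(/^host (\S+)$/i))) {
    const addr = dottedToInt(m[1]);
    return addr === null ? { error: `invalid IPv4 address: ${m[1]}` } : describe(addr, 0, "host", false);
  }
  if ((m = text.match(/^(\S+)\/(\d+)$/))) {
    const addr = dottedToInt(m[1]), prefix = Number(m[2]);
    if (addr === null) return { error: `invalid IPv4 address: ${m[1]}` };
    if (prefix > 32) return { error: `CIDR prefix outside /0 through /32: /${m[2]}` };
    // JS shift counts are taken modulo 32, so /32 needs its own case.
    return describe(addr, prefix === 32 ? 0 : 0xffffffff >>> prefix, "cidr", true);
  }
  if ((m = text.match(/^(\S+) (\S+)$/))) {
    const addr = dottedToInt(m[1]), mask = dottedToInt(m[2]);
    if (addr === null || mask === null) return { error: `invalid address or dotted mask: ${text}` };
    const kind = mode === "auto" ? detectDottedMask(mask) : mode;
    const label = `${mode === "auto" ? "auto " : ""}${kind} mask`;
    if (kind === "subnet") {
      const inverse = (~mask) >>> 0;
      if (!isContiguousWildcard(inverse)) return { error: `non-contiguous subnet mask: ${m[2]}` };
      return describe(addr, inverse, label, true);
    }
    return describe(addr, mask, label, false);
  }
  return { error: `address without its dotted mask, or unrecognised entry: ${text}` };
}

// IOS ACE text; "shorthand" style uses the host / any keywords where they apply.
function formatAce(row, { action = "permit", linePrefix = "", style = "literal" } = {}) {
  let target = `${row.target} ${row.wildcard}`;
  if (style === "shorthand" && row.wildcard === "255.255.255.255") target = "any";
  else if (style === "shorthand" && row.wildcard === "0.0.0.0") target = `host ${row.target}`;
  return [linePrefix, action, target].filter(Boolean).join(" ");
}
```

Running `parseAclEntry("10.10.20.0/24")` yields wildcard 0.0.0.255, inverse mask 255.255.255.0 and a match size of 256, while `parseAclEntry("10.10.30.0 255.0.255.0", "subnet")` returns an error object rather than a row, which is the behaviour the page describes for a non-contiguous value forced into subnet-mask mode.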
| Audit condition | Severity | Why it matters |
|---|---|---|
| any or wildcard 255.255.255.255 | Critical | The line matches the whole IPv4 address space. |
| Contiguous prefix /0 through /8 | High | The source match is very broad for an ACL entry and should be reviewed before use. |
| Contiguous prefix /9 through /16 | Review | The line may be a valid aggregate, but the action should apply to the whole site or range. |
| Non-contiguous wildcard | Review | The match cannot be read as one CIDR block and needs an explicit bit-pattern note. |
| Duplicate, covered, covering, or overlapping earlier line | Review or Info | ACL order can make a later line redundant or make a narrower exception unreachable. |
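As an added example, not the calculator's own source code, the JavaScript below runs the audit conditions in the table above over a constructed list of already-converted address/wildcard rows. The pairwise checks use the bit-match definition from the Technical Details: two lines overlap when they agree on every bit both of them care about, and an earlier line covers a later one when the later line's ignored bits are a subset of the earlier line's and the two agree on every bit the earlier line cares about. The function names (auditEntries, countBySeverity) and the split of the page's "Review or Info" into Review for duplicate and covered lines and Info for covering and overlapping lines are this example's own assumptions.

```javascript
// Added example, not the calculator's own code: Match Audit checks over
// already-converted rows ({ target, wildcard } in dotted decimal).

function dottedToInt(text) {
  return text.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function popcount(n) {
  let count = 0;
  for (let v = n >>> 0; v !== 0; v >>>= 1) count += v & 1;
  return count;
}

function isContiguousWildcard(w) {
  return ((w + 1) & w) === 0;
}

// Lines overlap when they agree on every bit both care about.
function overlaps(a, b) {
  return ((a.addr ^ b.addr) & ~(a.wild | b.wild)) === 0;
}

// Line a covers line b when b ignores only bits a also ignores and the two
// agree on every bit a cares about (so every address b matches, a matches too).
function covers(a, b) {
  return (b.wild & ~a.wild) === 0 && ((a.addr ^ b.addr) & ~a.wild) === 0;
}

function auditEntries(rows) {
  // Keep only the cared-about address bits so comparisons ignore host bits.
  const parsed = rows.map((r) => {
    const wild = dottedToInt(r.wildcard);
    return { wild, addr: (dottedToInt(r.target) & ~wild) >>> 0 };
  });
  const findings = [];
  const orderNote = "Check ACL order: a broader earlier line can shadow a narrower exception.";
  parsed.forEach((cur, i) => {
    const scope = `line ${i + 1}`;
    if (cur.wild === 0xffffffff) {
      findings.push({ severity: "Critical", scope, finding: "matches the whole IPv4 address space",
        recommendation: "Stop and confirm the line is intentionally global." });
    } else if (isContiguousWildcard(cur.wild)) {
      const prefix = 32 - popcount(cur.wild);
      if (prefix <= 8) {
        findings.push({ severity: "High", scope, finding: `contiguous prefix /${prefix} is very broad`,
          recommendation: "Review the source scope before use." });
      } else if (prefix <= 16) {
        findings.push({ severity: "Review", scope, finding: `contiguous prefix /${prefix} may be an aggregate`,
          recommendation: "Confirm the action should apply to the whole site or range." });
      }
    } else {
      findings.push({ severity: "Review", scope, finding: "non-contiguous wildcard",
        recommendation: "Keep the ACE as an explicit wildcard and document the bit pattern." });
    }
    // Compare against every earlier line; one finding per pair, strongest first.
    for (let j = 0; j < i; j++) {
      const prev = parsed[j];
      let severity = null, finding = null;
      if (prev.addr === cur.addr && prev.wild === cur.wild) {
        severity = "Review"; finding = `duplicate of line ${j + 1}`;
      } else if (covers(prev, cur)) {
        severity = "Review"; finding = `covered by earlier line ${j + 1}`;
      } else if (covers(cur, prev)) {
        severity = "Info"; finding = `covers earlier line ${j + 1}`;
      } else if (overlaps(prev, cur)) {
        severity = "Info"; finding = `overlaps earlier line ${j + 1}`;
      }
      if (finding) findings.push({ severity, scope, finding, recommendation: orderNote });
    }
  });
  return findings;
}

function countBySeverity(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}

// Constructed sample set (not a real configuration) exercising each condition.
const sampleRows = [
  { target: "10.0.0.0", wildcard: "0.255.255.255" },   // /8 aggregate -> High
  { target: "10.10.20.0", wildcard: "0.0.0.255" },     // /24 inside line 1 -> covered
  { target: "10.10.20.0", wildcard: "0.0.0.255" },     // repeat of line 2 -> duplicate
  { target: "10.1.2.0", wildcard: "0.0.254.255" },     // non-contiguous, inside line 1
  { target: "0.0.0.0", wildcard: "255.255.255.255" },  // any -> Critical, covers all
];
```

For `sampleRows` the audit returns one Critical and one High finding, five Review findings (the covered /24, its duplicate, and the non-contiguous line with its own coverage note) and four Info findings for the final `any` line covering each earlier line; a single /24 on its own produces no findings, which is what the page calls a clean audit.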
Everyday Use & Decision Guide:
Start with Mask interpretation set to Auto detect dotted masks when you are reviewing a mixed list from tickets, change records, or router snippets. It lets CIDR, subnet-mask, wildcard-mask, host, and any entries sit in the same Networks and ACL patterns box without turning the first pass into a manual cleanup job.
Use ACL action and ACL line prefix to make the generated IOS ACE resemble the line you expect to paste or review. The wildcard math is unchanged by permit or deny. Those controls only shape the generated ACE text, so a correct wildcard can still be dangerous if the action or rule order is wrong.
- Keep ACE target style on Literal address wildcard when you want every row to show the address and wildcard explicitly for peer review.
- Switch to Use host and any keywords when you want single-host and all-address lines to read like common IOS shorthand.
- Open Wildcard Math when a dotted value looks suspicious. The Parse mode, Subnet / inverse mask, Binary wildcard, and Ignored bits fields explain how the match was read.
- Open Match Audit before copying a broad or unfamiliar line. Critical, High, and Review findings are stronger stop signals than an ordinary summary badge.
- Use ACL Address Coverage when several entries are hard to compare by eye. The chart makes a single host, a /24, a /8, and any look as different as they really are.
A clean first pass is not the same as deployment approval. Check the generated ACL target, the Wildcard, and the Match size against the intent, then review the surrounding ACL order in the actual device configuration before applying the line.
Step-by-Step Guide:
Build the ACL source line from the notation you already have, then use the result tabs to verify both the math and the match risk.
- Choose permit or deny in ACL action. The selected action appears in IOS ACE, while Wildcard and Match size stay tied to the address pattern.
- Set ACL line prefix to text such as access-list 10 or ip access-list standard OFFICE, or leave it blank if you are working inside a named ACL context.
- Leave Mask interpretation on Auto detect dotted masks for a mixed paste. Force Treat dotted values as subnet masks or Treat dotted values as ACL wildcard masks when the source notation is known and ambiguity would be risky.
- Paste one IPv4 entry per line in Networks and ACL patterns. Accepted forms include 10.10.20.0/24, 10.10.30.0 255.255.255.0, 172.16.8.0 0.0.7.255, host 198.51.100.42, and any.
- If Network input needs attention appears, fix the named line before trusting exports. Common causes include an invalid IPv4 address, a CIDR prefix outside /0 through /32, an address without its dotted mask, or a non-contiguous value forced into subnet-mask mode.
- Read ACE Lines first. Confirm ACL target, Wildcard, Match size, and IOS ACE before copying a row.
- Use Wildcard Math and Match Audit to explain the result. If the audit flags a broad match, overlap, duplicate, host-bit normalization, or non-contiguous wildcard, resolve that finding in the change record before exporting.
- Use ACL Address Coverage or JSON only after the table output matches the intended source range. The chart is useful for visual comparison, and the JSON view is useful when the same normalized result needs to be stored with a ticket.
A practical finish is to copy the generated ACE only after the Match Audit findings make sense for the ACL order you plan to use.
Interpreting Results:
The most important fields are ACL target, Wildcard, and Match size. Together they say which source pattern the ACE will test and how many IPv4 addresses can match it. Read those before the generated IOS ACE, because the ACE text can look familiar even when the wildcard covers more than intended.
| Result cue | What to trust | What to verify |
|---|---|---|
| Wildcard = 0.0.0.0 | Only one host address matches. | Use ACE target style if you prefer the host keyword in the generated line. |
| Wildcard = 255.255.255.255 | Every IPv4 source address matches. | Treat the Critical audit finding as a stop-and-review point unless the ACL line is intentionally global. |
| Ignored bits | Each ignored bit doubles the match size. | Compare the reported Match size with the intended source population, not just the dotted wildcard. |
| Host bits were normalized | The generated target uses the canonical network base for a contiguous prefix. | Copy the generated target instead of the raw pasted address when the normalized base is what you need. |
| Non-contiguous wildcard | The wildcard is an explicit bit pattern. | Document the intended pattern because it is not a single CIDR range. |
A clean Match Audit means no broad, duplicate, overlap, host-bit, or non-contiguous concerns were detected in the pasted set. It does not prove the ACL is safe. The real configuration can still be wrong if a broader earlier line shadows the new ACE, if permit and deny are reversed, or if the ACL is applied in the wrong direction.
Before using a result in a change, verify one row end to end: the original input, Parse mode, ACL target, Wildcard, Match size, and the audit recommendation. That check catches most mistakes caused by confusing subnet masks with wildcard masks.
Worked Examples:
Turning a /24 source subnet into an ACE
With ACL action set to permit and ACL line prefix set to access-list 10, entering 10.10.20.0/24 produces ACL target 10.10.20.0 0.0.0.255. ACE Lines shows Wildcard 0.0.0.255, Match size 256, and IOS ACE access-list 10 permit 10.10.20.0 0.0.0.255. Wildcard Math reports Parse mode CIDR, Subnet / inverse mask 255.255.255.0, and Ignored bits 8 ignored / 24 fixed.
Spotting an all-address deny
Entering any with ACL action set to deny creates an all-address source match. In literal style, ACE Lines shows ACL target 0.0.0.0 255.255.255.255, Wildcard 255.255.255.255, and Match size 4,294,967,296. If ACE target style is set to Cisco shorthand, the generated IOS ACE can read access-list 10 deny any. Match Audit marks the row Critical because it matches every IPv4 address.
Keeping a non-contiguous wildcard explicit
Entering 10.1.2.0 0.0.254.255 leaves the dotted value as an ACL wildcard in auto mode. Wildcard Math reports Parse mode auto wildcard mask, Match form 10.1.2.0 0.0.254.255, Subnet / inverse mask 255.255.1.0 (inverse), and Ignored bits 15 ignored / 17 fixed. The Match Audit row is Review, with a recommendation to keep the ACE as an explicit wildcard and document the intended bit pattern.
Fixing a bad subnet-mask paste
If Mask interpretation is forced to Treat dotted values as subnet masks and the pasted line is 10.10.30.0 255.0.255.0, the page shows Network input needs attention with a non-contiguous subnet-mask message. Correct the source to a contiguous subnet mask such as 255.255.255.0, or switch to wildcard-mask mode only if the second dotted value was meant to be an ACL wildcard.
FAQ:
Why is 0.0.0.255 the wildcard for a /24?
A /24 subnet mask is 255.255.255.0. Inverting each bit produces 0.0.0.255, so the first 24 bits must match and the final 8 bits are ignored.
Can I paste subnet masks and wildcard masks together?
Yes. Leave Mask interpretation on Auto detect dotted masks for a mixed list. Force subnet-mask or wildcard-mask mode only when you know every dotted pair uses the same notation.
Does a clean audit mean the ACL is ready?
No. A clean Match Audit only means the pasted source patterns did not trigger the built-in broad-match, duplicate, overlap, normalization, or non-contiguous checks. You still need to verify action, order, protocol, direction, and device context.
Why did the output address change from what I pasted?
For contiguous CIDR or subnet-mask inputs, host bits are normalized to the network base before ACL target and IOS ACE are generated. The audit reports that normalization so you can copy the canonical target intentionally.
What happens to comments, blank lines, and very long lists?
Blank lines are ignored, and lines beginning with # are skipped. The calculator processes the first 128 non-blank entries and reports that limit in Network input needs attention when a longer paste is trimmed.
Is the address list sent to a server?
The parsing, wildcard math, audit checks, chart data, and JSON output are computed in the browser. The current settings are reflected in the page URL for shareable state, so avoid sharing links that contain sensitive internal address plans.
Glossary:
- ACL
- Access control list, a set of ordered rules used to permit or deny traffic.
- ACE
- Access control entry, one line inside an ACL.
- Wildcard mask
- An IPv4 bit mask where zero bits must match and one bits are ignored.
- Subnet mask
- A dotted mask that marks the fixed network portion of an IPv4 prefix.
- CIDR prefix
- A slash notation such as /24 that states how many leading IPv4 bits are fixed.
- Non-contiguous wildcard
- A wildcard whose ignored bits do not form one continuous host portion.
References:
- IP Access List Overview, Cisco Systems.
- RFC 4632: Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan, RFC Editor, August 2006.