ACL Wildcard Masks

(Thanks to Bob Hennigan, and Steve Perry, CIS Instructors at Central New Mexico Community College.)

22 Feb 2014

<-- Back to main subnetting page

Binary reference charts

If you need to calculate an ACL wildcard mask at the subnet level, it's pretty easy. All you have to do is subtract the regular subnet mask from 255 . 255 . 255 . 255 and you have the wildcard mask.

But, what if you have something more complex? Given the ACL command:
access-list 1 permit [address_to_check] [wildcard_used_to_check]
We need to find the "address-to-check" and the "wildcard-used-to-check".

For instance calculate the most specific wildcard mask for the following four networks.

First convert the addresses to binary. 00000010 00000011 00000100 00000110 00000111 00001000 00001010 00001011 00001100 00001110 00001111 00010000

Now we find the address-to-check by performing a binary AND operation on the addresses. A binary AND means the output is high only when all the inputs are high. In this case, the result is:
00000001 00000010 00000011 00000000
Convert that to decimal and we have:
This is our address-to-check. Now we find the wildcard-used-to-check by performing a binary XOR. XOR means the output is high if any input is high but not all 1's. In this case, the result is:
00001100 00001100 00001100 00011100
Convert that to binary and we get:
This is our wildcard-used-to-check. Plugging the two results into our ACL gives us the most specific wildcard mask possible and the address which represents the original addresses.
access-list 1 permit