How to Construct a Wildcard Mask to Match a Range of Subnets – Plus Download the Spreadsheet Tool

Added by Mark Jacob, July 29, 2021

How often have you been creating an ACL and you needed to match not ONE subnet, but a whole range of subnets? The same logic holds for creating a “network” statement in an IGP such as EIGRP or OSPF. You want a single statement to match all your desired subnets, but you don’t want your router’s mouth writing checks its body can’t cash (great “Top Gun” line), which means you want your statement to most closely match what is really there. While experimenting, I made myself an Excel spreadsheet into which can be entered the low subnet and the high subnet, and it outputs the closest match, using a single statement. Best practice says that if a single statement encompasses more than is desired, use two (or even more) statements to more closely match your actual subnets. This spreadsheet only matches using a single statement, but it was an interesting experiment so I thought I would share the fruits of this labor.

Let’s look at a simple example first. Let’s say a router, which we’ll call RouterA, wanted to announce the following subnets to another router, RouterB:,,, and A lazy way to accomplish this would be for RouterA to announce, “All my networks have a 10 in the first octet.” Such a network statement would look like this:

It turns out this is not a lie – it is, in fact, true that RouterA’s subnets all have a 10 in the first octet. The issue that would arise is there could easily be another router, RouterC, that announces that it has this network: This would “step on” the information announced by RouterA. How can RouterA make a routing announcement that more closely matches its actual subnets?

In my CCNA classes I have a morning review question that asks a similar question. Here it is:

What is the most efficient wildcard mask configuration that would match all the subnets from to (I also add the stipulation that the answer must be ONE statement.)

If you want to try this one for yourself, pause your eyeballs (I can’t say “Pause the video”) and give it a shot. When you are ready, resume reading. For more information on Wildcard Masks, I have created a couple of other resources.

Check out:

Fun Tricks with Network Wildcard Masks and ACL’s


ACLs on Cisco devices – Part two | Understanding Wildcard Masks

I provide the answer to this question in my classes, so if you ever take my CCNA class, promise me you will feign ignorance! The key is that with the Wildcard Mask, you “look at” bits that don’t move with a “0,” and “ignore” bits that move with a “1.” Figure 1 shows the information on my answer slide:

Notice that reference IP information goes all the way back to, even though the lowest subnet actually possessed is You can check this yourself: Grab an IOS device and type: access-list 1 permit
Then show your running-config and see what appears for access-list 1. The IOS device will change what you typed to

I did this on a 2960 switch. Here it is:

Switch(config)#access-list 1 permit
Switch(config)#do sh access-list 1
Standard IP access list 1
10 permit, wildcard bits

Why does it change? Notice the Wildcard Mask in the third octet and the reference IP address under it. Remember that when I type a “1” I am telling the IOS to “ignore” that bit. So even if I type a “60” in the third octet, I told the IOS that I was only watching the first bit (most significant bit at the far left) and ignoring the rest.

So the IOS attitude is, “If you don’t care about those other bits, then neither do I,” so it sets them all to 0, meaning your octet that said

0 0 1 1 1 1 0 0  is changed to 0 0 0 0 0 0 0 0 and your running-config shows instead of

I also show how to create a more specific match by using more than one statement, shown in Figure 2:

As you can see, if the group of subnets is separated at a binary block (64 is a power of 2, thus a “binary block”) the two resulting Wildcard Masks very precisely match the subnets in question.
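The steps above (mark the bits that move, zero the ignored bits in the reference address, then compare against a split into exact binary blocks) can be checked with the following added Python example, which is not the author's spreadsheet or code from the original post. The 172.16.x.0/24 subnets are constructed sample values, and the function names are hypothetical; the over-match count shows how many extra addresses a single ACL or network statement would cover.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _bounds(low_subnet, high_subnet):
    """First and last address of the range low_subnet..high_subnet (IPv4)."""
    first = int(ipaddress.ip_network(low_subnet).network_address)
    last = int(ipaddress.ip_network(high_subnet).broadcast_address)
    if first > last:
        raise ValueError("low subnet must not be above high subnet")
    return first, last

def single_statement(low_subnet, high_subnet):
    """Tightest single (reference, wildcard) pair covering the whole range."""
    first, last = _bounds(low_subnet, high_subnet)
    # Every bit at or below the highest differing bit "moves" somewhere in
    # the range, so it gets a 1 (ignore); bits above it get a 0 (look at).
    wildcard = (1 << (first ^ last).bit_length()) - 1
    reference = first & ~wildcard & MASK32
    return (str(ipaddress.IPv4Address(reference)),
            str(ipaddress.IPv4Address(wildcard)))

def normalize(address, wildcard):
    """Zero the ignored bits of a typed address, as the IOS output shows."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(a & ~w & MASK32))

def overmatch(low_subnet, high_subnet):
    """Addresses the single statement matches beyond the requested range."""
    first, last = _bounds(low_subnet, high_subnet)
    _, wildcard = single_statement(low_subnet, high_subnet)
    return (int(ipaddress.IPv4Address(wildcard)) + 1) - (last - first + 1)

def exact_statements(low_subnet, high_subnet):
    """Several statements, split at binary blocks, with no over-match."""
    first, last = _bounds(low_subnet, high_subnet)
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in blocks]

if __name__ == "__main__":
    low, high = "172.16.32.0/24", "172.16.95.0/24"   # constructed sample range
    print("single :", single_statement(low, high))
    print("extra  :", overmatch(low, high), "addresses over-matched")
    print("typed 60 in octet 3 ->", normalize("172.16.60.0", "0.0.127.255"))
    for ref, wc in exact_statements(low, high):
        print("exact  :", ref, wc)
```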

The spreadsheet I created only does the “one statement” option, but it’s nice to check your work if you are practicing creating Wildcard Masks in preparation for a certification exam, or if you are creating them in production. Figure 3 shows a screenshot from the spreadsheet solving the above scenario (I broke it into 2 screenshots so they would be large enough to see):

Just type the low subnet info in the upper section and the highest subnet to match in the lower section. Only type in the yellow-ish colored boxes. It does the rest. Feel free to explore and hit me with any suggestions.

Click here to download the spreadsheet

Until next time….

Mark Jacob
