Networking Basics: What are Wildcard Masks and How do they Work?
The quick definition: A wildcard mask is used in an access list to match all the traffic from a network address, so that it can be allowed or denied as a group. The wildcard mask tells the router which bits in the IP address must match the access list entry and which bits are ignored.
What is a Wildcard Mask?
Let's say that you're driving down the road and you want to get your car washed. You pull into the car wash, go up to the counter, and ask for the deluxe car wash. You don't realize it, but it comes with an air freshener.
The car wash clerk asks, "What type of air freshener would you like?"
You say, "One that freshens the air."
The clerk says, "No, what scent would you like?"
Because you weren't planning that far ahead, you say, "I don't care. Any of them."
Alternately, when the clerk asked you, "Which one do you want?" You could have responded, "None of them."
In either case, you either don't care (or care strongly). That's exactly how a wildcard mask works.
How Does a Wildcard Mask Work?
A wildcard mask identifies some portion of an IP address that we either care or don't care about, and grants everything from that network either all or no access. It's very black and white.
Let's say your manager says, "Too many people in Sales are using the nice printer in Finance. I want you to deny any traffic sourced from network 172.16.56.0." You can either individually filter every single IP address in that network, or you can create a wildcard mask to block everyone.
In this case, you're going to create an Access Control List that blocks the network 172.16.56.0, and any devices on that subnet.
In a subnet, the IP addresses for the printer and computer are the same, except for the last octet. That's because they're on the same network. The last number identifies the device. The first three identify the network.
Printer – 172.16.56.5
Computer 1 – 172.16.56.8
You can apply a wildcard mask that only looks at the first three octets, denying traffic from the entire network.
It doesn't matter what the bits in the last octet say, because the router only cares about the first three octets. If those octets are on the blocked list, then you're not getting through.
A wildcard mask tells the router which bits it should examine and which bits not to examine. It's an easy enough concept.
Wildcard Mask Example
If you needed to create an access list that's going to deny everything from the 172.16.56 network, but permit all other traffic, the entries would look like this:
access-list 10 deny 172.16.56.0 0.0.0.255
access-list 10 permit any
Notice the wildcard mask: 0.0.0.255. The zeros in the first three octets mean those bits of the source address must match 172.16.56 exactly; the 255 in the last octet means those bits don't have to match, so the last octet could be anything. (The access list number 10 is arbitrary. The permit any line is needed because every Cisco access list ends with an implicit deny, so without it all other traffic would be dropped as well.)
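To make the bit-matching concrete, here is an added example (not from the original article) that applies a wildcard mask the way a router does: a 0 bit in the mask means "this bit must match", a 1 bit means "don't care". It then evaluates the two-line access list above, top-down with first match wins and an implicit deny at the end (standard Cisco behaviour), against the printer, the computer and two constructed addresses from other networks.

```python
import ipaddress

def wildcard_matches(address: str, network: str, wildcard: str) -> bool:
    """True if `address` matches `network` under `wildcard`.

    A 0 bit in the wildcard means that bit of the address must equal the
    corresponding bit of the network; a 1 bit means the router ignores it.
    """
    addr = int(ipaddress.IPv4Address(address))
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    # The bits we care about are the complement of the wildcard mask.
    care = ~wc & 0xFFFFFFFF
    return (addr & care) == (net & care)

# The access list from the article, as (action, network, wildcard) tuples.
# 0.0.0.0 with wildcard 255.255.255.255 is how "permit any" is expressed.
ACL = [
    ("deny", "172.16.56.0", "0.0.0.255"),       # block the whole Sales subnet
    ("permit", "0.0.0.0", "255.255.255.255"),   # permit any
]

def evaluate(acl, address: str) -> str:
    """Walk the ACL top-down; the first matching entry decides."""
    for action, network, wildcard in acl:
        if wildcard_matches(address, network, wildcard):
            return action
    return "deny"  # every Cisco ACL ends with an implicit deny

if __name__ == "__main__":
    # Printer and computer from the article, plus two constructed sources.
    for src in ["172.16.56.5", "172.16.56.8", "172.16.57.8", "10.0.0.1"]:
        print(f"{src:<14} -> {evaluate(ACL, src)}")
```

Changing the wildcard to 0.0.255.255 would make the deny entry cover all of 172.16.0.0/16, since the router would then stop examining the third octet as well.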
Where Can Wildcard Masks Be Used?
Wildcard masks are beneficial when you have a large network and need to allow free traffic flow between multiple routers. If you have a large network with several routers and LAN segments, you will likely run into wildcard masks.
Just make sure you properly set your wildcard mask to ensure only allowable traffic can pass through your router.
CBT Nuggets Wildcard Mask Courses
Wildcard masks play a vital role in the smooth flow of network traffic. The CBT Nuggets training library features a wide variety of networking training from widely respected vendors such as Cisco and CompTIA. Our following courses address wildcard masks: