Calculating wildcard masks can be challenging. One shortcut method is to subtract the subnet mask from 255.255.255.255.
Wildcard Mask Calculation: Example 1
In the first example in the figure, assume you wanted to permit access to all users in the 192.168.3.0 network. Because the subnet mask is 255.255.255.0, you could take the 255.255.255.255 and subtract the subnet mask 255.255.255.0 as is indicated in the figure. The solution produces the wildcard mask 0.0.0.255.
Wildcard Mask Calculation: Example 2
In the second example in the figure, assume you wanted to permit network access for the 14 users in the subnet 192.168.3.32/28. The subnet mask for the IP subnet is 255.255.255.240, therefore take 255.255.255.255 and subtract the subnet mask 255.255.255.240. The solution this time produces the wildcard mask 0.0.0.15.
Wildcard Mask Calculation: Example 3
In the third example in the figure, assume you wanted to match only networks 192.168.10.0 and 192.168.11.0. Again, you take the 255.255.255.255 and subtract the regular subnet mask which in this case would be 255.255.252.0. The result is 0.0.3.255.
You could accomplish the same result with statements like the two shown below:
R1(config)# access-list 10 permit 192.168.10.0
R1(config)# access-list 10 permit 192.168.11.0
It is far more efficient to configure the wildcard mask in the following way:
R1(config)# access-list 10 permit 192.168.10.0 0.0.3.255
Consider the configuration below to match networks in the range between 192.168.16.0 to 192.168.31.0:
R1(config)# access-list 10 permit 192.168.16.0
R1(config)# access-list 10 permit 192.168.17.0
R1(config)# access-list 10 permit 192.168.18.0
R1(config)# access-list 10 permit 192.168.19.0
R1(config)# access-list 10 permit 192.168.20.0
R1(config)# access-list 10 permit 192.168.21.0
R1(config)# access-list 10 permit 192.168.22.0
R1(config)# access-list 10 permit 192.168.23.0
R1(config)# access-list 10 permit 192.168.24.0
R1(config)# access-list 10 permit 192.168.25.0
R1(config)# access-list 10 permit 192.168.26.0
R1(config)# access-list 10 permit 192.168.27.0
R1(config)# access-list 10 permit 192.168.28.0
R1(config)# access-list 10 permit 192.168.29.0
R1(config)# access-list 10 permit 192.168.30.0
R1(config)# access-list 10 permit 192.168.31.0
The previous 16 configuration statements can be reduced to a single statement using the correct wildcard mask as shown below:
R1(config)# access-list 10 permit 192.168.16.0 0.0.15.255