Many people have this question. Since there is already a subnet mask, why should wildcard masks be used and what is the difference between them?

The short answer is the following:

There is a basic rule for the wild card mask: '0' in the wildcard mask indicates MUST MATCH while '1' means IGNORE, '0' and '1' can be discontinuous. 

So, the wildcard mask can match the addresses that are not on a subnet boundary, being more flexible than the subnet mask.

Let's take some examples.

Generally, the wildcard/subnet mask is used in the following scenarios:

1. A single IP address:

  Subnet mask: 192.168.0.1 255.255.255.255

  Wildcard mask: 192.168.0.1 0.0.0.0

2. A subnet

  Subnet mask: 192.168.0.0 255.255.255.0

  Wildcard mask: 192.168.0.0 0.0.0.255

In both cases, they can implement the same functions.

3. A range of IP addresses

In this case we can see there difference.

Assume that the device needs to allow the IP address 192.168.0.1、192.168.1.1…192.168.255.1 to pass through.

Subnet mask: can't represent

Wildcard mask: 192.168.0.1 0.0.255.0

The wildcard mask also has insufficient. It cannot accurately match the mask information.

For example, we want allow 10.1.1.0/24 to pass through and try to use ACL:

ACL 2000

   Rule permit source 10.1.1.0 0.0.0.255

When applying this ACL, not only 10.1.1.1/24, but also 10.1.1.1/23,10.1.1.1/22… can match the ACL.

That's why in practice, we usually use ip-prefix instead of ACL to match the routing information.