Explain the concept of a wildcard mask and how it is used in ACLs and routing protocols for matching IP addresses.

• A. Wildcard masks are the same as standard subnet masks used to calculate network addresses.
• B. Wildcard masks define which IP addresses are allowed through a firewall based on port.
• C. Wildcard masks specify which bits are significant when matching addresses; used in ACLs and routing protocols to define subnets with flexible, bit-wise matching.
• D. Wildcard masks encrypt address matching.

Answer: (C)

Wildcard masks indicate which bits in an IP address must be matched exactly and which can vary, enabling flexible, bit-by-bit address matching in ACLs and routing protocol statements.

In practice, a 0 in the wildcard mask means the corresponding bit in the address must match the given value, while a 1 means that bit can be anything. This lets you define ranges of addresses succinctly. For example, pairing 192.168.1.0 with a wildcard mask of 0.0.0.255 matches any address in 192.168.1.x, because only the last octet is allowed to vary. Pairing 10.0.0.0 with 0.255.255.255 matches any 10.x.x.x address. Conversely, 172.16.5.4 with 0.0.0.0 matches only that exact address.

Wildcard masks are often the inverse of subnet masks (bitwise NOT), which is why they’re phrased in terms of “don’t care” bits for routing statements and ACLs. They’re not about ports, encryption, or calculating networks the way standard subnet masks do, which is why the best match describes their role in defining significant bits for matching and enabling flexible, bit-level control.