# How to calculate the wildcard mask in ACL

Aug 17th, 2007

Dears,

I know it may look a very basic question, but frankly I searched the net, books & asked many friends and no one could help.

I want to create one or two access list to hit the following ip prefix.

192.168.2.0

192.168.6.0

192.168.11.0

192.168.15.0

192.168.18.0

may you kindly explain it for me by binary calculation.

regards

Correct Answer by Richard Burts, Fri, 08/17/2007 - 03:30

I think that your question is asking about ways to have a single line in the ACL match more than one address so that with one or two lines of ACL you could match these 5 addresses. The way to start that is to figure out what these addresses have in common. They all have 192.168 in the first two octets and 0 in the last octet. So the third octet is where there is any variation. So we need to start with the value of the third octet in binary:

2 is 00000010

6 is 00000110

11 is 00001011

15 is 00001111

18 is 00010010

If you look at the binary and see which numbers have most bits in common we see that 2 and 6 have 7 of 8 bits in common and could be grouped together. We see that 11 and 15 have 7 of 8 bits in common and could be grouped together.

So to group 2 and 6 we want a mask that says that bit positions 1, 2, 3, 4, 5, 7, and 8 must match and bit position 6 does not. The mask with 0 in 1, 2, 3, 4, 5, 7, and 8 is 00000100 (decimal 4). And to group 11 and 15 we also need bits 1, 2, 3, 4, 5, 7, and 8 to match so we would use that mask again 00000100.

There is not a way to combine 18 very well with the other addresses. So an ACL would need 3 statements to match these 5 addresses.

permit 192.168.2.0 0.0.4.0

permit 192.168.11.0 0.0.4.0

permit 192.168.18.0 0.0.0.0

HTH

Rick

Overall Rating: 4.7 (3 ratings)
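Worked example, added here and not part of the thread or of any Cisco tool: a small Python script that does the binary comparison Rick describes for any list of addresses (the AND of the addresses keeps the bits they all share, the OR keeps the bits any of them has, and the XOR of the two is exactly the bits that vary, which become the wildcard), emits the resulting `permit` lines, and adds the check a practitioner wants before pasting an ACL into a router: it expands each entry and reports any address the entry matches beyond the ones intended. The address lists are the five prefixes from the question, grouped as in the answer; the function names are my own.

```python
from functools import reduce
from ipaddress import IPv4Address
from typing import Iterable, List, Tuple

# Constructed input: the five prefixes from the question, grouped as in the answer.
QUESTION_GROUPS = [
    ["192.168.2.0", "192.168.6.0"],
    ["192.168.11.0", "192.168.15.0"],
    ["192.168.18.0"],
]


def _ints(addresses: Iterable[str]) -> List[int]:
    return [int(IPv4Address(a)) for a in addresses]


def octet_bits(address: str) -> str:
    """Dotted address as four 8-bit binary fields, for eyeballing which bits differ."""
    return ".".join(f"{int(o):08b}" for o in address.split("."))


def wildcard_for(addresses: Iterable[str]) -> Tuple[str, str]:
    """Smallest single ACL entry (base, wildcard) that matches every address given.

    A bit is 'must match' (0 in the wildcard) when all addresses agree on it and
    'don't care' (1 in the wildcard) when any two disagree.  AND keeps the bits
    set in all addresses, OR keeps the bits set in any; their XOR is the set of
    bits that vary.  The AND also serves as the base, with don't-care bits cleared.
    """
    ints = _ints(addresses)
    common = reduce(lambda x, y: x & y, ints)
    union = reduce(lambda x, y: x | y, ints)
    wildcard = common ^ union
    return str(IPv4Address(common)), str(IPv4Address(wildcard))


def matches(address: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the wildcard."""
    a, b, w = _ints([address, base, wildcard])
    return ((a ^ b) & ~w) == 0


def expand(base: str, wildcard: str, limit_bits: int = 12) -> List[str]:
    """Every address a (base, wildcard) entry matches: 2**popcount(wildcard) of them."""
    b, w = _ints([base, wildcard])
    free = [i for i in range(32) if (w >> i) & 1]
    if len(free) > limit_bits:
        raise ValueError(f"wildcard {wildcard} frees {len(free)} bits; refusing to expand")
    out = []
    for combo in range(1 << len(free)):
        value = b
        for j, bit in enumerate(free):
            if (combo >> j) & 1:
                value |= 1 << bit
        out.append(str(IPv4Address(value)))
    return out


def overmatch(addresses: List[str]) -> List[str]:
    """Addresses the single entry covering `addresses` would ALSO match: the collateral permit."""
    base, wildcard = wildcard_for(addresses)
    extra = set(expand(base, wildcard)) - set(addresses)
    return sorted(extra, key=lambda a: int(IPv4Address(a)))


def acl_lines(groups: List[List[str]]) -> List[str]:
    """One 'permit' line per group, in IOS standard-ACL syntax."""
    return [f"permit {base} {wildcard}" for base, wildcard in map(wildcard_for, groups)]


if __name__ == "__main__":
    for addr in ("192.168.2.0", "192.168.6.0", "192.168.11.0", "192.168.15.0", "192.168.18.0"):
        print(f"{addr:>14}  {octet_bits(addr)}")
    for line in acl_lines(QUESTION_GROUPS):
        print(line)
    # Folding 18 in with 2 and 6 shows why it gets its own line: the wildcard
    # 0.0.20.0 that covers all three also admits 192.168.22.0.
    print("2,6,18 -> extra:", overmatch(["192.168.2.0", "192.168.6.0", "192.168.18.0"]))
```

`overmatch` is the step worth keeping: IOS accepts any base/wildcard pair without complaint, and a wildcard that frees one bit too many silently permits hosts that were never on the list. With the grouping from the answer the three entries are exact (`overmatch` returns an empty list for each), and a wildcard of `0.0.0.0` is the same thing as writing `host 192.168.18.0`.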

## Replies

mmozanen Fri, 08/17/2007 - 05:06

Dear Rick,

Thank you very very much for the fast response and also for the detailed explanation. I tried it with other combination and it works well.

regards.

Moe

Richard Burts Fri, 08/17/2007 - 06:49

Moe

I am glad that my explanation helped you to understand this better. Thanks for using the rating system to indicate that your question was resolved (and thanks for the rating). The forum is a very good place to learn concepts like the masking of access lists. I encourage you to continue your participation in the forum.

HTH

Rick
